feat: add push secret to e2e tests (#3017)

* feat: add push secret to e2e tests

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

* finally, a fully working example for an e2e flow with push secret

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

* fix value field duplication issue

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

---------

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

apis/externalsecrets/v1beta1/externalsecret_validator.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package v1beta1
 
 import (

apis/externalsecrets/v1beta1/externalsecret_validator_test.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package v1beta1
 
 import (

apis/externalsecrets/v1beta1/provider_schema_test.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package v1beta1
 
 import (

cmd/certcontroller.go

@@ -13,6 +13,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package cmd
 
 import (

cmd/root.go

@@ -13,6 +13,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package cmd
 
 import (

cmd/webhook.go

@@ -13,6 +13,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package cmd
 
 import (

e2e/framework/addon/addon.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package addon
 
 import (

e2e/framework/addon/chart.go

@@ -12,6 +12,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package addon
 
 import (

e2e/framework/addon/eso.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package addon
 
 import (

e2e/framework/addon/eso_argocd_application.go

@@ -12,6 +12,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package addon
 
 import (

e2e/framework/addon/eso_flux_helm.go

@@ -10,6 +10,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package addon
 
 import (

e2e/framework/addon/helmserver.go

@@ -10,6 +10,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package addon
 
 import (

e2e/framework/addon/uninstall_eso_crds.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package addon
 
 import (

e2e/framework/addon/vault.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package addon
 
 import (
@@ -33,7 +34,7 @@ import (
 	vault "github.com/hashicorp/vault/api"
 
 	// nolint
-	ginkgo "github.com/onsi/ginkgo/v2"
+	"github.com/onsi/ginkgo/v2"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 

e2e/framework/framework.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package framework
 
 import (

e2e/framework/log/log.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package log
 
 import (

e2e/framework/testcase.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package framework
 
 import (
@@ -31,13 +32,16 @@ var TargetSecretName = "target-secret"
 
 // TestCase contains the test infra to run a table driven test.
 type TestCase struct {
-	Framework              *Framework
+	Framework               *Framework
-	ExternalSecret         *esv1beta1.ExternalSecret
+	ExternalSecret          *esv1beta1.ExternalSecret
-	ExternalSecretV1Alpha1 *esv1alpha1.ExternalSecret
+	ExternalSecretV1Alpha1  *esv1alpha1.ExternalSecret
-	AdditionalObjects      []client.Object
+	PushSecret              *esv1alpha1.PushSecret
-	Secrets                map[string]SecretEntry
+	PushSecretSource        *v1.Secret
-	ExpectedSecret         *v1.Secret
+	AdditionalObjects       []client.Object
-	AfterSync              func(SecretStoreProvider, *v1.Secret)
+	Secrets                 map[string]SecretEntry
+	ExpectedSecret          *v1.Secret
+	AfterSync               func(SecretStoreProvider, *v1.Secret)
+	VerifyPushSecretOutcome func(ps *esv1alpha1.PushSecret, pushClient esv1beta1.SecretsClient)
 }
 
 type SecretEntry struct {
@@ -52,64 +56,114 @@ type SecretStoreProvider interface {
 	DeleteSecret(key string)
 }
 
-// TableFunc returns the main func that runs a TestCase in a table driven test.
+// TableFuncWithExternalSecret returns the main func that runs a TestCase in a table driven test.
-func TableFunc(f *Framework, prov SecretStoreProvider) func(...func(*TestCase)) {
+func TableFuncWithExternalSecret(f *Framework, prov SecretStoreProvider) func(...func(*TestCase)) {
 	return func(tweaks ...func(*TestCase)) {
-		var err error
-
 		// make default test case
 		// and apply customization to it
-		tc := makeDefaultTestCase(f)
+		tc := makeDefaultExternalSecretTestCase(f)
 		for _, tweak := range tweaks {
 			tweak(tc)
 		}
 
 		// create secrets & defer delete
+		var deferRemoveKeys []string
 		for k, v := range tc.Secrets {
 			key := k
 			prov.CreateSecret(key, v)
-			defer func() {
+			deferRemoveKeys = append(deferRemoveKeys, key)
-				prov.DeleteSecret(key)
-			}()
 		}
 
-		// create v1alpha1 external secret, if provided
+		defer func() {
-		if tc.ExternalSecretV1Alpha1 != nil {
+			for _, k := range deferRemoveKeys {
-			err = tc.Framework.CRClient.Create(context.Background(), tc.ExternalSecretV1Alpha1)
+				prov.DeleteSecret(k)
-			Expect(err).ToNot(HaveOccurred())
-		} else if tc.ExternalSecret != nil {
-			// create v1beta1 external secret otherwise
-			err = tc.Framework.CRClient.Create(context.Background(), tc.ExternalSecret)
-			Expect(err).ToNot(HaveOccurred())
-		}
-		if tc.AdditionalObjects != nil {
-			for _, obj := range tc.AdditionalObjects {
-				err = tc.Framework.CRClient.Create(context.Background(), obj)
-				Expect(err).ToNot(HaveOccurred())
 			}
-		}
+		}()
+
+		// create v1alpha1 external secret, if provided
+		createProvidedExternalSecret(tc)
+
+		// create additional objects
+		generateAdditionalObjects(tc)
+
 		// in case target name is empty
 		if tc.ExternalSecret != nil && tc.ExternalSecret.Spec.Target.Name == "" {
 			TargetSecretName = tc.ExternalSecret.ObjectMeta.Name
 		}
 
 		// wait for Kind=Secret to have the expected data
-		if tc.ExpectedSecret != nil {
+		executeAfterSync(tc, f, prov)
-			secret, err := tc.Framework.WaitForSecretValue(tc.Framework.Namespace.Name, TargetSecretName, tc.ExpectedSecret)
+	}
-			if err != nil {
+}
-				f.printESDebugLogs(tc.ExternalSecret.Name, tc.ExternalSecret.Namespace)
-				log.Logf("Did not match. Expected: %+v, Got: %+v", tc.ExpectedSecret, secret)
-			}
 
+func executeAfterSync(tc *TestCase, f *Framework, prov SecretStoreProvider) {
+	if tc.ExpectedSecret != nil {
+		secret, err := tc.Framework.WaitForSecretValue(tc.Framework.Namespace.Name, TargetSecretName, tc.ExpectedSecret)
+		if err != nil {
+			f.printESDebugLogs(tc.ExternalSecret.Name, tc.ExternalSecret.Namespace)
+			log.Logf("Did not match. Expected: %+v, Got: %+v", tc.ExpectedSecret, secret)
+		}
+
+		Expect(err).ToNot(HaveOccurred())
+		tc.AfterSync(prov, secret)
+	} else {
+		tc.AfterSync(prov, nil)
+	}
+}
+
+func generateAdditionalObjects(tc *TestCase) {
+	if tc.AdditionalObjects != nil {
+		for _, obj := range tc.AdditionalObjects {
+			err := tc.Framework.CRClient.Create(context.Background(), obj)
 			Expect(err).ToNot(HaveOccurred())
-			tc.AfterSync(prov, secret)
-		} else {
-			tc.AfterSync(prov, nil)
 		}
 	}
 }
 
-func makeDefaultTestCase(f *Framework) *TestCase {
+func createProvidedExternalSecret(tc *TestCase) {
+	if tc.ExternalSecretV1Alpha1 != nil {
+		err := tc.Framework.CRClient.Create(context.Background(), tc.ExternalSecretV1Alpha1)
+		Expect(err).ToNot(HaveOccurred())
+	} else if tc.ExternalSecret != nil {
+		// create v1beta1 external secret otherwise
+		err := tc.Framework.CRClient.Create(context.Background(), tc.ExternalSecret)
+		Expect(err).ToNot(HaveOccurred())
+	}
+}
+
+// TableFuncWithPushSecret returns the main func that runs a TestCase in a table driven test for push secrets.
+func TableFuncWithPushSecret(f *Framework, prov SecretStoreProvider, pushClient esv1beta1.SecretsClient) func(...func(*TestCase)) {
+	return func(tweaks ...func(*TestCase)) {
+		var err error
+
+		// make default test case
+		// and apply customization to it
+		tc := makeDefaultPushSecretTestCase(f)
+		for _, tweak := range tweaks {
+			tweak(tc)
+		}
+
+		if tc.PushSecretSource != nil {
+			err := tc.Framework.CRClient.Create(context.Background(), tc.PushSecretSource)
+			Expect(err).ToNot(HaveOccurred())
+		}
+
+		// create v1alpha1 push secret, if provided
+		if tc.PushSecret != nil {
+			// create v1beta1 external secret otherwise
+			err = tc.Framework.CRClient.Create(context.Background(), tc.PushSecret)
+			Expect(err).ToNot(HaveOccurred())
+		}
+
+		// additional objects
+		generateAdditionalObjects(tc)
+
+		// Run verification on the secret that push secret created or not.
+		tc.VerifyPushSecretOutcome(tc.PushSecret, pushClient)
+	}
+}
+
+func makeDefaultExternalSecretTestCase(f *Framework) *TestCase {
 	return &TestCase{
 		AfterSync: func(ssp SecretStoreProvider, s *v1.Secret) {},
 		Framework: f,
@@ -130,3 +184,23 @@ func makeDefaultTestCase(f *Framework) *TestCase {
 		},
 	}
 }
+
+func makeDefaultPushSecretTestCase(f *Framework) *TestCase {
+	return &TestCase{
+		Framework: f,
+		PushSecret: &esv1alpha1.PushSecret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "e2e-ps",
+				Namespace: f.Namespace.Name,
+			},
+			Spec: esv1alpha1.PushSecretSpec{
+				RefreshInterval: &metav1.Duration{Duration: time.Second * 5},
+				SecretStoreRefs: []esv1alpha1.PushSecretStoreRef{
+					{
+						Name: f.Namespace.Name,
+					},
+				},
+			},
+		},
+	}
+}

e2e/framework/util/util.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package util
 
 import (

e2e/suites/argocd/argocd.go

@@ -12,6 +12,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package argocd
 
 import (
@@ -28,7 +29,7 @@ var _ = Describe("argocd", Label("argocd"), func() {
 	f := framework.New("argocd")
 	prov := fake.NewProvider(f)
 
-	DescribeTable("sync secrets", framework.TableFunc(f, prov),
+	DescribeTable("sync secrets", framework.TableFuncWithExternalSecret(f, prov),
 		Entry(common.SimpleDataSync(f)),
 		Entry(common.JSONDataFromSync(f)),
 		Entry(common.SSHKeySync(f)),

e2e/suites/argocd/install.go

@@ -12,6 +12,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package argocd
 
 import (

e2e/suites/argocd/suite_test.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package argocd
 
 import (

e2e/suites/flux/flux.go

@@ -12,6 +12,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package flux
 
 import (
@@ -28,7 +29,7 @@ var _ = Describe("flux", Label("flux"), func() {
 	f := framework.New("flux")
 	prov := fake.NewProvider(f)
 
-	DescribeTable("sync secrets", framework.TableFunc(f, prov),
+	DescribeTable("sync secrets", framework.TableFuncWithExternalSecret(f, prov),
 		Entry(common.SimpleDataSync(f)),
 		Entry(common.JSONDataFromSync(f)),
 		Entry(common.SSHKeySync(f)),

e2e/suites/flux/install.go

@@ -12,6 +12,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package flux
 
 import (

e2e/suites/flux/suite_test.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package flux
 
 import (

e2e/suites/generator/ecr.go

@@ -12,6 +12,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package generator
 
 import (

e2e/suites/generator/fake.go

@@ -12,6 +12,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package generator
 
 import (

e2e/suites/generator/password.go

@@ -12,6 +12,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package generator
 
 import (

e2e/suites/generator/suite_test.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package generator
 
 import (

e2e/suites/generator/testcase.go

@@ -12,6 +12,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package generator
 
 import (

e2e/suites/provider/cases/akeyless/akeyless.go

@@ -27,7 +27,7 @@ var _ = Describe("[akeyless]", Label("akeyless"), func() {
 	f := framework.New("eso-akeyless")
 	prov := newFromEnv(f)
 
-	DescribeTable("sync secrets", framework.TableFunc(f, prov),
+	DescribeTable("sync secrets", framework.TableFuncWithExternalSecret(f, prov),
 		Entry(common.SimpleDataSync(f)),
 		Entry(common.NestedJSONWithGJSON(f)),
 		Entry(common.JSONDataFromSync(f)),

e2e/suites/provider/cases/alibaba/alibaba.go

@@ -27,7 +27,7 @@ var _ = Describe("[alibaba]", Label("alibaba"), func() {
 	f := framework.New("eso-alibaba")
 	prov := newFromEnv(f)
 
-	DescribeTable("sync secrets", framework.TableFunc(f, prov),
+	DescribeTable("sync secrets", framework.TableFuncWithExternalSecret(f, prov),
 		Entry(common.SimpleDataSync(f)),
 		Entry(common.NestedJSONWithGJSON(f)),
 		Entry(common.JSONDataFromSync(f)),

e2e/suites/provider/cases/aws/common.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package common
 
 import (

e2e/suites/provider/cases/aws/parameterstore/parameterstore.go

@@ -35,7 +35,7 @@ var _ = Describe("[aws] ", Label("aws", "parameterstore"), func() {
 	prov := NewFromEnv(f)
 
 	DescribeTable("sync secrets",
-		framework.TableFunc(f,
+		framework.TableFuncWithExternalSecret(f,
 			prov),
 		framework.Compose(withStaticAuth, f, common.SimpleDataSync, useStaticAuth),
 		framework.Compose(withStaticAuth, f, common.NestedJSONWithGJSON, useStaticAuth),

e2e/suites/provider/cases/aws/parameterstore/parameterstore_managed.go

@@ -34,7 +34,7 @@ var _ = Describe("[awsmanaged] IRSA via referenced service account", Label("aws"
 
 	// nolint
 	DescribeTable("sync secrets",
-		framework.TableFunc(f,
+		framework.TableFuncWithExternalSecret(f,
 			prov),
 		framework.Compose(awscommon.WithReferencedIRSA, f, common.SimpleDataSync, awscommon.UseClusterSecretStore),
 		framework.Compose(awscommon.WithReferencedIRSA, f, common.NestedJSONWithGJSON, awscommon.UseClusterSecretStore),
@@ -74,7 +74,7 @@ var _ = Describe("[awsmanaged] with mounted IRSA", Label("aws", "parameterstore"
 
 	// nolint
 	DescribeTable("sync secrets",
-		framework.TableFunc(f,
+		framework.TableFuncWithExternalSecret(f,
 			prov),
 		framework.Compose(awscommon.WithMountedIRSA, f, common.SimpleDataSync, awscommon.UseMountedIRSAStore),
 		framework.Compose(awscommon.WithMountedIRSA, f, common.NestedJSONWithGJSON, awscommon.UseMountedIRSAStore),

e2e/suites/provider/cases/aws/secretsmanager/secretsmanager.go

@@ -37,7 +37,7 @@ var _ = Describe("[aws] ", Label("aws", "secretsmanager"), func() {
 	prov := NewFromEnv(f)
 
 	DescribeTable("sync secrets",
-		framework.TableFunc(f,
+		framework.TableFuncWithExternalSecret(f,
 			prov),
 		framework.Compose(withStaticAuth, f, common.SimpleDataSync, useStaticAuth),
 		framework.Compose(withStaticAuth, f, common.NestedJSONWithGJSON, useStaticAuth),

e2e/suites/provider/cases/aws/secretsmanager/secretsmanager_managed.go

@@ -34,7 +34,7 @@ var _ = Describe("[awsmanaged] IRSA via referenced service account", Label("aws"
 
 	// nolint
 	DescribeTable("sync secretsmanager secrets",
-		framework.TableFunc(f,
+		framework.TableFuncWithExternalSecret(f,
 			prov),
 		framework.Compose(awscommon.WithReferencedIRSA, f, common.SimpleDataSync, awscommon.UseClusterSecretStore),
 		framework.Compose(awscommon.WithReferencedIRSA, f, common.NestedJSONWithGJSON, awscommon.UseClusterSecretStore),
@@ -74,7 +74,7 @@ var _ = Describe("[awsmanaged] with mounted IRSA", Label("aws", "secretsmanager"
 
 	// nolint
 	DescribeTable("sync secretsmanager secrets",
-		framework.TableFunc(f,
+		framework.TableFuncWithExternalSecret(f,
 			prov),
 		framework.Compose(awscommon.WithMountedIRSA, f, common.SimpleDataSync, awscommon.UseMountedIRSAStore),
 		framework.Compose(awscommon.WithMountedIRSA, f, common.NestedJSONWithGJSON, awscommon.UseMountedIRSAStore),

e2e/suites/provider/cases/azure/azure_cert.go

@@ -41,7 +41,7 @@ var _ = Describe("[azure]", Label("azure", "keyvault", "cert"), func() {
 		prov.DeleteCertificate(certName)
 	})
 
-	ff := framework.TableFunc(f, prov)
+	ff := framework.TableFuncWithExternalSecret(f, prov)
 	It("should sync keyvault objects with type=cert", func() {
 		ff(func(tc *framework.TestCase) {
 			secretKey := "azkv-cert"

e2e/suites/provider/cases/azure/azure_key.go

@@ -42,7 +42,7 @@ var _ = Describe("[azure]", Label("azure", "keyvault", "key"), func() {
 		prov.DeleteKey(keyName)
 	})
 
-	ff := framework.TableFunc(f, prov)
+	ff := framework.TableFuncWithExternalSecret(f, prov)
 
 	It("should sync keyvault objects with type=key", func() {
 		ff(func(tc *framework.TestCase) {

e2e/suites/provider/cases/azure/azure_managed.go

@@ -49,7 +49,7 @@ var _ = Describe("[azuremanaged] with pod identity", Label("azure", "keyvault",
 	})
 
 	DescribeTable("sync secrets",
-		framework.TableFunc(f,
+		framework.TableFuncWithExternalSecret(f,
 			prov),
 		// uses pod id
 		framework.Compose(withPodID, f, common.SimpleDataSync, usePodIDESReference),

e2e/suites/provider/cases/azure/azure_secret.go

@@ -32,7 +32,7 @@ var _ = Describe("[azure]", Label("azure", "keyvault", "secret"), func() {
 	f := framework.New("eso-azure")
 	prov := newFromEnv(f)
 
-	DescribeTable("sync secrets", framework.TableFunc(f, prov),
+	DescribeTable("sync secrets", framework.TableFuncWithExternalSecret(f, prov),
 		framework.Compose(withStaticCredentials, f, common.SimpleDataSync, useStaticCredentials),
 		framework.Compose(withStaticCredentials, f, common.NestedJSONWithGJSON, useStaticCredentials),
 		framework.Compose(withStaticCredentials, f, common.JSONDataFromSync, useStaticCredentials),

e2e/suites/provider/cases/delinea/delinea.go

@@ -30,7 +30,7 @@ var _ = ginkgo.Describe("[delinea]", ginkgo.Label("delinea"), func() {
 		createResources(context.Background(), f, cfg)
 	})
 
-	ginkgo.DescribeTable("sync secrets", framework.TableFunc(f, provider),
+	ginkgo.DescribeTable("sync secrets", framework.TableFuncWithExternalSecret(f, provider),
 
 		ginkgo.Entry(common.JSONDataWithProperty(f)),
 		ginkgo.Entry(common.JSONDataWithoutTargetName(f)),

e2e/suites/provider/cases/fake/provider.go

@@ -11,12 +11,12 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package fake
 
 import (
 	"context"
 	"encoding/json"
-
 	// nolint
 	. "github.com/onsi/ginkgo/v2"
 

e2e/suites/provider/cases/gcp/gcp.go

@@ -39,7 +39,7 @@ var _ = Describe("[gcp]", Label("gcp", "secretsmanager"), func() {
 	f := framework.New("eso-gcp")
 	prov := NewFromEnv(f, "")
 
-	DescribeTable("sync secrets", framework.TableFunc(f, prov),
+	DescribeTable("sync secrets", framework.TableFuncWithExternalSecret(f, prov),
 		framework.Compose(withStaticAuth, f, common.SimpleDataSync, useStaticAuth),
 		framework.Compose(withStaticAuth, f, common.JSONDataWithProperty, useStaticAuth),
 		framework.Compose(withStaticAuth, f, common.JSONDataFromSync, useStaticAuth),

e2e/suites/provider/cases/gcp/gcp_managed.go

@@ -50,7 +50,7 @@ var _ = Describe("[gcpmanaged] with pod identity", Label("gcp", "secretsmanager"
 	})
 
 	DescribeTable("sync secrets",
-		framework.TableFunc(f,
+		framework.TableFuncWithExternalSecret(f,
 			prov),
 		// uses pod id
 		framework.Compose(withPodID, f, common.SimpleDataSync, usePodIDESReference),
@@ -86,7 +86,7 @@ var _ = Describe("[gcpmanaged] with service account", Label("gcp", "secretsmanag
 	})
 
 	DescribeTable("sync secrets",
-		framework.TableFunc(f,
+		framework.TableFuncWithExternalSecret(f,
 			prov),
 		// uses specific sa
 		framework.Compose(withSpecifcSA, f, common.JSONDataFromSync, useSpecifcSAESReference(prov)),

e2e/suites/provider/cases/gitlab/gitlab.go

@@ -30,7 +30,7 @@ var _ = Describe("[gitlab]", Label("gitlab"), func() {
 	f := framework.New("eso-gitlab")
 	prov := newFromEnv(f)
 
-	DescribeTable("sync secrets", framework.TableFunc(f, prov),
+	DescribeTable("sync secrets", framework.TableFuncWithExternalSecret(f, prov),
 		Entry(common.SimpleDataSync(f)),
 		Entry(common.JSONDataWithProperty(f)),
 		Entry(common.JSONDataFromSync(f)),

e2e/suites/provider/cases/gitlab/provider.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package gitlab
 
 import (
@@ -23,7 +24,7 @@ import (
 
 	// nolint
 	. "github.com/onsi/gomega"
-	gitlab "github.com/xanzy/go-gitlab"
+	"github.com/xanzy/go-gitlab"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 

e2e/suites/provider/cases/import.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package suite
 
 import (

e2e/suites/provider/cases/kubernetes/kubernetes.go

@@ -33,7 +33,7 @@ var _ = Describe("[kubernetes] ", Label("kubernetes"), func() {
 	prov := NewProvider(f)
 
 	DescribeTable("sync secrets",
-		framework.TableFunc(f,
+		framework.TableFuncWithExternalSecret(f,
 			prov),
 		Entry(common.JSONDataWithProperty(f)),
 		Entry(common.JSONDataWithoutTargetName(f)),

e2e/suites/provider/cases/kubernetes/provider.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package kubernetes
 
 import (

e2e/suites/provider/cases/oracle/oracle.go

@@ -25,7 +25,7 @@ var _ = Describe("[oracle]", Label("oracle"), func() {
 	f := framework.New("eso-oracle")
 	prov := newFromEnv(f)
 
-	DescribeTable("sync secrets", framework.TableFunc(f, prov),
+	DescribeTable("sync secrets", framework.TableFuncWithExternalSecret(f, prov),
 		Entry(common.SimpleDataSync(f)),
 		Entry(common.NestedJSONWithGJSON(f)),
 		Entry(common.JSONDataFromSync(f)),

e2e/suites/provider/cases/scaleway/scaleway.go

@@ -2,6 +2,8 @@ package scaleway
 
 import (
 	"context"
+	"sync"
+
 	"github.com/external-secrets/external-secrets-e2e/framework"
 	"github.com/external-secrets/external-secrets-e2e/suites/provider/cases/common"
 	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
@@ -10,7 +12,6 @@ import (
 	"github.com/onsi/gomega"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"sync"
 )
 
 var cleanupOnce sync.Once
@@ -37,7 +38,7 @@ var _ = ginkgo.Describe("[scaleway]", ginkgo.Label("scaleway"), func() {
 		createResources(context.Background(), f, cfg)
 	})
 
-	ginkgo.DescribeTable("sync secrets", framework.TableFunc(f, provider),
+	ginkgo.DescribeTable("sync secrets", framework.TableFuncWithExternalSecret(f, provider),
 
 		//ginkgo.Entry(common.SyncV1Alpha1(f)), // not supported
 		ginkgo.Entry(common.SimpleDataSync(f)),

e2e/suites/provider/cases/template/provider.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package template
 
 import (

e2e/suites/provider/cases/template/template.go

@@ -10,25 +10,41 @@ distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 limitations under the License.
 */
+
 package template
 
 import (
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/external-secrets/external-secrets-e2e/framework"
+	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
+	"github.com/external-secrets/external-secrets/pkg/provider/testing/fake"
+	"github.com/onsi/gomega"
+	v1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/wait"
 
 	// nolint
 	. "github.com/onsi/ginkgo/v2"
-	v1 "k8s.io/api/core/v1"
-
-	"github.com/external-secrets/external-secrets-e2e/framework"
-	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 )
 
 var _ = Describe("[template]", Label("template"), func() {
-	f := framework.New("eso-template")
+	f := framework.New("templating")
 	prov := newProvider(f)
+	fakeSecretClient := fake.New()
 
-	DescribeTable("sync secrets", framework.TableFunc(f, prov),
+	DescribeTable("sync secrets", framework.TableFuncWithExternalSecret(f, prov),
-		framework.Compose("template v1", f, genericTemplate, useTemplateV1),
+		framework.Compose("template v1", f, genericExternalSecretTemplate, useTemplateV1),
-		framework.Compose("template v2", f, genericTemplate, useTemplateV2),
+		framework.Compose("template v2", f, genericExternalSecretTemplate, useTemplateV2),
+	)
+
+	DescribeTable("push secret", framework.TableFuncWithPushSecret(f, prov, fakeSecretClient),
+		framework.Compose("template", f, genericPushSecretTemplate, useTemplateWithPushSecret),
 	)
 })
 
@@ -67,7 +83,7 @@ func useTemplateV2(tc *framework.TestCase) {
 }
 
 // This case uses template engine v1.
-func genericTemplate(f *framework.Framework) (string, func(*framework.TestCase)) {
+func genericExternalSecretTemplate(f *framework.Framework) (string, func(*framework.TestCase)) {
 	return "[template] should execute template v1", func(tc *framework.TestCase) {
 		tc.ExpectedSecret = &v1.Secret{
 			Type: v1.SecretTypeOpaque,
@@ -101,3 +117,108 @@ func genericTemplate(f *framework.Framework) (string, func(*framework.TestCase))
 		}
 	}
 }
+
+// This case uses template engine v1.
+func genericPushSecretTemplate(f *framework.Framework) (string, func(*framework.TestCase)) {
+	return "[template] should execute template v1", func(tc *framework.TestCase) {
+		secretKey1 := fmt.Sprintf("%s-%s", f.Namespace.Name, "one")
+		tc.PushSecretSource = &v1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      secretKey1,
+				Namespace: f.Namespace.Name,
+			},
+			Data: map[string][]byte{
+				"singlefoo": []byte("bar"),
+			},
+			Type: v1.SecretTypeOpaque,
+		}
+		tc.PushSecret.Spec.Selector = esv1alpha1.PushSecretSelector{
+			Secret: esv1alpha1.PushSecretSecret{
+				Name: secretKey1,
+			},
+		}
+		tc.PushSecret.Spec.Data = []esv1alpha1.PushSecretData{
+			{
+				Match: esv1alpha1.PushSecretMatch{
+					SecretKey: "singlefoo",
+					RemoteRef: esv1alpha1.PushSecretRemoteRef{
+						RemoteKey: "key",
+						Property:  "singlefoo",
+					},
+				},
+			},
+		}
+		tc.VerifyPushSecretOutcome = func(sourcePs *esv1alpha1.PushSecret, pushClient esv1beta1.SecretsClient) {
+			gomega.Eventually(func() bool {
+				s := &esv1alpha1.PushSecret{}
+				err := tc.Framework.CRClient.Get(context.Background(), types.NamespacedName{Name: tc.PushSecret.Name, Namespace: tc.PushSecret.Namespace}, s)
+				gomega.Expect(err).ToNot(gomega.HaveOccurred())
+				for i := range s.Status.Conditions {
+					c := s.Status.Conditions[i]
+					if c.Type == esv1alpha1.PushSecretReady && c.Status == v1.ConditionTrue {
+						return true
+					}
+				}
+
+				return false
+			}, time.Minute*1, time.Second*5).Should(gomega.BeTrue())
+
+			// create an external secret that fetches the created remote secret
+			// and check the value
+			exampleOutput := "example-output"
+			es := &esv1beta1.ExternalSecret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "e2e-es",
+					Namespace: f.Namespace.Name,
+				},
+				Spec: esv1beta1.ExternalSecretSpec{
+					RefreshInterval: &metav1.Duration{Duration: time.Second * 5},
+					SecretStoreRef: esv1beta1.SecretStoreRef{
+						Name: f.Namespace.Name,
+					},
+					Target: esv1beta1.ExternalSecretTarget{
+						Name: exampleOutput,
+					},
+					Data: []esv1beta1.ExternalSecretData{
+						{
+							SecretKey: exampleOutput,
+							RemoteRef: esv1beta1.ExternalSecretDataRemoteRef{
+								Key: "key",
+							},
+						},
+					},
+				},
+			}
+
+			err := tc.Framework.CRClient.Create(context.Background(), es)
+			gomega.Expect(err).ToNot(gomega.HaveOccurred())
+
+			outputSecret := &v1.Secret{}
+			err = wait.PollImmediate(time.Second*5, time.Second*15, func() (bool, error) {
+				err := f.CRClient.Get(context.Background(), types.NamespacedName{
+					Namespace: f.Namespace.Name,
+					Name:      exampleOutput,
+				}, outputSecret)
+				if apierrors.IsNotFound(err) {
+					return false, nil
+				}
+				return true, nil
+			})
+			gomega.Expect(err).ToNot(gomega.HaveOccurred())
+
+			v, ok := outputSecret.Data[exampleOutput]
+			gomega.Expect(ok).To(gomega.BeTrue())
+			gomega.Expect(string(v)).To(gomega.Equal("executed: BAR"))
+		}
+	}
+}
+
+// useTemplateWithPushSecret specifies a test case which uses the template engine v1.
+func useTemplateWithPushSecret(tc *framework.TestCase) {
+	tc.PushSecret.Spec.Template = &esv1beta1.ExternalSecretTemplate{
+		EngineVersion: esv1beta1.TemplateEngineV2,
+		Data: map[string]string{
+			"singlefoo": "executed: {{ .singlefoo | upper }}",
+		},
+	}
+}

e2e/suites/provider/cases/vault/provider.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package vault
 
 import (

e2e/suites/provider/cases/vault/vault.go

@@ -15,10 +15,11 @@ package vault
 import (
 	"context"
 	"fmt"
+	"time"
+
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
-	"time"
 
 	// nolint
 	. "github.com/onsi/ginkgo/v2"
@@ -48,7 +49,7 @@ var _ = Describe("[vault]", Label("vault"), func() {
 	prov := newVaultProvider(f)
 
 	DescribeTable("sync secrets",
-		framework.TableFunc(f, prov),
+		framework.TableFuncWithExternalSecret(f, prov),
 		// uses token auth
 		framework.Compose(withTokenAuth, f, common.FindByName, useTokenAuth),
 		framework.Compose(withTokenAuth, f, common.FindByNameAndRewrite, useTokenAuth),
@@ -127,7 +128,7 @@ var _ = Describe("[vault] with mTLS", Label("vault", "vault-mtls"), func() {
 	prov := newVaultProvider(f)
 
 	DescribeTable("sync secrets",
-		framework.TableFunc(f, prov),
+		framework.TableFuncWithExternalSecret(f, prov),
 		// uses token auth
 		framework.Compose(withTokenAuthAndMTLS, f, common.FindByName, useMTLSAndTokenAuth),
 		// use referent auth

e2e/suites/provider/suite_test.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package e2e
 
 import (

main.go

@@ -13,6 +13,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package main
 
 import "github.com/external-secrets/external-secrets/cmd"

pkg/cache/cache_test.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package cache
 
 import (

pkg/constants/constants.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package constants
 
 const (

pkg/controllers/crds/common_test.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package crds
 
 import (

pkg/controllers/externalsecret/externalsecret_controller.go

@@ -58,12 +58,7 @@ const (
 	errInvalidKeys          = "secret keys from spec.dataFrom.%v[%d] can only have alphanumeric,'-', '_' or '.' characters. Convert them using rewrite (https://external-secrets.io/latest/guides-datafrom-rewrite)"
 	errUpdateSecret         = "could not update Secret"
 	errPatchStatus          = "unable to patch status"
-	errStoreRef             = "could not get store reference"
-	errStoreUsability       = "could not use store reference"
-	errStoreProvider        = "could not get store provider"
-	errStoreClient          = "could not get provider client"
 	errGetExistingSecret    = "could not get existing secret: %w"
-	errCloseStoreClient     = "could not close provider client"
 	errSetCtrlReference     = "could not set ExternalSecret controller reference: %w"
 	errFetchTplFrom         = "error fetching templateFrom data: %w"
 	errGetSecretData        = "could not get secret data from provider"
@@ -75,8 +70,6 @@ const (
 	errPolicyMergeGetSecret = "unable to get secret %s: %w"
 	errPolicyMergeMutate    = "unable to mutate secret %s: %w"
 	errPolicyMergePatch     = "unable to patch secret %s: %w"
-	errTplCMMissingKey      = "error in configmap %s: missing key %s"
-	errTplSecMissingKey     = "error in secret %s: missing key %s"
 )
 
 // Reconciler reconciles a ExternalSecret object.

pkg/controllers/externalsecret/externalsecret_controller_test.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package externalsecret
 
 import (

pkg/controllers/externalsecret/util.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package externalsecret
 
 import (
@@ -18,7 +19,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
-	esmetrics "github.com/external-secrets/external-secrets/pkg/controllers/externalsecret/esmetrics"
+	"github.com/external-secrets/external-secrets/pkg/controllers/externalsecret/esmetrics"
 )
 
 // NewExternalSecretCondition a set of default options for creating an External Secret Condition.

pkg/controllers/externalsecret/util_test.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package externalsecret
 
 import (

pkg/controllers/secretstore/common.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package secretstore
 
 import (

pkg/controllers/secretstore/common_test.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package secretstore
 
 import (

pkg/controllers/webhookconfig/webhookconfig_test.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package webhookconfig
 
 import (

pkg/feature/feature.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package feature
 
 import (

pkg/provider/akeyless/akeyless_test.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package akeyless
 
 import (

pkg/provider/akeyless/fake/fake.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package fake
 
 import (

pkg/provider/akeyless/utils.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package akeyless
 
 import (

pkg/provider/aws/auth/fake/assumeroler.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package fake
 
 import (

pkg/provider/aws/auth/resolver.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package auth
 
 import (

pkg/provider/aws/auth/resolver_test.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package auth
 
 import (

pkg/provider/aws/auth/token_fetcher.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package auth
 
 import (

pkg/provider/aws/auth/token_fetcher_test.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package auth
 
 import (

pkg/provider/aws/parameterstore/fake/fake.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package fake
 
 import (

pkg/provider/aws/parameterstore/parameterstore.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package parameterstore
 
 import (

pkg/provider/aws/parameterstore/parameterstore_test.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package parameterstore
 
 import (

pkg/provider/aws/util/errors_test.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package util
 
 import (

pkg/provider/aws/util/provider.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package util
 
 import (

pkg/provider/aws/util/validation.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package util
 
 import (

pkg/provider/azure/keyvault/fake/fake.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package fake
 
 import (

pkg/provider/conjur/auth_jwt.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package conjur
 
 import (

pkg/provider/conjur/conjur_api.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package conjur
 
 import (

pkg/provider/conjur/provider.go

@@ -1,4 +1,3 @@
-// Package conjur provides a Conjur provider for External Secrets.
 /*
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -12,6 +11,8 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
+// Package conjur provides a Conjur provider for External Secrets.
 package conjur
 
 import (

pkg/provider/conjur/util/provider.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package util
 
 import (

pkg/provider/delinea/client.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package delinea
 
 import (

pkg/provider/delinea/client_test.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package delinea
 
 import (

pkg/provider/delinea/provider_test.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package delinea
 
 import (

pkg/provider/delinea/secret_api.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package delinea
 
 import (

pkg/provider/doppler/fake/fake.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package fake
 
 import (

pkg/provider/fake/fake.go

@@ -122,10 +122,12 @@ func (p *Provider) PushSecret(_ context.Context, secret *corev1.Secret, data esv
 		}
 		return nil
 	}
+
 	if currentData.Origin != FakeSetSecret {
 		return fmt.Errorf("key already exists")
 	}
 	currentData.Value = string(value)
+
 	return nil
 }
 

pkg/provider/fake/fake_test.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package fake
 
 import (

pkg/provider/gcp/secretmanager/auth.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package secretmanager
 
 import (

pkg/provider/gcp/secretmanager/client.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package secretmanager
 
 import (

pkg/provider/gcp/secretmanager/client_test.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package secretmanager
 
 import (

pkg/provider/gcp/secretmanager/fake/fake.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package fake
 
 import (

pkg/provider/gcp/secretmanager/provider.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package secretmanager
 
 import (

pkg/provider/gcp/secretmanager/push_secret.go

@@ -11,6 +11,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package secretmanager
 
 import (