Merge pull request #26 from siddhibhor-56/sbhor-eso-52

ESO-52: Adds e2e test case for the operator

Author: openshift-merge-bot[bot]

go.mod

@@ -3,6 +3,7 @@ module github.com/openshift/external-secrets-operator
 go 1.23.6
 
 require (
+	github.com/aws/aws-sdk-go v1.55.7
 	github.com/cert-manager/cert-manager v1.16.4
 	github.com/elastic/crd-ref-docs v0.1.0
 	github.com/go-bindata/go-bindata v3.1.2+incompatible
@@ -11,15 +12,16 @@ require (
 	github.com/maxbrunsfeld/counterfeiter/v6 v6.11.2
 	github.com/onsi/ginkgo/v2 v2.22.0
 	github.com/onsi/gomega v1.36.1
-	github.com/openshift/build-machinery-go v0.0.0-20250414185254-3ce8e800ceda
+	github.com/openshift/build-machinery-go v0.0.0-20250530140348-dc5b2804eeee
+	github.com/stretchr/testify v1.10.0
 	go.uber.org/zap v1.27.0
-	k8s.io/api v0.32.1
+	k8s.io/api v0.32.3
 	k8s.io/apiextensions-apiserver v0.32.1
-	k8s.io/apimachinery v0.32.1
+	k8s.io/apimachinery v0.32.3
 	k8s.io/client-go v0.32.1
 	k8s.io/klog/v2 v2.130.1
 	k8s.io/kubernetes v1.32.1
-	k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738
+	k8s.io/utils v0.0.0-20241210054802-24370beab758
 	sigs.k8s.io/controller-runtime v0.20.1
 	sigs.k8s.io/controller-runtime/tools/setup-envtest v0.0.0-20250308055145-5fe7bb3edc86
 	sigs.k8s.io/controller-tools v0.16.1
@@ -142,6 +144,7 @@ require (
 	github.com/jingyugao/rowserrcheck v1.1.1 // indirect
 	github.com/jirfag/go-printf-func-name v0.0.0-20200119135958-7558a9eaa5af // indirect
 	github.com/jjti/go-spancheck v0.6.1 // indirect
+	github.com/jmespath/go-jmespath v0.4.1-0.20220621161143-b0104c826a24 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/julz/importas v0.1.0 // indirect
@@ -221,7 +224,6 @@ require (
 	github.com/stbenjam/no-sprintf-host-port v0.1.1 // indirect
 	github.com/stoewer/go-strcase v1.3.0 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
-	github.com/stretchr/testify v1.10.0 // indirect
 	github.com/subosito/gotenv v1.4.1 // indirect
 	github.com/t-yuki/gocover-cobertura v0.0.0-20180217150009-aaee18c8195c // indirect
 	github.com/tdakkota/asciicheck v0.2.0 // indirect

go.sum

@@ -54,6 +54,8 @@ github.com/ashanbrown/forbidigo v1.6.0 h1:D3aewfM37Yb3pxHujIPSpTf6oQk9sc9WZi8ger
 github.com/ashanbrown/forbidigo v1.6.0/go.mod h1:Y8j9jy9ZYAEHXdu723cUlraTqbzjKF1MUyfOKL+AjcU=
 github.com/ashanbrown/makezero v1.1.1 h1:iCQ87C0V0vSyO+M9E/FZYbu65auqH0lnsOkf5FcB28s=
 github.com/ashanbrown/makezero v1.1.1/go.mod h1:i1bJLCRSCHOcOa9Y6MyF2FTfMZMFdHvxKHxgO5Z1axI=
+github.com/aws/aws-sdk-go v1.55.7 h1:UJrkFq7es5CShfBwlWAC8DA077vp8PyVbQd3lqLiztE=
+github.com/aws/aws-sdk-go v1.55.7/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bkielbasa/cyclop v1.2.1 h1:AeF71HZDob1P2/pRm1so9cd1alZnrpyc4q2uP2l0gJY=
@@ -284,6 +286,10 @@ github.com/jirfag/go-printf-func-name v0.0.0-20200119135958-7558a9eaa5af h1:KA9B
 github.com/jirfag/go-printf-func-name v0.0.0-20200119135958-7558a9eaa5af/go.mod h1:HEWGJkRDzjJY2sqdDwxccsGicWEf9BQOZsq2tV+xzM0=
 github.com/jjti/go-spancheck v0.6.1 h1:ZK/wE5Kyi1VX3PJpUO2oEgeoI4FWOUm7Shb2Gbv5obI=
 github.com/jjti/go-spancheck v0.6.1/go.mod h1:vF1QkOO159prdo6mHRxak2CpzDpHAfKiPUDP/NeRnX8=
+github.com/jmespath/go-jmespath v0.4.1-0.20220621161143-b0104c826a24 h1:liMMTbpW34dhU4az1GN0pTPADwNmvoRSeoZ6PItiqnY=
+github.com/jmespath/go-jmespath v0.4.1-0.20220621161143-b0104c826a24/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
+github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
+github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
 github.com/jonboulle/clockwork v0.4.0 h1:p4Cf1aMWXnXAUh8lVfewRBx1zaTSYKrKMF2g3ST4RZ4=
 github.com/jonboulle/clockwork v0.4.0/go.mod h1:xgRqUGwRcjKCO1vbZUEtSLrqKoPSsUpK7fnezOII0kc=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
@@ -393,8 +399,8 @@ github.com/onsi/gomega v1.36.1 h1:bJDPBO7ibjxcbHMgSCoo4Yj18UWbKDlLwX1x9sybDcw=
 github.com/onsi/gomega v1.36.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
-github.com/openshift/build-machinery-go v0.0.0-20250414185254-3ce8e800ceda h1:Yjnmq1n4zf1pTwao3EAgkG5o++6iOuxfxGVDwj2Kfrs=
-github.com/openshift/build-machinery-go v0.0.0-20250414185254-3ce8e800ceda/go.mod h1:8jcm8UPtg2mCAsxfqKil1xrmRMI3a+XU2TZ9fF8A7TE=
+github.com/openshift/build-machinery-go v0.0.0-20250530140348-dc5b2804eeee h1:+Sp5GGnjHDhT/a/nQ1xdp43UscBMr7G5wxsYotyhzJ4=
+github.com/openshift/build-machinery-go v0.0.0-20250530140348-dc5b2804eeee/go.mod h1:8jcm8UPtg2mCAsxfqKil1xrmRMI3a+XU2TZ9fF8A7TE=
 github.com/otiai10/copy v1.2.0/go.mod h1:rrF5dJ5F0t/EWSYODDu4j9/vEeYHMkc8jt0zJChqQWw=
 github.com/otiai10/copy v1.14.0 h1:dCI/t1iTdYGtkvCuBG2BgR6KZa83PTclw4U5n2wAllU=
 github.com/otiai10/copy v1.14.0/go.mod h1:ECfuL02W+/FkTWZWgQqXPWZgW9oeKCSQ5qVfSc4qc4w=
@@ -766,19 +772,20 @@ gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkep
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 honnef.co/go/tools v0.4.7 h1:9MDAWxMoSnB6QoSqiVr7P5mtkT9pOc1kSxchzPCnqJs=
 honnef.co/go/tools v0.4.7/go.mod h1:+rnGS1THNh8zMwnd2oVOTL9QF6vmfyG6ZXBULae2uc0=
-k8s.io/api v0.32.1 h1:f562zw9cy+GvXzXf0CKlVQ7yHJVYzLfL6JAS4kOAaOc=
-k8s.io/api v0.32.1/go.mod h1:/Yi/BqkuueW1BgpoePYBRdDYfjPF5sgTr5+YqDZra5k=
+k8s.io/api v0.32.3 h1:Hw7KqxRusq+6QSplE3NYG4MBxZw1BZnq4aP4cJVINls=
+k8s.io/api v0.32.3/go.mod h1:2wEDTXADtm/HA7CCMD8D8bK4yuBUptzaRhYcYEEYA3k=
 k8s.io/apiextensions-apiserver v0.32.1 h1:hjkALhRUeCariC8DiVmb5jj0VjIc1N0DREP32+6UXZw=
 k8s.io/apiextensions-apiserver v0.32.1/go.mod h1:sxWIGuGiYov7Io1fAS2X06NjMIk5CbRHc2StSmbaQto=
-k8s.io/apimachinery v0.32.1 h1:683ENpaCBjma4CYqsmZyhEzrGz6cjn1MY/X2jB2hkZs=
-k8s.io/apimachinery v0.32.1/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE=
+k8s.io/apimachinery v0.32.3 h1:JmDuDarhDmA/Li7j3aPrwhpNBA94Nvk5zLeOge9HH1U=
+k8s.io/apimachinery v0.32.3/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE=
 k8s.io/apiserver v0.32.1 h1:oo0OozRos66WFq87Zc5tclUX2r0mymoVHRq8JmR7Aak=
 k8s.io/apiserver v0.32.1/go.mod h1:UcB9tWjBY7aryeI5zAgzVJB/6k7E97bkr1RgqDz0jPw=
 k8s.io/client-go v0.32.1 h1:otM0AxdhdBIaQh7l1Q0jQpmo7WOFIk5FFa4bg6YMdUU=
@@ -801,8 +808,8 @@ k8s.io/kubelet v0.32.1 h1:bB91GvMsZb+LfzBxnjPEr1Fal/sdxZtYphlfwAaRJGw=
 k8s.io/kubelet v0.32.1/go.mod h1:4sAEZ6PlewD0GroV3zscY7llym6kmNNTVmUI/Qshm6w=
 k8s.io/kubernetes v1.32.1 h1:46YPpIBCT9dkmeglstZ2Gg4LGaAdro1/3IQ+1AfbF1s=
 k8s.io/kubernetes v1.32.1/go.mod h1:tiIKO63GcdPRBHW2WiUFm3C0eoLczl3f7qi56Dm1W8I=
-k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 h1:M3sRQVHv7vB20Xc2ybTt7ODCeFj6JSWYFzOFnYeS6Ro=
-k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+k8s.io/utils v0.0.0-20241210054802-24370beab758 h1:sdbE21q2nlQtFh65saZY+rRM6x6aJJI8IUa1AmH/qa0=
+k8s.io/utils v0.0.0-20241210054802-24370beab758/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 mvdan.cc/gofumpt v0.6.0 h1:G3QvahNDmpD+Aek/bNOLrFR2XC6ZAdo62dZu65gmwGo=
 mvdan.cc/gofumpt v0.6.0/go.mod h1:4L0wf+kgIPZtcCWXynNS2e6bhmj73umwnuXSZarixzA=
 mvdan.cc/unparam v0.0.0-20240528143540-8a5130ca722f h1:lMpcwN6GxNbWtbpI1+xzFLSW8XzX0u72NttUGVFjO3U=

test/e2e/e2e_suite_test.go

@@ -20,10 +20,26 @@ import (
 	"fmt"
 	"testing"
 
+	"k8s.io/client-go/rest"
+	"sigs.k8s.io/controller-runtime/pkg/client/config"
+
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 )
 
+var (
+	cfg *rest.Config
+)
+
+var _ = BeforeSuite(func() {
+	var err error
+
+	By("Initializing Kubernetes config")
+
+	cfg, err = config.GetConfig()
+	Expect(err).NotTo(HaveOccurred(), "failed to get kubeconfig")
+})
+
 // Run e2e tests using the Ginkgo runner.
 func TestE2E(t *testing.T) {
 	RegisterFailHandler(Fail)

test/e2e/e2e_test.go

@@ -1,11 +1,10 @@
 /*
 Copyright 2025.
-
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
 
-    http://www.apache.org/licenses/LICENSE-2.0
+	http://www.apache.org/licenses/LICENSE-2.0
 
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
@@ -17,66 +16,147 @@ limitations under the License.
 package e2e
 
 import (
+	"context"
+	"embed"
+	"encoding/base64"
 	"fmt"
-	"os/exec"
+	"testing"
 	"time"
 
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/client-go/dynamic"
+	"k8s.io/client-go/kubernetes"
+
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 
 	"github.com/openshift/external-secrets-operator/test/utils"
 )
 
-const namespace = "external-secrets-operator"
+//go:embed testdata/*
+var testassets embed.FS
+
+const (
+	operatorNamespace       = "external-secrets-operator"
+	operandNamespace        = "external-secrets"
+	secretStoreFile         = "testdata/aws_secret_store.yaml"
+	externalSecretFile      = "testdata/aws_external_secret.yaml"
+	pushSecretFile          = "testdata/push_secret.yaml"
+	externalSecrets         = "testdata/external_secret.yaml"
+	expectedSecretValueFile = "testdata/expected_value.yaml"
+	awsSecretToPushFile     = "testdata/aws_k8s_push_secret.yaml"
+	awsSecretRegionName     = "ap-south-1"
+)
+
+var _ = Describe("External Secrets Operator End-to-End test scenarios", Ordered, func() {
+	ctx := context.TODO()
+	var (
+		clientset     *kubernetes.Clientset
+		dynamicClient *dynamic.DynamicClient
+		loader        utils.DynamicResourceLoader
+		awsSecretName string
+	)
 
-var _ = Describe("controller", Ordered, func() {
 	BeforeAll(func() {
-		//TODO: add any pre-reqs for the tests.
+		var err error
+		loader = utils.NewDynamicResourceLoader(ctx, &testing.T{})
+
+		clientset, err = kubernetes.NewForConfig(cfg)
+		Expect(err).Should(BeNil())
+
+		dynamicClient, err = dynamic.NewForConfig(cfg)
+		Expect(err).Should(BeNil())
+
+		awsSecretName = fmt.Sprintf("eso-e2e-secret-%s", utils.GetRandomString(5))
+
+		By("Waiting for external-secrets-operator controller-manager pod to be ready")
+		Expect(utils.VerifyPodsReadyByPrefix(ctx, clientset, operatorNamespace, []string{
+			"external-secrets-operator-controller-manager-",
+		})).To(Succeed())
+
+		By("Creating the externalsecrets.openshift.operator.io/cluster CR")
+		loader.CreateFromFile(testassets.ReadFile, externalSecrets, operatorNamespace)
 	})
 
 	AfterAll(func() {
-		//TODO: add any clean up required after the tests.
+		By("Deleting the externalsecrets.openshift.operator.io/cluster CR")
+		loader.DeleteFromFile(testassets.ReadFile, externalSecrets, operatorNamespace)
+
+		err := utils.DeleteAWSSecret(ctx, clientset, awsSecretName, awsSecretRegionName)
+		Expect(err).NotTo(HaveOccurred(), "failed to delete AWS secret test/e2e")
 	})
 
-	Context("Operator", func() {
-		It("should run successfully", func() {
-			var controllerPodName string
-
-			By("validating that the controller-manager pod is running as expected")
-			verifyControllerUp := func() error {
-				// Get pod name
-
-				cmd := exec.Command("oc", "get",
-					"pods", "-l", "control-plane=controller-manager",
-					"-o", "go-template={{ range .items }}"+
-						"{{ if not .metadata.deletionTimestamp }}"+
-						"{{ .metadata.name }}"+
-						"{{ \"\\n\" }}{{ end }}{{ end }}",
-					"-n", namespace,
-				)
-
-				podOutput, err := utils.Run(cmd)
-				ExpectWithOffset(2, err).NotTo(HaveOccurred())
-				podNames := utils.GetNonEmptyLines(string(podOutput))
-				if len(podNames) != 1 {
-					return fmt.Errorf("expect 1 controller pods running, but got %d", len(podNames))
-				}
-				controllerPodName = podNames[0]
-				ExpectWithOffset(2, controllerPodName).Should(ContainSubstring("controller-manager"))
-
-				// Validate pod status
-				cmd = exec.Command("oc", "get",
-					"pods", controllerPodName, "-o", "jsonpath={.status.phase}",
-					"-n", namespace,
-				)
-				status, err := utils.Run(cmd)
-				ExpectWithOffset(2, err).NotTo(HaveOccurred())
-				if string(status) != "Running" {
-					return fmt.Errorf("controller pod in %s status", status)
-				}
-				return nil
-			}
-			EventuallyWithOffset(1, verifyControllerUp, time.Minute, time.Second).Should(Succeed())
-		})
+	BeforeEach(func() {
+		By("Verifying ESO pods are running and ready")
+		Expect(utils.VerifyPodsReadyByPrefix(ctx, clientset, operandNamespace, []string{
+			"external-secrets-",
+			"external-secrets-cert-controller-",
+			"external-secrets-webhook-",
+		})).To(Succeed())
+	})
+
+	It("should create secrets mentioned in ExternalSecret using the referenced SecretStore", func() {
+		expectedSecretValue, err := utils.ReadExpectedSecretValue(expectedSecretValueFile)
+		Expect(err).To(Succeed())
+
+		By("Creating kubernetes secret to be used in PushSecret")
+		secretsAssetFunc := utils.ReplacePatternInAsset("${SECRET_VALUE}", base64.StdEncoding.EncodeToString(expectedSecretValue))
+		loader.CreateFromFile(secretsAssetFunc, awsSecretToPushFile, operandNamespace)
+		defer loader.DeleteFromFile(testassets.ReadFile, awsSecretToPushFile, operandNamespace)
+
+		By("Creating SecretStore")
+		loader.CreateFromFile(testassets.ReadFile, secretStoreFile, operandNamespace)
+		defer loader.DeleteFromFile(testassets.ReadFile, secretStoreFile, operandNamespace)
+
+		By("Waiting for SecretStore to become Ready")
+		Expect(utils.WaitForESOResourceReady(ctx, dynamicClient,
+			schema.GroupVersionResource{
+				Group:    "external-secrets.io",
+				Version:  "v1beta1",
+				Resource: "clustersecretstores",
+			},
+			"", "aws-secret-store", time.Minute,
+		)).To(Succeed())
+
+		By("Creating PushSecret")
+		assetFunc := utils.ReplacePatternInAsset("${AWS_SECRET_KEY_NAME}", awsSecretName)
+		loader.CreateFromFile(assetFunc, pushSecretFile, operandNamespace)
+		defer loader.DeleteFromFile(testassets.ReadFile, pushSecretFile, operandNamespace)
+
+		By("Waiting for PushSecret to become Ready")
+		Expect(utils.WaitForESOResourceReady(ctx, dynamicClient,
+			schema.GroupVersionResource{
+				Group:    "external-secrets.io",
+				Version:  "v1alpha1",
+				Resource: "pushsecrets",
+			},
+			operandNamespace, "aws-push-secret", time.Minute,
+		)).To(Succeed())
+
+		By("Creating ExternalSecret")
+		loader.CreateFromFile(assetFunc, externalSecretFile, operandNamespace)
+		defer loader.DeleteFromFile(testassets.ReadFile, externalSecretFile, operandNamespace)
+
+		By("Waiting for ExternalSecret to become Ready")
+		Expect(utils.WaitForESOResourceReady(ctx, dynamicClient,
+			schema.GroupVersionResource{
+				Group:    "external-secrets.io",
+				Version:  "v1beta1",
+				Resource: "externalsecrets",
+			},
+			operandNamespace, "aws-external-secret", time.Minute,
+		)).To(Succeed())
+
+		By("Waiting for target secret to be created with expected data")
+		Eventually(func(g Gomega) {
+			secret, err := loader.KubeClient.CoreV1().Secrets(operandNamespace).Get(ctx, "aws-secret", metav1.GetOptions{})
+			g.Expect(err).NotTo(HaveOccurred(), "should get aws-secret from namespace %s", operandNamespace)
+
+			val, ok := secret.Data["aws_secret_access_key"]
+			g.Expect(ok).To(BeTrue(), "aws_secret_access_key should be present in secret %s", secret.Name)
+
+			g.Expect(val).To(Equal(expectedSecretValue), "aws_secret_access_key does not match expected value")
+		}, time.Minute, 10*time.Second).Should(Succeed())
 	})
 })

test/e2e/testdata/aws_external_secret.yaml

@@ -0,0 +1,21 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  labels:
+    app.kubernetes.io/name: cluster
+    app.kubernetes.io/managed-by: external-secrets-operator-e2e
+  name: aws-external-secret
+  namespace: external-secrets
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: aws-secret-store
+    kind: ClusterSecretStore
+  target:
+    name: aws-secret
+    creationPolicy: Owner
+  data:
+    - secretKey: aws_secret_access_key  # This is the key in the Kubernetes Secret
+      remoteRef:
+        key: "${AWS_SECRET_KEY_NAME}"  # This is the name of the secret in AWS Secrets Manager
+        property: aws_secret_access_key  # This is the key inside the AWS secret JSON

test/e2e/testdata/aws_k8s_push_secret.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  labels:
+    app.kubernetes.io/name: aws-k8s-push-secret
+    app.kubernetes.io/managed-by: external-secrets-operator-e2e
+  name: aws-k8s-push-secret
+  namespace: external-secrets
+data:
+  aws_secret_access_key: ${SECRET_VALUE}
+type: Opaque