Excluding original data from templated secret

[Amet13]

Hey.
Is it possible to exclude source data from generated certificate?

I'm using this templating:

---
apiVersion: kubernetes-client.io/v1
kind: ExternalSecret
metadata:
  name: microservices-repo
  namespace: argo-cd
spec:
  backendType: secretsManager
  data:
    - key: devops-kubernetes-secrets
      name: GITHUB_ORG_TOKEN
  template:
    metadata:
      labels:
        argocd.argoproj.io/secret-type: repository
    stringData:
      url: |
        https://github.com/lalala
      type: |
        git
      password: |
        <%= JSON.parse(data.GITHUB_ORG_TOKEN).GITHUB_ORG_TOKEN %>

I expect to get a secret like:

apiVersion: v1
data:
  password: somebase64=
  type: somebase64==
  url: somebase64==
kind: Secret
metadata:
  name: microservices-repo

But I'm getting:

apiVersion: v1
data:
  GITHUB_ORG_TOKEN: somebase64=
  password: somebase64=
  type: somebase64==
  url: somebase64==
kind: Secret
metadata:
  name: microservices-repo

Wanna exclude this one GITHUB_ORG_TOKEN, but didn't find any docs about it

[Flydiverny]

No, it does some merging so its always all included :)
If I remember correctly ESO ( https://external-secrets.io/ or https://github.com/external-secrets/external-secrets ) does this differently and only includes the fields in the template if you specify a template.

[Amet13]

Got you. Thanks!

[peter-svensson]

No, it does some merging so its always all included :) If I remember correctly ESO ( https://external-secrets.io/ or https://github.com/external-secrets/external-secrets ) does this differently and only includes the fields in the template if you specify a template.

I'm looking for this feature as well 😊
Is it something that will be supported in the future or is there something that has been explicitly decided against?

[Flydiverny]

@peter-svensson
Don't think we made any explicit decision regarding this however if ESO covers your need please see:

• KES is deprecated, migrate to ESO! #864