bank-vaults / secret-sync

Synchronise secrets between secret stores in a configurable manner
Apache License 2.0

feat: extend and improve API #28

Closed ramizpolic closed 1 year ago

ramizpolic commented 1 year ago

Overview

This PR extends the API and adds support for advanced capabilities including bootstrapping, querying, and templating.

Example

## Defines how the secrets will be synced
sync:
  ## 1. Usage: Sync key from ref
  - secretRef:
      key: /source/credentials/username
    target: # If not specified, will be synced under the same key
      key: /target/example-1

  ## 2. Usage: Sync all keys from query
  - secretQuery:
      path: /source/credentials
      key:
        regexp: .*
    target: # If not specified, all keys will be synced under the same path
      keyPrefix: /target/example-2/

  ## 3. Usage: Sync key from ref with templating
  - secretRef:
      key: /source/credentials/password
    target:
      key: /target/example-3

    # Template defines how the secret will be synced to the target store.
    # Either "rawData" or "data" should be specified, not both; both appear
    # below only to show the two forms.
    template:
      rawData: '{{ .Data }}'   # Save as raw (accepts multiline string)
      data:                    # Save as map (accepts nested values)
        example: '{{ .Data }}'

  ## 4. Usage: Sync all keys from query with templating
  - secretQuery:
      path: /source/credentials
      key:
        regexp: .*
    target:
      keyPrefix: /target/example-4/
    template:
      rawData: 'SECRET-PREFIX-{{ .Data }}'

  ## 5. Usage: Sync single key from query with templating
  - secretQuery:
      path: /source/credentials/query-data/
      key:
        regexp: (username|password)
    target:
      key: /target/example-5

    template:
      data:
        user: '{{ .Data.username }}'
        pass: '{{ .Data.password }}'

  ## 6. Usage: Sync single key from multiple sources with templating
  - secretSources:
    - name: username # Username mapping, available as ".Data.username"
      secretRef:
        key: /source/credentials/username

    - name: password # Password mapping, available as ".Data.password"
      secretRef:
        key: /source/credentials/password

    - name: dynamic_query # Query mapping, available as ".Data.dynamic_query.<key>"
      secretQuery:
        path: /source/credentials
        key:
          regexp: .*

    target:
      key: /target/example-6

    template:
      data:
        username: '{{ .Data.username }}'
        password: '{{ .Data.password }}'
        userpass: '{{ .Data.dynamic_query.username }}/{{ .Data.dynamic_query.password }}'

Features

TODO
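To make the sync semantics of the YAML above concrete, here is an added Go model of usages 1 to 5 (refs, queries, `rawData` and `data` templates). It is example code written for this page, not the project's implementation: the Go type names, the in-memory `Store`, the choice to scope a query to the direct children of `path`, and the anchoring of `key.regexp` are all this example's assumptions. It does enforce the two points a practitioner would want checked when syncing secrets: a template must set exactly one of `rawData`/`data`, and a missing source key or a typo such as `{{ .Data.usernme }}` must fail instead of silently writing `<no value>` into the target store.

```go
package main

import (
	"bytes"
	"fmt"
	"path"
	"regexp"
	"text/template"
)

// Store is a constructed in-memory stand-in for a secret store: key path -> string or map[string]string.
type Store map[string]any

// These types mirror the YAML shapes in the PR; the Go names are this example's assumption.
type Query struct{ Path, Regexp string }
type Template struct{ RawData string; Data map[string]string } // exactly one is set
type SyncItem struct {
	SecretRef   string    // secretRef.key (usages 1 and 3)
	SecretQuery *Query    // secretQuery.path and .key.regexp (usages 2, 4, 5)
	TargetKey   string    // target.key: a single destination key (required here for refs)
	KeyPrefix   string    // target.keyPrefix: one destination key per matched source key
	Template    *Template // nil copies the source value unchanged
}

// render exposes the secret as .Data, as in the YAML. missingkey=error turns a typo
// such as {{ .Data.usernme }} into an error instead of "<no value>" in the target.
func render(tmpl string, data any) (string, error) {
	var buf bytes.Buffer
	t, err := template.New("t").Option("missingkey=error").Parse(tmpl)
	if err == nil {
		err = t.Execute(&buf, map[string]any{"Data": data})
	}
	return buf.String(), err
}

// resolve lists the direct children of q.Path whose base name matches q.Regexp. The pattern
// is anchored here (this example's choice) so "(username|password)" cannot also match "password_old".
func (q Query) resolve(src Store) (map[string]string, error) {
	re, err := regexp.Compile("^(?:" + q.Regexp + ")$")
	if err != nil {
		return nil, fmt.Errorf("bad key regexp %q: %w", q.Regexp, err)
	}
	out := map[string]string{}
	for k, v := range src {
		if s, ok := v.(string); ok && path.Dir(k) == path.Clean(q.Path) && re.MatchString(path.Base(k)) {
			out[path.Base(k)] = s
		}
	}
	return out, nil
}

// write stores data under key, applying the template if there is one.
func write(dst Store, key string, data any, tmpl *Template) error {
	switch {
	case data == nil: // a missing source must fail, not be rendered as "<no value>"
		return fmt.Errorf("%s: no source value", key)
	case tmpl == nil:
		dst[key] = data
	case (tmpl.RawData != "") == (tmpl.Data != nil): // the PR's rule: rawData or data, not both
		return fmt.Errorf("%s: template must set exactly one of rawData and data", key)
	case tmpl.RawData != "":
		s, err := render(tmpl.RawData, data)
		if err != nil {
			return err
		}
		dst[key] = s
	default:
		m := map[string]string{}
		for field, t := range tmpl.Data {
			s, err := render(t, data)
			if err != nil {
				return err
			}
			m[field] = s
		}
		dst[key] = m
	}
	return nil
}

// Sync applies one item from src to dst, following usages 1 to 5 in the PR.
func Sync(item SyncItem, src, dst Store) error {
	if item.SecretQuery == nil { // usages 1 and 3: one key, seen by the template as .Data
		return write(dst, item.TargetKey, src[item.SecretRef], item.Template)
	}
	matched, err := item.SecretQuery.resolve(src)
	if err != nil {
		return err
	}
	if item.TargetKey != "" { // usage 5: all matches into one key, seen as .Data.<name>
		return write(dst, item.TargetKey, matched, item.Template)
	}
	for name, val := range matched { // usages 2 and 4: one destination key per match
		if err := write(dst, item.KeyPrefix+name, val, item.Template); err != nil {
			return err
		}
	}
	return nil
}
```

Feeding usage 5 through `Sync` with a source holding `/source/credentials/query-data/{username,password}` yields a map `{"user": ..., "pass": ...}` under `/target/example-5`; usage 4 yields one `SECRET-PREFIX-<value>` string per matched key under `/target/example-4/`. Note that the anchoring in `resolve` is stricter than a plain `regexp.MatchString`: a `key.regexp` of `user` matches nothing here, whereas unanchored it would match `username`, which is the kind of over-broad query that quietly copies more secrets than intended.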