Merge pull request #2965 from akhilmhdh/fix/broken-secret-creation

Resolve self signed error for mssql

backend/src/ee/routes/v1/index.ts

@@ -22,6 +22,7 @@ import { registerSecretApprovalPolicyRouter } from "./secret-approval-policy-rou
 import { registerSecretApprovalRequestRouter } from "./secret-approval-request-router";
 import { registerSecretRotationProviderRouter } from "./secret-rotation-provider-router";
 import { registerSecretRotationRouter } from "./secret-rotation-router";
+import { registerSecretRouter } from "./secret-router";
 import { registerSecretScanningRouter } from "./secret-scanning-router";
 import { registerSecretVersionRouter } from "./secret-version-router";
 import { registerSnapshotRouter } from "./snapshot-router";
@@ -92,6 +93,7 @@ export const registerV1EERoutes = async (server: FastifyZodProvider) => {
   await server.register(registerLdapRouter, { prefix: "/ldap" });
   await server.register(registerSecretScanningRouter, { prefix: "/secret-scanning" });
   await server.register(registerSecretRotationRouter, { prefix: "/secret-rotations" });
+  await server.register(registerSecretRouter, { prefix: "/secrets" });
   await server.register(registerSecretVersionRouter, { prefix: "/secret" });
   await server.register(registerGroupRouter, { prefix: "/groups" });
   await server.register(registerAuditLogStreamRouter, { prefix: "/audit-log-streams" });

backend/src/ee/routes/v1/secret-router.ts

@@ -0,0 +1,71 @@
+import z from "zod";
+
+import { ProjectPermissionActions } from "@app/ee/services/permission/project-permission";
+import { RAW_SECRETS } from "@app/lib/api-docs";
+import { removeTrailingSlash } from "@app/lib/fn";
+import { readLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+const AccessListEntrySchema = z
+  .object({
+    allowedActions: z.nativeEnum(ProjectPermissionActions).array(),
+    id: z.string(),
+    membershipId: z.string(),
+    name: z.string()
+  })
+  .array();
+
+export const registerSecretRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "GET",
+    url: "/:secretName/access-list",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      description: "Get list of users, machine identities, and groups with access to a secret",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        secretName: z.string().trim().describe(RAW_SECRETS.GET_ACCESS_LIST.secretName)
+      }),
+      querystring: z.object({
+        workspaceId: z.string().trim().describe(RAW_SECRETS.GET_ACCESS_LIST.workspaceId),
+        environment: z.string().trim().describe(RAW_SECRETS.GET_ACCESS_LIST.environment),
+        secretPath: z
+          .string()
+          .trim()
+          .default("/")
+          .transform(removeTrailingSlash)
+          .describe(RAW_SECRETS.GET_ACCESS_LIST.secretPath)
+      }),
+      response: {
+        200: z.object({
+          groups: AccessListEntrySchema,
+          identities: AccessListEntrySchema,
+          users: AccessListEntrySchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { secretName } = req.params;
+      const { secretPath, environment, workspaceId: projectId } = req.query;
+
+      return server.services.secret.getSecretAccessList({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        secretPath,
+        environment,
+        projectId,
+        secretName
+      });
+    }
+  });
+};

backend/src/ee/services/dynamic-secret/providers/sql-database.ts

@@ -34,6 +34,8 @@ export const SqlDatabaseProvider = (): TDynamicProviderFns => {
 
   const $getClient = async (providerInputs: z.infer<typeof DynamicSecretSqlDBSchema>) => {
     const ssl = providerInputs.ca ? { rejectUnauthorized: false, ca: providerInputs.ca } : undefined;
+    const isMsSQLClient = providerInputs.client === SqlProviders.MsSQL;
+
     const db = knex({
       client: providerInputs.client,
       connection: {
@@ -43,7 +45,16 @@ export const SqlDatabaseProvider = (): TDynamicProviderFns => {
         user: providerInputs.username,
         password: providerInputs.password,
         ssl,
-        pool: { min: 0, max: 1 }
+        pool: { min: 0, max: 1 },
+        // @ts-expect-error this is because of knexjs type signature issue. This is directly passed to driver
+        // https://github.com/knex/knex/blob/b6507a7129d2b9fafebf5f831494431e64c6a8a0/lib/dialects/mssql/index.js#L66
+        // https://github.com/tediousjs/tedious/blob/ebb023ed90969a7ec0e4b036533ad52739d921f7/test/config.ci.ts#L19
+        options: isMsSQLClient
+          ? {
+              trustServerCertificate: !providerInputs.ca,
+              cryptoCredentialsDetails: providerInputs.ca ? { ca: providerInputs.ca } : {}
+            }
+          : undefined
       },
       acquireConnectionTimeout: EXTERNAL_REQUEST_TIMEOUT
     });

backend/src/ee/services/license/license-fns.ts

@@ -24,6 +24,7 @@ export const getDefaultOnPremFeatures = (): TFeatureSet => ({
   rbac: false,
   customRateLimits: false,
   customAlerts: false,
+  secretAccessInsights: false,
   auditLogs: false,
   auditLogsRetentionDays: 0,
   auditLogStreams: false,

backend/src/ee/services/license/license-types.ts

@@ -48,6 +48,7 @@ export type TFeatureSet = {
   samlSSO: false;
   hsm: false;
   oidcSSO: false;
+  secretAccessInsights: false;
   scim: false;
   ldap: false;
   groups: false;

backend/src/ee/services/permission/permission-dal.ts

@@ -125,6 +125,404 @@ export const permissionDALFactory = (db: TDbClient) => {
     }
   };
 
+  const getProjectGroupPermissions = async (projectId: string) => {
+    try {
+      const docs = await db
+        .replicaNode()(TableName.GroupProjectMembership)
+        .join(TableName.Groups, `${TableName.Groups}.id`, `${TableName.GroupProjectMembership}.groupId`)
+        .join(
+          TableName.GroupProjectMembershipRole,
+          `${TableName.GroupProjectMembershipRole}.projectMembershipId`,
+          `${TableName.GroupProjectMembership}.id`
+        )
+        .leftJoin<TProjectRoles>(
+          { groupCustomRoles: TableName.ProjectRoles },
+          `${TableName.GroupProjectMembershipRole}.customRoleId`,
+          `groupCustomRoles.id`
+        )
+        .where(`${TableName.GroupProjectMembership}.projectId`, "=", projectId)
+        .select(
+          db.ref("id").withSchema(TableName.GroupProjectMembership).as("membershipId"),
+          db.ref("id").withSchema(TableName.Groups).as("groupId"),
+          db.ref("name").withSchema(TableName.Groups).as("groupName"),
+          db.ref("slug").withSchema("groupCustomRoles").as("groupProjectMembershipRoleCustomRoleSlug"),
+          db.ref("permissions").withSchema("groupCustomRoles").as("groupProjectMembershipRolePermission"),
+          db.ref("id").withSchema(TableName.GroupProjectMembershipRole).as("groupProjectMembershipRoleId"),
+          db.ref("role").withSchema(TableName.GroupProjectMembershipRole).as("groupProjectMembershipRole"),
+          db
+            .ref("customRoleId")
+            .withSchema(TableName.GroupProjectMembershipRole)
+            .as("groupProjectMembershipRoleCustomRoleId"),
+          db
+            .ref("isTemporary")
+            .withSchema(TableName.GroupProjectMembershipRole)
+            .as("groupProjectMembershipRoleIsTemporary"),
+          db
+            .ref("temporaryMode")
+            .withSchema(TableName.GroupProjectMembershipRole)
+            .as("groupProjectMembershipRoleTemporaryMode"),
+          db
+            .ref("temporaryRange")
+            .withSchema(TableName.GroupProjectMembershipRole)
+            .as("groupProjectMembershipRoleTemporaryRange"),
+          db
+            .ref("temporaryAccessStartTime")
+            .withSchema(TableName.GroupProjectMembershipRole)
+            .as("groupProjectMembershipRoleTemporaryAccessStartTime"),
+          db
+            .ref("temporaryAccessEndTime")
+            .withSchema(TableName.GroupProjectMembershipRole)
+            .as("groupProjectMembershipRoleTemporaryAccessEndTime")
+        );
+
+      const groupPermissions = sqlNestRelationships({
+        data: docs,
+        key: "groupId",
+        parentMapper: ({ groupId, groupName, membershipId }) => ({
+          groupId,
+          username: groupName,
+          id: membershipId
+        }),
+        childrenMapper: [
+          {
+            key: "groupProjectMembershipRoleId",
+            label: "groupRoles" as const,
+            mapper: ({
+              groupProjectMembershipRoleId,
+              groupProjectMembershipRole,
+              groupProjectMembershipRolePermission,
+              groupProjectMembershipRoleCustomRoleSlug,
+              groupProjectMembershipRoleIsTemporary,
+              groupProjectMembershipRoleTemporaryMode,
+              groupProjectMembershipRoleTemporaryAccessEndTime,
+              groupProjectMembershipRoleTemporaryAccessStartTime,
+              groupProjectMembershipRoleTemporaryRange
+            }) => ({
+              id: groupProjectMembershipRoleId,
+              role: groupProjectMembershipRole,
+              customRoleSlug: groupProjectMembershipRoleCustomRoleSlug,
+              permissions: groupProjectMembershipRolePermission,
+              temporaryRange: groupProjectMembershipRoleTemporaryRange,
+              temporaryMode: groupProjectMembershipRoleTemporaryMode,
+              temporaryAccessStartTime: groupProjectMembershipRoleTemporaryAccessStartTime,
+              temporaryAccessEndTime: groupProjectMembershipRoleTemporaryAccessEndTime,
+              isTemporary: groupProjectMembershipRoleIsTemporary
+            })
+          }
+        ]
+      });
+
+      return groupPermissions
+        .map((groupPermission) => {
+          if (!groupPermission) return undefined;
+
+          const activeGroupRoles =
+            groupPermission?.groupRoles?.filter(
+              ({ isTemporary, temporaryAccessEndTime }) =>
+                !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
+            ) ?? [];
+
+          return {
+            ...groupPermission,
+            roles: activeGroupRoles
+          };
+        })
+        .filter((item): item is NonNullable<typeof item> => Boolean(item));
+    } catch (error) {
+      throw new DatabaseError({ error, name: "GetProjectGroupPermissions" });
+    }
+  };
+
+  const getProjectUserPermissions = async (projectId: string) => {
+    try {
+      const docs = await db
+        .replicaNode()(TableName.Users)
+        .where("isGhost", "=", false)
+        .leftJoin(TableName.GroupProjectMembership, (queryBuilder) => {
+          void queryBuilder.on(`${TableName.GroupProjectMembership}.projectId`, db.raw("?", [projectId]));
+        })
+        .leftJoin(
+          TableName.GroupProjectMembershipRole,
+          `${TableName.GroupProjectMembershipRole}.projectMembershipId`,
+          `${TableName.GroupProjectMembership}.id`
+        )
+        .leftJoin<TProjectRoles>(
+          { groupCustomRoles: TableName.ProjectRoles },
+          `${TableName.GroupProjectMembershipRole}.customRoleId`,
+          `groupCustomRoles.id`
+        )
+        .join(TableName.ProjectMembership, (queryBuilder) => {
+          void queryBuilder
+            .on(`${TableName.ProjectMembership}.projectId`, db.raw("?", [projectId]))
+            .andOn(`${TableName.ProjectMembership}.userId`, `${TableName.Users}.id`);
+        })
+        .leftJoin(
+          TableName.ProjectUserMembershipRole,
+          `${TableName.ProjectUserMembershipRole}.projectMembershipId`,
+          `${TableName.ProjectMembership}.id`
+        )
+        .leftJoin(
+          TableName.ProjectRoles,
+          `${TableName.ProjectUserMembershipRole}.customRoleId`,
+          `${TableName.ProjectRoles}.id`
+        )
+        .leftJoin(TableName.ProjectUserAdditionalPrivilege, (queryBuilder) => {
+          void queryBuilder
+            .on(`${TableName.ProjectUserAdditionalPrivilege}.projectId`, db.raw("?", [projectId]))
+            .andOn(`${TableName.ProjectUserAdditionalPrivilege}.userId`, `${TableName.Users}.id`);
+        })
+        .join<TProjects>(TableName.Project, `${TableName.Project}.id`, db.raw("?", [projectId]))
+        .join(TableName.Organization, `${TableName.Project}.orgId`, `${TableName.Organization}.id`)
+        .leftJoin(TableName.IdentityMetadata, (queryBuilder) => {
+          void queryBuilder
+            .on(`${TableName.Users}.id`, `${TableName.IdentityMetadata}.userId`)
+            .andOn(`${TableName.Organization}.id`, `${TableName.IdentityMetadata}.orgId`);
+        })
+        .select(
+          db.ref("id").withSchema(TableName.Users).as("userId"),
+          db.ref("username").withSchema(TableName.Users).as("username"),
+          // groups specific
+          db.ref("id").withSchema(TableName.GroupProjectMembership).as("groupMembershipId"),
+          db.ref("createdAt").withSchema(TableName.GroupProjectMembership).as("groupMembershipCreatedAt"),
+          db.ref("updatedAt").withSchema(TableName.GroupProjectMembership).as("groupMembershipUpdatedAt"),
+          db.ref("slug").withSchema("groupCustomRoles").as("userGroupProjectMembershipRoleCustomRoleSlug"),
+          db.ref("permissions").withSchema("groupCustomRoles").as("userGroupProjectMembershipRolePermission"),
+          db.ref("id").withSchema(TableName.GroupProjectMembershipRole).as("userGroupProjectMembershipRoleId"),
+          db.ref("role").withSchema(TableName.GroupProjectMembershipRole).as("userGroupProjectMembershipRole"),
+          db
+            .ref("customRoleId")
+            .withSchema(TableName.GroupProjectMembershipRole)
+            .as("userGroupProjectMembershipRoleCustomRoleId"),
+          db
+            .ref("isTemporary")
+            .withSchema(TableName.GroupProjectMembershipRole)
+            .as("userGroupProjectMembershipRoleIsTemporary"),
+          db
+            .ref("temporaryMode")
+            .withSchema(TableName.GroupProjectMembershipRole)
+            .as("userGroupProjectMembershipRoleTemporaryMode"),
+          db
+            .ref("temporaryRange")
+            .withSchema(TableName.GroupProjectMembershipRole)
+            .as("userGroupProjectMembershipRoleTemporaryRange"),
+          db
+            .ref("temporaryAccessStartTime")
+            .withSchema(TableName.GroupProjectMembershipRole)
+            .as("userGroupProjectMembershipRoleTemporaryAccessStartTime"),
+          db
+            .ref("temporaryAccessEndTime")
+            .withSchema(TableName.GroupProjectMembershipRole)
+            .as("userGroupProjectMembershipRoleTemporaryAccessEndTime"),
+          // user specific
+          db.ref("id").withSchema(TableName.ProjectMembership).as("membershipId"),
+          db.ref("createdAt").withSchema(TableName.ProjectMembership).as("membershipCreatedAt"),
+          db.ref("updatedAt").withSchema(TableName.ProjectMembership).as("membershipUpdatedAt"),
+          db.ref("slug").withSchema(TableName.ProjectRoles).as("userProjectMembershipRoleCustomRoleSlug"),
+          db.ref("permissions").withSchema(TableName.ProjectRoles).as("userProjectCustomRolePermission"),
+          db.ref("id").withSchema(TableName.ProjectUserMembershipRole).as("userProjectMembershipRoleId"),
+          db.ref("role").withSchema(TableName.ProjectUserMembershipRole).as("userProjectMembershipRole"),
+          db
+            .ref("temporaryMode")
+            .withSchema(TableName.ProjectUserMembershipRole)
+            .as("userProjectMembershipRoleTemporaryMode"),
+          db
+            .ref("isTemporary")
+            .withSchema(TableName.ProjectUserMembershipRole)
+            .as("userProjectMembershipRoleIsTemporary"),
+          db
+            .ref("temporaryRange")
+            .withSchema(TableName.ProjectUserMembershipRole)
+            .as("userProjectMembershipRoleTemporaryRange"),
+          db
+            .ref("temporaryAccessStartTime")
+            .withSchema(TableName.ProjectUserMembershipRole)
+            .as("userProjectMembershipRoleTemporaryAccessStartTime"),
+          db
+            .ref("temporaryAccessEndTime")
+            .withSchema(TableName.ProjectUserMembershipRole)
+            .as("userProjectMembershipRoleTemporaryAccessEndTime"),
+          db.ref("id").withSchema(TableName.ProjectUserAdditionalPrivilege).as("userAdditionalPrivilegesId"),
+          db
+            .ref("permissions")
+            .withSchema(TableName.ProjectUserAdditionalPrivilege)
+            .as("userAdditionalPrivilegesPermissions"),
+          db
+            .ref("temporaryMode")
+            .withSchema(TableName.ProjectUserAdditionalPrivilege)
+            .as("userAdditionalPrivilegesTemporaryMode"),
+          db
+            .ref("isTemporary")
+            .withSchema(TableName.ProjectUserAdditionalPrivilege)
+            .as("userAdditionalPrivilegesIsTemporary"),
+          db
+            .ref("temporaryRange")
+            .withSchema(TableName.ProjectUserAdditionalPrivilege)
+            .as("userAdditionalPrivilegesTemporaryRange"),
+          db.ref("userId").withSchema(TableName.ProjectUserAdditionalPrivilege).as("userAdditionalPrivilegesUserId"),
+          db
+            .ref("temporaryAccessStartTime")
+            .withSchema(TableName.ProjectUserAdditionalPrivilege)
+            .as("userAdditionalPrivilegesTemporaryAccessStartTime"),
+          db
+            .ref("temporaryAccessEndTime")
+            .withSchema(TableName.ProjectUserAdditionalPrivilege)
+            .as("userAdditionalPrivilegesTemporaryAccessEndTime"),
+          // general
+          db.ref("id").withSchema(TableName.IdentityMetadata).as("metadataId"),
+          db.ref("key").withSchema(TableName.IdentityMetadata).as("metadataKey"),
+          db.ref("value").withSchema(TableName.IdentityMetadata).as("metadataValue"),
+          db.ref("authEnforced").withSchema(TableName.Organization).as("orgAuthEnforced"),
+          db.ref("orgId").withSchema(TableName.Project),
+          db.ref("type").withSchema(TableName.Project).as("projectType"),
+          db.ref("id").withSchema(TableName.Project).as("projectId")
+        );
+
+      const userPermissions = sqlNestRelationships({
+        data: docs,
+        key: "userId",
+        parentMapper: ({
+          orgId,
+          username,
+          orgAuthEnforced,
+          membershipId,
+          groupMembershipId,
+          membershipCreatedAt,
+          groupMembershipCreatedAt,
+          groupMembershipUpdatedAt,
+          membershipUpdatedAt,
+          projectType,
+          userId
+        }) => ({
+          orgId,
+          orgAuthEnforced,
+          userId,
+          projectId,
+          username,
+          projectType,
+          id: membershipId || groupMembershipId,
+          createdAt: membershipCreatedAt || groupMembershipCreatedAt,
+          updatedAt: membershipUpdatedAt || groupMembershipUpdatedAt
+        }),
+        childrenMapper: [
+          {
+            key: "userGroupProjectMembershipRoleId",
+            label: "userGroupRoles" as const,
+            mapper: ({
+              userGroupProjectMembershipRoleId,
+              userGroupProjectMembershipRole,
+              userGroupProjectMembershipRolePermission,
+              userGroupProjectMembershipRoleCustomRoleSlug,
+              userGroupProjectMembershipRoleIsTemporary,
+              userGroupProjectMembershipRoleTemporaryMode,
+              userGroupProjectMembershipRoleTemporaryAccessEndTime,
+              userGroupProjectMembershipRoleTemporaryAccessStartTime,
+              userGroupProjectMembershipRoleTemporaryRange
+            }) => ({
+              id: userGroupProjectMembershipRoleId,
+              role: userGroupProjectMembershipRole,
+              customRoleSlug: userGroupProjectMembershipRoleCustomRoleSlug,
+              permissions: userGroupProjectMembershipRolePermission,
+              temporaryRange: userGroupProjectMembershipRoleTemporaryRange,
+              temporaryMode: userGroupProjectMembershipRoleTemporaryMode,
+              temporaryAccessStartTime: userGroupProjectMembershipRoleTemporaryAccessStartTime,
+              temporaryAccessEndTime: userGroupProjectMembershipRoleTemporaryAccessEndTime,
+              isTemporary: userGroupProjectMembershipRoleIsTemporary
+            })
+          },
+          {
+            key: "userProjectMembershipRoleId",
+            label: "projectMembershipRoles" as const,
+            mapper: ({
+              userProjectMembershipRoleId,
+              userProjectMembershipRole,
+              userProjectCustomRolePermission,
+              userProjectMembershipRoleIsTemporary,
+              userProjectMembershipRoleTemporaryMode,
+              userProjectMembershipRoleTemporaryRange,
+              userProjectMembershipRoleTemporaryAccessEndTime,
+              userProjectMembershipRoleTemporaryAccessStartTime,
+              userProjectMembershipRoleCustomRoleSlug
+            }) => ({
+              id: userProjectMembershipRoleId,
+              role: userProjectMembershipRole,
+              customRoleSlug: userProjectMembershipRoleCustomRoleSlug,
+              permissions: userProjectCustomRolePermission,
+              temporaryRange: userProjectMembershipRoleTemporaryRange,
+              temporaryMode: userProjectMembershipRoleTemporaryMode,
+              temporaryAccessStartTime: userProjectMembershipRoleTemporaryAccessStartTime,
+              temporaryAccessEndTime: userProjectMembershipRoleTemporaryAccessEndTime,
+              isTemporary: userProjectMembershipRoleIsTemporary
+            })
+          },
+          {
+            key: "userAdditionalPrivilegesId",
+            label: "additionalPrivileges" as const,
+            mapper: ({
+              userAdditionalPrivilegesId,
+              userAdditionalPrivilegesPermissions,
+              userAdditionalPrivilegesIsTemporary,
+              userAdditionalPrivilegesTemporaryMode,
+              userAdditionalPrivilegesTemporaryRange,
+              userAdditionalPrivilegesTemporaryAccessEndTime,
+              userAdditionalPrivilegesTemporaryAccessStartTime
+            }) => ({
+              id: userAdditionalPrivilegesId,
+              permissions: userAdditionalPrivilegesPermissions,
+              temporaryRange: userAdditionalPrivilegesTemporaryRange,
+              temporaryMode: userAdditionalPrivilegesTemporaryMode,
+              temporaryAccessStartTime: userAdditionalPrivilegesTemporaryAccessStartTime,
+              temporaryAccessEndTime: userAdditionalPrivilegesTemporaryAccessEndTime,
+              isTemporary: userAdditionalPrivilegesIsTemporary
+            })
+          },
+          {
+            key: "metadataId",
+            label: "metadata" as const,
+            mapper: ({ metadataKey, metadataValue, metadataId }) => ({
+              id: metadataId,
+              key: metadataKey,
+              value: metadataValue
+            })
+          }
+        ]
+      });
+
+      return userPermissions
+        .map((userPermission) => {
+          if (!userPermission) return undefined;
+          if (!userPermission?.userGroupRoles?.[0] && !userPermission?.projectMembershipRoles?.[0]) return undefined;
+
+          // when introducting cron mode change it here
+          const activeRoles =
+            userPermission?.projectMembershipRoles?.filter(
+              ({ isTemporary, temporaryAccessEndTime }) =>
+                !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
+            ) ?? [];
+
+          const activeGroupRoles =
+            userPermission?.userGroupRoles?.filter(
+              ({ isTemporary, temporaryAccessEndTime }) =>
+                !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
+            ) ?? [];
+
+          const activeAdditionalPrivileges =
+            userPermission?.additionalPrivileges?.filter(
+              ({ isTemporary, temporaryAccessEndTime }) =>
+                !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
+            ) ?? [];
+
+          return {
+            ...userPermission,
+            roles: [...activeRoles, ...activeGroupRoles],
+            additionalPrivileges: activeAdditionalPrivileges
+          };
+        })
+        .filter((item): item is NonNullable<typeof item> => Boolean(item));
+    } catch (error) {
+      throw new DatabaseError({ error, name: "GetProjectUserPermissions" });
+    }
+  };
+
   const getProjectPermission = async (userId: string, projectId: string) => {
     try {
       const subQueryUserGroups = db(TableName.UserGroupMembership).where("userId", userId).select("groupId");
@@ -414,6 +812,163 @@ export const permissionDALFactory = (db: TDbClient) => {
     }
   };
 
+  const getProjectIdentityPermissions = async (projectId: string) => {
+    try {
+      const docs = await db
+        .replicaNode()(TableName.IdentityProjectMembership)
+        .join(
+          TableName.IdentityProjectMembershipRole,
+          `${TableName.IdentityProjectMembershipRole}.projectMembershipId`,
+          `${TableName.IdentityProjectMembership}.id`
+        )
+        .join(TableName.Identity, `${TableName.Identity}.id`, `${TableName.IdentityProjectMembership}.identityId`)
+        .leftJoin(
+          TableName.ProjectRoles,
+          `${TableName.IdentityProjectMembershipRole}.customRoleId`,
+          `${TableName.ProjectRoles}.id`
+        )
+        .leftJoin(
+          TableName.IdentityProjectAdditionalPrivilege,
+          `${TableName.IdentityProjectAdditionalPrivilege}.projectMembershipId`,
+          `${TableName.IdentityProjectMembership}.id`
+        )
+        .join(
+          // Join the Project table to later select orgId
+          TableName.Project,
+          `${TableName.IdentityProjectMembership}.projectId`,
+          `${TableName.Project}.id`
+        )
+        .leftJoin(TableName.IdentityMetadata, (queryBuilder) => {
+          void queryBuilder
+            .on(`${TableName.Identity}.id`, `${TableName.IdentityMetadata}.identityId`)
+            .andOn(`${TableName.Project}.orgId`, `${TableName.IdentityMetadata}.orgId`);
+        })
+        .where(`${TableName.IdentityProjectMembership}.projectId`, projectId)
+        .select(selectAllTableCols(TableName.IdentityProjectMembershipRole))
+        .select(
+          db.ref("id").withSchema(TableName.IdentityProjectMembership).as("membershipId"),
+          db.ref("id").withSchema(TableName.Identity).as("identityId"),
+          db.ref("name").withSchema(TableName.Identity).as("identityName"),
+          db.ref("orgId").withSchema(TableName.Project).as("orgId"), // Now you can select orgId from Project
+          db.ref("type").withSchema(TableName.Project).as("projectType"),
+          db.ref("createdAt").withSchema(TableName.IdentityProjectMembership).as("membershipCreatedAt"),
+          db.ref("updatedAt").withSchema(TableName.IdentityProjectMembership).as("membershipUpdatedAt"),
+          db.ref("slug").withSchema(TableName.ProjectRoles).as("customRoleSlug"),
+          db.ref("permissions").withSchema(TableName.ProjectRoles),
+          db.ref("id").withSchema(TableName.IdentityProjectAdditionalPrivilege).as("identityApId"),
+          db.ref("permissions").withSchema(TableName.IdentityProjectAdditionalPrivilege).as("identityApPermissions"),
+          db
+            .ref("temporaryMode")
+            .withSchema(TableName.IdentityProjectAdditionalPrivilege)
+            .as("identityApTemporaryMode"),
+          db.ref("isTemporary").withSchema(TableName.IdentityProjectAdditionalPrivilege).as("identityApIsTemporary"),
+          db
+            .ref("temporaryRange")
+            .withSchema(TableName.IdentityProjectAdditionalPrivilege)
+            .as("identityApTemporaryRange"),
+          db
+            .ref("temporaryAccessStartTime")
+            .withSchema(TableName.IdentityProjectAdditionalPrivilege)
+            .as("identityApTemporaryAccessStartTime"),
+          db
+            .ref("temporaryAccessEndTime")
+            .withSchema(TableName.IdentityProjectAdditionalPrivilege)
+            .as("identityApTemporaryAccessEndTime"),
+          db.ref("id").withSchema(TableName.IdentityMetadata).as("metadataId"),
+          db.ref("key").withSchema(TableName.IdentityMetadata).as("metadataKey"),
+          db.ref("value").withSchema(TableName.IdentityMetadata).as("metadataValue")
+        );
+
+      const permissions = sqlNestRelationships({
+        data: docs,
+        key: "identityId",
+        parentMapper: ({
+          membershipId,
+          membershipCreatedAt,
+          membershipUpdatedAt,
+          orgId,
+          identityName,
+          projectType,
+          identityId
+        }) => ({
+          id: membershipId,
+          identityId,
+          username: identityName,
+          projectId,
+          createdAt: membershipCreatedAt,
+          updatedAt: membershipUpdatedAt,
+          orgId,
+          projectType,
+          // just a prefilled value
+          orgAuthEnforced: false
+        }),
+        childrenMapper: [
+          {
+            key: "id",
+            label: "roles" as const,
+            mapper: (data) =>
+              IdentityProjectMembershipRoleSchema.extend({
+                permissions: z.unknown(),
+                customRoleSlug: z.string().optional().nullable()
+              }).parse(data)
+          },
+          {
+            key: "identityApId",
+            label: "additionalPrivileges" as const,
+            mapper: ({
+              identityApId,
+              identityApPermissions,
+              identityApIsTemporary,
+              identityApTemporaryMode,
+              identityApTemporaryRange,
+              identityApTemporaryAccessEndTime,
+              identityApTemporaryAccessStartTime
+            }) => ({
+              id: identityApId,
+              permissions: identityApPermissions,
+              temporaryRange: identityApTemporaryRange,
+              temporaryMode: identityApTemporaryMode,
+              temporaryAccessEndTime: identityApTemporaryAccessEndTime,
+              temporaryAccessStartTime: identityApTemporaryAccessStartTime,
+              isTemporary: identityApIsTemporary
+            })
+          },
+          {
+            key: "metadataId",
+            label: "metadata" as const,
+            mapper: ({ metadataKey, metadataValue, metadataId }) => ({
+              id: metadataId,
+              key: metadataKey,
+              value: metadataValue
+            })
+          }
+        ]
+      });
+
+      return permissions
+        .map((permission) => {
+          if (!permission) {
+            return undefined;
+          }
+
+          // when introducting cron mode change it here
+          const activeRoles = permission?.roles.filter(
+            ({ isTemporary, temporaryAccessEndTime }) =>
+              !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
+          );
+          const activeAdditionalPrivileges = permission?.additionalPrivileges?.filter(
+            ({ isTemporary, temporaryAccessEndTime }) =>
+              !isTemporary || (isTemporary && temporaryAccessEndTime && new Date() < temporaryAccessEndTime)
+          );
+
+          return { ...permission, roles: activeRoles, additionalPrivileges: activeAdditionalPrivileges };
+        })
+        .filter((item): item is NonNullable<typeof item> => Boolean(item));
+    } catch (error) {
+      throw new DatabaseError({ error, name: "GetProjectIdentityPermissions" });
+    }
+  };
+
   const getProjectIdentityPermission = async (identityId: string, projectId: string) => {
     try {
       const docs = await db
@@ -568,6 +1123,9 @@ export const permissionDALFactory = (db: TDbClient) => {
     getOrgPermission,
     getOrgIdentityPermission,
     getProjectPermission,
-    getProjectIdentityPermission
+    getProjectIdentityPermission,
+    getProjectUserPermissions,
+    getProjectIdentityPermissions,
+    getProjectGroupPermissions
   };
 };

backend/src/ee/services/permission/permission-service.ts

@@ -405,6 +405,123 @@ export const permissionServiceFactory = ({
         ForbidOnInvalidProjectType: (type: ProjectType) => void;
       };
 
+  const getProjectPermissions = async (projectId: string) => {
+    // fetch user permissions
+    const rawUserProjectPermissions = await permissionDAL.getProjectUserPermissions(projectId);
+    const userPermissions = rawUserProjectPermissions.map((userProjectPermission) => {
+      const rolePermissions =
+        userProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
+      const additionalPrivileges =
+        userProjectPermission.additionalPrivileges?.map(({ permissions }) => ({
+          role: ProjectMembershipRole.Custom,
+          permissions
+        })) || [];
+
+      const rules = buildProjectPermissionRules(rolePermissions.concat(additionalPrivileges));
+      const templatedRules = handlebars.compile(JSON.stringify(rules), { data: false });
+      const metadataKeyValuePair = escapeHandlebarsMissingMetadata(
+        objectify(
+          userProjectPermission.metadata,
+          (i) => i.key,
+          (i) => i.value
+        )
+      );
+      const interpolateRules = templatedRules(
+        {
+          identity: {
+            id: userProjectPermission.userId,
+            username: userProjectPermission.username,
+            metadata: metadataKeyValuePair
+          }
+        },
+        { data: false }
+      );
+      const permission = createMongoAbility<ProjectPermissionSet>(
+        JSON.parse(interpolateRules) as RawRuleOf<MongoAbility<ProjectPermissionSet>>[],
+        {
+          conditionsMatcher
+        }
+      );
+
+      return {
+        permission,
+        id: userProjectPermission.userId,
+        name: userProjectPermission.username,
+        membershipId: userProjectPermission.id
+      };
+    });
+
+    // fetch identity permissions
+    const rawIdentityProjectPermissions = await permissionDAL.getProjectIdentityPermissions(projectId);
+    const identityPermissions = rawIdentityProjectPermissions.map((identityProjectPermission) => {
+      const rolePermissions =
+        identityProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
+      const additionalPrivileges =
+        identityProjectPermission.additionalPrivileges?.map(({ permissions }) => ({
+          role: ProjectMembershipRole.Custom,
+          permissions
+        })) || [];
+
+      const rules = buildProjectPermissionRules(rolePermissions.concat(additionalPrivileges));
+      const templatedRules = handlebars.compile(JSON.stringify(rules), { data: false });
+      const metadataKeyValuePair = escapeHandlebarsMissingMetadata(
+        objectify(
+          identityProjectPermission.metadata,
+          (i) => i.key,
+          (i) => i.value
+        )
+      );
+
+      const interpolateRules = templatedRules(
+        {
+          identity: {
+            id: identityProjectPermission.identityId,
+            username: identityProjectPermission.username,
+            metadata: metadataKeyValuePair
+          }
+        },
+        { data: false }
+      );
+      const permission = createMongoAbility<ProjectPermissionSet>(
+        JSON.parse(interpolateRules) as RawRuleOf<MongoAbility<ProjectPermissionSet>>[],
+        {
+          conditionsMatcher
+        }
+      );
+
+      return {
+        permission,
+        id: identityProjectPermission.identityId,
+        name: identityProjectPermission.username,
+        membershipId: identityProjectPermission.id
+      };
+    });
+
+    // fetch group permissions
+    const rawGroupProjectPermissions = await permissionDAL.getProjectGroupPermissions(projectId);
+    const groupPermissions = rawGroupProjectPermissions.map((groupProjectPermission) => {
+      const rolePermissions =
+        groupProjectPermission.roles?.map(({ role, permissions }) => ({ role, permissions })) || [];
+      const rules = buildProjectPermissionRules(rolePermissions);
+      const permission = createMongoAbility<ProjectPermissionSet>(rules, {
+        conditionsMatcher
+      });
+
+      return {
+        permission,
+        id: groupProjectPermission.groupId,
+        name: groupProjectPermission.username,
+        membershipId: groupProjectPermission.id
+      };
+    });
+
+    return {
+      userPermissions,
+      identityPermissions,
+      groupPermissions
+    };
+  };
+
   const getProjectPermission = async <T extends ActorType>(
     type: T,
     id: string,
@@ -455,6 +572,7 @@ export const permissionServiceFactory = ({
     getOrgPermission,
     getUserProjectPermission,
     getProjectPermission,
+    getProjectPermissions,
     getOrgPermissionByRole,
     getProjectPermissionByRole,
     buildOrgPermission,

backend/src/ee/services/secret-rotation/secret-rotation-queue/secret-rotation-queue.ts

@@ -180,6 +180,8 @@ export const secretRotationQueueFactory = ({
           provider.template.client === TDbProviderClients.MsSqlServer
             ? ({
                 encrypt: appCfg.ENABLE_MSSQL_SECRET_ROTATION_ENCRYPT,
+                // when ca is provided use that
+                trustServerCertificate: !ca,
                 cryptoCredentialsDetails: ca ? { ca } : {}
               } as Record<string, unknown>)
             : undefined;

backend/src/lib/api-docs/constants.ts

@@ -741,6 +741,12 @@ export const RAW_SECRETS = {
     workspaceId: "The ID of the project where the secret is located.",
     environment: "The slug of the environment where the the secret is located.",
     secretPath: "The folder path where the secret is located."
+  },
+  GET_ACCESS_LIST: {
+    secretName: "The name of the secret to get the access list for.",
+    workspaceId: "The ID of the project where the secret is located.",
+    environment: "The slug of the environment where the the secret is located.",
+    secretPath: "The folder path where the secret is located."
   }
 } as const;
 

backend/src/server/routes/index.ts

@@ -1033,7 +1033,8 @@ export const registerRoutes = async (
     secretApprovalRequestDAL,
     secretApprovalRequestSecretDAL,
     secretV2BridgeService,
-    secretApprovalRequestService
+    secretApprovalRequestService,
+    licenseService
   });
 
   const secretSharingService = secretSharingServiceFactory({

backend/src/server/routes/v3/secret-router.ts

@@ -36,6 +36,12 @@ const SecretReferenceNodeTree: z.ZodType<TSecretReferenceNode> = SecretReference
   children: z.lazy(() => SecretReferenceNodeTree.array())
 });
 
+const SecretNameSchema = z
+  .string()
+  .trim()
+  .min(1)
+  .refine((el) => !el.includes(" "), "Secret name cannot contain spaces.");
+
 export const registerSecretRouter = async (server: FastifyZodProvider) => {
   server.route({
     method: "POST",
@@ -51,7 +57,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        secretName: z.string().trim().describe(SECRETS.ATTACH_TAGS.secretName)
+        secretName: SecretNameSchema.describe(SECRETS.ATTACH_TAGS.secretName)
       }),
       body: z.object({
         projectSlug: z.string().trim().describe(SECRETS.ATTACH_TAGS.projectSlug),
@@ -114,7 +120,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        secretName: z.string().trim().describe(SECRETS.DETACH_TAGS.secretName)
+        secretName: z.string().describe(SECRETS.DETACH_TAGS.secretName)
       }),
       body: z.object({
         projectSlug: z.string().trim().describe(SECRETS.DETACH_TAGS.projectSlug),
@@ -442,7 +448,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        secretName: z.string().trim().describe(RAW_SECRETS.CREATE.secretName)
+        secretName: SecretNameSchema.describe(RAW_SECRETS.CREATE.secretName)
       }),
       body: z.object({
         workspaceId: z.string().trim().describe(RAW_SECRETS.CREATE.workspaceId),
@@ -549,7 +555,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        secretName: z.string().trim().describe(RAW_SECRETS.UPDATE.secretName)
+        secretName: SecretNameSchema.describe(RAW_SECRETS.UPDATE.secretName)
       }),
       body: z.object({
         workspaceId: z.string().trim().describe(RAW_SECRETS.UPDATE.workspaceId),
@@ -575,7 +581,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
           .optional()
           .nullable()
           .describe(RAW_SECRETS.UPDATE.secretReminderRepeatDays),
-        newSecretName: z.string().min(1).optional().describe(RAW_SECRETS.UPDATE.newSecretName),
+        newSecretName: SecretNameSchema.optional().describe(RAW_SECRETS.UPDATE.newSecretName),
         secretComment: z.string().optional().describe(RAW_SECRETS.UPDATE.secretComment)
       }),
       response: {
@@ -660,7 +666,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         }
       ],
       params: z.object({
-        secretName: z.string().trim().describe(RAW_SECRETS.DELETE.secretName)
+        secretName: z.string().min(1).describe(RAW_SECRETS.DELETE.secretName)
       }),
       body: z.object({
         workspaceId: z.string().trim().describe(RAW_SECRETS.DELETE.workspaceId),
@@ -1855,7 +1861,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
           .describe(RAW_SECRETS.CREATE.secretPath),
         secrets: z
           .object({
-            secretKey: z.string().trim().describe(RAW_SECRETS.CREATE.secretName),
+            secretKey: SecretNameSchema.describe(RAW_SECRETS.CREATE.secretName),
             secretValue: z
               .string()
               .transform((val) => (val.at(-1) === "\n" ? `${val.trim()}\n` : val.trim()))
@@ -1956,14 +1962,14 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
           .describe(RAW_SECRETS.UPDATE.secretPath),
         secrets: z
           .object({
-            secretKey: z.string().trim().describe(RAW_SECRETS.UPDATE.secretName),
+            secretKey: SecretNameSchema.describe(RAW_SECRETS.UPDATE.secretName),
             secretValue: z
               .string()
               .transform((val) => (val.at(-1) === "\n" ? `${val.trim()}\n` : val.trim()))
               .describe(RAW_SECRETS.UPDATE.secretValue),
             secretComment: z.string().trim().optional().describe(RAW_SECRETS.UPDATE.secretComment),
             skipMultilineEncoding: z.boolean().optional().describe(RAW_SECRETS.UPDATE.skipMultilineEncoding),
-            newSecretName: z.string().min(1).optional().describe(RAW_SECRETS.UPDATE.newSecretName),
+            newSecretName: SecretNameSchema.optional().describe(RAW_SECRETS.UPDATE.newSecretName),
             tagIds: z.string().array().optional().describe(RAW_SECRETS.UPDATE.tagIds),
             secretReminderNote: z.string().optional().nullable().describe(RAW_SECRETS.UPDATE.secretReminderNote),
             secretMetadata: ResourceMetadataSchema.optional(),
@@ -2062,7 +2068,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
           .describe(RAW_SECRETS.DELETE.secretPath),
         secrets: z
           .object({
-            secretKey: z.string().trim().describe(RAW_SECRETS.DELETE.secretName),
+            secretKey: z.string().describe(RAW_SECRETS.DELETE.secretName),
             type: z.nativeEnum(SecretType).default(SecretType.Shared)
           })
           .array()

backend/src/services/integration-auth/integration-team.ts

@@ -1,3 +1,5 @@
+import { AxiosResponse } from "axios";
+
 import { request } from "@app/lib/config/request";
 import { BadRequestError } from "@app/lib/errors";
 
@@ -11,19 +13,27 @@ const getTeamsGitLab = async ({ url, accessToken }: { url: string; accessToken:
   const gitLabApiUrl = url ? `${url}/api` : IntegrationUrls.GITLAB_API_URL;
 
   let teams: Team[] = [];
-  const res = (
-    await request.get<{ name: string; id: string }[]>(`${gitLabApiUrl}/v4/groups`, {
-      headers: {
-        Authorization: `Bearer ${accessToken}`,
-        "Accept-Encoding": "application/json"
+  let page: number = 1;
+  while (page > 0) {
+    // eslint-disable-next-line no-await-in-loop
+    const { data, headers }: AxiosResponse<{ name: string; id: string }[]> = await request.get(
+      `${gitLabApiUrl}/v4/groups?page=${page}`,
+      {
+        headers: {
+          Authorization: `Bearer ${accessToken}`,
+          "Accept-Encoding": "application/json"
+        }
       }
-    })
-  ).data;
+    );
 
-  teams = res.map((t) => ({
-    name: t.name,
-    id: t.id.toString()
-  }));
+    page = Number(headers["x-next-page"] ?? "");
+    teams = teams.concat(
+      data.map((t) => ({
+        name: t.name,
+        id: t.id.toString()
+      }))
+    );
+  }
 
   return teams;
 };

backend/src/services/secret/secret-service.ts

@@ -11,6 +11,7 @@ import {
   SecretsSchema,
   SecretType
 } from "@app/db/schemas";
+import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { TSecretApprovalPolicyServiceFactory } from "@app/ee/services/secret-approval-policy/secret-approval-policy-service";
@@ -69,6 +70,7 @@ import {
   TDeleteSecretRawDTO,
   TGetASecretDTO,
   TGetASecretRawDTO,
+  TGetSecretAccessListDTO,
   TGetSecretsDTO,
   TGetSecretsRawDTO,
   TGetSecretVersionsDTO,
@@ -94,7 +96,7 @@ type TSecretServiceFactoryDep = {
   >;
   secretV2BridgeService: TSecretV2BridgeServiceFactory;
   secretBlindIndexDAL: TSecretBlindIndexDALFactory;
-  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
+  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission" | "getProjectPermissions">;
   snapshotService: Pick<TSecretSnapshotServiceFactory, "performSnapshot">;
   secretQueueService: Pick<
     TSecretQueueFactory,
@@ -113,6 +115,7 @@ type TSecretServiceFactoryDep = {
     TSecretApprovalRequestSecretDALFactory,
     "insertMany" | "insertApprovalSecretTags"
   >;
+  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
 };
 
 export type TSecretServiceFactory = ReturnType<typeof secretServiceFactory>;
@@ -134,7 +137,8 @@ export const secretServiceFactory = ({
   secretApprovalRequestDAL,
   secretApprovalRequestSecretDAL,
   secretV2BridgeService,
-  secretApprovalRequestService
+  secretApprovalRequestService,
+  licenseService
 }: TSecretServiceFactoryDep) => {
   const getSecretReference = async (projectId: string) => {
     // if bot key missing means e2e still exist
@@ -1153,6 +1157,71 @@ export const secretServiceFactory = ({
     return secretV2BridgeService.getSecretReferenceTree(dto);
   };
 
+  const getSecretAccessList = async (dto: TGetSecretAccessListDTO) => {
+    const { environment, secretPath, secretName, projectId } = dto;
+    const plan = await licenseService.getPlan(dto.actorOrgId);
+    if (!plan.secretAccessInsights) {
+      throw new BadRequestError({
+        message: "Failed to fetch secret access list due to plan restriction. Upgrade your plan."
+      });
+    }
+
+    const secret = await secretV2BridgeService.getSecretByName({
+      actor: dto.actor,
+      actorId: dto.actorId,
+      actorOrgId: dto.actorOrgId,
+      actorAuthMethod: dto.actorAuthMethod,
+      projectId,
+      secretName,
+      path: secretPath,
+      environment,
+      type: "shared"
+    });
+
+    const { userPermissions, identityPermissions, groupPermissions } = await permissionService.getProjectPermissions(
+      dto.projectId
+    );
+
+    const attachAllowedActions = (
+      entityPermission:
+        | (typeof userPermissions)[number]
+        | (typeof identityPermissions)[number]
+        | (typeof groupPermissions)[number]
+    ) => {
+      const allowedActions = [
+        ProjectPermissionActions.Read,
+        ProjectPermissionActions.Delete,
+        ProjectPermissionActions.Create,
+        ProjectPermissionActions.Edit
+      ].filter((action) =>
+        entityPermission.permission.can(
+          action,
+          subject(ProjectPermissionSub.Secrets, {
+            environment,
+            secretPath,
+            secretName,
+            secretTags: secret?.tags?.map((el) => el.slug)
+          })
+        )
+      );
+
+      return {
+        ...entityPermission,
+        allowedActions
+      };
+    };
+
+    const usersWithAccess = userPermissions.map(attachAllowedActions).filter((user) => user.allowedActions.length > 0);
+    const identitiesWithAccess = identityPermissions
+      .map(attachAllowedActions)
+      .filter((identity) => identity.allowedActions.length > 0);
+    const groupsWithAccess = groupPermissions
+      .map(attachAllowedActions)
+      .filter((group) => group.allowedActions.length > 0);
+
+    return { users: usersWithAccess, identities: identitiesWithAccess, groups: groupsWithAccess };
+  };
+
   const getSecretsRaw = async ({
     projectId,
     path,
@@ -2946,6 +3015,7 @@ export const secretServiceFactory = ({
     getSecretsCountMultiEnv,
     getSecretsRawMultiEnv,
     getSecretReferenceTree,
-    getSecretsRawByFolderMappings
+    getSecretsRawByFolderMappings,
+    getSecretAccessList
   };
 };

backend/src/services/secret/secret-types.ts

@@ -190,6 +190,12 @@ export type TGetSecretsRawDTO = {
   keys?: string[];
 } & TProjectPermission;
 
+export type TGetSecretAccessListDTO = {
+  environment: string;
+  secretPath: string;
+  secretName: string;
+} & TProjectPermission;
+
 export type TGetASecretRawDTO = {
   secretName: string;
   path: string;

cli/packages/cmd/run.go

@@ -419,22 +419,23 @@ func executeCommandWithWatchMode(commandFlag string, args []string, watchModeInt
 
 	for {
 		<-recheckSecretsChannel
-		watchMutex.Lock()
+		func() {
+			watchMutex.Lock()
+			defer watchMutex.Unlock()
 
-		newEnvironmentVariables, err := fetchAndFormatSecretsForShell(request, projectConfigDir, secretOverriding, token)
-		if err != nil {
-			log.Error().Err(err).Msg("[HOT RELOAD] Failed to fetch secrets")
-			continue
-		}
+			newEnvironmentVariables, err := fetchAndFormatSecretsForShell(request, projectConfigDir, secretOverriding, token)
+			if err != nil {
+				log.Error().Err(err).Msg("[HOT RELOAD] Failed to fetch secrets")
+				return
+			}
 
-		if newEnvironmentVariables.ETag != currentETag {
-			runCommandWithWatcher(newEnvironmentVariables)
-		} else {
-			log.Debug().Msg("[HOT RELOAD] No changes detected in secrets, not reloading process")
-		}
-
-		watchMutex.Unlock()
+			if newEnvironmentVariables.ETag != currentETag {
+				runCommandWithWatcher(newEnvironmentVariables)
+			} else {
+				log.Debug().Msg("[HOT RELOAD] No changes detected in secrets, not reloading process")
+			}
 
+		}()
 	}
 }
 

docs/integrations/platforms/kubernetes/infisical-dynamic-secret-crd.mdx

@@ -0,0 +1,437 @@
+---
+sidebarTitle: "InfisicalDynamicSecret CRD"
+title: "InfisicalDynamicSecret CRD"
+description: "Learn how to generate dynamic secret leases in Infisical and sync them to your Kubernetes cluster."
+---
+## Overview 
+
+The **InfisicalDynamicSecret** CRD allows you to easily create and manage dynamic secret leases in Infisical and automatically sync them to your Kubernetes cluster as native **Kubernetes Secret** resources. 
+This means any Pod, Deployment, or other Kubernetes resource can make use of dynamic secrets from Infisical just like any other K8s secret. 
+
+This CRD offers the following features:
+- **Generate a dynamic secret lease** in Infisical and track its lifecycle.
+- **Write** the dynamic secret from Infisical to your cluster as native Kubernetes secret.
+- **Automatically rotate** the dyanmic secret value before it expires to make sure your cluster always has valid credentials.
+- **Optionally trigger redeployments** of any workloads that consume the secret if you enable auto-reload.
+
+### Prerequisites
+- The operator is installed on to your Kubernetes cluster
+- You have already configured a dynamic secret in Infisical
+
+## Configure Dynamic Secret CRD
+
+The example below shows a sample **InfisicalDynamicSecret** CRD that creates a dynamic secret lease in Infisical, and syncs the lease to your Kubernetes cluster.
+
+```yaml dynamic-secret-crd.yaml
+apiVersion: secrets.infisical.com/v1alpha1
+kind: InfisicalDynamicSecret
+metadata:
+  name: infisicaldynamicsecret
+spec:
+  hostAPI: https://app.infisical.com/api # Optional, defaults to https://app.infisical.com/api
+
+  dynamicSecret:
+    secretName: <dynamic-secret-name>
+    projectId: <project-id>
+    secretsPath: <path/to/dynamic-secret> # Root directory is /
+    environmentSlug: <env-slug>
+
+  # Lease revocation policy defines what should happen to leases created by the operator if the CRD is deleted.
+  # If set to "Revoke", leases will be revoked when the InfisicalDynamicSecret CRD is deleted.
+  leaseRevocationPolicy: Revoke
+
+  # Lease TTL defines how long the lease should last for the dynamic secret.
+  # This value must be less than 1 day, and if a max TTL is defined on the dynamic secret, it must be below the max TTL.
+  leaseTTL: 1m
+
+  # A reference to the secret that the dynamic secret lease should be stored in.
+  # If the secret doesn't exist, it will automatically be created.
+  managedSecretReference:
+    secretName: <secret-name>
+    secretNamespace: default # Must be the same namespace as the InfisicalDynamicSecret CRD.
+    creationPolicy: Orphan
+
+  # Only have one authentication method defined or you are likely to run into authentication issues.
+  # Remove all except one authentication method.
+  authentication:
+    awsIamAuth:
+      identityId: <machine-identity-id>
+    azureAuth:
+      identityId: <machine-identity-id>
+    gcpIamAuth:
+      identityId: <machine-identity-id>
+      serviceAccountKeyFilePath: </path-to-service-account-key-file.json>
+    gcpIdTokenAuth:
+      identityId: <machine-identity-id>
+    kubernetesAuth:
+      identityId: <machine-identity-id>
+      serviceAccountRef:
+        name: <secret-name>
+        namespace: <secret-namespace>
+    universalAuth:
+      credentialsRef:
+        secretName: <secret-name> # universal-auth-credentials
+        secretNamespace: <secret-namespace> # default
+```
+
+Apply the InfisicalDynamicSecret CRD to your cluster.
+```bash
+kubectl apply -f dynamic-secret-crd.yaml
+```
+
+After applying the InfisicalDynamicSecret CRD, you should notice that the dynamic secret lease has been created in Infisical and synced to your Kubernetes cluster. You can verify that the lease has been created by doing:
+```bash
+kubectl get secret <managed-secret-name> -o yaml
+```
+
+After getting the secret, you should should see that the secret has data that contains the lease credentials.
+```yaml
+apiVersion: v1
+data:
+  DB_PASSWORD: VHhETjZ4c2xsTXpOSWdPYW5LLlRyNEc2alVKYml6WiQjQS0tNTdodyREM3ZLZWtYSi4hTkdyS0F+TVFsLU9CSA==
+  DB_USERNAME: cHg4Z0dJTUVBcHdtTW1aYnV3ZWRsekJRRll6cW4wFEE=
+kind: Secret
+# .....
+```
+
+### InfisicalDynamicSecret CRD properties
+
+<Accordion title="hostAPI">
+  If you are fetching secrets from a self-hosted instance of Infisical set the value of `hostAPI` to 
+  ` https://your-self-hosted-instace.com/api`
+
+  When `hostAPI` is not defined the operator fetches secrets from Infisical Cloud.
+
+  <Accordion title="Advanced use case">
+    If you have installed your Infisical instance within the same cluster as the Infisical operator, you can optionally access the Infisical backend's service directly without having to route through the public internet. 
+    To achieve this, use the following address for the hostAPI field:
+    
+    ``` bash
+    http://<backend-svc-name>.<namespace>.svc.cluster.local:4000/api
+    ```
+
+    Make sure to replace `<backend-svc-name>` and `<namespace>` with the appropriate values for your backend service and namespace.
+
+  </Accordion>
+</Accordion>
+
+<Accordion title="leaseTTL">
+  The `leaseTTL` is a string-formatted duration that defines the time the lease should last for the dynamic secret.
+
+  The format of the field is `[duration][unit]` where `duration` is a number and `unit` is a string representing the unit of time.
+
+  The following units are supported:
+  - `s` for seconds (must be at least 5 seconds)
+  - `m` for minutes
+  - `h` for hours
+  - `d` for days
+
+  <Note>
+    The lease duration at most be 1 day (24 hours). And the TTL must be less than the max TTL defined on the dynamic secret.
+  </Note>
+</Accordion>
+
+<Accordion title="managedSecretReference">
+  The `managedSecretReference` field is used to define the Kubernetes secret where the dynamic secret lease should be stored. The required fields are `secretName` and `secretNamespace`.
+
+  ```yaml
+  spec:
+    managedSecretReference:
+      secretName: <secret-name>
+      secretNamespace: default
+  ```
+
+  <Accordion title="managedSecretReference.secretName">
+    The name of the Kubernetes secret where the dynamic secret lease should be stored.
+  </Accordion>
+
+  <Accordion title="managedSecretReference.secretNamespace">
+    The namespace of the Kubernetes secret where the dynamic secret lease should be stored.
+  </Accordion>
+
+  <Accordion title="managedSecretReference.creationPolicy">
+    Creation polices allow you to control whether or not owner references should be added to the managed Kubernetes secret that is generated by the Infisical operator. 
+    This is useful for tools such as ArgoCD, where every resource requires an owner reference; otherwise, it will be pruned automatically.
+
+    #### Available options
+    - `Orphan` (default)
+    - `Owner`
+
+    <Tip>
+      When creation policy is set to `Owner`, the `InfisicalSecret` CRD must be in
+      the same namespace as where the managed kubernetes secret.
+    </Tip>
+
+    This field is optional.
+  </Accordion>
+
+  <Accordion title="managedSecretReference.secretType">
+    Override the default Opaque type for managed secrets with this field. Useful for creating kubernetes.io/dockerconfigjson secrets.
+
+    This field is optional.
+  </Accordion>
+
+</Accordion>
+
+<Accordion title="leaseRevocationPolicy">
+
+  The field is optional and will default to `None` if not defined.
+
+  The lease revocation policy defines what the operator should do with the leases created by the operator, when the InfisicalDynamicSecret CRD is deleted.
+
+  Valid values are `None` and `Revoke`.
+
+  Behavior of each policy:
+  - `None`: The operator will not override existing secrets in Infisical. If a secret with the same key already exists, the operator will skip pushing that secret, and the secret will not be managed by the operator.
+  - `Revoke`: The operator will revoke the leases created by the operator when the InfisicalDynamicSecret CRD is deleted.
+
+  ```yaml
+  spec:
+    leaseRevocationPolicy: Revoke
+  ```
+</Accordion>
+
+<Accordion title="dynamicSecret">
+  The `dynamicSecret` field is used to specify which dynamic secret to create leases for. The required fields are `secretName`, `projectId`, `secretsPath`, and `environmentSlug`.
+  
+  ```yaml
+  spec:
+    dynamicSecret:
+      secretName: <dynamic-secret-name>
+      projectId: <project-id>
+      environmentSlug: <env-slug>
+      secretsPath: <secrets-path>
+  ```
+
+  <Accordion title="dynamicSecret.secretName">
+    The name of the dynamic secret.
+  </Accordion>
+
+  <Accordion title="dynamicSecret.projectId">
+    The project ID of where the dynamic secret is stored in Infisical.
+  </Accordion>
+
+  <Accordion title="dynamicSecret.environmentSlug">
+    The environment slug of where the dynamic secret is stored in Infisical.
+  </Accordion>
+
+  <Accordion title="dynamicSecret.secretsPath">
+    The path of where the dynamic secret is stored in Infisical. The root path is `/`.
+  </Accordion>
+
+</Accordion>
+
+<Accordion title="authentication">
+
+  The `authentication` field dictates which authentication method to use when pushing secrets to Infisical.
+  The available authentication methods are `universalAuth`, `kubernetesAuth`, `awsIamAuth`, `azureAuth`, `gcpIdTokenAuth`, and `gcpIamAuth`.
+
+
+  <Accordion title="universalAuth">
+    The universal authentication method is one of the easiest ways to get started with Infisical. Universal Auth works anywhere and is not tied to any specific cloud provider.
+    [Read more about Universal Auth](/documentation/platform/identities/universal-auth).
+
+    Valid fields:
+    - `identityId`: The identity ID of the machine identity you created.
+    - `credentialsRef`: The name and namespace of the Kubernetes secret that stores the service token.
+    - `credentialsRef.secretName`: The name of the Kubernetes secret.
+    - `credentialsRef.secretNamespace`: The namespace of the Kubernetes secret.
+
+    Example:
+
+    ```yaml
+      # infisical-push-secret.yaml
+      spec:
+        universalAuth:
+          credentialsRef:
+            secretName: <secret-name> 
+            secretNamespace: <secret-namespace>
+    ```
+
+    ```yaml
+      # machine-identity-credentials.yaml
+      apiVersion: v1
+      kind: Secret
+      metadata:
+        name: universal-auth-credentials
+      type: Opaque
+      stringData:
+        clientId: <machine-identity-client-id>
+        clientSecret: <machine-identity-client-secret>
+    ```
+
+  </Accordion>
+  <Accordion title="kubernetesAuth">
+    The Kubernetes machine identity authentication method is used to authenticate with Infisical. The identity ID is stored in a field in the InfisicalSecret resource. This authentication method can only be used within a Kubernetes environment.
+    [Read more about Kubernetes Auth](/documentation/platform/identities/kubernetes-auth).
+    Valid fields:
+    - `identityId`: The identity ID of the machine identity you created.
+    - `serviceAccountRef`: The name and namespace of the service account that will be used to authenticate with Infisical.
+    - `serviceAccountRef.name`: The name of the service account.
+    - `serviceAccountRef.namespace`: The namespace of the service account.
+
+    Example:
+
+    ```yaml
+      spec:
+        kubernetesAuth:
+          identityId: <machine-identity-id>
+          serviceAccountRef:
+            name: <secret-name>
+            namespace: <secret-namespace>
+    ```
+  </Accordion>
+
+  <Accordion title="awsIamAuth">
+    The AWS IAM machine identity authentication method is used to authenticate with Infisical.
+    [Read more about AWS IAM Auth](/documentation/platform/identities/aws-auth).
+
+    Valid fields:
+    - `identityId`: The identity ID of the machine identity you created.
+
+    Example:
+
+    ```yaml
+      spec:
+        authentication:
+          awsIamAuth:
+            identityId: <machine-identity-id>
+    ```
+
+  </Accordion>
+  <Accordion title="azureAuth">
+    The AWS IAM machine identity authentication method is used to authenticate with Infisical. Azure Auth can only be used from within an Azure environment.
+    [Read more about Azure Auth](/documentation/platform/identities/azure-auth).
+
+    Valid fields:
+    - `identityId`: The identity ID of the machine identity you created.
+
+    Example:
+
+    ```yaml
+      spec:
+        authentication:
+          azureAuth:
+            identityId: <machine-identity-id>
+    ```
+  </Accordion>
+  <Accordion title="gcpIamAuth">
+    The GCP IAM machine identity authentication method is used to authenticate with Infisical. The identity ID is stored in a field in the InfisicalSecret resource. This authentication method can only be used both within and outside GCP environments.
+    [Read more about Azure Auth](/documentation/platform/identities/gcp-auth).
+
+
+    Valid fields:
+    - `identityId`: The identity ID of the machine identity you created.
+    - `serviceAccountKeyFilePath`: The path to the GCP service account key file.
+
+    Example:
+
+    ```yaml
+      spec:
+        gcpIamAuth:
+          identityId: <machine-identity-id>
+          serviceAccountKeyFilePath: </path-to-service-account-key-file.json>
+    ```
+  </Accordion>
+  <Accordion title="gcpIdTokenAuth">
+    The GCP ID Token machine identity authentication method is used to authenticate with Infisical. The identity ID is stored in a field in the InfisicalSecret resource. This authentication method can only be used within GCP environments.
+    [Read more about Azure Auth](/documentation/platform/identities/gcp-auth).
+
+    Valid fields:
+    - `identityId`: The identity ID of the machine identity you created.
+
+    Example:
+
+    ```yaml
+      spec:
+        gcpIdTokenAuth:
+          identityId: <machine-identity-id>
+    ```
+  </Accordion>
+
+</Accordion>
+
+
+<Accordion title="tls">
+  This block defines the TLS settings to use for connecting to the Infisical
+  instance.
+  
+  Fields:
+  <Accordion title="caRef">
+    This block defines the reference to the CA certificate to use for connecting to the Infisical instance with SSL/TLS.
+
+    Valid fields:
+    - `secretName`: The name of the Kubernetes secret containing the CA certificate to use for connecting to the Infisical instance with SSL/TLS.
+    - `secretNamespace`: The namespace of the Kubernetes secret containing the CA certificate to use for connecting to the Infisical instance with SSL/TLS.
+    - `key`: The name of the key in the Kubernetes secret which contains the value of the CA certificate to use for connecting to the Infisical instance with SSL/TLS.
+
+    Example:
+
+    ```yaml
+      tls:
+        caRef:
+          secretName: custom-ca-certificate
+          secretNamespace: default
+          key: ca.crt
+    ```
+  </Accordion>
+
+</Accordion>
+
+
+### Applying the InfisicalDynamicSecret CRD to your cluster
+
+Once you have configured the `InfisicalDynamicSecret` CRD with the required fields, you can apply it to your cluster. After applying, you should notice that a lease has been created in Infisical and synced to your Kubernetes cluster.
+
+```bash
+kubectl apply -f dynamic-secret-crd.yaml
+```
+
+## Auto redeployment
+
+Deployments referring to Kubernetes secrets containing Infisical dynamic secrets don't automatically reload when the dynamic secret lease expires. This means your deployment may use expired dynamic secrets unless manually redeployed.
+To address this, we've added functionality to automatically redeploy your deployment when the associated Kubernetes secret containing your Infisical dynamic secret updates.
+
+#### Enabling auto redeploy
+
+To enable auto redeployment you simply have to add the following annotation to the deployment that consumes a managed secret
+
+```yaml
+secrets.infisical.com/auto-reload: "true"
+```
+
+<Accordion title="Deployment example with auto redeploy enabled">
+```yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-deployment
+  labels:
+    app: nginx
+  annotations: 
+    secrets.infisical.com/auto-reload: "true" # <- redeployment annotation
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - name: nginx
+        image: nginx:1.14.2
+        envFrom:
+        - secretRef:
+            name: managed-secret # The name of your managed secret, the same that you're using in your InfisicalDynamicSecret CRD (spec.managedSecretReference.secretName)
+        ports:
+        - containerPort: 80
+```
+</Accordion>
+<Info>
+  #### How it works 
+  When the lease changes, the operator will check to see which deployments are using the operator-managed Kubernetes secret that received the update. 
+  Then, for each deployment that has this annotation present, a rolling update will be triggered. A redeployment won't happen if the lease is renewed, only if it's recreated.
+</Info>

docs/integrations/platforms/kubernetes/infisical-push-secret-crd.mdx

@@ -0,0 +1,400 @@
+---
+sidebarTitle: "InfisicalPushSecret CRD"
+title: "Using the InfisicalPushSecret CRD"
+description: "Learn how to use the InfisicalPushSecret CRD to push and manage secrets in Infisical."
+---
+
+
+## Push Secrets to Infisical
+
+
+### Example usage
+
+Below is a sample InfisicalPushSecret CRD that pushes secrets defined in a Kubernetes secret to Infisical.
+
+After filling out the fields in the InfisicalPushSecret CRD, you can apply it directly to your cluster.
+
+Before applying the InfisicalPushSecret CRD, you need to create a Kubernetes secret containing the secrets you want to push to Infisical. An example can be seen below the InfisicalPushSecret CRD.
+
+```yaml infisical-push-secret.yaml
+  apiVersion: secrets.infisical.com/v1alpha1
+  kind: InfisicalPushSecret
+  metadata:
+    name: infisical-push-secret-demo
+  spec:
+    resyncInterval: 1m
+    hostAPI: https://app.infisical.com/api
+
+    # Optional, defaults to no replacement.
+    updatePolicy: Replace # If set to replace, existing secrets inside Infisical will be replaced by the value of the PushSecret on sync.
+
+    # Optional, defaults to no deletion.
+    deletionPolicy: Delete # If set to delete, the secret(s) inside Infisical managed by the operator, will be deleted if the InfisicalPushSecret CRD is deleted.
+
+    destination:
+      projectId: <project-id>
+      environmentSlug: <env-slug>
+      secretsPath: <secret-path>
+
+    push:
+      secret:
+        secretName: push-secret-demo # Secret CRD
+        secretNamespace: default
+
+    # Only have one authentication method defined or you are likely to run into authentication issues.
+    # Remove all except one authentication method.
+    authentication:
+      awsIamAuth:
+        identityId: <machine-identity-id>
+      azureAuth:
+        identityId: <machine-identity-id>
+      gcpIamAuth:
+        identityId: <machine-identity-id>
+        serviceAccountKeyFilePath: </path-to-service-account-key-file.json>
+      gcpIdTokenAuth:
+        identityId: <machine-identity-id>
+      kubernetesAuth:
+        identityId: <machine-identity-id>
+        serviceAccountRef:
+          name: <secret-name>
+          namespace: <secret-namespace>
+      universalAuth:
+        credentialsRef:
+          secretName: <secret-name> # universal-auth-credentials
+          secretNamespace: <secret-namespace> # default
+```
+
+```yaml source-secret.yaml
+  apiVersion: v1
+  kind: Secret
+  metadata:
+    name: push-secret-demo
+    namespace: default
+  stringData: # can also be "data", but needs to be base64 encoded
+    API_KEY: some-api-key
+    DATABASE_URL: postgres://127.0.0.1:5432
+    ENCRYPTION_KEY: fabcc12-a22-facbaa4-11aa568aab
+```
+
+```bash
+  kubectl apply -f source-secret.yaml
+```
+
+After applying the soruce-secret.yaml file, you are ready to apply the InfisicalPushSecret CRD.
+
+```bash
+  kubectl apply -f infisical-push-secret.yaml
+```
+
+After applying the InfisicalPushSecret CRD, you should notice that the secrets you have defined in your source-secret.yaml file have been pushed to your specified destination in Infisical.
+
+
+### InfisicalPushSecret CRD properties
+
+<Accordion title="hostAPI">
+  If you are fetching secrets from a self-hosted instance of Infisical set the value of `hostAPI` to 
+  ` https://your-self-hosted-instace.com/api`
+
+  When `hostAPI` is not defined the operator fetches secrets from Infisical Cloud.
+
+  <Accordion title="Advanced use case">
+    If you have installed your Infisical instance within the same cluster as the Infisical operator, you can optionally access the Infisical backend's service directly without having to route through the public internet. 
+    To achieve this, use the following address for the hostAPI field:
+    
+    ``` bash
+    http://<backend-svc-name>.<namespace>.svc.cluster.local:4000/api
+    ```
+
+    Make sure to replace `<backend-svc-name>` and `<namespace>` with the appropriate values for your backend service and namespace.
+
+  </Accordion>
+</Accordion>
+
+<Accordion title="resyncInterval">
+
+  The `resyncInterval` is a string-formatted duration that defines the time between each resync.
+
+  The format of the field is `[duration][unit]` where `duration` is a number and `unit` is a string representing the unit of time.
+
+  The following units are supported:
+  - `s` for seconds (must be at least 5 seconds)
+  - `m` for minutes
+  - `h` for hours
+  - `d` for days
+  - `w` for weeks
+
+  The default value is `1m` (1 minute).
+
+  Valid intervals examples:
+  ```yaml
+  resyncInterval: 5s # 10 seconds
+  resyncInterval: 10s # 10 seconds
+  resyncInterval: 5m # 5 minutes
+  resyncInterval: 1h # 1 hour
+  resyncInterval: 1d # 1 day
+  ```
+</Accordion>
+
+<Accordion title="updatePolicy">
+
+  The field is optional and will default to `None` if not defined.
+
+  The update policy defines how the operator should handle conflicting secrets when pushing secrets to Infisical.
+
+  Valid values are `None` and `Replace`.
+
+  Behavior of each policy:
+  - `None`: The operator will not override existing secrets in Infisical. If a secret with the same key already exists, the operator will skip pushing that secret, and the secret will not be managed by the operator.
+  - `Replace`: The operator will replace existing secrets in Infisical with the new secrets. If a secret with the same key already exists, the operator will update the secret with the new value.
+
+  ```yaml
+  spec:
+    updatePolicy: Replace
+  ```
+</Accordion>
+
+<Accordion title="deletionPolicy">
+
+  This field is optional and will default to `None` if not defined.
+
+  The deletion policy defines what the operator should do in case the InfisicalPushSecret CRD is deleted.
+
+  Valid values are `None` and `Delete`.
+
+  Behavior of each policy:
+  - `None`: The operator will not delete the secrets in Infisical when the InfisicalPushSecret CRD is deleted.
+  - `Delete`: The operator will delete the secrets in Infisical that are managed by the operator when the InfisicalPushSecret CRD is deleted.
+
+  ```yaml
+  spec:
+    deletionPolicy: Delete
+  ```
+</Accordion>
+
+<Accordion title="destination">
+  The `destination` field is used to specify where you want to create the secrets in Infisical. The required fields are `projectId`, `environmentSlug`, and `secretsPath`.
+  
+  ```yaml
+  spec:
+    destination:
+      projectId: <project-id>
+      environmentSlug: <env-slug>
+      secretsPath: <secrets-path>
+  ```
+
+  <Accordion title="destination.projectId">
+    The project ID where you want to create the secrets in Infisical.
+  </Accordion>
+
+  <Accordion title="destination.environmentSlug">
+    The environment slug where you want to create the secrets in Infisical.
+  </Accordion>
+
+  <Accordion title="destination.secretsPath">
+    The path where you want to create the secrets in Infisical. The root path is `/`.
+  </Accordion>
+
+</Accordion>
+
+<Accordion title="push">
+  The `push` field is used to define what you want to push to Infisical. Currently the operator only supports pushing Kubernetes secrets to Infisical. An example of the `push` field is shown below.
+  
+
+
+  <Accordion title="secret">
+    The `secret` field is used to define the Kubernetes secret you want to push to Infisical. The required fields are `secretName` and `secretNamespace`.
+
+
+
+    Example usage of the `push.secret` field: 
+
+    ```yaml infisical-push-secret.yaml
+      push:
+        secret:
+          secretName: push-secret-demo
+          secretNamespace: default
+    ```
+
+    ```yaml push-secret-demo.yaml
+      apiVersion: v1
+      kind: Secret
+      metadata:
+        name: push-secret-demo
+        namespace: default
+      # Pass in the secrets you wish to push to Infisical
+      stringData:
+        API_KEY: some-api-key
+        DATABASE_URL: postgres://127.0.0.1:5432
+        ENCRYPTION_KEY: fabcc12-a22-facbaa4-11aa568aab
+    ```
+
+  </Accordion>
+</Accordion>
+
+<Accordion title="authentication">
+
+  The `authentication` field dictates which authentication method to use when pushing secrets to Infisical.
+  The available authentication methods are `universalAuth`, `kubernetesAuth`, `awsIamAuth`, `azureAuth`, `gcpIdTokenAuth`, and `gcpIamAuth`.
+
+
+  <Accordion title="universalAuth">
+    The universal authentication method is one of the easiest ways to get started with Infisical. Universal Auth works anywhere and is not tied to any specific cloud provider.
+    [Read more about Universal Auth](/documentation/platform/identities/universal-auth).
+
+    Valid fields:
+    - `identityId`: The identity ID of the machine identity you created.
+    - `credentialsRef`: The name and namespace of the Kubernetes secret that stores the service token.
+    - `credentialsRef.secretName`: The name of the Kubernetes secret.
+    - `credentialsRef.secretNamespace`: The namespace of the Kubernetes secret.
+
+    Example:
+
+    ```yaml
+      # infisical-push-secret.yaml
+      spec:
+        universalAuth:
+          credentialsRef:
+            secretName: <secret-name> 
+            secretNamespace: <secret-namespace>
+    ```
+
+    ```yaml
+      # machine-identity-credentials.yaml
+      apiVersion: v1
+      kind: Secret
+      metadata:
+        name: universal-auth-credentials
+      type: Opaque
+      stringData:
+        clientId: <machine-identity-client-id>
+        clientSecret: <machine-identity-client-secret>
+    ```
+
+  </Accordion>
+  <Accordion title="kubernetesAuth">
+    The Kubernetes machine identity authentication method is used to authenticate with Infisical. The identity ID is stored in a field in the InfisicalSecret resource. This authentication method can only be used within a Kubernetes environment.
+    [Read more about Kubernetes Auth](/documentation/platform/identities/kubernetes-auth).
+    Valid fields:
+    - `identityId`: The identity ID of the machine identity you created.
+    - `serviceAccountRef`: The name and namespace of the service account that will be used to authenticate with Infisical.
+    - `serviceAccountRef.name`: The name of the service account.
+    - `serviceAccountRef.namespace`: The namespace of the service account.
+
+    Example:
+
+    ```yaml
+      spec:
+        kubernetesAuth:
+          identityId: <machine-identity-id>
+          serviceAccountRef:
+            name: <secret-name>
+            namespace: <secret-namespace>
+    ```
+  </Accordion>
+
+  <Accordion title="awsIamAuth">
+    The AWS IAM machine identity authentication method is used to authenticate with Infisical.
+    [Read more about AWS IAM Auth](/documentation/platform/identities/aws-auth).
+
+    Valid fields:
+    - `identityId`: The identity ID of the machine identity you created.
+
+    Example:
+
+    ```yaml
+      spec:
+        authentication:
+          awsIamAuth:
+            identityId: <machine-identity-id>
+    ```
+
+  </Accordion>
+  <Accordion title="azureAuth">
+    The AWS IAM machine identity authentication method is used to authenticate with Infisical. Azure Auth can only be used from within an Azure environment.
+    [Read more about Azure Auth](/documentation/platform/identities/azure-auth).
+
+    Valid fields:
+    - `identityId`: The identity ID of the machine identity you created.
+
+    Example:
+
+    ```yaml
+      spec:
+        authentication:
+          azureAuth:
+            identityId: <machine-identity-id>
+    ```
+  </Accordion>
+  <Accordion title="gcpIamAuth">
+    The GCP IAM machine identity authentication method is used to authenticate with Infisical. The identity ID is stored in a field in the InfisicalSecret resource. This authentication method can only be used both within and outside GCP environments.
+    [Read more about Azure Auth](/documentation/platform/identities/gcp-auth).
+
+
+    Valid fields:
+    - `identityId`: The identity ID of the machine identity you created.
+    - `serviceAccountKeyFilePath`: The path to the GCP service account key file.
+
+    Example:
+
+    ```yaml
+      spec:
+        gcpIamAuth:
+          identityId: <machine-identity-id>
+          serviceAccountKeyFilePath: </path-to-service-account-key-file.json>
+    ```
+  </Accordion>
+  <Accordion title="gcpIdTokenAuth">
+    The GCP ID Token machine identity authentication method is used to authenticate with Infisical. The identity ID is stored in a field in the InfisicalSecret resource. This authentication method can only be used within GCP environments.
+    [Read more about Azure Auth](/documentation/platform/identities/gcp-auth).
+
+    Valid fields:
+    - `identityId`: The identity ID of the machine identity you created.
+
+    Example:
+
+    ```yaml
+      spec:
+        gcpIdTokenAuth:
+          identityId: <machine-identity-id>
+    ```
+  </Accordion>
+
+</Accordion>
+
+
+<Accordion title="tls">
+  This block defines the TLS settings to use for connecting to the Infisical
+  instance.
+  
+  Fields:
+  <Accordion title="caRef">
+    This block defines the reference to the CA certificate to use for connecting to the Infisical instance with SSL/TLS.
+
+    Valid fields:
+    - `secretName`: The name of the Kubernetes secret containing the CA certificate to use for connecting to the Infisical instance with SSL/TLS.
+    - `secretNamespace`: The namespace of the Kubernetes secret containing the CA certificate to use for connecting to the Infisical instance with SSL/TLS.
+    - `key`: The name of the key in the Kubernetes secret which contains the value of the CA certificate to use for connecting to the Infisical instance with SSL/TLS.
+
+    Example:
+
+    ```yaml
+      tls:
+        caRef:
+          secretName: custom-ca-certificate
+          secretNamespace: default
+          key: ca.crt
+    ```
+  </Accordion>
+
+</Accordion>
+
+
+### Applying the InfisicalPushSecret CRD to your cluster
+
+Once you have configured the `InfisicalPushSecret` CRD with the required fields, you can apply it to your cluster.
+After applying, you should notice that the secrets have been pushed to Infisical.
+
+```bash
+  kubectl apply -f source-push-secret.yaml # The secret that you're referencing in the InfisicalPushSecret CRD push.secret field
+  kubectl apply -f example-infisical-push-secret-crd.yaml # The InfisicalPushSecret CRD itself
+```

docs/integrations/platforms/kubernetes/infisical-secret-crd.mdx

@@ -1,109 +1,9 @@
 ---
-title: "Kubernetes Operator"
-description: "How to use Infisical to inject secrets into Kubernetes clusters."
+sidebarTitle: "InfisicalSecret CRD"
+title: "InfisicalSecret CRD"
+description: "Learn how to use the InfisicalSecret CRD to fetch secrets from Infisical and store them as native Kubernetes secret resource"
 ---
 
-![title](../../images/k8-diagram.png)
-
-The Infisical Secrets Operator is a Kubernetes controller that retrieves secrets from Infisical and stores them in a designated cluster.
-It uses an `InfisicalSecret` resource to specify authentication and storage methods.
-The operator continuously updates secrets and can also reload dependent deployments automatically.
-
-<Note>
-  If you are already using the External Secrets operator, you can view the
-  integration documentation for it
-  [here](https://external-secrets.io/latest/provider/infisical/).
-</Note>
-
-## Install Operator
-
-The operator can be install via [Helm](https://helm.sh) or [kubectl](https://github.com/kubernetes/kubectl)
-
-<Tabs>
-	 <Tab title="Helm (recommended)">
-		**Install the latest Infisical Helm repository**
-    ```bash
-    helm repo add infisical-helm-charts 'https://dl.cloudsmith.io/public/infisical/helm-charts/helm/charts/' 
-      
-    helm repo update
-    ```
-
-    **Install the Helm chart**
-
-    To select a specific version, view the  application versions [here](https://hub.docker.com/r/infisical/kubernetes-operator/tags) and chart versions [here](https://cloudsmith.io/~infisical/repos/helm-charts/packages/detail/helm/secrets-operator/#versions)
-
-    ```bash
-    helm install --generate-name infisical-helm-charts/secrets-operator
-    ```
-
-    ```bash
-    # Example installing app version v0.2.0 and chart version 0.1.4
-    helm install --generate-name infisical-helm-charts/secrets-operator --version=0.1.4 --set controllerManager.manager.image.tag=v0.2.0
-    ```
-
-    **Namespace-scoped Installation**
-
-    The operator can be configured to watch and manage secrets in a specific namespace instead of having cluster-wide access. This is useful for:
-
-    - **Enhanced Security**: Limit the operator's permissions to only specific namespaces instead of cluster-wide access
-    - **Multi-tenant Clusters**: Run separate operator instances for different teams or applications
-    - **Resource Isolation**: Ensure operators in different namespaces don't interfere with each other
-    - **Development & Testing**: Run development and production operators side by side in isolated namespaces
-
-    **Note**: For multiple namespace-scoped installations, only the first installation should install CRDs. Subsequent installations should set `installCRDs: false` to avoid conflicts.
-
-    ```bash
-    # First namespace installation (with CRDs)
-    helm install operator-namespace1 infisical-helm-charts/secrets-operator \
-      --namespace first-namespace \
-      --set scopedNamespace=first-namespace \
-      --set scopedRBAC=true
-
-    # Subsequent namespace installations
-    helm install operator-namespace2 infisical-helm-charts/secrets-operator \
-      --namespace another-namespace \
-      --set scopedNamespace=another-namespace \
-      --set scopedRBAC=true \
-      --set installCRDs=false
-    ```
-
-    When scoped to a namespace, the operator will:
-
-    - Only watch InfisicalSecrets in the specified namespace
-    - Only create/update Kubernetes secrets in that namespace
-    - Only access deployments in that namespace
-
-    The default configuration gives cluster-wide access:
-
-    ```yaml
-    installCRDs: true # Install CRDs (set to false for additional namespace installations)
-    scopedNamespace: "" # Empty for cluster-wide access
-    scopedRBAC: false # Cluster-wide permissions
-    ```
-
-    If you want to install operators in multiple namespaces simultaneously:
-    - Make sure to set `installCRDs: false` for all but one of the installations to avoid conflicts, as CRDs are cluster-wide resources.
-    - Use unique release names for each installation (e.g., operator-namespace1, operator-namespace2).
-
-   </Tab>
-  <Tab title="Kubectl">
-  For production deployments, it is highly recommended to set the version of the Kubernetes operator manually instead of pointing to the latest version.
-  Doing so will help you avoid accidental updates to the newest release which may introduce unintended breaking changes. View all application versions [here](https://hub.docker.com/r/infisical/kubernetes-operator/tags).
-
-The command below will install the most recent version of the Kubernetes operator.
-However, to set the version manually, download the manifest and set the image tag version of `infisical/kubernetes-operator` according to your desired version.
-
-Once you apply the manifest, the operator will be installed in `infisical-operator-system` namespace.
-
-    ```
-    kubectl apply -f https://raw.githubusercontent.com/Infisical/infisical/main/k8-operator/kubectl-install/install-secrets-operator.yaml
-    	```
-
-   </Tab>
-</Tabs>
-
-## Sync Infisical Secrets to your cluster
-
 Once you have installed the operator to your cluster, you'll need to create a `InfisicalSecret` custom resource definition (CRD).
 
 ```yaml example-infisical-secret-crd.yaml
@@ -789,48 +689,6 @@ This is useful for tools such as ArgoCD, where every resource requires an owner
 
 </Accordion>
 
-### Propagating labels & annotations
-
-The operator will transfer all labels & annotations present on the `InfisicalSecret` CRD to the managed Kubernetes secret to be created.
-Thus, if a specific label is required on the resulting secret, it can be applied as demonstrated in the following example:
-
-<Accordion title="Example propagation">
-```yaml
-apiVersion: secrets.infisical.com/v1alpha1
-kind: InfisicalSecret
-metadata:
-  name: infisicalsecret-sample
-  labels:
-    label-to-be-passed-to-managed-secret: sample-value
-  annotations:
-    example.com/annotation-to-be-passed-to-managed-secret: "sample-value"
-spec:
-  ..
-  authentication:
-    ...
-  managedSecretReference:
-    ...
-```
-
-This would result in the following managed secret to be created:
-
-```yaml
-apiVersion: v1
-data: ...
-kind: Secret
-metadata:
-  annotations:
-    example.com/annotation-to-be-passed-to-managed-secret: sample-value
-    secrets.infisical.com/version: W/"3f1-ZyOSsrCLGSkAhhCkY2USPu2ivRw"
-  labels:
-    label-to-be-passed-to-managed-secret: sample-value
-  name: managed-token
-  namespace: default
-type: Opaque
-```
-
-</Accordion>
-
 ### Apply the InfisicalSecret CRD to your cluster
 
 Once you have configured the InfisicalSecret CRD with the required fields, you can apply it to your cluster.
@@ -854,7 +712,7 @@ kubectl get secrets -n <namespace of managed secret>
   1 minutes.
 </Info>
 
-### Using managed secret in your deployment
+## Using managed secret in your deployment
 
 Incorporating the managed secret created by the operator into your deployment can be achieved through several methods.
 Here, we will highlight three of the most common ways to utilize it. Learn more about Kubernetes secrets [here](https://kubernetes.io/docs/concepts/configuration/secret/)
@@ -996,25 +854,6 @@ spec:
 
 </Accordion>
 
-### Connecting to instances with private/self-signed certificate
-
-To connect to Infisical instances behind a private/self-signed certificate, you can configure the TLS settings in the `InfisicalSecret` CRD
-to point to a CA certificate stored in a Kubernetes secret resource.
-
-```yaml
----
-spec:
-  hostAPI: https://app.infisical.com/api
-  resyncInterval: 10
-  tls:
-    caRef:
-      secretName: custom-ca-certificate
-      secretNamespace: default
-      key: ca.crt
-  authentication:
----
-```
-
 The definition file of the Kubernetes secret for the CA certificate can be structured like the following:
 
 ```yaml
@@ -1081,503 +920,44 @@ spec:
   Then, for each deployment that has this annotation present, a rolling update will be triggered.
 </Info>
 
-## Push Secrets to Infisical
+## Propagating labels & annotations
 
+The operator will transfer all labels & annotations present on the `InfisicalSecret` CRD to the managed Kubernetes secret to be created.
+Thus, if a specific label is required on the resulting secret, it can be applied as demonstrated in the following example:
 
-### Example usage
-
-Below is a sample InfisicalPushSecret CRD that pushes secrets defined in a Kubernetes secret to Infisical.
-
-After filling out the fields in the InfisicalPushSecret CRD, you can apply it directly to your cluster.
-
-Before applying the InfisicalPushSecret CRD, you need to create a Kubernetes secret containing the secrets you want to push to Infisical. An example can be seen below the InfisicalPushSecret CRD.
-
-```bash
-  kubectl apply -f source-secret.yaml
-```
-
-After applying the soruce-secret.yaml file, you are ready to apply the InfisicalPushSecret CRD.
-
-```bash
-  kubectl apply -f infisical-push-secret.yaml
-```
-
-After applying the InfisicalPushSecret CRD, you should notice that the secrets you have defined in your source-secret.yaml file have been pushed to your specified destination in Infisical.
-
-```yaml infisical-push-secret.yaml
-  apiVersion: secrets.infisical.com/v1alpha1
-  kind: InfisicalPushSecret
-  metadata:
-    name: infisical-push-secret-demo
-  spec:
-    resyncInterval: 1m
-    hostAPI: https://app.infisical.com/api
-
-    # Optional, defaults to no replacement.
-    updatePolicy: Replace # If set to replace, existing secrets inside Infisical will be replaced by the value of the PushSecret on sync.
-
-    # Optional, defaults to no deletion.
-    deletionPolicy: Delete # If set to delete, the secret(s) inside Infisical managed by the operator, will be deleted if the InfisicalPushSecret CRD is deleted.
-
-    destination:
-      projectId: <project-id>
-      environmentSlug: <env-slug>
-      secretsPath: <secret-path>
-
-    push:
-      secret:
-        secretName: push-secret-demo # Secret CRD
-        secretNamespace: default
-
-    # Only have one authentication method defined or you are likely to run into authentication issues.
-    # Remove all except one authentication method.
-    authentication:
-      awsIamAuth:
-        identityId: <machine-identity-id>
-      azureAuth:
-        identityId: <machine-identity-id>
-      gcpIamAuth:
-        identityId: <machine-identity-id>
-        serviceAccountKeyFilePath: </path-to-service-account-key-file.json>
-      gcpIdTokenAuth:
-        identityId: <machine-identity-id>
-      kubernetesAuth:
-        identityId: <machine-identity-id>
-        serviceAccountRef:
-          name: <secret-name>
-          namespace: <secret-namespace>
-      universalAuth:
-        credentialsRef:
-          secretName: <secret-name> # universal-auth-credentials
-          secretNamespace: <secret-namespace> # default
-```
-
-```yaml source-secret.yaml
-  apiVersion: v1
-  kind: Secret
-  metadata:
-    name: push-secret-demo
-    namespace: default
-  stringData: # can also be "data", but needs to be base64 encoded
-    API_KEY: some-api-key
-    DATABASE_URL: postgres://127.0.0.1:5432
-    ENCRYPTION_KEY: fabcc12-a22-facbaa4-11aa568aab
-```
-
-### InfisicalPushSecret CRD properties
-
-<Accordion title="hostAPI">
-  If you are fetching secrets from a self-hosted instance of Infisical set the value of `hostAPI` to 
-  ` https://your-self-hosted-instace.com/api`
-
-  When `hostAPI` is not defined the operator fetches secrets from Infisical Cloud.
-
-  <Accordion title="Advanced use case">
-    If you have installed your Infisical instance within the same cluster as the Infisical operator, you can optionally access the Infisical backend's service directly without having to route through the public internet. 
-    To achieve this, use the following address for the hostAPI field:
-    
-    ``` bash
-    http://<backend-svc-name>.<namespace>.svc.cluster.local:4000/api
-    ```
-
-    Make sure to replace `<backend-svc-name>` and `<namespace>` with the appropriate values for your backend service and namespace.
-
-  </Accordion>
-</Accordion>
-
-<Accordion title="resyncInterval">
-
-  The `resyncInterval` is a string-formatted duration that defines the time between each resync.
-
-  The format of the field is `[duration][unit]` where `duration` is a number and `unit` is a string representing the unit of time.
-
-  The following units are supported:
-  - `s` for seconds (must be at least 5 seconds)
-  - `m` for minutes
-  - `h` for hours
-  - `d` for days
-  - `w` for weeks
-
-  The default value is `1m` (1 minute).
-
-  Valid intervals examples:
-  ```yaml
-  resyncInterval: 5s # 10 seconds
-  resyncInterval: 10s # 10 seconds
-  resyncInterval: 5m # 5 minutes
-  resyncInterval: 1h # 1 hour
-  resyncInterval: 1d # 1 day
-  ```
-</Accordion>
-
-<Accordion title="updatePolicy">
-
-  The field is optional and will default to `None` if not defined.
-
-  The update policy defines how the operator should handle conflicting secrets when pushing secrets to Infisical.
-
-  Valid values are `None` and `Replace`.
-
-  Behavior of each policy:
-  - `None`: The operator will not override existing secrets in Infisical. If a secret with the same key already exists, the operator will skip pushing that secret, and the secret will not be managed by the operator.
-  - `Replace`: The operator will replace existing secrets in Infisical with the new secrets. If a secret with the same key already exists, the operator will update the secret with the new value.
-
-  ```yaml
-  spec:
-    updatePolicy: Replace
-  ```
-</Accordion>
-
-<Accordion title="deletionPolicy">
-
-  This field is optional and will default to `None` if not defined.
-
-  The deletion policy defines what the operator should do in case the InfisicalPushSecret CRD is deleted.
-
-  Valid values are `None` and `Delete`.
-
-  Behavior of each policy:
-  - `None`: The operator will not delete the secrets in Infisical when the InfisicalPushSecret CRD is deleted.
-  - `Delete`: The operator will delete the secrets in Infisical that are managed by the operator when the InfisicalPushSecret CRD is deleted.
-
-  ```yaml
-  spec:
-    deletionPolicy: Delete
-  ```
-</Accordion>
-
-<Accordion title="destination">
-  The `destination` field is used to specify where you want to create the secrets in Infisical. The required fields are `projectId`, `environmentSlug`, and `secretsPath`.
-  
-  ```yaml
-  spec:
-    destination:
-      projectId: <project-id>
-      environmentSlug: <env-slug>
-      secretsPath: <secrets-path>
-  ```
-
-  <Accordion title="destination.projectId">
-    The project ID where you want to create the secrets in Infisical.
-  </Accordion>
-
-  <Accordion title="destination.environmentSlug">
-    The environment slug where you want to create the secrets in Infisical.
-  </Accordion>
-
-  <Accordion title="destination.secretsPath">
-    The path where you want to create the secrets in Infisical. The root path is `/`.
-  </Accordion>
-
-</Accordion>
-
-<Accordion title="push">
-  The `push` field is used to define what you want to push to Infisical. Currently the operator only supports pushing Kubernetes secrets to Infisical. An example of the `push` field is shown below.
-  
-
-
-  <Accordion title="secret">
-    The `secret` field is used to define the Kubernetes secret you want to push to Infisical. The required fields are `secretName` and `secretNamespace`.
-
-
-
-    Example usage of the `push.secret` field: 
-
-    ```yaml infisical-push-secret.yaml
-      push:
-        secret:
-          secretName: push-secret-demo
-          secretNamespace: default
-    ```
-
-    ```yaml push-secret-demo.yaml
-      apiVersion: v1
-      kind: Secret
-      metadata:
-        name: push-secret-demo
-        namespace: default
-      # Pass in the secrets you wish to push to Infisical
-      stringData:
-        API_KEY: some-api-key
-        DATABASE_URL: postgres://127.0.0.1:5432
-        ENCRYPTION_KEY: fabcc12-a22-facbaa4-11aa568aab
-    ```
-
-  </Accordion>
-</Accordion>
-
-<Accordion title="authentication">
-
-  The `authentication` field dictates which authentication method to use when pushing secrets to Infisical.
-  The available authentication methods are `universalAuth`, `kubernetesAuth`, `awsIamAuth`, `azureAuth`, `gcpIdTokenAuth`, and `gcpIamAuth`.
-
-
-  <Accordion title="universalAuth">
-    The universal authentication method is one of the easiest ways to get started with Infisical. Universal Auth works anywhere and is not tied to any specific cloud provider.
-    [Read more about Universal Auth](/documentation/platform/identities/universal-auth).
-
-    Valid fields:
-    - `identityId`: The identity ID of the machine identity you created.
-    - `credentialsRef`: The name and namespace of the Kubernetes secret that stores the service token.
-    - `credentialsRef.secretName`: The name of the Kubernetes secret.
-    - `credentialsRef.secretNamespace`: The namespace of the Kubernetes secret.
-
-    Example:
-
-    ```yaml
-      # infisical-push-secret.yaml
-      spec:
-        universalAuth:
-          credentialsRef:
-            secretName: <secret-name> 
-            secretNamespace: <secret-namespace>
-    ```
-
-    ```yaml
-      # machine-identity-credentials.yaml
-      apiVersion: v1
-      kind: Secret
-      metadata:
-        name: universal-auth-credentials
-      type: Opaque
-      stringData:
-        clientId: <machine-identity-client-id>
-        clientSecret: <machine-identity-client-secret>
-    ```
-
-  </Accordion>
-  <Accordion title="kubernetesAuth">
-    The Kubernetes machine identity authentication method is used to authenticate with Infisical. The identity ID is stored in a field in the InfisicalSecret resource. This authentication method can only be used within a Kubernetes environment.
-    [Read more about Kubernetes Auth](/documentation/platform/identities/kubernetes-auth).
-    Valid fields:
-    - `identityId`: The identity ID of the machine identity you created.
-    - `serviceAccountRef`: The name and namespace of the service account that will be used to authenticate with Infisical.
-    - `serviceAccountRef.name`: The name of the service account.
-    - `serviceAccountRef.namespace`: The namespace of the service account.
-
-    Example:
-
-    ```yaml
-      spec:
-        kubernetesAuth:
-          identityId: <machine-identity-id>
-          serviceAccountRef:
-            name: <secret-name>
-            namespace: <secret-namespace>
-    ```
-  </Accordion>
-
-  <Accordion title="awsIamAuth">
-    The AWS IAM machine identity authentication method is used to authenticate with Infisical.
-    [Read more about AWS IAM Auth](/documentation/platform/identities/aws-auth).
-
-    Valid fields:
-    - `identityId`: The identity ID of the machine identity you created.
-
-    Example:
-
-    ```yaml
-      spec:
-        authentication:
-          awsIamAuth:
-            identityId: <machine-identity-id>
-    ```
-
-  </Accordion>
-  <Accordion title="azureAuth">
-    The AWS IAM machine identity authentication method is used to authenticate with Infisical. Azure Auth can only be used from within an Azure environment.
-    [Read more about Azure Auth](/documentation/platform/identities/azure-auth).
-
-    Valid fields:
-    - `identityId`: The identity ID of the machine identity you created.
-
-    Example:
-
-    ```yaml
-      spec:
-        authentication:
-          azureAuth:
-            identityId: <machine-identity-id>
-    ```
-  </Accordion>
-  <Accordion title="gcpIamAuth">
-    The GCP IAM machine identity authentication method is used to authenticate with Infisical. The identity ID is stored in a field in the InfisicalSecret resource. This authentication method can only be used both within and outside GCP environments.
-    [Read more about Azure Auth](/documentation/platform/identities/gcp-auth).
-
-
-    Valid fields:
-    - `identityId`: The identity ID of the machine identity you created.
-    - `serviceAccountKeyFilePath`: The path to the GCP service account key file.
-
-    Example:
-
-    ```yaml
-      spec:
-        gcpIamAuth:
-          identityId: <machine-identity-id>
-          serviceAccountKeyFilePath: </path-to-service-account-key-file.json>
-    ```
-  </Accordion>
-  <Accordion title="gcpIdTokenAuth">
-    The GCP ID Token machine identity authentication method is used to authenticate with Infisical. The identity ID is stored in a field in the InfisicalSecret resource. This authentication method can only be used within GCP environments.
-    [Read more about Azure Auth](/documentation/platform/identities/gcp-auth).
-
-    Valid fields:
-    - `identityId`: The identity ID of the machine identity you created.
-
-    Example:
-
-    ```yaml
-      spec:
-        gcpIdTokenAuth:
-          identityId: <machine-identity-id>
-    ```
-  </Accordion>
-
-</Accordion>
-
-
-<Accordion title="tls">
-  This block defines the TLS settings to use for connecting to the Infisical
-  instance.
-  
-  Fields:
-  <Accordion title="caRef">
-    This block defines the reference to the CA certificate to use for connecting to the Infisical instance with SSL/TLS.
-
-    Valid fields:
-    - `secretName`: The name of the Kubernetes secret containing the CA certificate to use for connecting to the Infisical instance with SSL/TLS.
-    - `secretNamespace`: The namespace of the Kubernetes secret containing the CA certificate to use for connecting to the Infisical instance with SSL/TLS.
-    - `key`: The name of the key in the Kubernetes secret which contains the value of the CA certificate to use for connecting to the Infisical instance with SSL/TLS.
-
-    Example:
-
-    ```yaml
-      tls:
-        caRef:
-          secretName: custom-ca-certificate
-          secretNamespace: default
-          key: ca.crt
-    ```
-  </Accordion>
-
-</Accordion>
-
-
-### Applying the InfisicalPushSecret CRD to your cluster
-
-Once you have configured the `InfisicalPushSecret` CRD with the required fields, you can apply it to your cluster.
-After applying, you should notice that the secrets have been pushed to Infisical.
-
-```bash
-  kubectl apply -f source-push-secret.yaml # The secret that you're referencing in the InfisicalPushSecret CRD push.secret field
-  kubectl apply -f example-infisical-push-secret-crd.yaml # The InfisicalPushSecret CRD itself
-```
-
-### Connecting to instances with private/self-signed certificate
-
-To connect to Infisical instances behind a private/self-signed certificate, you can configure the TLS settings in the `InfisicalPushSecret` CRD
-to point to a CA certificate stored in a Kubernetes secret resource.
-
+<Accordion title="Example propagation">
 ```yaml
+apiVersion: secrets.infisical.com/v1alpha1
+kind: InfisicalSecret
+metadata:
+  name: infisicalsecret-sample
+  labels:
+    label-to-be-passed-to-managed-secret: sample-value
+  annotations:
+    example.com/annotation-to-be-passed-to-managed-secret: "sample-value"
 spec:
-  hostAPI: https://app.infisical.com/api
-  resyncInterval: 30s
-  tls:
-    caRef:
-      secretName: custom-ca-certificate
-      secretNamespace: default
-      key: ca.crt
+  ..
   authentication:
-    # ... 
+    ...
+  managedSecretReference:
+    ...
 ```
 
-
-## Global configuration
-
-To configure global settings that will apply to all instances of `InfisicalSecret`, you can define these configurations in a Kubernetes ConfigMap.
-For example, you can configure all `InfisicalSecret` instances to fetch secrets from a single backend API without specifying the `hostAPI` parameter for each instance.
-
-### Available global properties
-
-| Property | Description                                                                       | Default value                 |
-| -------- | --------------------------------------------------------------------------------- | ----------------------------- |
-| hostAPI  | If `hostAPI` in `InfisicalSecret` instance is left empty, this value will be used | https://app.infisical.com/api |
-
-### Applying global configurations
-
-All global configurations must reside in a Kubernetes ConfigMap named `infisical-config` in the namespace `infisical-operator-system`.
-To apply global configuration to the operator, copy the following yaml into `infisical-config.yaml` file.
-
-```yaml infisical-config.yaml
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: infisical-operator-system
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: infisical-config
-  namespace: infisical-operator-system
-data:
-  hostAPI: https://example.com/api # <-- global hostAPI
-```
-
-Then apply this change via kubectl by running the following
-
-```bash
-kubectl apply -f infisical-config.yaml
-```
-
-## Troubleshoot operator
-
-If the operator is unable to fetch secrets from the API, it will not affect the managed Kubernetes secret.
-It will continue attempting to reconnect to the API indefinitely.
-The InfisicalSecret resource uses the `status.conditions` field to report its current state and any errors encountered.
+This would result in the following managed secret to be created:
 
 ```yaml
-$ kubectl get infisicalSecrets
-NAME                     AGE
-infisicalsecret-sample   12s
-
-$ kubectl describe infisicalSecret infisicalsecret-sample
-...
-Spec:
-...
-Status:
-  Conditions:
-    Last Transition Time:  2022-12-18T04:29:09Z
-    Message:               Infisical controller has located the Infisical token in provided Kubernetes secret
-    Reason:                OK
-    Status:                True
-    Type:                  secrets.infisical.com/LoadedInfisicalToken
-    Last Transition Time:  2022-12-18T04:29:10Z
-    Message:               Failed to update secret because: 400 Bad Request
-    Reason:                Error
-    Status:                False
-    Type:                  secrets.infisical.com/ReadyToSyncSecrets
-Events:                    <none>
+apiVersion: v1
+data: ...
+kind: Secret
+metadata:
+  annotations:
+    example.com/annotation-to-be-passed-to-managed-secret: sample-value
+    secrets.infisical.com/version: W/"3f1-ZyOSsrCLGSkAhhCkY2USPu2ivRw"
+  labels:
+    label-to-be-passed-to-managed-secret: sample-value
+  name: managed-token
+  namespace: default
+type: Opaque
 ```
 
-## Uninstall Operator
-
-The managed secret created by the operator will not be deleted when the operator is uninstalled.
-
-<Tabs>
-	 <Tab title="Helm">
-		Install Infisical Helm repository 
-    ```bash
-    helm uninstall <release name>
-    ```
-   </Tab>
-	 <Tab title="Kubectl">
-		```
-    kubectl delete -f https://raw.githubusercontent.com/Infisical/infisical/main/k8-operator/kubectl-install/install-secrets-operator.yaml
-		```
-   </Tab>
-</Tabs>
-
-## Useful Articles
-
-- [Managing secrets in OpenShift with Infisical](https://xphyr.net/post/infisical_ocp/)
+</Accordion>

docs/integrations/platforms/kubernetes/overview.mdx

@@ -0,0 +1,195 @@
+---
+title: "Kubernetes Operator"
+sidebarTitle: "Overview"
+description: "How to use Infisical to inject, push, and manage secrets within Kubernetes clusters"
+---
+
+The Infisical Operator is a collection of Kubernetes controllers that streamline how secrets are managed between Infisical and your Kubernetes cluster. 
+It provides multiple Custom Resource Definitions (CRDs) which enable you to:
+
+- **Sync** secrets from Infisical into Kubernetes (`InfisicalSecret`).
+- **Push** new secrets from Kubernetes to Infisical (`InfisicalPushSecret`).
+- **Manage** dynamic secrets and automatically create time-bound leases (`InfisicalDynamicSecret`).
+
+When these CRDs are configured, the Infisical Operator will continuously monitors for changes and performs necessary updates to keep your Kubernetes secrets up to date. 
+It can also automatically reload dependent Deployments resources whenever relevant secrets are updated.
+
+<Note>
+  If you are already using the External Secrets operator, you can view the
+  integration documentation for it
+  [here](https://external-secrets.io/latest/provider/infisical/).
+</Note>
+
+## Install 
+
+The operator can be install via [Helm](https://helm.sh). Helm is a package manager for Kubernetes that allows you to define, install, and upgrade Kubernetes applications.
+
+**Install the latest Helm repository**
+```bash
+helm repo add infisical-helm-charts 'https://dl.cloudsmith.io/public/infisical/helm-charts/helm/charts/' 
+```
+
+```bash  
+helm repo update
+```
+
+The operator can be installed either cluster-wide or restricted to a specific namespace. 
+If you require stronger isolation and stricter access controls, a namespace-scoped installation may make more sense.
+
+<Tabs>
+  <Tab title="Cluster Wide Installation">
+    ```bash
+    helm install --generate-name infisical-helm-charts/secrets-operator
+    ```
+  </Tab>
+  <Tab title="Namespace Scoped Installation">
+    The operator can be configured to watch and manage secrets in a specific namespace instead of having cluster-wide access. This is useful for:
+
+    - **Enhanced Security**: Limit the operator's permissions to only specific namespaces instead of cluster-wide access
+    - **Multi-tenant Clusters**: Run separate operator instances for different teams or applications
+    - **Resource Isolation**: Ensure operators in different namespaces don't interfere with each other
+    - **Development & Testing**: Run development and production operators side by side in isolated namespaces
+
+    **Note**: For multiple namespace-scoped installations, only the first installation should install CRDs. Subsequent installations should set `installCRDs: false` to avoid conflicts.
+
+    ```bash
+    # First namespace installation (with CRDs)
+    helm install operator-namespace1 infisical-helm-charts/secrets-operator \
+      --namespace first-namespace \
+      --set scopedNamespace=first-namespace \
+      --set scopedRBAC=true
+
+    # Subsequent namespace installations
+    helm install operator-namespace2 infisical-helm-charts/secrets-operator \
+      --namespace another-namespace \
+      --set scopedNamespace=another-namespace \
+      --set scopedRBAC=true \
+      --set installCRDs=false
+    ```
+
+    When scoped to a namespace, the operator will:
+
+    - Only watch InfisicalSecrets in the specified namespace
+    - Only create/update Kubernetes secrets in that namespace
+    - Only access deployments in that namespace
+
+    The default configuration gives cluster-wide access:
+
+    ```yaml
+    installCRDs: true # Install CRDs (set to false for additional namespace installations)
+    scopedNamespace: "" # Empty for cluster-wide access
+    scopedRBAC: false # Cluster-wide permissions
+    ```
+
+    If you want to install operators in multiple namespaces simultaneously:
+    - Make sure to set `installCRDs: false` for all but one of the installations to avoid conflicts, as CRDs are cluster-wide resources.
+    - Use unique release names for each installation (e.g., operator-namespace1, operator-namespace2).
+
+  </Tab>
+</Tabs>
+
+## Custom Resource Definitions
+
+Currently the operator supports the following CRD's. We are constantly expanding the functionality of the operator, and this list will be updated as new CRD's are added.
+
+1. [InfisicalSecret](/integrations/platforms/kubernetes/infisical-secret-crd): Sync secrets from Infisical to a Kubernetes secret.
+2. [InfisicalPushSecret](/integrations/platforms/kubernetes/infisical-push-secret-crd): Push secrets from a Kubernetes secret to Infisical.
+3. [InfisicalDynamicSecret](/integrations/platforms/kubernetes/infisical-dynamic-secret-crd): Sync dynamic secrets and create leases automatically in Kubernetes.
+
+## General Configuration
+### Private/self-signed certificate
+To connect to Infisical instances behind a private/self-signed certificate, you can configure the TLS settings in the CRD
+to point to a CA certificate stored in a Kubernetes secret resource.
+
+```yaml
+---
+spec:
+  hostAPI: https://app.infisical.com/api
+  tls:
+    caRef:
+      secretName: custom-ca-certificate
+      secretNamespace: default
+      key: ca.crt
+---
+```
+
+
+## Global configuration
+
+To configure global settings that will apply to all instances of `InfisicalSecret`, you can define these configurations in a Kubernetes ConfigMap.
+For example, you can configure all `InfisicalSecret` instances to fetch secrets from a single backend API without specifying the `hostAPI` parameter for each instance.
+
+### Available global properties
+
+| Property | Description                                                                       | Default value                 |
+| -------- | --------------------------------------------------------------------------------- | ----------------------------- |
+| hostAPI  | If `hostAPI` in `InfisicalSecret` instance is left empty, this value will be used | https://app.infisical.com/api |
+
+### Applying global configurations
+
+All global configurations must reside in a Kubernetes ConfigMap named `infisical-config` in the namespace `infisical-operator-system`.
+To apply global configuration to the operator, copy the following yaml into `infisical-config.yaml` file.
+
+```yaml infisical-config.yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: infisical-operator-system
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: infisical-config
+  namespace: infisical-operator-system
+data:
+  hostAPI: https://example.com/api # <-- global hostAPI
+```
+
+Then apply this change via kubectl by running the following
+
+```bash
+kubectl apply -f infisical-config.yaml
+```
+
+## Troubleshoot operator
+
+If the operator is unable to fetch secrets from the API, it will not affect the managed Kubernetes secret.
+It will continue attempting to reconnect to the API indefinitely.
+The InfisicalSecret resource uses the `status.conditions` field to report its current state and any errors encountered.
+
+```yaml
+$ kubectl get infisicalSecrets
+NAME                     AGE
+infisicalsecret-sample   12s
+
+$ kubectl describe infisicalSecret infisicalsecret-sample
+...
+Spec:
+...
+Status:
+  Conditions:
+    Last Transition Time:  2022-12-18T04:29:09Z
+    Message:               Infisical controller has located the Infisical token in provided Kubernetes secret
+    Reason:                OK
+    Status:                True
+    Type:                  secrets.infisical.com/LoadedInfisicalToken
+    Last Transition Time:  2022-12-18T04:29:10Z
+    Message:               Failed to update secret because: 400 Bad Request
+    Reason:                Error
+    Status:                False
+    Type:                  secrets.infisical.com/ReadyToSyncSecrets
+Events:                    <none>
+```
+
+## Uninstall Operator
+
+The managed secret created by the operator will not be deleted when the operator is uninstalled.
+
+<Tabs>
+	 <Tab title="Helm">
+		Install Infisical Helm repository 
+    ```bash
+    helm uninstall <release name>
+    ```
+   </Tab>
+</Tabs>

docs/mint.json

@@ -349,7 +349,15 @@
         {
           "group": "Container orchestrators",
           "pages": [
-            "integrations/platforms/kubernetes",
+            {
+              "group": "Kubernetes",
+              "pages": [
+                "integrations/platforms/kubernetes/overview",
+                "integrations/platforms/kubernetes/infisical-secret-crd",
+                "integrations/platforms/kubernetes/infisical-push-secret-crd",
+                "integrations/platforms/kubernetes/infisical-dynamic-secret-crd"
+              ]
+            },
             "integrations/platforms/kubernetes-csi",
             "integrations/platforms/docker-swarm-with-agent",
             "integrations/platforms/ecs-with-agent"

frontend/src/hooks/api/secrets/queries.tsx

@@ -10,6 +10,7 @@ import { useToggle } from "@app/hooks/useToggle";
 import { ERROR_NOT_ALLOWED_READ_SECRETS } from "./constants";
 import {
   GetSecretVersionsDTO,
+  SecretAccessListEntry,
   SecretType,
   SecretV3Raw,
   SecretV3RawResponse,
@@ -18,6 +19,7 @@ import {
   TGetProjectSecretsAllEnvDTO,
   TGetProjectSecretsDTO,
   TGetProjectSecretsKey,
+  TGetSecretAccessListDTO,
   TGetSecretReferenceTreeDTO,
   TSecretReferenceTraceNode
 } from "./types";
@@ -27,6 +29,13 @@ export const secretKeys = {
   getProjectSecret: ({ workspaceId, environment, secretPath }: TGetProjectSecretsKey) =>
     [{ workspaceId, environment, secretPath }, "secrets"] as const,
   getSecretVersion: (secretId: string) => [{ secretId }, "secret-versions"] as const,
+  getSecretAccessList: ({
+    workspaceId,
+    environment,
+    secretPath,
+    secretKey
+  }: TGetSecretAccessListDTO) =>
+    ["secret-access-list", { workspaceId, environment, secretPath, secretKey }] as const,
   getSecretReferenceTree: (dto: TGetSecretReferenceTreeDTO) => ["secret-reference-tree", dto]
 };
 
@@ -232,6 +241,27 @@ export const useGetSecretVersion = (dto: GetSecretVersionsDTO) =>
     }, [])
   });
 
+export const useGetSecretAccessList = (dto: TGetSecretAccessListDTO) =>
+  useQuery({
+    enabled: Boolean(dto.secretKey),
+    queryKey: secretKeys.getSecretAccessList(dto),
+    queryFn: async () => {
+      const { data } = await apiRequest.get<{
+        groups: SecretAccessListEntry[];
+        identities: SecretAccessListEntry[];
+        users: SecretAccessListEntry[];
+      }>(`/api/v1/secrets/${dto.secretKey}/access-list`, {
+        params: {
+          workspaceId: dto.workspaceId,
+          environment: dto.environment,
+          secretPath: dto.secretPath
+        }
+      });
+
+      return data;
+    }
+  });
+
 const fetchSecretReferenceTree = async ({
   secretPath,
   projectId,

frontend/src/hooks/api/secrets/types.ts

@@ -1,3 +1,5 @@
+import { ProjectPermissionActions } from "@app/context";
+
 import type { WsTag } from "../tags/types";
 
 export enum SecretType {
@@ -125,6 +127,13 @@ export type GetSecretVersionsDTO = {
   offset: number;
 };
 
+export type TGetSecretAccessListDTO = {
+  workspaceId: string;
+  environment: string;
+  secretPath: string;
+  secretKey: string;
+};
+
 export type TCreateSecretsV3DTO = {
   secretKey: string;
   secretValue: string;
@@ -231,3 +240,10 @@ export type TSecretReferenceTraceNode = {
   secretPath: string;
   children: TSecretReferenceTraceNode[];
 };
+
+export type SecretAccessListEntry = {
+  allowedActions: ProjectPermissionActions[];
+  id: string;
+  membershipId: string;
+  name: string;
+};

frontend/src/hooks/api/subscriptions/types.ts

@@ -23,6 +23,7 @@ export type SubscriptionPlan = {
   workspacesUsed: number;
   environmentLimit: number;
   samlSSO: boolean;
+  secretAccessInsights: boolean;
   hsm: boolean;
   oidcSSO: boolean;
   scim: boolean;

frontend/src/pages/secret-manager/OverviewPage/OverviewPage.tsx

@@ -340,7 +340,14 @@ export const OverviewPage = () => {
         const pathSegment = secretPath.split("/").filter(Boolean);
         const parentPath = `/${pathSegment.slice(0, -1).join("/")}`;
         const folderName = pathSegment.at(-1);
-        if (folderName && parentPath) {
+        const canCreateFolder = permission.can(
+          ProjectPermissionActions.Create,
+          subject(ProjectPermissionSub.SecretFolders, {
+            environment: env,
+            secretPath: parentPath
+          })
+        );
+        if (folderName && parentPath && canCreateFolder) {
           await createFolder({
             projectId: workspaceId,
             path: parentPath,

frontend/src/pages/secret-manager/SecretDashboardPage/components/SecretListView/SecretDetailSidebar.tsx

@@ -13,8 +13,10 @@ import {
 } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 import { zodResolver } from "@hookform/resolvers/zod";
+import { Link } from "@tanstack/react-router";
 import { format } from "date-fns";
 
+import { UpgradePlanModal } from "@app/components/license/UpgradePlanModal";
 import { createNotification } from "@app/components/notifications";
 import { ProjectPermissionCan } from "@app/components/permissions";
 import {
@@ -36,10 +38,17 @@ import {
   Tooltip
 } from "@app/components/v2";
 import { InfisicalSecretInput } from "@app/components/v2/InfisicalSecretInput";
-import { ProjectPermissionActions, ProjectPermissionSub, useProjectPermission } from "@app/context";
-import { useToggle } from "@app/hooks";
+import {
+  ProjectPermissionActions,
+  ProjectPermissionSub,
+  useProjectPermission,
+  useWorkspace
+} from "@app/context";
+import { usePopUp, useToggle } from "@app/hooks";
 import { useGetSecretVersion } from "@app/hooks/api";
+import { useGetSecretAccessList } from "@app/hooks/api/secrets/queries";
 import { SecretV3RawSanitized, WsTag } from "@app/hooks/api/types";
+import { ProjectType } from "@app/hooks/api/workspace/types";
 
 import { CreateReminderForm } from "./CreateReminderForm";
 import { formSchema, SecretActionType, TFormSchema } from "./SecretListView.utils";
@@ -87,7 +96,12 @@ export const SecretDetailSidebar = ({
     values: secret
   });
 
+  const { handlePopUpToggle, popUp, handlePopUpOpen } = usePopUp([
+    "secretAccessUpgradePlan"
+  ] as const);
+
   const { permission } = useProjectPermission();
+  const { currentWorkspace } = useWorkspace();
 
   const tagFields = useFieldArray({
     control,
@@ -137,6 +151,13 @@ export const SecretDetailSidebar = ({
     secretId: secret?.id
   });
 
+  const { data: secretAccessList, isPending } = useGetSecretAccessList({
+    workspaceId: currentWorkspace.id,
+    environment,
+    secretPath,
+    secretKey
+  });
+
   const handleOverrideClick = () => {
     if (isOverridden) {
       // override need not be flagged delete if it was never saved in server
@@ -191,6 +212,13 @@ export const SecretDetailSidebar = ({
           }
         }}
       />
+      <UpgradePlanModal
+        isOpen={popUp.secretAccessUpgradePlan.isOpen}
+        onOpenChange={(isUpgradeModalOpen) =>
+          handlePopUpToggle("secretAccessUpgradePlan", isUpgradeModalOpen)
+        }
+        text="Secret access analysis is only available on Infisical's Pro plan and above."
+      />
       <Drawer
         onOpenChange={(state) => {
           if (isOpen && isDirty) {
@@ -553,8 +581,117 @@ export const SecretDetailSidebar = ({
                   ))}
                 </div>
               </div>
+              <div className="dark mb-4 flex-grow text-sm text-bunker-300">
+                <div className="mb-2">
+                  Access List
+                  <Tooltip
+                    content="Lists all users, machine identities, and groups that have been granted any permission level (read, create, edit, or delete) for this secret."
+                    className="z-[100]"
+                  >
+                    <FontAwesomeIcon icon={faCircleQuestion} className="ml-1" size="sm" />
+                  </Tooltip>
+                </div>
+                {isPending && (
+                  <Button className="w-full px-2 py-1" variant="outline_bg" isDisabled>
+                    Analyze Access
+                  </Button>
+                )}
+                {!isPending && secretAccessList === undefined && (
+                  <Button
+                    className="w-full px-2 py-1"
+                    variant="outline_bg"
+                    onClick={() => {
+                      handlePopUpOpen("secretAccessUpgradePlan");
+                    }}
+                  >
+                    Analyze Access
+                  </Button>
+                )}
+                {!isPending && secretAccessList && (
+                  <div className="flex max-h-72 flex-col space-y-2 overflow-y-auto overflow-x-hidden rounded-md border border-mineshaft-600 bg-bunker-800 p-2 dark:[color-scheme:dark]">
+                    {secretAccessList.users.length > 0 && (
+                      <div className="pb-3">
+                        <div className="mb-2 font-bold">Users</div>
+                        <div className="flex flex-wrap gap-2">
+                          {secretAccessList.users.map((user) => (
+                            <div className="rounded-md bg-bunker-500 px-1">
+                              <Tooltip content={user.allowedActions.join(", ")} className="z-[100]">
+                                <Link
+                                  to={
+                                    `/${ProjectType.SecretManager}/$projectId/members/$membershipId` as const
+                                  }
+                                  params={{
+                                    projectId: currentWorkspace.id,
+                                    membershipId: user.membershipId
+                                  }}
+                                  className="text-secondary/80 text-sm hover:text-primary"
+                                >
+                                  {user.name}
+                                </Link>
+                              </Tooltip>
+                            </div>
+                          ))}
+                        </div>
+                      </div>
+                    )}
+                    {secretAccessList.identities.length > 0 && (
+                      <div className="pb-3">
+                        <div className="mb-2 font-bold">Identities</div>
+                        <div className="flex flex-wrap gap-2">
+                          {secretAccessList.identities.map((identity) => (
+                            <div className="rounded-md bg-bunker-500 px-1">
+                              <Tooltip
+                                content={identity.allowedActions.join(", ")}
+                                className="z-[100]"
+                              >
+                                <Link
+                                  to={
+                                    `/${ProjectType.SecretManager}/$projectId/identities/$identityId` as const
+                                  }
+                                  params={{
+                                    projectId: currentWorkspace.id,
+                                    identityId: identity.id
+                                  }}
+                                  className="text-secondary/80 text-sm hover:text-primary"
+                                >
+                                  {identity.name}
+                                </Link>
+                              </Tooltip>
+                            </div>
+                          ))}
+                        </div>
+                      </div>
+                    )}
+                    {secretAccessList.groups.length > 0 && (
+                      <div className="pb-3">
+                        <div className="mb-2 font-bold">Groups</div>
+                        <div className="flex flex-wrap gap-2">
+                          {secretAccessList.groups.map((group) => (
+                            <div className="rounded-md bg-bunker-500 px-1">
+                              <Tooltip
+                                content={group.allowedActions.join(", ")}
+                                className="z-[100]"
+                              >
+                                <Link
+                                  to={"/organization/groups/$groupId" as const}
+                                  params={{
+                                    groupId: group.id
+                                  }}
+                                  className="text-secondary/80 text-sm hover:text-primary"
+                                >
+                                  {group.name}
+                                </Link>
+                              </Tooltip>
+                            </div>
+                          ))}
+                        </div>
+                      </div>
+                    )}
+                  </div>
+                )}
+              </div>
               <div className="flex flex-col space-y-4">
-                <div className="flex items-center space-x-4">
+                <div className="mb-2 flex items-center space-x-4">
                   <ProjectPermissionCan
                     I={ProjectPermissionActions.Edit}
                     a={subject(ProjectPermissionSub.Secrets, {

helm-charts/secrets-operator/Chart.yaml

@@ -13,9 +13,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: v0.8.0
+version: v0.8.1
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "v0.8.0"
+appVersion: "v0.8.1"

helm-charts/secrets-operator/templates/infisicaldynamicsecret-crd.yaml

@@ -0,0 +1,310 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: infisicaldynamicsecrets.secrets.infisical.com
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.10.0
+  labels:
+  {{- include "secrets-operator.labels" . | nindent 4 }}
+spec:
+  group: secrets.infisical.com
+  names:
+    kind: InfisicalDynamicSecret
+    listKind: InfisicalDynamicSecretList
+    plural: infisicaldynamicsecrets
+    singular: infisicaldynamicsecret
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: InfisicalDynamicSecret is the Schema for the infisicaldynamicsecrets
+          API.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: InfisicalDynamicSecretSpec defines the desired state of InfisicalDynamicSecret.
+            properties:
+              authentication:
+                properties:
+                  awsIamAuth:
+                    properties:
+                      identityId:
+                        type: string
+                    required:
+                    - identityId
+                    type: object
+                  azureAuth:
+                    properties:
+                      identityId:
+                        type: string
+                      resource:
+                        type: string
+                    required:
+                    - identityId
+                    type: object
+                  gcpIamAuth:
+                    properties:
+                      identityId:
+                        type: string
+                      serviceAccountKeyFilePath:
+                        type: string
+                    required:
+                    - identityId
+                    - serviceAccountKeyFilePath
+                    type: object
+                  gcpIdTokenAuth:
+                    properties:
+                      identityId:
+                        type: string
+                    required:
+                    - identityId
+                    type: object
+                  kubernetesAuth:
+                    properties:
+                      identityId:
+                        type: string
+                      serviceAccountRef:
+                        properties:
+                          name:
+                            type: string
+                          namespace:
+                            type: string
+                        required:
+                        - name
+                        - namespace
+                        type: object
+                    required:
+                    - identityId
+                    - serviceAccountRef
+                    type: object
+                  universalAuth:
+                    properties:
+                      credentialsRef:
+                        properties:
+                          secretName:
+                            description: The name of the Kubernetes Secret
+                            type: string
+                          secretNamespace:
+                            description: The name space where the Kubernetes Secret
+                              is located
+                            type: string
+                        required:
+                        - secretName
+                        - secretNamespace
+                        type: object
+                    required:
+                    - credentialsRef
+                    type: object
+                type: object
+              dynamicSecret:
+                properties:
+                  environmentSlug:
+                    type: string
+                  projectId:
+                    type: string
+                  secretName:
+                    type: string
+                  secretsPath:
+                    type: string
+                required:
+                - environmentSlug
+                - projectId
+                - secretName
+                - secretsPath
+                type: object
+              hostAPI:
+                type: string
+              leaseRevocationPolicy:
+                type: string
+              leaseTTL:
+                type: string
+              managedSecretReference:
+                properties:
+                  creationPolicy:
+                    default: Orphan
+                    description: 'The Kubernetes Secret creation policy. Enum with values:
+                      ''Owner'', ''Orphan''. Owner creates the secret and sets .metadata.ownerReferences
+                      of the InfisicalSecret CRD that created it. Orphan will not set
+                      the secret owner. This will result in the secret being orphaned
+                      and not deleted when the resource is deleted.'
+                    type: string
+                  secretName:
+                    description: The name of the Kubernetes Secret
+                    type: string
+                  secretNamespace:
+                    description: The name space where the Kubernetes Secret is located
+                    type: string
+                  secretType:
+                    default: Opaque
+                    description: 'The Kubernetes Secret type (experimental feature).
+                      More info: https://kubernetes.io/docs/concepts/configuration/secret/#secret-types'
+                    type: string
+                  template:
+                    description: The template to transform the secret data
+                    properties:
+                      data:
+                        additionalProperties:
+                          type: string
+                        description: The template key values
+                        type: object
+                      includeAllSecrets:
+                        description: This injects all retrieved secrets into the top
+                          level of your template. Secrets defined in the template will
+                          take precedence over the injected ones.
+                        type: boolean
+                    type: object
+                required:
+                - secretName
+                - secretNamespace
+                type: object
+              tls:
+                properties:
+                  caRef:
+                    description: Reference to secret containing CA cert
+                    properties:
+                      key:
+                        description: The name of the secret property with the CA certificate
+                          value
+                        type: string
+                      secretName:
+                        description: The name of the Kubernetes Secret
+                        type: string
+                      secretNamespace:
+                        description: The namespace where the Kubernetes Secret is located
+                        type: string
+                    required:
+                    - key
+                    - secretName
+                    - secretNamespace
+                    type: object
+                type: object
+            required:
+            - authentication
+            - dynamicSecret
+            - leaseRevocationPolicy
+            - leaseTTL
+            - managedSecretReference
+            type: object
+          status:
+            description: InfisicalDynamicSecretStatus defines the observed state of
+              InfisicalDynamicSecret.
+            properties:
+              conditions:
+                items:
+                  description: "Condition contains details for one aspect of the current
+                    state of this API Resource. --- This struct is intended for direct
+                    use as an array at the field path .status.conditions.  For example,
+                    \n type FooStatus struct{ // Represents the observations of a foo's
+                    current state. // Known .status.conditions.type are: \"Available\",
+                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
+                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
+                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
+                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+                  properties:
+                    lastTransitionTime:
+                      description: lastTransitionTime is the last time the condition
+                        transitioned from one status to another. This should be when
+                        the underlying condition changed.  If that is not known, then
+                        using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: message is a human readable message indicating details
+                        about the transition. This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: observedGeneration represents the .metadata.generation
+                        that the condition was set based upon. For instance, if .metadata.generation
+                        is currently 12, but the .status.conditions[x].observedGeneration
+                        is 9, the condition is out of date with respect to the current
+                        state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: reason contains a programmatic identifier indicating
+                        the reason for the condition's last transition. Producers of
+                        specific condition types may define expected values and meanings
+                        for this field, and whether the values are considered a guaranteed
+                        API. The value should be a CamelCase string. This field may
+                        not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                        --- Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+              dynamicSecretId:
+                type: string
+              lease:
+                properties:
+                  creationTimestamp:
+                    format: date-time
+                    type: string
+                  expiresAt:
+                    format: date-time
+                    type: string
+                  id:
+                    type: string
+                  version:
+                    format: int64
+                    type: integer
+                required:
+                - creationTimestamp
+                - expiresAt
+                - id
+                - version
+                type: object
+              maxTTL:
+                description: The MaxTTL can be null, if it's null, there's no max TTL
+                  and we should never have to renew.
+                type: string
+            required:
+            - conditions
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

helm-charts/secrets-operator/templates/infisicalpushsecret-crd.yaml

@@ -90,7 +90,6 @@ spec:
                     - serviceAccountRef
                     type: object
                   universalAuth:
-                    description: PushSecretUniversalAuth defines universal authentication
                     properties:
                       credentialsRef:
                         properties:

helm-charts/secrets-operator/templates/manager-rbac.yaml

@@ -51,6 +51,32 @@ rules:
   - list
   - update
   - watch
+- apiGroups:
+  - secrets.infisical.com
+  resources:
+  - infisicaldynamicsecrets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - secrets.infisical.com
+  resources:
+  - infisicaldynamicsecrets/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - secrets.infisical.com
+  resources:
+  - infisicaldynamicsecrets/status
+  verbs:
+  - get
+  - patch
+  - update
 - apiGroups:
   - secrets.infisical.com
   resources:

helm-charts/secrets-operator/values.yaml

@@ -32,7 +32,7 @@ controllerManager:
           - ALL
     image:
       repository: infisical/kubernetes-operator
-      tag: v0.8.0
+      tag: v0.8.1
     resources:
       limits:
         cpu: 500m

k8-operator/PROJECT

@@ -26,4 +26,13 @@ resources:
     kind: InfisicalPushSecretSecret
     path: github.com/Infisical/infisical/k8-operator/api/v1alpha1
     version: v1alpha1
+  - api:
+      crdVersion: v1
+      namespaced: true
+    controller: true
+    domain: infisical.com
+    group: secrets
+    kind: InfisicalDynamicSecret
+    path: github.com/Infisical/infisical/k8-operator/api/v1alpha1
+    version: v1alpha1
 version: "3"

k8-operator/api/v1alpha1/common.go

@@ -0,0 +1,109 @@
+package v1alpha1
+
+type GenericInfisicalAuthentication struct {
+	// +kubebuilder:validation:Optional
+	UniversalAuth GenericUniversalAuth `json:"universalAuth,omitempty"`
+	// +kubebuilder:validation:Optional
+	KubernetesAuth GenericKubernetesAuth `json:"kubernetesAuth,omitempty"`
+	// +kubebuilder:validation:Optional
+	AwsIamAuth GenericAwsIamAuth `json:"awsIamAuth,omitempty"`
+	// +kubebuilder:validation:Optional
+	AzureAuth GenericAzureAuth `json:"azureAuth,omitempty"`
+	// +kubebuilder:validation:Optional
+	GcpIdTokenAuth GenericGcpIdTokenAuth `json:"gcpIdTokenAuth,omitempty"`
+	// +kubebuilder:validation:Optional
+	GcpIamAuth GenericGcpIamAuth `json:"gcpIamAuth,omitempty"`
+}
+
+type GenericUniversalAuth struct {
+	// +kubebuilder:validation:Required
+	CredentialsRef KubeSecretReference `json:"credentialsRef"`
+}
+
+type GenericAwsIamAuth struct {
+	// +kubebuilder:validation:Required
+	IdentityID string `json:"identityId"`
+}
+
+type GenericAzureAuth struct {
+	// +kubebuilder:validation:Required
+	IdentityID string `json:"identityId"`
+	// +kubebuilder:validation:Optional
+	Resource string `json:"resource,omitempty"`
+}
+
+type GenericGcpIdTokenAuth struct {
+	// +kubebuilder:validation:Required
+	IdentityID string `json:"identityId"`
+}
+
+type GenericGcpIamAuth struct {
+	// +kubebuilder:validation:Required
+	IdentityID string `json:"identityId"`
+	// +kubebuilder:validation:Required
+	ServiceAccountKeyFilePath string `json:"serviceAccountKeyFilePath"`
+}
+
+type GenericKubernetesAuth struct {
+	// +kubebuilder:validation:Required
+	IdentityID string `json:"identityId"`
+	// +kubebuilder:validation:Required
+	ServiceAccountRef KubernetesServiceAccountRef `json:"serviceAccountRef"`
+}
+
+type TLSConfig struct {
+	// Reference to secret containing CA cert
+	// +kubebuilder:validation:Optional
+	CaRef CaReference `json:"caRef,omitempty"`
+}
+
+type CaReference struct {
+	// The name of the Kubernetes Secret
+	// +kubebuilder:validation:Required
+	SecretName string `json:"secretName"`
+
+	// The namespace where the Kubernetes Secret is located
+	// +kubebuilder:validation:Required
+	SecretNamespace string `json:"secretNamespace"`
+
+	// +kubebuilder:validation:Required
+	// The name of the secret property with the CA certificate value
+	SecretKey string `json:"key"`
+}
+
+type KubeSecretReference struct {
+	// The name of the Kubernetes Secret
+	// +kubebuilder:validation:Required
+	SecretName string `json:"secretName"`
+
+	// The name space where the Kubernetes Secret is located
+	// +kubebuilder:validation:Required
+	SecretNamespace string `json:"secretNamespace"`
+}
+
+type ManagedKubeSecretConfig struct {
+	// The name of the Kubernetes Secret
+	// +kubebuilder:validation:Required
+	SecretName string `json:"secretName"`
+
+	// The name space where the Kubernetes Secret is located
+	// +kubebuilder:validation:Required
+	SecretNamespace string `json:"secretNamespace"`
+
+	// The Kubernetes Secret type (experimental feature). More info: https://kubernetes.io/docs/concepts/configuration/secret/#secret-types
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default:=Opaque
+	SecretType string `json:"secretType"`
+
+	// The Kubernetes Secret creation policy.
+	// Enum with values: 'Owner', 'Orphan'.
+	// Owner creates the secret and sets .metadata.ownerReferences of the InfisicalSecret CRD that created it.
+	// Orphan will not set the secret owner. This will result in the secret being orphaned and not deleted when the resource is deleted.
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default:=Orphan
+	CreationPolicy string `json:"creationPolicy"`
+
+	// The template to transform the secret data
+	// +kubebuilder:validation:Optional
+	Template *InfisicalSecretTemplate `json:"template,omitempty"`
+}

k8-operator/api/v1alpha1/infisicaldynamicsecret_types.go

@@ -0,0 +1,99 @@
+/*
+Copyright 2022.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type InfisicalDynamicSecretLease struct {
+	ID                string      `json:"id"`
+	Version           int64       `json:"version"`
+	CreationTimestamp metav1.Time `json:"creationTimestamp"`
+	ExpiresAt         metav1.Time `json:"expiresAt"`
+}
+
+type DynamicSecretDetails struct {
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Immutable
+	SecretName string `json:"secretName"`
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Immutable
+	SecretPath string `json:"secretsPath"`
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Immutable
+	EnvironmentSlug string `json:"environmentSlug"`
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Immutable
+	ProjectID string `json:"projectId"`
+}
+
+// InfisicalDynamicSecretSpec defines the desired state of InfisicalDynamicSecret.
+type InfisicalDynamicSecretSpec struct {
+	// +kubebuilder:validation:Required
+	ManagedSecretReference ManagedKubeSecretConfig `json:"managedSecretReference"` // The destination to store the lease in.
+
+	// +kubebuilder:validation:Required
+	Authentication GenericInfisicalAuthentication `json:"authentication"` // The authentication to use for authenticating with Infisical.
+
+	// +kubebuilder:validation:Required
+	DynamicSecret DynamicSecretDetails `json:"dynamicSecret"` // The dynamic secret to create the lease for. Required.
+
+	LeaseRevocationPolicy string `json:"leaseRevocationPolicy"` // Revoke will revoke the lease when the resource is deleted. Optional, will default to no revocation.
+	LeaseTTL              string `json:"leaseTTL"`              // The TTL of the lease in seconds. Optional, will default to the dynamic secret default TTL.
+
+	// +kubebuilder:validation:Optional
+	HostAPI string `json:"hostAPI"`
+
+	// +kubebuilder:validation:Optional
+	TLS TLSConfig `json:"tls"`
+}
+
+// InfisicalDynamicSecretStatus defines the observed state of InfisicalDynamicSecret.
+type InfisicalDynamicSecretStatus struct {
+	Conditions []metav1.Condition `json:"conditions"`
+
+	Lease           *InfisicalDynamicSecretLease `json:"lease,omitempty"`
+	DynamicSecretID string                       `json:"dynamicSecretId,omitempty"`
+	// The MaxTTL can be null, if it's null, there's no max TTL and we should never have to renew.
+	MaxTTL string `json:"maxTTL,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+
+// InfisicalDynamicSecret is the Schema for the infisicaldynamicsecrets API.
+type InfisicalDynamicSecret struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   InfisicalDynamicSecretSpec   `json:"spec,omitempty"`
+	Status InfisicalDynamicSecretStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// InfisicalDynamicSecretList contains a list of InfisicalDynamicSecret.
+type InfisicalDynamicSecretList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []InfisicalDynamicSecret `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&InfisicalDynamicSecret{}, &InfisicalDynamicSecretList{})
+}

k8-operator/api/v1alpha1/infisicalpushsecret_types.go

@@ -16,64 +16,6 @@ type InfisicalPushSecretDestination struct {
 	ProjectID string `json:"projectId"`
 }
 
-type PushSecretTlsConfig struct {
-	// Reference to secret containing CA cert
-	// +kubebuilder:validation:Optional
-	CaRef CaReference `json:"caRef,omitempty"`
-}
-
-// PushSecretUniversalAuth defines universal authentication
-type PushSecretUniversalAuth struct {
-	// +kubebuilder:validation:Required
-	CredentialsRef KubeSecretReference `json:"credentialsRef"`
-}
-
-type PushSecretAwsIamAuth struct {
-	// +kubebuilder:validation:Required
-	IdentityID string `json:"identityId"`
-}
-
-type PushSecretAzureAuth struct {
-	// +kubebuilder:validation:Required
-	IdentityID string `json:"identityId"`
-	// +kubebuilder:validation:Optional
-	Resource string `json:"resource,omitempty"`
-}
-
-type PushSecretGcpIdTokenAuth struct {
-	// +kubebuilder:validation:Required
-	IdentityID string `json:"identityId"`
-}
-
-type PushSecretGcpIamAuth struct {
-	// +kubebuilder:validation:Required
-	IdentityID string `json:"identityId"`
-	// +kubebuilder:validation:Required
-	ServiceAccountKeyFilePath string `json:"serviceAccountKeyFilePath"`
-}
-
-type PushSecretKubernetesAuth struct {
-	// +kubebuilder:validation:Required
-	IdentityID string `json:"identityId"`
-	// +kubebuilder:validation:Required
-	ServiceAccountRef KubernetesServiceAccountRef `json:"serviceAccountRef"`
-}
-
-type PushSecretAuthentication struct {
-	// +kubebuilder:validation:Optional
-	UniversalAuth PushSecretUniversalAuth `json:"universalAuth,omitempty"`
-	// +kubebuilder:validation:Optional
-	KubernetesAuth PushSecretKubernetesAuth `json:"kubernetesAuth,omitempty"`
-	// +kubebuilder:validation:Optional
-	AwsIamAuth PushSecretAwsIamAuth `json:"awsIamAuth,omitempty"`
-	// +kubebuilder:validation:Optional
-	AzureAuth PushSecretAzureAuth `json:"azureAuth,omitempty"`
-	// +kubebuilder:validation:Optional
-	GcpIdTokenAuth PushSecretGcpIdTokenAuth `json:"gcpIdTokenAuth,omitempty"`
-	// +kubebuilder:validation:Optional
-	GcpIamAuth PushSecretGcpIamAuth `json:"gcpIamAuth,omitempty"`
-}
-
 type SecretPush struct {
 	// +kubebuilder:validation:Required
 	Secret KubeSecretReference `json:"secret"`
@@ -92,7 +34,7 @@ type InfisicalPushSecretSpec struct {
 	Destination InfisicalPushSecretDestination `json:"destination"`
 
 	// +kubebuilder:validation:Optional
-	Authentication PushSecretAuthentication `json:"authentication"`
+	Authentication GenericInfisicalAuthentication `json:"authentication"`
 
 	// +kubebuilder:validation:Required
 	Push SecretPush `json:"push"`
@@ -104,7 +46,7 @@ type InfisicalPushSecretSpec struct {
 	HostAPI string `json:"hostAPI"`
 
 	// +kubebuilder:validation:Optional
-	TLS PushSecretTlsConfig `json:"tls"`
+	TLS TLSConfig `json:"tls"`
 }
 
 // InfisicalPushSecretStatus defines the observed state of InfisicalPushSecret

k8-operator/api/v1alpha1/infisicalsecret_types.go

@@ -116,43 +116,6 @@ type MachineIdentityScopeInWorkspace struct {
 	Recursive bool `json:"recursive"`
 }
 
-type KubeSecretReference struct {
-	// The name of the Kubernetes Secret
-	// +kubebuilder:validation:Required
-	SecretName string `json:"secretName"`
-
-	// The name space where the Kubernetes Secret is located
-	// +kubebuilder:validation:Required
-	SecretNamespace string `json:"secretNamespace"`
-}
-
-type MangedKubeSecretConfig struct {
-	// The name of the Kubernetes Secret
-	// +kubebuilder:validation:Required
-	SecretName string `json:"secretName"`
-
-	// The name space where the Kubernetes Secret is located
-	// +kubebuilder:validation:Required
-	SecretNamespace string `json:"secretNamespace"`
-
-	// The Kubernetes Secret type (experimental feature). More info: https://kubernetes.io/docs/concepts/configuration/secret/#secret-types
-	// +kubebuilder:validation:Optional
-	// +kubebuilder:default:=Opaque
-	SecretType string `json:"secretType"`
-
-	// The Kubernetes Secret creation policy.
-	// Enum with values: 'Owner', 'Orphan'.
-	// Owner creates the secret and sets .metadata.ownerReferences of the InfisicalSecret CRD that created it.
-	// Orphan will not set the secret owner. This will result in the secret being orphaned and not deleted when the resource is deleted.
-	// +kubebuilder:validation:Optional
-	// +kubebuilder:default:=Orphan
-	CreationPolicy string `json:"creationPolicy"`
-
-	// The template to transform the secret data
-	// +kubebuilder:validation:Optional
-	Template *InfisicalSecretTemplate `json:"template,omitempty"`
-}
-
 type InfisicalSecretTemplate struct {
 	// This injects all retrieved secrets into the top level of your template.
 	// Secrets defined in the template will take precedence over the injected ones.
@@ -163,26 +126,6 @@ type InfisicalSecretTemplate struct {
 	Data map[string]string `json:"data,omitempty"`
 }
 
-type CaReference struct {
-	// The name of the Kubernetes Secret
-	// +kubebuilder:validation:Required
-	SecretName string `json:"secretName"`
-
-	// The namespace where the Kubernetes Secret is located
-	// +kubebuilder:validation:Required
-	SecretNamespace string `json:"secretNamespace"`
-
-	// +kubebuilder:validation:Required
-	// The name of the secret property with the CA certificate value
-	SecretKey string `json:"key"`
-}
-
-type TLSConfig struct {
-	// Reference to secret containing CA cert
-	// +kubebuilder:validation:Optional
-	CaRef CaReference `json:"caRef,omitempty"`
-}
-
 // InfisicalSecretSpec defines the desired state of InfisicalSecret
 type InfisicalSecretSpec struct {
 	// +kubebuilder:validation:Optional
@@ -192,7 +135,7 @@ type InfisicalSecretSpec struct {
 	Authentication Authentication `json:"authentication"`
 
 	// +kubebuilder:validation:Required
-	ManagedSecretReference MangedKubeSecretConfig `json:"managedSecretReference"`
+	ManagedSecretReference ManagedKubeSecretConfig `json:"managedSecretReference"`
 
 	// +kubebuilder:default:=60
 	ResyncInterval int `json:"resyncInterval"`

k8-operator/api/v1alpha1/zz_generated.deepcopy.go

@@ -96,6 +96,21 @@ func (in *CaReference) DeepCopy() *CaReference {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DynamicSecretDetails) DeepCopyInto(out *DynamicSecretDetails) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DynamicSecretDetails.
+func (in *DynamicSecretDetails) DeepCopy() *DynamicSecretDetails {
+	if in == nil {
+		return nil
+	}
+	out := new(DynamicSecretDetails)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GCPIdTokenAuthDetails) DeepCopyInto(out *GCPIdTokenAuthDetails) {
 	*out = *in
@@ -128,6 +143,241 @@ func (in *GcpIamAuthDetails) DeepCopy() *GcpIamAuthDetails {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GenericAwsIamAuth) DeepCopyInto(out *GenericAwsIamAuth) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GenericAwsIamAuth.
+func (in *GenericAwsIamAuth) DeepCopy() *GenericAwsIamAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(GenericAwsIamAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GenericAzureAuth) DeepCopyInto(out *GenericAzureAuth) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GenericAzureAuth.
+func (in *GenericAzureAuth) DeepCopy() *GenericAzureAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(GenericAzureAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GenericGcpIamAuth) DeepCopyInto(out *GenericGcpIamAuth) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GenericGcpIamAuth.
+func (in *GenericGcpIamAuth) DeepCopy() *GenericGcpIamAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(GenericGcpIamAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GenericGcpIdTokenAuth) DeepCopyInto(out *GenericGcpIdTokenAuth) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GenericGcpIdTokenAuth.
+func (in *GenericGcpIdTokenAuth) DeepCopy() *GenericGcpIdTokenAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(GenericGcpIdTokenAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GenericInfisicalAuthentication) DeepCopyInto(out *GenericInfisicalAuthentication) {
+	*out = *in
+	out.UniversalAuth = in.UniversalAuth
+	out.KubernetesAuth = in.KubernetesAuth
+	out.AwsIamAuth = in.AwsIamAuth
+	out.AzureAuth = in.AzureAuth
+	out.GcpIdTokenAuth = in.GcpIdTokenAuth
+	out.GcpIamAuth = in.GcpIamAuth
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GenericInfisicalAuthentication.
+func (in *GenericInfisicalAuthentication) DeepCopy() *GenericInfisicalAuthentication {
+	if in == nil {
+		return nil
+	}
+	out := new(GenericInfisicalAuthentication)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GenericKubernetesAuth) DeepCopyInto(out *GenericKubernetesAuth) {
+	*out = *in
+	out.ServiceAccountRef = in.ServiceAccountRef
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GenericKubernetesAuth.
+func (in *GenericKubernetesAuth) DeepCopy() *GenericKubernetesAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(GenericKubernetesAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GenericUniversalAuth) DeepCopyInto(out *GenericUniversalAuth) {
+	*out = *in
+	out.CredentialsRef = in.CredentialsRef
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GenericUniversalAuth.
+func (in *GenericUniversalAuth) DeepCopy() *GenericUniversalAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(GenericUniversalAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *InfisicalDynamicSecret) DeepCopyInto(out *InfisicalDynamicSecret) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InfisicalDynamicSecret.
+func (in *InfisicalDynamicSecret) DeepCopy() *InfisicalDynamicSecret {
+	if in == nil {
+		return nil
+	}
+	out := new(InfisicalDynamicSecret)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *InfisicalDynamicSecret) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *InfisicalDynamicSecretLease) DeepCopyInto(out *InfisicalDynamicSecretLease) {
+	*out = *in
+	in.CreationTimestamp.DeepCopyInto(&out.CreationTimestamp)
+	in.ExpiresAt.DeepCopyInto(&out.ExpiresAt)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InfisicalDynamicSecretLease.
+func (in *InfisicalDynamicSecretLease) DeepCopy() *InfisicalDynamicSecretLease {
+	if in == nil {
+		return nil
+	}
+	out := new(InfisicalDynamicSecretLease)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *InfisicalDynamicSecretList) DeepCopyInto(out *InfisicalDynamicSecretList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]InfisicalDynamicSecret, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InfisicalDynamicSecretList.
+func (in *InfisicalDynamicSecretList) DeepCopy() *InfisicalDynamicSecretList {
+	if in == nil {
+		return nil
+	}
+	out := new(InfisicalDynamicSecretList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *InfisicalDynamicSecretList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *InfisicalDynamicSecretSpec) DeepCopyInto(out *InfisicalDynamicSecretSpec) {
+	*out = *in
+	in.ManagedSecretReference.DeepCopyInto(&out.ManagedSecretReference)
+	out.Authentication = in.Authentication
+	out.DynamicSecret = in.DynamicSecret
+	out.TLS = in.TLS
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InfisicalDynamicSecretSpec.
+func (in *InfisicalDynamicSecretSpec) DeepCopy() *InfisicalDynamicSecretSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(InfisicalDynamicSecretSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *InfisicalDynamicSecretStatus) DeepCopyInto(out *InfisicalDynamicSecretStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]v1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Lease != nil {
+		in, out := &in.Lease, &out.Lease
+		*out = new(InfisicalDynamicSecretLease)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InfisicalDynamicSecretStatus.
+func (in *InfisicalDynamicSecretStatus) DeepCopy() *InfisicalDynamicSecretStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(InfisicalDynamicSecretStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InfisicalPushSecret) DeepCopyInto(out *InfisicalPushSecret) {
 	*out = *in
@@ -435,7 +685,7 @@ func (in *MachineIdentityScopeInWorkspace) DeepCopy() *MachineIdentityScopeInWor
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *MangedKubeSecretConfig) DeepCopyInto(out *MangedKubeSecretConfig) {
+func (in *ManagedKubeSecretConfig) DeepCopyInto(out *ManagedKubeSecretConfig) {
 	*out = *in
 	if in.Template != nil {
 		in, out := &in.Template, &out.Template
@@ -444,141 +694,12 @@ func (in *MangedKubeSecretConfig) DeepCopyInto(out *MangedKubeSecretConfig) {
 	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MangedKubeSecretConfig.
-func (in *MangedKubeSecretConfig) DeepCopy() *MangedKubeSecretConfig {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ManagedKubeSecretConfig.
+func (in *ManagedKubeSecretConfig) DeepCopy() *ManagedKubeSecretConfig {
 	if in == nil {
 		return nil
 	}
-	out := new(MangedKubeSecretConfig)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PushSecretAuthentication) DeepCopyInto(out *PushSecretAuthentication) {
-	*out = *in
-	out.UniversalAuth = in.UniversalAuth
-	out.KubernetesAuth = in.KubernetesAuth
-	out.AwsIamAuth = in.AwsIamAuth
-	out.AzureAuth = in.AzureAuth
-	out.GcpIdTokenAuth = in.GcpIdTokenAuth
-	out.GcpIamAuth = in.GcpIamAuth
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PushSecretAuthentication.
-func (in *PushSecretAuthentication) DeepCopy() *PushSecretAuthentication {
-	if in == nil {
-		return nil
-	}
-	out := new(PushSecretAuthentication)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PushSecretAwsIamAuth) DeepCopyInto(out *PushSecretAwsIamAuth) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PushSecretAwsIamAuth.
-func (in *PushSecretAwsIamAuth) DeepCopy() *PushSecretAwsIamAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(PushSecretAwsIamAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PushSecretAzureAuth) DeepCopyInto(out *PushSecretAzureAuth) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PushSecretAzureAuth.
-func (in *PushSecretAzureAuth) DeepCopy() *PushSecretAzureAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(PushSecretAzureAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PushSecretGcpIamAuth) DeepCopyInto(out *PushSecretGcpIamAuth) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PushSecretGcpIamAuth.
-func (in *PushSecretGcpIamAuth) DeepCopy() *PushSecretGcpIamAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(PushSecretGcpIamAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PushSecretGcpIdTokenAuth) DeepCopyInto(out *PushSecretGcpIdTokenAuth) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PushSecretGcpIdTokenAuth.
-func (in *PushSecretGcpIdTokenAuth) DeepCopy() *PushSecretGcpIdTokenAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(PushSecretGcpIdTokenAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PushSecretKubernetesAuth) DeepCopyInto(out *PushSecretKubernetesAuth) {
-	*out = *in
-	out.ServiceAccountRef = in.ServiceAccountRef
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PushSecretKubernetesAuth.
-func (in *PushSecretKubernetesAuth) DeepCopy() *PushSecretKubernetesAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(PushSecretKubernetesAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PushSecretTlsConfig) DeepCopyInto(out *PushSecretTlsConfig) {
-	*out = *in
-	out.CaRef = in.CaRef
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PushSecretTlsConfig.
-func (in *PushSecretTlsConfig) DeepCopy() *PushSecretTlsConfig {
-	if in == nil {
-		return nil
-	}
-	out := new(PushSecretTlsConfig)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PushSecretUniversalAuth) DeepCopyInto(out *PushSecretUniversalAuth) {
-	*out = *in
-	out.CredentialsRef = in.CredentialsRef
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PushSecretUniversalAuth.
-func (in *PushSecretUniversalAuth) DeepCopy() *PushSecretUniversalAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(PushSecretUniversalAuth)
+	out := new(ManagedKubeSecretConfig)
 	in.DeepCopyInto(out)
 	return out
 }

k8-operator/config/crd/bases/secrets.infisical.com_infisicaldynamicsecrets.yaml

@@ -0,0 +1,306 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.10.0
+  creationTimestamp: null
+  name: infisicaldynamicsecrets.secrets.infisical.com
+spec:
+  group: secrets.infisical.com
+  names:
+    kind: InfisicalDynamicSecret
+    listKind: InfisicalDynamicSecretList
+    plural: infisicaldynamicsecrets
+    singular: infisicaldynamicsecret
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: InfisicalDynamicSecret is the Schema for the infisicaldynamicsecrets
+          API.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: InfisicalDynamicSecretSpec defines the desired state of InfisicalDynamicSecret.
+            properties:
+              authentication:
+                properties:
+                  awsIamAuth:
+                    properties:
+                      identityId:
+                        type: string
+                    required:
+                    - identityId
+                    type: object
+                  azureAuth:
+                    properties:
+                      identityId:
+                        type: string
+                      resource:
+                        type: string
+                    required:
+                    - identityId
+                    type: object
+                  gcpIamAuth:
+                    properties:
+                      identityId:
+                        type: string
+                      serviceAccountKeyFilePath:
+                        type: string
+                    required:
+                    - identityId
+                    - serviceAccountKeyFilePath
+                    type: object
+                  gcpIdTokenAuth:
+                    properties:
+                      identityId:
+                        type: string
+                    required:
+                    - identityId
+                    type: object
+                  kubernetesAuth:
+                    properties:
+                      identityId:
+                        type: string
+                      serviceAccountRef:
+                        properties:
+                          name:
+                            type: string
+                          namespace:
+                            type: string
+                        required:
+                        - name
+                        - namespace
+                        type: object
+                    required:
+                    - identityId
+                    - serviceAccountRef
+                    type: object
+                  universalAuth:
+                    properties:
+                      credentialsRef:
+                        properties:
+                          secretName:
+                            description: The name of the Kubernetes Secret
+                            type: string
+                          secretNamespace:
+                            description: The name space where the Kubernetes Secret
+                              is located
+                            type: string
+                        required:
+                        - secretName
+                        - secretNamespace
+                        type: object
+                    required:
+                    - credentialsRef
+                    type: object
+                type: object
+              dynamicSecret:
+                properties:
+                  environmentSlug:
+                    type: string
+                  projectId:
+                    type: string
+                  secretName:
+                    type: string
+                  secretsPath:
+                    type: string
+                required:
+                - environmentSlug
+                - projectId
+                - secretName
+                - secretsPath
+                type: object
+              hostAPI:
+                type: string
+              leaseRevocationPolicy:
+                type: string
+              leaseTTL:
+                type: string
+              managedSecretReference:
+                properties:
+                  creationPolicy:
+                    default: Orphan
+                    description: 'The Kubernetes Secret creation policy. Enum with
+                      values: ''Owner'', ''Orphan''. Owner creates the secret and
+                      sets .metadata.ownerReferences of the InfisicalSecret CRD that
+                      created it. Orphan will not set the secret owner. This will
+                      result in the secret being orphaned and not deleted when the
+                      resource is deleted.'
+                    type: string
+                  secretName:
+                    description: The name of the Kubernetes Secret
+                    type: string
+                  secretNamespace:
+                    description: The name space where the Kubernetes Secret is located
+                    type: string
+                  secretType:
+                    default: Opaque
+                    description: 'The Kubernetes Secret type (experimental feature).
+                      More info: https://kubernetes.io/docs/concepts/configuration/secret/#secret-types'
+                    type: string
+                  template:
+                    description: The template to transform the secret data
+                    properties:
+                      data:
+                        additionalProperties:
+                          type: string
+                        description: The template key values
+                        type: object
+                      includeAllSecrets:
+                        description: This injects all retrieved secrets into the top
+                          level of your template. Secrets defined in the template
+                          will take precedence over the injected ones.
+                        type: boolean
+                    type: object
+                required:
+                - secretName
+                - secretNamespace
+                type: object
+              tls:
+                properties:
+                  caRef:
+                    description: Reference to secret containing CA cert
+                    properties:
+                      key:
+                        description: The name of the secret property with the CA certificate
+                          value
+                        type: string
+                      secretName:
+                        description: The name of the Kubernetes Secret
+                        type: string
+                      secretNamespace:
+                        description: The namespace where the Kubernetes Secret is
+                          located
+                        type: string
+                    required:
+                    - key
+                    - secretName
+                    - secretNamespace
+                    type: object
+                type: object
+            required:
+            - authentication
+            - dynamicSecret
+            - leaseRevocationPolicy
+            - leaseTTL
+            - managedSecretReference
+            type: object
+          status:
+            description: InfisicalDynamicSecretStatus defines the observed state of
+              InfisicalDynamicSecret.
+            properties:
+              conditions:
+                items:
+                  description: "Condition contains details for one aspect of the current
+                    state of this API Resource. --- This struct is intended for direct
+                    use as an array at the field path .status.conditions.  For example,
+                    \n type FooStatus struct{ // Represents the observations of a
+                    foo's current state. // Known .status.conditions.type are: \"Available\",
+                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
+                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
+                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
+                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+                  properties:
+                    lastTransitionTime:
+                      description: lastTransitionTime is the last time the condition
+                        transitioned from one status to another. This should be when
+                        the underlying condition changed.  If that is not known, then
+                        using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: message is a human readable message indicating
+                        details about the transition. This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: observedGeneration represents the .metadata.generation
+                        that the condition was set based upon. For instance, if .metadata.generation
+                        is currently 12, but the .status.conditions[x].observedGeneration
+                        is 9, the condition is out of date with respect to the current
+                        state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: reason contains a programmatic identifier indicating
+                        the reason for the condition's last transition. Producers
+                        of specific condition types may define expected values and
+                        meanings for this field, and whether the values are considered
+                        a guaranteed API. The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                        --- Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+              dynamicSecretId:
+                type: string
+              lease:
+                properties:
+                  creationTimestamp:
+                    format: date-time
+                    type: string
+                  expiresAt:
+                    format: date-time
+                    type: string
+                  id:
+                    type: string
+                  version:
+                    format: int64
+                    type: integer
+                required:
+                - creationTimestamp
+                - expiresAt
+                - id
+                - version
+                type: object
+              maxTTL:
+                description: The MaxTTL can be null, if it's null, there's no max
+                  TTL and we should never have to renew.
+                type: string
+            required:
+            - conditions
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

k8-operator/config/crd/bases/secrets.infisical.com_infisicalpushsecrets.yaml

@@ -90,7 +90,6 @@ spec:
                     - serviceAccountRef
                     type: object
                   universalAuth:
-                    description: PushSecretUniversalAuth defines universal authentication
                     properties:
                       credentialsRef:
                         properties:

k8-operator/config/crd/kustomization.yaml

@@ -4,6 +4,7 @@
 resources:
   - bases/secrets.infisical.com_infisicalsecrets.yaml
   - bases/secrets.infisical.com_infisicalpushsecrets.yaml
+  - bases/secrets.infisical.com_infisicaldynamicsecrets.yaml
 #+kubebuilder:scaffold:crdkustomizeresource
 
 patchesStrategicMerge:

k8-operator/config/rbac/infisicaldynamicsecret_editor_role.yaml

@@ -0,0 +1,27 @@
+# permissions for end users to edit infisicaldynamicsecrets.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: k8-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: infisicaldynamicsecret-editor-role
+rules:
+- apiGroups:
+  - secrets.infisical.com
+  resources:
+  - infisicaldynamicsecrets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - secrets.infisical.com
+  resources:
+  - infisicaldynamicsecrets/status
+  verbs:
+  - get

k8-operator/config/rbac/infisicaldynamicsecret_viewer_role.yaml

@@ -0,0 +1,23 @@
+# permissions for end users to view infisicaldynamicsecrets.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: k8-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: infisicaldynamicsecret-viewer-role
+rules:
+- apiGroups:
+  - secrets.infisical.com
+  resources:
+  - infisicaldynamicsecrets
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - secrets.infisical.com
+  resources:
+  - infisicaldynamicsecrets/status
+  verbs:
+  - get

k8-operator/config/rbac/role.yaml

@@ -44,6 +44,32 @@ rules:
   - list
   - update
   - watch
+- apiGroups:
+  - secrets.infisical.com
+  resources:
+  - infisicaldynamicsecrets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - secrets.infisical.com
+  resources:
+  - infisicaldynamicsecrets/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - secrets.infisical.com
+  resources:
+  - infisicaldynamicsecrets/status
+  verbs:
+  - get
+  - patch
+  - update
 - apiGroups:
   - secrets.infisical.com
   resources:

k8-operator/config/samples/crd/infisicaldynamicsecret/dynamicSecret.yaml

@@ -0,0 +1,27 @@
+apiVersion: secrets.infisical.com/v1alpha1
+kind: InfisicalDynamicSecret
+metadata:
+  name: infisicaldynamicsecret-demo
+spec:
+  hostAPI: https://app.infisical.com/api
+
+  dynamicSecret:
+    secretName: <dynamic-secret-name>
+    projectId: <project-id>
+    secretsPath: <secret-path>
+    environmentSlug: <env-slug>
+
+  leaseRevocationPolicy: Revoke # Revoke or None. Revoke will revoke leases created by the operator if the CRD is deleted.
+  leaseTTL: 1m # TTL for the leases created. Must be below 24 hours.
+
+  # Reference to the secret that you want to store the lease credentials in. If a secret with the name specified name does not exist, it will automatically be created.
+  managedSecretReference:
+    secretName: lease
+    secretNamespace: default
+    creationPolicy: Orphan # Orphan or Owner
+
+  authentication:
+    universalAuth:
+      credentialsRef:
+        secretName: universal-auth-credentials # universal-auth-credentials
+        secretNamespace: default # default

k8-operator/config/samples/crd/pushsecret/pushSecret.yaml

@@ -1,7 +1,7 @@
 apiVersion: secrets.infisical.com/v1alpha1
 kind: InfisicalPushSecret
 metadata:
-  name: infisical-push-secret-demo
+  name: infisical-api-secret-sample-push
 spec:
   resyncInterval: 1m
   hostAPI: https://app.infisical.com/api

k8-operator/controllers/infisicaldynamicsecret/conditions.go

@@ -0,0 +1,146 @@
+package controllers
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/Infisical/infisical/k8-operator/api/v1alpha1"
+	"github.com/go-logr/logr"
+	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func (r *InfisicalDynamicSecretReconciler) SetReconcileAutoRedeploymentConditionStatus(ctx context.Context, logger logr.Logger, infisicalDynamicSecret *v1alpha1.InfisicalDynamicSecret, numDeployments int, errorToConditionOn error) {
+	if infisicalDynamicSecret.Status.Conditions == nil {
+		infisicalDynamicSecret.Status.Conditions = []metav1.Condition{}
+	}
+
+	if errorToConditionOn == nil {
+		meta.SetStatusCondition(&infisicalDynamicSecret.Status.Conditions, metav1.Condition{
+			Type:    "secrets.infisical.com/AutoRedeployReady",
+			Status:  metav1.ConditionTrue,
+			Reason:  "OK",
+			Message: fmt.Sprintf("Infisical has found %v deployments which are ready to be auto redeployed when dynamic secret lease changes", numDeployments),
+		})
+	} else {
+		meta.SetStatusCondition(&infisicalDynamicSecret.Status.Conditions, metav1.Condition{
+			Type:    "secrets.infisical.com/AutoRedeployReady",
+			Status:  metav1.ConditionFalse,
+			Reason:  "Error",
+			Message: fmt.Sprintf("Failed reconcile deployments because: %v", errorToConditionOn),
+		})
+	}
+
+	err := r.Client.Status().Update(ctx, infisicalDynamicSecret)
+	if err != nil {
+		logger.Error(err, "Could not set condition for AutoRedeployReady")
+	}
+}
+
+func (r *InfisicalDynamicSecretReconciler) SetAuthenticatedConditionStatus(ctx context.Context, logger logr.Logger, infisicalDynamicSecret *v1alpha1.InfisicalDynamicSecret, errorToConditionOn error) {
+	if infisicalDynamicSecret.Status.Conditions == nil {
+		infisicalDynamicSecret.Status.Conditions = []metav1.Condition{}
+	}
+
+	if errorToConditionOn == nil {
+		meta.SetStatusCondition(&infisicalDynamicSecret.Status.Conditions, metav1.Condition{
+			Type:    "secrets.infisical.com/Authenticated",
+			Status:  metav1.ConditionTrue,
+			Reason:  "OK",
+			Message: "Infisical has successfully authenticated with the Infisical API",
+		})
+	} else {
+		meta.SetStatusCondition(&infisicalDynamicSecret.Status.Conditions, metav1.Condition{
+			Type:    "secrets.infisical.com/Authenticated",
+			Status:  metav1.ConditionFalse,
+			Reason:  "Error",
+			Message: fmt.Sprintf("Failed to authenticate with Infisical API because: %v", errorToConditionOn),
+		})
+	}
+
+	err := r.Client.Status().Update(ctx, infisicalDynamicSecret)
+	if err != nil {
+		logger.Error(err, "Could not set condition for Authenticated")
+	}
+}
+
+func (r *InfisicalDynamicSecretReconciler) SetLeaseRenewalConditionStatus(ctx context.Context, logger logr.Logger, infisicalDynamicSecret *v1alpha1.InfisicalDynamicSecret, errorToConditionOn error) {
+	if infisicalDynamicSecret.Status.Conditions == nil {
+		infisicalDynamicSecret.Status.Conditions = []metav1.Condition{}
+	}
+
+	if errorToConditionOn == nil {
+		meta.SetStatusCondition(&infisicalDynamicSecret.Status.Conditions, metav1.Condition{
+			Type:    "secrets.infisical.com/LeaseRenewal",
+			Status:  metav1.ConditionTrue,
+			Reason:  "OK",
+			Message: "Infisical has successfully renewed the lease",
+		})
+	} else {
+		meta.SetStatusCondition(&infisicalDynamicSecret.Status.Conditions, metav1.Condition{
+			Type:    "secrets.infisical.com/LeaseRenewal",
+			Status:  metav1.ConditionFalse,
+			Reason:  "Error",
+			Message: fmt.Sprintf("Failed to renew the lease because: %v", errorToConditionOn),
+		})
+	}
+
+	err := r.Client.Status().Update(ctx, infisicalDynamicSecret)
+	if err != nil {
+		logger.Error(err, "Could not set condition for LeaseRenewal")
+	}
+}
+
+func (r *InfisicalDynamicSecretReconciler) SetCreatedLeaseConditionStatus(ctx context.Context, logger logr.Logger, infisicalDynamicSecret *v1alpha1.InfisicalDynamicSecret, errorToConditionOn error) {
+	if infisicalDynamicSecret.Status.Conditions == nil {
+		infisicalDynamicSecret.Status.Conditions = []metav1.Condition{}
+	}
+
+	if errorToConditionOn == nil {
+		meta.SetStatusCondition(&infisicalDynamicSecret.Status.Conditions, metav1.Condition{
+			Type:    "secrets.infisical.com/LeaseCreated",
+			Status:  metav1.ConditionTrue,
+			Reason:  "OK",
+			Message: "Infisical has successfully created the lease",
+		})
+	} else {
+		meta.SetStatusCondition(&infisicalDynamicSecret.Status.Conditions, metav1.Condition{
+			Type:    "secrets.infisical.com/LeaseCreated",
+			Status:  metav1.ConditionFalse,
+			Reason:  "Error",
+			Message: fmt.Sprintf("Failed to create the lease because: %v", errorToConditionOn),
+		})
+	}
+
+	err := r.Client.Status().Update(ctx, infisicalDynamicSecret)
+	if err != nil {
+		logger.Error(err, "Could not set condition for LeaseCreated")
+	}
+}
+
+func (r *InfisicalDynamicSecretReconciler) SetReconcileConditionStatus(ctx context.Context, logger logr.Logger, infisicalDynamicSecret *v1alpha1.InfisicalDynamicSecret, errorToConditionOn error) {
+	if infisicalDynamicSecret.Status.Conditions == nil {
+		infisicalDynamicSecret.Status.Conditions = []metav1.Condition{}
+	}
+
+	if errorToConditionOn == nil {
+		meta.SetStatusCondition(&infisicalDynamicSecret.Status.Conditions, metav1.Condition{
+			Type:    "secrets.infisical.com/Reconcile",
+			Status:  metav1.ConditionTrue,
+			Reason:  "OK",
+			Message: "Infisical has successfully reconciled the InfisicalDynamicSecret",
+		})
+	} else {
+		meta.SetStatusCondition(&infisicalDynamicSecret.Status.Conditions, metav1.Condition{
+			Type:    "secrets.infisical.com/Reconcile",
+			Status:  metav1.ConditionFalse,
+			Reason:  "Error",
+			Message: fmt.Sprintf("Failed to reconcile the InfisicalDynamicSecret because: %v", errorToConditionOn),
+		})
+	}
+
+	err := r.Client.Status().Update(ctx, infisicalDynamicSecret)
+	if err != nil {
+		logger.Error(err, "Could not set condition for Reconcile")
+	}
+}

k8-operator/controllers/infisicaldynamicsecret/infisicaldynamicsecret_controller.go

@@ -0,0 +1,214 @@
+package controllers
+
+import (
+	"context"
+	"fmt"
+	"math/rand"
+	"time"
+
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/runtime"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/builder"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+	"sigs.k8s.io/controller-runtime/pkg/event"
+	"sigs.k8s.io/controller-runtime/pkg/predicate"
+
+	secretsv1alpha1 "github.com/Infisical/infisical/k8-operator/api/v1alpha1"
+	"github.com/Infisical/infisical/k8-operator/packages/api"
+	"github.com/Infisical/infisical/k8-operator/packages/constants"
+	controllerhelpers "github.com/Infisical/infisical/k8-operator/packages/controllerhelpers"
+	"github.com/Infisical/infisical/k8-operator/packages/util"
+	"github.com/go-logr/logr"
+)
+
+// InfisicalDynamicSecretReconciler reconciles a InfisicalDynamicSecret object
+type InfisicalDynamicSecretReconciler struct {
+	client.Client
+	Scheme *runtime.Scheme
+
+	BaseLogger logr.Logger
+	Random     *rand.Rand
+}
+
+var infisicalDynamicSecretsResourceVariablesMap map[string]util.ResourceVariables = make(map[string]util.ResourceVariables)
+
+func (r *InfisicalDynamicSecretReconciler) GetLogger(req ctrl.Request) logr.Logger {
+	return r.BaseLogger.WithValues("infisicaldynamicsecret", req.NamespacedName)
+}
+
+// +kubebuilder:rbac:groups=secrets.infisical.com,resources=infisicaldynamicsecrets,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=secrets.infisical.com,resources=infisicaldynamicsecrets/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=secrets.infisical.com,resources=infisicaldynamicsecrets/finalizers,verbs=update
+// +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;create;update;delete
+// +kubebuilder:rbac:groups="",resources=configmaps,verbs=get;list;watch;create;update;delete
+// +kubebuilder:rbac:groups=apps,resources=deployments,verbs=list;watch;get;update
+// +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch
+
+func (r *InfisicalDynamicSecretReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
+
+	logger := r.GetLogger(req)
+
+	var infisicalDynamicSecretCRD secretsv1alpha1.InfisicalDynamicSecret
+	requeueTime := time.Second * 5
+
+	err := r.Get(ctx, req.NamespacedName, &infisicalDynamicSecretCRD)
+	if err != nil {
+		if errors.IsNotFound(err) {
+			logger.Info("Infisical Dynamic Secret CRD not found")
+			return ctrl.Result{
+				Requeue: false,
+			}, nil
+		} else {
+			logger.Error(err, "Unable to fetch Infisical Dynamic Secret CRD from cluster")
+			return ctrl.Result{
+				RequeueAfter: requeueTime,
+			}, nil
+		}
+	}
+
+	// Add finalizer if it doesn't exist
+	if !controllerutil.ContainsFinalizer(&infisicalDynamicSecretCRD, constants.INFISICAL_DYNAMIC_SECRET_FINALIZER_NAME) {
+		controllerutil.AddFinalizer(&infisicalDynamicSecretCRD, constants.INFISICAL_DYNAMIC_SECRET_FINALIZER_NAME)
+		if err := r.Update(ctx, &infisicalDynamicSecretCRD); err != nil {
+			return ctrl.Result{}, err
+		}
+	}
+
+	// Check if it's being deleted
+	if !infisicalDynamicSecretCRD.DeletionTimestamp.IsZero() {
+		logger.Info("Handling deletion of InfisicalDynamicSecret")
+		if controllerutil.ContainsFinalizer(&infisicalDynamicSecretCRD, constants.INFISICAL_DYNAMIC_SECRET_FINALIZER_NAME) {
+			// We remove finalizers before running deletion logic to be completely safe from stuck resources
+			infisicalDynamicSecretCRD.ObjectMeta.Finalizers = []string{}
+			if err := r.Update(ctx, &infisicalDynamicSecretCRD); err != nil {
+				logger.Error(err, fmt.Sprintf("Error removing finalizers from InfisicalDynamicSecret %s", infisicalDynamicSecretCRD.Name))
+				return ctrl.Result{}, err
+			}
+
+			err := r.HandleLeaseRevocation(ctx, logger, &infisicalDynamicSecretCRD)
+
+			if infisicalDynamicSecretsResourceVariablesMap != nil {
+				if rv, ok := infisicalDynamicSecretsResourceVariablesMap[string(infisicalDynamicSecretCRD.GetUID())]; ok {
+					rv.CancelCtx()
+					delete(infisicalDynamicSecretsResourceVariablesMap, string(infisicalDynamicSecretCRD.GetUID()))
+				}
+			}
+
+			if err != nil {
+				return ctrl.Result{}, err // Even if this fails, we still want to delete the CRD
+			}
+
+		}
+		return ctrl.Result{}, nil
+	}
+
+	// Get modified/default config
+	infisicalConfig, err := controllerhelpers.GetInfisicalConfigMap(ctx, r.Client)
+	if err != nil {
+		logger.Error(err, fmt.Sprintf("unable to fetch infisical-config. Will requeue after [requeueTime=%v]", requeueTime))
+		return ctrl.Result{
+			RequeueAfter: requeueTime,
+		}, nil
+	}
+
+	if infisicalDynamicSecretCRD.Spec.HostAPI == "" {
+		api.API_HOST_URL = infisicalConfig["hostAPI"]
+	} else {
+		api.API_HOST_URL = util.AppendAPIEndpoint(infisicalDynamicSecretCRD.Spec.HostAPI)
+	}
+
+	if infisicalDynamicSecretCRD.Spec.TLS.CaRef.SecretName != "" {
+		api.API_CA_CERTIFICATE, err = r.getInfisicalCaCertificateFromKubeSecret(ctx, infisicalDynamicSecretCRD)
+		if err != nil {
+			logger.Error(err, fmt.Sprintf("unable to fetch CA certificate. Will requeue after [requeueTime=%v]", requeueTime))
+			return ctrl.Result{
+				RequeueAfter: requeueTime,
+			}, nil
+		}
+
+		logger.Info("Using custom CA certificate...")
+	} else {
+		api.API_CA_CERTIFICATE = ""
+	}
+
+	nextReconcile, err := r.ReconcileInfisicalDynamicSecret(ctx, logger, &infisicalDynamicSecretCRD)
+	r.SetReconcileConditionStatus(ctx, logger, &infisicalDynamicSecretCRD, err)
+
+	if err == nil && nextReconcile.Seconds() >= 5 {
+		requeueTime = nextReconcile
+	}
+
+	if err != nil {
+		logger.Error(err, fmt.Sprintf("unable to reconcile Infisical Push Secret. Will requeue after [requeueTime=%v]", requeueTime))
+		return ctrl.Result{
+			RequeueAfter: requeueTime,
+		}, nil
+	}
+
+	numDeployments, err := controllerhelpers.ReconcileDeploymentsWithManagedSecrets(ctx, r.Client, logger, infisicalDynamicSecretCRD.Spec.ManagedSecretReference)
+	r.SetReconcileAutoRedeploymentConditionStatus(ctx, logger, &infisicalDynamicSecretCRD, numDeployments, err)
+
+	if err != nil {
+		logger.Error(err, fmt.Sprintf("unable to reconcile auto redeployment. Will requeue after [requeueTime=%v]", requeueTime))
+		return ctrl.Result{
+			RequeueAfter: requeueTime,
+		}, nil
+	}
+
+	// Sync again after the specified time
+	logger.Info(fmt.Sprintf("Next reconciliation in [requeueTime=%v]", requeueTime))
+	return ctrl.Result{
+		RequeueAfter: requeueTime,
+	}, nil
+}
+
+func (r *InfisicalDynamicSecretReconciler) SetupWithManager(mgr ctrl.Manager) error {
+
+	// Custom predicate that allows both spec changes and deletions
+	specChangeOrDelete := predicate.Funcs{
+		UpdateFunc: func(e event.UpdateEvent) bool {
+			// Only reconcile if spec/generation changed
+
+			isSpecOrGenerationChange := e.ObjectOld.GetGeneration() != e.ObjectNew.GetGeneration()
+
+			if isSpecOrGenerationChange {
+				if infisicalDynamicSecretsResourceVariablesMap != nil {
+					if rv, ok := infisicalDynamicSecretsResourceVariablesMap[string(e.ObjectNew.GetUID())]; ok {
+						rv.CancelCtx()
+						delete(infisicalDynamicSecretsResourceVariablesMap, string(e.ObjectNew.GetUID()))
+					}
+				}
+			}
+
+			return isSpecOrGenerationChange
+		},
+		DeleteFunc: func(e event.DeleteEvent) bool {
+			// Always reconcile on deletion
+
+			if infisicalDynamicSecretsResourceVariablesMap != nil {
+				if rv, ok := infisicalDynamicSecretsResourceVariablesMap[string(e.Object.GetUID())]; ok {
+					rv.CancelCtx()
+					delete(infisicalDynamicSecretsResourceVariablesMap, string(e.Object.GetUID()))
+				}
+			}
+
+			return true
+		},
+		CreateFunc: func(e event.CreateEvent) bool {
+			// Reconcile on creation
+			return true
+		},
+		GenericFunc: func(e event.GenericEvent) bool {
+			// Ignore generic events
+			return false
+		},
+	}
+
+	return ctrl.NewControllerManagedBy(mgr).
+		For(&secretsv1alpha1.InfisicalDynamicSecret{}, builder.WithPredicates(
+			specChangeOrDelete,
+		)).
+		Complete(r)
+}

k8-operator/controllers/infisicaldynamicsecret/infisicaldynamicsecret_helper.go

@@ -0,0 +1,463 @@
+package controllers
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/Infisical/infisical/k8-operator/api/v1alpha1"
+	"github.com/Infisical/infisical/k8-operator/packages/api"
+	"github.com/Infisical/infisical/k8-operator/packages/constants"
+	"github.com/Infisical/infisical/k8-operator/packages/util"
+	"github.com/go-logr/logr"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	corev1 "k8s.io/api/core/v1"
+
+	infisicalSdk "github.com/infisical/go-sdk"
+	k8Errors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	ctrl "sigs.k8s.io/controller-runtime"
+)
+
+func (r *InfisicalDynamicSecretReconciler) createInfisicalManagedKubeSecret(ctx context.Context, logger logr.Logger, infisicalDynamicSecret v1alpha1.InfisicalDynamicSecret, versionAnnotationValue string) error {
+	secretType := infisicalDynamicSecret.Spec.ManagedSecretReference.SecretType
+
+	// copy labels and annotations from InfisicalSecret CRD
+	labels := map[string]string{}
+	for k, v := range infisicalDynamicSecret.Labels {
+		labels[k] = v
+	}
+
+	annotations := map[string]string{}
+	systemPrefixes := []string{"kubectl.kubernetes.io/", "kubernetes.io/", "k8s.io/", "helm.sh/"}
+	for k, v := range infisicalDynamicSecret.Annotations {
+		isSystem := false
+		for _, prefix := range systemPrefixes {
+			if strings.HasPrefix(k, prefix) {
+				isSystem = true
+				break
+			}
+		}
+		if !isSystem {
+			annotations[k] = v
+		}
+	}
+
+	annotations[constants.SECRET_VERSION_ANNOTATION] = versionAnnotationValue
+
+	// create a new secret as specified by the managed secret spec of CRD
+	newKubeSecretInstance := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:        infisicalDynamicSecret.Spec.ManagedSecretReference.SecretName,
+			Namespace:   infisicalDynamicSecret.Spec.ManagedSecretReference.SecretNamespace,
+			Annotations: annotations,
+			Labels:      labels,
+		},
+		Type: corev1.SecretType(secretType),
+	}
+
+	if infisicalDynamicSecret.Spec.ManagedSecretReference.CreationPolicy == "Owner" {
+		// Set InfisicalSecret instance as the owner and controller of the managed secret
+		err := ctrl.SetControllerReference(&infisicalDynamicSecret, newKubeSecretInstance, r.Scheme)
+		if err != nil {
+			return err
+		}
+	}
+
+	err := r.Client.Create(ctx, newKubeSecretInstance)
+	if err != nil {
+		return fmt.Errorf("unable to create the managed Kubernetes secret : %w", err)
+	}
+
+	logger.Info(fmt.Sprintf("Successfully created a managed Kubernetes secret. [type: %s]", secretType))
+	return nil
+}
+
+func (r *InfisicalDynamicSecretReconciler) handleAuthentication(ctx context.Context, infisicalSecret v1alpha1.InfisicalDynamicSecret, infisicalClient infisicalSdk.InfisicalClientInterface) (util.AuthenticationDetails, error) {
+	authStrategies := map[util.AuthStrategyType]func(ctx context.Context, reconcilerClient client.Client, secretCrd util.SecretAuthInput, infisicalClient infisicalSdk.InfisicalClientInterface) (util.AuthenticationDetails, error){
+		util.AuthStrategy.UNIVERSAL_MACHINE_IDENTITY:    util.HandleUniversalAuth,
+		util.AuthStrategy.KUBERNETES_MACHINE_IDENTITY:   util.HandleKubernetesAuth,
+		util.AuthStrategy.AWS_IAM_MACHINE_IDENTITY:      util.HandleAwsIamAuth,
+		util.AuthStrategy.AZURE_MACHINE_IDENTITY:        util.HandleAzureAuth,
+		util.AuthStrategy.GCP_ID_TOKEN_MACHINE_IDENTITY: util.HandleGcpIdTokenAuth,
+		util.AuthStrategy.GCP_IAM_MACHINE_IDENTITY:      util.HandleGcpIamAuth,
+	}
+
+	for authStrategy, authHandler := range authStrategies {
+		authDetails, err := authHandler(ctx, r.Client, util.SecretAuthInput{
+			Secret: infisicalSecret,
+			Type:   util.SecretCrd.INFISICAL_DYNAMIC_SECRET,
+		}, infisicalClient)
+
+		if err == nil {
+			return authDetails, nil
+		}
+
+		if !errors.Is(err, util.ErrAuthNotApplicable) {
+			return util.AuthenticationDetails{}, fmt.Errorf("authentication failed for strategy [%s] [err=%w]", authStrategy, err)
+		}
+	}
+
+	return util.AuthenticationDetails{}, fmt.Errorf("no authentication method provided")
+
+}
+
+func (r *InfisicalDynamicSecretReconciler) getInfisicalCaCertificateFromKubeSecret(ctx context.Context, infisicalSecret v1alpha1.InfisicalDynamicSecret) (caCertificate string, err error) {
+
+	caCertificateFromKubeSecret, err := util.GetKubeSecretByNamespacedName(ctx, r.Client, types.NamespacedName{
+		Namespace: infisicalSecret.Spec.TLS.CaRef.SecretNamespace,
+		Name:      infisicalSecret.Spec.TLS.CaRef.SecretName,
+	})
+
+	if k8Errors.IsNotFound(err) {
+		return "", fmt.Errorf("kubernetes secret containing custom CA certificate cannot be found. [err=%s]", err)
+	}
+
+	if err != nil {
+		return "", fmt.Errorf("something went wrong when fetching your CA certificate [err=%s]", err)
+	}
+
+	caCertificateFromSecret := string(caCertificateFromKubeSecret.Data[infisicalSecret.Spec.TLS.CaRef.SecretKey])
+
+	return caCertificateFromSecret, nil
+}
+
+func (r *InfisicalDynamicSecretReconciler) getResourceVariables(infisicalDynamicSecret v1alpha1.InfisicalDynamicSecret) util.ResourceVariables {
+
+	var resourceVariables util.ResourceVariables
+
+	if _, ok := infisicalDynamicSecretsResourceVariablesMap[string(infisicalDynamicSecret.UID)]; !ok {
+
+		ctx, cancel := context.WithCancel(context.Background())
+
+		client := infisicalSdk.NewInfisicalClient(ctx, infisicalSdk.Config{
+			SiteUrl:       api.API_HOST_URL,
+			CaCertificate: api.API_CA_CERTIFICATE,
+			UserAgent:     api.USER_AGENT_NAME,
+		})
+
+		infisicalDynamicSecretsResourceVariablesMap[string(infisicalDynamicSecret.UID)] = util.ResourceVariables{
+			InfisicalClient: client,
+			CancelCtx:       cancel,
+			AuthDetails:     util.AuthenticationDetails{},
+		}
+
+		resourceVariables = infisicalDynamicSecretsResourceVariablesMap[string(infisicalDynamicSecret.UID)]
+
+	} else {
+		resourceVariables = infisicalDynamicSecretsResourceVariablesMap[string(infisicalDynamicSecret.UID)]
+	}
+
+	return resourceVariables
+}
+
+func (r *InfisicalDynamicSecretReconciler) CreateDynamicSecretLease(ctx context.Context, logger logr.Logger, infisicalClient infisicalSdk.InfisicalClientInterface, infisicalDynamicSecret *v1alpha1.InfisicalDynamicSecret, destination *corev1.Secret) error {
+	project, err := util.GetProjectByID(infisicalClient.Auth().GetAccessToken(), infisicalDynamicSecret.Spec.DynamicSecret.ProjectID)
+	if err != nil {
+		return err
+	}
+
+	request := infisicalSdk.CreateDynamicSecretLeaseOptions{
+		DynamicSecretName: infisicalDynamicSecret.Spec.DynamicSecret.SecretName,
+		ProjectSlug:       project.Slug,
+		SecretPath:        infisicalDynamicSecret.Spec.DynamicSecret.SecretPath,
+		EnvironmentSlug:   infisicalDynamicSecret.Spec.DynamicSecret.EnvironmentSlug,
+	}
+
+	if infisicalDynamicSecret.Spec.LeaseTTL != "" {
+		request.TTL = infisicalDynamicSecret.Spec.LeaseTTL
+	}
+
+	leaseData, dynamicSecret, lease, err := infisicalClient.DynamicSecrets().Leases().Create(request)
+
+	if err != nil {
+		return fmt.Errorf("unable to create lease [err=%s]", err)
+	}
+
+	newLeaseStatus := &v1alpha1.InfisicalDynamicSecretLease{
+		ID:                lease.Id,
+		ExpiresAt:         metav1.NewTime(lease.ExpireAt),
+		CreationTimestamp: metav1.NewTime(time.Now()),
+		Version:           int64(lease.Version),
+	}
+
+	infisicalDynamicSecret.Status.DynamicSecretID = dynamicSecret.Id
+	infisicalDynamicSecret.Status.MaxTTL = dynamicSecret.MaxTTL
+	infisicalDynamicSecret.Status.Lease = newLeaseStatus
+
+	// write the leaseData to the destination secret
+	destinationData := map[string]string{}
+
+	for key, value := range leaseData {
+		if strValue, ok := value.(string); ok {
+			destinationData[key] = strValue
+		} else {
+			return fmt.Errorf("unable to convert value to string for key %s", key)
+		}
+	}
+
+	destination.StringData = destinationData
+	destination.Annotations[constants.SECRET_VERSION_ANNOTATION] = fmt.Sprintf("%s-%d", lease.Id, lease.Version)
+
+	if err := r.Client.Update(ctx, destination); err != nil {
+		return fmt.Errorf("unable to update destination secret [err=%s]", err)
+	}
+
+	logger.Info(fmt.Sprintf("New lease successfully created [leaseId=%s]", lease.Id))
+	return nil
+}
+
+func (r *InfisicalDynamicSecretReconciler) RenewDynamicSecretLease(ctx context.Context, logger logr.Logger, infisicalClient infisicalSdk.InfisicalClientInterface, infisicalDynamicSecret *v1alpha1.InfisicalDynamicSecret, destination *corev1.Secret) error {
+	project, err := util.GetProjectByID(infisicalClient.Auth().GetAccessToken(), infisicalDynamicSecret.Spec.DynamicSecret.ProjectID)
+	if err != nil {
+		return err
+	}
+
+	request := infisicalSdk.RenewDynamicSecretLeaseOptions{
+		LeaseId:         infisicalDynamicSecret.Status.Lease.ID,
+		ProjectSlug:     project.Slug,
+		SecretPath:      infisicalDynamicSecret.Spec.DynamicSecret.SecretPath,
+		EnvironmentSlug: infisicalDynamicSecret.Spec.DynamicSecret.EnvironmentSlug,
+	}
+
+	if infisicalDynamicSecret.Spec.LeaseTTL != "" {
+		request.TTL = infisicalDynamicSecret.Spec.LeaseTTL
+	}
+
+	lease, err := infisicalClient.DynamicSecrets().Leases().RenewById(request)
+
+	if err != nil {
+
+		if strings.Contains(err.Error(), "TTL cannot be larger than max ttl") || // Case 1: TTL is larger than the max TTL
+			strings.Contains(err.Error(), "Dynamic secret lease with ID") { // Case 2: The lease has already expired and has been deleted
+			return constants.ErrInvalidLease
+		}
+
+		return fmt.Errorf("unable to renew lease [err=%s]", err)
+	}
+
+	infisicalDynamicSecret.Status.Lease.ExpiresAt = metav1.NewTime(lease.ExpireAt)
+
+	// update the infisicalDynamicSecret status
+	if err := r.Client.Status().Update(ctx, infisicalDynamicSecret); err != nil {
+		return fmt.Errorf("unable to update InfisicalDynamicSecret status [err=%s]", err)
+	}
+
+	logger.Info(fmt.Sprintf("Lease successfully renewed [leaseId=%s]", lease.Id))
+	return nil
+
+}
+
+func (r *InfisicalDynamicSecretReconciler) updateResourceVariables(infisicalDynamicSecret v1alpha1.InfisicalDynamicSecret, resourceVariables util.ResourceVariables) {
+	infisicalDynamicSecretsResourceVariablesMap[string(infisicalDynamicSecret.UID)] = resourceVariables
+}
+
+func (r *InfisicalDynamicSecretReconciler) HandleLeaseRevocation(ctx context.Context, logger logr.Logger, infisicalDynamicSecret *v1alpha1.InfisicalDynamicSecret) error {
+	if infisicalDynamicSecret.Spec.LeaseRevocationPolicy != string(constants.DYNAMIC_SECRET_LEASE_REVOCATION_POLICY_ENABLED) {
+		return nil
+	}
+
+	resourceVariables := r.getResourceVariables(*infisicalDynamicSecret)
+	infisicalClient := resourceVariables.InfisicalClient
+
+	logger.Info("Authenticating for lease revocation")
+	authDetails, err := r.handleAuthentication(ctx, *infisicalDynamicSecret, infisicalClient)
+
+	if err != nil {
+		return fmt.Errorf("unable to authenticate for lease revocation [err=%s]", err)
+	}
+
+	r.updateResourceVariables(*infisicalDynamicSecret, util.ResourceVariables{
+		InfisicalClient: infisicalClient,
+		CancelCtx:       resourceVariables.CancelCtx,
+		AuthDetails:     authDetails,
+	})
+
+	if infisicalDynamicSecret.Status.Lease == nil {
+		return nil
+	}
+
+	project, err := util.GetProjectByID(infisicalClient.Auth().GetAccessToken(), infisicalDynamicSecret.Spec.DynamicSecret.ProjectID)
+
+	if err != nil {
+		return err
+	}
+
+	infisicalClient.DynamicSecrets().Leases().DeleteById(infisicalSdk.DeleteDynamicSecretLeaseOptions{
+		LeaseId:         infisicalDynamicSecret.Status.Lease.ID,
+		ProjectSlug:     project.Slug,
+		SecretPath:      infisicalDynamicSecret.Spec.DynamicSecret.SecretPath,
+		EnvironmentSlug: infisicalDynamicSecret.Spec.DynamicSecret.EnvironmentSlug,
+	})
+
+	// update the destination data to remove the lease data
+	destination, err := util.GetKubeSecretByNamespacedName(ctx, r.Client, types.NamespacedName{
+		Name:      infisicalDynamicSecret.Spec.ManagedSecretReference.SecretName,
+		Namespace: infisicalDynamicSecret.Spec.ManagedSecretReference.SecretNamespace,
+	})
+
+	if err != nil {
+		return fmt.Errorf("unable to fetch destination secret [err=%s]", err)
+	}
+
+	destination.Data = map[string][]byte{}
+
+	if err := r.Client.Update(ctx, destination); err != nil {
+		return fmt.Errorf("unable to update destination secret [err=%s]", err)
+	}
+
+	logger.Info(fmt.Sprintf("Lease successfully revoked [leaseId=%s]", infisicalDynamicSecret.Status.Lease.ID))
+
+	return nil
+}
+
+func (r *InfisicalDynamicSecretReconciler) ReconcileInfisicalDynamicSecret(ctx context.Context, logger logr.Logger, infisicalDynamicSecret *v1alpha1.InfisicalDynamicSecret) (time.Duration, error) {
+
+	resourceVariables := r.getResourceVariables(*infisicalDynamicSecret)
+	infisicalClient := resourceVariables.InfisicalClient
+	cancelCtx := resourceVariables.CancelCtx
+	authDetails := resourceVariables.AuthDetails
+
+	defaultNextReconcile := 5 * time.Second
+	nextReconcile := defaultNextReconcile
+
+	var err error
+
+	if authDetails.AuthStrategy == "" {
+		logger.Info("No authentication strategy found. Attempting to authenticate")
+		authDetails, err = r.handleAuthentication(ctx, *infisicalDynamicSecret, infisicalClient)
+		r.SetAuthenticatedConditionStatus(ctx, logger, infisicalDynamicSecret, err)
+
+		if err != nil {
+			return nextReconcile, fmt.Errorf("unable to authenticate [err=%s]", err)
+		}
+
+		r.updateResourceVariables(*infisicalDynamicSecret, util.ResourceVariables{
+			InfisicalClient: infisicalClient,
+			CancelCtx:       cancelCtx,
+			AuthDetails:     authDetails,
+		})
+	}
+
+	destination, err := util.GetKubeSecretByNamespacedName(ctx, r.Client, types.NamespacedName{
+		Name:      infisicalDynamicSecret.Spec.ManagedSecretReference.SecretName,
+		Namespace: infisicalDynamicSecret.Spec.ManagedSecretReference.SecretNamespace,
+	})
+
+	if err != nil {
+		if k8Errors.IsNotFound(err) {
+
+			annotationValue := ""
+			if infisicalDynamicSecret.Status.Lease != nil {
+				annotationValue = fmt.Sprintf("%s-%d", infisicalDynamicSecret.Status.Lease.ID, infisicalDynamicSecret.Status.Lease.Version)
+			}
+
+			r.createInfisicalManagedKubeSecret(ctx, logger, *infisicalDynamicSecret, annotationValue)
+
+			destination, err = util.GetKubeSecretByNamespacedName(ctx, r.Client, types.NamespacedName{
+				Name:      infisicalDynamicSecret.Spec.ManagedSecretReference.SecretName,
+				Namespace: infisicalDynamicSecret.Spec.ManagedSecretReference.SecretNamespace,
+			})
+
+			if err != nil {
+				return nextReconcile, fmt.Errorf("unable to fetch destination secret after creation [err=%s]", err)
+			}
+
+		} else {
+			return nextReconcile, fmt.Errorf("unable to fetch destination secret")
+		}
+	}
+
+	if infisicalDynamicSecret.Status.Lease == nil {
+		err := r.CreateDynamicSecretLease(ctx, logger, infisicalClient, infisicalDynamicSecret, destination)
+		r.SetCreatedLeaseConditionStatus(ctx, logger, infisicalDynamicSecret, err)
+
+		return defaultNextReconcile, err // Short requeue after creation
+	} else {
+		now := time.Now()
+		leaseExpiresAt := infisicalDynamicSecret.Status.Lease.ExpiresAt.Time
+
+		// Calculate from creation to expiration
+		originalLeaseDuration := leaseExpiresAt.Sub(infisicalDynamicSecret.Status.Lease.CreationTimestamp.Time)
+
+		// Generate a random percentage between 20% and 30%
+		jitterPercentage := 20 + r.Random.Intn(11) // Random int from 0 to 10, then add 20
+		renewalThreshold := originalLeaseDuration * time.Duration(jitterPercentage) / 100
+		timeUntilExpiration := time.Until(leaseExpiresAt)
+
+		nextReconcile = timeUntilExpiration / 2
+
+		// Max TTL
+		if infisicalDynamicSecret.Status.MaxTTL != "" {
+			maxTTLDuration, err := util.ConvertIntervalToDuration(infisicalDynamicSecret.Status.MaxTTL)
+			if err != nil {
+				return defaultNextReconcile, fmt.Errorf("unable to parse MaxTTL duration: %w", err)
+			}
+
+			// Calculate when this dynamic secret will hit its max TTL
+			maxTTLExpirationTime := infisicalDynamicSecret.Status.Lease.CreationTimestamp.Add(maxTTLDuration)
+
+			// Calculate remaining time until max TTL
+			timeUntilMaxTTL := maxTTLExpirationTime.Sub(now)
+			maxTTLThreshold := maxTTLDuration * 40 / 100
+
+			// If we have less than 40% of max TTL remaining or have exceeded it, create new lease
+			if timeUntilMaxTTL <= maxTTLThreshold || now.After(maxTTLExpirationTime) {
+				logger.Info(fmt.Sprintf("Approaching or exceeded max TTL [timeUntilMaxTTL=%v] [maxTTLThreshold=%v], creating new lease...",
+					timeUntilMaxTTL,
+					maxTTLThreshold))
+
+				err := r.CreateDynamicSecretLease(ctx, logger, infisicalClient, infisicalDynamicSecret, destination)
+				r.SetCreatedLeaseConditionStatus(ctx, logger, infisicalDynamicSecret, err)
+				return defaultNextReconcile, err // Short requeue after creation
+			}
+		}
+
+		// Fail-safe: If the lease has expired we create a new dynamic secret directly.
+		if now.After(leaseExpiresAt) {
+			logger.Info("Lease has expired, creating new lease...")
+			err = r.CreateDynamicSecretLease(ctx, logger, infisicalClient, infisicalDynamicSecret, destination)
+			r.SetCreatedLeaseConditionStatus(ctx, logger, infisicalDynamicSecret, err)
+			return defaultNextReconcile, err // Short requeue after creation
+		}
+
+		if timeUntilExpiration < renewalThreshold || timeUntilExpiration < 30*time.Second {
+			logger.Info(fmt.Sprintf("Lease renewal needed [leaseId=%s] [timeUntilExpiration=%v] [threshold=%v]",
+				infisicalDynamicSecret.Status.Lease.ID,
+				timeUntilExpiration,
+				renewalThreshold))
+
+			err = r.RenewDynamicSecretLease(ctx, logger, infisicalClient, infisicalDynamicSecret, destination)
+			r.SetLeaseRenewalConditionStatus(ctx, logger, infisicalDynamicSecret, err)
+
+			if err == constants.ErrInvalidLease {
+				logger.Info("Failed to renew expired lease, creating new lease...")
+				err = r.CreateDynamicSecretLease(ctx, logger, infisicalClient, infisicalDynamicSecret, destination)
+				r.SetCreatedLeaseConditionStatus(ctx, logger, infisicalDynamicSecret, err)
+			}
+			return defaultNextReconcile, err // Short requeue after renewal/creation
+
+		} else {
+			logger.Info(fmt.Sprintf("Lease renewal not needed yet [leaseId=%s] [timeUntilExpiration=%v] [threshold=%v]",
+				infisicalDynamicSecret.Status.Lease.ID,
+				timeUntilExpiration,
+				renewalThreshold))
+		}
+
+		// Small buffer (20% of the calculated time) to ensure we don't cut it too close
+		nextReconcile = nextReconcile * 8 / 10
+
+		// Minimum and maximum bounds for the reconcile interval (5 min max, 5 min minimum)
+		nextReconcile = max(5*time.Second, min(nextReconcile, 5*time.Minute))
+	}
+
+	if err := r.Client.Status().Update(ctx, infisicalDynamicSecret); err != nil {
+		return nextReconcile, fmt.Errorf("unable to update InfisicalDynamicSecret status [err=%s]", err)
+	}
+
+	return nextReconcile, nil
+}

k8-operator/controllers/infisicalpushsecret/infisicalpushsecret_controller.go

@@ -22,7 +22,7 @@ import (
 	secretsv1alpha1 "github.com/Infisical/infisical/k8-operator/api/v1alpha1"
 	"github.com/Infisical/infisical/k8-operator/packages/api"
 	"github.com/Infisical/infisical/k8-operator/packages/constants"
-	controllerhelpers "github.com/Infisical/infisical/k8-operator/packages/controllerutil"
+	controllerhelpers "github.com/Infisical/infisical/k8-operator/packages/controllerhelpers"
 	"github.com/Infisical/infisical/k8-operator/packages/util"
 	"github.com/go-logr/logr"
 )
@@ -105,7 +105,7 @@ func (r *InfisicalPushSecretReconciler) Reconcile(ctx context.Context, req ctrl.
 
 	if infisicalPushSecretCRD.Spec.ResyncInterval != "" {
 
-		duration, err := util.ConvertResyncIntervalToDuration(infisicalPushSecretCRD.Spec.ResyncInterval)
+		duration, err := util.ConvertIntervalToDuration(infisicalPushSecretCRD.Spec.ResyncInterval)
 
 		if err != nil {
 			logger.Error(err, fmt.Sprintf("unable to convert resync interval to duration. Will requeue after [requeueTime=%v]", requeueTime))
@@ -141,7 +141,7 @@ func (r *InfisicalPushSecretReconciler) Reconcile(ctx context.Context, req ctrl.
 	if infisicalPushSecretCRD.Spec.HostAPI == "" {
 		api.API_HOST_URL = infisicalConfig["hostAPI"]
 	} else {
-		api.API_HOST_URL = infisicalPushSecretCRD.Spec.HostAPI
+		api.API_HOST_URL = util.AppendAPIEndpoint(infisicalPushSecretCRD.Spec.HostAPI)
 	}
 
 	if infisicalPushSecretCRD.Spec.TLS.CaRef.SecretName != "" {

k8-operator/controllers/infisicalsecret/infisicalsecret_controller.go

@@ -15,7 +15,7 @@ import (
 
 	secretsv1alpha1 "github.com/Infisical/infisical/k8-operator/api/v1alpha1"
 	"github.com/Infisical/infisical/k8-operator/packages/api"
-	controllerhelpers "github.com/Infisical/infisical/k8-operator/packages/controllerutil"
+	controllerhelpers "github.com/Infisical/infisical/k8-operator/packages/controllerhelpers"
 	"github.com/Infisical/infisical/k8-operator/packages/util"
 	"github.com/go-logr/logr"
 )
@@ -35,6 +35,8 @@ func (r *InfisicalSecretReconciler) GetLogger(req ctrl.Request) logr.Logger {
 	return r.BaseLogger.WithValues("infisicalsecret", req.NamespacedName)
 }
 
+var resourceVariablesMap map[string]util.ResourceVariables = make(map[string]util.ResourceVariables)
+
 //+kubebuilder:rbac:groups=secrets.infisical.com,resources=infisicalsecrets,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=secrets.infisical.com,resources=infisicalsecrets/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=secrets.infisical.com,resources=infisicalsecrets/finalizers,verbs=update
@@ -108,7 +110,7 @@ func (r *InfisicalSecretReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 	if infisicalSecretCRD.Spec.HostAPI == "" {
 		api.API_HOST_URL = infisicalConfig["hostAPI"]
 	} else {
-		api.API_HOST_URL = infisicalSecretCRD.Spec.HostAPI
+		api.API_HOST_URL = util.AppendAPIEndpoint(infisicalSecretCRD.Spec.HostAPI)
 	}
 
 	if infisicalSecretCRD.Spec.TLS.CaRef.SecretName != "" {
@@ -136,7 +138,7 @@ func (r *InfisicalSecretReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 		}, nil
 	}
 
-	numDeployments, err := r.ReconcileDeploymentsWithManagedSecrets(ctx, logger, infisicalSecretCRD)
+	numDeployments, err := controllerhelpers.ReconcileDeploymentsWithManagedSecrets(ctx, r.Client, logger, infisicalSecretCRD.Spec.ManagedSecretReference)
 	r.SetInfisicalAutoRedeploymentReady(ctx, logger, &infisicalSecretCRD, numDeployments, err)
 	if err != nil {
 		logger.Error(err, fmt.Sprintf("unable to reconcile auto redeployment. Will requeue after [requeueTime=%v]", requeueTime))

k8-operator/go.mod

@@ -3,7 +3,7 @@ module github.com/Infisical/infisical/k8-operator
 go 1.21
 
 require (
-	github.com/infisical/go-sdk v0.4.1
+	github.com/infisical/go-sdk v0.4.4
 	github.com/onsi/ginkgo/v2 v2.6.0
 	github.com/onsi/gomega v1.24.1
 	k8s.io/apimachinery v0.26.1
@@ -54,7 +54,7 @@ require (
 	github.com/emicklei/go-restful/v3 v3.9.0 // indirect
 	github.com/evanphx/json-patch/v5 v5.6.0 // indirect
 	github.com/fsnotify/fsnotify v1.6.0 // indirect
-	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-logr/logr v1.4.2
 	github.com/go-logr/zapr v1.2.3 // indirect
 	github.com/go-openapi/jsonpointer v0.19.5 // indirect
 	github.com/go-openapi/jsonreference v0.20.0 // indirect

k8-operator/go.sum

@@ -217,8 +217,8 @@ github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/imdario/mergo v0.3.12 h1:b6R2BslTbIEToALKP7LxUvijTsNI9TAe80pLWN2g/HU=
 github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
-github.com/infisical/go-sdk v0.4.1 h1:ZeLyc2+2TeIaw9odjxR3ipQqYzVSMOnd8/RaqyUNvBg=
-github.com/infisical/go-sdk v0.4.1/go.mod h1:6fWzAwTPIoKU49mQ2Oxu+aFnJu9n7k2JcNrZjzhHM2M=
+github.com/infisical/go-sdk v0.4.4 h1:Z4CBzxfhiY6ikjRimOEeyEEnb3QT/BKw3OzNFH7Pe+U=
+github.com/infisical/go-sdk v0.4.4/go.mod h1:6fWzAwTPIoKU49mQ2Oxu+aFnJu9n7k2JcNrZjzhHM2M=
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=

k8-operator/internal/controller/infisicaldynamicsecret_controller.go

@@ -0,0 +1,63 @@
+/*
+Copyright 2022.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package controller
+
+import (
+	"context"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+
+	secretsv1alpha1 "github.com/Infisical/infisical/k8-operator/api/v1alpha1"
+)
+
+// InfisicalDynamicSecretReconciler reconciles a InfisicalDynamicSecret object
+type InfisicalDynamicSecretReconciler struct {
+	client.Client
+	Scheme *runtime.Scheme
+}
+
+// +kubebuilder:rbac:groups=secrets.infisical.com,resources=infisicaldynamicsecrets,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=secrets.infisical.com,resources=infisicaldynamicsecrets/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=secrets.infisical.com,resources=infisicaldynamicsecrets/finalizers,verbs=update
+
+// Reconcile is part of the main kubernetes reconciliation loop which aims to
+// move the current state of the cluster closer to the desired state.
+// TODO(user): Modify the Reconcile function to compare the state specified by
+// the InfisicalDynamicSecret object against the actual cluster state, and then
+// perform operations to make the cluster state reflect the state specified by
+// the user.
+//
+// For more details, check Reconcile and its Result here:
+// - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/reconcile
+func (r *InfisicalDynamicSecretReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
+	_ = log.FromContext(ctx)
+
+	// TODO(user): your logic here
+
+	return ctrl.Result{}, nil
+}
+
+// SetupWithManager sets up the controller with the Manager.
+func (r *InfisicalDynamicSecretReconciler) SetupWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewControllerManagedBy(mgr).
+		For(&secretsv1alpha1.InfisicalDynamicSecret{}).
+		Named("infisicaldynamicsecret").
+		Complete(r)
+}

k8-operator/main.go

@@ -3,9 +3,12 @@ package main
 import (
 	"flag"
 	"os"
+	"time"
 
 	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
 	// to ensure that exec-entrypoint and run can make use of them.
+	"math/rand"
+
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
 
 	"k8s.io/apimachinery/pkg/runtime"
@@ -16,6 +19,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 
 	secretsv1alpha1 "github.com/Infisical/infisical/k8-operator/api/v1alpha1"
+	infisicalDynamicSecretController "github.com/Infisical/infisical/k8-operator/controllers/infisicaldynamicsecret"
 	infisicalPushSecretController "github.com/Infisical/infisical/k8-operator/controllers/infisicalpushsecret"
 	infisicalSecretController "github.com/Infisical/infisical/k8-operator/controllers/infisicalsecret"
 	//+kubebuilder:scaffold:imports
@@ -100,6 +104,16 @@ func main() {
 		os.Exit(1)
 	}
 
+	if err = (&infisicalDynamicSecretController.InfisicalDynamicSecretReconciler{
+		Client:     mgr.GetClient(),
+		Scheme:     mgr.GetScheme(),
+		BaseLogger: ctrl.Log,
+		Random:     rand.New(rand.NewSource(time.Now().UnixNano())),
+	}).SetupWithManager(mgr); err != nil {
+		setupLog.Error(err, "unable to create controller", "controller", "InfisicalDynamicSecret")
+		os.Exit(1)
+	}
+
 	//+kubebuilder:scaffold:builder
 
 	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {

k8-operator/packages/api/api.go

@@ -125,3 +125,24 @@ func CallGetServiceAccountKeysV2(httpClient *resty.Client, request GetServiceAcc
 
 	return serviceAccountKeysResponse, nil
 }
+
+func CallGetProjectByID(httpClient *resty.Client, request GetProjectByIDRequest) (GetProjectByIDResponse, error) {
+
+	var projectResponse GetProjectByIDResponse
+
+	response, err := httpClient.
+		R().SetResult(&projectResponse).
+		SetHeader("User-Agent", USER_AGENT_NAME).
+		Get(fmt.Sprintf("%s/v1/workspace/%s", API_HOST_URL, request.ProjectID))
+
+	if err != nil {
+		return GetProjectByIDResponse{}, fmt.Errorf("CallGetProject: Unable to complete api request [err=%s]", err)
+	}
+
+	if response.IsError() {
+		return GetProjectByIDResponse{}, fmt.Errorf("CallGetProject: Unsuccessful response: [response=%s]", response)
+	}
+
+	return projectResponse, nil
+
+}

k8-operator/packages/api/models.go

@@ -1,6 +1,10 @@
 package api
 
-import "time"
+import (
+	"time"
+
+	"github.com/Infisical/infisical/k8-operator/packages/model"
+)
 
 type GetEncryptedWorkspaceKeyRequest struct {
 	WorkspaceId string `json:"workspaceId"`
@@ -194,3 +198,11 @@ type ServiceAccountKey struct {
 type GetServiceAccountKeysResponse struct {
 	ServiceAccountKeys []ServiceAccountKey `json:"serviceAccountKeys"`
 }
+
+type GetProjectByIDRequest struct {
+	ProjectID string
+}
+
+type GetProjectByIDResponse struct {
+	Project model.Project `json:"workspace"`
+}

k8-operator/packages/constants/constants.go

@@ -1,5 +1,7 @@
 package constants
 
+import "errors"
+
 const SERVICE_ACCOUNT_ACCESS_KEY = "serviceAccountAccessKey"
 const SERVICE_ACCOUNT_PUBLIC_KEY = "serviceAccountPublicKey"
 const SERVICE_ACCOUNT_PRIVATE_KEY = "serviceAccountPrivateKey"
@@ -14,6 +16,7 @@ const OPERATOR_SETTINGS_CONFIGMAP_NAMESPACE = "infisical-operator-system"
 const INFISICAL_DOMAIN = "https://app.infisical.com/api"
 
 const INFISICAL_PUSH_SECRET_FINALIZER_NAME = "pushsecret.secrets.infisical.com/finalizer"
+const INFISICAL_DYNAMIC_SECRET_FINALIZER_NAME = "dynamicsecret.secrets.infisical.com/finalizer"
 
 type PushSecretReplacePolicy string
 type PushSecretDeletionPolicy string
@@ -22,3 +25,11 @@ const (
 	PUSH_SECRET_REPLACE_POLICY_ENABLED PushSecretReplacePolicy  = "Replace"
 	PUSH_SECRET_DELETE_POLICY_ENABLED  PushSecretDeletionPolicy = "Delete"
 )
+
+type DynamicSecretLeaseRevocationPolicy string
+
+const (
+	DYNAMIC_SECRET_LEASE_REVOCATION_POLICY_ENABLED DynamicSecretLeaseRevocationPolicy = "Revoke"
+)
+
+var ErrInvalidLease = errors.New("invalid dynamic secret lease")

k8-operator/packages/controllerhelpers/controllerhelpers.go

@@ -0,0 +1,144 @@
+package controllerhelpers
+
+import (
+	"context"
+	"fmt"
+	"sync"
+
+	"github.com/Infisical/infisical/k8-operator/api/v1alpha1"
+	"github.com/Infisical/infisical/k8-operator/packages/constants"
+	"github.com/go-logr/logr"
+	v1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+	k8Errors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	controllerClient "sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+const DEPLOYMENT_SECRET_NAME_ANNOTATION_PREFIX = "secrets.infisical.com/managed-secret"
+const AUTO_RELOAD_DEPLOYMENT_ANNOTATION = "secrets.infisical.com/auto-reload" // needs to be set to true for a deployment to start auto redeploying
+
+func ReconcileDeploymentsWithManagedSecrets(ctx context.Context, client controllerClient.Client, logger logr.Logger, managedSecret v1alpha1.ManagedKubeSecretConfig) (int, error) {
+	listOfDeployments := &v1.DeploymentList{}
+
+	err := client.List(ctx, listOfDeployments, &controllerClient.ListOptions{Namespace: managedSecret.SecretNamespace})
+	if err != nil {
+		return 0, fmt.Errorf("unable to get deployments in the [namespace=%v] [err=%v]", managedSecret.SecretNamespace, err)
+	}
+
+	managedKubeSecretNameAndNamespace := types.NamespacedName{
+		Namespace: managedSecret.SecretNamespace,
+		Name:      managedSecret.SecretName,
+	}
+
+	managedKubeSecret := &corev1.Secret{}
+	err = client.Get(ctx, managedKubeSecretNameAndNamespace, managedKubeSecret)
+	if err != nil {
+		return 0, fmt.Errorf("unable to fetch Kubernetes secret to update deployment: %v", err)
+	}
+
+	var wg sync.WaitGroup
+	// Iterate over the deployments and check if they use the managed secret
+	for _, deployment := range listOfDeployments.Items {
+		deployment := deployment
+		if deployment.Annotations[AUTO_RELOAD_DEPLOYMENT_ANNOTATION] == "true" && IsDeploymentUsingManagedSecret(deployment, managedSecret) {
+			// Start a goroutine to reconcile the deployment
+			wg.Add(1)
+			go func(deployment v1.Deployment, managedSecret corev1.Secret) {
+				defer wg.Done()
+				if err := ReconcileDeployment(ctx, client, logger, deployment, managedSecret); err != nil {
+					logger.Error(err, fmt.Sprintf("unable to reconcile deployment with [name=%v]. Will try next requeue", deployment.ObjectMeta.Name))
+				}
+			}(deployment, *managedKubeSecret)
+		}
+	}
+
+	wg.Wait()
+
+	return 0, nil
+}
+
+// Check if the deployment uses managed secrets
+func IsDeploymentUsingManagedSecret(deployment v1.Deployment, managedSecret v1alpha1.ManagedKubeSecretConfig) bool {
+	managedSecretName := managedSecret.SecretName
+	for _, container := range deployment.Spec.Template.Spec.Containers {
+		for _, envFrom := range container.EnvFrom {
+			if envFrom.SecretRef != nil && envFrom.SecretRef.LocalObjectReference.Name == managedSecretName {
+				return true
+			}
+		}
+		for _, env := range container.Env {
+			if env.ValueFrom != nil && env.ValueFrom.SecretKeyRef != nil && env.ValueFrom.SecretKeyRef.LocalObjectReference.Name == managedSecretName {
+				return true
+			}
+		}
+	}
+	for _, volume := range deployment.Spec.Template.Spec.Volumes {
+		if volume.Secret != nil && volume.Secret.SecretName == managedSecretName {
+			return true
+		}
+	}
+
+	return false
+}
+
+// This function ensures that a deployment is in sync with a Kubernetes secret by comparing their versions.
+// If the version of the secret is different from the version annotation on the deployment, the annotation is updated to trigger a restart of the deployment.
+func ReconcileDeployment(ctx context.Context, client controllerClient.Client, logger logr.Logger, deployment v1.Deployment, secret corev1.Secret) error {
+	annotationKey := fmt.Sprintf("%s.%s", DEPLOYMENT_SECRET_NAME_ANNOTATION_PREFIX, secret.Name)
+	annotationValue := secret.Annotations[constants.SECRET_VERSION_ANNOTATION]
+
+	if deployment.Annotations[annotationKey] == annotationValue &&
+		deployment.Spec.Template.Annotations[annotationKey] == annotationValue {
+		logger.Info(fmt.Sprintf("The [deploymentName=%v] is already using the most up to date managed secrets. No action required.", deployment.ObjectMeta.Name))
+		return nil
+	}
+
+	logger.Info(fmt.Sprintf("Deployment is using outdated managed secret. Starting re-deployment [deploymentName=%v]", deployment.ObjectMeta.Name))
+
+	if deployment.Spec.Template.Annotations == nil {
+		deployment.Spec.Template.Annotations = make(map[string]string)
+	}
+
+	deployment.Annotations[annotationKey] = annotationValue
+	deployment.Spec.Template.Annotations[annotationKey] = annotationValue
+
+	if err := client.Update(ctx, &deployment); err != nil {
+		return fmt.Errorf("failed to update deployment annotation: %v", err)
+	}
+	return nil
+}
+
+func GetInfisicalConfigMap(ctx context.Context, client client.Client) (configMap map[string]string, errToReturn error) {
+	// default key values
+	defaultConfigMapData := make(map[string]string)
+	defaultConfigMapData["hostAPI"] = constants.INFISICAL_DOMAIN
+
+	kubeConfigMap := &corev1.ConfigMap{}
+	err := client.Get(ctx, types.NamespacedName{
+		Namespace: constants.OPERATOR_SETTINGS_CONFIGMAP_NAMESPACE,
+		Name:      constants.OPERATOR_SETTINGS_CONFIGMAP_NAME,
+	}, kubeConfigMap)
+
+	if err != nil {
+		if k8Errors.IsNotFound(err) {
+			kubeConfigMap = nil
+		} else {
+			return nil, fmt.Errorf("GetConfigMapByNamespacedName: unable to fetch config map in [namespacedName=%s] [err=%s]", constants.OPERATOR_SETTINGS_CONFIGMAP_NAMESPACE, err)
+		}
+	}
+
+	if kubeConfigMap == nil {
+		return defaultConfigMapData, nil
+	} else {
+		for key, value := range defaultConfigMapData {
+			_, exists := kubeConfigMap.Data[key]
+			if !exists {
+				kubeConfigMap.Data[key] = value
+			}
+		}
+
+		return kubeConfigMap.Data, nil
+	}
+}

k8-operator/packages/model/model.go

@@ -28,3 +28,15 @@ type SecretTemplateOptions struct {
 	Value      string `json:"value"`
 	SecretPath string `json:"secretPath"`
 }
+
+type Project struct {
+	ID           string `json:"id"`
+	Name         string `json:"name"`
+	Slug         string `json:"slug"`
+	OrgID        string `json:"orgId"`
+	Environments []struct {
+		Name string `json:"name"`
+		Slug string `json:"slug"`
+		ID   string `json:"id"`
+	}
+}

k8-operator/packages/util/auth.go

@@ -63,11 +63,13 @@ var AuthStrategy = struct {
 type SecretCrdType string
 
 var SecretCrd = struct {
-	INFISICAL_SECRET      SecretCrdType
-	INFISICAL_PUSH_SECRET SecretCrdType
+	INFISICAL_SECRET         SecretCrdType
+	INFISICAL_PUSH_SECRET    SecretCrdType
+	INFISICAL_DYNAMIC_SECRET SecretCrdType
 }{
-	INFISICAL_SECRET:      "INFISICAL_SECRET",
-	INFISICAL_PUSH_SECRET: "INFISICAL_PUSH_SECRET",
+	INFISICAL_SECRET:         "INFISICAL_SECRET",
+	INFISICAL_PUSH_SECRET:    "INFISICAL_PUSH_SECRET",
+	INFISICAL_DYNAMIC_SECRET: "INFISICAL_DYNAMIC_SECRET",
 }
 
 type SecretAuthInput struct {
@@ -107,6 +109,18 @@ func HandleUniversalAuth(ctx context.Context, reconcilerClient client.Client, se
 			CredentialsRef: infisicalPushSecret.Spec.Authentication.UniversalAuth.CredentialsRef,
 			SecretsScope:   v1alpha1.MachineIdentityScopeInWorkspace{},
 		}
+
+	case SecretCrd.INFISICAL_DYNAMIC_SECRET:
+		infisicalDynamicSecret, ok := secretCrd.Secret.(v1alpha1.InfisicalDynamicSecret)
+
+		if !ok {
+			return AuthenticationDetails{}, errors.New("unable to cast secret to InfisicalDynamicSecret")
+		}
+
+		universalAuthSpec = v1alpha1.UniversalAuthDetails{
+			CredentialsRef: infisicalDynamicSecret.Spec.Authentication.UniversalAuth.CredentialsRef,
+			SecretsScope:   v1alpha1.MachineIdentityScopeInWorkspace{},
+		}
 	}
 
 	universalAuthKubeSecret, err := GetInfisicalUniversalAuthFromKubeSecret(ctx, reconcilerClient, v1alpha1.KubeSecretReference{
@@ -160,6 +174,22 @@ func HandleKubernetesAuth(ctx context.Context, reconcilerClient client.Client, s
 			},
 			SecretsScope: v1alpha1.MachineIdentityScopeInWorkspace{},
 		}
+
+	case SecretCrd.INFISICAL_DYNAMIC_SECRET:
+		infisicalDynamicSecret, ok := secretCrd.Secret.(v1alpha1.InfisicalDynamicSecret)
+
+		if !ok {
+			return AuthenticationDetails{}, errors.New("unable to cast secret to InfisicalDynamicSecret")
+		}
+
+		kubernetesAuthSpec = v1alpha1.KubernetesAuthDetails{
+			IdentityID: infisicalDynamicSecret.Spec.Authentication.KubernetesAuth.IdentityID,
+			ServiceAccountRef: v1alpha1.KubernetesServiceAccountRef{
+				Namespace: infisicalDynamicSecret.Spec.Authentication.KubernetesAuth.ServiceAccountRef.Namespace,
+				Name:      infisicalDynamicSecret.Spec.Authentication.KubernetesAuth.ServiceAccountRef.Name,
+			},
+			SecretsScope: v1alpha1.MachineIdentityScopeInWorkspace{},
+		}
 	}
 
 	if kubernetesAuthSpec.IdentityID == "" {
@@ -208,6 +238,18 @@ func HandleAwsIamAuth(ctx context.Context, reconcilerClient client.Client, secre
 			IdentityID:   infisicalPushSecret.Spec.Authentication.AwsIamAuth.IdentityID,
 			SecretsScope: v1alpha1.MachineIdentityScopeInWorkspace{},
 		}
+
+	case SecretCrd.INFISICAL_DYNAMIC_SECRET:
+		infisicalDynamicSecret, ok := secretCrd.Secret.(v1alpha1.InfisicalDynamicSecret)
+
+		if !ok {
+			return AuthenticationDetails{}, errors.New("unable to cast secret to InfisicalDynamicSecret")
+		}
+
+		awsIamAuthSpec = v1alpha1.AWSIamAuthDetails{
+			IdentityID:   infisicalDynamicSecret.Spec.Authentication.AwsIamAuth.IdentityID,
+			SecretsScope: v1alpha1.MachineIdentityScopeInWorkspace{},
+		}
 	}
 
 	if awsIamAuthSpec.IdentityID == "" {
@@ -253,6 +295,19 @@ func HandleAzureAuth(ctx context.Context, reconcilerClient client.Client, secret
 			Resource:     infisicalPushSecret.Spec.Authentication.AzureAuth.Resource,
 			SecretsScope: v1alpha1.MachineIdentityScopeInWorkspace{},
 		}
+
+	case SecretCrd.INFISICAL_DYNAMIC_SECRET:
+		infisicalDynamicSecret, ok := secretCrd.Secret.(v1alpha1.InfisicalDynamicSecret)
+
+		if !ok {
+			return AuthenticationDetails{}, errors.New("unable to cast secret to InfisicalDynamicSecret")
+		}
+
+		azureAuthSpec = v1alpha1.AzureAuthDetails{
+			IdentityID:   infisicalDynamicSecret.Spec.Authentication.AzureAuth.IdentityID,
+			Resource:     infisicalDynamicSecret.Spec.Authentication.AzureAuth.Resource,
+			SecretsScope: v1alpha1.MachineIdentityScopeInWorkspace{},
+		}
 	}
 
 	if azureAuthSpec.IdentityID == "" {
@@ -296,6 +351,18 @@ func HandleGcpIdTokenAuth(ctx context.Context, reconcilerClient client.Client, s
 			IdentityID:   infisicalPushSecret.Spec.Authentication.GcpIdTokenAuth.IdentityID,
 			SecretsScope: v1alpha1.MachineIdentityScopeInWorkspace{},
 		}
+
+	case SecretCrd.INFISICAL_DYNAMIC_SECRET:
+		infisicalDynamicSecret, ok := secretCrd.Secret.(v1alpha1.InfisicalDynamicSecret)
+
+		if !ok {
+			return AuthenticationDetails{}, errors.New("unable to cast secret to InfisicalDynamicSecret")
+		}
+
+		gcpIdTokenSpec = v1alpha1.GCPIdTokenAuthDetails{
+			IdentityID:   infisicalDynamicSecret.Spec.Authentication.GcpIdTokenAuth.IdentityID,
+			SecretsScope: v1alpha1.MachineIdentityScopeInWorkspace{},
+		}
 	}
 
 	if gcpIdTokenSpec.IdentityID == "" {
@@ -340,6 +407,19 @@ func HandleGcpIamAuth(ctx context.Context, reconcilerClient client.Client, secre
 			ServiceAccountKeyFilePath: infisicalPushSecret.Spec.Authentication.GcpIamAuth.ServiceAccountKeyFilePath,
 			SecretsScope:              v1alpha1.MachineIdentityScopeInWorkspace{},
 		}
+
+	case SecretCrd.INFISICAL_DYNAMIC_SECRET:
+		infisicalDynamicSecret, ok := secretCrd.Secret.(v1alpha1.InfisicalDynamicSecret)
+
+		if !ok {
+			return AuthenticationDetails{}, errors.New("unable to cast secret to InfisicalDynamicSecret")
+		}
+
+		gcpIamSpec = v1alpha1.GcpIamAuthDetails{
+			IdentityID:                infisicalDynamicSecret.Spec.Authentication.GcpIamAuth.IdentityID,
+			ServiceAccountKeyFilePath: infisicalDynamicSecret.Spec.Authentication.GcpIamAuth.ServiceAccountKeyFilePath,
+			SecretsScope:              v1alpha1.MachineIdentityScopeInWorkspace{},
+		}
 	}
 
 	if gcpIamSpec.IdentityID == "" && gcpIamSpec.ServiceAccountKeyFilePath == "" {

k8-operator/packages/util/helpers.go

@@ -0,0 +1,61 @@
+package util
+
+import (
+	"fmt"
+	"strconv"
+	"strings"
+	"time"
+)
+
+func ConvertIntervalToDuration(resyncInterval string) (time.Duration, error) {
+	length := len(resyncInterval)
+	if length < 2 {
+		return 0, fmt.Errorf("invalid format")
+	}
+
+	unit := resyncInterval[length-1:]
+	numberPart := resyncInterval[:length-1]
+
+	number, err := strconv.Atoi(numberPart)
+	if err != nil {
+		return 0, err
+	}
+
+	switch unit {
+	case "s":
+		if number < 5 {
+			return 0, fmt.Errorf("resync interval must be at least 5 seconds")
+		}
+		return time.Duration(number) * time.Second, nil
+	case "m":
+		return time.Duration(number) * time.Minute, nil
+	case "h":
+		return time.Duration(number) * time.Hour, nil
+	case "d":
+		return time.Duration(number) * 24 * time.Hour, nil
+	case "w":
+		return time.Duration(number) * 7 * 24 * time.Hour, nil
+	default:
+		return 0, fmt.Errorf("invalid time unit")
+	}
+}
+
+func ConvertIntervalToTime(resyncInterval string) (time.Time, error) {
+	duration, err := ConvertIntervalToDuration(resyncInterval)
+	if err != nil {
+		return time.Time{}, err
+	}
+
+	// Add duration to current time
+	return time.Now().Add(duration), nil
+}
+
+func AppendAPIEndpoint(address string) string {
+	if strings.HasSuffix(address, "/api") {
+		return address
+	}
+	if address[len(address)-1] == '/' {
+		return address + "api"
+	}
+	return address + "/api"
+}

k8-operator/packages/util/workspace.go

@@ -0,0 +1,27 @@
+package util
+
+import (
+	"fmt"
+
+	"github.com/Infisical/infisical/k8-operator/packages/api"
+	"github.com/Infisical/infisical/k8-operator/packages/model"
+	"github.com/go-resty/resty/v2"
+)
+
+func GetProjectByID(accessToken string, projectId string) (model.Project, error) {
+
+	httpClient := resty.New()
+	httpClient.
+		SetAuthScheme("Bearer").
+		SetAuthToken(accessToken).
+		SetHeader("Accept", "application/json")
+
+	projectDetails, err := api.CallGetProjectByID(httpClient, api.GetProjectByIDRequest{
+		ProjectID: projectId,
+	})
+	if err != nil {
+		return model.Project{}, fmt.Errorf("unable to get project by slug. [err=%v]", err)
+	}
+
+	return projectDetails.Project, nil
+}