Merge branch 'main' into docs/update-net-sdk

Update .NET docs with new links
update
2025-07-29 22:37:44 +00:00 · 2025-05-29 08:07:43 -07:00 · 2025-05-29 08:07:07 -07:00 · 2025-05-29 10:28:35 -04:00 · 2025-05-29 10:16:59 -04:00 · 2025-05-29 21:45:22 +08:00
39 changed files with 1668 additions and 144 deletions
--- a/backend/src/db/migrations/20250528183744_remove-encrypted-salt-from-shared-secret.ts
+++ b/backend/src/db/migrations/20250528183744_remove-encrypted-salt-from-shared-secret.ts
@@ -0,0 +1,27 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.SecretSharing)) {
+    const hasEncryptedSalt = await knex.schema.hasColumn(TableName.SecretSharing, "encryptedSalt");
+
+    if (hasEncryptedSalt) {
+      await knex.schema.alterTable(TableName.SecretSharing, (t) => {
+        t.dropColumn("encryptedSalt");
+      });
+    }
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.SecretSharing)) {
+    const hasEncryptedSalt = await knex.schema.hasColumn(TableName.SecretSharing, "encryptedSalt");
+
+    if (!hasEncryptedSalt) {
+      await knex.schema.alterTable(TableName.SecretSharing, (t) => {
+        t.binary("encryptedSalt").nullable();
+      });
+    }
+  }
+}
--- a/backend/src/db/schemas/secret-sharing.ts
+++ b/backend/src/db/schemas/secret-sharing.ts
@@ -28,7 +28,6 @@ export const SecretSharingSchema = z.object({
  encryptedSecret: zodBuffer.nullable().optional(),
  identifier: z.string().nullable().optional(),
  type: z.string().default("share"),
-  encryptedSalt: zodBuffer.nullable().optional(),
  authorizedEmails: z.unknown().nullable().optional()
 });

--- a/backend/src/ee/routes/v1/license-router.ts
+++ b/backend/src/ee/routes/v1/license-router.ts
@@ -47,7 +47,7 @@ export const registerLicenseRouter = async (server: FastifyZodProvider) => {
        200: z.object({ plan: z.any() })
      }
    },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
    handler: async (req) => {
      const plan = await server.services.license.getOrgPlan({
        actorId: req.permission.id,
--- a/backend/src/ee/services/dynamic-secret/providers/index.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/index.ts
@@ -6,6 +6,7 @@ import { AwsIamProvider } from "./aws-iam";
 import { AzureEntraIDProvider } from "./azure-entra-id";
 import { CassandraProvider } from "./cassandra";
 import { ElasticSearchProvider } from "./elastic-search";
+import { KubernetesProvider } from "./kubernetes";
 import { LdapProvider } from "./ldap";
 import { DynamicSecretProviders, TDynamicProviderFns } from "./models";
 import { MongoAtlasProvider } from "./mongo-atlas";
@@ -38,5 +39,6 @@ export const buildDynamicSecretProviders = ({
  [DynamicSecretProviders.SapHana]: SapHanaProvider(),
  [DynamicSecretProviders.Snowflake]: SnowflakeProvider(),
  [DynamicSecretProviders.Totp]: TotpProvider(),
-  [DynamicSecretProviders.SapAse]: SapAseProvider()
+  [DynamicSecretProviders.SapAse]: SapAseProvider(),
+  [DynamicSecretProviders.Kubernetes]: KubernetesProvider({ gatewayService })
 });
--- a/backend/src/ee/services/dynamic-secret/providers/kubernetes.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/kubernetes.ts
@@ -0,0 +1,199 @@
+import axios from "axios";
+import https from "https";
+
+import { InternalServerError } from "@app/lib/errors";
+import { withGatewayProxy } from "@app/lib/gateway";
+import { blockLocalAndPrivateIpAddresses } from "@app/lib/validator";
+import { TKubernetesTokenRequest } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-types";
+
+import { TGatewayServiceFactory } from "../../gateway/gateway-service";
+import { DynamicSecretKubernetesSchema, TDynamicProviderFns } from "./models";
+
+const EXTERNAL_REQUEST_TIMEOUT = 10 * 1000;
+
+type TKubernetesProviderDTO = {
+  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTlsByGatewayId">;
+};
+
+export const KubernetesProvider = ({ gatewayService }: TKubernetesProviderDTO): TDynamicProviderFns => {
+  const validateProviderInputs = async (inputs: unknown) => {
+    const providerInputs = await DynamicSecretKubernetesSchema.parseAsync(inputs);
+    if (!providerInputs.gatewayId) {
+      await blockLocalAndPrivateIpAddresses(providerInputs.url);
+    }
+
+    return providerInputs;
+  };
+
+  const $gatewayProxyWrapper = async <T>(
+    inputs: {
+      gatewayId: string;
+      targetHost: string;
+      targetPort: number;
+    },
+    gatewayCallback: (host: string, port: number) => Promise<T>
+  ): Promise<T> => {
+    const relayDetails = await gatewayService.fnGetGatewayClientTlsByGatewayId(inputs.gatewayId);
+    const [relayHost, relayPort] = relayDetails.relayAddress.split(":");
+
+    const callbackResult = await withGatewayProxy(
+      async (port) => {
+        // Needs to be https protocol or the kubernetes API server will fail with "Client sent an HTTP request to an HTTPS server"
+        const res = await gatewayCallback("https://localhost", port);
+        return res;
+      },
+      {
+        targetHost: inputs.targetHost,
+        targetPort: inputs.targetPort,
+        relayHost,
+        relayPort: Number(relayPort),
+        identityId: relayDetails.identityId,
+        orgId: relayDetails.orgId,
+        tlsOptions: {
+          ca: relayDetails.certChain,
+          cert: relayDetails.certificate,
+          key: relayDetails.privateKey.toString()
+        }
+      }
+    );
+
+    return callbackResult;
+  };
+
+  const validateConnection = async (inputs: unknown) => {
+    const providerInputs = await validateProviderInputs(inputs);
+
+    const serviceAccountGetCallback = async (host: string, port: number) => {
+      const baseUrl = port ? `${host}:${port}` : host;
+
+      await axios.get(
+        `${baseUrl}/api/v1/namespaces/${providerInputs.namespace}/serviceaccounts/${providerInputs.serviceAccountName}`,
+        {
+          headers: {
+            "Content-Type": "application/json",
+            Authorization: `Bearer ${providerInputs.clusterToken}`
+          },
+          signal: AbortSignal.timeout(EXTERNAL_REQUEST_TIMEOUT),
+          timeout: EXTERNAL_REQUEST_TIMEOUT,
+          httpsAgent: new https.Agent({
+            ca: providerInputs.ca,
+            rejectUnauthorized: providerInputs.sslEnabled
+          })
+        }
+      );
+    };
+
+    const url = new URL(providerInputs.url);
+    const k8sPort = url.port ? Number(url.port) : 443;
+
+    try {
+      if (providerInputs.gatewayId) {
+        const k8sHost = url.hostname;
+
+        await $gatewayProxyWrapper(
+          {
+            gatewayId: providerInputs.gatewayId,
+            targetHost: k8sHost,
+            targetPort: k8sPort
+          },
+          serviceAccountGetCallback
+        );
+      } else {
+        const k8sHost = `${url.protocol}//${url.hostname}`;
+        await serviceAccountGetCallback(k8sHost, k8sPort);
+      }
+
+      return true;
+    } catch (error) {
+      let errorMessage = error instanceof Error ? error.message : "Unknown error";
+      if (axios.isAxiosError(error) && (error.response?.data as { message: string })?.message) {
+        errorMessage = (error.response?.data as { message: string }).message;
+      }
+
+      throw new InternalServerError({
+        message: `Failed to validate connection: ${errorMessage}`
+      });
+    }
+  };
+
+  const create = async (inputs: unknown, expireAt: number) => {
+    const providerInputs = await validateProviderInputs(inputs);
+
+    const tokenRequestCallback = async (host: string, port: number) => {
+      const baseUrl = port ? `${host}:${port}` : host;
+
+      const res = await axios.post<TKubernetesTokenRequest>(
+        `${baseUrl}/api/v1/namespaces/${providerInputs.namespace}/serviceaccounts/${providerInputs.serviceAccountName}/token`,
+        {
+          spec: {
+            expirationSeconds: Math.floor((expireAt - Date.now()) / 1000),
+            ...(providerInputs.audiences?.length ? { audiences: providerInputs.audiences } : {})
+          }
+        },
+        {
+          headers: {
+            "Content-Type": "application/json",
+            Authorization: `Bearer ${providerInputs.clusterToken}`
+          },
+          signal: AbortSignal.timeout(EXTERNAL_REQUEST_TIMEOUT),
+          timeout: EXTERNAL_REQUEST_TIMEOUT,
+          httpsAgent: new https.Agent({
+            ca: providerInputs.ca,
+            rejectUnauthorized: providerInputs.sslEnabled
+          })
+        }
+      );
+
+      return res.data;
+    };
+
+    const url = new URL(providerInputs.url);
+    const k8sHost = `${url.protocol}//${url.hostname}`;
+    const k8sGatewayHost = url.hostname;
+    const k8sPort = url.port ? Number(url.port) : 443;
+
+    try {
+      const tokenData = providerInputs.gatewayId
+        ? await $gatewayProxyWrapper(
+            {
+              gatewayId: providerInputs.gatewayId,
+              targetHost: k8sGatewayHost,
+              targetPort: k8sPort
+            },
+            tokenRequestCallback
+          )
+        : await tokenRequestCallback(k8sHost, k8sPort);
+
+      return {
+        entityId: providerInputs.serviceAccountName,
+        data: { TOKEN: tokenData.status.token }
+      };
+    } catch (error) {
+      let errorMessage = error instanceof Error ? error.message : "Unknown error";
+      if (axios.isAxiosError(error) && (error.response?.data as { message: string })?.message) {
+        errorMessage = (error.response?.data as { message: string }).message;
+      }
+
+      throw new InternalServerError({
+        message: `Failed to create dynamic secret: ${errorMessage}`
+      });
+    }
+  };
+
+  const revoke = async (_inputs: unknown, entityId: string) => {
+    return { entityId };
+  };
+
+  const renew = async (_inputs: unknown, entityId: string) => {
+    // No renewal necessary
+    return { entityId };
+  };
+
+  return {
+    validateProviderInputs,
+    validateConnection,
+    create,
+    revoke,
+    renew
+  };
+};
--- a/backend/src/ee/services/dynamic-secret/providers/models.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/models.ts
@@ -29,6 +29,10 @@ export enum LdapCredentialType {
  Static = "static"
 }

+export enum KubernetesCredentialType {
+  Static = "static"
+}
+
 export enum TotpConfigType {
  URL = "url",
  MANUAL = "manual"
@@ -277,6 +281,18 @@ export const LdapSchema = z.union([
  })
 ]);

+export const DynamicSecretKubernetesSchema = z.object({
+  url: z.string().url().trim().min(1),
+  gatewayId: z.string().nullable().optional(),
+  sslEnabled: z.boolean().default(true),
+  clusterToken: z.string().trim().min(1),
+  ca: z.string().optional(),
+  serviceAccountName: z.string().trim().min(1),
+  credentialType: z.literal(KubernetesCredentialType.Static),
+  namespace: z.string().trim().min(1),
+  audiences: z.array(z.string().trim().min(1))
+});
+
 export const DynamicSecretTotpSchema = z.discriminatedUnion("configType", [
  z.object({
    configType: z.literal(TotpConfigType.URL),
@@ -320,7 +336,8 @@ export enum DynamicSecretProviders {
  SapHana = "sap-hana",
  Snowflake = "snowflake",
  Totp = "totp",
-  SapAse = "sap-ase"
+  SapAse = "sap-ase",
+  Kubernetes = "kubernetes"
 }

 export const DynamicSecretProviderSchema = z.discriminatedUnion("type", [
@@ -338,7 +355,8 @@ export const DynamicSecretProviderSchema = z.discriminatedUnion("type", [
  z.object({ type: z.literal(DynamicSecretProviders.AzureEntraID), inputs: AzureEntraIDSchema }),
  z.object({ type: z.literal(DynamicSecretProviders.Ldap), inputs: LdapSchema }),
  z.object({ type: z.literal(DynamicSecretProviders.Snowflake), inputs: DynamicSecretSnowflakeSchema }),
-  z.object({ type: z.literal(DynamicSecretProviders.Totp), inputs: DynamicSecretTotpSchema })
+  z.object({ type: z.literal(DynamicSecretProviders.Totp), inputs: DynamicSecretTotpSchema }),
+  z.object({ type: z.literal(DynamicSecretProviders.Kubernetes), inputs: DynamicSecretKubernetesSchema })
 ]);

 export type TDynamicProviderFns = {
--- a/backend/src/ee/services/oidc/oidc-config-service.ts
+++ b/backend/src/ee/services/oidc/oidc-config-service.ts
@@ -44,6 +44,7 @@ import {
  TOidcLoginDTO,
  TUpdateOidcCfgDTO
 } from "./oidc-config-types";
+import { logger } from "@app/lib/logger";

 type TOidcConfigServiceFactoryDep = {
  userDAL: Pick<
@@ -699,6 +700,7 @@ export const oidcConfigServiceFactory = ({
      // eslint-disable-next-line @typescript-eslint/no-explicit-any
      (_req: any, tokenSet: TokenSet, cb: any) => {
        const claims = tokenSet.claims();
+        logger.info(`User OIDC claims received for [orgId=${org.id}] [claims=${JSON.stringify(claims)}]`);
        if (!claims.email || !claims.given_name) {
          throw new BadRequestError({
            message: "Invalid request. Missing email or first name"
--- a/backend/src/lib/gateway/index.ts
+++ b/backend/src/lib/gateway/index.ts
@@ -3,6 +3,7 @@ import crypto from "node:crypto";
 import net from "node:net";

 import quicDefault, * as quicModule from "@infisical/quic";
+import axios from "axios";

 import { BadRequestError } from "../errors";
 import { logger } from "../logger";
@@ -378,7 +379,12 @@ export const withGatewayProxy = async <T>(
      logger.error(new Error(proxyErrorMessage), "Failed to proxy");
    }
    logger.error(err, "Failed to do gateway");
-    throw new BadRequestError({ message: proxyErrorMessage || (err as Error)?.message });
+    let errorMessage = proxyErrorMessage || (err as Error)?.message;
+    if (axios.isAxiosError(err) && (err.response?.data as { message?: string })?.message) {
+      errorMessage = (err.response?.data as { message: string }).message;
+    }
+
+    throw new BadRequestError({ message: errorMessage });
  } finally {
    // Ensure cleanup happens regardless of success or failure
    await cleanup();
--- a/backend/src/server/routes/v1/secret-sharing-router.ts
+++ b/backend/src/server/routes/v1/secret-sharing-router.ts
@@ -62,9 +62,7 @@ export const registerSecretSharingRouter = async (server: FastifyZodProvider) =>
      }),
      body: z.object({
        hashedHex: z.string().min(1).optional(),
-        password: z.string().optional(),
-        email: z.string().optional(),
-        hash: z.string().optional()
+        password: z.string().optional()
      }),
      response: {
        200: z.object({
@@ -91,8 +89,7 @@ export const registerSecretSharingRouter = async (server: FastifyZodProvider) =>
        hashedHex: req.body.hashedHex,
        password: req.body.password,
        orgId: req.permission?.orgId,
-        email: req.body.email,
-        hash: req.body.hash
+        actorId: req.permission?.id
      });

      if (sharedSecret.secret?.orgId) {
@@ -156,7 +153,13 @@ export const registerSecretSharingRouter = async (server: FastifyZodProvider) =>
        expiresAt: z.string(),
        expiresAfterViews: z.number().min(1).optional(),
        accessType: z.nativeEnum(SecretSharingAccessType).default(SecretSharingAccessType.Organization),
-        emails: z.string().email().array().max(100).optional()
+        emails: z
+          .string()
+          .email()
+          .array()
+          .max(100)
+          .optional()
+          .transform((val) => (val ? [...new Set(val)] : undefined))
      }),
      response: {
        200: z.object({
--- a/backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-service.ts
+++ b/backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-service.ts
@@ -2,6 +2,7 @@ import { ForbiddenError } from "@casl/ability";
 import axios, { AxiosError } from "axios";
 import https from "https";
 import jwt from "jsonwebtoken";
+import RE2 from "re2";

 import { IdentityAuthMethod, TIdentityKubernetesAuthsUpdate } from "@app/db/schemas";
 import { TGatewayDALFactory } from "@app/ee/services/gateway/gateway-dal";
@@ -185,7 +186,13 @@ export const identityKubernetesAuthServiceFactory = ({
      return res.data;
    };

-    const [k8sHost, k8sPort] = identityKubernetesAuth.kubernetesHost.split(":");
+    let { kubernetesHost } = identityKubernetesAuth;
+
+    if (kubernetesHost.startsWith("https://") || kubernetesHost.startsWith("http://")) {
+      kubernetesHost = new RE2("^https?:\\/\\/").replace(kubernetesHost, "");
+    }
+
+    const [k8sHost, k8sPort] = kubernetesHost.split(":");

    const data = identityKubernetesAuth.gatewayId
      ? await $gatewayProxyWrapper(
--- a/backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-types.ts
+++ b/backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-types.ts
@@ -63,6 +63,18 @@ export type TCreateTokenReviewResponse = {
  status: TCreateTokenReviewSuccessResponse | TCreateTokenReviewErrorResponse;
 };

+export type TKubernetesTokenRequest = {
+  apiVersion: "authentication.k8s.io/v1";
+  kind: "TokenRequest";
+  spec: {
+    audiences: string[];
+    expirationSeconds: number;
+  };
+  status: {
+    token: string;
+  };
+};
+
 export type TRevokeKubernetesAuthDTO = {
  identityId: string;
 } & Omit<TProjectPermission, "projectId">;
--- a/backend/src/services/secret-sharing/secret-sharing-service.ts
+++ b/backend/src/services/secret-sharing/secret-sharing-service.ts
@@ -115,8 +115,6 @@ export const secretSharingServiceFactory = ({

    const encryptWithRoot = kmsService.encryptWithRootKey();

-    let salt: string | undefined;
-    let encryptedSalt: Buffer | undefined;
    const orgEmails = [];

    if (emails && emails.length > 0) {
@@ -133,10 +131,6 @@ export const secretSharingServiceFactory = ({
          });
        }
      }
-
-      // Generate salt for signing email hashes (if emails are provided)
-      salt = crypto.randomBytes(32).toString("hex");
-      encryptedSalt = encryptWithRoot(Buffer.from(salt));
    }

    const encryptedSecret = encryptWithRoot(Buffer.from(secretValue));
@@ -158,14 +152,13 @@ export const secretSharingServiceFactory = ({
      userId: actorId,
      orgId,
      accessType,
-      authorizedEmails: emails && emails.length > 0 ? JSON.stringify(emails) : undefined,
-      encryptedSalt
+      authorizedEmails: emails && emails.length > 0 ? JSON.stringify(emails) : undefined
    });

    const idToReturn = `${Buffer.from(newSharedSecret.identifier!, "hex").toString("base64url")}`;

    // Loop through recipients and send out emails with unique access links
-    if (emails && salt) {
+    if (emails) {
      const user = await userDAL.findById(actorId);

      if (!user) {
@@ -174,9 +167,6 @@ export const secretSharingServiceFactory = ({

      for await (const email of emails) {
        try {
-          const hmac = crypto.createHmac("sha256", salt).update(email);
-          const hash = hmac.digest("hex");
-
          // Only show the username to emails which are part of the organization
          const respondentUsername = orgEmails.includes(email) ? user.username : undefined;

@@ -186,7 +176,7 @@ export const secretSharingServiceFactory = ({
            substitutions: {
              name,
              respondentUsername,
-              secretRequestUrl: `${appCfg.SITE_URL}/shared/secret/${idToReturn}?email=${encodeURIComponent(email)}&hash=${hash}`
+              secretRequestUrl: `${appCfg.SITE_URL}/shared/secret/${idToReturn}`
            },
            template: SmtpTemplates.SecretRequestCompleted
          });
@@ -474,9 +464,8 @@ export const secretSharingServiceFactory = ({
    sharedSecretId,
    hashedHex,
    orgId,
-    password,
-    email,
-    hash
+    actorId,
+    password
  }: TGetActiveSharedSecretByIdDTO) => {
    const sharedSecret = isUuidV4(sharedSecretId)
      ? await secretSharingDAL.findOne({
@@ -506,6 +495,17 @@ export const secretSharingServiceFactory = ({
      throw new ForbiddenRequestError();
    }

+    // If the secret was shared with specific emails, verify that the current user's session email is authorized
+    if (sharedSecret.authorizedEmails && (sharedSecret.authorizedEmails as string[]).length > 0) {
+      if (!actorId) throw new UnauthorizedError();
+
+      const user = await userDAL.findById(actorId);
+      if (!user || !user.email) throw new UnauthorizedError();
+
+      if (!(sharedSecret.authorizedEmails as string[]).includes(user.email))
+        throw new UnauthorizedError({ message: "Email not authorized to view secret" });
+    }
+
    // all secrets pass through here, meaning we check if its expired first and then check if it needs verification
    // or can be safely sent to the client.
    if (expiresAt !== null && expiresAt < new Date()) {
@@ -524,31 +524,6 @@ export const secretSharingServiceFactory = ({
      });
    }

-    const decryptWithRoot = kmsService.decryptWithRootKey();
-
-    if (sharedSecret.authorizedEmails && sharedSecret.encryptedSalt) {
-      // Verify both params were passed
-      if (!email || !hash) {
-        throw new BadRequestError({
-          message: "This secret is email protected. Parameters must include email and hash."
-        });
-
-        // Verify that email is authorized to view shared secret
-      } else if (!(sharedSecret.authorizedEmails as string[]).includes(email)) {
-        throw new UnauthorizedError({ message: "Email not authorized to view secret" });
-
-        // Verify that hash matches
-      } else {
-        const salt = decryptWithRoot(sharedSecret.encryptedSalt).toString();
-        const hmac = crypto.createHmac("sha256", salt).update(email);
-        const rebuiltHash = hmac.digest("hex");
-
-        if (rebuiltHash !== hash) {
-          throw new UnauthorizedError({ message: "Email not authorized to view secret" });
-        }
-      }
-    }
-
    // Password checks
    const isPasswordProtected = Boolean(sharedSecret.password);
    const hasProvidedPassword = Boolean(password);
@@ -561,6 +536,8 @@ export const secretSharingServiceFactory = ({
      }
    }

+    const decryptWithRoot = kmsService.decryptWithRootKey();
+
    // If encryptedSecret is set, we know that this secret has been encrypted using KMS, and we can therefore do server-side decryption.
    let decryptedSecretValue: Buffer | undefined;
    if (sharedSecret.encryptedSecret) {
--- a/backend/src/services/secret-sharing/secret-sharing-types.ts
+++ b/backend/src/services/secret-sharing/secret-sharing-types.ts
@@ -37,11 +37,8 @@ export type TGetActiveSharedSecretByIdDTO = {
  sharedSecretId: string;
  hashedHex?: string;
  orgId?: string;
+  actorId?: string;
  password?: string;
-
-  // For secrets shared with specific emails
-  email?: string;
-  hash?: string;
 };

 export type TValidateActiveSharedSecretDTO = TGetActiveSharedSecretByIdDTO & {
--- a/backend/src/services/secret-sync/aws-secrets-manager/aws-secrets-manager-sync-fns.ts
+++ b/backend/src/services/secret-sync/aws-secrets-manager/aws-secrets-manager-sync-fns.ts
@@ -57,7 +57,7 @@ const sleep = async () =>
    setTimeout(resolve, 1000);
  });

-const getSecretsRecord = async (client: SecretsManagerClient): Promise<TAwsSecretsRecord> => {
+const getSecretsRecord = async (client: SecretsManagerClient, keySchema?: string): Promise<TAwsSecretsRecord> => {
  const awsSecretsRecord: TAwsSecretsRecord = {};
  let hasNext = true;
  let nextToken: string | undefined;
@@ -72,7 +72,7 @@ const getSecretsRecord = async (client: SecretsManagerClient): Promise<TAwsSecre

      if (output.SecretList) {
        output.SecretList.forEach((secretEntry) => {
-          if (secretEntry.Name) {
+          if (secretEntry.Name && matchesSchema(secretEntry.Name, keySchema)) {
            awsSecretsRecord[secretEntry.Name] = secretEntry;
          }
        });
@@ -311,7 +311,7 @@ export const AwsSecretsManagerSyncFns = {

    const client = await getSecretsManagerClient(secretSync);

-    const awsSecretsRecord = await getSecretsRecord(client);
+    const awsSecretsRecord = await getSecretsRecord(client, syncOptions.keySchema);

    const awsValuesRecord = await getSecretValuesRecord(client, awsSecretsRecord);

@@ -468,14 +468,16 @@ export const AwsSecretsManagerSyncFns = {
  getSecrets: async (secretSync: TAwsSecretsManagerSyncWithCredentials): Promise<TSecretMap> => {
    const client = await getSecretsManagerClient(secretSync);

-    const awsSecretsRecord = await getSecretsRecord(client);
+    const awsSecretsRecord = await getSecretsRecord(client, secretSync.syncOptions.keySchema);
    const awsValuesRecord = await getSecretValuesRecord(client, awsSecretsRecord);

    const { destinationConfig } = secretSync;

    if (destinationConfig.mappingBehavior === AwsSecretsManagerSyncMappingBehavior.OneToOne) {
      return Object.fromEntries(
-        Object.keys(awsSecretsRecord).map((key) => [key, { value: awsValuesRecord[key].SecretString ?? "" }])
+        Object.keys(awsSecretsRecord)
+          .filter((key) => Object.hasOwn(awsValuesRecord, key))
+          .map((key) => [key, { value: awsValuesRecord[key]?.SecretString ?? "" }])
      );
    }

@@ -501,11 +503,11 @@ export const AwsSecretsManagerSyncFns = {
    }
  },
  removeSecrets: async (secretSync: TAwsSecretsManagerSyncWithCredentials, secretMap: TSecretMap) => {
-    const { destinationConfig } = secretSync;
+    const { destinationConfig, syncOptions } = secretSync;

    const client = await getSecretsManagerClient(secretSync);

-    const awsSecretsRecord = await getSecretsRecord(client);
+    const awsSecretsRecord = await getSecretsRecord(client, syncOptions.keySchema);

    if (destinationConfig.mappingBehavior === AwsSecretsManagerSyncMappingBehavior.OneToOne) {
      for await (const secretKey of Object.keys(awsSecretsRecord)) {
--- a/docs/documentation/platform/dynamic-secrets/kubernetes.mdx
+++ b/docs/documentation/platform/dynamic-secrets/kubernetes.mdx
@@ -0,0 +1,243 @@
+---
+title: "Kubernetes"
+description: "Learn how to dynamically generate Kubernetes service account tokens."
+---
+
+The Infisical Kubernetes dynamic secret allows you to generate short-lived service account tokens on demand.
+
+## Overview
+
+The Kubernetes dynamic secret feature enables you to generate short-lived service account tokens for your Kubernetes clusters. This is particularly useful for:
+
+- **Secure Access Management**: Instead of using long-lived service account tokens, you can generate short-lived tokens that automatically expire, reducing the risk of token exposure.
+- **Temporary Access**: Generate tokens with specific TTLs (Time To Live) for temporary access to your Kubernetes clusters.
+- **Audit Trail**: Each token generation is tracked, providing better visibility into who accessed your cluster and when.
+- **Integration with Private Clusters**: Seamlessly work with private Kubernetes clusters using Infisical's Gateway feature.
+
+<Note>
+  Kubernetes service account tokens cannot be revoked once issued. This is why
+  it's important to use short TTLs and carefully manage token generation. The
+  tokens will automatically expire after their TTL period.
+</Note>
+
+<Note>
+  Kubernetes service account tokens are JWTs (JSON Web Tokens) with a fixed
+  expiration time. Once a token is generated, its lifetime cannot be extended.
+  If you need longer access, you'll need to generate a new token.
+</Note>
+
+This feature is ideal for scenarios where you need to:
+
+- Provide temporary access to developers or CI/CD pipelines
+- Rotate service account tokens frequently
+- Maintain a secure audit trail of cluster access
+- Manage access to multiple Kubernetes clusters
+
+## Prerequisites
+
+- A Kubernetes cluster with a service account
+- Cluster access token with permissions to create service account tokens
+- (Optional) [Gateway](/documentation/platform/gateways/overview) for private cluster access
+
+## RBAC Configuration
+
+Before you can start generating dynamic service account tokens, you'll need to configure the appropriate permissions in your Kubernetes cluster. This involves setting up Role-Based Access Control (RBAC) to allow the creation and management of service account tokens.
+
+The RBAC configuration serves a crucial security purpose: it creates a dedicated service account with minimal permissions that can only create and manage service account tokens. This follows the principle of least privilege, ensuring that the token generation process is secure and controlled.
+
+The following RBAC configuration creates the necessary permissions for generating service account tokens:
+
+```yaml rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: tokenrequest
+rules:
+  - apiGroups: [""]
+    resources:
+      - "serviceaccounts/token"
+      - "serviceaccounts"
+    verbs:
+      - "create"
+      - "get"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: tokenrequest
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: tokenrequest
+subjects:
+  - kind: ServiceAccount
+    name: infisical-token-requester
+    namespace: default
+```
+
+```bash
+kubectl apply -f rbac.yaml
+```
+
+This configuration:
+
+1. Creates a `ClusterRole` named `tokenrequest` that allows:
+   - Creating and getting service account tokens
+   - Getting service account information
+2. Creates a `ClusterRoleBinding` that binds the role to a service account named `infisical-token-requester` in the `default` namespace
+
+You can customize the service account name and namespace according to your needs.
+
+## Obtaining the Cluster Token
+
+After setting up the RBAC configuration, you need to obtain a token for the service account that will be used to create dynamic secrets. Here's how to get the token:
+
+1. Create a service account in your Kubernetes cluster that will be used to create service account tokens:
+
+```yaml infisical-service-account.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: infisical-token-requester
+  namespace: default
+```
+
+```bash
+kubectl apply -f infisical-service-account.yaml
+```
+
+2. Create a long-lived service account token using this configuration file:
+
+```yaml service-account-token.yaml
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/service-account-token
+metadata:
+  name: infisical-token-requester-token
+  annotations:
+    kubernetes.io/service-account.name: "infisical-token-requester"
+```
+
+```bash
+kubectl apply -f service-account-token.yaml
+```
+
+3. Link the secret to the service account:
+
+```bash
+kubectl patch serviceaccount infisical-token-requester -p '{"secrets": [{"name": "infisical-token-requester-token"}]}' -n default
+```
+
+4. Retrieve the token:
+
+```bash
+kubectl get secret infisical-token-requester-token -n default -o=jsonpath='{.data.token}' | base64 --decode
+```
+
+This token will be used as the "Cluster Token" in the dynamic secret configuration.
+
+## Obtaining the Cluster URL
+
+The cluster URL is the address of your Kubernetes API server. The simplest way to find it is to use the `kubectl cluster-info` command:
+
+```bash
+kubectl cluster-info
+```
+
+This command works for all Kubernetes environments (managed services like GKE, EKS, AKS, or self-hosted clusters) and will show you the Kubernetes control plane address, which is your cluster URL.
+
+<Note>
+  Make sure the cluster URL is accessible from where you're running Infisical.
+  If you're using a private cluster, you'll need to configure a [Gateway](/documentation/platform/gateways/overview) to
+  access it.
+</Note>
+
+## Set up Dynamic Secrets with Kubernetes
+
+<Steps>
+  <Step title="Open Secret Overview Dashboard">
+    Open the Secret Overview dashboard and select the environment in which you would like to add a dynamic secret.
+  </Step>
+  <Step title="Click on the 'Add Dynamic Secret' button">
+    ![Add Dynamic Secret Button](/images/platform/dynamic-secrets/add-dynamic-secret-button.png)
+  </Step>
+  <Step title="Select Kubernetes">
+    ![Dynamic Secret Modal](/images/platform/dynamic-secrets/dynamic-secret-modal-kubernetes.png)
+  </Step>
+  <Step title="Provide the inputs for dynamic secret parameters">
+    <ParamField path="Secret Name" type="string" required>
+      Name by which you want the secret to be referenced
+    </ParamField>
+    <ParamField path="Default TTL" type="string" required>
+      Default time-to-live for a generated secret (it is possible to modify this value after a secret is generated)
+    </ParamField>
+    <ParamField path="Max TTL" type="string" required>
+      Maximum time-to-live for a generated secret
+    </ParamField>
+    <ParamField path="Gateway" type="string">
+      Select a gateway for private cluster access. If not specified, the Internet Gateway will be used.
+    </ParamField>
+    <ParamField path="Cluster URL" type="string" required>
+      Kubernetes API server URL (e.g., https://kubernetes.default.svc)
+    </ParamField>
+    <ParamField path="Enable SSL" type="boolean">
+      Whether to enable SSL verification for the Kubernetes API server connection.
+    </ParamField>
+    <ParamField path="CA" type="string">
+      Custom CA certificate for the Kubernetes API server. Leave blank to use the system/public CA.
+    </ParamField>
+    <ParamField path="Cluster Token" type="string" required>
+      Token with permissions to create service account tokens
+    </ParamField>
+    <ParamField path="Service Account Name" type="string" required>
+      Name of the service account to generate tokens for
+    </ParamField>
+    <ParamField path="Namespace" type="string" required>
+      Kubernetes namespace where the service account exists
+    </ParamField>
+    <ParamField path="Audiences" type="array">
+      Optional list of audiences to include in the generated token
+    </ParamField>
+
+    ![Dynamic Secret Setup Modal](../../../images/platform/dynamic-secrets/dynamic-secret-setup-modal-kubernetes.png)
+
+  </Step>
+  <Step title="Click 'Submit'">
+    After submitting the form, you will see a dynamic secret created in the dashboard.
+  </Step>
+  <Step title="Generate dynamic secrets">
+    Once you've successfully configured the dynamic secret, you're ready to generate on-demand service account tokens.
+    To do this, simply click on the 'Generate' button which appears when hovering over the dynamic secret item.
+    Alternatively, you can initiate the creation of a new lease by selecting 'New Lease' from the dynamic secret lease list section.
+
+    ![Dynamic Secret](/images/platform/dynamic-secrets/dynamic-secret-generate.png)
+    ![Dynamic Secret](/images/platform/dynamic-secrets/dynamic-secret-lease-empty.png)
+
+    When generating these secrets, it's important to specify a Time-to-Live (TTL) duration. This will dictate how long the credentials are valid for.
+
+    ![Provision Lease](/images/platform/dynamic-secrets/provision-lease.png)
+
+    <Tip>
+      Ensure that the TTL for the lease fall within the maximum TTL defined when configuring the dynamic secret.
+    </Tip>
+
+    Once you click the `Submit` button, a new secret lease will be generated and the service account token will be shown to you.
+
+    ![Provision Lease](/images/platform/dynamic-secrets/kubernetes-lease-value.png)
+
+  </Step>
+</Steps>
+
+## Audit or Revoke Leases
+
+Once you have created one or more leases, you will be able to access them by clicking on the respective dynamic secret item on the dashboard.
+This will allow you to see the lease details and delete the lease ahead of its expiration time.
+
+<Note>
+  While you can delete the lease from Infisical, the actual Kubernetes service
+  account token cannot be revoked. The token will remain valid until its TTL
+  expires. This is why it's crucial to use appropriate TTL values when
+  generating tokens.
+</Note>
+
+![Provision Lease](/images/platform/dynamic-secrets/lease-data.png)
--- a/docs/documentation/platform/secret-sharing.mdx
+++ b/docs/documentation/platform/secret-sharing.mdx
@@ -5,42 +5,53 @@ description: "Learn how to share time & view-count bound secrets securely with a
 ---

 Developers frequently need to share secrets with team members, contractors, or other third parties, which can be risky due to potential leaks or misuse.
-Infisical offers a secure solution for sharing secrets over the internet in a time and view count bound manner. It is possible to share secrets without signing up via [share.infisical.com](https://share.infisical.com) or via Infisical Dashboard (which has more advanced funcitonality).
+Infisical offers a secure solution for sharing secrets over the internet in a time and view-count bound manner. It is possible to share secrets without signing up via [share.infisical.com](https://share.infisical.com) or via Infisical Dashboard (which has more advanced functionality).

-With its zero-knowledge architecture, secrets shared via Infisical remain unreadable even to Infisical itself.
+## Sharing a Secret

-## Share a Secret
+<Steps>
+    <Step title="Navigate to the 'Secret Sharing' page and click 'Share Secret'">
+        ![Secret Sharing](../../images/platform/secret-sharing/overview.png)
+    </Step>
+    <Step title="Configure Secret Share">
+        ![Configure Secret](../../images/platform/secret-sharing/create-new-secret.png)

-1. Navigate to the **Organization** page.
-2. Click on the **Secret Sharing** tab from the sidebar.
+        - **Name (optional):** A friendly name for the shared secret.
+        - **Your Secret:** The secret content.
+        - **Password (optional):** A password which will be required when viewing the secret.

-![Secret Sharing](../../images/platform/secret-sharing/overview.png)
+        - **Limit access to people within organization:** Only lets people within your organization view the secret. Enabling this feature requires secret viewers to log into Infisical.
+        - **Expires In:** The time it'll take for the secret to expire.
+        - **Max Views:** How many times the secret can be viewed before it's destroyed.

-<Note>
-  Infisical does not have access to the shared secrets. This is a part of our
-  zero knowledge architecture.
-</Note>
+        - **Authorized Emails (optional):** Emails which are authorized to view this secret. Enabling this feature requires secret viewers to log into Infisical. Each email will receive the shared secret link in their inbox after creation.
+    </Step>
+    <Step title="Copy Link and Share Secret">
+        After creating the shared secret, its link will be displayed. Share this with the intended recipients.

-3. Click on the **Share Secret** button. Set the secret, its expiration time and specify if the secret can be viewed only once. It expires as soon as any of the conditions are met.
-Also, specify if the secret can be accessed by anyone or only people within your organization.
+        <Info>
+            If no organization or email restrictions are set, anyone with this link can view the secret before it expires.
+        </Info>

-   ![Add View-Bound Sharing Secret](../../images/platform/secret-sharing/create-new-secret.png)
+        ![Copy URL](../../images/platform/secret-sharing/copy-url.png)
+    </Step>
+    <Step title="Access Shared Secret">
+        Visiting the secret link will display its contents.

-<Note>
-  Secret once set cannot be changed. This is to ensure that the secret is not
-  tampered with.
-</Note>
+        ![Access Shared Secret](../../images/platform/secret-sharing/public-view.png)
+    </Step>
+</Steps>

-5. Copy the link and share it with the intended recipient. Anyone with the link can access the secret before its expiration condition. Hence, it is recommended to share the link only with the intended recipient.
+## Deleting a Shared Secret

-![Copy URL](../../images/platform/secret-sharing/copy-url.png)
+To delete a shared secret, click the **Trash Can** icon on the relevant shared secret row in the [**Secret Sharing**](https://app.infisical.com/organization/secret-sharing?selectedTab=share-secret) page.

-## Access a Shared Secret
+![Delete Secret](../../images/platform/secret-sharing/delete-secret.png)

-Just click on the link you received to access the secret. The secret will be displayed on the screen & for how long it is valid.
+## FAQ

-![Access Shared Secret](../../images/platform/secret-sharing/public-view.png)
-
-## Delete a Shared Secret
-
-In the **Secret Sharing** tab, click on the **Delete** button next to the secret you want to delete. This will delete the secret immediately & the link will no longer be accessible.
+<AccordionGroup>
+    <Accordion title="Can secrets be changed after they are shared?">
+        No, secrets cannot be changed after they've been created. This is to ensure that secrets are not tampered with.
+    </Accordion>
+</AccordionGroup>
--- a/docs/images/platform/dynamic-secrets/dynamic-secret-modal-kubernetes.png
+++ b/docs/images/platform/dynamic-secrets/dynamic-secret-modal-kubernetes.png
--- a/docs/images/platform/dynamic-secrets/dynamic-secret-setup-modal-kubernetes.png
+++ b/docs/images/platform/dynamic-secrets/dynamic-secret-setup-modal-kubernetes.png
--- a/docs/images/platform/dynamic-secrets/kubernetes-lease-value.png
+++ b/docs/images/platform/dynamic-secrets/kubernetes-lease-value.png
--- a/docs/images/platform/secret-sharing/copy-url.png
+++ b/docs/images/platform/secret-sharing/copy-url.png
--- a/docs/images/platform/secret-sharing/create-new-secret.png
+++ b/docs/images/platform/secret-sharing/create-new-secret.png
--- a/docs/images/platform/secret-sharing/delete-secret.png
+++ b/docs/images/platform/secret-sharing/delete-secret.png
--- a/docs/images/platform/secret-sharing/overview.png
+++ b/docs/images/platform/secret-sharing/overview.png
--- a/docs/images/platform/secret-sharing/public-view.png
+++ b/docs/images/platform/secret-sharing/public-view.png
--- a/docs/integrations/secret-syncs/overview.mdx
+++ b/docs/integrations/secret-syncs/overview.mdx
@@ -99,6 +99,8 @@ via the UI or API for the third-party service you intend to sync secrets to.

 Key Schemas transform your secret keys by applying a prefix, suffix, or format pattern during sync to external destinations. This makes it clear which secrets are managed by Infisical and prevents accidental changes to unrelated secrets.

+Any destination secrets which do not match the schema will not get deleted or updated by Infisical.
+
 **Example:**
 - Infisical key: `SECRET_1`
 - Schema: `INFISICAL_{{secretKey}}`
--- a/docs/internals/bug-bounty.mdx
+++ b/docs/internals/bug-bounty.mdx
@@ -10,9 +10,7 @@ We value reports that help identify vulnerabilities that affect the integrity of
 ### How to Report

 - Send reports to **security@infisical.com** with clear steps to reproduce, impact, and (if possible) a proof-of-concept.
- We will acknowledge receipt within 3 business days for reports that are clearly written, technically sound, and plausibly within scope.
- We'll provide an initial assessment or next steps within 5 business days.
- **Please note**: We do not respond to spam, auto generated reports, inaccurate claims, or submissions that are clearly out of scope.
+- You will receive follow ups from our team if we deam your report to be a legitimate vulnerability or need further clarification. We do not respond to spam, auto generated reports, inaccurate claims, or submissions that are clearly out of scope.


 ### What's in Scope?
--- a/docs/mint.json
+++ b/docs/mint.json
@@ -217,7 +217,8 @@
            "documentation/platform/dynamic-secrets/sap-ase",
            "documentation/platform/dynamic-secrets/sap-hana",
            "documentation/platform/dynamic-secrets/snowflake",
-            "documentation/platform/dynamic-secrets/totp"
+            "documentation/platform/dynamic-secrets/totp",
+            "documentation/platform/dynamic-secrets/kubernetes"
          ]
        },
        {
--- a/docs/sdks/languages/csharp.mdx
+++ b/docs/sdks/languages/csharp.mdx
@@ -4,10 +4,10 @@ sidebarTitle: ".NET"
 icon: "bars"
 ---

-If you're working with C#, the official [Infisical C# SDK](https://github.com/Infisical/sdk/tree/main/languages/csharp) package is the easiest way to fetch and work with secrets for your application.
+If you're working with C#, the official [Infisical C# SDK](https://github.com/Infisical/infisical-dotnet-configuration) package is the easiest way to fetch and work with secrets for your application.

 - [Nuget Package](https://www.nuget.org/packages/Infisical.Sdk)
- [Github Repository](https://github.com/Infisical/sdk/tree/main/languages/csharp)
+- [Github Repository](https://github.com/Infisical/infisical-dotnet-configuration)

 <Warning>
  **Deprecation Notice**
--- a/frontend/src/components/secret-syncs/forms/SecretSyncOptionsFields/SecretSyncOptionsFields.tsx
+++ b/frontend/src/components/secret-syncs/forms/SecretSyncOptionsFields/SecretSyncOptionsFields.tsx
@@ -146,11 +146,15 @@ export const SecretSyncOptionsFields = ({ hideInitialSync }: Props) => {
                      href="https://infisical.com/docs/integrations/secret-syncs/overview#key-schemas"
                      target="_blank"
                      rel="noopener noreferrer"
+                      className="underline"
                    >
                      Key Schema
                    </a>{" "}
                    to ensure that Infisical only manages the specific keys you intend, keeping
                    everything else untouched.
+                    <br />
+                    <br />
+                    Destination secrets that do not match the schema will not be deleted or updated.
                  </span>
                }
              >
--- a/frontend/src/hooks/api/dynamicSecret/types.ts
+++ b/frontend/src/hooks/api/dynamicSecret/types.ts
@@ -31,7 +31,8 @@ export enum DynamicSecretProviders {
  SapHana = "sap-hana",
  Snowflake = "snowflake",
  Totp = "totp",
-  SapAse = "sap-ase"
+  SapAse = "sap-ase",
+  Kubernetes = "kubernetes"
 }

 export enum SqlProviders {
@@ -261,6 +262,20 @@ export type TDynamicSecretProvider =
            algorithm?: string;
            digits?: number;
          };
+    }
+  | {
+      type: DynamicSecretProviders.Kubernetes;
+      inputs: {
+        url: string;
+        clusterToken: string;
+        ca?: string;
+        serviceAccountName: string;
+        credentialType: "dynamic" | "static";
+        namespace: string;
+        gatewayId?: string;
+        sslEnabled: boolean;
+        audiences: string[];
+      };
    };

 export type TCreateDynamicSecretDTO = {
--- a/frontend/src/hooks/api/secretSharing/queries.ts
+++ b/frontend/src/hooks/api/secretSharing/queries.ts
@@ -11,13 +11,10 @@ export const secretSharingKeys = {
  allSecretRequests: () => ["secretRequests"] as const,
  specificSecretRequests: ({ offset, limit }: { offset: number; limit: number }) =>
    [...secretSharingKeys.allSecretRequests(), { offset, limit }] as const,
-  getSecretById: (arg: {
-    id: string;
-    hashedHex: string | null;
-    password?: string;
-    email?: string;
-    hash?: string;
-  }) => ["shared-secret", arg],
+  getSecretById: (arg: { id: string; hashedHex: string | null; password?: string }) => [
+    "shared-secret",
+    arg
+  ],
  getSecretRequestById: (arg: { id: string }) => ["secret-request", arg] as const
 };

@@ -73,34 +70,24 @@ export const useGetSecretRequests = ({
 export const useGetActiveSharedSecretById = ({
  sharedSecretId,
  hashedHex,
-  password,
-  email,
-  hash
+  password
 }: {
  sharedSecretId: string;
  hashedHex: string | null;
  password?: string;
-
-  // For secrets shared to specific emails (optional)
-  email?: string;
-  hash?: string;
 }) => {
  return useQuery({
    queryKey: secretSharingKeys.getSecretById({
      id: sharedSecretId,
      hashedHex,
-      password,
-      email,
-      hash
+      password
    }),
    queryFn: async () => {
      const { data } = await apiRequest.post<TViewSharedSecretResponse>(
        `/api/v1/secret-sharing/shared/public/${sharedSecretId}`,
        {
          ...(hashedHex && { hashedHex }),
-          password,
-          email,
-          hash
+          password
        }
      );

--- a/frontend/src/pages/organization/AccessManagementPage/components/UpgradePrivilegeSystemModal/UpgradePrivilegeSystemModal.tsx
+++ b/frontend/src/pages/organization/AccessManagementPage/components/UpgradePrivilegeSystemModal/UpgradePrivilegeSystemModal.tsx
@@ -4,7 +4,7 @@ import { zodResolver } from "@hookform/resolvers/zod";
 import { z } from "zod";

 import { createNotification } from "@app/components/notifications";
-import { Button, Checkbox, Modal, ModalContent } from "@app/components/v2";
+import { Button, Checkbox, Modal, ModalContent, Tooltip } from "@app/components/v2";
 import { useOrgPermission } from "@app/context";
 import { useUpgradePrivilegeSystem } from "@app/hooks/api";

@@ -262,7 +262,6 @@ export const UpgradePrivilegeSystemModal = ({ isOpen, onOpenChange }: Props) =>
                </div>
              </div>
            </div>
-
            <form onSubmit={handleSubmit(handlePrivilegeSystemUpgrade)}>
              <div className="mt-6 flex items-center justify-end gap-4">
                <button
@@ -272,17 +271,27 @@ export const UpgradePrivilegeSystemModal = ({ isOpen, onOpenChange }: Props) =>
                >
                  Cancel
                </button>
-                <Button
-                  type="submit"
-                  variant="solid"
-                  colorSchema="primary"
-                  size="md"
-                  className="w-[120px] bg-primary hover:bg-primary-600"
-                  isDisabled={!isAllChecksCompleted || !isAdmin}
-                  isLoading={isSubmitting}
+                <Tooltip
+                  content={
+                    !isAdmin
+                      ? `You cannot perform this upgrade because you are not an organization admin. (Your current role: ${membership?.role ?? "Unknown"})`
+                      : undefined
+                  }
                >
-                  Upgrade
-                </Button>
+                  <div>
+                    <Button
+                      type="submit"
+                      variant="solid"
+                      colorSchema="primary"
+                      size="md"
+                      className="w-[120px] bg-primary hover:bg-primary-600"
+                      isDisabled={!isAllChecksCompleted || !isAdmin}
+                      isLoading={isSubmitting}
+                    >
+                      Upgrade
+                    </Button>
+                  </div>
+                </Tooltip>
              </div>
            </form>
          </div>
--- a/frontend/src/pages/public/ViewSharedSecretByIDPage/ViewSharedSecretByIDPage.tsx
+++ b/frontend/src/pages/public/ViewSharedSecretByIDPage/ViewSharedSecretByIDPage.tsx
@@ -38,14 +38,6 @@ export const ViewSharedSecretByIDPage = () => {
    from: ROUTE_PATHS.Public.ViewSharedSecretByIDPage.id,
    select: (el) => el.key
  });
-  const email = useSearch({
-    from: ROUTE_PATHS.Public.ViewSharedSecretByIDPage.id,
-    select: (el) => el.email
-  });
-  const hash = useSearch({
-    from: ROUTE_PATHS.Public.ViewSharedSecretByIDPage.id,
-    select: (el) => el.hash
-  });
  const [password, setPassword] = useState<string>();
  const { hashedHex, key } = extractDetailsFromUrl(urlEncodedKey);

@@ -57,9 +49,7 @@ export const ViewSharedSecretByIDPage = () => {
  } = useGetActiveSharedSecretById({
    sharedSecretId: id,
    hashedHex,
-    password,
-    email,
-    hash
+    password
  });

  const navigate = useNavigate();
@@ -94,6 +84,8 @@ export const ViewSharedSecretByIDPage = () => {
      navigate({
        to: "/login"
      });
+
+      return;
    }

    if (error) {
--- a/frontend/src/pages/public/ViewSharedSecretByIDPage/route.tsx
+++ b/frontend/src/pages/public/ViewSharedSecretByIDPage/route.tsx
@@ -7,9 +7,7 @@ import { authKeys, fetchAuthToken } from "@app/hooks/api/auth/queries";
 import { ViewSharedSecretByIDPage } from "./ViewSharedSecretByIDPage";

 const SharedSecretByIDPageQuerySchema = z.object({
-  key: z.string().catch(""),
-  email: z.string().optional(),
-  hash: z.string().optional()
+  key: z.string().catch("")
 });

 export const Route = createFileRoute("/shared/secret/$secretId")({
--- a/frontend/src/pages/secret-manager/SecretDashboardPage/components/ActionBar/CreateDynamicSecretForm/CreateDynamicSecretForm.tsx
+++ b/frontend/src/pages/secret-manager/SecretDashboardPage/components/ActionBar/CreateDynamicSecretForm/CreateDynamicSecretForm.tsx
@@ -4,6 +4,7 @@ import {
  SiApachecassandra,
  SiElasticsearch,
  SiFiles,
+  SiKubernetes,
  SiMongodb,
  SiRabbitmq,
  SiSap,
@@ -24,6 +25,7 @@ import { AwsIamInputForm } from "./AwsIamInputForm";
 import { AzureEntraIdInputForm } from "./AzureEntraIdInputForm";
 import { CassandraInputForm } from "./CassandraInputForm";
 import { ElasticSearchInputForm } from "./ElasticSearchInputForm";
+import { KubernetesInputForm } from "./KubernetesInputForm";
 import { LdapInputForm } from "./LdapInputForm";
 import { MongoAtlasInputForm } from "./MongoAtlasInputForm";
 import { MongoDBDatabaseInputForm } from "./MongoDBInputForm";
@@ -124,6 +126,11 @@ const DYNAMIC_SECRET_LIST = [
    icon: <FontAwesomeIcon icon={faClock} size="lg" />,
    provider: DynamicSecretProviders.Totp,
    title: "TOTP"
+  },
+  {
+    icon: <SiKubernetes size="1.5rem" />,
+    provider: DynamicSecretProviders.Kubernetes,
+    title: "Kubernetes"
  }
 ];

@@ -472,6 +479,25 @@ export const CreateDynamicSecretForm = ({
                />
              </motion.div>
            )}
+          {wizardStep === WizardSteps.ProviderInputs &&
+            selectedProvider === DynamicSecretProviders.Kubernetes && (
+              <motion.div
+                key="dynamic-kubernetes-step"
+                transition={{ duration: 0.1 }}
+                initial={{ opacity: 0, translateX: 30 }}
+                animate={{ opacity: 1, translateX: 0 }}
+                exit={{ opacity: 0, translateX: -30 }}
+              >
+                <KubernetesInputForm
+                  onCompleted={handleFormReset}
+                  onCancel={handleFormReset}
+                  projectSlug={projectSlug}
+                  secretPath={secretPath}
+                  environments={environments}
+                  isSingleEnvironmentMode={isSingleEnvironmentMode}
+                />
+              </motion.div>
+            )}
        </AnimatePresence>
      </ModalContent>
    </Modal>
--- a/frontend/src/pages/secret-manager/SecretDashboardPage/components/ActionBar/CreateDynamicSecretForm/KubernetesInputForm.tsx
+++ b/frontend/src/pages/secret-manager/SecretDashboardPage/components/ActionBar/CreateDynamicSecretForm/KubernetesInputForm.tsx
@@ -0,0 +1,492 @@
+import { Controller, FieldValues, useFieldArray, useForm } from "react-hook-form";
+import {
+  faArrowUpRightFromSquare,
+  faBookOpen,
+  faQuestionCircle,
+  faTrash
+} from "@fortawesome/free-solid-svg-icons";
+import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
+import { zodResolver } from "@hookform/resolvers/zod";
+import { useQuery } from "@tanstack/react-query";
+import ms from "ms";
+import { z } from "zod";
+
+import { TtlFormLabel } from "@app/components/features";
+import { createNotification } from "@app/components/notifications";
+import { OrgPermissionCan } from "@app/components/permissions";
+import {
+  Button,
+  FilterableSelect,
+  FormControl,
+  IconButton,
+  Input,
+  Select,
+  SelectItem,
+  Switch,
+  TextArea,
+  Tooltip
+} from "@app/components/v2";
+import { OrgPermissionSubjects } from "@app/context/OrgPermissionContext";
+import { OrgGatewayPermissionActions } from "@app/context/OrgPermissionContext/types";
+import { gatewaysQueryKeys, useCreateDynamicSecret } from "@app/hooks/api";
+import { DynamicSecretProviders } from "@app/hooks/api/dynamicSecret/types";
+import { WorkspaceEnv } from "@app/hooks/api/types";
+
+enum CredentialType {
+  Dynamic = "dynamic",
+  Static = "static"
+}
+
+const credentialTypes = [
+  {
+    label: "Static",
+    value: CredentialType.Static
+  }
+] as const;
+
+const formSchema = z.object({
+  provider: z.object({
+    url: z.string().url().trim().min(1),
+    clusterToken: z.string().trim().min(1),
+    ca: z.string().optional(),
+    sslEnabled: z.boolean().default(false),
+    credentialType: z.literal(CredentialType.Static),
+    serviceAccountName: z.string().trim().min(1),
+    namespace: z.string().trim().min(1),
+    gatewayId: z.string().optional(),
+    audiences: z.array(z.string().trim().min(1))
+  }),
+  defaultTTL: z.string().superRefine((val, ctx) => {
+    const valMs = ms(val);
+    if (valMs < 60 * 1000)
+      ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be a greater than 1min" });
+    if (valMs > 24 * 60 * 60 * 1000)
+      ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be less than a day" });
+  }),
+  maxTTL: z
+    .string()
+    .optional()
+    .superRefine((val, ctx) => {
+      if (!val) return;
+      const valMs = ms(val);
+      if (valMs < 60 * 1000)
+        ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be a greater than 1min" });
+      if (valMs > 24 * 60 * 60 * 1000)
+        ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be less than a day" });
+    }),
+  name: z.string().refine((val) => val.toLowerCase() === val, "Must be lowercase"),
+  environment: z.object({ name: z.string(), slug: z.string() })
+});
+
+type TForm = z.infer<typeof formSchema> & FieldValues;
+
+type Props = {
+  onCompleted: () => void;
+  onCancel: () => void;
+  secretPath: string;
+  projectSlug: string;
+  environments: WorkspaceEnv[];
+  isSingleEnvironmentMode?: boolean;
+};
+
+export const KubernetesInputForm = ({
+  onCompleted,
+  onCancel,
+  secretPath,
+  projectSlug,
+  environments,
+  isSingleEnvironmentMode
+}: Props) => {
+  const {
+    control,
+    formState: { isSubmitting },
+    handleSubmit,
+    watch
+  } = useForm<TForm>({
+    resolver: zodResolver(formSchema),
+    defaultValues: {
+      provider: {
+        url: "",
+        clusterToken: "",
+        ca: "",
+        sslEnabled: false,
+        serviceAccountName: "",
+        namespace: "",
+        credentialType: CredentialType.Static,
+        gatewayId: undefined,
+        audiences: []
+      },
+      environment: isSingleEnvironmentMode ? environments[0] : undefined
+    }
+  });
+
+  const { fields, append, remove } = useFieldArray({
+    control,
+    name: "provider.audiences"
+  });
+
+  const createDynamicSecret = useCreateDynamicSecret();
+  const { data: gateways, isPending: isGatewaysLoading } = useQuery(gatewaysQueryKeys.list());
+
+  const sslEnabled = watch("provider.sslEnabled");
+
+  const handleCreateDynamicSecret = async (formData: TForm) => {
+    const { provider, ...rest } = formData;
+    // wait till previous request is finished
+    if (createDynamicSecret.isPending) return;
+    try {
+      await createDynamicSecret.mutateAsync({
+        provider: { type: DynamicSecretProviders.Kubernetes, inputs: provider },
+        maxTTL: rest.maxTTL,
+        name: rest.name,
+        path: secretPath,
+        defaultTTL: rest.defaultTTL,
+        projectSlug,
+        environmentSlug: rest.environment.slug
+      });
+
+      onCompleted();
+    } catch {
+      createNotification({
+        type: "error",
+        text: "Failed to create dynamic secret"
+      });
+    }
+  };
+
+  return (
+    <form onSubmit={handleSubmit(handleCreateDynamicSecret)} autoComplete="off">
+      <div>
+        <div className="flex items-center space-x-2">
+          <div className="flex-grow">
+            <Controller
+              control={control}
+              defaultValue=""
+              name="name"
+              render={({ field, fieldState: { error } }) => (
+                <FormControl
+                  label="Secret Name"
+                  isError={Boolean(error)}
+                  errorText={error?.message}
+                >
+                  <Input {...field} placeholder="dynamic-secret" />
+                </FormControl>
+              )}
+            />
+          </div>
+          <div className="w-32">
+            <Controller
+              control={control}
+              name="defaultTTL"
+              defaultValue="1h"
+              render={({ field, fieldState: { error } }) => (
+                <FormControl
+                  label={<TtlFormLabel label="Default TTL" />}
+                  isError={Boolean(error?.message)}
+                  errorText={error?.message}
+                >
+                  <Input {...field} />
+                </FormControl>
+              )}
+            />
+          </div>
+          <div className="w-32">
+            <Controller
+              control={control}
+              name="maxTTL"
+              defaultValue="24h"
+              render={({ field, fieldState: { error } }) => (
+                <FormControl
+                  label={<TtlFormLabel label="Max TTL" />}
+                  isError={Boolean(error?.message)}
+                  errorText={error?.message}
+                >
+                  <Input {...field} />
+                </FormControl>
+              )}
+            />
+          </div>
+        </div>
+        <div>
+          <div className="mb-4 mt-4 border-b border-mineshaft-500 pb-2 pl-1 font-medium text-mineshaft-200">
+            Configuration
+            <a
+              href="https://infisical.com/docs/documentation/platform/dynamic-secrets/kubernetes"
+              target="_blank"
+              rel="noopener noreferrer"
+            >
+              <div className="mb-1 ml-2 inline-block cursor-default rounded-md bg-yellow/20 px-1.5 pb-[0.03rem] pt-[0.04rem] text-sm text-yellow opacity-80 hover:opacity-100">
+                <FontAwesomeIcon icon={faBookOpen} className="mr-1.5" />
+                Docs
+                <FontAwesomeIcon
+                  icon={faArrowUpRightFromSquare}
+                  className="mb-[0.07rem] ml-1.5 text-xxs"
+                />
+              </div>
+            </a>
+          </div>
+          <div className="flex flex-col">
+            <div className="flex items-center space-x-2">
+              <div className="flex-grow">
+                <div>
+                  <OrgPermissionCan
+                    I={OrgGatewayPermissionActions.AttachGateways}
+                    a={OrgPermissionSubjects.Gateway}
+                  >
+                    {(isAllowed) => (
+                      <Controller
+                        control={control}
+                        name="provider.gatewayId"
+                        defaultValue=""
+                        render={({ field: { value, onChange }, fieldState: { error } }) => (
+                          <FormControl
+                            isError={Boolean(error?.message)}
+                            errorText={error?.message}
+                            label="Gateway"
+                          >
+                            <Tooltip
+                              isDisabled={isAllowed}
+                              content="Restricted access. You don't have permission to attach gateways to resources."
+                            >
+                              <div>
+                                <Select
+                                  isDisabled={!isAllowed}
+                                  value={value}
+                                  onValueChange={onChange}
+                                  className="w-full border border-mineshaft-500"
+                                  dropdownContainerClassName="max-w-none"
+                                  isLoading={isGatewaysLoading}
+                                  placeholder="Default: Internet Gateway"
+                                  position="popper"
+                                >
+                                  <SelectItem
+                                    value={null as unknown as string}
+                                    onClick={() => onChange(undefined)}
+                                  >
+                                    Internet Gateway
+                                  </SelectItem>
+                                  {gateways?.map((el) => (
+                                    <SelectItem value={el.id} key={el.id}>
+                                      {el.name}
+                                    </SelectItem>
+                                  ))}
+                                </Select>
+                              </div>
+                            </Tooltip>
+                          </FormControl>
+                        )}
+                      />
+                    )}
+                  </OrgPermissionCan>
+                </div>
+                <Controller
+                  control={control}
+                  name="provider.url"
+                  render={({ field, fieldState: { error } }) => (
+                    <FormControl
+                      label="Cluster URL"
+                      isError={Boolean(error?.message)}
+                      errorText={error?.message}
+                    >
+                      <Input {...field} />
+                    </FormControl>
+                  )}
+                />
+
+                <div className="mb-2 flex items-center">
+                  <span className="mr-3 flex items-center text-sm text-mineshaft-400">
+                    Enable SSL
+                    <Tooltip
+                      className="ml-1 max-w-md"
+                      content={
+                        <span>
+                          If enabled, you can optionally provide a custom CA certificate. Leave
+                          blank to use the system/public CA.
+                        </span>
+                      }
+                    >
+                      <FontAwesomeIcon icon={faQuestionCircle} size="sm" className="ml-1" />
+                    </Tooltip>
+                  </span>
+                  <Controller
+                    name="provider.sslEnabled"
+                    control={control}
+                    render={({ field: { value, onChange } }) => (
+                      <Switch
+                        className="bg-mineshaft-400/50 shadow-inner data-[state=checked]:bg-green/80"
+                        id="ssl-enabled"
+                        thumbClassName="bg-mineshaft-800"
+                        isChecked={value}
+                        onCheckedChange={onChange}
+                        aria-label="Enable SSL"
+                      />
+                    )}
+                  />
+                </div>
+
+                <Controller
+                  control={control}
+                  name="provider.ca"
+                  render={({ field, fieldState: { error } }) => (
+                    <FormControl
+                      label="CA"
+                      isError={Boolean(error?.message)}
+                      errorText={error?.message}
+                      className={sslEnabled ? "" : "opacity-50"}
+                    >
+                      <TextArea
+                        {...field}
+                        placeholder="-----BEGIN CERTIFICATE----- ..."
+                        isDisabled={!sslEnabled}
+                      />
+                    </FormControl>
+                  )}
+                />
+
+                <Controller
+                  control={control}
+                  name="provider.clusterToken"
+                  render={({ field, fieldState: { error } }) => (
+                    <FormControl
+                      label="Cluster Token"
+                      isError={Boolean(error?.message)}
+                      errorText={error?.message}
+                    >
+                      <Input {...field} type="password" autoComplete="new-password" />
+                    </FormControl>
+                  )}
+                />
+                <Controller
+                  control={control}
+                  name="provider.credentialType"
+                  render={({ field, fieldState: { error } }) => (
+                    <FormControl
+                      label="Credential Type"
+                      isError={Boolean(error?.message)}
+                      errorText={error?.message}
+                      className="w-full"
+                    >
+                      <Select
+                        defaultValue={field.value}
+                        {...field}
+                        className="w-full"
+                        onValueChange={(e) => field.onChange(e)}
+                      >
+                        {credentialTypes.map((credentialType) => (
+                          <SelectItem
+                            value={credentialType.value}
+                            key={`credential-type-${credentialType.value}`}
+                          >
+                            {credentialType.label}
+                          </SelectItem>
+                        ))}
+                      </Select>
+                    </FormControl>
+                  )}
+                />
+                <div className="flex items-center space-x-2">
+                  <div className="flex-1">
+                    <Controller
+                      control={control}
+                      name="provider.serviceAccountName"
+                      render={({ field, fieldState: { error } }) => (
+                        <FormControl
+                          label="Service Account Name"
+                          isError={Boolean(error?.message)}
+                          errorText={error?.message}
+                        >
+                          <Input {...field} autoComplete="new-password" />
+                        </FormControl>
+                      )}
+                    />
+                  </div>
+                  <div className="flex-1">
+                    <Controller
+                      control={control}
+                      name="provider.namespace"
+                      render={({ field, fieldState: { error } }) => (
+                        <FormControl
+                          label="Namespace"
+                          isError={Boolean(error?.message)}
+                          errorText={error?.message}
+                        >
+                          <Input {...field} />
+                        </FormControl>
+                      )}
+                    />
+                  </div>
+                </div>
+                <div className="mt-2 w-1/2">
+                  <Controller
+                    control={control}
+                    name="provider.audiences"
+                    render={({ fieldState: { error } }) => (
+                      <FormControl
+                        label="Audiences"
+                        isError={Boolean(error?.message)}
+                        errorText={error?.message}
+                      >
+                        <div className="space-y-2">
+                          {fields.map((field, index) => (
+                            <div key={field.id} className="flex items-center space-x-2">
+                              <Input
+                                {...control.register(`provider.audiences.${index}`)}
+                                placeholder="Enter audience"
+                                className="flex-grow"
+                              />
+                              <IconButton
+                                onClick={() => remove(index)}
+                                variant="outline_bg"
+                                ariaLabel="Remove audience"
+                              >
+                                <FontAwesomeIcon icon={faTrash} />
+                              </IconButton>
+                            </div>
+                          ))}
+                          <Button variant="outline_bg" onClick={() => append("")} type="button">
+                            Add Audience
+                          </Button>
+                        </div>
+                      </FormControl>
+                    )}
+                  />
+                </div>
+                {!isSingleEnvironmentMode && (
+                  <Controller
+                    control={control}
+                    name="environment"
+                    render={({ field: { value, onChange }, fieldState: { error } }) => (
+                      <FormControl
+                        label="Environment"
+                        isError={Boolean(error)}
+                        errorText={error?.message}
+                      >
+                        <FilterableSelect
+                          options={environments}
+                          value={value}
+                          onChange={onChange}
+                          placeholder="Select the environment to create secret in..."
+                          getOptionLabel={(option) => option.name}
+                          getOptionValue={(option) => option.slug}
+                          menuPlacement="top"
+                        />
+                      </FormControl>
+                    )}
+                  />
+                )}
+              </div>
+            </div>
+          </div>
+        </div>
+      </div>
+      <div className="mt-4 flex items-center space-x-4">
+        <Button type="submit" isLoading={isSubmitting}>
+          Submit
+        </Button>
+        <Button variant="outline_bg" onClick={onCancel}>
+          Cancel
+        </Button>
+      </div>
+    </form>
+  );
+};
--- a/frontend/src/pages/secret-manager/SecretDashboardPage/components/DynamicSecretListView/CreateDynamicSecretLease.tsx
+++ b/frontend/src/pages/secret-manager/SecretDashboardPage/components/DynamicSecretListView/CreateDynamicSecretLease.tsx
@@ -320,6 +320,20 @@ const renderOutputForm = (
    );
  }

+  if (provider === DynamicSecretProviders.Kubernetes) {
+    const { TOKEN } = data as { TOKEN: string };
+
+    return (
+      <div>
+        <OutputDisplay
+          label="Service Account JWT"
+          value={TOKEN}
+          helperText="Important: Copy these credentials now. You will not be able to see them again after you close the modal."
+        />
+      </div>
+    );
+  }
+
  if (provider === DynamicSecretProviders.Totp) {
    const { TOTP, TIME_REMAINING } = data as {
      TOTP: string;
--- a/frontend/src/pages/secret-manager/SecretDashboardPage/components/DynamicSecretListView/EditDynamicSecretForm/EditDynamicSecretForm.tsx
+++ b/frontend/src/pages/secret-manager/SecretDashboardPage/components/DynamicSecretListView/EditDynamicSecretForm/EditDynamicSecretForm.tsx
@@ -9,6 +9,7 @@ import { EditDynamicSecretAwsIamForm } from "./EditDynamicSecretAwsIamForm";
 import { EditDynamicSecretAzureEntraIdForm } from "./EditDynamicSecretAzureEntraIdForm";
 import { EditDynamicSecretCassandraForm } from "./EditDynamicSecretCassandraForm";
 import { EditDynamicSecretElasticSearchForm } from "./EditDynamicSecretElasticSearchForm";
+import { EditDynamicSecretKubernetesForm } from "./EditDynamicSecretKubernetesForm";
 import { EditDynamicSecretLdapForm } from "./EditDynamicSecretLdapForm";
 import { EditDynamicSecretMongoAtlasForm } from "./EditDynamicSecretMongoAtlasForm";
 import { EditDynamicSecretMongoDBForm } from "./EditDynamicSecretMongoDBForm";
@@ -312,6 +313,23 @@ export const EditDynamicSecretForm = ({
          />
        </motion.div>
      )}
+      {dynamicSecretDetails?.type === DynamicSecretProviders.Kubernetes && (
+        <motion.div
+          key="kubernetes-edit"
+          transition={{ duration: 0.1 }}
+          initial={{ opacity: 0, translateX: 30 }}
+          animate={{ opacity: 1, translateX: 0 }}
+          exit={{ opacity: 0, translateX: -30 }}
+        >
+          <EditDynamicSecretKubernetesForm
+            onClose={onClose}
+            projectSlug={projectSlug}
+            secretPath={secretPath}
+            dynamicSecret={dynamicSecretDetails}
+            environment={environment}
+          />
+        </motion.div>
+      )}
    </AnimatePresence>
  );
 };
--- a/frontend/src/pages/secret-manager/SecretDashboardPage/components/DynamicSecretListView/EditDynamicSecretForm/EditDynamicSecretKubernetesForm.tsx
+++ b/frontend/src/pages/secret-manager/SecretDashboardPage/components/DynamicSecretListView/EditDynamicSecretForm/EditDynamicSecretKubernetesForm.tsx
@@ -0,0 +1,463 @@
+import { Controller, FieldValues, useFieldArray, useForm } from "react-hook-form";
+import {
+  faArrowUpRightFromSquare,
+  faBookOpen,
+  faQuestionCircle,
+  faTrash
+} from "@fortawesome/free-solid-svg-icons";
+import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
+import { zodResolver } from "@hookform/resolvers/zod";
+import { useQuery } from "@tanstack/react-query";
+import ms from "ms";
+import { z } from "zod";
+
+import { TtlFormLabel } from "@app/components/features";
+import { createNotification } from "@app/components/notifications";
+import { OrgPermissionCan } from "@app/components/permissions";
+import {
+  Button,
+  FormControl,
+  IconButton,
+  Input,
+  Select,
+  SelectItem,
+  Switch,
+  TextArea,
+  Tooltip
+} from "@app/components/v2";
+import { OrgPermissionSubjects } from "@app/context/OrgPermissionContext";
+import { OrgGatewayPermissionActions } from "@app/context/OrgPermissionContext/types";
+import { gatewaysQueryKeys, useUpdateDynamicSecret } from "@app/hooks/api";
+import { TDynamicSecret } from "@app/hooks/api/dynamicSecret/types";
+
+enum CredentialType {
+  Dynamic = "dynamic",
+  Static = "static"
+}
+
+const credentialTypes = [
+  {
+    label: "Static",
+    value: CredentialType.Static
+  }
+] as const;
+
+const formSchema = z.object({
+  inputs: z.object({
+    url: z.string().url().trim().min(1),
+    clusterToken: z.string().trim().min(1),
+    ca: z.string().optional(),
+    sslEnabled: z.boolean().default(false),
+    credentialType: z.literal(CredentialType.Static),
+    serviceAccountName: z.string().trim().min(1),
+    namespace: z.string().trim().min(1),
+    gatewayId: z.string().optional(),
+    audiences: z.array(z.string().trim().min(1))
+  }),
+  defaultTTL: z.string().superRefine((val, ctx) => {
+    const valMs = ms(val);
+    if (valMs < 60 * 1000)
+      ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be a greater than 1min" });
+    if (valMs > 24 * 60 * 60 * 1000)
+      ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be less than a day" });
+  }),
+  maxTTL: z
+    .string()
+    .optional()
+    .superRefine((val, ctx) => {
+      if (!val) return;
+      const valMs = ms(val);
+      if (valMs < 60 * 1000)
+        ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be a greater than 1min" });
+      if (valMs > 24 * 60 * 60 * 1000)
+        ctx.addIssue({ code: z.ZodIssueCode.custom, message: "TTL must be less than a day" });
+    }),
+  newName: z.string().refine((val) => val.toLowerCase() === val, "Must be lowercase")
+});
+
+type TForm = z.infer<typeof formSchema> & FieldValues;
+
+type Props = {
+  onClose: () => void;
+  dynamicSecret: TDynamicSecret & { inputs: unknown };
+  secretPath: string;
+  projectSlug: string;
+  environment: string;
+};
+
+export const EditDynamicSecretKubernetesForm = ({
+  onClose,
+  dynamicSecret,
+  environment,
+  secretPath,
+  projectSlug
+}: Props) => {
+  const {
+    control,
+    formState: { isSubmitting },
+    handleSubmit,
+    watch
+  } = useForm<TForm>({
+    resolver: zodResolver(formSchema),
+    values: {
+      newName: dynamicSecret.name,
+      defaultTTL: dynamicSecret.defaultTTL,
+      maxTTL: dynamicSecret.maxTTL,
+      inputs: dynamicSecret.inputs as TForm["inputs"]
+    }
+  });
+
+  const { fields, append, remove } = useFieldArray({
+    control,
+    name: "inputs.audiences" as const
+  });
+
+  const updateDynamicSecret = useUpdateDynamicSecret();
+  const { data: gateways, isPending: isGatewaysLoading } = useQuery(gatewaysQueryKeys.list());
+
+  const sslEnabled = watch("inputs.sslEnabled");
+
+  const handleUpdateDynamicSecret = async (formData: TForm) => {
+    // wait till previous request is finished
+    if (updateDynamicSecret.isPending) return;
+    try {
+      await updateDynamicSecret.mutateAsync({
+        name: dynamicSecret.name,
+        path: secretPath,
+        projectSlug,
+        environmentSlug: environment,
+        data: {
+          inputs: formData.inputs,
+          newName: formData.newName === dynamicSecret.name ? undefined : formData.newName,
+          defaultTTL: formData.defaultTTL,
+          maxTTL: formData.maxTTL
+        }
+      });
+      onClose();
+      createNotification({
+        type: "success",
+        text: "Successfully updated dynamic secret"
+      });
+    } catch (err) {
+      createNotification({
+        type: "error",
+        text: err instanceof Error ? err.message : "Failed to update dynamic secret"
+      });
+    }
+  };
+
+  return (
+    <div>
+      <form onSubmit={handleSubmit(handleUpdateDynamicSecret)} autoComplete="off">
+        <div>
+          <div className="flex items-center space-x-2">
+            <div className="flex-grow">
+              <Controller
+                control={control}
+                defaultValue=""
+                name="newName"
+                render={({ field, fieldState: { error } }) => (
+                  <FormControl
+                    label="Secret Name"
+                    isError={Boolean(error)}
+                    errorText={error?.message}
+                  >
+                    <Input {...field} placeholder="dynamic-secret" />
+                  </FormControl>
+                )}
+              />
+            </div>
+            <div className="w-32">
+              <Controller
+                control={control}
+                name="defaultTTL"
+                defaultValue="1h"
+                render={({ field, fieldState: { error } }) => (
+                  <FormControl
+                    label={<TtlFormLabel label="Default TTL" />}
+                    isError={Boolean(error?.message)}
+                    errorText={error?.message}
+                  >
+                    <Input {...field} />
+                  </FormControl>
+                )}
+              />
+            </div>
+            <div className="w-32">
+              <Controller
+                control={control}
+                name="maxTTL"
+                defaultValue="24h"
+                render={({ field, fieldState: { error } }) => (
+                  <FormControl
+                    label={<TtlFormLabel label="Max TTL" />}
+                    isError={Boolean(error?.message)}
+                    errorText={error?.message}
+                  >
+                    <Input {...field} />
+                  </FormControl>
+                )}
+              />
+            </div>
+          </div>
+          <div>
+            <div className="mb-4 mt-4 border-b border-mineshaft-500 pb-2 pl-1 font-medium text-mineshaft-200">
+              Configuration
+              <a
+                href="https://infisical.com/docs/documentation/platform/dynamic-secrets/kubernetes"
+                target="_blank"
+                rel="noopener noreferrer"
+              >
+                <div className="mb-1 ml-2 inline-block cursor-default rounded-md bg-yellow/20 px-1.5 pb-[0.03rem] pt-[0.04rem] text-sm text-yellow opacity-80 hover:opacity-100">
+                  <FontAwesomeIcon icon={faBookOpen} className="mr-1.5" />
+                  Docs
+                  <FontAwesomeIcon
+                    icon={faArrowUpRightFromSquare}
+                    className="mb-[0.07rem] ml-1.5 text-xxs"
+                  />
+                </div>
+              </a>
+            </div>
+            <div className="flex flex-col">
+              <div className="flex items-center space-x-2">
+                <div className="flex-grow">
+                  <div>
+                    <OrgPermissionCan
+                      I={OrgGatewayPermissionActions.AttachGateways}
+                      a={OrgPermissionSubjects.Gateway}
+                    >
+                      {(isAllowed) => (
+                        <Controller
+                          control={control}
+                          name="inputs.gatewayId"
+                          defaultValue=""
+                          render={({ field: { value, onChange }, fieldState: { error } }) => (
+                            <FormControl
+                              isError={Boolean(error?.message)}
+                              errorText={error?.message}
+                              label="Gateway"
+                            >
+                              <Tooltip
+                                isDisabled={isAllowed}
+                                content="Restricted access. You don't have permission to attach gateways to resources."
+                              >
+                                <div>
+                                  <Select
+                                    isDisabled={!isAllowed}
+                                    value={value}
+                                    onValueChange={onChange}
+                                    className="w-full border border-mineshaft-500"
+                                    dropdownContainerClassName="max-w-none"
+                                    isLoading={isGatewaysLoading}
+                                    placeholder="Default: Internet Gateway"
+                                    position="popper"
+                                  >
+                                    <SelectItem
+                                      value={null as unknown as string}
+                                      onClick={() => onChange(undefined)}
+                                    >
+                                      Internet Gateway
+                                    </SelectItem>
+                                    {gateways?.map((el) => (
+                                      <SelectItem value={el.id} key={el.id}>
+                                        {el.name}
+                                      </SelectItem>
+                                    ))}
+                                  </Select>
+                                </div>
+                              </Tooltip>
+                            </FormControl>
+                          )}
+                        />
+                      )}
+                    </OrgPermissionCan>
+                  </div>
+                  <Controller
+                    control={control}
+                    name="inputs.url"
+                    render={({ field, fieldState: { error } }) => (
+                      <FormControl
+                        label="Cluster URL"
+                        isError={Boolean(error?.message)}
+                        errorText={error?.message}
+                      >
+                        <Input {...field} />
+                      </FormControl>
+                    )}
+                  />
+
+                  <div className="mb-2 flex items-center">
+                    <span className="mr-3 flex items-center text-sm text-mineshaft-400">
+                      Enable SSL
+                      <Tooltip
+                        className="ml-1 max-w-md"
+                        content={
+                          <span>
+                            If enabled, you can optionally provide a custom CA certificate. Leave
+                            blank to use the system/public CA.
+                          </span>
+                        }
+                      >
+                        <FontAwesomeIcon icon={faQuestionCircle} size="sm" className="ml-1" />
+                      </Tooltip>
+                    </span>
+                    <Controller
+                      name="inputs.sslEnabled"
+                      control={control}
+                      render={({ field: { value, onChange } }) => (
+                        <Switch
+                          className="bg-mineshaft-400/50 shadow-inner data-[state=checked]:bg-green/80"
+                          id="ssl-enabled"
+                          thumbClassName="bg-mineshaft-800"
+                          isChecked={value}
+                          onCheckedChange={onChange}
+                          aria-label="Enable SSL"
+                        />
+                      )}
+                    />
+                  </div>
+
+                  <Controller
+                    control={control}
+                    name="inputs.ca"
+                    render={({ field, fieldState: { error } }) => (
+                      <FormControl
+                        label="CA"
+                        isError={Boolean(error?.message)}
+                        errorText={error?.message}
+                        className={sslEnabled ? "" : "opacity-50"}
+                      >
+                        <TextArea
+                          {...field}
+                          placeholder="-----BEGIN CERTIFICATE----- ..."
+                          isDisabled={!sslEnabled}
+                        />
+                      </FormControl>
+                    )}
+                  />
+
+                  <Controller
+                    control={control}
+                    name="inputs.clusterToken"
+                    render={({ field, fieldState: { error } }) => (
+                      <FormControl
+                        label="Cluster Token"
+                        isError={Boolean(error?.message)}
+                        errorText={error?.message}
+                      >
+                        <Input {...field} type="password" autoComplete="new-password" />
+                      </FormControl>
+                    )}
+                  />
+                  <Controller
+                    control={control}
+                    name="inputs.credentialType"
+                    render={({ field, fieldState: { error } }) => (
+                      <FormControl
+                        label="Credential Type"
+                        isError={Boolean(error?.message)}
+                        errorText={error?.message}
+                        className="w-full"
+                      >
+                        <Select
+                          defaultValue={field.value}
+                          {...field}
+                          className="w-full"
+                          onValueChange={(e) => field.onChange(e)}
+                        >
+                          {credentialTypes.map((credentialType) => (
+                            <SelectItem
+                              value={credentialType.value}
+                              key={`credential-type-${credentialType.value}`}
+                            >
+                              {credentialType.label}
+                            </SelectItem>
+                          ))}
+                        </Select>
+                      </FormControl>
+                    )}
+                  />
+                  <div className="flex items-center space-x-2">
+                    <div className="flex-1">
+                      <Controller
+                        control={control}
+                        name="inputs.serviceAccountName"
+                        render={({ field, fieldState: { error } }) => (
+                          <FormControl
+                            label="Service Account Name"
+                            isError={Boolean(error?.message)}
+                            errorText={error?.message}
+                          >
+                            <Input {...field} autoComplete="new-password" />
+                          </FormControl>
+                        )}
+                      />
+                    </div>
+                    <div className="flex-1">
+                      <Controller
+                        control={control}
+                        name="inputs.namespace"
+                        render={({ field, fieldState: { error } }) => (
+                          <FormControl
+                            label="Namespace"
+                            isError={Boolean(error?.message)}
+                            errorText={error?.message}
+                          >
+                            <Input {...field} />
+                          </FormControl>
+                        )}
+                      />
+                    </div>
+                  </div>
+                </div>
+              </div>
+              <div className="mt-2 w-1/2">
+                <Controller
+                  control={control}
+                  name="inputs.audiences"
+                  render={({ fieldState: { error } }) => (
+                    <FormControl
+                      label="Audiences"
+                      isError={Boolean(error?.message)}
+                      errorText={error?.message}
+                    >
+                      <div className="space-y-2">
+                        {fields.map((field, index) => (
+                          <div key={field.id} className="flex items-center space-x-2">
+                            <Input
+                              {...control.register(`inputs.audiences.${index}`)}
+                              placeholder="Enter audience"
+                              className="flex-grow"
+                            />
+                            <IconButton
+                              onClick={() => remove(index)}
+                              variant="outline_bg"
+                              ariaLabel="Remove audience"
+                            >
+                              <FontAwesomeIcon icon={faTrash} />
+                            </IconButton>
+                          </div>
+                        ))}
+                        <Button variant="outline_bg" onClick={() => append("")} type="button">
+                          Add Audience
+                        </Button>
+                      </div>
+                    </FormControl>
+                  )}
+                />
+              </div>
+            </div>
+          </div>
+        </div>
+        <div className="mt-4 flex items-center space-x-4">
+          <Button type="submit" isLoading={isSubmitting}>
+            Submit
+          </Button>
+          <Button variant="outline_bg" onClick={onClose}>
+            Cancel
+          </Button>
+        </div>
+      </form>
+    </div>
+  );
+};
Author	SHA1	Message	Date
ArshBallagan	b12fe66871	Merge branch 'main' into docs/update-net-sdk	2025-05-29 08:07:43 -07:00
ArshBallagan	28582d9134	Update .NET docs with new links	2025-05-29 08:07:07 -07:00
Maidul Islam	04908edb5b	update	2025-05-29 10:28:35 -04:00
Maidul Islam	e8753a3ce8	Update	2025-05-29 10:16:59 -04:00
Sheen	1947989ca5	Merge pull request #3668 from Infisical/feat/add-kubernetes-dynamic-secret feat: add kubernetes dynamic secret	2025-05-29 21:45:22 +08:00
Sheen	c22e616771	misc: addressed k8 doc changes	2025-05-29 13:34:41 +00:00
Sheen Capadngan	40711ac707	misc: addressed comments	2025-05-29 21:15:53 +08:00
Daniel Hougaard	a47e6910b1	Merge pull request #3678 from Infisical/daniel/fix-k8s-https-protocol fix: allow https on gateway k8s hosts	2025-05-29 17:06:20 +04:00
Daniel Hougaard	78c4a591a9	requested changes	2025-05-29 16:57:22 +04:00
Daniel Hougaard	f6b7717517	fix: allow https on gateway k8s hosts	2025-05-29 16:39:47 +04:00
x032205	b21a5b6425	Merge pull request #3672 from Infisical/ENG-2843 Improved Key Schema docs + tooltip	2025-05-28 23:39:01 -04:00
Maidul Islam	66a5691ffd	Merge pull request #3675 from Infisical/revert-3546-feat/point-in-time-revamp Revert "feat(PIT): Point In Time Revamp"	2025-05-28 20:56:38 -04:00
Maidul Islam	6bdf62d453	Revert "feat(PIT): Point In Time Revamp"	2025-05-28 20:56:04 -04:00
Maidul Islam	652a48b520	Merge pull request #3674 from Infisical/revert-3671-fix/pitCheckpointCreationBatch Revert "PIT: fix checkpoint creation to do it in batches to avoid insert fails"	2025-05-28 20:55:56 -04:00
Maidul Islam	3148c54e18	Revert "PIT: fix checkpoint creation to do it in batches to avoid insert fails"	2025-05-28 20:55:46 -04:00
x032205	bd4cf64fc6	Merge pull request #3670 from Infisical/ENG-2827 feat(secret-sharing): Require Login for Secrets Shared to Specific Emails	2025-05-28 19:23:26 -04:00
x032205	f4e3d7d576	Review fix	2025-05-28 19:22:46 -04:00
x032205	8298f9974f	Improved Key Schema docs + tooltip	2025-05-28 19:18:09 -04:00
carlosmonastyrski	da347e96e1	Merge pull request #3671 from Infisical/fix/pitCheckpointCreationBatch PIT: fix checkpoint creation to do it in batches to avoid insert fails	2025-05-29 00:17:33 +01:00
carlosmonastyrski	5df96234a0	PIT: fix checkpoint creation to do it in batches to avoid insert fails	2025-05-28 20:10:12 -03:00
Maidul Islam	e78682560c	Merge pull request #3546 from Infisical/feat/point-in-time-revamp feat(PIT): Point In Time Revamp	2025-05-28 18:24:37 -04:00
carlosmonastyrski	1602fac5ca	PIT: decrese PIT_CHECKPOINT_WINDOW to 1 for deployment	2025-05-28 19:16:19 -03:00
carlosmonastyrski	0100bf7032	PIT: decrese PIT_CHECKPOINT_WINDOW to 5 for deployment	2025-05-28 19:13:28 -03:00
Maidul Islam	e2c49878c6	Merge pull request #3666 from Infisical/feat/add-token-period-support feat: add token period support for ua	2025-05-28 17:38:59 -04:00
x032205	335aada941	Doc and review tweaks	2025-05-28 17:28:34 -04:00
x032205	b949fe06c3	Doc update	2025-05-28 17:25:21 -04:00
carlosmonastyrski	28e539c481	PIT: improve wording on the revert button	2025-05-28 17:37:44 -03:00
x032205	5c4c881b60	Docs update	2025-05-28 15:50:46 -04:00
x032205	8ffb92bfb3	Docs revamp	2025-05-28 15:39:44 -04:00
carlosmonastyrski	15986633c7	PIT: omit commit version check on rollbacks and reverts	2025-05-28 16:07:42 -03:00
carlosmonastyrski	c4809bbb54	PIT: remove reminders from commit history	2025-05-28 15:51:51 -03:00
x032205	6305aab0d1	Merge branch 'main' into ENG-2827	2025-05-28 14:44:51 -04:00
x032205	456493ff5a	feat(secret-sharing): Require Login for Email Sharing	2025-05-28 14:44:27 -04:00
Sheen Capadngan	8cfaefcec5	misc: added missing types	2025-05-29 02:43:36 +08:00
Sheen Capadngan	e39e80a0e7	misc: added proper propagation of error to logs	2025-05-29 02:38:14 +08:00
Sheen Capadngan	8cae92f29e	misc: make it work with gateway	2025-05-29 02:01:17 +08:00
Sheen Capadngan	918911f2e4	misc: addressed greptile	2025-05-29 01:40:12 +08:00
Sheen	a1aee45eb2	doc: added docs	2025-05-28 17:36:47 +00:00
Maidul Islam	5fe93dc35a	Merge pull request #3669 from Infisical/update-oidc-logs Update OIDC logs	2025-05-28 12:34:36 -04:00
Scott Wilson	5e0e7763a3	Merge pull request #3664 from Infisical/aws-secret-manager-fix Fix: Update aws secret manager sync to handle constrained iam policies	2025-05-28 09:31:41 -07:00
Maidul Islam	f663d1d4a6	update log	2025-05-28 12:28:33 -04:00
Sheen Capadngan	650f6d9585	feat: add kubernetes dynamic secret	2025-05-29 00:16:01 +08:00
Maidul Islam	7994034639	Merge pull request #3660 from Infisical/misc/add-proper-notice-for-non-admin-privilege-upgrade-1 misc: added proper notice for non-admins doing privilege upgrade	2025-05-28 09:59:09 -04:00
carlosmonastyrski	48619ed24c	Fix lint issue	2025-05-28 08:50:40 -03:00
carlosmonastyrski	21fb8df39b	Merge branch 'feat/point-in-time-revamp' of https://github.com/Infisical/infisical into feat/point-in-time-revamp	2025-05-28 08:44:16 -03:00
carlosmonastyrski	f03a7cc249	PIT: add description to folder versioning	2025-05-28 08:43:32 -03:00
Sheen Capadngan	f2dcbfa91c	misc: moved prompt to tooltip	2025-05-28 16:33:14 +08:00
Maidul Islam	30252c2bcb	minor text updates	2025-05-28 00:06:50 -04:00
Maidul Islam	9687f33122	Merge pull request #3665 from Infisical/allow-machine-to-read-billing Allow machine identity to read billing	2025-05-27 22:36:29 -04:00
Maidul Islam	a5282a56c9	allow machine identity to read billing	2025-05-27 22:26:32 -04:00
Scott Wilson	cc3551c417	fix: update aws secret manager sync to handle constrained iam policies	2025-05-27 18:25:20 -07:00
Maidul Islam	9e6fe39609	Merge pull request #3663 from Infisical/add-logs-for-oidc-claims add oidc logs	2025-05-27 21:24:38 -04:00
Maidul Islam	2bc91c42a7	add oidc logs	2025-05-27 21:18:22 -04:00
carlosmonastyrski	c7ec825830	Improve restore buttons on the UI and reconstruct folder children on revert by default	2025-05-27 19:42:31 -03:00
carlosmonastyrski	5b7f445e33	PIT: fix for folder commit order on cascade deletion	2025-05-27 18:28:00 -03:00
carlosmonastyrski	7fe53ab00e	PIT: add batch logic to initializeFolder migration	2025-05-27 11:58:17 -03:00
Sheen Capadngan	90c17820fc	misc: added proper notice for non-admins doing privilege upgrade	2025-05-27 22:54:50 +08:00
carlosmonastyrski	8168b5faf8	PIT: fix resourceChangeSchema schema	2025-05-26 23:25:05 -03:00
carlosmonastyrski	8b9e035bf6	PIT: fix folder update issue	2025-05-26 23:08:01 -03:00
carlosmonastyrski	d36d0784ca	PIT: Add delete commit for cascade deletion	2025-05-26 21:51:43 -03:00
carlosmonastyrski	f3a84f6001	Merge branch 'main' into feat/point-in-time-revamp	2025-05-26 17:28:38 -03:00
carlosmonastyrski	13672481a8	Merge branch 'main' into feat/point-in-time-revamp	2025-05-26 17:14:30 -03:00
carlosmonastyrski	c623c615a1	Fix lint issue	2025-05-26 14:52:04 -03:00
carlosmonastyrski	034a8112b7	Merge branch 'main' into feat/point-in-time-revamp	2025-05-26 14:42:55 -03:00
carlosmonastyrski	5fc6fd71ce	Fix tag and metadata insert/update logic on revert/rollback and fix tree checkpoint logic to exclude reserved folders	2025-05-26 14:31:05 -03:00
carlosmonastyrski	e5bc609a2a	PIT: add last commit indicator and remove unnecessary empty folder commit	2025-05-25 12:07:00 -03:00
carlosmonastyrski	b812761bdd	PIT: hide restore button for last commit	2025-05-25 11:52:28 -03:00
carlosmonastyrski	14362dbe6a	PIT: general improvements and fixes	2025-05-25 11:00:06 -03:00
carlosmonastyrski	b7b90aea33	PIT: general improvements and fixes	2025-05-25 00:12:31 -03:00
carlosmonastyrski	28a3bf0b94	Improvement on createCommit function to add changes in batches	2025-05-23 10:59:05 -03:00
carlosmonastyrski	5712c24370	Fix migration to initialize pit projects	2025-05-23 10:45:39 -03:00
carlosmonastyrski	4a391c7ac2	PIT: add commits to snapshots and improve old role hidding	2025-05-23 01:46:13 -03:00
carlosmonastyrski	2b21c9d348	Fix for secret-sync import secrets creating a new version for secrets that did not change	2025-05-22 13:02:38 -03:00
carlosmonastyrski	2b948a18f3	Type fixes and PIT history pagination	2025-05-21 23:43:41 -03:00
carlosmonastyrski	f06004370d	PIT: address PR suggestions	2025-05-21 19:42:09 -03:00
carlosmonastyrski	2493bbbc97	PIT: fix blocker for deep rollbacks	2025-05-21 09:08:12 -03:00
carlosmonastyrski	44aa743d56	Type fixes	2025-05-20 11:09:25 -03:00
carlosmonastyrski	fefb71dd86	Merge branch 'main' into feat/point-in-time-revamp	2025-05-20 10:52:20 -03:00
carlosmonastyrski	1748052cb0	Merge branch 'main' into feat/point-in-time-revamp	2025-05-20 10:37:41 -03:00
carlosmonastyrski	c01a98ccf1	Merge pull request #3555 from Infisical/feat/point-in-time-revamp-2710 Feat/point in time revamp 2710	2025-05-20 09:46:08 -03:00
carlosmonastyrski	9ea9f90928	PIT: add envID to rollback endpoint	2025-05-20 09:34:43 -03:00
carlosmonastyrski	6319f53802	PIT: UI views	2025-05-20 08:22:14 -03:00
carlosmonastyrski	8bfd3913da	PIT: add backend logic for deep PIT and rollback	2025-05-14 10:26:41 -03:00
carlosmonastyrski	9e1d38a27b	Add PIT rollback	2025-05-09 16:03:50 -03:00
carlosmonastyrski	78d5bc823d	PIT: Add folder reconstruction functions	2025-05-09 09:20:17 -03:00
carlosmonastyrski	e8d424bbb0	PIT: Add initialization and checkpoint logic	2025-05-08 09:41:01 -03:00
carlosmonastyrski	f0c52cc8da	Add comments to provide context on this change	2025-05-07 08:43:56 -03:00
carlosmonastyrski	e58dbe853e	Minor improvements on commits code quality	2025-05-07 08:38:19 -03:00
carlosmonastyrski	f493a617b1	Add new commit logic on every folder/secret operation	2025-05-06 18:57:25 -03:00
carlosmonastyrski	32a3e1d200	commit	2025-05-06 08:11:50 -03:00
carlosmonastyrski	c6e56f0380	Stop removing secret/folder versions on projects with version >= 3	2025-05-05 16:43:58 -03:00