Update overview.mdx

feat(helm): infisical helm

.github/workflows/release_helm_gateway.yaml

@@ -0,0 +1,27 @@
+name: Release Gateway Helm Chart
+on:
+    workflow_dispatch:
+
+jobs:
+    release-helm:
+        name: Release Helm Chart
+        runs-on: ubuntu-latest
+        steps:
+            - name: Checkout
+              uses: actions/checkout@v4
+
+            - name: Install Helm
+              uses: azure/setup-helm@v3
+              with:
+                  version: v3.10.0
+
+            - name: Install python
+              uses: actions/setup-python@v4
+
+            - name: Install Cloudsmith CLI
+              run: pip install --upgrade cloudsmith-cli
+
+            - name: Build and push helm package to CloudSmith
+              run: cd helm-charts && sh upload-gateway-cloudsmith.sh
+              env:
+                  CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}

docs/api-reference/endpoints/identity-specific-privilege/v1/find-by-slug.mdx

@@ -1,4 +1,4 @@
 ---
-title: "Find By Privilege Slug"
+title: "Find By Slug"
 openapi: "GET /api/v1/additional-privilege/identity/{privilegeSlug}"
 ---

docs/api-reference/endpoints/identity-specific-privilege/v2/create.mdx

@@ -0,0 +1,4 @@
+---
+title: "Create"
+openapi: "POST /api/v2/identity-project-additional-privilege"
+---

docs/api-reference/endpoints/identity-specific-privilege/v2/delete.mdx

@@ -0,0 +1,4 @@
+---
+title: "Delete"
+openapi: "DELETE /api/v2/identity-project-additional-privilege/{id}"
+---

docs/api-reference/endpoints/identity-specific-privilege/v2/find-by-id.mdx

@@ -0,0 +1,4 @@
+---
+title: "Find By ID"
+openapi: "GET /api/v2/identity-project-additional-privilege/{id}"
+---

docs/api-reference/endpoints/identity-specific-privilege/v2/find-by-slug.mdx

@@ -0,0 +1,4 @@
+---
+title: "Find By Slug"
+openapi: "GET /api/v2/identity-project-additional-privilege/slug/{privilegeSlug}"
+---

docs/api-reference/endpoints/identity-specific-privilege/v2/list.mdx

@@ -0,0 +1,4 @@
+---
+title: "List"
+openapi: "GET /api/v2/identity-project-additional-privilege"
+---

docs/api-reference/endpoints/identity-specific-privilege/v2/update.mdx

@@ -0,0 +1,4 @@
+---
+title: "Update"
+openapi: "PATCH /api/v2/identity-project-additional-privilege/{id}"
+---

docs/documentation/platform/gateways/overview.mdx

@@ -73,6 +73,61 @@ Once authenticated, the Gateway establishes a secure connection with Infisical t
         </Warning>
       </Tab>
 
+      <Tab title="Production (Helm)">
+
+        The Gateway can be installed via [Helm](https://helm.sh/). Helm is a package manager for Kubernetes that allows you to define, install, and upgrade Kubernetes applications.
+
+        For production deployments on Kubernetes, install the Gateway using the Infisical Helm chart:
+
+        ### Install the latest Helm Chart repository
+        ```bash
+        helm repo add infisical-helm-charts 'https://dl.cloudsmith.io/public/infisical/helm-charts/helm/charts/' 
+        ```
+
+        ### Update the Helm Chart repository
+        ```bash
+        helm repo update
+        ```
+
+        ### Create a Kubernetes Secret with the gateway token
+
+        Create a new Kubernetes secret containing the gateway token as the `TOKEN` key. You can optionally also set the `INFISICAL_API_URL` key to your Infisical instance URL. By default, `INFISICAL_API_URL` is set to `https://app.infisical.com`.
+
+
+        ```bash
+        kubectl create secret generic infisical-gateway-environment --from-literal=TOKEN=<your-machine-identity-access-token>
+        ```
+      
+        <Note>
+          The secret name is `infisical-gateway-environment` by default. The `TOKEN` key is required, and the `INFISICAL_API_URL` key is optional.
+        </Note>
+
+        ### Install the Infisical Gateway Helm Chart
+        ```bash
+        helm install infisical-gateway infisical-helm-charts/infisical-gateway
+        ```
+
+        ### Check the gateway logs
+        After installing the gateway, you can check the logs to ensure it's running as expected.
+
+        ```bash
+        kubectl logs deployment/infisical-gateway
+        ```
+
+        You should see the following output which indicates the gateway is running as expected.
+        ```bash
+        $ kubectl logs deployment/infisical-gateway                  
+        INF Provided relay port 5349. Using TLS
+        INF Connected with relay
+        INF 10.0.101.112:56735
+        INF Starting relay connection health check
+        INF Gateway started successfully
+        INF New connection from: 10.0.1.8:34051
+        INF Gateway is reachable by Infisical
+        ```
+
+      </Tab>
+
       <Tab title="Development (direct)">
         For development or testing, you can run the Gateway directly. Log in with your machine identity and start the Gateway in one command:
         ```bash

docs/integrations/platforms/kubernetes/infisical-secret-crd.mdx

@@ -1230,13 +1230,13 @@ To address this, we added functionality to automatically redeploy your deploymen
 
 #### Enabling Automatic Redeployment
 
-To enable auto redeployment you simply have to add the following annotation to the deployment, statefulset, or daemonset that consumes a managed secret.
+To enable auto redeployment you simply have to add the following annotation to the Deployment, StatefulSet, or DaemonSet that consumes a managed secret.
 
 ```yaml
 secrets.infisical.com/auto-reload: "true"
 ```
 
-<Accordion title="Deployment example with auto redeploy enabled">
+<Accordion title="Deployment example">
   ```yaml
   apiVersion: apps/v1
   kind: Deployment
@@ -1266,10 +1266,82 @@ secrets.infisical.com/auto-reload: "true"
           - containerPort: 80
   ```
 </Accordion>
+
+<Accordion title="DaemonSet example">
+  ```yaml
+  apiVersion: apps/v1
+  kind: DaemonSet
+  metadata:
+    name: log-agent
+    labels:
+      app: log-agent
+    annotations:
+      secrets.infisical.com/auto-reload: "true" # <- redeployment annotation
+  spec:
+    selector:
+      matchLabels:
+        app: log-agent
+    template:
+      metadata:
+        labels:
+          app: log-agent
+      spec:
+        containers:
+          - name: log-agent
+            image: mycompany/log-agent:latest
+            envFrom:
+              - secretRef:
+                  name: managed-secret # <- name of the managed secret
+            volumeMounts:
+              - name: config-volume
+                mountPath: /etc/config
+                readOnly: true
+        volumes:
+          - name: config-volume
+            secret:
+              secretName: managed-secret
+  ```
+</Accordion>
+
+<Accordion title="StatefulSet example">
+  ```yaml
+  apiVersion: apps/v1
+  kind: StatefulSet
+  metadata:
+    name: db-worker
+    labels:
+      app: db-worker
+    annotations:
+      secrets.infisical.com/auto-reload: "true" # <- redeployment annotation
+  spec:
+    selector:
+      matchLabels:
+        app: db-worker
+    serviceName: "db-worker"
+    replicas: 2
+    template:
+      metadata:
+        labels:
+          app: db-worker
+      spec:
+        containers:
+          - name: db-worker
+            image: mycompany/db-worker:stable
+            env:
+              - name: DATABASE_PASSWORD
+                valueFrom:
+                  secretKeyRef:
+                    name: managed-secret
+                    key: DB_PASSWORD
+            ports:
+              - containerPort: 5432
+  ```
+</Accordion>
+
 <Info>
   #### How it works 
-  When a secret change occurs, the operator will check to see which deployments are using the operator-managed Kubernetes secret that received the update. 
-  Then, for each deployment that has this annotation present, a rolling update will be triggered.
+  When a managed secret is updated, the operator checks for any Deployments, DaemonSets, or StatefulSets that consume the updated secret and have the annotation
+  `secrets.infisical.com/auto-reload: "true"`. For each matching workload, the operator triggers a rolling restart to ensure it picks up the latest secret values.
 </Info>
 
 ## Using Managed ConfigMap In Your Deployment

docs/mint.json

@@ -955,12 +955,28 @@
         {
           "group": "Identity Specific Privilege",
           "pages": [
-            "api-reference/endpoints/identity-specific-privilege/create-permanent",
-            "api-reference/endpoints/identity-specific-privilege/create-temporary",
-            "api-reference/endpoints/identity-specific-privilege/update",
-            "api-reference/endpoints/identity-specific-privilege/delete",
-            "api-reference/endpoints/identity-specific-privilege/find-by-slug",
-            "api-reference/endpoints/identity-specific-privilege/list"
+            {
+              "group": "V1 (Legacy)",
+              "pages": [
+                "api-reference/endpoints/identity-specific-privilege/v1/create-permanent",
+                "api-reference/endpoints/identity-specific-privilege/v1/create-temporary",
+                "api-reference/endpoints/identity-specific-privilege/v1/update",
+                "api-reference/endpoints/identity-specific-privilege/v1/delete",
+                "api-reference/endpoints/identity-specific-privilege/v1/find-by-slug",
+                "api-reference/endpoints/identity-specific-privilege/v1/list"
+              ]
+            },
+            {
+              "group": "V2",
+              "pages": [
+                "api-reference/endpoints/identity-specific-privilege/v2/create",
+                "api-reference/endpoints/identity-specific-privilege/v2/update",
+                "api-reference/endpoints/identity-specific-privilege/v2/delete",
+                "api-reference/endpoints/identity-specific-privilege/v2/list",
+                "api-reference/endpoints/identity-specific-privilege/v2/find-by-id",
+                "api-reference/endpoints/identity-specific-privilege/v2/find-by-slug"
+              ]
+            }
           ]
         },
         {

frontend/vite.config.ts

@@ -1,6 +1,6 @@
 import { TanStackRouterVite } from "@tanstack/router-plugin/vite";
 import react from "@vitejs/plugin-react-swc";
-import { defineConfig, PluginOption } from "vite";
+import { defineConfig, loadEnv, PluginOption } from "vite";
 import { nodePolyfills } from "vite-plugin-node-polyfills";
 import topLevelAwait from "vite-plugin-top-level-await";
 import wasm from "vite-plugin-wasm";
@@ -20,32 +20,38 @@ const virtualRouteFileChangeReloadPlugin: PluginOption = {
 };
 
 // https://vite.dev/config/
-export default defineConfig({
-  server: {
-    host: true,
-    port: 3000
-    // proxy: {
-    //   "/api": {
-    //     target: "http://localhost:8080",
-    //     changeOrigin: true,
-    //     secure: false,
-    //     ws: true
-    //   }
-    // }
-  },
-  plugins: [
-    tsconfigPaths(),
-    nodePolyfills({
-      globals: {
-        Buffer: true
-      }
-    }),
-    wasm(),
-    topLevelAwait(),
-    TanStackRouterVite({
-      virtualRouteConfig: "./src/routes.ts"
-    }),
-    react(),
-    virtualRouteFileChangeReloadPlugin
-  ]
+export default defineConfig(({ mode }) => {
+  const env = loadEnv(mode, process.cwd());
+  const allowedHosts = env.VITE_ALLOWED_HOSTS?.split(",") ?? [];
+
+  return {
+    server: {
+      allowedHosts,
+      host: true,
+      port: 3000
+      // proxy: {
+      //   "/api": {
+      //     target: "http://localhost:8080",
+      //     changeOrigin: true,
+      //     secure: false,
+      //     ws: true
+      //   }
+      // }
+    },
+    plugins: [
+      tsconfigPaths(),
+      nodePolyfills({
+        globals: {
+          Buffer: true
+        }
+      }),
+      wasm(),
+      topLevelAwait(),
+      TanStackRouterVite({
+        virtualRouteConfig: "./src/routes.ts"
+      }),
+      react(),
+      virtualRouteFileChangeReloadPlugin
+    ]
+  };
 });

helm-charts/infisical-gateway/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

helm-charts/infisical-gateway/CHANGELOG.md

@@ -0,0 +1,3 @@
+## 0.0.1 (May 1, 2025)
+
+* Initial helm release

helm-charts/infisical-gateway/Chart.yaml

@@ -0,0 +1,24 @@
+apiVersion: v2
+name: infisical-gateway
+description: A Helm chart to deploy Infisical Gateway
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.0.1
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "0.0.1"

helm-charts/infisical-gateway/templates/_helpers.tpl

@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "infisical-gateway.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "infisical-gateway.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "infisical-gateway.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "infisical-gateway.labels" -}}
+helm.sh/chart: {{ include "infisical-gateway.chart" . }}
+{{ include "infisical-gateway.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "infisical-gateway.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "infisical-gateway.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "infisical-gateway.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "infisical-gateway.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

helm-charts/infisical-gateway/templates/deployment.yaml

@@ -0,0 +1,73 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "infisical-gateway.fullname" . }}
+  labels:
+    {{- include "infisical-gateway.labels" . | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "infisical-gateway.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "infisical-gateway.labels" . | nindent 8 }}
+        {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "infisical-gateway.serviceAccountName" . }}
+      {{- with .Values.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: {{ .Chart.Name }}
+          {{- with .Values.securityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          image: "infisical/cli:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          args:
+            - gateway
+            - --token
+            - $(TOKEN)
+          envFrom:
+            - secretRef:
+                name: {{ .Values.secret.name }}
+          env:
+            - name: TOKEN_VALIDATION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.secret.name }}
+                  key: TOKEN
+                  optional: false
+          ports:
+            - name: http
+              containerPort: {{ .Values.service.port }}
+              protocol: TCP
+          {{- with .Values.resources }}
+          resources:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

helm-charts/infisical-gateway/templates/service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "infisical-gateway.fullname" . }}
+  labels:
+    {{- include "infisical-gateway.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "infisical-gateway.selectorLabels" . | nindent 4 }}

helm-charts/infisical-gateway/templates/serviceaccount.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "infisical-gateway.serviceAccountName" . }}
+  labels:
+    {{- include "infisical-gateway.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
+{{- end }}

helm-charts/infisical-gateway/values.yaml

@@ -0,0 +1,44 @@
+image:
+  pullPolicy: IfNotPresent
+  tag: "0.41.1"
+
+secret:
+  # The secret that contains the environment variables to be used by the gateway, such as INFISICAL_API_URL and TOKEN
+  name: "infisical-gateway-environment"
+
+resources:
+  limits:
+    cpu: 500m
+    memory: 128Mi
+  requests:
+    cpu: 100m
+    memory: 128Mi
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+serviceAccount:
+  create: true
+  automount: true
+  annotations: {}
+  name: ""
+
+podAnnotations: {}
+podLabels: {}
+podSecurityContext:
+  runAsNonRoot: true
+
+securityContext:
+  runAsNonRoot: true
+  runAsUser: 1000
+
+affinity: {}
+tolerations: {}
+nodeSelector: {}
+service:
+  type: ClusterIP
+  port: 80
+
+ingress:
+  enabled: false

helm-charts/upload-gateway-cloudsmith.sh

@@ -0,0 +1,8 @@
+cd infisical-gateway
+helm dependency update
+helm package .
+for i in *.tgz; do
+    [ -f "$i" ] || break
+    cloudsmith push helm --republish infisical/helm-charts "$i"
+done
+cd ..