add docs for label and refereces

Documentation for SSH Command in CLI

backend/src/services/integration-auth/integration-sync-secret.ts

@@ -328,7 +328,7 @@ const syncSecretsAzureAppConfig = async ({
   const metadata = IntegrationMetadataSchema.parse(integration.metadata);
 
   const azureAppConfigValuesUrl = `${integration.app}/kv?api-version=2023-11-01&key=${metadata.secretPrefix}*${
-    metadata.azureLabel ? `&label=${metadata.azureLabel}` : ""
+    metadata.azureLabel ? `&label=${metadata.azureLabel}` : "&label=%00"
   }`;
 
   const azureAppConfigSecrets = (await getCompleteAzureAppConfigValues(azureAppConfigValuesUrl)).reduce(

docs/cli/commands/ssh.mdx

@@ -0,0 +1,116 @@
+---
+title: "infisical ssh"
+description: "Generate SSH credentials with the CLI"
+---
+
+## Description
+
+[Infisical SSH](/documentation/platform/ssh) lets you issue SSH credentials to clients to provide short-lived, secure SSH access to infrastructure.
+
+This command enables you to obtain SSH credentials used to access a remote host; we recommend using the `issue-credentials` sub-command to generate dynamic SSH credentials for each SSH session.
+
+### Sub-commands
+
+<Accordion title="infisical ssh issue-credentials">
+    This command is used to issue SSH credentials (SSH certificate, public key, and private key) against a certificate template.
+    
+    We recommend using the `--addToAgent` flag to automatically load issued SSH credentials to the SSH agent.
+    
+    ```bash
+    $ infisical ssh issue-credentials --certificateTemplateId=<certificate-template-id> --principals=<principals> --addToAgent
+    ```
+
+    ### Flags
+    <Accordion title="--certificateTemplateId">
+        The ID of the SSH certificate template to issue SSH credentials for.
+    </Accordion>
+    <Accordion title="--principals">
+        A comma-separated list of principals (i.e. usernames like `ec2-user` or hostnames) to issue SSH credentials for.
+    </Accordion>
+    <Accordion title="--addToAgent">
+        Whether to add issued SSH credentials to the SSH agent.
+        
+        Default value: `false`
+        
+        Note that either the `--outFilePath` or `--addToAgent` flag must be set for the sub-command to execute successfully.
+    </Accordion>
+    <Accordion title="--outFilePath">
+        The path to write the SSH credentials to such as `~/.ssh`, `./some_folder`, `./some_folder/id_rsa-cert.pub`. If not provided, the credentials will be saved to the current working directory where the command is run.
+        
+        Note that either the `--outFilePath` or `--addToAgent` flag must be set for the sub-command to execute successfully.
+    </Accordion>
+    <Accordion title="--keyAlgorithm">
+        The key algorithm to issue SSH credentials for.
+        
+        Default value: `RSA_2048`
+        
+        Available options: `RSA_2048`, `RSA_4096`, `EC_prime256v1`, `EC_secp384r1`.
+    </Accordion>
+    <Accordion title="--certType">
+        The certificate type to issue SSH credentials for.
+        
+        Default value: `user`
+        
+        Available options: `user` or `host`
+    </Accordion>
+    <Accordion title="--ttl">
+        The time-to-live (TTL) for the issued SSH certificate (e.g. `2 days`, `1d`, `2h`, `1y`).
+        
+        Defaults to the Default TTL value set in the certificate template.
+    </Accordion>
+    <Accordion title="--keyId">
+        A custom Key ID to issue SSH credentials for.
+        
+        Defaults to the autogenerated Key ID by Infisical.
+    </Accordion>
+    <Accordion title="--token">
+        An authenticated token to use to issue SSH credentials.
+    </Accordion>
+</Accordion>
+
+<Accordion title="infisical ssh sign-key">
+    This command is used to sign an existing SSH public key against a certificate template; the command outputs the corresponding signed SSH certificate.
+    
+    ```bash
+    $ infisical ssh sign-key --certificateTemplateId=<certificate-template-id> --publicKey=<public-key> --principals=<principals> --outFilePath=<out-file-path>
+    ```
+    <Accordion title="--certificateTemplateId">
+        The ID of the SSH certificate template to issue the SSH certificate for.
+    </Accordion>
+    <Accordion title="--publicKey">
+        The public key to sign.
+
+        Note that either the `--publicKey` or `--publicKeyFilePath` flag must be set for the sub-command to execute successfully.
+    </Accordion>
+    <Accordion title="--publicKeyFilePath">
+        The path to the public key file to sign.
+
+        Note that either the `--publicKey` or `--publicKeyFilePath` flag must be set for the sub-command to execute successfully.
+    </Accordion>
+    <Accordion title="--principals">
+        A comma-separated list of principals (i.e. usernames like `ec2-user` or hostnames) to issue SSH credentials for.
+    </Accordion>
+    <Accordion title="--outFilePath">
+        The path to write the SSH certificate to such as `~/.ssh/id_rsa-cert.pub`; the specified file must have the `.pub` extension. If not provided, the credentials will be saved to the directory of the specified `--publicKeyFilePath` or the current working directory where the command is run.
+    </Accordion>
+    <Accordion title="--certType">
+        The certificate type to issue SSH credentials for.
+        
+        Default value: `user`
+        
+        Available options: `user` or `host`
+    </Accordion>
+    <Accordion title="--ttl">
+        The time-to-live (TTL) for the issued SSH certificate (e.g. `2 days`, `1d`, `2h`, `1y`).
+        
+        Defaults to the Default TTL value set in the certificate template.
+    </Accordion>
+    <Accordion title="--keyId">
+        A custom Key ID to issue SSH credentials for.
+        
+        Defaults to the autogenerated Key ID by Infisical.
+    </Accordion>
+    <Accordion title="--token">
+        An authenticated token to use to issue SSH credentials.
+    </Accordion>
+</Accordion>

docs/documentation/platform/ssh.mdx

@@ -6,7 +6,7 @@ description: "Learn how to generate SSH credentials to provide secure and centra
 
 ## Concept
 
-Infisical can be used to issue SSH certificates to clients to provide short-lived, secure SSH access to infrastructure;
+Infisical can be used to issue SSH credentials to clients to provide short-lived, secure SSH access to infrastructure;
 this improves on many limitations of traditional SSH key-based authentication via mitigation of private key compromise, static key management,
 unauthorized access, and SSH key sprawl.
 
@@ -191,7 +191,9 @@ infisical login
 
     - `certificateTemplateId`: The ID of the certificate template to use for issuing the SSH certificate.
     - `principals`: The comma-delimited username(s) or hostname(s) to include in the SSH certificate.
-
+    
+    For fuller documentation on commands and flags supported by the Infisical CLI for SSH, refer to the docs [here](/cli/commands/ssh).
+ 
   </Step>
   <Step title="SSH into the host">
     Finally, SSH into the desired host; the SSH operation will be performed using the SSH certificate loaded into the SSH agent.
@@ -199,11 +201,10 @@ infisical login
     ```bash
     ssh username@hostname
     ```
-
   </Step>
 </Steps>
 
 <Note>
   Note that the above workflow can be executed via API or other client methods
   such as SDK.
-</Note>
+</Note>

docs/integrations/cloud/azure-app-configuration.mdx

@@ -30,6 +30,27 @@ description: "How to sync secrets from Infisical to Azure App Configuration"
 
         Press create integration to start syncing secrets to Azure App Configuration.
       </Step>
+      <Step title="Additional Configuration">
+
+        #### Azure references
+          When adding secrets in Infisical that reference Azure Key Vault secrets, Infisical will automatically sets the content type to `application/vnd.microsoft.appconfig.keyvaultref+json;charset=utf-8` in Azure App Configuration. 
+          The following reference formats are automatically detected when added on Infisical's side:
+          - `{ "uri": "https://my-key-vault.vault.azure.net/secrets/my-secret" }`
+          - `https://my-key-vault.vault.azure.net/secrets/my-secret`
+
+        ### Azure Labels 
+          You can sync secrets from Infisical to Azure with custom labels by enabling the `Use Labels` option during setup:
+
+          **When enabled**: Secrets will be pushed to Azure with your specified label
+
+          **When disabled**: Secrets will be pushed with an empty (null) label
+
+        <Info>
+          If you have set the initial sync to `import` have behavior, the label selection affects which secrets are imported from Azure:
+          - With `Use Labels` disabled: Only secrets with empty labels are imported on initial sync
+          - With `Use Labels` enabled: Only secrets matching your specified label are imported on initial sync
+        </Info>
+      </Step>
     </Steps>
 
   </Tab>

docs/mint.json

@@ -320,6 +320,7 @@
             "cli/commands/run",
             "cli/commands/secrets",
             "cli/commands/dynamic-secrets",
+            "cli/commands/ssh",
             "cli/commands/export",
             "cli/commands/token",
             "cli/commands/service-token",
@@ -341,14 +342,6 @@
         "cli/faq"
       ]
     },
-    {
-      "group": "App Connections",
-      "pages": [
-        "integrations/app-connections/overview",
-        "integrations/app-connections/aws",
-        "integrations/app-connections/github"
-      ]
-    },
     {
       "group": "Infrastructure Integrations",
       "pages": [
@@ -765,33 +758,6 @@
             "api-reference/endpoints/identity-specific-privilege/list"
           ]
         },
-        {
-          "group": "App Connections",
-          "pages": [
-            "api-reference/endpoints/app-connections/list",
-            "api-reference/endpoints/app-connections/options",
-            { "group":  "AWS",
-              "pages": [
-                "api-reference/endpoints/app-connections/aws/list",
-                "api-reference/endpoints/app-connections/aws/get-by-id",
-                "api-reference/endpoints/app-connections/aws/get-by-name",
-                "api-reference/endpoints/app-connections/aws/create",
-                "api-reference/endpoints/app-connections/aws/update",
-                "api-reference/endpoints/app-connections/aws/delete"
-              ]
-            },
-            { "group":  "GitHub",
-              "pages": [
-                "api-reference/endpoints/app-connections/github/list",
-                "api-reference/endpoints/app-connections/github/get-by-id",
-                "api-reference/endpoints/app-connections/github/get-by-name",
-                "api-reference/endpoints/app-connections/github/create",
-                "api-reference/endpoints/app-connections/github/update",
-                "api-reference/endpoints/app-connections/github/delete"
-              ]
-            }
-          ]
-        },
         {
           "group": "Integrations",
           "pages": [