docs: injector diagram

Update kubernetes-injector.mdx
requested changes
2025-08-28 18:55:53 +00:00 · 2025-05-20 17:20:54 +04:00 · 2025-05-20 16:58:19 +04:00 · 2025-05-20 16:57:11 +04:00 · 2025-05-20 12:36:14 +04:00 · 2025-05-20 01:54:17 +04:00
56 changed files with 1394 additions and 536 deletions
--- a/backend/src/db/migrations/20250512103022_identity-kubernetes-auth-gateway.ts
+++ b/backend/src/db/migrations/20250512103022_identity-kubernetes-auth-gateway.ts
@@ -0,0 +1,25 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasGatewayIdColumn = await knex.schema.hasColumn(TableName.IdentityKubernetesAuth, "gatewayId");
+
+  if (!hasGatewayIdColumn) {
+    await knex.schema.alterTable(TableName.IdentityKubernetesAuth, (table) => {
+      table.uuid("gatewayId").nullable();
+      table.foreign("gatewayId").references("id").inTable(TableName.Gateway).onDelete("SET NULL");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasGatewayIdColumn = await knex.schema.hasColumn(TableName.IdentityKubernetesAuth, "gatewayId");
+
+  if (hasGatewayIdColumn) {
+    await knex.schema.alterTable(TableName.IdentityKubernetesAuth, (table) => {
+      table.dropForeign("gatewayId");
+      table.dropColumn("gatewayId");
+    });
+  }
+}
--- a/backend/src/db/migrations/20250513081738_remove-gateway-project-link.ts
+++ b/backend/src/db/migrations/20250513081738_remove-gateway-project-link.ts
@@ -0,0 +1,110 @@
+import { Knex } from "knex";
+
+import { inMemoryKeyStore } from "@app/keystore/memory";
+import { selectAllTableCols } from "@app/lib/knex";
+import { initLogger } from "@app/lib/logger";
+import { KmsDataKey } from "@app/services/kms/kms-types";
+
+import { TableName } from "../schemas";
+import { getMigrationEnvConfig } from "./utils/env-config";
+import { getMigrationEncryptionServices } from "./utils/services";
+
+// Note(daniel): We aren't dropping tables or columns in this migrations so we can easily rollback if needed.
+// In the future we need to drop the projectGatewayId on the dynamic secrets table, and drop the project_gateways table entirely.
+
+const BATCH_SIZE = 500;
+
+export async function up(knex: Knex): Promise<void> {
+  // eslint-disable-next-line no-param-reassign
+  knex.replicaNode = () => {
+    return knex;
+  };
+
+  if (!(await knex.schema.hasColumn(TableName.DynamicSecret, "gatewayId"))) {
+    await knex.schema.alterTable(TableName.DynamicSecret, (table) => {
+      table.uuid("gatewayId").nullable();
+      table.foreign("gatewayId").references("id").inTable(TableName.Gateway).onDelete("SET NULL");
+
+      table.index("gatewayId");
+    });
+
+    const existingDynamicSecretsWithProjectGatewayId = await knex(TableName.DynamicSecret)
+      .select(selectAllTableCols(TableName.DynamicSecret))
+      .whereNotNull(`${TableName.DynamicSecret}.projectGatewayId`)
+      .join(TableName.ProjectGateway, `${TableName.ProjectGateway}.id`, `${TableName.DynamicSecret}.projectGatewayId`)
+      .whereNotNull(`${TableName.ProjectGateway}.gatewayId`)
+      .select(
+        knex.ref("projectId").withSchema(TableName.ProjectGateway).as("projectId"),
+        knex.ref("gatewayId").withSchema(TableName.ProjectGateway).as("projectGatewayGatewayId")
+      );
+
+    initLogger();
+    const envConfig = getMigrationEnvConfig();
+    const keyStore = inMemoryKeyStore();
+    const { kmsService } = await getMigrationEncryptionServices({ envConfig, keyStore, db: knex });
+
+    const updatedDynamicSecrets = await Promise.all(
+      existingDynamicSecretsWithProjectGatewayId.map(async (existingDynamicSecret) => {
+        if (!existingDynamicSecret.projectGatewayGatewayId) {
+          const result = {
+            ...existingDynamicSecret,
+            gatewayId: null
+          };
+
+          const { projectId, projectGatewayGatewayId, ...rest } = result;
+          return rest;
+        }
+
+        const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
+          type: KmsDataKey.SecretManager,
+          projectId: existingDynamicSecret.projectId
+        });
+        const { encryptor: secretManagerEncryptor } = await kmsService.createCipherPairWithDataKey({
+          type: KmsDataKey.SecretManager,
+          projectId: existingDynamicSecret.projectId
+        });
+
+        let decryptedStoredInput = JSON.parse(
+          secretManagerDecryptor({ cipherTextBlob: Buffer.from(existingDynamicSecret.encryptedInput) }).toString()
+        ) as object;
+
+        // We're not removing the existing projectGatewayId from the input so we can easily rollback without having to re-encrypt the input
+        decryptedStoredInput = {
+          ...decryptedStoredInput,
+          gatewayId: existingDynamicSecret.projectGatewayGatewayId
+        };
+
+        const encryptedInput = secretManagerEncryptor({
+          plainText: Buffer.from(JSON.stringify(decryptedStoredInput))
+        }).cipherTextBlob;
+
+        const result = {
+          ...existingDynamicSecret,
+          encryptedInput,
+          gatewayId: existingDynamicSecret.projectGatewayGatewayId
+        };
+
+        const { projectId, projectGatewayGatewayId, ...rest } = result;
+        return rest;
+      })
+    );
+
+    for (let i = 0; i < updatedDynamicSecrets.length; i += BATCH_SIZE) {
+      // eslint-disable-next-line no-await-in-loop
+      await knex(TableName.DynamicSecret)
+        .insert(updatedDynamicSecrets.slice(i, i + BATCH_SIZE))
+        .onConflict("id")
+        .merge();
+    }
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  // no re-encryption needed as we keep the old projectGatewayId in the input
+  if (await knex.schema.hasColumn(TableName.DynamicSecret, "gatewayId")) {
+    await knex.schema.alterTable(TableName.DynamicSecret, (table) => {
+      table.dropForeign("gatewayId");
+      table.dropColumn("gatewayId");
+    });
+  }
+}
--- a/backend/src/db/migrations/20250515164622_select-org-products.ts
+++ b/backend/src/db/migrations/20250515164622_select-org-products.ts
@@ -0,0 +1,53 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const columns = await knex.table(TableName.Organization).columnInfo();
+
+  await knex.schema.alterTable(TableName.Organization, (t) => {
+    if (!columns.secretsProductEnabled) {
+      t.boolean("secretsProductEnabled").defaultTo(true);
+    }
+    if (!columns.pkiProductEnabled) {
+      t.boolean("pkiProductEnabled").defaultTo(true);
+    }
+    if (!columns.kmsProductEnabled) {
+      t.boolean("kmsProductEnabled").defaultTo(true);
+    }
+    if (!columns.sshProductEnabled) {
+      t.boolean("sshProductEnabled").defaultTo(true);
+    }
+    if (!columns.scannerProductEnabled) {
+      t.boolean("scannerProductEnabled").defaultTo(true);
+    }
+    if (!columns.shareSecretsProductEnabled) {
+      t.boolean("shareSecretsProductEnabled").defaultTo(true);
+    }
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const columns = await knex.table(TableName.Organization).columnInfo();
+
+  await knex.schema.alterTable(TableName.Organization, (t) => {
+    if (columns.secretsProductEnabled) {
+      t.dropColumn("secretsProductEnabled");
+    }
+    if (columns.pkiProductEnabled) {
+      t.dropColumn("pkiProductEnabled");
+    }
+    if (columns.kmsProductEnabled) {
+      t.dropColumn("kmsProductEnabled");
+    }
+    if (columns.sshProductEnabled) {
+      t.dropColumn("sshProductEnabled");
+    }
+    if (columns.scannerProductEnabled) {
+      t.dropColumn("scannerProductEnabled");
+    }
+    if (columns.shareSecretsProductEnabled) {
+      t.dropColumn("shareSecretsProductEnabled");
+    }
+  });
+}
--- a/backend/src/db/schemas/dynamic-secrets.ts
+++ b/backend/src/db/schemas/dynamic-secrets.ts
@@ -27,7 +27,8 @@ export const DynamicSecretsSchema = z.object({
  createdAt: z.date(),
  updatedAt: z.date(),
  encryptedInput: zodBuffer,
-  projectGatewayId: z.string().uuid().nullable().optional()
+  projectGatewayId: z.string().uuid().nullable().optional(),
+  gatewayId: z.string().uuid().nullable().optional()
 });

 export type TDynamicSecrets = z.infer<typeof DynamicSecretsSchema>;
--- a/backend/src/db/schemas/identity-kubernetes-auths.ts
+++ b/backend/src/db/schemas/identity-kubernetes-auths.ts
@@ -29,7 +29,8 @@ export const IdentityKubernetesAuthsSchema = z.object({
  allowedNames: z.string(),
  allowedAudience: z.string(),
  encryptedKubernetesTokenReviewerJwt: zodBuffer.nullable().optional(),
-  encryptedKubernetesCaCertificate: zodBuffer.nullable().optional()
+  encryptedKubernetesCaCertificate: zodBuffer.nullable().optional(),
+  gatewayId: z.string().uuid().nullable().optional()
 });

 export type TIdentityKubernetesAuths = z.infer<typeof IdentityKubernetesAuthsSchema>;
--- a/backend/src/db/schemas/organizations.ts
+++ b/backend/src/db/schemas/organizations.ts
@@ -28,7 +28,13 @@ export const OrganizationsSchema = z.object({
  privilegeUpgradeInitiatedByUsername: z.string().nullable().optional(),
  privilegeUpgradeInitiatedAt: z.date().nullable().optional(),
  bypassOrgAuthEnabled: z.boolean().default(false),
-  userTokenExpiration: z.string().nullable().optional()
+  userTokenExpiration: z.string().nullable().optional(),
+  secretsProductEnabled: z.boolean().default(true).nullable().optional(),
+  pkiProductEnabled: z.boolean().default(true).nullable().optional(),
+  kmsProductEnabled: z.boolean().default(true).nullable().optional(),
+  sshProductEnabled: z.boolean().default(true).nullable().optional(),
+  scannerProductEnabled: z.boolean().default(true).nullable().optional(),
+  shareSecretsProductEnabled: z.boolean().default(true).nullable().optional()
 });

 export type TOrganizations = z.infer<typeof OrganizationsSchema>;
--- a/backend/src/ee/routes/v1/gateway-router.ts
+++ b/backend/src/ee/routes/v1/gateway-router.ts
@@ -121,14 +121,7 @@ export const registerGatewayRouter = async (server: FastifyZodProvider) => {
            identity: z.object({
              name: z.string(),
              id: z.string()
-            }),
-            projects: z
-              .object({
-                name: z.string(),
-                id: z.string(),
-                slug: z.string()
-              })
-              .array()
+            })
          }).array()
        })
      }
@@ -158,17 +151,15 @@ export const registerGatewayRouter = async (server: FastifyZodProvider) => {
            identity: z.object({
              name: z.string(),
              id: z.string()
-            }),
-            projectGatewayId: z.string()
+            })
          }).array()
        })
      }
    },
    onRequest: verifyAuth([AuthMode.IDENTITY_ACCESS_TOKEN, AuthMode.JWT]),
    handler: async (req) => {
-      const gateways = await server.services.gateway.getProjectGateways({
-        projectId: req.params.projectId,
-        projectPermission: req.permission
+      const gateways = await server.services.gateway.listGateways({
+        orgPermission: req.permission
      });
      return { gateways };
    }
@@ -216,8 +207,7 @@ export const registerGatewayRouter = async (server: FastifyZodProvider) => {
        id: z.string()
      }),
      body: z.object({
-        name: slugSchema({ field: "name" }).optional(),
-        projectIds: z.string().array().optional()
+        name: slugSchema({ field: "name" }).optional()
      }),
      response: {
        200: z.object({
@@ -230,8 +220,7 @@ export const registerGatewayRouter = async (server: FastifyZodProvider) => {
      const gateway = await server.services.gateway.updateGatewayById({
        orgPermission: req.permission,
        id: req.params.id,
-        name: req.body.name,
-        projectIds: req.body.projectIds
+        name: req.body.name
      });
      return { gateway };
    }
--- a/backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts
+++ b/backend/src/ee/services/dynamic-secret/dynamic-secret-service.ts
@@ -17,7 +17,8 @@ import { TSecretFolderDALFactory } from "@app/services/secret-folder/secret-fold

 import { TDynamicSecretLeaseDALFactory } from "../dynamic-secret-lease/dynamic-secret-lease-dal";
 import { TDynamicSecretLeaseQueueServiceFactory } from "../dynamic-secret-lease/dynamic-secret-lease-queue";
-import { TProjectGatewayDALFactory } from "../gateway/project-gateway-dal";
+import { TGatewayDALFactory } from "../gateway/gateway-dal";
+import { OrgPermissionGatewayActions, OrgPermissionSubjects } from "../permission/org-permission";
 import { TDynamicSecretDALFactory } from "./dynamic-secret-dal";
 import {
  DynamicSecretStatus,
@@ -44,9 +45,9 @@ type TDynamicSecretServiceFactoryDep = {
  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
  folderDAL: Pick<TSecretFolderDALFactory, "findBySecretPath" | "findBySecretPathMultiEnv">;
  projectDAL: Pick<TProjectDALFactory, "findProjectBySlug">;
-  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
+  permissionService: Pick<TPermissionServiceFactory, "getProjectPermission" | "getOrgPermission">;
  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
-  projectGatewayDAL: Pick<TProjectGatewayDALFactory, "findOne">;
+  gatewayDAL: Pick<TGatewayDALFactory, "findOne" | "find">;
  resourceMetadataDAL: Pick<TResourceMetadataDALFactory, "insertMany" | "delete">;
 };

@@ -62,7 +63,7 @@ export const dynamicSecretServiceFactory = ({
  dynamicSecretQueueService,
  projectDAL,
  kmsService,
-  projectGatewayDAL,
+  gatewayDAL,
  resourceMetadataDAL
 }: TDynamicSecretServiceFactoryDep) => {
  const create = async ({
@@ -117,15 +118,31 @@ export const dynamicSecretServiceFactory = ({
    const inputs = await selectedProvider.validateProviderInputs(provider.inputs);

    let selectedGatewayId: string | null = null;
-    if (inputs && typeof inputs === "object" && "projectGatewayId" in inputs && inputs.projectGatewayId) {
-      const projectGatewayId = inputs.projectGatewayId as string;
+    if (inputs && typeof inputs === "object" && "gatewayId" in inputs && inputs.gatewayId) {
+      const gatewayId = inputs.gatewayId as string;

-      const projectGateway = await projectGatewayDAL.findOne({ id: projectGatewayId, projectId });
-      if (!projectGateway)
+      const [gateway] = await gatewayDAL.find({ id: gatewayId, orgId: actorOrgId });
+
+      if (!gateway) {
        throw new NotFoundError({
-          message: `Project gateway with ${projectGatewayId} not found`
+          message: `Gateway with ID ${gatewayId} not found`
        });
-      selectedGatewayId = projectGateway.id;
+      }
+
+      const { permission: orgPermission } = await permissionService.getOrgPermission(
+        actor,
+        actorId,
+        gateway.orgId,
+        actorAuthMethod,
+        actorOrgId
+      );
+
+      ForbiddenError.from(orgPermission).throwUnlessCan(
+        OrgPermissionGatewayActions.AttachGateways,
+        OrgPermissionSubjects.Gateway
+      );
+
+      selectedGatewayId = gateway.id;
    }

    const isConnected = await selectedProvider.validateConnection(provider.inputs);
@@ -146,7 +163,7 @@ export const dynamicSecretServiceFactory = ({
          defaultTTL,
          folderId: folder.id,
          name,
-          projectGatewayId: selectedGatewayId
+          gatewayId: selectedGatewayId
        },
        tx
      );
@@ -255,20 +272,30 @@ export const dynamicSecretServiceFactory = ({
    const updatedInput = await selectedProvider.validateProviderInputs(newInput);

    let selectedGatewayId: string | null = null;
-    if (
-      updatedInput &&
-      typeof updatedInput === "object" &&
-      "projectGatewayId" in updatedInput &&
-      updatedInput?.projectGatewayId
-    ) {
-      const projectGatewayId = updatedInput.projectGatewayId as string;
+    if (updatedInput && typeof updatedInput === "object" && "gatewayId" in updatedInput && updatedInput?.gatewayId) {
+      const gatewayId = updatedInput.gatewayId as string;

-      const projectGateway = await projectGatewayDAL.findOne({ id: projectGatewayId, projectId });
-      if (!projectGateway)
+      const [gateway] = await gatewayDAL.find({ id: gatewayId, orgId: actorOrgId });
+      if (!gateway) {
        throw new NotFoundError({
-          message: `Project gateway with ${projectGatewayId} not found`
+          message: `Gateway with ID ${gatewayId} not found`
        });
-      selectedGatewayId = projectGateway.id;
+      }
+
+      const { permission: orgPermission } = await permissionService.getOrgPermission(
+        actor,
+        actorId,
+        gateway.orgId,
+        actorAuthMethod,
+        actorOrgId
+      );
+
+      ForbiddenError.from(orgPermission).throwUnlessCan(
+        OrgPermissionGatewayActions.AttachGateways,
+        OrgPermissionSubjects.Gateway
+      );
+
+      selectedGatewayId = gateway.id;
    }

    const isConnected = await selectedProvider.validateConnection(newInput);
@@ -284,7 +311,7 @@ export const dynamicSecretServiceFactory = ({
          defaultTTL,
          name: newName ?? name,
          status: null,
-          projectGatewayId: selectedGatewayId
+          gatewayId: selectedGatewayId
        },
        tx
      );
--- a/backend/src/ee/services/dynamic-secret/providers/index.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/index.ts
@@ -18,7 +18,7 @@ import { SqlDatabaseProvider } from "./sql-database";
 import { TotpProvider } from "./totp";

 type TBuildDynamicSecretProviderDTO = {
-  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTls">;
+  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTlsByGatewayId">;
 };

 export const buildDynamicSecretProviders = ({
--- a/backend/src/ee/services/dynamic-secret/providers/models.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/models.ts
@@ -137,7 +137,7 @@ export const DynamicSecretSqlDBSchema = z.object({
  revocationStatement: z.string().trim(),
  renewStatement: z.string().trim().optional(),
  ca: z.string().optional(),
-  projectGatewayId: z.string().nullable().optional()
+  gatewayId: z.string().nullable().optional()
 });

 export const DynamicSecretCassandraSchema = z.object({
--- a/backend/src/ee/services/dynamic-secret/providers/sql-database.ts
+++ b/backend/src/ee/services/dynamic-secret/providers/sql-database.ts
@@ -112,14 +112,14 @@ const generateUsername = (provider: SqlProviders) => {
 };

 type TSqlDatabaseProviderDTO = {
-  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTls">;
+  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTlsByGatewayId">;
 };

 export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO): TDynamicProviderFns => {
  const validateProviderInputs = async (inputs: unknown) => {
    const providerInputs = await DynamicSecretSqlDBSchema.parseAsync(inputs);

-    const [hostIp] = await verifyHostInputValidity(providerInputs.host, Boolean(providerInputs.projectGatewayId));
+    const [hostIp] = await verifyHostInputValidity(providerInputs.host, Boolean(providerInputs.gatewayId));
    validateHandlebarTemplate("SQL creation", providerInputs.creationStatement, {
      allowedExpressions: (val) => ["username", "password", "expiration", "database"].includes(val)
    });
@@ -168,7 +168,7 @@ export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO)
    providerInputs: z.infer<typeof DynamicSecretSqlDBSchema>,
    gatewayCallback: (host: string, port: number) => Promise<void>
  ) => {
-    const relayDetails = await gatewayService.fnGetGatewayClientTls(providerInputs.projectGatewayId as string);
+    const relayDetails = await gatewayService.fnGetGatewayClientTlsByGatewayId(providerInputs.gatewayId as string);
    const [relayHost, relayPort] = relayDetails.relayAddress.split(":");
    await withGatewayProxy(
      async (port) => {
@@ -202,7 +202,7 @@ export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO)
      await db.destroy();
    };

-    if (providerInputs.projectGatewayId) {
+    if (providerInputs.gatewayId) {
      await gatewayProxyWrapper(providerInputs, gatewayCallback);
    } else {
      await gatewayCallback();
@@ -238,7 +238,7 @@ export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO)
        await db.destroy();
      }
    };
-    if (providerInputs.projectGatewayId) {
+    if (providerInputs.gatewayId) {
      await gatewayProxyWrapper(providerInputs, gatewayCallback);
    } else {
      await gatewayCallback();
@@ -265,7 +265,7 @@ export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO)
        await db.destroy();
      }
    };
-    if (providerInputs.projectGatewayId) {
+    if (providerInputs.gatewayId) {
      await gatewayProxyWrapper(providerInputs, gatewayCallback);
    } else {
      await gatewayCallback();
@@ -301,7 +301,7 @@ export const SqlDatabaseProvider = ({ gatewayService }: TSqlDatabaseProviderDTO)
        await db.destroy();
      }
    };
-    if (providerInputs.projectGatewayId) {
+    if (providerInputs.gatewayId) {
      await gatewayProxyWrapper(providerInputs, gatewayCallback);
    } else {
      await gatewayCallback();
--- a/backend/src/ee/services/gateway/gateway-dal.ts
+++ b/backend/src/ee/services/gateway/gateway-dal.ts
@@ -1,37 +1,34 @@
-import { Knex } from "knex";
-
 import { TDbClient } from "@app/db";
 import { GatewaysSchema, TableName, TGateways } from "@app/db/schemas";
 import { DatabaseError } from "@app/lib/errors";
-import {
-  buildFindFilter,
-  ormify,
-  selectAllTableCols,
-  sqlNestRelationships,
-  TFindFilter,
-  TFindOpt
-} from "@app/lib/knex";
+import { buildFindFilter, ormify, selectAllTableCols, TFindFilter, TFindOpt } from "@app/lib/knex";

 export type TGatewayDALFactory = ReturnType<typeof gatewayDALFactory>;

 export const gatewayDALFactory = (db: TDbClient) => {
  const orm = ormify(db, TableName.Gateway);

-  const find = async (filter: TFindFilter<TGateways>, { offset, limit, sort, tx }: TFindOpt<TGateways> = {}) => {
+  const find = async (
+    filter: TFindFilter<TGateways> & { orgId?: string },
+    { offset, limit, sort, tx }: TFindOpt<TGateways> = {}
+  ) => {
    try {
      const query = (tx || db)(TableName.Gateway)
        // eslint-disable-next-line @typescript-eslint/no-misused-promises
-        .where(buildFindFilter(filter))
+        .where(buildFindFilter(filter, TableName.Gateway, ["orgId"]))
        .join(TableName.Identity, `${TableName.Identity}.id`, `${TableName.Gateway}.identityId`)
-        .leftJoin(TableName.ProjectGateway, `${TableName.ProjectGateway}.gatewayId`, `${TableName.Gateway}.id`)
-        .leftJoin(TableName.Project, `${TableName.Project}.id`, `${TableName.ProjectGateway}.projectId`)
+        .join(
+          TableName.IdentityOrgMembership,
+          `${TableName.IdentityOrgMembership}.identityId`,
+          `${TableName.Gateway}.identityId`
+        )
        .select(selectAllTableCols(TableName.Gateway))
-        .select(
-          db.ref("name").withSchema(TableName.Identity).as("identityName"),
-          db.ref("name").withSchema(TableName.Project).as("projectName"),
-          db.ref("slug").withSchema(TableName.Project).as("projectSlug"),
-          db.ref("id").withSchema(TableName.Project).as("projectId")
-        );
+        .select(db.ref("orgId").withSchema(TableName.IdentityOrgMembership).as("identityOrgId"))
+        .select(db.ref("name").withSchema(TableName.Identity).as("identityName"));
+
+      if (filter.orgId) {
+        void query.where(`${TableName.IdentityOrgMembership}.orgId`, filter.orgId);
+      }
      if (limit) void query.limit(limit);
      if (offset) void query.offset(offset);
      if (sort) {
@@ -39,48 +36,16 @@ export const gatewayDALFactory = (db: TDbClient) => {
      }

      const docs = await query;
-      return sqlNestRelationships({
-        data: docs,
-        key: "id",
-        parentMapper: (data) => ({
-          ...GatewaysSchema.parse(data),
-          identity: { id: data.identityId, name: data.identityName }
-        }),
-        childrenMapper: [
-          {
-            key: "projectId",
-            label: "projects" as const,
-            mapper: ({ projectId, projectName, projectSlug }) => ({
-              id: projectId,
-              name: projectName,
-              slug: projectSlug
-            })
-          }
-        ]
-      });
+
+      return docs.map((el) => ({
+        ...GatewaysSchema.parse(el),
+        orgId: el.identityOrgId as string, // todo(daniel): figure out why typescript is not inferring this as a string
+        identity: { id: el.identityId, name: el.identityName }
+      }));
    } catch (error) {
      throw new DatabaseError({ error, name: `${TableName.Gateway}: Find` });
    }
  };

-  const findByProjectId = async (projectId: string, tx?: Knex) => {
-    try {
-      const query = (tx || db)(TableName.Gateway)
-        .join(TableName.Identity, `${TableName.Identity}.id`, `${TableName.Gateway}.identityId`)
-        .join(TableName.ProjectGateway, `${TableName.ProjectGateway}.gatewayId`, `${TableName.Gateway}.id`)
-        .select(selectAllTableCols(TableName.Gateway))
-        .select(
-          db.ref("name").withSchema(TableName.Identity).as("identityName"),
-          db.ref("id").withSchema(TableName.ProjectGateway).as("projectGatewayId")
-        )
-        .where({ [`${TableName.ProjectGateway}.projectId` as "projectId"]: projectId });
-
-      const docs = await query;
-      return docs.map((el) => ({ ...el, identity: { id: el.identityId, name: el.identityName } }));
-    } catch (error) {
-      throw new DatabaseError({ error, name: `${TableName.Gateway}: Find by project id` });
-    }
-  };
-
-  return { ...orm, find, findByProjectId };
+  return { ...orm, find };
 };
--- a/backend/src/ee/services/gateway/gateway-service.ts
+++ b/backend/src/ee/services/gateway/gateway-service.ts
@@ -4,7 +4,6 @@ import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";
 import { z } from "zod";

-import { ActionProjectType } from "@app/db/schemas";
 import { KeyStorePrefixes, PgSqlLock, TKeyStoreFactory } from "@app/keystore/keystore";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
@@ -27,17 +26,14 @@ import { TGatewayDALFactory } from "./gateway-dal";
 import {
  TExchangeAllocatedRelayAddressDTO,
  TGetGatewayByIdDTO,
-  TGetProjectGatewayByIdDTO,
  THeartBeatDTO,
  TListGatewaysDTO,
  TUpdateGatewayByIdDTO
 } from "./gateway-types";
 import { TOrgGatewayConfigDALFactory } from "./org-gateway-config-dal";
-import { TProjectGatewayDALFactory } from "./project-gateway-dal";

 type TGatewayServiceFactoryDep = {
  gatewayDAL: TGatewayDALFactory;
-  projectGatewayDAL: TProjectGatewayDALFactory;
  orgGatewayConfigDAL: Pick<TOrgGatewayConfigDALFactory, "findOne" | "create" | "transaction" | "findById">;
  licenseService: Pick<TLicenseServiceFactory, "onPremFeatures" | "getPlan">;
  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey" | "decryptWithRootKey">;
@@ -57,8 +53,7 @@ export const gatewayServiceFactory = ({
  kmsService,
  permissionService,
  orgGatewayConfigDAL,
-  keyStore,
-  projectGatewayDAL
+  keyStore
 }: TGatewayServiceFactoryDep) => {
  const $validateOrgAccessToGateway = async (orgId: string, actorId: string, actorAuthMethod: ActorAuthMethod) => {
    // if (!licenseService.onPremFeatures.gateway) {
@@ -526,7 +521,7 @@ export const gatewayServiceFactory = ({
    return gateway;
  };

-  const updateGatewayById = async ({ orgPermission, id, name, projectIds }: TUpdateGatewayByIdDTO) => {
+  const updateGatewayById = async ({ orgPermission, id, name }: TUpdateGatewayByIdDTO) => {
    const { permission } = await permissionService.getOrgPermission(
      orgPermission.type,
      orgPermission.id,
@@ -543,15 +538,6 @@ export const gatewayServiceFactory = ({

    const [gateway] = await gatewayDAL.update({ id, orgGatewayRootCaId: orgGatewayConfig.id }, { name });
    if (!gateway) throw new NotFoundError({ message: `Gateway with ID ${id} not found.` });
-    if (projectIds) {
-      await projectGatewayDAL.transaction(async (tx) => {
-        await projectGatewayDAL.delete({ gatewayId: gateway.id }, tx);
-        await projectGatewayDAL.insertMany(
-          projectIds.map((el) => ({ gatewayId: gateway.id, projectId: el })),
-          tx
-        );
-      });
-    }

    return gateway;
  };
@@ -576,27 +562,7 @@ export const gatewayServiceFactory = ({
    return gateway;
  };

-  const getProjectGateways = async ({ projectId, projectPermission }: TGetProjectGatewayByIdDTO) => {
-    await permissionService.getProjectPermission({
-      projectId,
-      actor: projectPermission.type,
-      actorId: projectPermission.id,
-      actorOrgId: projectPermission.orgId,
-      actorAuthMethod: projectPermission.authMethod,
-      actionProjectType: ActionProjectType.Any
-    });
-
-    const gateways = await gatewayDAL.findByProjectId(projectId);
-    return gateways;
-  };
-
-  // this has no permission check and used for dynamic secrets directly
-  // assumes permission check is already done
-  const fnGetGatewayClientTls = async (projectGatewayId: string) => {
-    const projectGateway = await projectGatewayDAL.findById(projectGatewayId);
-    if (!projectGateway) throw new NotFoundError({ message: `Project gateway with ID ${projectGatewayId} not found.` });
-
-    const { gatewayId } = projectGateway;
+  const fnGetGatewayClientTlsByGatewayId = async (gatewayId: string) => {
    const gateway = await gatewayDAL.findById(gatewayId);
    if (!gateway) throw new NotFoundError({ message: `Gateway with ID ${gatewayId} not found.` });

@@ -645,8 +611,7 @@ export const gatewayServiceFactory = ({
    getGatewayById,
    updateGatewayById,
    deleteGatewayById,
-    getProjectGateways,
-    fnGetGatewayClientTls,
+    fnGetGatewayClientTlsByGatewayId,
    heartbeat
  };
 };
--- a/backend/src/ee/services/gateway/gateway-types.ts
+++ b/backend/src/ee/services/gateway/gateway-types.ts
@@ -20,7 +20,6 @@ export type TGetGatewayByIdDTO = {
 export type TUpdateGatewayByIdDTO = {
  id: string;
  name?: string;
-  projectIds?: string[];
  orgPermission: OrgServiceActor;
 };

--- a/backend/src/ee/services/gateway/project-gateway-dal.ts
+++ b/backend/src/ee/services/gateway/project-gateway-dal.ts
@@ -1,10 +0,0 @@
-import { TDbClient } from "@app/db";
-import { TableName } from "@app/db/schemas";
-import { ormify } from "@app/lib/knex";
-
-export type TProjectGatewayDALFactory = ReturnType<typeof projectGatewayDALFactory>;
-
-export const projectGatewayDALFactory = (db: TDbClient) => {
-  const orm = ormify(db, TableName.ProjectGateway);
-  return orm;
-};
--- a/backend/src/ee/services/permission/org-permission.ts
+++ b/backend/src/ee/services/permission/org-permission.ts
@@ -41,7 +41,8 @@ export enum OrgPermissionGatewayActions {
  CreateGateways = "create-gateways",
  ListGateways = "list-gateways",
  EditGateways = "edit-gateways",
-  DeleteGateways = "delete-gateways"
+  DeleteGateways = "delete-gateways",
+  AttachGateways = "attach-gateways"
 }

 export enum OrgPermissionIdentityActions {
@@ -337,6 +338,7 @@ const buildAdminPermission = () => {
  can(OrgPermissionGatewayActions.CreateGateways, OrgPermissionSubjects.Gateway);
  can(OrgPermissionGatewayActions.EditGateways, OrgPermissionSubjects.Gateway);
  can(OrgPermissionGatewayActions.DeleteGateways, OrgPermissionSubjects.Gateway);
+  can(OrgPermissionGatewayActions.AttachGateways, OrgPermissionSubjects.Gateway);

  can(OrgPermissionAdminConsoleAction.AccessAllProjects, OrgPermissionSubjects.AdminConsole);

@@ -378,6 +380,7 @@ const buildMemberPermission = () => {
  can(OrgPermissionAppConnectionActions.Connect, OrgPermissionSubjects.AppConnections);
  can(OrgPermissionGatewayActions.ListGateways, OrgPermissionSubjects.Gateway);
  can(OrgPermissionGatewayActions.CreateGateways, OrgPermissionSubjects.Gateway);
+  can(OrgPermissionGatewayActions.AttachGateways, OrgPermissionSubjects.Gateway);

  return rules;
 };
--- a/backend/src/lib/api-docs/constants.ts
+++ b/backend/src/lib/api-docs/constants.ts
@@ -393,6 +393,7 @@ export const KUBERNETES_AUTH = {
    allowedNames: "The comma-separated list of trusted service account names that can authenticate with Infisical.",
    allowedAudience:
      "The optional audience claim that the service account JWT token must have to authenticate with Infisical.",
+    gatewayId: "The ID of the gateway to use when performing kubernetes API requests.",
    accessTokenTrustedIps: "The IPs or CIDR ranges that access tokens can be used from.",
    accessTokenTTL: "The lifetime for an access token in seconds.",
    accessTokenMaxTTL: "The maximum lifetime for an access token in seconds.",
@@ -409,6 +410,7 @@ export const KUBERNETES_AUTH = {
    allowedNames: "The new comma-separated list of trusted service account names that can authenticate with Infisical.",
    allowedAudience:
      "The new optional audience claim that the service account JWT token must have to authenticate with Infisical.",
+    gatewayId: "The ID of the gateway to use when performing kubernetes API requests.",
    accessTokenTrustedIps: "The new IPs or CIDR ranges that access tokens can be used from.",
    accessTokenTTL: "The new lifetime for an acccess token in seconds.",
    accessTokenMaxTTL: "The new maximum lifetime for an acccess token in seconds.",
--- a/backend/src/lib/gateway/index.ts
+++ b/backend/src/lib/gateway/index.ts
@@ -174,6 +174,8 @@ const setupProxyServer = async ({
  return new Promise((resolve, reject) => {
    const server = net.createServer();

+    let streamClosed = false;
+
    // eslint-disable-next-line @typescript-eslint/no-misused-promises
    server.on("connection", async (clientConn) => {
      try {
@@ -202,9 +204,15 @@ const setupProxyServer = async ({

            // Handle client connection close
            clientConn.on("end", () => {
-              writer.close().catch((err) => {
-                logger.error(err);
-              });
+              if (!streamClosed) {
+                try {
+                  writer.close().catch((err) => {
+                    logger.debug(err, "Error closing writer (already closed)");
+                  });
+                } catch (error) {
+                  logger.debug(error, "Error in writer close");
+                }
+              }
            });

            clientConn.on("error", (clientConnErr) => {
@@ -249,14 +257,29 @@ const setupProxyServer = async ({
        setupCopy();
        // Handle connection closure
        clientConn.on("close", () => {
-          stream.destroy().catch((err) => {
-            proxyErrorMsg.push((err as Error)?.message);
-          });
+          if (!streamClosed) {
+            streamClosed = true;
+            stream.destroy().catch((err) => {
+              logger.debug(err, "Stream already destroyed during close event");
+            });
+          }
        });

        const cleanup = async () => {
-          clientConn?.destroy();
-          await stream.destroy();
+          try {
+            clientConn?.destroy();
+          } catch (err) {
+            logger.debug(err, "Error destroying client connection");
+          }
+
+          if (!streamClosed) {
+            streamClosed = true;
+            try {
+              await stream.destroy();
+            } catch (err) {
+              logger.debug(err, "Error destroying stream (might be already closed)");
+            }
+          }
        };

        clientConn.on("error", (clientConnErr) => {
@@ -301,8 +324,17 @@ const setupProxyServer = async ({
        server,
        port: address.port,
        cleanup: async () => {
-          server.close();
-          await quicClient?.destroy();
+          try {
+            server.close();
+          } catch (err) {
+            logger.debug(err, "Error closing server");
+          }
+
+          try {
+            await quicClient?.destroy();
+          } catch (err) {
+            logger.debug(err, "Error destroying QUIC client");
+          }
        },
        getProxyError: () => proxyErrorMsg.join(",")
      });
@@ -320,10 +352,10 @@ interface ProxyOptions {
  orgId: string;
 }

-export const withGatewayProxy = async (
-  callback: (port: number) => Promise<void>,
+export const withGatewayProxy = async <T>(
+  callback: (port: number) => Promise<T>,
  options: ProxyOptions
-): Promise<void> => {
+): Promise<T> => {
  const { relayHost, relayPort, targetHost, targetPort, tlsOptions, identityId, orgId } = options;

  // Setup the proxy server
@@ -339,7 +371,7 @@ export const withGatewayProxy = async (

  try {
    // Execute the callback with the allocated port
-    await callback(port);
+    return await callback(port);
  } catch (err) {
    const proxyErrorMessage = getProxyError();
    if (proxyErrorMessage) {
--- a/backend/src/lib/knex/index.ts
+++ b/backend/src/lib/knex/index.ts
@@ -32,13 +32,13 @@ export const buildFindFilter =
  <R extends object = object>(
    { $in, $notNull, $search, $complex, ...filter }: TFindFilter<R>,
    tableName?: TableName,
-    excludeKeys?: Array<keyof R>
+    excludeKeys?: string[]
  ) =>
  (bd: Knex.QueryBuilder<R, R>) => {
    const processedFilter = tableName
      ? Object.fromEntries(
          Object.entries(filter)
-            .filter(([key]) => !excludeKeys || !excludeKeys.includes(key as keyof R))
+            .filter(([key]) => !excludeKeys || !excludeKeys.includes(key))
            .map(([key, value]) => [`${tableName}.${key}`, value])
        )
      : filter;
--- a/backend/src/server/routes/index.ts
+++ b/backend/src/server/routes/index.ts
@@ -32,7 +32,6 @@ import { externalKmsServiceFactory } from "@app/ee/services/external-kms/externa
 import { gatewayDALFactory } from "@app/ee/services/gateway/gateway-dal";
 import { gatewayServiceFactory } from "@app/ee/services/gateway/gateway-service";
 import { orgGatewayConfigDALFactory } from "@app/ee/services/gateway/org-gateway-config-dal";
-import { projectGatewayDALFactory } from "@app/ee/services/gateway/project-gateway-dal";
 import { githubOrgSyncDALFactory } from "@app/ee/services/github-org-sync/github-org-sync-dal";
 import { githubOrgSyncServiceFactory } from "@app/ee/services/github-org-sync/github-org-sync-service";
 import { groupDALFactory } from "@app/ee/services/group/group-dal";
@@ -439,7 +438,6 @@ export const registerRoutes = async (

  const orgGatewayConfigDAL = orgGatewayConfigDALFactory(db);
  const gatewayDAL = gatewayDALFactory(db);
-  const projectGatewayDAL = projectGatewayDALFactory(db);
  const secretReminderRecipientsDAL = secretReminderRecipientsDALFactory(db);
  const githubOrgSyncDAL = githubOrgSyncDALFactory(db);

@@ -1422,12 +1420,24 @@ export const registerRoutes = async (
    identityUaDAL,
    licenseService
  });
+
+  const gatewayService = gatewayServiceFactory({
+    permissionService,
+    gatewayDAL,
+    kmsService,
+    licenseService,
+    orgGatewayConfigDAL,
+    keyStore
+  });
+
  const identityKubernetesAuthService = identityKubernetesAuthServiceFactory({
    identityKubernetesAuthDAL,
    identityOrgMembershipDAL,
    identityAccessTokenDAL,
    permissionService,
    licenseService,
+    gatewayService,
+    gatewayDAL,
    kmsService
  });
  const identityGcpAuthService = identityGcpAuthServiceFactory({
@@ -1490,16 +1500,6 @@ export const registerRoutes = async (
    identityDAL
  });

-  const gatewayService = gatewayServiceFactory({
-    permissionService,
-    gatewayDAL,
-    kmsService,
-    licenseService,
-    orgGatewayConfigDAL,
-    keyStore,
-    projectGatewayDAL
-  });
-
  const dynamicSecretProviders = buildDynamicSecretProviders({
    gatewayService
  });
@@ -1521,7 +1521,7 @@ export const registerRoutes = async (
    permissionService,
    licenseService,
    kmsService,
-    projectGatewayDAL,
+    gatewayDAL,
    resourceMetadataDAL
  });

--- a/backend/src/server/routes/v1/identity-kubernetes-auth-router.ts
+++ b/backend/src/server/routes/v1/identity-kubernetes-auth-router.ts
@@ -3,6 +3,7 @@ import { z } from "zod";
 import { IdentityKubernetesAuthsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { ApiDocsTags, KUBERNETES_AUTH } from "@app/lib/api-docs";
+import { CharacterType, characterValidator } from "@app/lib/validator/validate-string";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -21,7 +22,8 @@ const IdentityKubernetesAuthResponseSchema = IdentityKubernetesAuthsSchema.pick(
  kubernetesHost: true,
  allowedNamespaces: true,
  allowedNames: true,
-  allowedAudience: true
+  allowedAudience: true,
+  gatewayId: true
 }).extend({
  caCert: z.string(),
  tokenReviewerJwt: z.string().optional().nullable()
@@ -100,12 +102,30 @@ export const registerIdentityKubernetesRouter = async (server: FastifyZodProvide
      }),
      body: z
        .object({
-          kubernetesHost: z.string().trim().min(1).describe(KUBERNETES_AUTH.ATTACH.kubernetesHost),
+          kubernetesHost: z
+            .string()
+            .trim()
+            .min(1)
+            .describe(KUBERNETES_AUTH.ATTACH.kubernetesHost)
+            .refine(
+              (val) =>
+                characterValidator([
+                  CharacterType.Alphabets,
+                  CharacterType.Numbers,
+                  CharacterType.Colon,
+                  CharacterType.Period,
+                  CharacterType.ForwardSlash
+                ])(val),
+              {
+                message: "Kubernetes host must only contain alphabets, numbers, colons, periods, and forward slashes."
+              }
+            ),
          caCert: z.string().trim().default("").describe(KUBERNETES_AUTH.ATTACH.caCert),
          tokenReviewerJwt: z.string().trim().optional().describe(KUBERNETES_AUTH.ATTACH.tokenReviewerJwt),
          allowedNamespaces: z.string().describe(KUBERNETES_AUTH.ATTACH.allowedNamespaces), // TODO: validation
          allowedNames: z.string().describe(KUBERNETES_AUTH.ATTACH.allowedNames),
          allowedAudience: z.string().describe(KUBERNETES_AUTH.ATTACH.allowedAudience),
+          gatewayId: z.string().uuid().optional().nullable().describe(KUBERNETES_AUTH.ATTACH.gatewayId),
          accessTokenTrustedIps: z
            .object({
              ipAddress: z.string().trim()
@@ -199,12 +219,34 @@ export const registerIdentityKubernetesRouter = async (server: FastifyZodProvide
      }),
      body: z
        .object({
-          kubernetesHost: z.string().trim().min(1).optional().describe(KUBERNETES_AUTH.UPDATE.kubernetesHost),
+          kubernetesHost: z
+            .string()
+            .trim()
+            .min(1)
+            .optional()
+            .describe(KUBERNETES_AUTH.UPDATE.kubernetesHost)
+            .refine(
+              (val) => {
+                if (!val) return true;
+
+                return characterValidator([
+                  CharacterType.Alphabets,
+                  CharacterType.Numbers,
+                  CharacterType.Colon,
+                  CharacterType.Period,
+                  CharacterType.ForwardSlash
+                ])(val);
+              },
+              {
+                message: "Kubernetes host must only contain alphabets, numbers, colons, periods, and forward slashes."
+              }
+            ),
          caCert: z.string().trim().optional().describe(KUBERNETES_AUTH.UPDATE.caCert),
          tokenReviewerJwt: z.string().trim().nullable().optional().describe(KUBERNETES_AUTH.UPDATE.tokenReviewerJwt),
          allowedNamespaces: z.string().optional().describe(KUBERNETES_AUTH.UPDATE.allowedNamespaces), // TODO: validation
          allowedNames: z.string().optional().describe(KUBERNETES_AUTH.UPDATE.allowedNames),
          allowedAudience: z.string().optional().describe(KUBERNETES_AUTH.UPDATE.allowedAudience),
+          gatewayId: z.string().uuid().optional().nullable().describe(KUBERNETES_AUTH.UPDATE.gatewayId),
          accessTokenTrustedIps: z
            .object({
              ipAddress: z.string().trim()
--- a/backend/src/server/routes/v1/organization-router.ts
+++ b/backend/src/server/routes/v1/organization-router.ts
@@ -275,7 +275,13 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
            },
            { message: "Duration value must be at least 1" }
          )
-          .optional()
+          .optional(),
+        secretsProductEnabled: z.boolean().optional(),
+        pkiProductEnabled: z.boolean().optional(),
+        kmsProductEnabled: z.boolean().optional(),
+        sshProductEnabled: z.boolean().optional(),
+        scannerProductEnabled: z.boolean().optional(),
+        shareSecretsProductEnabled: z.boolean().optional()
      }),
      response: {
        200: z.object({
--- a/backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-service.ts
+++ b/backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-service.ts
@@ -4,8 +4,14 @@ import https from "https";
 import jwt from "jsonwebtoken";

 import { IdentityAuthMethod, TIdentityKubernetesAuthsUpdate } from "@app/db/schemas";
+import { TGatewayDALFactory } from "@app/ee/services/gateway/gateway-dal";
+import { TGatewayServiceFactory } from "@app/ee/services/gateway/gateway-service";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
-import { OrgPermissionIdentityActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
+import {
+  OrgPermissionGatewayActions,
+  OrgPermissionIdentityActions,
+  OrgPermissionSubjects
+} from "@app/ee/services/permission/org-permission";
 import {
  constructPermissionErrorMessage,
  validatePrivilegeChangeOperation
@@ -13,6 +19,7 @@ import {
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, NotFoundError, PermissionBoundaryError, UnauthorizedError } from "@app/lib/errors";
+import { withGatewayProxy } from "@app/lib/gateway";
 import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";

 import { ActorType, AuthTokenType } from "../auth/auth-type";
@@ -43,6 +50,8 @@ type TIdentityKubernetesAuthServiceFactoryDep = {
  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
+  gatewayService: TGatewayServiceFactory;
+  gatewayDAL: Pick<TGatewayDALFactory, "find">;
 };

 export type TIdentityKubernetesAuthServiceFactory = ReturnType<typeof identityKubernetesAuthServiceFactory>;
@@ -53,8 +62,45 @@ export const identityKubernetesAuthServiceFactory = ({
  identityAccessTokenDAL,
  permissionService,
  licenseService,
+  gatewayService,
+  gatewayDAL,
  kmsService
 }: TIdentityKubernetesAuthServiceFactoryDep) => {
+  const $gatewayProxyWrapper = async <T>(
+    inputs: {
+      gatewayId: string;
+      targetHost: string;
+      targetPort: number;
+    },
+    gatewayCallback: (host: string, port: number) => Promise<T>
+  ): Promise<T> => {
+    const relayDetails = await gatewayService.fnGetGatewayClientTlsByGatewayId(inputs.gatewayId);
+    const [relayHost, relayPort] = relayDetails.relayAddress.split(":");
+
+    const callbackResult = await withGatewayProxy(
+      async (port) => {
+        // Needs to be https protocol or the kubernetes API server will fail with "Client sent an HTTP request to an HTTPS server"
+        const res = await gatewayCallback("https://localhost", port);
+        return res;
+      },
+      {
+        targetHost: inputs.targetHost,
+        targetPort: inputs.targetPort,
+        relayHost,
+        relayPort: Number(relayPort),
+        identityId: relayDetails.identityId,
+        orgId: relayDetails.orgId,
+        tlsOptions: {
+          ca: relayDetails.certChain,
+          cert: relayDetails.certificate,
+          key: relayDetails.privateKey.toString()
+        }
+      }
+    );
+
+    return callbackResult;
+  };
+
  const login = async ({ identityId, jwt: serviceAccountJwt }: TLoginKubernetesAuthDTO) => {
    const identityKubernetesAuth = await identityKubernetesAuthDAL.findOne({ identityId });
    if (!identityKubernetesAuth) {
@@ -92,46 +138,65 @@ export const identityKubernetesAuthServiceFactory = ({
      tokenReviewerJwt = serviceAccountJwt;
    }

-    const { data } = await axios
-      .post<TCreateTokenReviewResponse>(
-        `${identityKubernetesAuth.kubernetesHost}/apis/authentication.k8s.io/v1/tokenreviews`,
-        {
-          apiVersion: "authentication.k8s.io/v1",
-          kind: "TokenReview",
-          spec: {
-            token: serviceAccountJwt,
-            ...(identityKubernetesAuth.allowedAudience ? { audiences: [identityKubernetesAuth.allowedAudience] } : {})
-          }
-        },
-        {
-          headers: {
-            "Content-Type": "application/json",
-            Authorization: `Bearer ${tokenReviewerJwt}`
-          },
-          signal: AbortSignal.timeout(10000),
-          timeout: 10000,
-          // if ca cert, rejectUnauthorized: true
-          httpsAgent: new https.Agent({
-            ca: caCert,
-            rejectUnauthorized: !!caCert
-          })
-        }
-      )
-      .catch((err) => {
-        if (err instanceof AxiosError) {
-          if (err.response) {
-            const { message } = err?.response?.data as unknown as { message?: string };
+    const tokenReviewCallback = async (host: string = identityKubernetesAuth.kubernetesHost, port?: number) => {
+      const baseUrl = port ? `${host}:${port}` : host;

-            if (message) {
-              throw new UnauthorizedError({
-                message,
-                name: "KubernetesTokenReviewRequestError"
-              });
+      const res = await axios
+        .post<TCreateTokenReviewResponse>(
+          `${baseUrl}/apis/authentication.k8s.io/v1/tokenreviews`,
+          {
+            apiVersion: "authentication.k8s.io/v1",
+            kind: "TokenReview",
+            spec: {
+              token: serviceAccountJwt,
+              ...(identityKubernetesAuth.allowedAudience ? { audiences: [identityKubernetesAuth.allowedAudience] } : {})
+            }
+          },
+          {
+            headers: {
+              "Content-Type": "application/json",
+              Authorization: `Bearer ${tokenReviewerJwt}`
+            },
+            signal: AbortSignal.timeout(10000),
+            timeout: 10000,
+            // if ca cert, rejectUnauthorized: true
+            httpsAgent: new https.Agent({
+              ca: caCert,
+              rejectUnauthorized: !!caCert
+            })
+          }
+        )
+        .catch((err) => {
+          if (err instanceof AxiosError) {
+            if (err.response) {
+              const { message } = err?.response?.data as unknown as { message?: string };
+
+              if (message) {
+                throw new UnauthorizedError({
+                  message,
+                  name: "KubernetesTokenReviewRequestError"
+                });
+              }
            }
          }
-        }
-        throw err;
-      });
+          throw err;
+        });
+
+      return res.data;
+    };
+
+    const [k8sHost, k8sPort] = identityKubernetesAuth.kubernetesHost.split(":");
+
+    const data = identityKubernetesAuth.gatewayId
+      ? await $gatewayProxyWrapper(
+          {
+            gatewayId: identityKubernetesAuth.gatewayId,
+            targetHost: k8sHost,
+            targetPort: k8sPort ? Number(k8sPort) : 443
+          },
+          tokenReviewCallback
+        )
+      : await tokenReviewCallback();

    if ("error" in data.status)
      throw new UnauthorizedError({ message: data.status.error, name: "KubernetesTokenReviewError" });
@@ -222,6 +287,7 @@ export const identityKubernetesAuthServiceFactory = ({

  const attachKubernetesAuth = async ({
    identityId,
+    gatewayId,
    kubernetesHost,
    caCert,
    tokenReviewerJwt,
@@ -280,6 +346,27 @@ export const identityKubernetesAuthServiceFactory = ({
      return extractIPDetails(accessTokenTrustedIp.ipAddress);
    });

+    if (gatewayId) {
+      const [gateway] = await gatewayDAL.find({ id: gatewayId, orgId: identityMembershipOrg.orgId });
+      if (!gateway) {
+        throw new NotFoundError({
+          message: `Gateway with ID ${gatewayId} not found`
+        });
+      }
+
+      const { permission: orgPermission } = await permissionService.getOrgPermission(
+        actor,
+        actorId,
+        identityMembershipOrg.orgId,
+        actorAuthMethod,
+        actorOrgId
+      );
+      ForbiddenError.from(orgPermission).throwUnlessCan(
+        OrgPermissionGatewayActions.AttachGateways,
+        OrgPermissionSubjects.Gateway
+      );
+    }
+
    const { encryptor } = await kmsService.createCipherPairWithDataKey({
      type: KmsDataKey.Organization,
      orgId: identityMembershipOrg.orgId
@@ -296,6 +383,7 @@ export const identityKubernetesAuthServiceFactory = ({
          accessTokenMaxTTL,
          accessTokenTTL,
          accessTokenNumUsesLimit,
+          gatewayId,
          accessTokenTrustedIps: JSON.stringify(reformattedAccessTokenTrustedIps),
          encryptedKubernetesTokenReviewerJwt: tokenReviewerJwt
            ? encryptor({ plainText: Buffer.from(tokenReviewerJwt) }).cipherTextBlob
@@ -318,6 +406,7 @@ export const identityKubernetesAuthServiceFactory = ({
    allowedNamespaces,
    allowedNames,
    allowedAudience,
+    gatewayId,
    accessTokenTTL,
    accessTokenMaxTTL,
    accessTokenNumUsesLimit,
@@ -373,11 +462,33 @@ export const identityKubernetesAuthServiceFactory = ({
      return extractIPDetails(accessTokenTrustedIp.ipAddress);
    });

+    if (gatewayId) {
+      const [gateway] = await gatewayDAL.find({ id: gatewayId, orgId: identityMembershipOrg.orgId });
+      if (!gateway) {
+        throw new NotFoundError({
+          message: `Gateway with ID ${gatewayId} not found`
+        });
+      }
+
+      const { permission: orgPermission } = await permissionService.getOrgPermission(
+        actor,
+        actorId,
+        identityMembershipOrg.orgId,
+        actorAuthMethod,
+        actorOrgId
+      );
+      ForbiddenError.from(orgPermission).throwUnlessCan(
+        OrgPermissionGatewayActions.AttachGateways,
+        OrgPermissionSubjects.Gateway
+      );
+    }
+
    const updateQuery: TIdentityKubernetesAuthsUpdate = {
      kubernetesHost,
      allowedNamespaces,
      allowedNames,
      allowedAudience,
+      gatewayId,
      accessTokenMaxTTL,
      accessTokenTTL,
      accessTokenNumUsesLimit,
--- a/backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-types.ts
+++ b/backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-types.ts
@@ -13,6 +13,7 @@ export type TAttachKubernetesAuthDTO = {
  allowedNamespaces: string;
  allowedNames: string;
  allowedAudience: string;
+  gatewayId?: string | null;
  accessTokenTTL: number;
  accessTokenMaxTTL: number;
  accessTokenNumUsesLimit: number;
@@ -28,6 +29,7 @@ export type TUpdateKubernetesAuthDTO = {
  allowedNamespaces?: string;
  allowedNames?: string;
  allowedAudience?: string;
+  gatewayId?: string | null;
  accessTokenTTL?: number;
  accessTokenMaxTTL?: number;
  accessTokenNumUsesLimit?: number;
--- a/backend/src/services/org/org-schema.ts
+++ b/backend/src/services/org/org-schema.ts
@@ -18,5 +18,11 @@ export const sanitizedOrganizationSchema = OrganizationsSchema.pick({
  privilegeUpgradeInitiatedByUsername: true,
  privilegeUpgradeInitiatedAt: true,
  bypassOrgAuthEnabled: true,
-  userTokenExpiration: true
+  userTokenExpiration: true,
+  secretsProductEnabled: true,
+  pkiProductEnabled: true,
+  kmsProductEnabled: true,
+  sshProductEnabled: true,
+  scannerProductEnabled: true,
+  shareSecretsProductEnabled: true
 });
--- a/backend/src/services/org/org-service.ts
+++ b/backend/src/services/org/org-service.ts
@@ -355,7 +355,13 @@ export const orgServiceFactory = ({
      selectedMfaMethod,
      allowSecretSharingOutsideOrganization,
      bypassOrgAuthEnabled,
-      userTokenExpiration
+      userTokenExpiration,
+      secretsProductEnabled,
+      pkiProductEnabled,
+      kmsProductEnabled,
+      sshProductEnabled,
+      scannerProductEnabled,
+      shareSecretsProductEnabled
    }
  }: TUpdateOrgDTO) => {
    const appCfg = getConfig();
@@ -457,7 +463,13 @@ export const orgServiceFactory = ({
      selectedMfaMethod,
      allowSecretSharingOutsideOrganization,
      bypassOrgAuthEnabled,
-      userTokenExpiration
+      userTokenExpiration,
+      secretsProductEnabled,
+      pkiProductEnabled,
+      kmsProductEnabled,
+      sshProductEnabled,
+      scannerProductEnabled,
+      shareSecretsProductEnabled
    });
    if (!org) throw new NotFoundError({ message: `Organization with ID '${orgId}' not found` });
    return org;
--- a/backend/src/services/org/org-types.ts
+++ b/backend/src/services/org/org-types.ts
@@ -75,6 +75,12 @@ export type TUpdateOrgDTO = {
    allowSecretSharingOutsideOrganization: boolean;
    bypassOrgAuthEnabled: boolean;
    userTokenExpiration: string;
+    secretsProductEnabled: boolean;
+    pkiProductEnabled: boolean;
+    kmsProductEnabled: boolean;
+    sshProductEnabled: boolean;
+    scannerProductEnabled: boolean;
+    shareSecretsProductEnabled: boolean;
  }>;
 } & TOrgPermission;

--- a/backend/src/services/secret-sync/secret-sync-schemas.ts
+++ b/backend/src/services/secret-sync/secret-sync-schemas.ts
@@ -28,9 +28,9 @@ const BaseSyncOptionsSchema = <T extends AnyZodObject | undefined = undefined>({
    keySchema: z
      .string()
      .optional()
-      .refine((val) => !val || new RE2(/^(?:[a-zA-Z0-9\-/]*)(?:\{\{secretKey\}\})(?:[a-zA-Z0-9\-/]*)$/).test(val), {
+      .refine((val) => !val || new RE2(/^(?:[a-zA-Z0-9_\-/]*)(?:\{\{secretKey\}\})(?:[a-zA-Z0-9_\-/]*)$/).test(val), {
        message:
-          "Key schema must include one {{secretKey}} and only contain letters, numbers, dashes, slashes, and the {{secretKey}} placeholder."
+          "Key schema must include one {{secretKey}} and only contain letters, numbers, dashes, underscores, slashes, and the {{secretKey}} placeholder."
      })
      .describe(SecretSyncs.SYNC_OPTIONS(destination).keySchema),
    disableSecretDeletion: z.boolean().optional().describe(SecretSyncs.SYNC_OPTIONS(destination).disableSecretDeletion)
--- a/docs/documentation/platform/gateways/overview.mdx
+++ b/docs/documentation/platform/gateways/overview.mdx
@@ -158,14 +158,4 @@ Once authenticated, the Gateway establishes a secure connection with Infisical t
    To confirm your Gateway is working, check the deployment status by looking for the message **"Gateway started successfully"** in the Gateway logs. This indicates the Gateway is running properly. Next, verify its registration by opening your Infisical dashboard, navigating to **Organization Access Control**, and selecting the **Gateways** tab. Your newly deployed Gateway should appear in the list.
    ![Gateway List](../../../images/platform/gateways/gateway-list.png)
  </Step>
-
- <Step title="Link Gateway to Projects">
-    To enable Infisical features like dynamic secrets or secret rotation to access private resources through the Gateway, you need to link the Gateway to the relevant projects. 
-    
-    Start by accessing the **Gateway settings** then locate the Gateway in the list, click the options menu (**:**), and select **Edit Details**. 
-    ![Edit Gateway Option](../../../images/platform/gateways/edit-gateway.png) 
-    In the edit modal that appears, choose the projects you want the Gateway to access and click **Save** to confirm your selections. 
-    ![Project Assignment Modal](../../../images/platform/gateways/assign-project.png) 
-    Once added to a project, the Gateway becomes available for use by any feature that supports Gateways within that project.
-  </Step>
 </Steps>
--- a/docs/integrations/platforms/kubernetes-csi.mdx
+++ b/docs/integrations/platforms/kubernetes-csi.mdx
@@ -1,6 +1,6 @@
 ---
 title: "Kubernetes CSI"
-description: "How to use Infisical to inject secrets directly into Kubernetes pods."
+description: "How to use the Infisical Kubernetes CSI provider to inject secrets directly into Kubernetes pods."
 ---

 ## Overview
@@ -15,9 +15,9 @@ flowchart LR
        CSP --> CSD(Secrets Store CSI Driver)
    end

-    subgraph Application
+    subgraph Pod
        CSD --> V(Volume)
-        V <--> P(Pod)
+        V <--> P(Application)
    end

 ```
--- a/docs/integrations/platforms/kubernetes-injector.mdx
+++ b/docs/integrations/platforms/kubernetes-injector.mdx
@@ -0,0 +1,317 @@
+---
+title: "Kubernetes Agent Injector"
+description: "How to use the Infisical Kubernetes Agent Injector to inject secrets directly into Kubernetes pods."
+---
+
+## Overview
+
+The Infisical Kubernetes Agent Injector allows you to inject secrets directly into your Kubernetes pods. The Injector will create a [Infisical Agent](/integrations/platforms/infisical-agent) container within your pod that syncs secrets from Infisical into a shared volume mount within your pod.
+
+
+The Infisical Agent Injector will patch and modify your pod's deployment to contain an [Infisical Agent](/integrations/platforms/infisical-agent) container which renders your Infisical secrets into a shared volume mount within your pod.
+
+The Infisical Agent Injector is built on [Kubernetes Mutating Admission Webhooks](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers), and will watch for `CREATE` and `UPDATE` events on pods in your cluster.
+The injector is namespace-agnostic, and will watch for pods in any namespace, but will only patch pods that have the `org.infisical.com/inject` annotation set to `true`.
+
+
+```mermaid
+flowchart LR
+    subgraph Secrets Management
+        SS(Infisical) --> INJ(Infisical Injector)
+    end
+
+    subgraph Pod
+        INJ --> INIT(Agent Init Container)
+        INIT --> V(Volume)
+        V <--> P(Application)
+    end
+    
+```
+
+## Install the Infisical Agent Injector
+
+To install the Infisical Agent Injector, you will need to install our helm charts using [Helm](https://helm.sh/).
+
+```bash
+helm repo add infisical-helm-charts 'https://dl.cloudsmith.io/public/infisical/helm-charts/helm/charts/'
+helm repo update
+helm install --generate-name infisical-helm-charts/infisical-agent-injector
+```
+
+After installing the helm chart you can verify that the injector is running and working as intended by checking the logs of the injector pod.
+```bash
+$ kubectl logs deployment/infisical-agent-injector 
+2025/05/19 14:20:05 Starting infisical-agent-injector...
+2025/05/19 14:20:05 Generating self-signed certificate...
+2025/05/19 14:20:06 Creating directory: /tmp/tls
+2025/05/19 14:20:06 Writing cert to: /tmp/tls/tls.crt
+2025/05/19 14:20:06 Writing key to: /tmp/tls/tls.key
+2025/05/19 14:20:06 Starting HTTPS server on port 8585...
+2025/05/19 14:20:06 Attempting to update webhook config (attempt 1)...
+2025/05/19 14:20:06 Successfully updated webhook configuration with CA bundle
+```
+
+## Supported annotations
+
+The Infisical Agent Injector supports the following annotations:
+
+<Accordion title="org.infisical.com/inject">
+  The inject annotation is used to enable the injector on a pod. Set the value to `true` and the pod will be patched with an Infisical Agent container on update or create.
+</Accordion>
+<Accordion title="org.infisical.com/inject-mode">
+  The inject mode annotation is used to specify the mode to use to inject the secrets into the pod. Currently only `init` mode is supported.
+
+  - `init`: The init method will create an init container for the pod that will render the secrets into a shared volume mount within the pod. The agent init container will run before any other containers in the pod runs, including other init containers.
+</Accordion>
+<Accordion title="org.infisical.com/agent-config-map">
+  The agent config map annotation is used to specify the name of the config map that contains the configuration for the injector. The config map must be in the same namespace as the pod.
+</Accordion>
+
+## ConfigMap Configuration
+
+### Supported Fields
+
+When you are configuring a pod to use the injector, you must create a config map in the same namespace as the pod you want to inject secrets into.
+The entire config needs to be of string format and needs to be assigned to the `config.yaml` key in the config map. You can find a full example of the config at the end of this section.
+
+<Accordion title="infisical.address">
+  The address of your Infisical instance. This field is optional and will default to `https://app.infisical.com` if not provided.
+</Accordion>
+
+<Accordion title="infisical.auth.type">
+  The authentication type to use to connect to Infisical. Currently only the `kubernetes` authentication type is supported.
+  You can refer to our [Kubernetes Auth](/documentation/platform/identities/kubernetes-auth) documentation for more information on how to create a machine identity for Kubernetes Auth.
+  Please note that the pod's default service account will be used to authenticate with Infisical.
+</Accordion>
+
+<Accordion title="infisical.auth.config.identity-id">
+  The ID of the machine identity to use to connect to Infisical. This field is required if the `infisical.auth.type` is set to `kubernetes`.
+</Accordion>
+
+<Accordion title="templates[]">
+The templates hold an array of templates that will be rendered and injected into the pod.
+</Accordion>
+
+<Accordion title="templates[].destination-path">
+  The path to inject the secrets into within the pod.
+  If not specified, this will default to `/shared/infisical-secrets`. If you have multiple templates and don't provide a destination path, the destination paths will default to `/shared/infisical-secrets-1`, `/shared/infisical-secrets-2`, etc.
+</Accordion>
+
+<Accordion title="templates[].template-content">
+  The content of the template to render.
+  This will be rendered as a [Go Template](https://pkg.go.dev/text/template) and will have access to the following variables.
+  It follows the templating format and supports the same functions as the [Infisical Agent](/integrations/platforms/infisical-agent#quick-start-infisical-agent)
+</Accordion>
+
+
+### Authentication
+The Infisical Agent Injector only supports Machine Identity [Kubernetes Auth](/documentation/platform/identities/kubernetes-auth) authentication at the moment.
+
+To configure Kubernetes Auth, you need to set the `auth.type` field to `kubernetes` and set the `auth.config.identity-id` to the ID of the machine identity you wish to use for authentication.
+
+```yaml
+auth:
+  type: "kubernetes"
+  config:
+    identity-id: "<your-infisical-machine-identity-id>"
+```
+
+### Example ConfigMap
+```yaml config-map.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: demo-config-map
+data:
+  config.yaml: |
+    infisical:
+      address: "https://app.infisical.com"
+      auth:
+        type: "kubernetes"
+        config:
+          identity-id: "<your-infisical-machine-identity-id>"
+    templates:
+      - destination-path: "/path/to/save/secrets/file.txt"
+        template-content: |
+          {{- with secret "<your-project-id>" "dev" "/" }}
+          {{- range . }}
+          {{ .Key }}={{ .Value }}
+          {{- end }}
+          {{- end }}
+```
+
+```bash
+kubectl apply -f config-map.yaml
+```
+
+To use the config map in your pod, you will need to add the `org.infisical.com/agent-config-map` annotation to your pod's deployment. The value of the annotation is the name of the config map you created above.
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: demo
+  labels:
+    app: demo
+  annotations:
+    org.infisical.com/inject: "true" # Set to true for the injector to patch the pod on create/update events
+    org.infisical.com/inject-mode: "init" # The mode to use to inject the secrets into the pod. Currently only `init` mode is supported.
+    org.infisical.com/agent-config-map: "name-of-config-map" # The name of the config map that you created above, which contains all the settings for injecting the secrets into the pod
+spec:
+  # ...
+```
+
+
+## Quick Start
+In this section we'll walk through a full example of how to inject secrets into a pod using the Infisical Agent Injector.
+In this example we'll create a basic nginx deployment and print a Infisical secret called `API_KEY` to the container logs.
+
+### Create secrets in Infisical
+First you'll need to create the secret in Infisical.
+
+- `API_KEY`: The API key to use for the nginx deployment.
+
+Once you've created the secret, save your project ID, environment slug, and secret path, as these will be used in the next step.
+
+### Configuration
+To use the injector you must create a config map in the same namespace as the pod you want to inject secrets into. In this example we'll create a config map in the `test-namespace` namespace.
+
+The agent injector will authenticate with Infisical using a [Kubernetes Auth](/documentation/platform/identities/kubernetes-auth) machine identity. Please follow the [instructions](/documentation/platform/identities/kubernetes-auth) to create a machine identity configured for Kubernetes Auth.
+The agent injector will use the service account token of the pod to authenticate with Infisical.
+
+The `template-content` will be rendered as a [Go Template](https://pkg.go.dev/text/template) and will have access to the following variables. It follows the templating format and supports the same functions as the [Infisical Agent](/integrations/platforms/infisical-agent#quick-start-infisical-agent)
+The `destination-path` refers to the path within the pod that the secrets will be injected into. In this case we're injecting the secrets into a file called `/infisical/secrets`.
+
+
+Replace the `<your-project-id>`, `<your-environment-slug>`, with your project ID and the environment slug of where you created your secrets in Infisical. Replace `<your-infisical-machine-identity-id>` with the ID of your machine identity configured for Kubernetes Auth.
+```yaml config-map.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nginx-infisical-config-map
+  namespace: test-namespace
+data:
+  config.yaml: |
+    infisical:
+      address: "https://app.infisical.com"
+      auth:
+        type: "kubernetes"
+        config:
+          identity-id: "<your-infisical-machine-identity-id>"
+    templates:
+      - destination-path: "/infisical/secrets"
+        template-content: |
+          {{- with secret "<your-project-id>" "<your-environment-slug>" "/" }}
+          {{- range . }}
+          {{ .Key }}={{ .Value }}
+          {{- end }}
+          {{- end }}
+```
+
+Now apply the config map:
+```bash
+kubectl apply -f config-map.yaml
+```
+
+### Injecting secrets into your pod
+
+To inject secrets into your pod, you will need to add the `org.infisical.com/inject: "true"` annotation to your pod's deployment.
+
+The `org.infisical.com/agent-config-map` annotation will point to the config map we created in the previous step. It's important that the config map is in the same namespace as the pod.
+
+We are creating a nginx deployment with a PVC to store the database data.
+
+```yaml nginx.yaml
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-pod
+  namespace: test-namespace
+  labels:
+    app: nginx
+  annotations:
+    org.infisical.com/inject: "true"
+    org.infisical.com/inject-mode: "init"
+    org.infisical.com/agent-config-map: "nginx-infisical-config-map"
+spec:
+  containers:
+    - name: simple-app-demo
+      image: nginx:alpine
+      command: ["/bin/sh", "-c"]
+      args:
+        - |
+          export $(cat /infisical/secrets | xargs)
+          echo "API_KEY is set to: $API_KEY"
+          nginx -g "daemon off;"
+```
+
+### Applying the deployment
+
+To apply the deployment, you can use the following command:
+
+```bash
+kubectl apply -f nginx.yaml
+```
+It may take a few minutes for the pod to be ready and for the Infisical secrets to be injected. You can check the status of the pod by running:
+
+```bash
+kubectl get pods -n test-namespace
+```
+
+### Verifying the secrets are injected
+
+To verify the secrets are injected, you can check the pod's logs:
+
+```bash
+$ kubectl exec -it pod/nginx-pod -n test-namespace -- cat /infisical/secrets
+
+Defaulted container "simple-app-demo" out of: simple-app-demo, infisical-agent-init (init)
+
+API_KEY=sk_api_... # The secret you created in Infisical
+```
+
+Additionally you can now check that the `API_KEY` secret is being logged to the nginx container logs:
+```bash
+$ kubectl logs pod/nginx-pod -n test-namespace                              
+Defaulted container "simple-app-demo" out of: simple-app-demo, infisical-agent-init (init)
+API_KEY is set to: sk_api_... # The secret you created in Infisical
+```
+
+
+## Troubleshooting
+
+
+<Accordion title="The pod is stuck in `Init` state">
+  If the pod is stuck in `Init` state, it means the Agent init container is failing to start or is stuck in a restart loop.
+  This could be due to a number of reasons, such as the machine identity not having the correct permissions, or trying to fetch secrets from a non-existent project/environment.
+  
+  You can check the logs of the infisical init container by running:
+  ```bash
+  # For deployments
+  kubectl logs deployment/your-deployment-name -c infisical-agent-init -n "<namespace>"
+
+  # For pods
+  kubectl logs pod/your-pod-name -c infisical-agent-init -n "<namespace>"
+  ```
+
+  You can also check the logs of the pod by running:
+  ```bash
+  kubectl logs deployment/postgres-deployment -n test-namespace
+  ```
+
+  When checking the logs of the agent init container, you may see something like the following:
+  ```bash
+  Starting infisical agent...
+  11:10AM INF starting Infisical agent...
+  11:10AM INF Infisical instance address set to https://daniel1.tunn.dev
+  11:10AM INF template engine started for template 1...
+  11:10AM INF attempting to authenticate...
+  11:10AM INF new access token saved to file at path '/home/infisical/config/identity-access-token'
+  11:10AM ERR unable to process template because template: literalTemplate:1:9: executing "literalTemplate" at <secret "3c0d3ff6-165c-4dc9-b52c-ff3ffaedfce311111" "dev" "/">: error calling secret: CallGetRawSecretsV3: Unsuccessful response [GET https://daniel1.tunn.dev/api/v3/secrets/raw?environment=dev&expandSecretReferences=true&include_imports=true&secretPath=%2F&workspaceId=3c0d3ff6-165c-4dc9-b52c-ff3ffaedfce311111] [status-code=404] [response={"reqId":"req-ljqNq567jchFrK","statusCode":404,"message":"Project with ID '3c0d3ff6-165c-4dc9-b52c-ff3ffaedfce311111' not found during bot lookup. Are you sure you are using the correct project ID?","error":"NotFound"}]
+  + echo 'Agent failed with exit code 1'
+  + exit 1
+  Agent failed with exit code 1
+  ```
+
+  In the above error, the project ID was invalid in the config map.
+</Accordion>
--- a/docs/integrations/secret-syncs/overview.mdx
+++ b/docs/integrations/secret-syncs/overview.mdx
@@ -97,24 +97,22 @@ via the UI or API for the third-party service you intend to sync secrets to.

 ## Key Schemas

-Key Schemas let you control how Infisical names your secret keys when syncing to external destinations. This makes it clear which secrets are managed by Infisical and prevents accidental changes to unrelated secrets.
+Key Schemas transform your secret keys by applying a prefix, suffix, or format pattern during sync to external destinations. This makes it clear which secrets are managed by Infisical and prevents accidental changes to unrelated secrets.

-A Key Schema adds a prefix, suffix, or format to your secrets before they reach the destination.
-
-This example demonstrates key behavior if the schema was set to `INFISICAL_{{secretKey}}`:
+**Example:**
+- Infisical key: `SECRET_1`
+- Schema: `INFISICAL_{{secretKey}}`
+- Synced key: `INFISICAL_SECRET_1`

 <div align="center">
    ```mermaid
    graph LR
-        A[SECRET_1] --> T["Syncs as"] --> B[INFISICAL_SECRET_1]
-
-        style A fill:#E6F4FF,stroke:#0096D6,stroke-width:2px,color:black,rx:15px
-        style B fill:#F4FFE6,stroke:#96D600,stroke-width:2px,color:black,rx:15px
-        style T fill:#FFF2B2,stroke:#E6C34A,stroke-width:2px,color:black,rx:2px,font-size:12px
-
+      A[Infisical: **SECRET_1**] -->|Apply Schema| B[Destination: **INFISICAL_SECRET_1**]
+      style B fill:#F4FFE6,stroke:#96D600,stroke-width:2px,color:black,rx:15px
+      style A fill:#E6F4FF,stroke:#0096D6,stroke-width:2px,color:black,rx:15px
    ```
 </div>

 <Note>
-    When importing secrets from the destination into infisical, the schema is stripped from imported secret keys.
+    When importing secrets from the destination into Infisical, the schema is stripped from imported secret keys.
 </Note>
--- a/docs/internals/permissions/organization-permissions.mdx
+++ b/docs/internals/permissions/organization-permissions.mdx
@@ -218,3 +218,4 @@ Supports conditions and permission inversion
 | `create-gateways` | Add new gateways to organization  |
 | `edit-gateways`   | Modify existing gateway settings  |
 | `delete-gateways` | Remove gateways from organization |
+| `attach-gateways` | Attach gateways to resources      |
--- a/docs/mint.json
+++ b/docs/mint.json
@@ -441,6 +441,7 @@
                "integrations/platforms/kubernetes/infisical-dynamic-secret-crd"
              ]
            },
+            "integrations/platforms/kubernetes-injector",
            "integrations/platforms/kubernetes-csi",
            "integrations/platforms/docker-swarm-with-agent",
            "integrations/platforms/ecs-with-agent"
--- a/frontend/src/components/secret-syncs/forms/schemas/base-secret-sync-schema.ts
+++ b/frontend/src/components/secret-syncs/forms/schemas/base-secret-sync-schema.ts
@@ -13,10 +13,11 @@ export const BaseSecretSyncSchema = <T extends AnyZodObject | undefined = undefi
      .string()
      .optional()
      .refine(
-        (val) => !val || /^(?:[a-zA-Z0-9\-/]*)(?:\{\{secretKey\}\})(?:[a-zA-Z0-9\-/]*)$/.test(val),
+        (val) =>
+          !val || /^(?:[a-zA-Z0-9_\-/]*)(?:\{\{secretKey\}\})(?:[a-zA-Z0-9_\-/]*)$/.test(val),
        {
          message:
-            "Key schema must include one {{secretKey}} and only contain letters, numbers, dashes, slashes, and the {{secretKey}} placeholder."
+            "Key schema must include one {{secretKey}} and only contain letters, numbers, dashes, underscores, slashes, and the {{secretKey}} placeholder."
        }
      )
  });
--- a/frontend/src/context/OrgPermissionContext/types.ts
+++ b/frontend/src/context/OrgPermissionContext/types.ts
@@ -12,7 +12,8 @@ export enum OrgGatewayPermissionActions {
  CreateGateways = "create-gateways",
  ListGateways = "list-gateways",
  EditGateways = "edit-gateways",
-  DeleteGateways = "delete-gateways"
+  DeleteGateways = "delete-gateways",
+  AttachGateways = "attach-gateways"
 }

 export enum OrgPermissionSubjects {
--- a/frontend/src/hooks/api/gateways/mutation.tsx
+++ b/frontend/src/hooks/api/gateways/mutation.tsx
@@ -20,8 +20,8 @@ export const useDeleteGatewayById = () => {
 export const useUpdateGatewayById = () => {
  const queryClient = useQueryClient();
  return useMutation({
-    mutationFn: ({ id, name, projectIds }: TUpdateGatewayDTO) => {
-      return apiRequest.patch(`/api/v1/gateways/${id}`, { name, projectIds });
+    mutationFn: ({ id, name }: TUpdateGatewayDTO) => {
+      return apiRequest.patch(`/api/v1/gateways/${id}`, { name });
    },
    onSuccess: () => {
      queryClient.invalidateQueries(gatewaysQueryKeys.list());
--- a/frontend/src/hooks/api/gateways/queries.tsx
+++ b/frontend/src/hooks/api/gateways/queries.tsx
@@ -2,7 +2,7 @@ import { queryOptions } from "@tanstack/react-query";

 import { apiRequest } from "@app/config/request";

-import { TGateway, TListProjectGatewayDTO, TProjectGateway } from "./types";
+import { TGateway } from "./types";

 export const gatewaysQueryKeys = {
  allKey: () => ["gateways"],
@@ -14,20 +14,5 @@ export const gatewaysQueryKeys = {
        const { data } = await apiRequest.get<{ gateways: TGateway[] }>("/api/v1/gateways");
        return data.gateways;
      }
-    }),
-  listProjectGatewayKey: ({ projectId }: TListProjectGatewayDTO) => [
-    ...gatewaysQueryKeys.allKey(),
-    "list",
-    { projectId }
-  ],
-  listProjectGateways: ({ projectId }: TListProjectGatewayDTO) =>
-    queryOptions({
-      queryKey: gatewaysQueryKeys.listProjectGatewayKey({ projectId }),
-      queryFn: async () => {
-        const { data } = await apiRequest.get<{ gateways: TProjectGateway[] }>(
-          `/api/v1/gateways/projects/${projectId}`
-        );
-        return data.gateways;
-      }
    })
 };
--- a/frontend/src/hooks/api/gateways/types.ts
+++ b/frontend/src/hooks/api/gateways/types.ts
@@ -11,39 +11,13 @@ export type TGateway = {
    name: string;
    id: string;
  };
-  projects: {
-    name: string;
-    id: string;
-    slug: string;
-  }[];
-};
-
-export type TProjectGateway = {
-  id: string;
-  identityId: string;
-  name: string;
-  createdAt: string;
-  updatedAt: string;
-  issuedAt: string;
-  serialNumber: string;
-  heartbeat: string;
-  projectGatewayId: string;
-  identity: {
-    name: string;
-    id: string;
-  };
 };

 export type TUpdateGatewayDTO = {
  id: string;
  name?: string;
-  projectIds?: string[];
 };

 export type TDeleteGatewayDTO = {
  id: string;
 };
-
-export type TListProjectGatewayDTO = {
-  projectId: string;
-};
--- a/frontend/src/hooks/api/identities/mutations.tsx
+++ b/frontend/src/hooks/api/identities/mutations.tsx
@@ -840,7 +840,8 @@ export const useAddIdentityKubernetesAuth = () => {
      accessTokenTTL,
      accessTokenMaxTTL,
      accessTokenNumUsesLimit,
-      accessTokenTrustedIps
+      accessTokenTrustedIps,
+      gatewayId
    }) => {
      const {
        data: { identityKubernetesAuth }
@@ -856,7 +857,8 @@ export const useAddIdentityKubernetesAuth = () => {
          accessTokenTTL,
          accessTokenMaxTTL,
          accessTokenNumUsesLimit,
-          accessTokenTrustedIps
+          accessTokenTrustedIps,
+          gatewayId
        }
      );

@@ -945,7 +947,8 @@ export const useUpdateIdentityKubernetesAuth = () => {
      accessTokenTTL,
      accessTokenMaxTTL,
      accessTokenNumUsesLimit,
-      accessTokenTrustedIps
+      accessTokenTrustedIps,
+      gatewayId
    }) => {
      const {
        data: { identityKubernetesAuth }
@@ -961,7 +964,8 @@ export const useUpdateIdentityKubernetesAuth = () => {
          accessTokenTTL,
          accessTokenMaxTTL,
          accessTokenNumUsesLimit,
-          accessTokenTrustedIps
+          accessTokenTrustedIps,
+          gatewayId
        }
      );

--- a/frontend/src/hooks/api/identities/types.ts
+++ b/frontend/src/hooks/api/identities/types.ts
@@ -388,6 +388,7 @@ export type IdentityKubernetesAuth = {
  accessTokenMaxTTL: number;
  accessTokenNumUsesLimit: number;
  accessTokenTrustedIps: IdentityTrustedIp[];
+  gatewayId?: string | null;
 };

 export type AddIdentityKubernetesAuthDTO = {
@@ -398,6 +399,7 @@ export type AddIdentityKubernetesAuthDTO = {
  allowedNamespaces: string;
  allowedNames: string;
  allowedAudience: string;
+  gatewayId?: string | null;
  caCert: string;
  accessTokenTTL: number;
  accessTokenMaxTTL: number;
@@ -415,6 +417,7 @@ export type UpdateIdentityKubernetesAuthDTO = {
  allowedNamespaces?: string;
  allowedNames?: string;
  allowedAudience?: string;
+  gatewayId?: string | null;
  caCert?: string;
  accessTokenTTL?: number;
  accessTokenMaxTTL?: number;
--- a/frontend/src/hooks/api/organization/queries.tsx
+++ b/frontend/src/hooks/api/organization/queries.tsx
@@ -112,7 +112,13 @@ export const useUpdateOrg = () => {
      selectedMfaMethod,
      allowSecretSharingOutsideOrganization,
      bypassOrgAuthEnabled,
-      userTokenExpiration
+      userTokenExpiration,
+      secretsProductEnabled,
+      pkiProductEnabled,
+      kmsProductEnabled,
+      sshProductEnabled,
+      scannerProductEnabled,
+      shareSecretsProductEnabled
    }) => {
      return apiRequest.patch(`/api/v1/organization/${orgId}`, {
        name,
@@ -124,7 +130,13 @@ export const useUpdateOrg = () => {
        selectedMfaMethod,
        allowSecretSharingOutsideOrganization,
        bypassOrgAuthEnabled,
-        userTokenExpiration
+        userTokenExpiration,
+        secretsProductEnabled,
+        pkiProductEnabled,
+        kmsProductEnabled,
+        sshProductEnabled,
+        scannerProductEnabled,
+        shareSecretsProductEnabled
      });
    },
    onSuccess: () => {
--- a/frontend/src/hooks/api/organization/types.ts
+++ b/frontend/src/hooks/api/organization/types.ts
@@ -20,6 +20,12 @@ export type Organization = {
  allowSecretSharingOutsideOrganization?: boolean;
  userTokenExpiration?: string;
  userRole: string;
+  secretsProductEnabled: boolean;
+  pkiProductEnabled: boolean;
+  kmsProductEnabled: boolean;
+  sshProductEnabled: boolean;
+  scannerProductEnabled: boolean;
+  shareSecretsProductEnabled: boolean;
 };

 export type UpdateOrgDTO = {
@@ -34,6 +40,12 @@ export type UpdateOrgDTO = {
  allowSecretSharingOutsideOrganization?: boolean;
  bypassOrgAuthEnabled?: boolean;
  userTokenExpiration?: string;
+  secretsProductEnabled?: boolean;
+  pkiProductEnabled?: boolean;
+  kmsProductEnabled?: boolean;
+  sshProductEnabled?: boolean;
+  scannerProductEnabled?: boolean;
+  shareSecretsProductEnabled?: boolean;
 };

 export type BillingDetails = {
--- a/frontend/src/layouts/OrganizationLayout/components/MinimizedOrgSidebar/MinimizedOrgSidebar.tsx
+++ b/frontend/src/layouts/OrganizationLayout/components/MinimizedOrgSidebar/MinimizedOrgSidebar.tsx
@@ -268,77 +268,91 @@ export const MinimizedOrgSidebar = () => {
              </DropdownMenu>
            </div>
            <div className="space-y-1">
-              <Link to="/organization/secret-manager/overview">
-                {({ isActive }) => (
-                  <MenuIconButton
-                    isSelected={
-                      isActive ||
-                      window.location.pathname.startsWith(
-                        `/organization/${ProjectType.SecretManager}`
-                      )
-                    }
-                    icon="sliding-carousel"
-                  >
-                    Secrets
-                  </MenuIconButton>
-                )}
-              </Link>
-              <Link to="/organization/cert-manager/overview">
-                {({ isActive }) => (
-                  <MenuIconButton
-                    isSelected={
-                      isActive ||
-                      window.location.pathname.startsWith(
-                        `/organization/${ProjectType.CertificateManager}`
-                      )
-                    }
-                    icon="note"
-                  >
-                    PKI
-                  </MenuIconButton>
-                )}
-              </Link>
-              <Link to="/organization/kms/overview">
-                {({ isActive }) => (
-                  <MenuIconButton
-                    isSelected={
-                      isActive ||
-                      window.location.pathname.startsWith(`/organization/${ProjectType.KMS}`)
-                    }
-                    icon="unlock"
-                  >
-                    KMS
-                  </MenuIconButton>
-                )}
-              </Link>
-              <Link to="/organization/ssh/overview">
-                {({ isActive }) => (
-                  <MenuIconButton
-                    isSelected={
-                      isActive ||
-                      window.location.pathname.startsWith(`/organization/${ProjectType.SSH}`)
-                    }
-                    icon="verified"
-                  >
-                    SSH
-                  </MenuIconButton>
-                )}
-              </Link>
-              <div className="w-full bg-mineshaft-500" style={{ height: "1px" }} />
-              <Link to="/organization/secret-scanning">
-                {({ isActive }) => (
-                  <MenuIconButton isSelected={isActive} icon="secret-scan">
-                    Scanner
-                  </MenuIconButton>
-                )}
-              </Link>
-              <Link to="/organization/secret-sharing">
-                {({ isActive }) => (
-                  <MenuIconButton isSelected={isActive} icon="lock-closed">
-                    Share
-                  </MenuIconButton>
-                )}
-              </Link>
+              {currentOrg.secretsProductEnabled && (
+                <Link to="/organization/secret-manager/overview">
+                  {({ isActive }) => (
+                    <MenuIconButton
+                      isSelected={
+                        isActive ||
+                        window.location.pathname.startsWith(
+                          `/organization/${ProjectType.SecretManager}`
+                        )
+                      }
+                      icon="sliding-carousel"
+                    >
+                      Secrets
+                    </MenuIconButton>
+                  )}
+                </Link>
+              )}
+              {currentOrg.pkiProductEnabled && (
+                <Link to="/organization/cert-manager/overview">
+                  {({ isActive }) => (
+                    <MenuIconButton
+                      isSelected={
+                        isActive ||
+                        window.location.pathname.startsWith(
+                          `/organization/${ProjectType.CertificateManager}`
+                        )
+                      }
+                      icon="note"
+                    >
+                      PKI
+                    </MenuIconButton>
+                  )}
+                </Link>
+              )}
+              {currentOrg.kmsProductEnabled && (
+                <Link to="/organization/kms/overview">
+                  {({ isActive }) => (
+                    <MenuIconButton
+                      isSelected={
+                        isActive ||
+                        window.location.pathname.startsWith(`/organization/${ProjectType.KMS}`)
+                      }
+                      icon="unlock"
+                    >
+                      KMS
+                    </MenuIconButton>
+                  )}
+                </Link>
+              )}
+              {currentOrg.sshProductEnabled && (
+                <Link to="/organization/ssh/overview">
+                  {({ isActive }) => (
+                    <MenuIconButton
+                      isSelected={
+                        isActive ||
+                        window.location.pathname.startsWith(`/organization/${ProjectType.SSH}`)
+                      }
+                      icon="verified"
+                    >
+                      SSH
+                    </MenuIconButton>
+                  )}
+                </Link>
+              )}
+              {(currentOrg.scannerProductEnabled || currentOrg.shareSecretsProductEnabled) && (
+                <div className="w-full bg-mineshaft-500" style={{ height: "1px" }} />
+              )}
+              {currentOrg.scannerProductEnabled && (
+                <Link to="/organization/secret-scanning">
+                  {({ isActive }) => (
+                    <MenuIconButton isSelected={isActive} icon="secret-scan">
+                      Scanner
+                    </MenuIconButton>
+                  )}
+                </Link>
+              )}
+              {currentOrg.shareSecretsProductEnabled && (
+                <Link to="/organization/secret-sharing">
+                  {({ isActive }) => (
+                    <MenuIconButton isSelected={isActive} icon="lock-closed">
+                      Share
+                    </MenuIconButton>
+                  )}
+                </Link>
+              )}
              <div className="my-1 w-full bg-mineshaft-500" style={{ height: "1px" }} />
              <DropdownMenu open={open} onOpenChange={setOpen} modal={false}>
                <DropdownMenuTrigger
--- a/frontend/src/pages/auth/LoginPage/LoginPage.tsx
+++ b/frontend/src/pages/auth/LoginPage/LoginPage.tsx
@@ -10,7 +10,7 @@ import { useNavigateToSelectOrganization } from "./Login.utils";

 export const LoginPage = ({ isAdmin }: { isAdmin?: boolean }) => {
  const { t } = useTranslation();
-  const [step, setStep] = useState(0);
+  const [step, setStep] = useState<number | null>(null);
  const [email, setEmail] = useState("");
  const [password, setPassword] = useState("");
  const { navigateToSelectOrganization } = useNavigateToSelectOrganization();
@@ -36,6 +36,8 @@ export const LoginPage = ({ isAdmin }: { isAdmin?: boolean }) => {

    if (isLoggedIn()) {
      handleRedirects();
+    } else {
+      setStep(0);
    }
  }, []);

--- a/frontend/src/pages/organization/AccessManagementPage/components/OrgIdentityTab/components/IdentitySection/IdentityKubernetesAuthForm.tsx
+++ b/frontend/src/pages/organization/AccessManagementPage/components/OrgIdentityTab/components/IdentitySection/IdentityKubernetesAuthForm.tsx
@@ -3,22 +3,32 @@ import { Controller, useFieldArray, useForm } from "react-hook-form";
 import { faPlus, faXmark } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 import { zodResolver } from "@hookform/resolvers/zod";
+import { useQuery } from "@tanstack/react-query";
 import { z } from "zod";

 import { createNotification } from "@app/components/notifications";
+import { OrgPermissionCan } from "@app/components/permissions";
 import {
  Button,
  FormControl,
  IconButton,
  Input,
+  Select,
+  SelectItem,
  Tab,
  TabList,
  TabPanel,
  Tabs,
-  TextArea
+  TextArea,
+  Tooltip
 } from "@app/components/v2";
 import { useOrganization, useSubscription } from "@app/context";
 import {
+  OrgGatewayPermissionActions,
+  OrgPermissionSubjects
+} from "@app/context/OrgPermissionContext/types";
+import {
+  gatewaysQueryKeys,
  useAddIdentityKubernetesAuth,
  useGetIdentityKubernetesAuth,
  useUpdateIdentityKubernetesAuth
@@ -32,6 +42,7 @@ const schema = z
  .object({
    kubernetesHost: z.string().min(1),
    tokenReviewerJwt: z.string().optional(),
+    gatewayId: z.string().optional().nullable(),
    allowedNames: z.string(),
    allowedNamespaces: z.string(),
    allowedAudience: z.string(),
@@ -79,6 +90,8 @@ export const IdentityKubernetesAuthForm = ({
  const { mutateAsync: updateMutateAsync } = useUpdateIdentityKubernetesAuth();
  const [tabValue, setTabValue] = useState<IdentityFormTab>(IdentityFormTab.Configuration);

+  const { data: gateways, isPending: isGatewayLoading } = useQuery(gatewaysQueryKeys.list());
+
  const { data } = useGetIdentityKubernetesAuth(identityId ?? "", {
    enabled: isUpdate
  });
@@ -96,6 +109,7 @@ export const IdentityKubernetesAuthForm = ({
      tokenReviewerJwt: "",
      allowedNames: "",
      allowedNamespaces: "",
+      gatewayId: "",
      allowedAudience: "",
      caCert: "",
      accessTokenTTL: "2592000",
@@ -120,6 +134,7 @@ export const IdentityKubernetesAuthForm = ({
        allowedNamespaces: data.allowedNamespaces,
        allowedAudience: data.allowedAudience,
        caCert: data.caCert,
+        gatewayId: data.gatewayId || null,
        accessTokenTTL: String(data.accessTokenTTL),
        accessTokenMaxTTL: String(data.accessTokenMaxTTL),
        accessTokenNumUsesLimit: String(data.accessTokenNumUsesLimit),
@@ -157,6 +172,7 @@ export const IdentityKubernetesAuthForm = ({
    accessTokenTTL,
    accessTokenMaxTTL,
    accessTokenNumUsesLimit,
+    gatewayId,
    accessTokenTrustedIps
  }: FormData) => {
    try {
@@ -172,6 +188,7 @@ export const IdentityKubernetesAuthForm = ({
          allowedAudience,
          caCert,
          identityId,
+          gatewayId: gatewayId || null,
          accessTokenTTL: Number(accessTokenTTL),
          accessTokenMaxTTL: Number(accessTokenMaxTTL),
          accessTokenNumUsesLimit: Number(accessTokenNumUsesLimit),
@@ -186,6 +203,7 @@ export const IdentityKubernetesAuthForm = ({
          allowedNames: allowedNames || "",
          allowedNamespaces: allowedNamespaces || "",
          allowedAudience: allowedAudience || "",
+          gatewayId: gatewayId || null,
          caCert: caCert || "",
          accessTokenTTL: Number(accessTokenTTL),
          accessTokenMaxTTL: Number(accessTokenMaxTTL),
@@ -217,6 +235,7 @@ export const IdentityKubernetesAuthForm = ({
          [
            "kubernetesHost",
            "tokenReviewerJwt",
+            "gatewayId",
            "accessTokenTTL",
            "accessTokenMaxTTL",
            "accessTokenNumUsesLimit",
@@ -280,6 +299,62 @@ export const IdentityKubernetesAuthForm = ({
              </FormControl>
            )}
          />
+
+          <OrgPermissionCan
+            I={OrgGatewayPermissionActions.AttachGateways}
+            a={OrgPermissionSubjects.Gateway}
+          >
+            {(isAllowed) => (
+              <Controller
+                control={control}
+                name="gatewayId"
+                defaultValue=""
+                render={({ field: { value, onChange }, fieldState: { error } }) => (
+                  <FormControl
+                    isError={Boolean(error?.message)}
+                    errorText={error?.message}
+                    label="Gateway"
+                    isOptional
+                  >
+                    <Tooltip
+                      isDisabled={isAllowed}
+                      content="Restricted access. You don't have permission to attach gateways to resources."
+                    >
+                      <div>
+                        <Select
+                          isDisabled={!isAllowed}
+                          value={value as string}
+                          onValueChange={(v) => {
+                            if (v !== "") {
+                              onChange(v);
+                            }
+                          }}
+                          className="w-full border border-mineshaft-500"
+                          dropdownContainerClassName="max-w-none"
+                          isLoading={isGatewayLoading}
+                          placeholder="Default: Internet Gateway"
+                          position="popper"
+                        >
+                          <SelectItem
+                            value={null as unknown as string}
+                            onClick={() => onChange(null)}
+                          >
+                            Internet Gateway
+                          </SelectItem>
+                          {gateways?.map((el) => (
+                            <SelectItem value={el.id} key={el.id}>
+                              {el.name}
+                            </SelectItem>
+                          ))}
+                        </Select>
+                      </div>
+                    </Tooltip>
+                  </FormControl>
+                )}
+              />
+            )}
+          </OrgPermissionCan>
+
          <Controller
            control={control}
            name="allowedNames"
--- a/frontend/src/pages/organization/Gateways/GatewayListPage/GatewayListPage.tsx
+++ b/frontend/src/pages/organization/Gateways/GatewayListPage/GatewayListPage.tsx
@@ -32,7 +32,6 @@ import {
  Table,
  TableContainer,
  TableSkeleton,
-  Tag,
  TBody,
  Td,
  Th,
@@ -128,7 +127,6 @@ export const GatewayListPage = withPermission(
                      <Tr>
                        <Th className="w-1/3">Name</Th>
                        <Th>Cert Issued At</Th>
-                        <Th>Projects</Th>
                        <Th>Identity</Th>
                        <Th>
                          Health Check
@@ -151,13 +149,6 @@ export const GatewayListPage = withPermission(
                        <Tr key={el.id}>
                          <Td>{el.name}</Td>
                          <Td>{format(new Date(el.issuedAt), "yyyy-MM-dd hh:mm:ss aaa")}</Td>
-                          <Td>
-                            {el.projects.map((projectDetails) => (
-                              <Tag key={projectDetails.id} size="xs">
-                                {projectDetails.name}
-                              </Tag>
-                            ))}
-                          </Td>
                          <Td>{el.identity.name}</Td>
                          <Td>
                            {el.heartbeat
--- a/frontend/src/pages/organization/Gateways/GatewayListPage/components/EditGatewayDetailsModal.tsx
+++ b/frontend/src/pages/organization/Gateways/GatewayListPage/components/EditGatewayDetailsModal.tsx
@@ -3,10 +3,10 @@ import { zodResolver } from "@hookform/resolvers/zod";
 import { z } from "zod";

 import { createNotification } from "@app/components/notifications";
-import { Button, FilterableSelect, FormControl, Input } from "@app/components/v2";
-import { useGetUserWorkspaces, useUpdateGatewayById } from "@app/hooks/api";
+import { Button, FormControl, Input } from "@app/components/v2";
+import { NoticeBannerV2 } from "@app/components/v2/NoticeBannerV2/NoticeBannerV2";
+import { useUpdateGatewayById } from "@app/hooks/api";
 import { TGateway } from "@app/hooks/api/gateways/types";
-import { ProjectType } from "@app/hooks/api/workspace/types";

 type Props = {
  gatewayDetails: TGateway;
@@ -14,13 +14,7 @@ type Props = {
 };

 const schema = z.object({
-  name: z.string(),
-  projects: z
-    .object({
-      id: z.string(),
-      name: z.string()
-    })
-    .array()
+  name: z.string()
 });

 export type FormData = z.infer<typeof schema>;
@@ -38,20 +32,13 @@ export const EditGatewayDetailsModal = ({ gatewayDetails, onClose }: Props) => {
  });

  const updateGatewayById = useUpdateGatewayById();
-  // when gateway goes to other products switch to all
-  const { data: secretManagerWorkspaces, isLoading: isSecretManagerLoading } = useGetUserWorkspaces(
-    {
-      type: ProjectType.SecretManager
-    }
-  );

-  const onFormSubmit = ({ name, projects }: FormData) => {
+  const onFormSubmit = ({ name }: FormData) => {
    if (isSubmitting) return;
    updateGatewayById.mutate(
      {
        id: gatewayDetails.id,
-        name,
-        projectIds: projects.map((el) => el.id)
+        name
      },
      {
        onSuccess: () => {
@@ -67,6 +54,16 @@ export const EditGatewayDetailsModal = ({ gatewayDetails, onClose }: Props) => {

  return (
    <form onSubmit={handleSubmit(onFormSubmit)}>
+      <NoticeBannerV2 className="mx-auto mb-4" title="Project Linking">
+        <p className="mt-1 text-xs text-mineshaft-300">
+          Since the 15th May 2025, all gateways are automatically available for use in all projects
+          and you no longer need to link them.
+          <br />
+          Organization members with the &quot;Attach Gateways&quot; permission can use gateways
+          anywhere within the organization.
+        </p>
+      </NoticeBannerV2>
+
      <Controller
        control={control}
        name="name"
@@ -76,30 +73,6 @@ export const EditGatewayDetailsModal = ({ gatewayDetails, onClose }: Props) => {
          </FormControl>
        )}
      />
-      <Controller
-        control={control}
-        name="projects"
-        render={({ field: { onChange, value }, fieldState: { error } }) => (
-          <FormControl
-            className="w-full"
-            label="Projects"
-            tooltipText="Select the project(s) that you'd like to add this gateway to"
-            errorText={error?.message}
-            isError={Boolean(error)}
-          >
-            <FilterableSelect
-              options={secretManagerWorkspaces}
-              placeholder="Select projects..."
-              value={value}
-              onChange={onChange}
-              isMulti
-              isLoading={isSecretManagerLoading}
-              getOptionValue={(option) => option.id}
-              getOptionLabel={(option) => option.name}
-            />
-          </FormControl>
-        )}
-      />
      <div className="mt-4 flex items-center">
        <Button className="mr-4" size="sm" type="submit" isLoading={isSubmitting}>
          Update
--- a/frontend/src/pages/organization/IdentityDetailsByIDPage/components/ViewIdentityAuthModal/ViewIdentityKubernetesAuthContent.tsx
+++ b/frontend/src/pages/organization/IdentityDetailsByIDPage/components/ViewIdentityAuthModal/ViewIdentityKubernetesAuthContent.tsx
@@ -1,8 +1,10 @@
+import { useMemo } from "react";
 import { faBan, faEye } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
+import { useQuery } from "@tanstack/react-query";

 import { Badge, EmptyState, Spinner, Tooltip } from "@app/components/v2";
-import { useGetIdentityKubernetesAuth } from "@app/hooks/api";
+import { gatewaysQueryKeys, useGetIdentityKubernetesAuth } from "@app/hooks/api";
 import { IdentityKubernetesAuthForm } from "@app/pages/organization/AccessManagementPage/components/OrgIdentityTab/components/IdentitySection/IdentityKubernetesAuthForm";

 import { IdentityAuthFieldDisplay } from "./IdentityAuthFieldDisplay";
@@ -16,8 +18,14 @@ export const ViewIdentityKubernetesAuthContent = ({
  onDelete,
  popUp
 }: ViewAuthMethodProps) => {
+  const { data: gateways } = useQuery(gatewaysQueryKeys.list());
+
  const { data, isPending } = useGetIdentityKubernetesAuth(identityId);

+  const selectedGateway = useMemo(() => {
+    return gateways?.find((gateway) => gateway.id === data?.gatewayId) || null;
+  }, [gateways, data?.gatewayId]);
+
  if (isPending) {
    return (
      <div className="flex w-full items-center justify-center">
@@ -69,6 +77,7 @@ export const ViewIdentityKubernetesAuthContent = ({
      >
        {data.kubernetesHost}
      </IdentityAuthFieldDisplay>
+      <IdentityAuthFieldDisplay label="Gateway">{selectedGateway?.name}</IdentityAuthFieldDisplay>
      <IdentityAuthFieldDisplay className="col-span-2" label="Token Reviewer JWT">
        {data.tokenReviewerJwt ? (
          <Tooltip
--- a/frontend/src/pages/organization/RoleByIDPage/components/OrgRoleModifySection.utils.ts
+++ b/frontend/src/pages/organization/RoleByIDPage/components/OrgRoleModifySection.utils.ts
@@ -69,7 +69,8 @@ const orgGatewayPermissionSchema = z
    [OrgGatewayPermissionActions.ListGateways]: z.boolean().optional(),
    [OrgGatewayPermissionActions.EditGateways]: z.boolean().optional(),
    [OrgGatewayPermissionActions.DeleteGateways]: z.boolean().optional(),
-    [OrgGatewayPermissionActions.CreateGateways]: z.boolean().optional()
+    [OrgGatewayPermissionActions.CreateGateways]: z.boolean().optional(),
+    [OrgGatewayPermissionActions.AttachGateways]: z.boolean().optional()
  })
  .optional();

--- a/frontend/src/pages/organization/RoleByIDPage/components/RolePermissionsSection/OrgPermissionGatewayRow.tsx
+++ b/frontend/src/pages/organization/RoleByIDPage/components/RolePermissionsSection/OrgPermissionGatewayRow.tsx
@@ -27,7 +27,8 @@ const PERMISSION_ACTIONS = [
  { action: OrgGatewayPermissionActions.ListGateways, label: "List Gateways" },
  { action: OrgGatewayPermissionActions.CreateGateways, label: "Create Gateways" },
  { action: OrgGatewayPermissionActions.EditGateways, label: "Edit Gateways" },
-  { action: OrgGatewayPermissionActions.DeleteGateways, label: "Delete Gateways" }
+  { action: OrgGatewayPermissionActions.DeleteGateways, label: "Delete Gateways" },
+  { action: OrgGatewayPermissionActions.AttachGateways, label: "Attach Gateways" }
 ] as const;

 export const OrgGatewayPermissionRow = ({ isEditable, control, setValue }: Props) => {
--- a/frontend/src/pages/organization/SettingsPage/components/OrgGeneralTab/OrgGeneralTab.tsx
+++ b/frontend/src/pages/organization/SettingsPage/components/OrgGeneralTab/OrgGeneralTab.tsx
@@ -3,14 +3,18 @@ import { useOrgPermission } from "@app/context";
 import { OrgDeleteSection } from "../OrgDeleteSection";
 import { OrgIncidentContactsSection } from "../OrgIncidentContactsSection";
 import { OrgNameChangeSection } from "../OrgNameChangeSection";
+import { OrgProductSelectSection } from "../OrgProductSelectSection";

 export const OrgGeneralTab = () => {
  const { membership } = useOrgPermission();
  return (
-    <div className="rounded-lg border border-mineshaft-600 bg-mineshaft-900 p-6">
-      <OrgNameChangeSection />
-      <OrgIncidentContactsSection />
-      {membership && membership.role === "admin" && <OrgDeleteSection />}
-    </div>
+    <>
+      <div className="mb-6 rounded-lg border border-mineshaft-600 bg-mineshaft-900 p-6">
+        <OrgNameChangeSection />
+        <OrgIncidentContactsSection />
+        {membership && membership.role === "admin" && <OrgDeleteSection />}
+      </div>
+      {membership && membership.role === "admin" && <OrgProductSelectSection />}
+    </>
  );
 };
--- a/frontend/src/pages/organization/SettingsPage/components/OrgProductSelectSection/OrgProductSelectSection.tsx
+++ b/frontend/src/pages/organization/SettingsPage/components/OrgProductSelectSection/OrgProductSelectSection.tsx
@@ -0,0 +1,105 @@
+import { useEffect, useState } from "react";
+
+import { Switch } from "@app/components/v2";
+import { useOrganization } from "@app/context";
+import { useUpdateOrg } from "@app/hooks/api";
+import axios from "axios";
+import { createNotification } from "@app/components/notifications";
+
+export const OrgProductSelectSection = () => {
+  const [toggledProducts, setToggledProducts] = useState<{
+    [key: string]: { name: string; enabled: boolean };
+  }>({
+    secretsProductEnabled: {
+      name: "Secret Management",
+      enabled: true
+    },
+    pkiProductEnabled: {
+      name: "Certificate Management",
+      enabled: true
+    },
+    kmsProductEnabled: {
+      name: "KMS",
+      enabled: true
+    },
+    sshProductEnabled: {
+      name: "SSH",
+      enabled: true
+    },
+    scannerProductEnabled: {
+      name: "Scanner",
+      enabled: true
+    },
+    shareSecretsProductEnabled: {
+      name: "Share Secrets",
+      enabled: true
+    }
+  });
+
+  const [isLoading, setIsLoading] = useState(false);
+
+  const { currentOrg } = useOrganization();
+  const { mutateAsync } = useUpdateOrg();
+
+  useEffect(() => {
+    Object.entries(currentOrg).forEach(([key, value]) => {
+      if (key in toggledProducts && typeof value === "boolean") {
+        setToggledProducts((products) => ({
+          ...products,
+          [key]: { ...products[key], enabled: value }
+        }));
+      }
+    });
+  }, [currentOrg]);
+
+  const onProductToggle = async (value: boolean, key: string) => {
+    setIsLoading(true);
+
+    setToggledProducts((products) => ({
+      ...products,
+      [key]: { ...products[key], enabled: value }
+    }));
+
+    try {
+      await mutateAsync({
+        orgId: currentOrg.id,
+        [key]: value
+      });
+    } catch (e) {
+      if (axios.isAxiosError(e)) {
+        const { message = "Something went wrong" } = e.response?.data as { message: string };
+        createNotification({
+          type: "error",
+          text: message
+        });
+      }
+    }
+
+    setIsLoading(false);
+  };
+
+  return (
+    <div className="mb-6 rounded-lg border border-mineshaft-600 bg-mineshaft-900 p-4">
+      <h2 className="text-xl font-semibold text-mineshaft-100">Organization Products</h2>
+      <p className="mb-4 text-gray-400">
+        Select which products are available for your organization.
+      </p>
+
+      <div className="grid grid-cols-2 gap-3">
+        {Object.entries(toggledProducts).map(([key, product]) => (
+          <Switch
+            key={key}
+            id={`enable-${key}`}
+            isDisabled={isLoading}
+            onCheckedChange={(value) => onProductToggle(value, key)}
+            isChecked={product.enabled}
+            className="ml-0"
+            containerClassName="flex-row-reverse gap-3 w-fit"
+          >
+            {product.name}
+          </Switch>
+        ))}
+      </div>
+    </div>
+  );
+};
--- a/frontend/src/pages/organization/SettingsPage/components/OrgProductSelectSection/index.tsx
+++ b/frontend/src/pages/organization/SettingsPage/components/OrgProductSelectSection/index.tsx
@@ -0,0 +1 @@
+export { OrgProductSelectSection } from "./OrgProductSelectSection";
--- a/frontend/src/pages/secret-manager/SecretDashboardPage/components/ActionBar/CreateDynamicSecretForm/SqlDatabaseInputForm.tsx
+++ b/frontend/src/pages/secret-manager/SecretDashboardPage/components/ActionBar/CreateDynamicSecretForm/SqlDatabaseInputForm.tsx
@@ -6,6 +6,7 @@ import { z } from "zod";

 import { TtlFormLabel } from "@app/components/features";
 import { createNotification } from "@app/components/notifications";
+import { OrgPermissionCan } from "@app/components/permissions";
 import {
  Accordion,
  AccordionContent,
@@ -18,9 +19,13 @@ import {
  SecretInput,
  Select,
  SelectItem,
-  TextArea
+  TextArea,
+  Tooltip
 } from "@app/components/v2";
-import { useWorkspace } from "@app/context";
+import {
+  OrgGatewayPermissionActions,
+  OrgPermissionSubjects
+} from "@app/context/OrgPermissionContext/types";
 import { gatewaysQueryKeys, useCreateDynamicSecret } from "@app/hooks/api";
 import { DynamicSecretProviders, SqlProviders } from "@app/hooks/api/dynamicSecret/types";
 import { WorkspaceEnv } from "@app/hooks/api/types";
@@ -61,7 +66,7 @@ const formSchema = z.object({
    revocationStatement: z.string().min(1),
    renewStatement: z.string().optional(),
    ca: z.string().optional(),
-    projectGatewayId: z.string().optional()
+    gatewayId: z.string().optional()
  }),
  defaultTTL: z.string().superRefine((val, ctx) => {
    const valMs = ms(val);
@@ -164,8 +169,6 @@ export const SqlDatabaseInputForm = ({
  projectSlug,
  isSingleEnvironmentMode
 }: Props) => {
-  const { currentWorkspace } = useWorkspace();
-
  const {
    control,
    setValue,
@@ -193,9 +196,7 @@ export const SqlDatabaseInputForm = ({
  });

  const createDynamicSecret = useCreateDynamicSecret();
-  const { data: projectGateways, isPending: isProjectGatewaysLoading } = useQuery(
-    gatewaysQueryKeys.listProjectGateways({ projectId: currentWorkspace.id })
-  );
+  const { data: gateways, isPending: isGatewaysLoading } = useQuery(gatewaysQueryKeys.list());

  const handleCreateDynamicSecret = async ({
    name,
@@ -301,40 +302,55 @@ export const SqlDatabaseInputForm = ({
              Configuration
            </div>
            <div>
-              <Controller
-                control={control}
-                name="provider.projectGatewayId"
-                defaultValue=""
-                render={({ field: { value, onChange }, fieldState: { error } }) => (
-                  <FormControl
-                    isError={Boolean(error?.message)}
-                    errorText={error?.message}
-                    label="Gateway"
-                  >
-                    <Select
-                      value={value}
-                      onValueChange={onChange}
-                      className="w-full border border-mineshaft-500"
-                      dropdownContainerClassName="max-w-none"
-                      isLoading={isProjectGatewaysLoading}
-                      placeholder="Internet gateway"
-                      position="popper"
-                    >
-                      <SelectItem
-                        value={null as unknown as string}
-                        onClick={() => onChange(undefined)}
+              <OrgPermissionCan
+                I={OrgGatewayPermissionActions.AttachGateways}
+                a={OrgPermissionSubjects.Gateway}
+              >
+                {(isAllowed) => (
+                  <Controller
+                    control={control}
+                    name="provider.gatewayId"
+                    defaultValue=""
+                    render={({ field: { value, onChange }, fieldState: { error } }) => (
+                      <FormControl
+                        isError={Boolean(error?.message)}
+                        errorText={error?.message}
+                        label="Gateway"
                      >
-                        Internet Gateway
-                      </SelectItem>
-                      {projectGateways?.map((el) => (
-                        <SelectItem value={el.projectGatewayId} key={el.projectGatewayId}>
-                          {el.name}
-                        </SelectItem>
-                      ))}
-                    </Select>
-                  </FormControl>
+                        <Tooltip
+                          isDisabled={isAllowed}
+                          content="Restricted access. You don't have permission to attach gateways to resources."
+                        >
+                          <div>
+                            <Select
+                              isDisabled={!isAllowed}
+                              value={value}
+                              onValueChange={onChange}
+                              className="w-full border border-mineshaft-500"
+                              dropdownContainerClassName="max-w-none"
+                              isLoading={isGatewaysLoading}
+                              placeholder="Default: Internet Gateway"
+                              position="popper"
+                            >
+                              <SelectItem
+                                value={null as unknown as string}
+                                onClick={() => onChange(undefined)}
+                              >
+                                Internet Gateway
+                              </SelectItem>
+                              {gateways?.map((el) => (
+                                <SelectItem value={el.id} key={el.id}>
+                                  {el.name}
+                                </SelectItem>
+                              ))}
+                            </Select>
+                          </div>
+                        </Tooltip>
+                      </FormControl>
+                    )}
+                  />
                )}
-              />
+              </OrgPermissionCan>
            </div>
            <div className="flex flex-col">
              <div className="pb-0.5 pl-1 text-sm text-mineshaft-400">Service</div>
--- a/frontend/src/pages/secret-manager/SecretDashboardPage/components/DynamicSecretListView/EditDynamicSecretForm/EditDynamicSecretSqlProviderForm.tsx
+++ b/frontend/src/pages/secret-manager/SecretDashboardPage/components/DynamicSecretListView/EditDynamicSecretForm/EditDynamicSecretSqlProviderForm.tsx
@@ -6,6 +6,7 @@ import { z } from "zod";

 import { TtlFormLabel } from "@app/components/features";
 import { createNotification } from "@app/components/notifications";
+import { OrgPermissionCan } from "@app/components/permissions";
 import {
  Accordion,
  AccordionContent,
@@ -17,9 +18,11 @@ import {
  SecretInput,
  Select,
  SelectItem,
-  TextArea
+  TextArea,
+  Tooltip
 } from "@app/components/v2";
-import { useWorkspace } from "@app/context";
+import { OrgPermissionSubjects } from "@app/context";
+import { OrgGatewayPermissionActions } from "@app/context/OrgPermissionContext/types";
 import { gatewaysQueryKeys, useUpdateDynamicSecret } from "@app/hooks/api";
 import { SqlProviders, TDynamicSecret } from "@app/hooks/api/dynamicSecret/types";

@@ -60,7 +63,7 @@ const formSchema = z.object({
      revocationStatement: z.string().min(1),
      renewStatement: z.string().optional(),
      ca: z.string().optional(),
-      projectGatewayId: z.string().optional().nullable()
+      gatewayId: z.string().optional().nullable()
    })
    .partial(),
  defaultTTL: z.string().superRefine((val, ctx) => {
@@ -147,15 +150,11 @@ export const EditDynamicSecretSqlProviderForm = ({
    }
  });

-  const { currentWorkspace } = useWorkspace();
-  const { data: projectGateways, isPending: isProjectGatewaysLoading } = useQuery(
-    gatewaysQueryKeys.listProjectGateways({ projectId: currentWorkspace.id })
-  );
+  const { data: gateways, isPending: isGatewaysLoading } = useQuery(gatewaysQueryKeys.list());

  const updateDynamicSecret = useUpdateDynamicSecret();
-  const selectedProjectGatewayId = watch("inputs.projectGatewayId");
-  const isGatewayInActive =
-    projectGateways?.findIndex((el) => el.projectGatewayId === selectedProjectGatewayId) === -1;
+  const selectedGatewayId = watch("inputs.gatewayId");
+  const isGatewayInActive = gateways?.findIndex((el) => el.id === selectedGatewayId) === -1;

  const handleUpdateDynamicSecret = async ({
    inputs,
@@ -177,7 +176,7 @@ export const EditDynamicSecretSqlProviderForm = ({
          defaultTTL,
          inputs: {
            ...inputs,
-            projectGatewayId: isGatewayInActive ? null : inputs.projectGatewayId
+            gatewayId: isGatewayInActive ? null : inputs.gatewayId
          },
          newName: newName === dynamicSecret.name ? undefined : newName,
          metadata
@@ -250,45 +249,60 @@ export const EditDynamicSecretSqlProviderForm = ({
        <div>
          <div className="mb-4 border-b border-b-mineshaft-600 pb-2">Configuration</div>
          <div>
-            <Controller
-              control={control}
-              name="inputs.projectGatewayId"
-              defaultValue=""
-              render={({ field: { value, onChange }, fieldState: { error } }) => (
-                <FormControl
-                  isError={Boolean(error?.message) || isGatewayInActive}
-                  errorText={
-                    isGatewayInActive && selectedProjectGatewayId
-                      ? `Project Gateway ${selectedProjectGatewayId} is removed`
-                      : error?.message
-                  }
-                  label="Gateway"
-                  helperText=""
-                >
-                  <Select
-                    value={value || undefined}
-                    onValueChange={onChange}
-                    className="w-full border border-mineshaft-500"
-                    dropdownContainerClassName="max-w-none"
-                    isLoading={isProjectGatewaysLoading}
-                    placeholder="Internet Gateway"
-                    position="popper"
-                  >
-                    <SelectItem
-                      value={null as unknown as string}
-                      onClick={() => onChange(undefined)}
+            <OrgPermissionCan
+              I={OrgGatewayPermissionActions.AttachGateways}
+              a={OrgPermissionSubjects.Gateway}
+            >
+              {(isAllowed) => (
+                <Controller
+                  control={control}
+                  name="inputs.gatewayId"
+                  defaultValue=""
+                  render={({ field: { value, onChange }, fieldState: { error } }) => (
+                    <FormControl
+                      isError={Boolean(error?.message) || isGatewayInActive}
+                      errorText={
+                        isGatewayInActive && selectedGatewayId
+                          ? `Project Gateway ${selectedGatewayId} is removed`
+                          : error?.message
+                      }
+                      label="Gateway"
+                      helperText=""
                    >
-                      Internet Gateway
-                    </SelectItem>
-                    {projectGateways?.map((el) => (
-                      <SelectItem value={el.projectGatewayId} key={el.id}>
-                        {el.name}
-                      </SelectItem>
-                    ))}
-                  </Select>
-                </FormControl>
+                      <Tooltip
+                        isDisabled={isAllowed}
+                        content="Restricted access. You don't have permission to attach gateways to resources."
+                      >
+                        <div>
+                          <Select
+                            isDisabled={!isAllowed}
+                            value={value || undefined}
+                            onValueChange={onChange}
+                            className="w-full border border-mineshaft-500"
+                            dropdownContainerClassName="max-w-none"
+                            isLoading={isGatewaysLoading}
+                            placeholder="Default: Internet Gateway"
+                            position="popper"
+                          >
+                            <SelectItem
+                              value={null as unknown as string}
+                              onClick={() => onChange(undefined)}
+                            >
+                              Internet Gateway
+                            </SelectItem>
+                            {gateways?.map((el) => (
+                              <SelectItem value={el.id} key={el.id}>
+                                {el.name}
+                              </SelectItem>
+                            ))}
+                          </Select>
+                        </div>
+                      </Tooltip>
+                    </FormControl>
+                  )}
+                />
              )}
-            />
+            </OrgPermissionCan>
          </div>
          <div className="flex flex-col">
            <Controller
Author	SHA1	Message	Date
Daniel Hougaard	bc4fc9a1ca	docs: injector diagram	2025-05-20 17:20:54 +04:00
Daniel Hougaard	483850441d	Update kubernetes-injector.mdx	2025-05-20 16:58:19 +04:00
Daniel Hougaard	4355fd09cc	requested changes	2025-05-20 16:57:11 +04:00
Daniel Hougaard	7ffa0ef8f5	Update deployment.yaml	2025-05-20 12:36:14 +04:00
Daniel Hougaard	1345ff02e3	docs: k8s agent injector	2025-05-20 01:54:17 +04:00
Daniel Hougaard	5e192539a1	Update identity-kubernetes-auth-service.ts	2025-05-17 22:13:49 +04:00
Daniel Hougaard	021a8ddace	Update identity-kubernetes-auth-service.ts	2025-05-17 22:06:51 +04:00
Daniel Hougaard	677ff62b5c	fix(auth): cli auth bug	2025-05-16 17:22:18 +04:00
Daniel Hougaard	8cc2e08f24	fix(auth): cli auth bug	2025-05-16 16:58:01 +04:00
Maidul Islam	d90178f49a	Merge pull request #3590 from Infisical/daniel/k8s-auth-gateway feat(gateway): gateway support for identities	2025-05-16 00:10:16 -07:00
x032205	7074fdbac3	Merge pull request #3609 from Infisical/ENG-2736 feat(org-settings): Option to hide certain products from the sidebar	2025-05-15 23:24:14 -04:00
x032205	517c613d05	migration fix	2025-05-15 22:50:09 -04:00
x032205	ae8cf06ec6	greptile review fixes	2025-05-15 21:05:39 -04:00
x032205	818778ddc5	Update frontend/src/pages/organization/SettingsPage/components/OrgProductSelectSection/OrgProductSelectSection.tsx Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>	2025-05-15 21:01:46 -04:00
x032205	2e12d9a13c	Update frontend/src/pages/organization/SettingsPage/components/OrgGeneralTab/OrgGeneralTab.tsx Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>	2025-05-15 21:01:30 -04:00
x032205	e678c9d1cf	remove comments	2025-05-15 20:49:01 -04:00
x032205	da0b07ce2a	added the other two products and small UI tweaks	2025-05-15 20:45:32 -04:00
x032205	3306a9ca69	Merge pull request #3608 from Infisical/key-schema-tweak allow underscores in key schema	2025-05-15 18:55:45 -04:00
Maidul Islam	e9af34a6ba	Merge pull request #3607 from Infisical/key-schema-doc-tweaks feat(docs): Key Schema Tweaks	2025-05-15 15:51:23 -07:00
x032205	3de8ed169f	allow underscores in key schema	2025-05-15 18:49:30 -04:00
Scott Wilson	d1eb350bdd	Merge pull request #3606 from Infisical/oidc-groups-claim-handle-string improvement(oidc-group-membership-mapping): Update OIDC group claims to handle single group string	2025-05-15 14:47:46 -07:00
x032205	d268f52a1c	small ui tweak	2025-05-15 16:50:37 -04:00
x032205	c519cee5d1	frontend	2025-05-15 16:32:57 -04:00
x032205	c7dc595e1a	doc overview update	2025-05-15 12:05:06 -04:00
Daniel Hougaard	be26dc9872	requested changes	2025-05-15 16:55:36 +04:00
Daniel Hougaard	aaeb6e73fe	requested changes	2025-05-15 16:06:20 +04:00
Daniel Hougaard	cd028ae133	Update 20250212191958_create-gateway.ts	2025-05-14 16:01:07 +04:00
Daniel Hougaard	63c71fabcd	fix: migrate project gateway	2025-05-14 16:00:27 +04:00
Daniel Hougaard	e90166f1f0	Merge branch 'heads/main' into daniel/k8s-auth-gateway	2025-05-14 14:26:05 +04:00
Daniel Hougaard	8adf4787b9	Update 20250513081738_remove-gateway-project-link.ts	2025-05-13 15:31:13 +04:00
Daniel Hougaard	a12522db55	requested changes	2025-05-13 15:18:23 +04:00
Daniel Hougaard	49ab487dc2	Update organization-permissions.mdx	2025-05-13 15:04:21 +04:00
Daniel Hougaard	daf0731580	feat(gateways): decouple gateways from projects	2025-05-13 14:59:58 +04:00
Daniel Hougaard	fb2b64cb19	feat(identities/k8s): gateway support	2025-05-12 15:19:42 +04:00
				`@@ -0,0 +1 @@`
				`export { OrgProductSelectSection } from "./OrgProductSelectSection";`