Scaffolding for OIDC

Chore: Project upgrade notice

.env.example

@@ -19,10 +19,6 @@ POSTGRES_DB=infisical
 # Redis
 REDIS_URL=redis://redis:6379
 
-# Optional credentials for MongoDB container instance and Mongo-Express
-MONGO_USERNAME=root
-MONGO_PASSWORD=example
-
 # Website URL
 # Required
 SITE_URL=http://localhost:8080

CONTRIBUTING.md

@@ -2,6 +2,6 @@
 
 Thanks for taking the time to contribute! 😃 🚀
 
-Please refer to our [Contributing Guide](https://infisical.com/docs/contributing/overview) for instructions on how to contribute.
+Please refer to our [Contributing Guide](https://infisical.com/docs/contributing/getting-started/overview) for instructions on how to contribute.
 
 We also have some 🔥amazing🔥 merch for our contributors. Please reach out to tony@infisical.com for more info 👀

backend/package-lock.json

@@ -33,7 +33,7 @@
         "axios": "^1.6.7",
         "axios-retry": "^4.0.0",
         "bcrypt": "^5.1.1",
-        "bullmq": "^5.1.6",
+        "bullmq": "^5.3.3",
         "dotenv": "^16.4.1",
         "fastify": "^4.26.0",
         "fastify-plugin": "^4.5.1",
@@ -53,6 +53,7 @@
         "passport-github": "^1.1.0",
         "passport-gitlab2": "^5.0.0",
         "passport-google-oauth20": "^2.0.0",
+        "passport-openidconnect": "^0.1.2",
         "pg": "^8.11.3",
         "picomatch": "^3.0.1",
         "pino": "^8.16.2",
@@ -76,6 +77,7 @@
         "@types/nodemailer": "^6.4.14",
         "@types/passport-github": "^1.1.12",
         "@types/passport-google-oauth20": "^2.0.14",
+        "@types/passport-openidconnect": "^0.1.3",
         "@types/pg": "^8.10.9",
         "@types/picomatch": "^2.3.3",
         "@types/prompt-sync": "^4.2.3",
@@ -2193,7 +2195,6 @@
       "version": "2.1.5",
       "resolved": "https://registry.npmjs.org/@nodelib/fs.scandir/-/fs.scandir-2.1.5.tgz",
       "integrity": "sha512-vq24Bq3ym5HEQm2NKCr3yXDwjc7vTsEThRDnkp2DK9p1uqLR+DHurm/NOTo0KG7HYHU7eppKZj3MyqYuMBf62g==",
-      "dev": true,
       "dependencies": {
         "@nodelib/fs.stat": "2.0.5",
         "run-parallel": "^1.1.9"
@@ -2206,7 +2207,6 @@
       "version": "2.0.5",
       "resolved": "https://registry.npmjs.org/@nodelib/fs.stat/-/fs.stat-2.0.5.tgz",
       "integrity": "sha512-RkhPPp2zrqDAQA/2jNhnztcPAlv64XdhIp7a7454A5ovI7Bukxgt7MX7udwAu3zg1DcpPU0rz3VV1SeaqvY4+A==",
-      "dev": true,
       "engines": {
         "node": ">= 8"
       }
@@ -2215,7 +2215,6 @@
       "version": "1.2.8",
       "resolved": "https://registry.npmjs.org/@nodelib/fs.walk/-/fs.walk-1.2.8.tgz",
       "integrity": "sha512-oGB+UxlgWcgQkgwo8GcEGwemoTFt3FIO9ababBmaGwXIoBKZ+GTy0pP185beGg7Llih/NSHSV2XAs1lnznocSg==",
-      "dev": true,
       "dependencies": {
         "@nodelib/fs.scandir": "2.1.5",
         "fastq": "^1.6.0"
@@ -4075,6 +4074,18 @@
         "@types/passport": "*"
       }
     },
+    "node_modules/@types/passport-openidconnect": {
+      "version": "0.1.3",
+      "resolved": "https://registry.npmjs.org/@types/passport-openidconnect/-/passport-openidconnect-0.1.3.tgz",
+      "integrity": "sha512-k1Ni7bG/9OZNo2Qpjg2W6GajL+pww6ZPaNWMXfpteCX4dXf4QgaZLt2hjR5IiPrqwBT9+W8KjCTJ/uhGIoBx/g==",
+      "dev": true,
+      "dependencies": {
+        "@types/express": "*",
+        "@types/oauth": "*",
+        "@types/passport": "*",
+        "@types/passport-strategy": "*"
+      }
+    },
     "node_modules/@types/passport-strategy": {
       "version": "0.2.38",
       "resolved": "https://registry.npmjs.org/@types/passport-strategy/-/passport-strategy-0.2.38.tgz",
@@ -5442,7 +5453,6 @@
       "version": "3.0.2",
       "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.2.tgz",
       "integrity": "sha512-b8um+L1RzM3WDSzvhm6gIz1yfTbBt6YTlcEKAvsmqCZZFw46z626lVj9j1yEPW33H5H+lBQpZMP1k8l+78Ha0A==",
-      "dev": true,
       "dependencies": {
         "fill-range": "^7.0.1"
       },
@@ -5492,14 +5502,15 @@
       }
     },
     "node_modules/bullmq": {
-      "version": "5.1.6",
-      "resolved": "https://registry.npmjs.org/bullmq/-/bullmq-5.1.6.tgz",
-      "integrity": "sha512-VkLfig+xm4U3hc4QChzuuAy0NGQ9dfPB8o54hmcZHCX9ofp0Zn6bEY+W3Ytkk76eYwPAgXfywDBlAb2Unjl1Rg==",
+      "version": "5.3.3",
+      "resolved": "https://registry.npmjs.org/bullmq/-/bullmq-5.3.3.tgz",
+      "integrity": "sha512-Gc/68HxiCHLMPBiGIqtINxcf8HER/5wvBYMY/6x3tFejlvldUBFaAErMTLDv4TnPsTyzNPrfBKmFCEM58uVnJg==",
       "dependencies": {
         "cron-parser": "^4.6.0",
-        "glob": "^8.0.3",
+        "fast-glob": "^3.3.2",
         "ioredis": "^5.3.2",
         "lodash": "^4.17.21",
+        "minimatch": "^9.0.3",
         "msgpackr": "^1.10.1",
         "node-abort-controller": "^3.1.1",
         "semver": "^7.5.4",
@@ -5507,6 +5518,28 @@
         "uuid": "^9.0.0"
       }
     },
+    "node_modules/bullmq/node_modules/brace-expansion": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz",
+      "integrity": "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==",
+      "dependencies": {
+        "balanced-match": "^1.0.0"
+      }
+    },
+    "node_modules/bullmq/node_modules/minimatch": {
+      "version": "9.0.3",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.3.tgz",
+      "integrity": "sha512-RHiac9mvaRw0x3AYRgDC1CxAP7HTcNrrECeA8YYJeWnpo+2Q5CegtZjaotWTWxDG3UeGA1coE05iH1mPjT/2mg==",
+      "dependencies": {
+        "brace-expansion": "^2.0.1"
+      },
+      "engines": {
+        "node": ">=16 || 14 >=14.17"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/isaacs"
+      }
+    },
     "node_modules/bundle-require": {
       "version": "4.0.2",
       "resolved": "https://registry.npmjs.org/bundle-require/-/bundle-require-4.0.2.tgz",
@@ -6906,7 +6939,6 @@
       "version": "3.3.2",
       "resolved": "https://registry.npmjs.org/fast-glob/-/fast-glob-3.3.2.tgz",
       "integrity": "sha512-oX2ruAFQwf/Orj8m737Y5adxDQO0LAB7/S5MnxCdTNDd4p6BsyIVsv9JQsATbTSq8KHRpLwIHbVlUNatxd+1Ow==",
-      "dev": true,
       "dependencies": {
         "@nodelib/fs.stat": "^2.0.2",
         "@nodelib/fs.walk": "^1.2.3",
@@ -7058,7 +7090,6 @@
       "version": "7.0.1",
       "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.0.1.tgz",
       "integrity": "sha512-qOo9F+dMUmC2Lcb4BbVvnKJxTPjCm+RRpe4gDuGrzkL7mEVl/djYSu2OdQ2Pa302N4oqkSg9ir6jaLWJ2USVpQ==",
-      "dev": true,
       "dependencies": {
         "to-regex-range": "^5.0.1"
       },
@@ -7510,7 +7541,6 @@
       "version": "5.1.2",
       "resolved": "https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz",
       "integrity": "sha512-AOIgSQCepiJYwP3ARnGx+5VnTu2HBYdzbGP45eLw1vr3zB3vZLeyed1sC9hnbcOc9/SrMyM5RPQrkGz4aS9Zow==",
-      "dev": true,
       "dependencies": {
         "is-glob": "^4.0.1"
       },
@@ -8111,7 +8141,6 @@
       "version": "2.1.1",
       "resolved": "https://registry.npmjs.org/is-extglob/-/is-extglob-2.1.1.tgz",
       "integrity": "sha512-SbKbANkN603Vi4jEZv49LeVJMn4yGwsbzZworEoyEiutsN3nJYdbO36zfhGJ6QEDpOZIFkDtnq5JRxmvl3jsoQ==",
-      "dev": true,
       "engines": {
         "node": ">=0.10.0"
       }
@@ -8142,7 +8171,6 @@
       "version": "4.0.3",
       "resolved": "https://registry.npmjs.org/is-glob/-/is-glob-4.0.3.tgz",
       "integrity": "sha512-xelSayHH36ZgE7ZWhli7pW34hNbNl8Ojv5KVmkJD4hBdD3th8Tfk9vYasLM+mXWOZhFkgZfxhLSnrwRr4elSSg==",
-      "dev": true,
       "dependencies": {
         "is-extglob": "^2.1.1"
       },
@@ -8177,7 +8205,6 @@
       "version": "7.0.0",
       "resolved": "https://registry.npmjs.org/is-number/-/is-number-7.0.0.tgz",
       "integrity": "sha512-41Cifkg6e8TylSpdtTpeLVMqvSBEVzTttHvERD741+pnZ8ANv0004MRL43QKPDlK9cGvNp6NZWZUBlbGXYxxng==",
-      "dev": true,
       "engines": {
         "node": ">=0.12.0"
       }
@@ -8934,7 +8961,6 @@
       "version": "1.4.1",
       "resolved": "https://registry.npmjs.org/merge2/-/merge2-1.4.1.tgz",
       "integrity": "sha512-8q7VEgMJW4J8tcfVPy8g09NcQwZdbwFEqhe/WZkoIzjn/3TGDwtOCYtXGxA3O8tPzpczCCDgv+P2P5y00ZJOOg==",
-      "dev": true,
       "engines": {
         "node": ">= 8"
       }
@@ -8951,7 +8977,6 @@
       "version": "4.0.5",
       "resolved": "https://registry.npmjs.org/micromatch/-/micromatch-4.0.5.tgz",
       "integrity": "sha512-DMy+ERcEW2q8Z2Po+WNXuw3c5YaUSFjAO5GsJqfEl7UjvtIuFKO6ZrKvcItdy98dwFI2N1tg3zNIdKaQT+aNdA==",
-      "dev": true,
       "dependencies": {
         "braces": "^3.0.2",
         "picomatch": "^2.3.1"
@@ -8964,7 +8989,6 @@
       "version": "2.3.1",
       "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz",
       "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==",
-      "dev": true,
       "engines": {
         "node": ">=8.6"
       },
@@ -9784,6 +9808,27 @@
         "url": "https://github.com/sponsors/jaredhanson"
       }
     },
+    "node_modules/passport-openidconnect": {
+      "version": "0.1.2",
+      "resolved": "https://registry.npmjs.org/passport-openidconnect/-/passport-openidconnect-0.1.2.tgz",
+      "integrity": "sha512-JX3rTyW+KFZ/E9OF/IpXJPbyLO9vGzcmXB5FgSP2jfL3LGKJPdV7zUE8rWeKeeI/iueQggOeFa3onrCmhxXZTg==",
+      "dependencies": {
+        "oauth": "0.10.x",
+        "passport-strategy": "1.x.x"
+      },
+      "engines": {
+        "node": ">= 0.6.0"
+      },
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/jaredhanson"
+      }
+    },
+    "node_modules/passport-openidconnect/node_modules/oauth": {
+      "version": "0.10.0",
+      "resolved": "https://registry.npmjs.org/oauth/-/oauth-0.10.0.tgz",
+      "integrity": "sha512-1orQ9MT1vHFGQxhuy7E/0gECD3fd2fCC+PIX+/jgmU/gI3EpRocXtmtvxCO5x3WZ443FLTLFWNDjl5MPJf9u+Q=="
+    },
     "node_modules/passport-strategy": {
       "version": "1.0.0",
       "resolved": "https://registry.npmjs.org/passport-strategy/-/passport-strategy-1.0.0.tgz",
@@ -10557,7 +10602,6 @@
       "version": "1.2.3",
       "resolved": "https://registry.npmjs.org/queue-microtask/-/queue-microtask-1.2.3.tgz",
       "integrity": "sha512-NuaNSa6flKT5JaSYQzJok04JzTL1CA6aGhv5rfLW3PgqA+M2ChpZQnAC8h8i4ZFkBS8X5RqkDBHA7r4hej3K9A==",
-      "dev": true,
       "funding": [
         {
           "type": "github",
@@ -10904,7 +10948,6 @@
       "version": "1.2.0",
       "resolved": "https://registry.npmjs.org/run-parallel/-/run-parallel-1.2.0.tgz",
       "integrity": "sha512-5l4VyZR86LZ/lDxZTR6jqL8AFE2S0IFLMP26AbjsLVADxHdhB/c0GUsH+y39UfCi3dzz8OlQuPmnaJOMoDHQBA==",
-      "dev": true,
       "funding": [
         {
           "type": "github",
@@ -11705,7 +11748,6 @@
       "version": "5.0.1",
       "resolved": "https://registry.npmjs.org/to-regex-range/-/to-regex-range-5.0.1.tgz",
       "integrity": "sha512-65P7iz6X5yEr1cwcgvQxbbIw7Uk3gOy5dIdtZ4rDveLqhrdJP+Li/Hx6tyK0NEb+2GCyneCMJiGqrADCSNk8sQ==",
-      "dev": true,
       "dependencies": {
         "is-number": "^7.0.0"
       },

backend/package.json

@@ -41,6 +41,7 @@
     "@types/nodemailer": "^6.4.14",
     "@types/passport-github": "^1.1.12",
     "@types/passport-google-oauth20": "^2.0.14",
+    "@types/passport-openidconnect": "^0.1.3",
     "@types/pg": "^8.10.9",
     "@types/picomatch": "^2.3.3",
     "@types/prompt-sync": "^4.2.3",
@@ -94,7 +95,7 @@
     "axios": "^1.6.7",
     "axios-retry": "^4.0.0",
     "bcrypt": "^5.1.1",
-    "bullmq": "^5.1.6",
+    "bullmq": "^5.3.3",
     "dotenv": "^16.4.1",
     "fastify": "^4.26.0",
     "fastify-plugin": "^4.5.1",
@@ -114,6 +115,7 @@
     "passport-github": "^1.1.0",
     "passport-gitlab2": "^5.0.0",
     "passport-google-oauth20": "^2.0.0",
+    "passport-openidconnect": "^0.1.2",
     "pg": "^8.11.3",
     "picomatch": "^3.0.1",
     "pino": "^8.16.2",

backend/src/server/routes/v1/sso-router.ts

@@ -8,9 +8,12 @@
 
 import { Authenticator } from "@fastify/passport";
 import fastifySession from "@fastify/session";
+// import { FastifyRequest } from "fastify";
 import { Strategy as GitHubStrategy } from "passport-github";
 import { Strategy as GitLabStrategy } from "passport-gitlab2";
 import { Strategy as GoogleStrategy } from "passport-google-oauth20";
+import { Strategy as OpenIDConnectStrategy } from "passport-openidconnect";
+// const OpenIDConnectStrategy = require('passport-openidconnect');
 import { z } from "zod";
 
 import { getConfig } from "@app/lib/config/env";
@@ -133,6 +136,136 @@ export const registerSsoRouter = async (server: FastifyZodProvider) => {
     );
   }
 
+  /**
+   * TODO:
+   * 1. Test w static config
+   * 2. Fetch config from db
+   */
+
+  // const getOIDCConfiguration = (req: FastifyRequest, callback: any) => {
+  //   // Fetching things from database or whatever
+  //   const { username } = req.body as { username: string };
+
+  //   process.nextTick(() => {
+  //     const opts = {
+  //       issuer: "",
+  //       authorizationURL: "",
+  //       tokenURL: "",
+  //       userInfoURL: "",
+  //       clientID: "",
+  //       clientSecret: "",
+  //       callbackURL: `${'test'}/api/sso/oidc`,
+  //       // issuer: ISSUER_URL_OIDC_LOGIN,
+  //       // authorizationURL: AUTHORIZATION_URL_OIDC_LOGIN,
+  //       // tokenURL: TOKEN_URL_OIDC_LOGIN,
+  //       // userInfoURL: USER_INFO_URL_OIDC_LOGIN,
+  //       // clientID: CLIENT_ID_OIDC_LOGIN,
+  //       // clientSecret: CLIENT_SECRET_OIDC_LOGIN,
+  //       // callbackURL: `${SITE_URL}/api/sso/oidc`,
+  //       scope: ['profile', 'email'],
+  //       passReqToCallback: true
+  //     }
+
+  //     callback(null, opts);
+  //   });
+  // };
+
+  const ISSUER_URL_OIDC_LOGIN = "https://oauth.id.jumpcloud.com/";
+  const AUTHORIZATION_URL_OIDC_LOGIN = "https://oauth.id.jumpcloud.com/oauth2/auth";
+  const TOKEN_URL_OIDC_LOGIN = "https://oauth.id.jumpcloud.com/oauth2/token";
+  const USER_INFO_URL_OIDC_LOGIN = "https://oauth.id.jumpcloud.com/userinfo";
+  const CLIENT_ID_OIDC_LOGIN = "";
+  const CLIENT_SECRET_OIDC_LOGIN = "";
+  const SITE_URL = "";
+
+  const config = {
+    issuer: ISSUER_URL_OIDC_LOGIN,
+    authorizationURL: AUTHORIZATION_URL_OIDC_LOGIN,
+    tokenURL: TOKEN_URL_OIDC_LOGIN,
+    userInfoURL: USER_INFO_URL_OIDC_LOGIN,
+    clientID: CLIENT_ID_OIDC_LOGIN,
+    clientSecret: CLIENT_SECRET_OIDC_LOGIN,
+    callbackURL: `${SITE_URL}/api/v1/sso/oidc`,
+    scope: ["profile", "email"],
+    passReqToCallback: true
+  };
+
+  if (config) {
+    passport.use(
+      new OpenIDConnectStrategy(config, (req: any, issuer: any, profile: any, done: any) => {
+        try {
+          console.log("oidc");
+          console.log("oidc issuer: ", issuer);
+          console.log("oidc profile: ", profile);
+          // const { name: { familyName, givenName }, emails } = profile;
+          done(null, profile);
+        } catch (err) {
+          console.log("oidc err: ", err);
+          done(null, false);
+        }
+      })
+    );
+  }
+
+  server.route({
+    url: "/login/oidc",
+    method: "GET",
+    preValidation: (req, res) => {
+      console.log("oidc login");
+      return (
+        passport.authenticate("openidconnect", {
+          session: false,
+          scope: ["profile", "email"]
+        }) as any
+      )(req, res);
+    },
+    handler: async (req, res) => {
+      console.log("oidc login 2");
+      if (req.passportUser) {
+        return res.code(200).send({ message: "Authentication successful", user: req.passportUser });
+      }
+      return res.code(401).send({ error: "Authentication failed" });
+    }
+  });
+
+  server.route({
+    url: "/oidc",
+    method: "GET",
+    preValidation: (req, res) => {
+      console.log("oidcx req: ", req); // code, state
+      return (
+        passport.authenticate("openidconnect", {
+          session: false,
+          failureRedirect: "/api/v1/sso/login/provider/error",
+          failureMessage: true
+        }) as any
+      )(req, res);
+    },
+    handler: (req, res) => {
+      console.log("oidc 3");
+      if (req.passportUser.isUserCompleted) {
+        // login
+        return res.redirect(`${SITE_URL}/login/sso?token=${encodeURIComponent(req.passportUser.providerAuthToken)}`);
+      }
+
+      // signup
+      return res.redirect(`${SITE_URL}/signup/sso?token=${encodeURIComponent(req.passportUser.providerAuthToken)}`);
+    }
+  });
+
+  server.route({
+    url: "/login/provider/error",
+    method: "GET",
+    handler: (req, res) => {
+      console.log("reqyx: ", req);
+      console.log("resyx: ", res);
+      return res.status(500).send({
+        error: "Authentication error",
+        details: req.query
+      });
+    }
+  });
+
   server.route({
     url: "/redirect/google",
     method: "GET",

docker-compose.prod.yml

@@ -4,10 +4,12 @@ services:
   db-migration:
     container_name: infisical-db-migration
     depends_on:
-      - db
+      db:
+        condition: service_healthy
     image: infisical/infisical:latest-postgres
     env_file: .env
     command: npm run migration:latest
+    pull_policy: always
     networks:
       - infisical
 
@@ -16,12 +18,13 @@ services:
     restart: unless-stopped
     depends_on:
       db:
-        condition: service_started
+        condition: service_healthy
       redis:
         condition: service_started
       db-migration:
         condition: service_completed_successfully
     image: infisical/infisical:latest-postgres
+    pull_policy: always
     env_file: .env
     ports:
       - 80:8080
@@ -52,6 +55,11 @@ services:
       - pg_data:/data/db
     networks:
       - infisical
+    healthcheck:
+      test: "pg_isready --username=${POSTGRES_USER} && psql --username=${POSTGRES_USER} --list"
+      interval: 5s
+      timeout: 10s
+      retries: 10
 
 volumes:
   pg_data:

docs/contributing/platform/developing.mdx

@@ -16,49 +16,7 @@ git checkout -b MY_BRANCH_NAME
 ## Set up environment variables
 
 
-Start by creating a .env file at the root of the Infisical directory then copy the contents of the file below into the .env file.
-
-<Accordion title=".env file content">
-  ```env 
-    # Keys
-    # Required key for platform encryption/decryption ops
-    ENCRYPTION_KEY=6c1fe4e407b8911c104518103505b218
-
-    # JWT
-    # Required secrets to sign JWT tokens
-    JWT_SIGNUP_SECRET=3679e04ca949f914c03332aaaeba805a
-    JWT_REFRESH_SECRET=5f2f3c8f0159068dc2bbb3a652a716ff
-    JWT_AUTH_SECRET=4be6ba5602e0fa0ac6ac05c3cd4d247f
-    JWT_SERVICE_SECRET=f32f716d70a42c5703f4656015e76200
-
-    # MongoDB
-    # Backend will connect to the MongoDB instance at connection string MONGO_URL which can either be a ref
-    # to the MongoDB container instance or Mongo Cloud
-    # Required
-    MONGO_URL=mongodb://root:example@mongo:27017/?authSource=admin
-
-    # Optional credentials for MongoDB container instance and Mongo-Express
-    MONGO_USERNAME=root
-    MONGO_PASSWORD=example
-
-    # Website URL
-    # Required
-    SITE_URL=http://localhost:8080
-
-    # Mail/SMTP
-    SMTP_HOST='smtp-server'
-    SMTP_PORT='1025'
-    SMTP_NAME='local'
-    SMTP_USERNAME='team@infisical.com'
-    SMTP_PASSWORD=
-  ```
-</Accordion>
-
-<Warning>
-    The pre-populated environment variable values above are meant to be used in development only. They should never be used in production.
-</Warning>
-
-View all available [environment variables](https://infisical.com/docs/self-hosting/configuration/envars) and guidance for each.
+Start by creating a .env file at the root of the Infisical directory then copy the contents of the file linked [here](https://github.com/Infisical/infisical/blob/main/.env.example). View all available [environment variables](https://infisical.com/docs/self-hosting/configuration/envars) and guidance for each.
 
 ## Starting Infisical for development
 
@@ -72,10 +30,7 @@ docker-compose -f docker-compose.dev.yml up --build --force-recreate
 ```
 #### Access local server 
 
-Once all the services have spun up, browse to http://localhost:8080. To sign in, you may use the default credentials listed below.
-
-Email: `test@localhost.local`
-Password: `testInfisical1`
+Once all the services have spun up, browse to http://localhost:8080.
 
 #### Shutdown local server 
 

docs/documentation/platform/ldap.mdx

@@ -0,0 +1,36 @@
+---
+title: "LDAP"
+description: "Log in to Infisical with LDAP"
+---
+
+<Info>
+    LDAP is a paid feature.
+   
+   If you're using Infisical Cloud, then it is available under the **Enterprise Tier**. If you're self-hosting Infisical,
+   then you should contact team@infisical.com to purchase an enterprise license to use it.
+</Info>
+
+You can configure your organization in Infisical to have members authenticate with the platform via [LDAP](https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol); this includes support for Active Directory.
+
+<Steps>
+   <Step title="Prepare the LDAP configuration in Infisical">
+        In Infisical, head to your Organization Settings > Authentication > LDAP Configuration and select **Set up LDAP**.
+        
+        Next, input your LDAP server settings.
+        
+        ![LDAP configuration](/images/platform/ldap/ldap-config.png)
+        
+        Here's some guidance for each field:
+
+        - URL: The LDAP server to connect to such as `ldap://ldap.your-org.com`, `ldaps://ldap.myorg.com:636` (for connection over SSL/TLS), etc.
+        - Bind DN: The distinguished name of object to bind when performing the user search such as `cn=infisical,ou=Users,dc=acme,dc=com`.
+        - Bind Pass: The password to use along with `Bind DN` when performing the user search.
+        - Search Base / User DN: Base DN under which to perform user search such as `ou=Users,dc=example,dc=com`
+        - CA Certificate: The CA certificate to use when verifying the LDAP server certificate.
+   </Step>
+   <Step title="Enable LDAP in Infisical">
+        Enabling LDAP allows members in your organization to log into Infisical via LDAP.
+        
+        ![LDAP toggle](/images/platform/ldap/ldap-toggle.png)
+   </Step>
+</Steps>

docs/documentation/platform/ldap/general.mdx

@@ -0,0 +1,36 @@
+---
+title: "General LDAP"
+description: "Log in to Infisical with LDAP"
+---
+
+<Info>
+    LDAP is a paid feature.
+
+   If you're using Infisical Cloud, then it is available under the **Enterprise Tier**. If you're self-hosting Infisical,
+   then you should contact team@infisical.com to purchase an enterprise license to use it.
+</Info>
+
+You can configure your organization in Infisical to have members authenticate with the platform via [LDAP](https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol)
+
+<Steps>
+   <Step title="Prepare the LDAP configuration in Infisical">
+        In Infisical, head to your Organization Settings > Authentication > LDAP Configuration and select **Set up LDAP**.
+
+        Next, input your LDAP server settings.
+
+        ![LDAP configuration](/images/platform/ldap/ldap-config.png)
+
+        Here's some guidance for each field:
+
+        - URL: The LDAP server to connect to such as `ldap://ldap.your-org.com`, `ldaps://ldap.myorg.com:636` (for connection over SSL/TLS), etc.
+        - Bind DN: The distinguished name of object to bind when performing the user search such as `cn=infisical,ou=Users,dc=acme,dc=com`.
+        - Bind Pass: The password to use along with `Bind DN` when performing the user search.
+        - Search Base / User DN: Base DN under which to perform user search such as `ou=Users,dc=example,dc=com`
+        - CA Certificate: The CA certificate to use when verifying the LDAP server certificate.
+   </Step>
+   <Step title="Enable LDAP in Infisical">
+        Enabling LDAP allows members in your organization to log into Infisical via LDAP.
+
+        ![LDAP toggle](/images/platform/ldap/ldap-toggle.png)
+   </Step>
+</Steps>

docs/documentation/platform/ldap/jumpcloud.mdx

@@ -0,0 +1,56 @@
+---
+title: "JumpCloud LDAP"
+description: "Configure JumpCloud LDAP for Logging into Infisical"
+---
+
+<Info>
+    LDAP is a paid feature.
+
+    If you're using Infisical Cloud, then it is available under the **Enterprise Tier**. If you're self-hosting Infisical,
+    then you should contact team@infisical.com to purchase an enterprise license to use it.
+</Info>
+
+<Steps>
+    <Step title="Prepare LDAP in JumpCloud">
+        In JumpCloud, head to USER MANAGEMENT > Users and create a new user via the **Manual user entry** option. This user
+        will be used as a privileged service account to facilitate Infisical's ability to bind/search the LDAP directory.
+
+        When creating the user, input their **First Name**, **Last Name**, **Username** (required), **Company Email** (required), and **Description**.
+        Also, create a password for the user.
+
+        Next, under User Security Settings and Permissions > Permission Settings, check the box next to **Enable as LDAP Bind DN**. 
+
+        ![LDAP JumpCloud](/images/platform/ldap/jumpcloud/ldap-jumpcloud-enable-bind-dn.png)
+
+    </Step>
+    <Step title="Prepare the LDAP configuration in Infisical">
+            In Infisical, head to your Organization Settings > Authentication > LDAP Configuration and select **Set up LDAP**.
+
+            Next, input your JumpCloud LDAP server settings.
+
+            ![LDAP configuration](/images/platform/ldap/ldap-config.png)
+
+            Here's some guidance for each field:
+
+            - URL: The LDAP server to connect to (`ldaps://ldap.jumpcloud.com:636`).
+            - Bind DN: The distinguished name of object to bind when performing the user search (`uid=<ldap-user-username>,ou=Users,o=<your-org-id>,dc=jumpcloud,dc=com`).
+            - Bind Pass: The password to use along with `Bind DN` when performing the user search.
+            - Search Base / User DN: Base DN under which to perform user search (`ou=Users,o=<your-org-id>,dc=jumpcloud,dc=com`).
+            - CA Certificate: The CA certificate to use when verifying the LDAP server certificate (instructions to obtain the certificate for JumpCloud [here](https://jumpcloud.com/support/connect-to-ldap-with-tls-ssl)).
+
+            <Tip>
+                When filling out the **Bind DN** and **Bind Pass** fields, refer to the username and password of the user created in Step 1.
+
+                Also, for the **Bind DN** and **Search Base / User DN** fields, you'll want to use the organization ID that appears 
+                in your LDAP instance **ORG DN**.
+            </Tip>
+    </Step>
+    <Step title="Enable LDAP in Infisical">
+            Enabling LDAP allows members in your organization to log into Infisical via LDAP.
+
+            ![LDAP toggle](/images/platform/ldap/ldap-toggle.png)
+    </Step>
+</Steps>
+
+Resources:
+- [JumpCloud Cloud LDAP Guide](https://jumpcloud.com/support/use-cloud-ldap)

docs/documentation/platform/ldap/overview.mdx

@@ -0,0 +1,23 @@
+---
+title: "LDAP Overview"
+description: "Log in to Infisical with LDAP"
+---
+<Info>
+    LDAP is a paid feature.
+
+   If you're using Infisical Cloud, then it is available under the **Enterprise Tier**. If you're self-hosting Infisical,
+   then you should contact sales@infisical.com to purchase an enterprise license to use it.
+</Info>
+
+You can configure your organization in Infisical to have members authenticate with the platform via [LDAP](https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol)
+
+To note, configuring LDAP retains the end-to-end encrypted architecture of Infisical because we decouple the authentication and decryption steps; the LDAP server cannot and will not have access to the decryption key needed to decrypt your secrets.
+
+LDAP providers:
+
+- Active Directory
+- [JumpCloud LDAP](/documentation/platform/ldap/jumpcloud)
+- AWS Directory Service
+- Foxpass
+
+Check out the general instructions for configuring LDAP [here](/documentation/platform/ldap/general).

docs/documentation/platform/project-upgrade.mdx

@@ -0,0 +1,21 @@
+---
+title: "Enhancing Security and Usability: Project Upgrades"
+---
+
+
+At Infisical, we're constantly striving to elevate the security and usability standards of our platform to better serve our users.
+With this commitment in mind, we're excited to introduce our latest addition, non-E2EE projects, aimed at addressing two significant issues while enhancing how clients interact with Infisical programmatically.
+
+Previously, users encountered a challenge where projects risked becoming inaccessible if the project creator deleted their account.
+Additionally, our API lacked the capability to interact with projects without dealing with complex cryptographic operations.
+These obstacles made API driven automation and collaboration a painful experience for a majority of our users.
+
+To overcome these limitations, our upgrade focuses on disabling end-to-end encryption (E2EE) for projects.
+While this may raise eyebrows, it's important to understand that this decision is a strategic move to make Infisical easer to use and interact with.
+
+But what does this mean for our users? Essentially nothing, there are no changes required on your end. 
+Rest assured, all sensitive data remains encrypted at rest according to the latest industry standards.
+Our commitment to security remains unwavering, and this upgrade is a testament to our dedication to delivering on our promises in both security and usability when it comes to secrets management.
+
+To increase consistency with existing and future integrations, all projects created on Infisical from now on will have end-to-end encryption (E2EE) disabled by default. 
+This will not only reduce confusion for end users, but will also make the Infisical API seamless to use.

docs/mint.json

@@ -149,6 +149,14 @@
             "documentation/platform/sso/jumpcloud"
           ]
         },
+        {
+          "group": "LDAP",
+          "pages": [
+            "documentation/platform/ldap/overview",
+            "documentation/platform/ldap/jumpcloud",
+            "documentation/platform/ldap/general"
+          ]
+        },
         {
           "group": "SCIM",
           "pages": [
@@ -165,7 +173,6 @@
       "pages": [
         "self-hosting/overview",
         "self-hosting/configuration/requirements",
-        "self-hosting/configuration/schema-migrations",
         {
           "group": "Installation methods",
           "pages": [
@@ -175,6 +182,13 @@
           ]
         },
         "self-hosting/configuration/envars",
+        {
+          "group": "Guides",
+          "pages": [
+            "self-hosting/configuration/schema-migrations",
+            "self-hosting/guides/mongo-to-postgres"
+          ]
+        },
         "self-hosting/faq"
       ]
     },

docs/self-hosting/configuration/envars.mdx

@@ -4,7 +4,7 @@ description: "Configure environment variables for self-hosted Infisical"
 ---
 
 
-Infisical accepts all configurations via environment variables. For a basic self-hosted instance, at least `ENCRYPTION_KEY`, `AUTH_SECRET`, `DB_CONNECTION_URI` and `REDIS_URL` must be defined. 
+Infisical accepts all configurations via environment variables. For a minimal self-hosted instance, at least `ENCRYPTION_KEY`, `AUTH_SECRET`, `DB_CONNECTION_URI` and `REDIS_URL` must be defined. 
 However, you can configure additional settings to activate more features as needed.
 
 ## General platform    

docs/self-hosting/deployment-options/kubernetes-helm.mdx

@@ -166,7 +166,7 @@ description: "Use Helm chart to install Infisical on your Kubernetes cluster"
   <Step title="Access Infisical">
     After deployment, please wait for 2-5 minutes for all pods to reach a running state. Once a significant number of pods are operational, access the IP address revealed through Ingress by your load balancer. 
     You can find the IP address/hostname by executing the command `kubectl get ingress`.
-    ![self host sign up](images/self-hosting/applicable-to-all/selfhost-signup.png)
+    ![infisical-selfhost](images/self-hosting/applicable-to-all/selfhost-signup.png)
   </Step>
   <Step title="Upgrade your instance">
     To upgrade your instance of Infisical simply update the docker image tag in your Halm values and rerun the command below.
@@ -176,8 +176,8 @@ description: "Use Helm chart to install Infisical on your Kubernetes cluster"
     ```
 
     <Tip>
-      Always back up your database before each upgrade, especially in a production environment
+      Always back up your database before each upgrade, especially in a production environment.
     </Tip>
 
   </Step>
-</Steps>
+</Steps>

docs/self-hosting/faq.mdx

@@ -15,3 +15,7 @@ However, in the event you choose to use Infisical without SSL, you can do so by
 [Learn more about secure cookies](https://really-simple-ssl.com/definition/what-are-secure-cookies/)
 </Accordion>
 
+<Accordion title="How can I upgrade my Infisical instance to Postgres version?">
+  Follow the step by step guide [here](self-hosting/guides/mongo-to-postgres) to learn how.
+</Accordion>
+

docs/self-hosting/guides/mongo-to-postgres.mdx

@@ -0,0 +1,195 @@
+---
+title: "Migrate Mongo to Postgres"
+description: "How to migrate from MongoDB to PostgreSQL for Infisical"
+---
+
+This guide will provide step by step instructions on migrating your Infisical instance running on MongoDB to the newly released PostgreSQL version of Infisical.
+The newly released Postgres version of Infisical is the only version of Infisical that will receive feature updates and patches going forward. 
+
+<Tip>
+  If you have a small set of secrets, we recommend you to download the secrets and upload them to your new instance of Infisical instead of running the migration script.
+</Tip>
+
+## Prerequisites
+
+Before starting the migration, ensure you have the following command line tools installed:
+
+- [pg_dump](https://www.postgresql.org/docs/current/app-pgrestore.html) 
+- [pg_restore](https://www.postgresql.org/docs/current/app-pgdump.html)
+- [mongodump](https://www.mongodb.com/docs/database-tools/mongodump/)
+- [mongorestore](https://www.mongodb.com/docs/database-tools/mongorestore/)
+- [Docker](https://docs.docker.com/engine/install/) 
+
+## Prepare for migration
+
+<Steps>
+  <Step title="Backup Production MongoDB Data">
+     While the migration script will not mutate any MongoDB production data, we recommend you to take a backup of your MongoDB instance if possible.
+  </Step>
+  <Step title="Set Migration Mode">
+    To prevent new data entries during the migration, set your Infisical instance to migration mode by setting the environment variable `MIGRATION_MODE=true` and redeploying your instance. 
+    This mode will block all write operations, only allowing GET requests. It also disables user logins and sets up a migration page to prevent UI interactions.
+    ![migration mode](/images/self-hosting/guides/mongo-postgres/mongo-migration.png)
+  </Step>
+  <Step title="Start local instances of Mongo and Postgres databases">
+    Start local instances of MongoDB and Postgres. This will be used in later steps to process and transform the data locally.
+
+    To start local instances of the two databases, create a file called `docker-compose.yaml` as shown below.
+
+    ```yaml docker-compose.yaml
+      version: '3.1'
+
+      services:
+        mongodb:
+          image: mongo
+          restart: always
+          environment:
+            MONGO_INITDB_ROOT_USERNAME: root
+            MONGO_INITDB_ROOT_PASSWORD: example
+          ports:
+            - "27017:27017"
+          volumes:
+            - mongodb_data:/data/db
+
+        postgres:
+          image: postgres
+          restart: always
+          environment:
+            POSTGRES_PASSWORD: example
+          ports:
+            - "5432:5432"
+          volumes:
+            - postgres_data:/var/lib/postgresql/data
+
+      volumes:
+        mongodb_data:
+        postgres_data:
+    ```
+
+    Next, run the command below in the same working directory where the `docker-compose.yaml` file resides to start both services.
+
+    ```
+    docker-compose up
+    ```
+
+  </Step>
+</Steps>
+
+## Dump MongoDB
+To speed up the data transformation process, the first step involves transferring the production data from Infisical's MongoDB to a local machine. 
+This is achieved by creating a dump of the production database and then uploading this dumped data into a local Mongo instance. 
+By having a running local instance of the production database, we will significantly reduce the time it takes to run the migration script.
+
+<Steps>
+  <Step title="Dump MongoDB data to your local machine using">
+  
+   ```
+   mongodump --uri=<your_mongo_prod_uri> --archive="mongodump-db" --db=<db name> --excludeCollection=auditlogs
+   ```
+
+  </Step>
+  <Step title="Restore this data to the local MongoDB instance">
+   ```
+   mongorestore --uri=mongodb://root:example@localhost:27017/ --archive="mongodump-db"
+   ```
+  </Step>
+</Steps>
+
+## Start the migration
+
+Once started, the migration script will transform MongoDB data into an equivalent PostgreSQL format.
+
+<Steps>
+  <Step title="Clone Infisical Repository">
+    Clone the Infisical MongoDB repository.
+    ```
+    git clone https://github.com/Infisical/infisical.git
+    ```
+  </Step>
+  <Step title="Install dependencies for backend">
+    ```
+    cd backend
+    ```
+
+    ```
+    npm install
+    ```
+  </Step>
+  <Step title="Install dependencies for script">
+    ```
+    cd pg-migrator
+    ```
+
+    ```
+      npm install
+    ```
+  </Step>
+  <Step title="Execute Migration Script">
+    ```
+      npm run migration
+    ```
+
+    When executing the above command, you'll be asked to provide the MongoDB connection string for the database containing your production Infisical data. Since our production Mongo data is transferred to a local Mongo instance, you should input the connection string for this local instance.
+    
+    ```
+    mongodb://root:example@localhost:27017/<db-name>?authSource=admin
+    ```
+
+    <Tip>
+      Remember to replace `<db-name>` with the name of the MongoDB database. If you are not sure the name, you can use [Compass](https://www.mongodb.com/products/tools/compass) to view the available databases.
+    </Tip>
+
+    
+    Next, you will be asked to enter the Postgres connection string for the database where the transformed data should be stored. 
+    Input the connection string of the local Postgres instance that was set up earlier in the guide.
+    
+    ```
+    postgres://infisical:infisical@localhost/infisical?sslmode=disable
+    ```
+  </Step>
+
+  <Step title="Store migration metadata">
+    Once the script has completed, you will notice a new folder has been created called `db` in the `pg-migrator` folder. 
+    This folder contains meta data for schema mapping and can be helpful when debugging migration related issues. 
+    We highly recommend you to make a copy of this folder in case you need assistance from the Infisical team during your migration process.  
+
+    <Info>
+      The `db` folder does not contain any sensitive data
+    </Info>
+  </Step>
+</Steps>
+
+## Finalizing Migration
+At this stage, the data from the Mongo instance of Infisical should have been successfully converted into its Postgres equivalent. 
+The remaining step involves transferring the local Postgres database, which now contains all the migrated data, to your chosen production Postgres environment. 
+Rather than transferring the data row-by-row from your local machine to the production Postgres database, we will first create a dump file from the local Postgres and then upload this file to your production Postgres instance.
+
+<Steps>
+  <Step title="Dump from local PostgreSQL">
+   ```
+   pg_dump -h localhost -U infisical -Fc -b -v -f dumpfilelocation.sql -d infisical
+   ```
+  </Step>
+  <Step title="Upload to production PostgreSQL">
+   ```
+   pg_restore --clean -v -h <host> -U <db-user-name> -d <database-name> -j 2 dumpfilelocation.sql 
+   ```
+
+   <Tip>
+    Remember to replace `<host>`, `<db-user-name>`, `<database-name>` with the corresponding details of your production Postgres database.
+   </Tip>
+  </Step>
+  <Step title="Verify Data Upload">
+    Use a tool like Beekeeper Studio to confirm that the data has been successfully transferred to your production Postgres DB.
+  </Step>
+</Steps>
+
+## Post-Migration Steps
+
+After successfully migrating the data to PostgreSQL, you can proceed to deploy Infisical using your preferred deployment method. 
+Refer to [Infisical's self-hosting documentation](https://infisical.com/docs/self-hosting/overview) for deployment options. 
+Remember to use your production PostgreSQL connection string for the new deployment and transfer all [environment variables](/self-hosting/configuration/envars) from the MongoDB version of Infisical to the new version (they are all compatible).
+
+## Additional discussion 
+- When you visit Infisical's [docker hub](https://hub.docker.com/r/infisical/infisical) page, you will notice that image tags end with `-postgres`. 
+This is to indicate that this version of Infisical runs on the new Postgres backend. Any image tag that does not end in `postgres` runs on MongoDB.

frontend/src/components/signup/EnterEmailStep.tsx

@@ -28,7 +28,7 @@ export default function EnterEmailStep({
   incrementStep
 }: DownloadBackupPDFStepProps): JSX.Element {
   const { createNotification } = useNotificationContext();
-  const { mutateAsync } = useSendVerificationEmail();
+  const { mutateAsync, isLoading } = useSendVerificationEmail();
   const [emailError, setEmailError] = useState(false);
   const { t } = useTranslation();
 
@@ -91,6 +91,8 @@ export default function EnterEmailStep({
               className='h-14'
               colorSchema="primary"
               variant="outline_bg"
+              isLoading={isLoading}
+              isDisabled={isLoading}
             > {String(t("signup.step1-submit"))} </Button>
           </div>
         </div>

frontend/src/components/utilities/cryptography/crypto.ts

@@ -210,7 +210,14 @@ const decryptSymmetric = ({ ciphertext, iv, tag, key }: DecryptSymmetricProps):
   try {
     plaintext = aes.decrypt({ ciphertext, iv, tag, secret: key });
   } catch (err) {
-    console.log("Failed to perform decryption");
+    console.log("Failed to decrypt with the following parameters", {
+      ciphertext,
+      iv,
+      tag,
+      key
+    });
+    console.log("Failed to perform decryption", err);
+
     process.exit(1);
   }
 

frontend/src/components/v2/UpgradeProjectAlert/UpgradeProjectAlert.tsx

@@ -1,4 +1,5 @@
 import { useCallback, useState } from "react";
+import Link from "next/link";
 import { useRouter } from "next/router";
 import { faWarning } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
@@ -97,16 +98,31 @@ export const UpgradeProjectAlert = ({ project }: UpgradeProjectAlertProps): JSX.
       <div className="flex w-full flex-col text-sm">
         <span className="mb-2 text-lg font-semibold">Upgrade your project</span>
         {membership.role === "admin" ? (
-          <p>
-            Upgrade your project version to continue receiving the latest improvements and patches.
-          </p>
+          <>
+            <p>
+              Upgrade your project version to continue receiving the latest improvements and
+              patches.
+            </p>
+            <Link href="/docs/documentation/platform/project-upgrade">
+              <a target="_blank" className="text-primary-400">
+                Learn more
+              </a>
+            </Link>
+          </>
         ) : (
-          <p>
-            <span className="font-bold">Please ask a project admin to upgrade the project.</span>
-            <br />
-            Upgrading the project version is required to continue receiving the latest improvements
-            and patches.
-          </p>
+          <>
+            <p>
+              <span className="font-bold">Please ask a project admin to upgrade the project.</span>
+              <br />
+              Upgrading the project version is required to continue receiving the latest
+              improvements and patches.
+            </p>
+            <Link href="/docs/documentation/platform/project-upgrade">
+              <a target="_blank" className="text-primary-400">
+                Learn more
+              </a>
+            </Link>
+          </>
         )}
         {currentStatus && <p className="mt-2 opacity-80">Status: {currentStatus}</p>}
       </div>

frontend/src/views/SecretRotationPage/components/CreateRotationForm/CreateRotationForm.tsx

@@ -90,7 +90,7 @@ export const CreateRotationForm = ({
       <ModalContent
         title={`Secret rotation for ${provider.name}`}
         subTitle="Provide the required inputs needed for the rotation"
-        className="max-w-2xl"
+        className="max-w-2xl max-h-screen overflow-scroll my-4"
       >
         <Stepper activeStep={wizardStep} direction="horizontal" className="mb-4">
           {WIZARD_STEPS.map(({ title, description }, index) => (

helm-charts/infisical-standalone-postgres/Chart.yaml

@@ -7,7 +7,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.0.0
+version: 1.0.5
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

helm-charts/infisical-standalone-postgres/templates/ingress.yaml

@@ -0,0 +1,50 @@
+{{ if .Values.ingress.enabled }}
+{{- $ingress := .Values.ingress }}
+{{- if and $ingress.ingressClassName (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
+  {{- if not (hasKey $ingress.annotations "kubernetes.io/ingress.class") }}
+  {{- $_ := set $ingress.annotations "kubernetes.io/ingress.class" $ingress.ingressClassName}}
+  {{- end }}
+{{- end }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: infisical-ingress
+  {{- with $ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if and $ingress.ingressClassName (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+  ingressClassName: {{ $ingress.ingressClassName | default "nginx" }}
+  {{- end }}
+{{- if $ingress.tls }}
+  tls:
+  {{- range $ingress.tls }}
+    - hosts:
+      {{- range .hosts }}
+        - {{ . | quote }}
+      {{- end }}
+      secretName: {{ .secretName }}
+  {{- end }}
+{{- end }}
+  rules:
+    - http:
+        paths:
+        - path: /
+          pathType: Prefix
+          backend:
+            service:
+              name: {{ include "infisical.fullname" . }}
+              port:
+                number: 8080
+        - path: /ss-webhook
+          pathType: Exact
+          backend:
+            service:
+              name: {{ include "infisical.fullname" . }}
+              port:
+                number: 8080
+      {{- if $ingress.hostName }}
+      host: {{ $ingress.hostName }}
+      {{- end }}
+{{ end }}

helm-charts/infisical-standalone-postgres/values.yaml

@@ -24,9 +24,9 @@ infisical:
 
   resources:
     limits:
-      memory: 210Mi
+      memory: 350Mi
     requests:
-      cpu: 200m
+      cpu: 350m
 
 ingress:
   enabled: true

pg-migrator/src/index.ts

@@ -66,7 +66,7 @@ enum SecretEncryptionAlgo {
   AES_256_GCM = "aes-256-gcm",
 }
 
-const ENV_SLUG_LENGTH = 15;
+const ENV_SLUG_LENGTH = 500;
 
 enum SecretKeyEncoding {
   UTF8 = "utf8",
@@ -210,9 +210,9 @@ export const migrateCollection = async <
           return (await tx
             .batchInsert<Tables[K]["base"]>(postgresTableName, pgDoc as any)
             .returning(returnKeys as any)) as Pick<
-            Tables[K]["base"],
-            R[number]
-          >[];
+              Tables[K]["base"],
+              R[number]
+            >[];
         });
         await postPgProcessing?.(mongooseDoc, newUserIds);
       }
@@ -230,9 +230,9 @@ export const migrateCollection = async <
         return (await tx
           .batchInsert(postgresTableName, pgDoc as any)
           .returning(returnKeys as any)) as Pick<
-          Tables[K]["base"],
-          R[number]
-        >[];
+            Tables[K]["base"],
+            R[number]
+          >[];
       });
       await postPgProcessing?.(mongooseDoc, newUserIds);
     }
@@ -258,9 +258,9 @@ const main = async () => {
   try {
     dotenv.config();
 
-    process.env.MONGO_DB_URL = "mongodb://root:example@localhost:27017/test?authSource=admin"
+    // process.env.MONGO_DB_URL = "mongodb://root:example@localhost:27017/test?authSource=admin"
 
-    process.env.POSTGRES_DB_URL = "postgres://infisical:infisical@localhost/infisical?sslmode=disable"
+    // process.env.POSTGRES_DB_URL = "postgres://infisical:infisical@localhost/infisical?sslmode=disable"
 
     process.env.START_FRESH = "true";
     const prompt = promptSync({ sigint: true });
@@ -313,7 +313,7 @@ const main = async () => {
       preProcessing: async (doc) => {
         if (["64058e0ea5c55c6a8203fed7", "64155f5d75c91bf4e176eb85", "6434ff80b82e04f17008aa13"].includes(doc._id.toString())) {
           console.log("Skipping duplicate user")
-          return 
+          return
         }
 
         const id = uuidV4();
@@ -843,9 +843,9 @@ const main = async () => {
             await folderKv.put(folder.id, id);
             const parentId = folder?.parentId
               ? await folderKv.get(folder?.parentId).catch((e) => {
-                  console.log("parent folder not found==>", folder);
-                  throw e;
-                })
+                console.log("parent folder not found==>", folder);
+                throw e;
+              })
               : null;
 
             pgFolder.push({
@@ -1548,8 +1548,8 @@ const main = async () => {
       returnKeys: ["id"],
       preProcessing: async (doc) => {
         // dangling identity
-        if (!await identityKv.get(doc.identity.toString()).catch(() => null)){
-          return 
+        if (!await identityKv.get(doc.identity.toString()).catch(() => null)) {
+          return
         }
 
         const id = uuidV4();
@@ -1584,8 +1584,8 @@ const main = async () => {
       returnKeys: ["id"],
       preProcessing: async (doc) => {
         // dangling identity
-        if (!await identityKv.get(doc.identity.toString()).catch(() => null)){
-          return 
+        if (!await identityKv.get(doc.identity.toString()).catch(() => null)) {
+          return
         }
 
         const identityUAId = await identityUaKv.get(
@@ -1617,15 +1617,15 @@ const main = async () => {
       returnKeys: ["id"],
       preProcessing: async (doc) => {
         // dangling identity
-        if (!await identityKv.get(doc.identity.toString()).catch(() => null)){
-          return 
+        if (!await identityKv.get(doc.identity.toString()).catch(() => null)) {
+          return
         }
 
         await identityAccessTokenKv.put(doc._id.toString(), doc._id.toString());
         const identityUAClientSecretId = doc?.identityUniversalAuthClientSecret
           ? await identityUaClientSecKv.get(
-              doc.identityUniversalAuthClientSecret.toString(),
-            )
+            doc.identityUniversalAuthClientSecret.toString(),
+          )
           : null;
         const identityId = await identityKv.get(doc.identity.toString());
         return {
@@ -1652,8 +1652,8 @@ const main = async () => {
       returnKeys: ["id"],
       preProcessing: async (doc) => {
         // dangling identity
-        if (!await identityKv.get(doc.identity.toString()).catch(() => null)){
-          return 
+        if (!await identityKv.get(doc.identity.toString()).catch(() => null)) {
+          return
         }
 
         const id = uuidV4();
@@ -1687,8 +1687,8 @@ const main = async () => {
       returnKeys: ["id"],
       preProcessing: async (doc) => {
         // dangling identity
-        if (!await identityKv.get(doc.identity.toString()).catch(() => null)){
-          return 
+        if (!await identityKv.get(doc.identity.toString()).catch(() => null)) {
+          return
         }
 
         const id = uuidV4();
@@ -2317,8 +2317,8 @@ const main = async () => {
 
         const statusChangeBy = doc.statusChangeBy
           ? await projectMembKv
-              .get(doc.statusChangeBy.toString())
-              .catch(() => null)
+            .get(doc.statusChangeBy.toString())
+            .catch(() => null)
           : null;
         return {
           id,
@@ -2454,7 +2454,7 @@ const main = async () => {
                 secretCommentCiphertext:
                   commit.newVersion.secretCommentCiphertext ||
                   secret.secretCommentCiphertext,
-                  secretVersion,
+                secretVersion,
                 createdAt: new Date((doc as any).createdAt),
                 updatedAt: new Date((doc as any).updatedAt),
               };