diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 72d995a..c98209e 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -35,7 +35,8 @@ jobs: run: mkdocs build - name: Copy files to the s3 website content bucket - if: ${{ startsWith(github.ref, 'refs/tags/v') }} + # for the time being, let's just always deploy the docs + # if: ${{ startsWith(github.ref, 'refs/tags/v') }} run: rclone sync site/ HCLOUD:/1661580-supabase-operator-docs/ env: RCLONE_CONFIG_HCLOUD_TYPE: s3 diff --git a/assets/migrations/migrations/20221207154255_create_vault.sql b/assets/migrations/migrations/20221207154255_create_vault.sql new file mode 100644 index 0000000..f6d5012 --- /dev/null +++ b/assets/migrations/migrations/20221207154255_create_vault.sql @@ -0,0 +1,17 @@ +-- migrate:up + +DO $$ +BEGIN + IF EXISTS (select from pg_available_extensions where name = 'supabase_vault') + THEN + create extension if not exists supabase_vault; + + -- for some reason extension custom scripts aren't run during AMI build, so + -- we manually run it here + grant usage on schema vault to postgres with grant option; + grant select on vault.secrets, vault.decrypted_secrets to postgres with grant option; + grant execute on function vault.create_secret, vault.update_secret, vault._crypto_aead_det_decrypt to postgres with grant option; + END IF; +END $$; + +-- migrate:down diff --git a/assets/migrations/migrations/20230529180330_alter_api_roles_for_inherit.sql b/assets/migrations/migrations/20230529180330_alter_api_roles_for_inherit.sql index 4df82e3..013a074 100644 --- a/assets/migrations/migrations/20230529180330_alter_api_roles_for_inherit.sql +++ b/assets/migrations/migrations/20230529180330_alter_api_roles_for_inherit.sql @@ -4,7 +4,5 @@ ALTER ROLE authenticated inherit; ALTER ROLE anon inherit; ALTER ROLE service_role inherit; -GRANT pgsodium_keyholder to service_role; - -- migrate:down 
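Review bot: Commenting out the `if:` on the "Copy files to the s3 website content bucket" step makes the deploy run on every trigger of this workflow, and because `rclone sync` deletes destination objects that are missing from `site/`, any branch or pull-request build (if the `on:` block, which is outside the hunk, includes such events) can overwrite or wipe the public docs bucket. Even as a temporary measure, gate the step on the default branch instead of dropping the condition entirely, e.g. `if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}` (adjust the branch name to the repository's default). The commented-out condition should also say when the tag gate is meant to return, e.g. `# TODO: re-enable the refs/tags/v gate once release tagging is in place`.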
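Review bot: The grants on `vault.decrypted_secrets` and `vault._crypto_aead_det_decrypt` are given `with grant option`, so the `postgres` role can re-grant plaintext access to decrypted secrets (and the raw decrypt primitive) to any other role without a further migration; if the operator only needs `postgres` itself to read secrets, drop `with grant option` from those two statements, or document why onward delegation is required. The `-- migrate:down` section is empty, so a rollback leaves the extension and the grants in place; that is probably the right call, since dropping the extension would destroy stored secrets, but state it, e.g. `-- intentionally a no-op: dropping supabase_vault would destroy stored secrets`. The comment about the "AMI build" appears to be carried over from upstream Supabase images and does not describe this operator's Postgres deployment; reword it to say why the extension script's grants have to be repeated here, if that reason is known.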
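Review bot: Removing `GRANT pgsodium_keyholder to service_role;` from the already-timestamped migration `20230529180330` only affects databases that have not yet applied it; instances where it has already run keep `service_role` in `pgsodium_keyholder`, which is presumably the privilege this change is meant to take away. Add a new migration that explicitly revokes it, e.g. `REVOKE pgsodium_keyholder FROM service_role;`, and leave the historical file untouched so its recorded checksum still matches what existing instances applied. Whether the `pgsodium_keyholder` role exists in every target database is not visible here; if it is optional, guard the revoke the same way the vault migration guards on `pg_available_extensions`.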
diff --git a/docs/api/supabase.k8s.icb4dc0.de.md b/docs/api/supabase.k8s.icb4dc0.de.md index b81cd28..b81bd05 100644 --- a/docs/api/supabase.k8s.icb4dc0.de.md +++ b/docs/api/supabase.k8s.icb4dc0.de.md @@ -93,6 +93,7 @@ _Appears in:_ | Field | Description | Default | Validation | | --- | --- | --- | --- | | `jwks` _[SecretKeySelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#secretkeyselector-v1-core)_ | JWKSSelector - selector where the JWKS can be retrieved from to enable the API gateway to validate JWTs | | | +| `tls` _[EndpointTlsSpec](#endpointtlsspec)_ | TLS - enable and configure TLS for the API endpoint | | | #### AuthProviderMeta @@ -317,6 +318,38 @@ _Appears in:_ | `spec` _[DashboardSpec](#dashboardspec)_ | | | | +#### DashboardAuthSpec + + + + + + + +_Appears in:_ +- [DashboardEndpointSpec](#dashboardendpointspec) + +| Field | Description | Default | Validation | +| --- | --- | --- | --- | +| `oauth2` _[DashboardOAuth2Spec](#dashboardoauth2spec)_ | | | | +| `basic` _[DashboardBasicAuthSpec](#dashboardbasicauthspec)_ | | | | + + + + +#### DashboardBasicAuthSpec + + + + + + + +_Appears in:_ +- [DashboardAuthSpec](#dashboardauthspec) + + + #### DashboardDbSpec @@ -347,6 +380,10 @@ _Appears in:_ _Appears in:_ - [APIGatewaySpec](#apigatewayspec) +| Field | Description | Default | Validation | +| --- | --- | --- | --- | +| `auth` _[DashboardAuthSpec](#dashboardauthspec)_ | Auth - configure authentication for the dashboard endpoint | | | +| `tls` _[EndpointTlsSpec](#endpointtlsspec)_ | TLS - enable and configure TLS for the Dashboard endpoint | | | #### DashboardList 
@@ -367,6 +404,27 @@ DashboardList contains a list of Dashboard. | `items` _[Dashboard](#dashboard) array_ | | | | +#### DashboardOAuth2Spec + + + + + + + +_Appears in:_ +- [DashboardAuthSpec](#dashboardauthspec) + +| Field | Description | Default | Validation | +| --- | --- | --- | --- | +| `tokenEndpoint` _string_ | TokenEndpoint - endpoint where Envoy will retrieve the OAuth2 access and identity token from | | | +| `authorizationEndpoint` _string_ | AuthorizationEndpoint - endpoint where the user will be redirected to authenticate | | | +| `clientId` _string_ | ClientID - client ID to authenticate with the OAuth2 provider | | | +| `scopes` _string array_ | Scopes - scopes to request from the OAuth2 provider (e.g. "openid", "profile", ...) - optional | | | +| `resources` _string array_ | Resources - resources to request from the OAuth2 provider (e.g. "user", "email", ...) - optional | | | +| `clientSecretRef` _[SecretKeySelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#secretkeyselector-v1-core)_ | ClientSecretRef - reference to the secret that contains the client secret | | | + + #### DashboardSpec @@ -519,6 +577,23 @@ _Appears in:_ | `credentialsRef` _[SmtpCredentialsReference](#smtpcredentialsreference)_ | | | | +#### EndpointTlsSpec + + + + + + + +_Appears in:_ +- [ApiEndpointSpec](#apiendpointspec) +- [DashboardEndpointSpec](#dashboardendpointspec) + +| Field | Description | Default | Validation | +| --- | --- | --- | --- | +| `cert` _[TlsCertRef](#tlscertref)_ | | | | + + #### EnvoySpec 
@@ -535,6 +610,7 @@ _Appears in:_ | `nodeName` _string_ | NodeName - identifies the Envoy cluster within the current namespace<br />if not set, the name of the APIGateway resource will be used<br />The primary use case is to make the assignment of multiple supabase instances in a single namespace explicit. | | | | `controlPlane` _[ControlPlaneSpec](#controlplanespec)_ | ControlPlane - configure the control plane where Envoy will retrieve its configuration from | | | | `workloadTemplate` _[WorkloadTemplate](#workloadtemplate)_ | WorkloadTemplate - customize the Envoy deployment | | | +| `disableIPv6` _boolean_ | DisableIPv6 - disable IPv6 for the Envoy instance<br />this will force Envoy to use IPv4 for upstream hosts (mostly for the OAuth2 token endpoint) | | | #### EnvoyStatus @@ -550,7 +626,6 @@ _Appears in:_ | Field | Description | Default | Validation | | --- | --- | --- | --- | -| `configVersion` _string_ | | | | | `resourceHash` _integer array_ | | | | @@ -921,6 +996,25 @@ _Appears in:_ | `externalUrl` _string_ | APIExternalURL is referring to the URL where Supabase API will be available<br />Typically this is the ingress of the API gateway | | | +#### TlsCertRef + + + + + + + +_Appears in:_ +- [EndpointTlsSpec](#endpointtlsspec) + +| Field | Description | Default | Validation | +| --- | --- | --- | --- | +| `secretName` _string_ | | | | +| `serverCertKey` _string_ | ServerCertKey - key in the secret that contains the server certificate | tls.crt | | +| `serverKeyKey` _string_ | ServerKeyKey - key in the secret that contains the server private key | tls.key | | +| `caCertKey` _string_ | CaCertKey - key in the secret that contains the CA certificate | ca.crt | | + + #### UploadTempSpec