diff --git a/docs.json b/docs.json
index 79c3a40..77d90a3 100644
--- a/docs.json
+++ b/docs.json
@@ -52,7 +52,6 @@
               "reference/auditctx",
               "reference/cloudaccount",
               "reference/domain",
-              "reference/external-secret-syncer",
               "reference/group",
               "reference/gvc",
               "reference/identity",
@@ -217,6 +216,33 @@
           }
         ]
       },
+      {
+        "tab": "Template Catalog",
+        "groups": [
+          {
+            "group": "Template Catalog",
+            "pages": [
+              "template-catalog/overview",
+              {
+                "group": "Install & Manage",
+                "pages": [
+                  "template-catalog/install-manage/ui",
+                  "template-catalog/install-manage/cli",
+                  "template-catalog/install-manage/terraform",
+                  "template-catalog/install-manage/pulumi"
+                ]
+              }
+            ]
+          },
+          {
+            "group": "Templates",
+            "pages": [
+              "template-catalog/templates/cockroachdb",
+              "template-catalog/templates/external-secret-syncer"
+            ]
+          }
+        ]
+      },
       {
         "tab": "Managed Kubernetes",
         "groups": [
diff --git a/reference/external-secret-syncer.mdx b/reference/external-secret-syncer.mdx
deleted file mode 100644
index c85691d..0000000
--- a/reference/external-secret-syncer.mdx
+++ /dev/null
@@ -1,123 +0,0 @@
----
-title: External Secret Syncer
----
-
-## Overview
-
-The External Secret Syncer is a marketplace application that can be used to continuously sync externally-stored secrets/parameters with Control Plane secrets. If you store your secrets externally, you can use this app to automatically keep Control Plane configuration options up to date.
-
-## Supported External Services
-
-- [AWS Systems Manager Parameter Store](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html)
-- [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/)
-- [Hashicorp Vault](https://www.hashicorp.com/en/products/vault)
-- [1Password](https://1password.com/)
-- [Doppler](https://www.doppler.com/)
-
-## Setup
-
-### Prerequisies
-
-1. Have a secret/parameter set up in one of the external services supported
-2. Get an IAM account ready that allows to read permissions for the desired secret
-
-### Steps
-
-1. Click the `ESS` application on the Console marketplace
-2. Configure the options for your external secrets. See [configuration](#configuration)
-3. (optional) Add cloud access to [identity](/reference/identity) if available, instead of supplying keys in configuration.
-
-## Configuration
-
-```yaml
-providers:
-  - name: my-vault # unique across all providers
-    syncInterval: 20s # override the default interval of 30s
-    vault:
-      address: https://myvault.com:6443 # required for vault
-      token: <my vault token> # required for vault
-  - name: my-param-store
-    awsParameterStore:
-      region: us-west-2
-      endpoint: <endpoint> # optional
-      accessKeyId: <access key ID> # optional
-      secretAccessKey: <secret access key> # optional
-  - name: my-secret-manager
-    awsSecretManager:
-      region: us-west-2
-      endpoint: <endpoint> # optional
-      accessKeyId: <access key ID> # optional
-      secretAccessKey: <secret access key> # optional
-  - name: my-1password
-    onePassword:
-      serviceAccountToken: <token> # can use OP_SERVICE_ACCOUNT_TOKEN env instead
-      integrationName: my-ess # defaults to syncer.cpln.io
-      integrationVersion: v1.0.0 # defaults to ESS version
-  - name: my-doppler
-    doppler:
-      accessToken: <token>
-secrets:
-  - name: hello # creates a dictionary secret named "hello" with these key-value pairs
-    provider: my-vault
-    syncInterval: 1m # override vault specific sync interval for this secret
-    dictionary:
-      PORT:
-        path: /v1/secret/data/app
-        parse: data.port
-        default: 5432
-      PASSWORD:
-        path: /v1/secret/data/app
-        parse: data.password
-        default: 'no pass'
-  - name: hello2 # creates an opaque secret named "hello2" containing the value of "user" key in /path/to/secret
-    provider: my-secret-manager
-    opaque:
-      path: /path/to/secret
-      parse: user
-  - name: hello3 # creates an opaque secret named "hello3" containing the full /path/to/secret payload
-    provider: my-secret-manager
-    opaque: /path/to/secret # stores whole aws secret (potentially JSON) in opaque secret
-    encoding: base64 # decode the secret from base64 to plaintext (utf-8)
-  - name: one-password-secret
-    provider: my-1password
-    opaque: /vault/item/password # format /<vault>/<item>/[section/]<field>
-  - name: doppler-secret
-    provider: my-doppler
-    opaque: /project/config/secret # format /<project>/<config>/<secret>
-```
-
-<Note>
-Vault KV engine secrets look like:
-``` json
-{
-  "data": {
-    "PORT": "1234"
-  },
-  "metadata": {
-    "created_time": "2025-03-11T20:05:41.865209462Z",
-    "custom_metadata": null,
-    "deletion_time": "",
-    "destroyed": false,
-    "version": 1
-  }
-}
-```
-If you use `parse`, make sure to start with `data` to get the secret content
-</Note>
-
-## Secret
-
-A secret generated by ESS will look like:
-
-```yaml
-kind: secret
-name: hello
-description: hello
-tags:
-  syncer.cpln.io/lastError: '' # if ESS is experiencing an error, it will populate this tag
-  syncer.cpln.io/source: //gvc/<gvc name>/workload/<name of ess workload>
-type: dictionary
-data:
-  PORT: '1234'
-  PASSWORD: 'no pass' # if PASSWORD was not found in the secret, a default is used
-```
diff --git a/template-catalog/install-manage/cli.mdx b/template-catalog/install-manage/cli.mdx
new file mode 100644
index 0000000..e058da7
--- /dev/null
+++ b/template-catalog/install-manage/cli.mdx
@@ -0,0 +1,123 @@
+---
+title: Install and Manage using the CLI
+sidebarTitle: CLI
+---
+
+## Prerequisites
+
+<AccordionGroup>
+<Accordion title="CLI installed">
+  Install the Control Plane CLI. See [Installation](/cli-reference/installation).
+</Accordion>
+
+<Accordion title="Helm installed">
+  Install [Helm](https://helm.sh/docs/intro/install/) (v3 or later).
+</Accordion>
+</AccordionGroup>
+
+## Install a Template
+
+<Steps>
+  <Step title="Choose a Template">
+    Download the [template repo](https://github.com/controlplane-com/templates) and browse for the template and version you wish to deploy. 
+  </Step>
+  <Step title="Configure Values">
+    Create or edit a values file to customize the template for your environment. This can include settings such as resource limits, replica counts, and any template-specific options.
+    <Note>
+    Your values file must follow the same structure and format as the template's default values file.
+    </Note>
+  </Step>
+  <Step title="Install the Release">
+    Run the following command to install the template as a release:
+
+    ```bash
+cpln helm install <RELEASE_NAME> <TEMPLATE> -f <VALUES_FILE> --org <ORG_NAME> --gvc <GVC_NAME>
+    ```
+
+    Replace:
+    - `<RELEASE_NAME>` — A unique name for this installation.
+    - `<TEMPLATE>` — The path to the template Chart.yaml file (e.g., `/cockroachdb/versions/1.1.0`).
+    - `<VALUES_FILE>` — The path to your configured values file. If using the existing values.yaml file in the same path as `<TEMPLATE>`, this can be omitted. 
+    - `<ORG_NAME>` - The name of the org to deploy to.
+    - `<GVC_NAME>` — The GVC to deploy to. If the template creates its own GVC, this may be set in the values file instead.
+  </Step>
+</Steps>
+
+## Manage a Template
+
+### View Releases
+
+List all template releases in your organization:
+
+```bash
+cpln helm list
+```
+
+### Release Details
+
+View full details for a specific release, including the manifest, values, and notes:
+
+```bash
+cpln helm get all <RELEASE_NAME>
+```
+
+You can also retrieve individual pieces of release information:
+
+```bash
+# View the rendered manifest
+cpln helm get manifest <RELEASE_NAME>
+
+# View the configured values
+cpln helm get values <RELEASE_NAME> --all
+
+# View release notes
+cpln helm get notes <RELEASE_NAME>
+```
+
+### Upgrade
+
+To upgrade a release with new values or a new template version:
+
+```bash
+cpln helm upgrade <RELEASE_NAME> <TEMPLATE> -f <VALUES_FILE> --org <ORG_NAME> --gvc <GVC_NAME>
+```
+
+Replace `<TEMPLATE>` or `<VALUES_FILE>` with updated paths.
+
+<Note>
+Any workloads affected by the change will roll out new deployments. Unchanged items will not be redeployed.
+</Note>
+
+### Template Preview
+
+Generate a preview of the resources that will be created without deploying:
+
+```bash
+cpln helm template <RELEASE_NAME> <TEMPLATE> -f <VALUES_FILE> --org <ORG_NAME> --gvc <GVC_NAME>
+```
+
+### Revisions
+
+View the revision history for a release:
+
+```bash
+cpln helm history <RELEASE_NAME>
+```
+
+Roll back to a previous revision:
+
+```bash
+# Roll back to the previous revision
+cpln helm rollback <RELEASE_NAME>
+
+# Roll back to a specific revision
+cpln helm rollback <RELEASE_NAME> <REVISION_NUMBER>
+```
+
+## Uninstall a Template
+
+Remove all resources created by the release and delete the release state:
+
+```bash
+cpln helm uninstall <RELEASE_NAME>
+```
diff --git a/template-catalog/install-manage/pulumi.mdx b/template-catalog/install-manage/pulumi.mdx
new file mode 100644
index 0000000..a0a9893
--- /dev/null
+++ b/template-catalog/install-manage/pulumi.mdx
@@ -0,0 +1,189 @@
+---
+title: Install and Manage using Pulumi
+sidebarTitle: Pulumi
+---
+
+## Prerequisites
+
+<AccordionGroup>
+<Accordion title="Pulumi installed">
+  Install the Pulumi CLI. See [Pulumi Provider](/iac/pulumi) for installation instructions.
+</Accordion>
+
+<Accordion title="Control Plane provider installed">
+  Install the Control Plane Pulumi provider and configure your organization. See [Pulumi Provider](/iac/pulumi) for setup instructions.
+</Accordion>
+</AccordionGroup>
+
+## Install a Template
+
+Use the `CatalogTemplate` resource to install a template from the catalog.
+
+<Steps>
+  <Step title="Choose a Template">
+    Browse the available templates in the [Template Catalog](/template-catalog/overview#available-templates) and identify the template name and version you want to install.
+  </Step>
+  <Step title="Add a Values File">
+    Create a `values.yaml` file in your Pulumi project directory with the template's configuration. Refer to the specific template's documentation for available options.
+
+  </Step>
+  <Step title="Define the Resource">
+    Add a `CatalogTemplate` resource to your Pulumi program, reading the values from the file:
+
+    <Tabs>
+    <Tab title="TypeScript">
+    ```typescript
+    import * as cpln from '@pulumiverse/cpln';
+    import * as fs from 'fs';
+
+    const values = fs.readFileSync('values.yaml', 'utf8');
+
+    const release = new cpln.CatalogTemplate('example', {
+        name: 'my-release',
+        template: 'postgres',
+        version: '1.0.0',
+        gvc: 'my-gvc',
+        values: values,
+    });
+    ```
+    </Tab>
+
+    <Tab title="Python">
+    ```python
+    import pulumiverse_cpln as cpln
+    from pathlib import Path
+
+    values = Path("values.yaml").read_text()
+
+    release = cpln.CatalogTemplate(
+        "example",
+        name="my-release",
+        template="postgres",
+        version="1.0.0",
+        gvc="my-gvc",
+        values=values,
+    )
+    ```
+    </Tab>
+
+    <Tab title="Go">
+    ```go
+    package main
+
+    import (
+        "os"
+
+        "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
+        "github.com/pulumiverse/pulumi-cpln/sdk/go/cpln"
+    )
+
+    func main() {
+        pulumi.Run(func(ctx *pulumi.Context) error {
+            valuesBytes, err := os.ReadFile("values.yaml")
+            if err != nil {
+                return err
+            }
+
+            _, err = cpln.NewCatalogTemplate(ctx, "example", &cpln.CatalogTemplateArgs{
+                Name:     pulumi.String("my-release"),
+                Template: pulumi.String("postgres"),
+                Version:  pulumi.String("1.0.0"),
+                Gvc:      pulumi.String("my-gvc"),
+                Values:   pulumi.String(string(valuesBytes)),
+            })
+            return err
+        })
+    }
+    ```
+    </Tab>
+
+    <Tab title="C#">
+    ```csharp
+    using Pulumi;
+    using Pulumiverse.Cpln;
+    using System.IO;
+
+    return await Deployment.RunAsync(() =>
+    {
+        var values = File.ReadAllText("values.yaml");
+
+        var release = new CatalogTemplate("example", new CatalogTemplateArgs
+        {
+            Name = "my-release",
+            Template = "postgres",
+            Version = "1.0.0",
+            Gvc = "my-gvc",
+            Values = values,
+        });
+    });
+    ```
+    </Tab>
+    </Tabs>
+
+    {/* TODO: Confirm exact property names and casing per language */}
+
+    Properties:
+    - **name** — A unique release name for this installation.
+    - **template** — The name of the catalog template (e.g., `postgres`).
+    - **version** — The template version to install.
+    - **gvc** — The GVC to deploy to. Leave empty if the template creates its own GVC.
+    - **values** — YAML-formatted string to customize the template configuration.
+  </Step>
+  <Step title="Deploy">
+    Deploy the stack:
+
+    ```bash
+    pulumi up
+    ```
+
+    Pulumi will provision the required Control Plane resources based on your configuration.
+  </Step>
+</Steps>
+
+### Outputs
+
+After deploying, the resource exposes a `resources` output containing a list of all Control Plane resources created by the release. Each entry includes:
+
+- **kind** — The resource type (e.g., `workload`, `secret`, `gvc`).
+- **name** — The resource name.
+- **link** — The full Control Plane URL for the resource.
+
+{/* TODO: Confirm output access syntax per language */}
+
+## Manage a Template
+
+### Upgrade
+
+To upgrade a release with new values or a new template version, update the `version` property and/or your `values.yaml` file and re-deploy:
+
+```bash
+pulumi up
+```
+
+<Note>
+Any workloads affected by the change will roll out new deployments. Unchanged items will not be redeployed.
+</Note>
+
+### Preview Changes
+
+Use `pulumi preview` to see the changes that will be applied before upgrading:
+
+```bash
+pulumi preview
+```
+
+## Uninstall a Template
+
+Remove the `CatalogTemplate` resource from your program and deploy:
+
+```bash
+pulumi up
+```
+
+Alternatively, destroy all resources in the stack:
+
+```bash
+pulumi destroy
+```
+
+This deletes all Control Plane resources created by the release.
diff --git a/template-catalog/install-manage/terraform.mdx b/template-catalog/install-manage/terraform.mdx
new file mode 100644
index 0000000..189a33d
--- /dev/null
+++ b/template-catalog/install-manage/terraform.mdx
@@ -0,0 +1,113 @@
+---
+title: Install and Manage using Terraform
+sidebarTitle: Terraform
+---
+
+## Prerequisites
+
+<AccordionGroup>
+<Accordion title="Terraform installed">
+  Install [Terraform](https://www.terraform.io/downloads.html) (v0.13+).
+</Accordion>
+
+<Accordion title="Control Plane provider configured">
+  Add the Control Plane provider to your Terraform configuration. See [Terraform Provider](/iac/terraform) for setup instructions.
+</Accordion>
+</AccordionGroup>
+
+## Install a Template
+
+Use the `cpln_catalog_template` resource to install a template from the catalog.
+
+<Steps>
+  <Step title="Choose a Template">
+    Browse the available templates in the [Template Catalog](/template-catalog/overview#available-templates) and identify the template name and version you want to install.
+  </Step>
+  <Step title="Add a Values File">
+    Create a `values.yaml` file in your Terraform project directory with the template's configuration. Refer to the specific template's documentation for available options.
+
+  </Step>
+  <Step title="Define the Resource">
+    Add a `cpln_catalog_template` resource to your Terraform configuration, referencing the values file:
+
+    ```hcl main.tf
+    resource "cpln_catalog_template" "example" {
+      name     = "my-release"
+      template = "postgres"
+      version  = "1.0.0"
+      gvc      = "my-gvc"
+      values   = file("${path.module}/values.yaml")
+    }
+    ```
+
+    {/* TODO: Confirm exact attribute names and whether values is a string or a block */}
+
+    Arguments:
+    - **name** — A unique release name for this installation.
+    - **template** — The name of the catalog template (e.g., `cockroachdb`).
+    - **version** — The template version to install.
+    - **gvc** — The GVC to deploy to. Leave empty if the template creates its own GVC.
+    - **values** — YAML-formatted string to customize the template configuration.
+  </Step>
+  <Step title="Apply">
+    Initialize and apply the configuration:
+
+    ```bash
+    terraform init
+    terraform plan
+    terraform apply
+    ```
+
+    Terraform will provision the required Control Plane resources based on your configuration.
+  </Step>
+</Steps>
+
+### Outputs
+
+After applying, the resource exposes a `resources` attribute containing a list of all Control Plane resources created by the release. Each entry includes:
+
+- **kind** — The resource type (e.g., `workload`, `secret`, `gvc`).
+- **name** — The resource name.
+- **link** — The full Control Plane URL for the resource.
+
+{/* TODO: Confirm output attribute access syntax, e.g. cpln_catalog_template.example.resources */}
+
+## Manage a Template
+
+### Upgrade
+
+To upgrade a release with new values or a new template version, update the `version` argument and/or your `values.yaml` file and re-apply:
+
+```bash
+terraform plan
+terraform apply
+```
+
+<Note>
+Any workloads affected by the change will roll out new deployments. Unchanged items will not be redeployed.
+</Note>
+
+### Preview Changes
+
+Use `terraform plan` to preview the changes that will be applied before upgrading:
+
+```bash
+terraform plan
+```
+
+## Uninstall a Template
+
+Remove the `cpln_catalog_template` resource from your configuration and apply:
+
+```bash
+terraform plan
+terraform apply
+```
+
+Alternatively, destroy the specific resource:
+
+```bash
+terraform destroy -target=cpln_catalog_template.example
+```
+
+This deletes all Control Plane resources created by the release.
diff --git a/template-catalog/install-manage/ui.mdx b/template-catalog/install-manage/ui.mdx
new file mode 100644
index 0000000..3c75684
--- /dev/null
+++ b/template-catalog/install-manage/ui.mdx
@@ -0,0 +1,65 @@
+---
+title: Install and Manage using the UI
+sidebarTitle: UI
+---
+
+## Install a Template
+
+<Steps>
+  <Step title="Open the Template Catalog">
+    Select **Catalog** under the templates dropdown in the navigation menu.
+  </Step>
+  <Step title="Select a Template">
+    Browse the catalog and select a template to install.
+  </Step>
+  <Step title="Review the Template">
+    Read through the **README** page to understand the template's configuration options and usage.
+  </Step>
+  <Step title="Configure the Release">
+    Click **Create Template Release**
+
+    On the **Install** page, provide the following:
+    - **Release Name** — A unique name for this installation.
+    - **GVC** — Select the GVC to deploy to. If no GVC select option is available, you will need to configure the GVC name in the values file.
+  </Step>
+  <Step title="Configure Values">
+    Review and modify the **values** file to customize the template for your environment. This can include settings such as resource limits, replica counts, and any template-specific options.
+  </Step>
+  <Step title="Install">
+    Click **Install App** to deploy the template. Control Plane will provision the required resources based on your configuration and you will be redirected to the [Releases](/template-catalog/install-manage/ui#manage-a-template) page.
+  </Step>
+</Steps>
+
+<Note>
+The **Template** option generates raw YAML manifests that you can review and manually apply. The equivalent CLI install command is also shown — see [Install through the CLI](/template-catalog/install-manage/cli) for details.
+</Note>
+
+## Manage a Template
+
+### View Releases
+
+Select **Releases** under the templates dropdown in the navigation menu to view all created template releases.
+
+### Release Details
+
+When viewing a release, the info section displays the template version, app version, GVC, number of items created, and a list of created items with their details.
+
+### Upgrade
+
+To upgrade a release with new values or a new template version, select **Upgrade** and provide any updated values or the template version you wish to use. Click **Upgrade App** to apply the changes.
+
+<Note>
+Any workloads affected by the change will roll out new deployments. Unchanged items will not be redeployed.
+</Note>
+
+### Template Preview
+
+From the **Upgrade** section, click **Template** to generate a preview YAML file of the items that will be created. This allows you to review changes before applying them.
+
+### Revisions
+
+Click **Revisions** to view all revisions to the release, including upgrades and rollbacks. You can inspect individual changes and roll back to any previous revision.
+
+## Uninstall a Template
+
+Navigate to the template release, click the **Actions** dropdown, and select **Uninstall**.
diff --git a/template-catalog/overview.mdx b/template-catalog/overview.mdx
new file mode 100644
index 0000000..070c502
--- /dev/null
+++ b/template-catalog/overview.mdx
@@ -0,0 +1,64 @@
+---
+title: Template Catalog
+sidebarTitle: Overview
+---
+
+## Overview
+
+Quickly deploy and manage applications such as databases, queues, and stateless services directly on Control Plane.
+
+<CardGroup cols={2}>
+  <Card title="Instant Provisioning" icon="bolt">
+    Each template provisions the required Control Plane resources from user-provided values, producing a production-ready application in seconds.
+  </Card>
+  <Card title="Customizable" icon="sliders">
+    Configure resource limits, firewall rules, replica counts, backups, and more to fit your specific needs.
+  </Card>
+  <Card title="Versioned Releases" icon="code-branch">
+    Templates are versioned, allowing you to target a specific release when installing or upgrading.
+  </Card>
+  <Card title="Full Revision History" icon="clock-rotate-left">
+    Every installation and revision is tracked, giving you the ability to upgrade or roll back at any time.
+  </Card>
+</CardGroup>
+
+## Available Templates
+
+The catalog covers many of the most popular open-source projects and is continuously growing. Select a template below to learn more about its configuration and usage.
+
+All Control Plane template files are publicly available in the [template repo](https://github.com/controlplane-com/templates).
+
+<CardGroup cols={3}>
+  <Card title="CockroachDB" href="/template-catalog/templates/cockroachdb" icon="/template-catalog/templates/icons/cockroachdb.png">
+    Distributed SQL database built for high availability and horizontal scaling
+  </Card>
+  <Card title="External Secret Syncer" href="/template-catalog/templates/external-secret-syncer" icon="/template-catalog/templates/icons/ess.png">
+    Continuously sync externally-stored secrets and parameters with Control Plane
+  </Card>
+</CardGroup>
+
+## Getting Started
+
+Install and manage templates using any of the supported methods:
+
+<CardGroup cols={2}>
+    <Card title="UI" href="/template-catalog/install-manage/ui" icon="laptop">
+    Browse, install, and manage templates visually
+    </Card>
+    <Card title="CLI" href="/template-catalog/install-manage/cli" icon="terminal">
+    Manage templates from your terminal
+    </Card>
+    <Card title="Terraform" href="/template-catalog/install-manage/terraform" icon={<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 128 128"><g fill-rule="evenodd"><path d="M77.941 44.5v36.836L46.324 62.918V26.082zm0 0" fill="#5c4ee5"/><path d="M81.41 81.336l31.633-18.418V26.082L81.41 44.5zm0 0" fill="#4040b2"/><path d="M11.242 42.36L42.86 60.776V23.941L11.242 5.523zm0 0M77.941 85.375L46.324 66.957v36.82l31.617 18.418zm0 0" fill="#5c4ee5"/></g></svg>}>
+    Declare templates in your Terraform configurations
+    </Card>
+    <Card title="Pulumi" href="/template-catalog/install-manage/pulumi" icon={<svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" id="Pulumi-Icon--Streamline-Svg-Logos" height="24" width="24">
+        <desc>
+            Pulumi Icon Streamline Icon: https://streamlinehq.com
+        </desc>
+        <path fill="#f26e7e" d="M4.683025 13.3318c0.869125 -0.5018 0.870575 -2.1264 0.003225 -3.62865s-2.27504 -2.313275 -3.1441725 -1.811475C0.672945 8.3935 0.6715 10.0181 1.53885 11.52035c0.86735 1.502275 2.27505 2.313275 3.144175 1.81145Zm0.0052 3.2167c0.86735 1.502275 0.865925 3.126875 -0.003225 3.628675 -0.86915 0.5018 -2.2768275 -0.309225 -3.144175 -1.81145 -0.8673525 -1.50225 -0.8659075 -3.126875 0.003225 -3.628675 0.8691325 -0.5018 2.276825 0.309225 3.144175 1.81145Zm5.922875 3.4243c0.86735 1.50225 0.8659 3.126775 -0.003225 3.62875 -0.869125 0.501775 -2.27685 -0.309325 -3.1442 -1.81155 -0.867325 -1.50225 -0.865875 -3.12685 0.00325 -3.628675 0.869125 -0.5018 2.276825 0.309225 3.144175 1.811475Zm-0.001925 -6.845275c0.86735 1.50225 0.8659 3.12685 -0.003225 3.628675 -0.869125 0.5018 -2.276825 -0.309225 -3.144175 -1.811475 -0.86735 -1.50225 -0.8659 -3.12685 0.003225 -3.62865 0.869125 -0.501825 2.276825 0.3092 3.144175 1.81145Z" stroke-width="0.25"></path>
+        <path fill="#8a3391" d="M22.45775 11.524125c0.86725 -1.502225 0.865925 -3.12685 -0.003225 -3.62865 -0.869125 -0.501825 -2.276825 0.3092 -3.144175 1.811475 -0.86735 1.50225 -0.8659 3.126825 0.003225 3.62865 0.869125 0.501825 2.276825 -0.3092 3.144175 -1.811475Zm0.000175 3.2151c0.869075 0.5018 0.870625 2.1264 0.003225 3.62865 -0.86735 1.50225 -2.27505 2.313275 -3.144175 1.81145 -0.869125 -0.5018 -0.870575 -2.126425 -0.003225 -3.62865 0.86735 -1.50225 2.27505 -2.313275 3.144175 -1.81145ZM16.536225 18.157875c0.86915 0.501825 0.8706 2.126425 0.00325 3.628675 -0.86735 1.502125 -2.275075 2.313225 -3.1442 1.81145 -0.869125 -0.50175 -0.870575 -2.126425 -0.003225 -3.62865 0.867375 -1.502275 2.27505 -2.3133 3.144175 -1.811475Zm-0.003325 -6.843775c0.869125 0.5018 0.870575 2.126425 0.003225 3.628675s-2.27505 2.313275 -3.1442 1.811475c-0.869125 -0.501825 -0.870575 -2.126425 -0.003225 -3.628675 0.86735 -1.502275 2.27505 -2.313275 3.1442 -1.811475Z" stroke-width="0.25"></path>
+        <path fill="#f7bf2a" d="M15.138225 2.06721c0 1.003615 -1.40625 1.817215 -3.14095 1.817215 -1.7347 0 -3.14095 -0.8136 -3.14095 -1.817215C8.856325 1.06359 10.262575 0.25 11.997275 0.25c1.7347 0 3.14095 0.81359 3.14095 1.81721ZM9.2166 5.482375c0 1.003625 -1.40625 1.8172 -3.14095 1.8172 -1.7347 0 -3.14095 -0.813575 -3.14095 -1.8172s1.40625 -1.817225 3.14095 -1.817225c1.7347 0 3.14095 0.8136 3.14095 1.817225Zm8.71005 1.8172c1.7347 0 3.14095 -0.813575 3.14095 -1.8172s-1.40625 -1.817225 -3.14095 -1.817225c-1.7347 0 -3.14095 0.8136 -3.14095 1.817225s1.40625 1.8172 3.14095 1.8172Zm-2.788425 1.605625c0 1.003625 -1.40625 1.8172 -3.14095 1.8172 -1.7347 0 -3.14095 -0.813575 -3.14095 -1.8172 0 -1.0036 1.40625 -1.8172 3.14095 -1.8172 1.7347 0 3.14095 0.8136 3.14095 1.8172Z" stroke-width="0.25"></path>
+        </svg>}>
+    Declare templates in your Pulumi programs
+    </Card>
+</CardGroup>
diff --git a/template-catalog/templates/cockroachdb.mdx b/template-catalog/templates/cockroachdb.mdx
new file mode 100644
index 0000000..94d0686
--- /dev/null
+++ b/template-catalog/templates/cockroachdb.mdx
@@ -0,0 +1,166 @@
+---
+title: CockroachDB
+---
+
+## Overview
+
+CockroachDB is a distributed SQL database that provides automatic replication, horizontal scalability, and built-in fault tolerance across multiple regions. This template deploys a multi-region CockroachDB cluster on Control Plane as a stateful workload with replica-direct load balancing.
+
+Each location runs a configurable number of replicas that discover and join one another using Control Plane's internal DNS. On first deployment, the cluster initializes itself, creates a database and user, registers all regions, and sets the survival goal to `SURVIVE REGION FAILURE`.
+
+### What Gets Created
+
+- **GVC** — A dedicated GVC across the specified locations.
+- **Stateful Workload** — CockroachDB (`v25.4.0`) with per-location replica scaling and replica-direct load balancing.
+- **Volume Set** — Persistent ext4 storage (general-purpose-ssd) with final snapshot creation and 7-day retention.
+- **Identity & Policy** — An identity bound to the workload with `reveal` access to the startup and user secrets.
+- **Secrets** — A startup script for cluster join/initialization and an opaque secret for the database user credential.
+
+### Architecture
+
+CockroachDB uses the [Raft consensus protocol](https://www.cockroachlabs.com/docs/stable/architecture/replication-layer#raft) to replicate data across nodes. Each Control Plane location maps to a CockroachDB locality region, and replicas advertise their address via internal DNS (`replica-N.WORKLOAD.LOCATION.GVC.cpln.local`).
+
+With 3 or more regions and the `SURVIVE REGION FAILURE` survival goal, the cluster tolerates the complete loss of one region without impacting availability.
+
+## Installation
+
+This template has no external prerequisites. To install, follow the instructions for your preferred method:
+
+<CardGroup cols={2}>
+    <Card title="UI" href="/template-catalog/install-manage/ui" icon="laptop">
+    Browse, install, and manage templates visually
+    </Card>
+    <Card title="CLI" href="/template-catalog/install-manage/cli" icon="terminal">
+    Manage templates from your terminal
+    </Card>
+    <Card title="Terraform" href="/template-catalog/install-manage/terraform" icon={<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 128 128"><g fill-rule="evenodd"><path d="M77.941 44.5v36.836L46.324 62.918V26.082zm0 0" fill="#5c4ee5"/><path d="M81.41 81.336l31.633-18.418V26.082L81.41 44.5zm0 0" fill="#4040b2"/><path d="M11.242 42.36L42.86 60.776V23.941L11.242 5.523zm0 0M77.941 85.375L46.324 66.957v36.82l31.617 18.418zm0 0" fill="#5c4ee5"/></g></svg>}>
+    Declare templates in your Terraform configurations
+    </Card>
+    <Card title="Pulumi" href="/template-catalog/install-manage/pulumi" icon={<svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" id="Pulumi-Icon--Streamline-Svg-Logos" height="24" width="24">
+        <desc>
+            Pulumi Icon Streamline Icon: https://streamlinehq.com
+        </desc>
+        <path fill="#f26e7e" d="M4.683025 13.3318c0.869125 -0.5018 0.870575 -2.1264 0.003225 -3.62865s-2.27504 -2.313275 -3.1441725 -1.811475C0.672945 8.3935 0.6715 10.0181 1.53885 11.52035c0.86735 1.502275 2.27505 2.313275 3.144175 1.81145Zm0.0052 3.2167c0.86735 1.502275 0.865925 3.126875 -0.003225 3.628675 -0.86915 0.5018 -2.2768275 -0.309225 -3.144175 -1.81145 -0.8673525 -1.50225 -0.8659075 -3.126875 0.003225 -3.628675 0.8691325 -0.5018 2.276825 0.309225 3.144175 1.81145Zm5.922875 3.4243c0.86735 1.50225 0.8659 3.126775 -0.003225 3.62875 -0.869125 0.501775 -2.27685 -0.309325 -3.1442 -1.81155 -0.867325 -1.50225 -0.865875 -3.12685 0.00325 -3.628675 0.869125 -0.5018 2.276825 0.309225 3.144175 1.811475Zm-0.001925 -6.845275c0.86735 1.50225 0.8659 3.12685 -0.003225 3.628675 -0.869125 0.5018 -2.276825 -0.309225 -3.144175 -1.811475 -0.86735 -1.50225 -0.8659 -3.12685 0.003225 -3.62865 0.869125 -0.501825 2.276825 0.3092 3.144175 1.81145Z" stroke-width="0.25"></path>
+        <path fill="#8a3391" d="M22.45775 11.524125c0.86725 -1.502225 0.865925 -3.12685 -0.003225 -3.62865 -0.869125 -0.501825 -2.276825 0.3092 -3.144175 1.811475 -0.86735 1.50225 -0.8659 3.126825 0.003225 3.62865 0.869125 0.501825 2.276825 -0.3092 3.144175 -1.811475Zm0.000175 3.2151c0.869075 0.5018 0.870625 2.1264 0.003225 3.62865 -0.86735 1.50225 -2.27505 2.313275 -3.144175 1.81145 -0.869125 -0.5018 -0.870575 -2.126425 -0.003225 -3.62865 0.86735 -1.50225 2.27505 -2.313275 3.144175 -1.81145ZM16.536225 18.157875c0.86915 0.501825 0.8706 2.126425 0.00325 3.628675 -0.86735 1.502125 -2.275075 2.313225 -3.1442 1.81145 -0.869125 -0.50175 -0.870575 -2.126425 -0.003225 -3.62865 0.867375 -1.502275 2.27505 -2.3133 3.144175 -1.811475Zm-0.003325 -6.843775c0.869125 0.5018 0.870575 2.126425 0.003225 3.628675s-2.27505 2.313275 -3.1442 1.811475c-0.869125 -0.501825 -0.870575 -2.126425 -0.003225 -3.628675 0.86735 -1.502275 2.27505 -2.313275 3.1442 -1.811475Z" stroke-width="0.25"></path>
+        <path fill="#f7bf2a" d="M15.138225 2.06721c0 1.003615 -1.40625 1.817215 -3.14095 1.817215 -1.7347 0 -3.14095 -0.8136 -3.14095 -1.817215C8.856325 1.06359 10.262575 0.25 11.997275 0.25c1.7347 0 3.14095 0.81359 3.14095 1.81721ZM9.2166 5.482375c0 1.003625 -1.40625 1.8172 -3.14095 1.8172 -1.7347 0 -3.14095 -0.813575 -3.14095 -1.8172s1.40625 -1.817225 3.14095 -1.817225c1.7347 0 3.14095 0.8136 3.14095 1.817225Zm8.71005 1.8172c1.7347 0 3.14095 -0.813575 3.14095 -1.8172s-1.40625 -1.817225 -3.14095 -1.817225c-1.7347 0 -3.14095 0.8136 -3.14095 1.817225s1.40625 1.8172 3.14095 1.8172Zm-2.788425 1.605625c0 1.003625 -1.40625 1.8172 -3.14095 1.8172 -1.7347 0 -3.14095 -0.813575 -3.14095 -1.8172 0 -1.0036 1.40625 -1.8172 3.14095 -1.8172 1.7347 0 3.14095 0.8136 3.14095 1.8172Z" stroke-width="0.25"></path>
+        </svg>}>
+    Declare templates in your Pulumi programs
+    </Card>
+</CardGroup>
+
+## Configuration
+
+The default `values.yaml` for this template:
+
+```yaml
+gvc:
+  name: cockroach-gvc
+  locations:
+    - name: aws-us-east-2
+      replicas: 3
+    - name: aws-eu-central-1
+      replicas: 3
+    - name: aws-us-west-2
+      replicas: 3
+
+resources:
+  cpu: 2000m
+  memory: 4096Mi
+
+database:
+  name: mydb
+  user: myuser
+
+volumeset:
+  capacity: 10 # initial capacity in GiB (minimum is 10)
+
+cockroach_defaults:
+  sql_port: 26257
+  http_port: 8080
+
+internal_access:
+  type: same-gvc # options: same-gvc, same-org, workload-list
+  workloads: # Note: can only be used if type is same-gvc or workload-list
+    #- //gvc/GVC_NAME/workload/WORKLOAD_NAME
+```
+
+### Locations and Replicas
+
+Configure the `gvc.locations` section to control which regions the cluster spans and how many replicas run in each.
+
+<Note>
+While CockroachDB can run on 2 locations, a minimum of 3 locations with 3 replicas per location is recommended. This is the minimum required for CockroachDB to survive a full region failure.
+</Note>
+
+Setting a location's `replicas` to `0` suspends the workload in that location without removing it from the configuration.
+
+### Database Initialization
+
+The `database` section specifies a database and user to create automatically when the cluster first initializes:
+
+```yaml
+database:
+  name: mydb
+  user: myuser
+```
+
+The created user is granted full access to the specified database. These values are only applied on the first initialization — they are skipped if the cluster has already been initialized (e.g., after a restart or upgrade).
+
+### Resources and Storage
+
+- `resources.cpu` and `resources.memory` set the CPU and memory allocated to each CockroachDB replica.
+- `volumeset.capacity` sets the initial persistent volume size in GiB (minimum 10).
+
+### Internal Access
+
+The `internal_access` section controls which workloads can reach the CockroachDB cluster internally:
+
+| Type | Description |
+|------|-------------|
+| `same-gvc` | Allow access from all workloads in the same GVC |
+| `same-org` | Allow access from all workloads in the same organization |
+| `workload-list` | Allow access only from specific workloads listed in `workloads` (can be combined with `same-gvc`) |
+
+When using `workload-list`, specify each workload using its full link format:
+
+```yaml
+internal_access:
+  type: workload-list
+  workloads:
+    - //gvc/GVC_NAME/workload/WORKLOAD_NAME
+```
+
+### Connecting to CockroachDB
+
+Once deployed, the SQL interface is available on port 26257 (default). You can connect from a workload within the same GVC using:
+
+```bash
+cockroach sql --insecure
+```
+
+The DB Console (HTTP UI) is available on port 8080 for monitoring cluster health, query performance, and node status.
+
+<Note>
+This template deploys CockroachDB in insecure mode (no TLS). It is intended for internal workloads that connect through Control Plane's internal network.
+</Note>
+
+<Note>
+This template creates a GVC with a default name defined in the values file. If you plan to deploy multiple instances, you **must assign a unique GVC name** for each deployment.
+</Note>
+
+## External References
+
+<CardGroup cols={2}>
+    <Card title="CockroachDB Documentation" icon="book" href="https://www.cockroachlabs.com/docs/stable/">
+    Official CockroachDB documentation
+    </Card>
+    <Card title="Multi-Region Overview" icon="globe" href="https://www.cockroachlabs.com/docs/stable/multiregion-overview">
+    Learn about multi-region deployments
+    </Card>
+    <Card title="Survive Region Failure" icon="shield" href="https://www.cockroachlabs.com/docs/stable/alter-database#survive-region-failure">
+    Configure region failure survival goals
+    </Card>
+    <Card title="CockroachDB Template" icon="github" href="https://github.com/controlplane-com/templates/tree/main/cockroach">
+    View the source files, default values, and chart definition
+    </Card>
+</CardGroup>
\ No newline at end of file
diff --git a/template-catalog/templates/external-secret-syncer.mdx b/template-catalog/templates/external-secret-syncer.mdx
new file mode 100644
index 0000000..957109d
--- /dev/null
+++ b/template-catalog/templates/external-secret-syncer.mdx
@@ -0,0 +1,239 @@
+---
+title: External Secret Syncer
+---
+
+## Overview
+
+The External Secret Syncer (ESS) continuously syncs secrets and parameters from external providers into Control Plane secrets. This template deploys ESS as a workload that polls your configured providers on a set interval and creates or updates Control Plane secrets to match.
+
+### Supported Providers
+
+- [AWS Systems Manager Parameter Store](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html)
+- [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/)
+- [HashiCorp Vault](https://www.hashicorp.com/en/products/vault)
+- [1Password](https://1password.com/)
+- [Doppler](https://www.doppler.com/)
+
+### What Gets Created
+
+- **Workload** — An ESS container (`v1.2.4`) with CPU-based autoscaling (1–3 replicas) and a readiness probe on `/about`.
+- **Identity & Policy** — An identity bound to the workload with `manage` permissions on all secrets, allowing ESS to create and update Control Plane secrets.
+- **Secret** — An opaque secret containing the sync configuration (providers and secret mappings).
+
+<Note>
+This template does not create a GVC. You must deploy it into an existing GVC.
+</Note>
+
+## Prerequisites
+
+1. A secret or parameter stored in one of the [supported providers](#supported-providers).
+2. Credentials with read access to the desired secret (API token, IAM keys, etc.). Alternatively, you can use a cloud access [identity](/reference/identity) instead of supplying keys directly.
+
+To install, follow the instructions for your preferred method:
+
+<CardGroup cols={2}>
+    <Card title="UI" href="/template-catalog/install-manage/ui" icon="laptop">
+    Browse, install, and manage templates visually
+    </Card>
+    <Card title="CLI" href="/template-catalog/install-manage/cli" icon="terminal">
+    Manage templates from your terminal
+    </Card>
+    <Card title="Terraform" href="/template-catalog/install-manage/terraform" icon={<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 128 128"><g fill-rule="evenodd"><path d="M77.941 44.5v36.836L46.324 62.918V26.082zm0 0" fill="#5c4ee5"/><path d="M81.41 81.336l31.633-18.418V26.082L81.41 44.5zm0 0" fill="#4040b2"/><path d="M11.242 42.36L42.86 60.776V23.941L11.242 5.523zm0 0M77.941 85.375L46.324 66.957v36.82l31.617 18.418zm0 0" fill="#5c4ee5"/></g></svg>}>
+    Declare templates in your Terraform configurations
+    </Card>
+    <Card title="Pulumi" href="/template-catalog/install-manage/pulumi" icon={<svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" id="Pulumi-Icon--Streamline-Svg-Logos" height="24" width="24">
+        <desc>
+            Pulumi Icon Streamline Icon: https://streamlinehq.com
+        </desc>
+        <path fill="#f26e7e" d="M4.683025 13.3318c0.869125 -0.5018 0.870575 -2.1264 0.003225 -3.62865s-2.27504 -2.313275 -3.1441725 -1.811475C0.672945 8.3935 0.6715 10.0181 1.53885 11.52035c0.86735 1.502275 2.27505 2.313275 3.144175 1.81145Zm0.0052 3.2167c0.86735 1.502275 0.865925 3.126875 -0.003225 3.628675 -0.86915 0.5018 -2.2768275 -0.309225 -3.144175 -1.81145 -0.8673525 -1.50225 -0.8659075 -3.126875 0.003225 -3.628675 0.8691325 -0.5018 2.276825 0.309225 3.144175 1.81145Zm5.922875 3.4243c0.86735 1.50225 0.8659 3.126775 -0.003225 3.62875 -0.869125 0.501775 -2.27685 -0.309325 -3.1442 -1.81155 -0.867325 -1.50225 -0.865875 -3.12685 0.00325 -3.628675 0.869125 -0.5018 2.276825 0.309225 3.144175 1.811475Zm-0.001925 -6.845275c0.86735 1.50225 0.8659 3.12685 -0.003225 3.628675 -0.869125 0.5018 -2.276825 -0.309225 -3.144175 -1.811475 -0.86735 -1.50225 -0.8659 -3.12685 0.003225 -3.62865 0.869125 -0.501825 2.276825 0.3092 3.144175 1.81145Z" stroke-width="0.25"></path>
+        <path fill="#8a3391" d="M22.45775 11.524125c0.86725 -1.502225 0.865925 -3.12685 -0.003225 -3.62865 -0.869125 -0.501825 -2.276825 0.3092 -3.144175 1.811475 -0.86735 1.50225 -0.8659 3.126825 0.003225 3.62865 0.869125 0.501825 2.276825 -0.3092 3.144175 -1.811475Zm0.000175 3.2151c0.869075 0.5018 0.870625 2.1264 0.003225 3.62865 -0.86735 1.50225 -2.27505 2.313275 -3.144175 1.81145 -0.869125 -0.5018 -0.870575 -2.126425 -0.003225 -3.62865 0.86735 -1.50225 2.27505 -2.313275 3.144175 -1.81145ZM16.536225 18.157875c0.86915 0.501825 0.8706 2.126425 0.00325 3.628675 -0.86735 1.502125 -2.275075 2.313225 -3.1442 1.81145 -0.869125 -0.50175 -0.870575 -2.126425 -0.003225 -3.62865 0.867375 -1.502275 2.27505 -2.3133 3.144175 -1.811475Zm-0.003325 -6.843775c0.869125 0.5018 0.870575 2.126425 0.003225 3.628675s-2.27505 2.313275 -3.1442 1.811475c-0.869125 -0.501825 -0.870575 -2.126425 -0.003225 -3.628675 0.86735 -1.502275 2.27505 -2.313275 3.1442 -1.811475Z" stroke-width="0.25"></path>
+        <path fill="#f7bf2a" d="M15.138225 2.06721c0 1.003615 -1.40625 1.817215 -3.14095 1.817215 -1.7347 0 -3.14095 -0.8136 -3.14095 -1.817215C8.856325 1.06359 10.262575 0.25 11.997275 0.25c1.7347 0 3.14095 0.81359 3.14095 1.81721ZM9.2166 5.482375c0 1.003625 -1.40625 1.8172 -3.14095 1.8172 -1.7347 0 -3.14095 -0.813575 -3.14095 -1.8172s1.40625 -1.817225 3.14095 -1.817225c1.7347 0 3.14095 0.8136 3.14095 1.817225Zm8.71005 1.8172c1.7347 0 3.14095 -0.813575 3.14095 -1.8172s-1.40625 -1.817225 -3.14095 -1.817225c-1.7347 0 -3.14095 0.8136 -3.14095 1.817225s1.40625 1.8172 3.14095 1.8172Zm-2.788425 1.605625c0 1.003625 -1.40625 1.8172 -3.14095 1.8172 -1.7347 0 -3.14095 -0.813575 -3.14095 -1.8172 0 -1.0036 1.40625 -1.8172 3.14095 -1.8172 1.7347 0 3.14095 0.8136 3.14095 1.8172Z" stroke-width="0.25"></path>
+        </svg>}>
+    Declare templates in your Pulumi programs
+    </Card>
+</CardGroup>
+
+## Configuration
+
+The default `values.yaml` for this template:
+
+```yaml
+workload:
+  name: ess
+  image: ghcr.io/controlplane-com/cpln-build/external-secret-syncer:v1.2.4
+  resources:
+    cpu: 200m
+    memory: 256Mi
+  port: 3004
+  allowedIp:
+    - 1.2.3.4 # Replace with your IP
+
+essConfig:
+  providers:
+    - name: my-vault
+      vault:
+        address: https://my-vault.com:8200
+        token: <TOKEN>
+      syncInterval: 1m
+    - name: my-aws-ssm
+      awsParameterStore:
+        region: us-east-1
+        accessKeyId: <ACCESS_KEY>
+        secretAccessKey: <SECRET_ACCESS_KEY>
+    # - name: my-aws-secrets-manager
+    #   awsSecretsManager:
+    #     region: us-east-1
+    #     accessKeyId: <ACCESS_KEY>
+    #     secretAccessKey: <SECRET_ACCESS_KEY>
+    # - name: my-1password
+    #   onePassword:
+    #     serviceAccountToken: <TOKEN>
+    #     integrationName: my-ess <optional - defaults to syncer.cpln.io>
+    #     integrationVersion: 1.0.0 <optional - defaults to image tag>
+    # - name: my-doppler
+    #   doppler:
+    #     accessToken: <TOKEN>
+  secrets:
+    - name: auth
+      provider: my-vault
+      syncInterval: 20s
+      dictionary:
+        PORT:
+          path: /v1/secret/data/app
+          parse: data.port
+          default: 5432
+        PASSWORD:
+          path: /v1/secret/data/app
+          parse: data.password
+        USERNAME:
+          default: "no username"
+          path: /v1/secret/data/app
+          parse: data.username
+    - name: ssm
+      provider: my-aws
+      syncInterval: 20s
+      opaque: /example/app
+    # - name: secrets-manager
+    #   provider: my-aws-secrets-manager
+    #   dictionary:
+    #     PASSWORD:
+    #       path: /example/app
+    #       parse: password
+    # - name: doppler
+    #   provider: my-doppler
+    #   opaque: /project/config/secret
+```
+
+### Workload
+
+- `workload.name` — The name of the ESS workload.
+- `workload.resources` — CPU and memory allocated to the workload.
+- `workload.port` — The port ESS listens on (default `3004`).
+- `workload.allowedIp` — IP addresses allowed inbound access to the workload.
+
+### Providers
+
+Each entry in `essConfig.providers` defines a connection to an external secret store. Every provider must have a unique `name`.
+
+| Provider | Required Fields |
+|----------|----------------|
+| HashiCorp Vault | `vault.address`, `vault.token` |
+| AWS Parameter Store | `awsParameterStore.region` |
+| AWS Secrets Manager | `awsSecretsManager.region` |
+| 1Password | `onePassword.serviceAccountToken` |
+| Doppler | `doppler.accessToken` |
+
+AWS providers optionally accept `accessKeyId` and `secretAccessKey`. If omitted, ESS falls back to credentials provided through the workload's cloud access [identity](/reference/identity).
+
+A `syncInterval` can be set per provider to control how frequently ESS polls for changes (e.g., `30s`, `1m`, `5m`).
+
+### Secrets
+
+Each entry in `essConfig.secrets` maps an external secret to a Control Plane secret. Secrets support two types:
+
+**Dictionary** — Creates a dictionary secret with multiple key-value pairs. Each key specifies a `path` to fetch from, a `parse` expression to extract a specific field, and an optional `default` value.
+
+```yaml
+secrets:
+  - name: auth
+    provider: my-vault
+    dictionary:
+      PORT:
+        path: /v1/secret/data/app
+        parse: data.port
+        default: 5432
+```
+
+**Opaque** — Creates an opaque secret containing the raw value (or a parsed field) from the external source.
+
+```yaml
+secrets:
+  - name: ssm
+    provider: my-aws-ssm
+    opaque: /example/app
+```
+
+For opaque secrets that return base64-encoded content, add `encoding: base64` to decode to plaintext.
+
+Each secret can also override the provider's `syncInterval` with its own value.
+
+<Note>
+Vault KV engine secrets are nested under a `data` key:
+```json
+{
+  "data": {
+    "PORT": "1234"
+  },
+  "metadata": {
+    "created_time": "2025-03-11T20:05:41.865209462Z",
+    "custom_metadata": null,
+    "deletion_time": "",
+    "destroyed": false,
+    "version": 1
+  }
+}
+```
+When using `parse`, start with `data` to access the secret content (e.g., `data.port`).
+</Note>
+
+## Synced Secret Output
+
+A secret created by ESS will look like:
+
+```yaml
+kind: secret
+name: hello
+description: hello
+tags:
+  syncer.cpln.io/lastError: '' # populated if ESS encounters an error
+  syncer.cpln.io/source: //gvc/<gvc name>/workload/<ess workload name>
+type: dictionary
+data:
+  PORT: '1234'
+  PASSWORD: 'no pass' # default used if the key was not found
+```
+
+The `syncer.cpln.io/lastError` tag is empty on success. If ESS encounters an error syncing a secret, the tag is populated with the error message.
+
+## External References
+
+<CardGroup cols={2}>
+    <Card title="AWS Parameter Store" icon="aws" href="https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html">
+    AWS Systems Manager Parameter Store documentation
+    </Card>
+    <Card title="AWS Secrets Manager" icon="aws" href="https://aws.amazon.com/secrets-manager/">
+    AWS Secrets Manager documentation
+    </Card>
+    <Card title="HashiCorp Vault" icon="vault" href="https://www.hashicorp.com/en/products/vault">
+    HashiCorp Vault secret management
+    </Card>
+    <Card title="1Password" icon="key" href="https://1password.com/">
+    1Password secret management
+    </Card>
+    <Card title="Doppler" icon="lock" href="https://www.doppler.com/">
+    Doppler secrets platform
+    </Card>
+    <Card title="ESS Template" icon="github" href="https://github.com/controlplane-com/templates/tree/main/ess">
+    View the source files, default values, and chart definition
+    </Card>
+</CardGroup>
\ No newline at end of file
diff --git a/template-catalog/templates/icons/cockroachdb.png b/template-catalog/templates/icons/cockroachdb.png
new file mode 100644
index 0000000..9b7dc66
Binary files /dev/null and b/template-catalog/templates/icons/cockroachdb.png differ
diff --git a/template-catalog/templates/icons/ess.png b/template-catalog/templates/icons/ess.png
new file mode 100644
index 0000000..999017a
Binary files /dev/null and b/template-catalog/templates/icons/ess.png differ