diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..f2a7beb
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,12 @@
+FROM golang:1.23-alpine AS builder
+WORKDIR /usr/src/app
+COPY go.mod go.sum ./
+RUN go mod download
+COPY . .
+RUN go build -o /usr/local/bin/app .
+
+
+FROM alpine:3.20.3
+COPY --from=builder /usr/local/bin/app /usr/local/bin/secrets-store-csi-driver-provider-pulumi-esc
+
+CMD ["secrets-store-csi-driver-provider-pulumi-esc"]
diff --git a/Tiltfile b/Tiltfile
new file mode 100644
index 0000000..bdb4f38
--- /dev/null
+++ b/Tiltfile
@@ -0,0 +1,23 @@
+docker_build(
+ 'dirien/secrets-store-csi-driver-provider-pulumi-esc',
+ context='.',
+ dockerfile='./Dockerfile',
+ live_update=[
+ sync('./pkg/', '/main.go'),
+ ],
+)
+
+k8s_yaml(
+ 'deployment/pulumi-esc-csi-provider.yaml'
+)
+
+k8s_yaml(
+ listdir('examples')
+)
+
+k8s_resource(
+ 'secrets-store-csi-driver-provider-pulumi-esc',
+ labels=['secrets-store-csi-driver-provider-pulumi-esc']
+)
+
+tiltfile_path = config.main_path
diff --git a/deployment/pulumi-esc-csi-provider.yaml b/deployment/pulumi-esc-csi-provider.yaml
new file mode 100644
index 0000000..18f23e1
--- /dev/null
+++ b/deployment/pulumi-esc-csi-provider.yaml
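Review bot: The final stage has no `USER` instruction, so the provider runs as root inside the container and nothing in the Dockerfile says whether that is intended. If root is genuinely needed to create the socket under the `hostPath` directory the DaemonSet mounts, a comment above `FROM alpine:3.20.3` should state that; otherwise add a non-root `USER`. The builder tag `golang:1.23-alpine` floats while go.mod pins `go 1.23.1`, and the build line takes toolchain defaults; `RUN CGO_ENABLED=0 go build -trimpath -o /usr/local/bin/app .` yields a static binary without build-host paths regardless of which toolchain the tag resolves to. `COPY . .` also pulls the whole checkout (including `examples/` and any local files) into the builder layer, so a `.dockerignore` is worth adding alongside.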
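Review bot: The `live_update` entry `sync('./pkg/', '/main.go')` cannot do anything useful: it copies the `pkg` directory onto a file path, and the runtime image produced by the Dockerfile contains only the compiled binary under `/usr/local/bin`, so no process in the container consumes synced Go sources. Either drop the `live_update` block so that source edits trigger a full image rebuild, or pair the sync with a `run()` step in an image that carries the Go toolchain. `tiltfile_path = config.main_path` is assigned and never used.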
@@ -0,0 +1,83 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: secrets-store-csi-driver-provider-pulumi-esc + namespace: kube-system + labels: + app.kubernetes.io/name: secrets-store-csi-driver-provider-pulumi-esc + app.kubernetes.io/instance: secrets-store-csi-driver-provider-pulumi-esc + app.kubernetes.io/version: "0.4.2" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: secrets-store-csi-driver-provider-pulumi-esc + namespace: kube-system + labels: + app.kubernetes.io/name: secrets-store-csi-driver-provider-pulumi-esc + app.kubernetes.io/instance: secrets-store-csi-driver-provider-pulumi-esc + app.kubernetes.io/version: "0.4.2" +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: secrets-store-csi-driver-provider-pulumi-esc + namespace: kube-system + labels: + app.kubernetes.io/name: secrets-store-csi-driver-provider-pulumi-esc + app.kubernetes.io/instance: secrets-store-csi-driver-provider-pulumi-esc + app.kubernetes.io/version: "0.4.2" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: secrets-store-csi-driver-provider-pulumi-esc +subjects: +- kind: ServiceAccount + namespace: kube-system + name: secrets-store-csi-driver-provider-pulumi-esc +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: secrets-store-csi-driver-provider-pulumi-esc + namespace: kube-system + labels: + app.kubernetes.io/name: secrets-store-csi-driver-provider-pulumi-esc + app.kubernetes.io/instance: secrets-store-csi-driver-provider-pulumi-esc + app.kubernetes.io/version: "0.4.2" +spec: + selector: + matchLabels: + app.kubernetes.io/name: secrets-store-csi-driver-provider-pulumi-esc + app.kubernetes.io/instance: secrets-store-csi-driver-provider-pulumi-esc + template: + metadata: + labels: + app.kubernetes.io/name: secrets-store-csi-driver-provider-pulumi-esc + app.kubernetes.io/instance: 
secrets-store-csi-driver-provider-pulumi-esc + app.kubernetes.io/version: "0.4.2" + spec: + serviceAccountName: secrets-store-csi-driver-provider-pulumi-esc + securityContext: + {} + containers: + - name: secrets-store-csi-driver-provider-pulumi-esc + image: "dirien/secrets-store-csi-driver-provider-pulumi-esc" + imagePullPolicy: Always + resources: + {} + volumeMounts: + - name: socket + mountPath: /etc/kubernetes/secrets-store-csi-providers + volumes: + - name: socket + hostPath: + path: /etc/kubernetes/secrets-store-csi-providers + type: DirectoryOrCreate + nodeSelector: + kubernetes.io/os: linux diff --git a/examples/deployment.yaml b/examples/deployment.yaml new file mode 100644 index 0000000..6f9652b --- /dev/null +++ b/examples/deployment.yaml @@ -0,0 +1,44 @@ + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: example-provider-pulumi-esc + namespace: default + labels: + app: example-provider-pulumi-esc +spec: + replicas: 1 + selector: + matchLabels: + app: example-provider-pulumi-esc + template: + metadata: + labels: + app: example-provider-pulumi-esc + spec: + containers: + - name: client + image: busybox:latest + command: ["sh", "-c"] + env: + - name: SECRET_FROM_K8S_SECRET + valueFrom: + secretKeyRef: + name: example-provider-secret + key: password + args: + - | + set -eux + ls /run/secrets + find /run/secrets/ -mindepth 1 -maxdepth 1 -not -name '.*' | xargs -t -I {} sh -c 'echo "$(cat "{}")"' + tail -f /dev/null + volumeMounts: + - name: data + mountPath: /run/secrets + volumes: + - name: data + csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: "example-provider-pulumi-esc" diff --git a/examples/secret.yaml b/examples/secret.yaml new file mode 100644 index 0000000..5d7fc23 --- /dev/null +++ b/examples/secret.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Secret +metadata: + name: pulumi-secret-provider-auth-credentials + namespace: default +type: Opaque +stringData: + pulumi-access-token: xxx + 
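Review bot: The ClusterRole grants `get` on `secrets` in every namespace, while the secret to read is chosen by the SecretProviderClass (`authSecretName`/`authSecretNamespace`), so anyone able to create a SecretProviderClass in one namespace can point the provider at a Secret in any other namespace and have it read under this service account's cluster-wide privilege. If cross-namespace lookups are not a deliberate feature, the server should reject an `authSecretNamespace` that differs from the requesting pod's namespace (the `csi.storage.k8s.io/pod.namespace` attribute config.go already captures); either way the rule deserves a comment stating the intended scope. The `namespace: kube-system` on the ClusterRole and ClusterRoleBinding is ignored for cluster-scoped objects and can be dropped. The DaemonSet image `dirien/secrets-store-csi-driver-provider-pulumi-esc` carries no tag or digest with `imagePullPolicy: Always`, so each node restart may pull a different build; pin it, and note the labels say `0.4.2` while main.go reports `runtimeVersion = "0.1.0"`.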
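Review bot: The example's startup script (`find /run/secrets/ ... | xargs -t -I {} sh -c 'echo "$(cat "{}")"'` under `set -eux`) writes every mounted secret value to stdout, where it lands in the container log and is readable by anyone with `pods/log` access. To demonstrate that the mount worked, `ls -la /run/secrets` (or `wc -c` per file) shows the files without disclosing contents; if printing values is intentional for local experimentation, say so in a comment next to the `args` block. `image: busybox:latest` is an unpinned tag as well.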
diff --git a/examples/secretproviderclass.yaml b/examples/secretproviderclass.yaml new file mode 100644 index 0000000..bf232c1 --- /dev/null +++ b/examples/secretproviderclass.yaml @@ -0,0 +1,22 @@ +apiVersion: secrets-store.csi.x-k8s.io/v1 +kind: SecretProviderClass +metadata: + name: example-provider-pulumi-esc + namespace: default +spec: + provider: pulumi + parameters: + apiUrl: https://api.pulumi.com/api/esc + organization: dirien + project: voting-app + environment: db + authSecretName: pulumi-secret-provider-auth-credentials + authSecretNamespace: default + objects: | + - objectName: postgres + secretObjects: + - secretName: example-provider-secret + type: Opaque + data: + - objectName: postgres + key: password diff --git a/go.mod b/go.mod new file mode 100644 index 0000000..7ec3b7e --- /dev/null +++ b/go.mod 
@@ -0,0 +1,58 @@ +module github.com/dirien/pulumi-esc-csi-provider + +go 1.23.1 + +require ( + github.com/go-playground/validator/v10 v10.22.1 + github.com/pulumi/esc-sdk/sdk v0.10.0 + google.golang.org/grpc v1.63.2 + gopkg.in/yaml.v3 v3.0.1 + k8s.io/apimachinery v0.30.0 + k8s.io/client-go v0.30.0 + sigs.k8s.io/secrets-store-csi-driver v1.4.2 +) + +require ( + github.com/davecgh/go-spew v1.1.1 // indirect + github.com/emicklei/go-restful/v3 v3.11.0 // indirect + github.com/gabriel-vasile/mimetype v1.4.3 // indirect + github.com/go-logr/logr v1.4.1 // indirect + github.com/go-openapi/jsonpointer v0.19.6 // indirect + github.com/go-openapi/jsonreference v0.20.2 // indirect + github.com/go-openapi/swag v0.22.3 // indirect + github.com/go-playground/locales v0.14.1 // indirect + github.com/go-playground/universal-translator v0.18.1 // indirect + github.com/gogo/protobuf v1.3.2 // indirect + github.com/golang/protobuf v1.5.4 // indirect + github.com/google/gnostic-models v0.6.8 // indirect + github.com/google/gofuzz v1.2.0 // indirect + github.com/google/uuid v1.6.0 // indirect + github.com/josharian/intern v1.0.0 // indirect + github.com/json-iterator/go v1.1.12 // indirect + github.com/leodido/go-urn v1.4.0 // indirect + github.com/mailru/easyjson v0.7.7 // indirect + github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect + github.com/modern-go/reflect2 v1.0.2 // indirect + github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect + github.com/stretchr/testify v1.9.0 // indirect + golang.org/x/crypto v0.21.0 // indirect + golang.org/x/net v0.23.0 // indirect + golang.org/x/oauth2 v0.17.0 // indirect + golang.org/x/sys v0.18.0 // indirect + golang.org/x/term v0.18.0 // indirect + golang.org/x/text v0.14.0 // indirect + golang.org/x/time v0.3.0 // indirect + google.golang.org/appengine v1.6.8 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20240227224415-6ceb2ff114de // indirect + google.golang.org/protobuf 
v1.33.0 // indirect + gopkg.in/ghodss/yaml.v1 v1.0.0 // indirect + gopkg.in/inf.v0 v0.9.1 // indirect + gopkg.in/yaml.v2 v2.4.0 // indirect + k8s.io/api v0.30.0 // indirect + k8s.io/klog/v2 v2.120.1 // indirect + k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect + k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect + sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect + sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect + sigs.k8s.io/yaml v1.3.0 // indirect +) diff --git a/go.sum b/go.sum new file mode 100644 index 0000000..e96e5f5 --- /dev/null +++ b/go.sum 
@@ -0,0 +1,192 @@ +github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g= +github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/gabriel-vasile/mimetype v1.4.3 h1:in2uUcidCuFcDKtdcBxlR0rJ1+fsokWf+uqxgUFjbI0= +github.com/gabriel-vasile/mimetype v1.4.3/go.mod h1:d8uq/6HKRL6CGdk+aubisF/M5GcPfT7nKyLpA0lbSSk= +github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ= +github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE= +github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs= +github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE= +github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= +github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g= +github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= +github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s= +github.com/go-playground/assert/v2 v2.2.0/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4= +github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/oXslEjJA= +github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY= +github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY= +github.com/go-playground/universal-translator 
v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY= +github.com/go-playground/validator/v10 v10.22.1 h1:40JcKH+bBNGFczGuoBYgX4I6m/i27HYW8P9FDk5PbgA= +github.com/go-playground/validator/v10 v10.22.1/go.mod h1:dbuPbCMFw/DrkbEynArYaCwl3amGuJotoKCe95atGMM= +github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= +github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= +github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= +github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= +github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= +github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= +github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= +github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= +github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= +github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= +github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec= +github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod 
h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= +github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= +github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= +github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= +github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= +github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= +github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= +github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= +github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= +github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ= +github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI= +github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= +github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= +github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod 
h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= +github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= +github.com/onsi/ginkgo/v2 v2.15.0 h1:79HwNRBAZHOEwrczrgSOPy+eFTTlIGELKy5as+ClttY= +github.com/onsi/ginkgo/v2 v2.15.0/go.mod h1:HlxMHtYF57y6Dpf+mc5529KKmSq9h2FpCF+/ZkwUxKM= +github.com/onsi/gomega v1.31.0 h1:54UJxxj6cPInHS3a35wm6BK/F9nHYueZ1NVujHDrnXE= +github.com/onsi/gomega v1.31.0/go.mod h1:DW9aCi7U6Yi40wNVAvT6kzFnEVEI5n3DloYBiKiT6zk= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/pulumi/esc-sdk/sdk v0.10.0 h1:tVZGVSVgSf/3UkKI3iC9E287eXw9VERvmdI4vN2BD4o= +github.com/pulumi/esc-sdk/sdk v0.10.0/go.mod h1:J6+8bCUJyLXvYOmTAc90/EhU1iUPr1Koo3NUnFzY78k= +github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= +github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog= +github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= +github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= +github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.7.1/go.mod 
h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= +github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= +github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= +github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= +github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA= +golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs= +golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net 
v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs= +golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= +golang.org/x/oauth2 v0.17.0 h1:6m3ZPmLEFdVxKKWnKq4VqZ60gutO35zm+zrAHVmHyDQ= +golang.org/x/oauth2 v0.17.0/go.mod h1:OzPDGQiuQMguemayvdylqddI7qcD9lnSDb+1FiwQ5HA= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4= +golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/term 
v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.18.0 h1:FcHjZXDMxI8mM3nwhX9HlKop4C0YQvCVCdwYl2wOtE8= +golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= +golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= +golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4= +golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= +golang.org/x/tools v0.18.0 h1:k8NLag8AGHnn+PHbl7g43CtqZAwG60vZkLqgyZgIHgQ= +golang.org/x/tools v0.18.0/go.mod h1:GL7B4CwcLLeo59yx/9UWWuNOW1n3VZ4f5axWfML7Lcg= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod 
h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM= +google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240227224415-6ceb2ff114de h1:cZGRis4/ot9uVm639a+rHCUaG0JJHEsdyzSQTMX+suY= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240227224415-6ceb2ff114de/go.mod h1:H4O17MA/PE9BsGx3w+a+W2VOLLD1Qf7oJneAoU6WktY= +google.golang.org/grpc v1.63.2 h1:MUeiw1B2maTVZthpU5xvASfTh3LDbxHd6IJ6QQVU+xM= +google.golang.org/grpc v1.63.2/go.mod h1:WAX/8DgncnokcFUldAxq7GeB5DXHDbMF+lLvDomNkRA= +google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= +google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= +google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI= +google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= +gopkg.in/ghodss/yaml.v1 v1.0.0 h1:JlY4R6oVz+ZSvcDhVfNQ/k/8Xo6yb2s1PBhslPZPX4c= +gopkg.in/ghodss/yaml.v1 v1.0.0/go.mod h1:HDvRMPQLqycKPs9nWLuzZWxsxRzISLCRORiDpBUOMqg= +gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= +gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= +gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= +gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +k8s.io/api v0.30.0 h1:siWhRq7cNjy2iHssOB9SCGNCl2spiF1dO3dABqZ8niA= +k8s.io/api v0.30.0/go.mod h1:OPlaYhoHs8EQ1ql0R/TsUgaRPhpKNxIMrKQfWUp8QSE= +k8s.io/apimachinery v0.30.0 h1:qxVPsyDM5XS96NIh9Oj6LavoVFYff/Pon9cZeDIkHHA= +k8s.io/apimachinery v0.30.0/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc= +k8s.io/client-go v0.30.0 h1:sB1AGGlhY/o7KCyCEQ0bPWzYDL0pwOZO4vAtTSh/gJQ= +k8s.io/client-go v0.30.0/go.mod h1:g7li5O5256qe6TYdAMyX/otJqMhIiGgTapdLchhmOaY= +k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw= +k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= +k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 h1:BZqlfIlq5YbRMFko6/PM7FjZpUb45WallggurYhKGag= +k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340/go.mod h1:yD4MZYeKMBwQKVht279WycxKyM84kkAx2DPrTXaeb98= +k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI= +k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= +sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= +sigs.k8s.io/secrets-store-csi-driver v1.4.2 h1:y2ETKPoYcJAVIJAlja2RKE4/gHJ0EoCZf+CalKRs2DA= +sigs.k8s.io/secrets-store-csi-driver v1.4.2/go.mod h1:ZUdzEpDMuT6mtXzRUppfkSmyKSwVRNt0kYE92g2FGtE= +sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= +sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08= +sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo= +sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8= 
diff --git a/main.go b/main.go
new file mode 100644
index 0000000..f5fff6c
--- /dev/null
+++ b/main.go
@@ -0,0 +1,53 @@
+package main
+
+import (
+ "context"
+ "flag"
+ "fmt"
+ "github.com/dirien/pulumi-esc-csi-provider/pkg/provider"
+ "log"
+ "os"
+ "os/signal"
+ "syscall"
+
+ "github.com/dirien/pulumi-esc-csi-provider/pkg/auth"
+ "k8s.io/client-go/kubernetes"
+ "k8s.io/client-go/rest"
+)
+
+var (
+ runtimeVersion = "0.1.0"
+ versionFlag = flag.Bool("version", false, "print version information")
+)
+
+func main() {
+ flag.Parse()
+ if *versionFlag {
+ fmt.Println(runtimeVersion)
+ os.Exit(0)
+ }
+
+ socketPath := "/etc/kubernetes/secrets-store-csi-providers/pulumi.sock"
+ _ = os.MkdirAll("/etc/kubernetes/secrets-store-csi-providers", 0755)
+ _ = os.Remove(socketPath)
+
+ kubeConfig, err := rest.InClusterConfig()
+ if err != nil {
+ panic(fmt.Errorf("unable to get kubeconfig: %v", err))
+ }
+ kubeClient := kubernetes.NewForConfigOrDie(kubeConfig)
+
+ auth := auth.NewAuth(kubeClient)
+ provider := provider.NewCSIProviderServer(runtimeVersion, socketPath, auth)
+ defer provider.Stop()
+
+ if err := provider.Start(); err != nil {
+ panic(fmt.Errorf("unable to start server: %v", err))
+ }
+
+ log.Printf("server started at: %s\n", socketPath)
+ ctx, stop := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
+ defer stop()
+ <-ctx.Done()
+ log.Println("shutting down server")
+}
diff --git a/pkg/auth/auth.go b/pkg/auth/auth.go
new file mode 100644
index 0000000..b941872
--- /dev/null
+++ b/pkg/auth/auth.go
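Review bot: The errors from `os.MkdirAll` and `os.Remove` are discarded with `_ =`, so when the socket directory cannot be created or a stale socket cannot be removed the only symptom is a less specific failure from `net.Listen` inside `Start`. Handle them in place: `if err := os.MkdirAll("/etc/kubernetes/secrets-store-csi-providers", 0o755); err != nil { log.Fatalf("creating socket directory: %v", err) }`, and for the remove treat only `os.IsNotExist(err)` as benign. The two `panic(fmt.Errorf(...))` calls report startup failures, not programmer bugs; `log.Fatalf` exits non-zero with a clean message and no goroutine dump. The locals `auth := auth.NewAuth(...)` and `provider := provider.NewCSIProviderServer(...)` shadow their packages from that line on, and the project import sits inside the stdlib group; `goimports` would regroup it.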
@@ -0,0 +1,50 @@
+//go:generate mockgen -destination=mock_$GOPACKAGE/mock_$GOFILE -source=$GOFILE
+package auth
+
+import (
+ "context"
+ "fmt"
+
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/types"
+ "k8s.io/client-go/kubernetes"
+)
+
+var (
+ pulumiAccessToken = "pulumi-access-token"
+)
+
+type Credentials struct {
+ Pat string
+}
+
+type Auth interface {
+ TokenFromKubeSecret(ctx context.Context, secretRef types.NamespacedName) (*Credentials, error)
+}
+
+type auth struct {
+ kubeClient kubernetes.Interface
+}
+
+func NewAuth(kubeClient kubernetes.Interface) Auth {
+ return &auth{
+ kubeClient: kubeClient,
+ }
+}
+
+func (a *auth) TokenFromKubeSecret(ctx context.Context, secretRef types.NamespacedName) (*Credentials, error) {
+ secret, err := a.kubeClient.CoreV1().Secrets(secretRef.Namespace).Get(ctx, secretRef.Name, metav1.GetOptions{})
+ if err != nil {
+ return nil, err
+ }
+
+ credentials := &Credentials{}
+
+ pat, ok := secret.Data[pulumiAccessToken]
+ if !ok {
+ return nil, fmt.Errorf("token not found in secret %s", secretRef)
+ }
+ credentials.Pat = string(pat)
+
+ return credentials, nil
+}
diff --git a/pkg/config/config.go b/pkg/config/config.go
new file mode 100644
index 0000000..b061a96
--- /dev/null
+++ b/pkg/config/config.go
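Review bot: `TokenFromKubeSecret` accepts a Secret whose `pulumi-access-token` key exists but holds an empty value, because the guard only tests `!ok`; an empty PAT then presumably fails much later at the ESC API with an error that does not point back at the Secret. Change the guard to `if !ok || len(pat) == 0 {` and keep the existing message. `pulumiAccessToken` never changes and can be a `const`, and `Credentials` deserves a doc comment saying that `Pat` is the raw Pulumi access token read verbatim from the `pulumi-access-token` key of the referenced Secret.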
@@ -0,0 +1,112 @@
+package config
+
+import (
+ "errors"
+ "fmt"
+ "io"
+ "log/slog"
+ "reflect"
+ "strings"
+
+ "github.com/go-playground/validator/v10"
+ "gopkg.in/yaml.v3"
+)
+
+type Config struct {
+ APIURL string `json:"apiUrl" validate:"required"`
+ Organization string `json:"organization" validate:"required"`
+ Project string `json:"project" validate:"required"`
+ Environment string `json:"environment" validate:"required"`
+ Path string `json:"secretsPath" validate:"required"`
+ AuthSecretName string `json:"authSecretName" validate:"required"`
+ AuthSecretNamespace string `json:"authSecretNamespace" validate:"required"`
+ RawObjects *string `json:"objects"`
+ CSIPodName string `json:"csi.storage.k8s.io/pod.name"`
+ CSIPodNamespace string `json:"csi.storage.k8s.io/pod.namespace"`
+ CSIPodUID string `json:"csi.storage.k8s.io/pod.uid"`
+ CSIPodServiceAccountName string `json:"csi.storage.k8s.io/serviceAccount.name"`
+ CSIEphemeral string `json:"csi.storage.k8s.io/ephemeral"`
+ SecretProviderClass string `json:"secretProviderClass"`
+ parsedObjects []object
+ validator validator.Validate
+}
+
+type object struct {
+ Name string `yaml:"objectName" validate:"required"`
+ Alias string `yaml:"objectAlias" validate:"excludes=/"`
+}
+
+func NewValidator() *validator.Validate {
+ validator := validator.New(validator.WithRequiredStructEnabled())
+ validator.RegisterTagNameFunc(func(fld reflect.StructField) string {
+ var tag string
+ if v, ok := fld.Tag.Lookup("yaml"); ok {
+ tag = v
+ } else if v, ok := fld.Tag.Lookup("json"); ok {
+ tag = v
+ } else {
+ return fld.Name
+ }
+
+ name := strings.SplitN(tag, ",", 2)[0]
+ // skip if tag key says it should be ignored
+ if name == "-" {
+ return ""
+ }
+ return name
+ })
+
+ return validator
+}
+
+func NewMountConfig(validator validator.Validate) *Config {
+ return &Config{
+ Path: "/",
+ validator: validator,
+ }
+}
+
+func (a *Config) Objects() ([]object, error) {
+ if a.parsedObjects != nil {
+ return a.parsedObjects, nil
+ }
+
+ if a.RawObjects == nil {
+ return nil, nil
+ }
+
+ var objects []object
+ objectDecoder := yaml.NewDecoder(strings.NewReader(*a.RawObjects))
+ objectDecoder.KnownFields(true)
+ // Decode returns io.EOF error when empty string is passed
+ // c.f. https://github.com/go-yaml/yaml/blob/v3.0.1/yaml.go#L123-L126
+ if err := objectDecoder.Decode(&objects); err != nil && !errors.Is(err, io.EOF) {
+ return nil, err
+ }
+
+ a.parsedObjects = objects
+ return objects, nil
+}
+
+func (a *Config) Validate() error {
+ if err := a.validator.Struct(a); err != nil {
+ return err
+ }
+
+ if a.APIURL == "" {
+ slog.Info("apiUrl is empty, using default value", "default", "https://api.pulumi.com/api/esc")
+ a.APIURL = "https://api.pulumi.com/api/esc"
+ }
+
+ objects, err := a.Objects()
+ if err != nil {
+ return NewConfigError("objects", err)
+ }
+ for i, object := range objects {
+ if err := a.validator.Struct(object); err != nil {
+ return NewConfigError("objects", fmt.Errorf("[%d]: %w", i, err))
+ }
+ }
+
+ return nil
+}
diff --git a/pkg/config/error.go b/pkg/config/error.go
new file mode 100644
index 0000000..0d9e4d5
--- /dev/null
+++ b/pkg/config/error.go
@@ -0,0 +1,25 @@
+package config
+
+type ConfigError struct {
+ Path string
+ Err error
+}
+
+func NewConfigError(path string, err error) *ConfigError {
+ return &ConfigError{
+ Path: path,
+ Err: err,
+ }
+}
+
+func (e *ConfigError) Error() string {
+ child := e.Err
+ if child, ok := child.(*ConfigError); ok {
+ return e.Path + "." + child.Error()
+ }
+ return e.Path + ": " + child.Error()
+}
+
+func (e *ConfigError) Unwrap() error {
+ return e.Err
+}
diff --git a/pkg/provider/provider.go b/pkg/provider/provider.go
new file mode 100644
index 0000000..84d4660
--- /dev/null
+++ b/pkg/provider/provider.go
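Review bot: The `apiUrl` fallback in `Validate` is unreachable: `APIURL` carries `validate:"required"`, so `a.validator.Struct(a)` already returns an error for an empty value before the `if a.APIURL == ""` branch runs, which is why the example SecretProviderClass has to spell out `https://api.pulumi.com/api/esc`. Either remove `required` from the `APIURL` tag or move the default assignment above the `Struct` call. `NewMountConfig` takes `validator.Validate` by value while `NewValidator` returns `*validator.Validate` and server.go stores the pointer, so callers must dereference and the whole validator struct is copied into each Config; taking `*validator.Validate` matches the rest of the code. `object.Alias` is restricted with `excludes=/` but `Name` has no such rule; if `Name` stands in as the file name when no alias is given (that use is not in this file), it needs the same constraint.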
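Review bot: `Error()` calls `child.Error()` on `e.Err` unconditionally, so a `ConfigError` constructed with a nil error panics the first time it is printed, and `NewConfigError` does nothing to prevent that. Guard it with `if e.Err == nil { return e.Path }` before the type assertion. The inner `child, ok := child.(*ConfigError)` shadows the outer `child`, which reads as if the same variable were reassigned; `if inner, ok := e.Err.(*ConfigError); ok {` says the same thing without the shadow. The `.`-joining only applies to a directly nested `*ConfigError`, while one wrapped by `fmt.Errorf` (as `Validate` does for objects) falls through to the `: ` form; a one-line comment on `Error` stating that would save the next reader a trace.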
@@ -0,0 +1,33 @@
+package provider
+
+import (
+ "context"
+ esc "github.com/pulumi/esc-sdk/sdk/go"
+)
+
+type PulumiClient struct {
+ escClient esc.EscClient
+ authCtx context.Context
+ project string
+ environment string
+ organization string
+}
+
+func NewPulumiESCClient(accessToken, APIURL, project, environment, organization string) *PulumiClient {
+ configuration := esc.NewConfiguration()
+ configuration.UserAgent = "secrets-store-csi-driver-provider-pulumi-esc"
+ configuration.Servers = esc.ServerConfigurations{
+ esc.ServerConfiguration{
+ URL: APIURL,
+ },
+ }
+ authCtx := esc.NewAuthContext(accessToken)
+ escClient := esc.NewClient(configuration)
+ return &PulumiClient{
+ escClient: *escClient,
+ authCtx: authCtx,
+ project: project,
+ environment: environment,
+ organization: organization,
+ }
+}
diff --git a/pkg/provider/server.go b/pkg/provider/server.go
new file mode 100644
index 0000000..5f2ce59
--- /dev/null
+++ b/pkg/provider/server.go
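Review bot: `PulumiClient` keeps a `context.Context` in the `authCtx` field, which ties the auth context to the struct's lifetime and means a caller's cancellation or deadline can never reach the ESC calls; the usual shape is to hold the token and build the auth context per call, with `ctx` as the first parameter of each method. `escClient: *escClient` also copies the value that `esc.NewClient` returns as a pointer; storing `*esc.EscClient` avoids the copy. Note too that `Mount` in `server.go` builds its own client inline with `UserAgent = "external-secrets-operator"` rather than calling `NewPulumiESCClient`, whose user agent is `"secrets-store-csi-driver-provider-pulumi-esc"`; if this constructor is meant to be the single client factory, `Mount` should use it, and otherwise the two user agents should at least agree.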
@@ -0,0 +1,245 @@
+package provider
+
+import (
+ "context"
+ "encoding/json"
+ "errors"
+ "fmt"
+ "log"
+ "log/slog"
+ "net"
+ "os"
+ "strconv"
+ "strings"
+
+ "github.com/dirien/pulumi-esc-csi-provider/pkg/auth"
+ "github.com/dirien/pulumi-esc-csi-provider/pkg/config"
+ "github.com/go-playground/validator/v10"
+ esc "github.com/pulumi/esc-sdk/sdk/go"
+ "google.golang.org/grpc"
+ "k8s.io/apimachinery/pkg/types"
+ "sigs.k8s.io/secrets-store-csi-driver/provider/v1alpha1"
+)
+
+var (
+ ErrorInvalidSecretProviderClass = "InvalidSecretProviderClass"
+ ErrorUnauthorized = "Unauthorized"
+ ErrorBadRequest = "BadRequest"
+ ErrorInterfaceType = "interface{} is not of type map[string]interface{}"
+ ErrSecretType = "can not handle secret value with type"
+ ErrUnableToGetValues = "unable to get value for key %s: %w"
+)
+
+type CSIProviderServer struct {
+ version string
+ grpcServer *grpc.Server
+ listener net.Listener
+ socketPath string
+ auth auth.Auth
+ validator *validator.Validate
+}
+
+var _ v1alpha1.CSIDriverProviderServer = &CSIProviderServer{}
+
+// NewCSIProviderServer returns a mock csi-provider grpc server
+func NewCSIProviderServer(version, socketPath string, auth auth.Auth) *CSIProviderServer {
+ server := grpc.NewServer()
+ s := &CSIProviderServer{
+ version: version,
+ grpcServer: server,
+ socketPath: socketPath,
+ auth: auth,
+ validator: config.NewValidator(),
+ }
+ v1alpha1.RegisterCSIDriverProviderServer(server, s)
+ return s
+}
+
+func (m *CSIProviderServer) Start() error {
+ var err error
+ m.listener, err = net.Listen("unix", m.socketPath)
+ if err != nil {
+ return err
+ }
+ go func() {
+ if err = m.grpcServer.Serve(m.listener); err != nil {
+ return
+ }
+ }()
+ return nil
+}
+
+func (m *CSIProviderServer) Stop() {
+ m.grpcServer.GracefulStop()
+}
+
+// Mount implements provider csi-provider method
+func (s *CSIProviderServer) Mount(ctx context.Context, req *v1alpha1.MountRequest) (*v1alpha1.MountResponse, error) {
+ mountResponse := &v1alpha1.MountResponse{
+ Error: &v1alpha1.Error{},
+ }
+
+ slog.Info("mount", "request", req)
+
+ // parse request
+ mountConfig := config.NewMountConfig(*s.validator)
+ var secret map[string]string
+ var filePermission os.FileMode
+ attributesDecoder := json.NewDecoder(strings.NewReader(req.GetAttributes()))
+ attributesDecoder.DisallowUnknownFields()
+ if err := attributesDecoder.Decode(&mountConfig); err != nil {
+ mountResponse.Error.Code = ErrorInvalidSecretProviderClass
+ return mountResponse, fmt.Errorf("failed to unmarshal parameters, error: %w", err)
+ }
+ if err := mountConfig.Validate(); err != nil {
+ mountResponse.Error.Code = ErrorInvalidSecretProviderClass
+ return mountResponse, fmt.Errorf("failed to validate parameters, error: %w", err)
+ }
+ if err := json.Unmarshal([]byte(req.GetSecrets()), &secret); err != nil {
+ return nil, fmt.Errorf("failed to unmarshal secrets, error: %w", err)
+ }
+ if err := json.Unmarshal([]byte(req.GetPermission()), &filePermission); err != nil {
+ return nil, fmt.Errorf("failed to unmarshal file permission, error: %w", err)
+ }
+ objects, err := mountConfig.Objects()
+ if err != nil {
+ mountResponse.Error.Code = ErrorInvalidSecretProviderClass
+ return mountResponse, fmt.Errorf("failed to get objects, error: %w", err)
+ }
+ if mountConfig.RawObjects != nil && len(objects) == 0 {
+ mountResponse.ObjectVersion = []*v1alpha1.ObjectVersion{
+ {
+ Id: "NO_SECRETS",
+ Version: "0",
+ },
+ }
+ return mountResponse, nil
+ }
+ // get credentials
+ kubeSecret := types.NamespacedName{
+ Namespace: mountConfig.AuthSecretNamespace,
+ Name: mountConfig.AuthSecretName,
+ }
+ credentials, err := s.auth.TokenFromKubeSecret(ctx, kubeSecret)
+ if err != nil {
+ mountResponse.Error.Code = ErrorBadRequest
+ return mountResponse, fmt.Errorf("failed to get credentials, error: %w", err)
+ }
+ configuration := esc.NewConfiguration()
+ configuration.UserAgent = "external-secrets-operator"
+ configuration.Servers = esc.ServerConfigurations{
+ esc.ServerConfiguration{
+ URL: mountConfig.APIURL,
+ },
+ }
+ authCtx := esc.NewAuthContext(credentials.Pat)
+ escClient := esc.NewClient(configuration)
+ env, err := escClient.OpenEnvironment(authCtx, mountConfig.Organization, mountConfig.Project, mountConfig.Environment)
+ if err != nil {
+ return nil, err
+ }
+
+ // store secrets
+ var objectVersions []*v1alpha1.ObjectVersion
+ var files []*v1alpha1.File
+
+ fmt.Println("objects")
+ fmt.Println(objects)
+ fmt.Println("-----------------")
+ for _, object := range objects {
+ fmt.Println("inside ..-.---")
+ fmt.Println(object)
+
+ _, values, err := escClient.OpenAndReadEnvironment(authCtx, mountConfig.Organization, mountConfig.Project, mountConfig.Environment)
+ if err != nil {
+ log.Fatalf("Failed to open and read environment: %v", err)
+ }
+ if err != nil {
+ mountResponse.Error.Code = ErrorBadRequest
+ return mountResponse, fmt.Errorf("failed to list secrets, error: %w", err)
+ }
+
+ objectVersions = append(objectVersions, &v1alpha1.ObjectVersion{
+ Id: object.Name,
+ Version: fmt.Sprint(env.GetId()),
+ })
+
+ jsonData, err := json.Marshal(values[object.Name])
+ if err != nil {
+ return nil, err
+ }
+ fmt.Println(string(jsonData))
+
+ files = append(files, &v1alpha1.File{
+ Path: func() string {
+ if object.Alias != "" {
+ return object.Alias
+ } else {
+ return object.Name
+ }
+ }(),
+ Mode: int32(filePermission),
+ Contents: jsonData,
+ })
+ }
+
+ mountResponse.ObjectVersion = objectVersions
+ mountResponse.Files = files
+
+ return mountResponse, nil
+}
+
+func GetMapFromInterface(i interface{}) (map[string][]byte, error) {
+ // Assert the interface{} to map[string]interface{}
+ m, ok := i.(map[string]interface{})
+ if !ok {
+ return nil, errors.New(ErrorInterfaceType)
+ }
+
+ // Create a new map to hold the result
+ result := make(map[string][]byte)
+
+ // Iterate over the map and convert each value to []byte
+ for key, value := range m {
+ result[key], _ = GetByteValue(value)
+ }
+
+ return result, nil
+}
+
+func GetByteValue(v any) ([]byte, error) {
+ switch t := v.(type) {
+ case string:
+ return []byte(t), nil
+ case map[string]any:
+ return json.Marshal(t)
+ case []string:
+ return []byte(strings.Join(t, "\n")), nil
+ case json.RawMessage:
+ return t, nil
+ case []byte:
+ return t, nil
+ // also covers int and float32 due to json.Marshal
+ case float64:
+ return []byte(strconv.FormatFloat(t, 'f', -1, 64)), nil
+ case json.Number:
+ return []byte(t.String()), nil
+ case []any:
+ return json.Marshal(t)
+ case bool:
+ return []byte(strconv.FormatBool(t)), nil
+ case nil:
+ return []byte(nil), nil
+ default:
+ return nil, fmt.Errorf("%w: %T", errors.New(ErrSecretType), t)
+ }
+}
+
+// Version implements provider csi-provider method
+func (m *CSIProviderServer) Version(ctx context.Context, req *v1alpha1.VersionRequest) (*v1alpha1.VersionResponse, error) {
+ return &v1alpha1.VersionResponse{
+ Version: "v1alpha1",
+ RuntimeName: "secrets-store-csi-driver-provider-pulumi-esc",
+ RuntimeVersion: m.version,
+ }, nil
+}
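Review bot: `log.Fatalf` inside the object loop of `Mount` exits the whole provider process when `OpenAndReadEnvironment` fails, so a single bad SecretProviderClass or a transient API error takes every mount on the node down, and the `if err != nil` immediately after it is unreachable; the error belongs in the gRPC response like the other failures in this function. The same loop prints each mounted secret with `fmt.Println(string(jsonData))`, and `slog.Info("mount", "request", req)` at the top of `Mount` logs the whole request including its `Secrets` field; both write secret material into the container log and should be removed along with the other `fmt.Println` debug output. `OpenAndReadEnvironment` is also called once per object although its arguments do not depend on `object`, and a key absent from `values` marshals to `null` and is mounted silently, so the lookup should check `ok` and fail the mount. Separately, `secret` (decoded from `req.GetSecrets()`) is never read, while the token is fetched from whatever `authSecretNamespace`/`authSecretName` the SecretProviderClass parameters name; if the provider's service account can read secrets across namespaces, a workload can point its mount at another namespace's secret, so the namespace should be constrained (for example to `mountConfig.CSIPodNamespace`) or the driver-delivered `secret` map used instead. The rewrite below hoists the environment read, drops the debug output and the `log.Fatalf`, and rejects missing keys; whether plain string values should be written quoted by `json.Marshal` or raw via the otherwise unused `GetByteValue` is a separate question worth settling.
```go
	env, err := escClient.OpenEnvironment(authCtx, mountConfig.Organization, mountConfig.Project, mountConfig.Environment)
	// … unchanged: OpenEnvironment error handling …
	// Read the environment once; the values do not depend on which object is being mounted.
	_, values, err := escClient.OpenAndReadEnvironment(authCtx, mountConfig.Organization, mountConfig.Project, mountConfig.Environment)
	if err != nil {
		mountResponse.Error.Code = ErrorBadRequest
		return mountResponse, fmt.Errorf("failed to list secrets, error: %w", err)
	}

	// store secrets
	var objectVersions []*v1alpha1.ObjectVersion
	var files []*v1alpha1.File
	for _, object := range objects {
		value, ok := values[object.Name]
		if !ok {
			mountResponse.Error.Code = ErrorBadRequest
			return mountResponse, fmt.Errorf("failed to get value for key %s: not present in environment", object.Name)
		}
		// jsonData is the secret being mounted: never log it.
		jsonData, err := json.Marshal(value)
		if err != nil {
			return nil, err
		}
		path := object.Name
		if object.Alias != "" {
			path = object.Alias
		}
		objectVersions = append(objectVersions, &v1alpha1.ObjectVersion{
			Id:      object.Name,
			Version: fmt.Sprint(env.GetId()),
		})
		files = append(files, &v1alpha1.File{
			Path:     path,
			Mode:     int32(filePermission),
			Contents: jsonData,
		})
	}
	// … unchanged: response assembly …
```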