holos --version prints only the version to stdout

Without this patch holos --version printed to os.Stderr and used the
default cobra template.  This is incompatible with our use of `git tag
v$(./bin/holos --version)`.

.github/workflows/lint.yaml

@@ -0,0 +1,27 @@
+# https://github.com/golangci/golangci-lint-action?tab=readme-ov-file#how-to-use
+name: Lint
+on:
+  push:
+    branches:
+      - main
+      - test
+  pull_request:
+    types: [opened, synchronize]
+
+permissions:
+  contents: read
+
+jobs:
+  golangci:
+    name: lint
+    runs-on: [self-hosted, k8s]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version: stable
+          cache: false
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v3
+        with:
+          version: latest

.github/workflows/test.yaml

@@ -0,0 +1,27 @@
+name: Unit Tests
+
+on:
+  push:
+    branches:
+      - main
+      - test
+  pull_request:
+    types: [opened, synchronize]
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    runs-on: [self-hosted, k8s]
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: stable
+
+      - name: Test
+        run: ./scripts/test

Makefile

@@ -71,11 +71,14 @@ clean: ## Clean executables.
 
 .PHONY: test
 test: ## Run tests.
-	go test ./...
+	scripts/test
+
+.PHONY: lint
+lint: ## Run linters.
+	golangci-lint run
 
 .PHONY: coverage
-coverage:  ## Test coverage profile.
-	go test -coverprofile=coverage.out ./...
+coverage: test  ## Test coverage profile.
 	go tool cover   -html=coverage.out
 
 .PHONY: snapshot

cmd/holos/main.go

@@ -1,10 +1,28 @@
 package main
 
 import (
-  "fmt"
-  "github.com/holos-run/holos/pkg/version"
+	"context"
+	"errors"
+	"github.com/holos-run/holos/pkg/cli"
+	"github.com/holos-run/holos/pkg/config"
+	"github.com/holos-run/holos/pkg/wrapper"
+	"log/slog"
+	"os"
 )
 
 func main() {
-	fmt.Println(version.Version)
+	cfg := config.New()
+	slog.SetDefault(cfg.Logger())
+	ctx := context.Background()
+	if err := cli.New(cfg).ExecuteContext(ctx); err != nil {
+		log := cfg.NewTopLevelLogger()
+		var errAt *wrapper.ErrorAt
+		const msg = "could not execute"
+		if ok := errors.As(err, &errAt); ok {
+			log.ErrorContext(ctx, msg, "err", errAt.Unwrap(), "loc", errAt.Source.Loc())
+		} else {
+			log.ErrorContext(ctx, msg, "err", err)
+		}
+		os.Exit(1)
+	}
 }

docs/examples/cue.mod/gen/k8s.io/api/apps/v1/register_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/apps/v1
+
+package v1
+
+#GroupName: "apps"

docs/examples/cue.mod/gen/k8s.io/api/apps/v1/types_go_gen.cue

@@ -0,0 +1,946 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/apps/v1
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+#ControllerRevisionHashLabelKey: "controller-revision-hash"
+#StatefulSetRevisionLabel:       "controller-revision-hash"
+#DeprecatedRollbackTo:           "deprecated.deployment.rollback.to"
+#DeprecatedTemplateGeneration:   "deprecated.daemonset.template.generation"
+#StatefulSetPodNameLabel:        "statefulset.kubernetes.io/pod-name"
+#PodIndexLabel:                  "apps.kubernetes.io/pod-index"
+
+// StatefulSet represents a set of pods with consistent identities.
+// Identities are defined as:
+//   - Network: A single stable DNS and hostname.
+//   - Storage: As many VolumeClaims as requested.
+//
+// The StatefulSet guarantees that a given network identity will always
+// map to the same storage identity.
+#StatefulSet: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Spec defines the desired identities of pods in this set.
+	// +optional
+	spec?: #StatefulSetSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// Status is the current status of Pods in this StatefulSet. This data
+	// may be out of date by some window of time.
+	// +optional
+	status?: #StatefulSetStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// PodManagementPolicyType defines the policy for creating pods under a stateful set.
+// +enum
+#PodManagementPolicyType: string // #enumPodManagementPolicyType
+
+#enumPodManagementPolicyType:
+	#OrderedReadyPodManagement |
+	#ParallelPodManagement
+
+// OrderedReadyPodManagement will create pods in strictly increasing order on
+// scale up and strictly decreasing order on scale down, progressing only when
+// the previous pod is ready or terminated. At most one pod will be changed
+// at any time.
+#OrderedReadyPodManagement: #PodManagementPolicyType & "OrderedReady"
+
+// ParallelPodManagement will create and delete pods as soon as the stateful set
+// replica count is changed, and will not wait for pods to be ready or complete
+// termination.
+#ParallelPodManagement: #PodManagementPolicyType & "Parallel"
+
+// StatefulSetUpdateStrategy indicates the strategy that the StatefulSet
+// controller will use to perform updates. It includes any additional parameters
+// necessary to perform the update for the indicated strategy.
+#StatefulSetUpdateStrategy: {
+	// Type indicates the type of the StatefulSetUpdateStrategy.
+	// Default is RollingUpdate.
+	// +optional
+	type?: #StatefulSetUpdateStrategyType @go(Type) @protobuf(1,bytes,opt,casttype=StatefulSetStrategyType)
+
+	// RollingUpdate is used to communicate parameters when Type is RollingUpdateStatefulSetStrategyType.
+	// +optional
+	rollingUpdate?: null | #RollingUpdateStatefulSetStrategy @go(RollingUpdate,*RollingUpdateStatefulSetStrategy) @protobuf(2,bytes,opt)
+}
+
+// StatefulSetUpdateStrategyType is a string enumeration type that enumerates
+// all possible update strategies for the StatefulSet controller.
+// +enum
+#StatefulSetUpdateStrategyType: string // #enumStatefulSetUpdateStrategyType
+
+#enumStatefulSetUpdateStrategyType:
+	#RollingUpdateStatefulSetStrategyType |
+	#OnDeleteStatefulSetStrategyType
+
+// RollingUpdateStatefulSetStrategyType indicates that update will be
+// applied to all Pods in the StatefulSet with respect to the StatefulSet
+// ordering constraints. When a scale operation is performed with this
+// strategy, new Pods will be created from the specification version indicated
+// by the StatefulSet's updateRevision.
+#RollingUpdateStatefulSetStrategyType: #StatefulSetUpdateStrategyType & "RollingUpdate"
+
+// OnDeleteStatefulSetStrategyType triggers the legacy behavior. Version
+// tracking and ordered rolling restarts are disabled. Pods are recreated
+// from the StatefulSetSpec when they are manually deleted. When a scale
+// operation is performed with this strategy,specification version indicated
+// by the StatefulSet's currentRevision.
+#OnDeleteStatefulSetStrategyType: #StatefulSetUpdateStrategyType & "OnDelete"
+
+// RollingUpdateStatefulSetStrategy is used to communicate parameter for RollingUpdateStatefulSetStrategyType.
+#RollingUpdateStatefulSetStrategy: {
+	// Partition indicates the ordinal at which the StatefulSet should be partitioned
+	// for updates. During a rolling update, all pods from ordinal Replicas-1 to
+	// Partition are updated. All pods from ordinal Partition-1 to 0 remain untouched.
+	// This is helpful in being able to do a canary based deployment. The default value is 0.
+	// +optional
+	partition?: null | int32 @go(Partition,*int32) @protobuf(1,varint,opt)
+
+	// The maximum number of pods that can be unavailable during the update.
+	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+	// Absolute number is calculated from percentage by rounding up. This can not be 0.
+	// Defaults to 1. This field is alpha-level and is only honored by servers that enable the
+	// MaxUnavailableStatefulSet feature. The field applies to all pods in the range 0 to
+	// Replicas-1. That means if there is any unavailable pod in the range 0 to Replicas-1, it
+	// will be counted towards MaxUnavailable.
+	// +optional
+	maxUnavailable?: null | intstr.#IntOrString @go(MaxUnavailable,*intstr.IntOrString) @protobuf(2,varint,opt)
+}
+
+// PersistentVolumeClaimRetentionPolicyType is a string enumeration of the policies that will determine
+// when volumes from the VolumeClaimTemplates will be deleted when the controlling StatefulSet is
+// deleted or scaled down.
+#PersistentVolumeClaimRetentionPolicyType: string // #enumPersistentVolumeClaimRetentionPolicyType
+
+#enumPersistentVolumeClaimRetentionPolicyType:
+	#RetainPersistentVolumeClaimRetentionPolicyType |
+	#DeletePersistentVolumeClaimRetentionPolicyType
+
+// RetainPersistentVolumeClaimRetentionPolicyType is the default
+// PersistentVolumeClaimRetentionPolicy and specifies that
+// PersistentVolumeClaims associated with StatefulSet VolumeClaimTemplates
+// will not be deleted.
+#RetainPersistentVolumeClaimRetentionPolicyType: #PersistentVolumeClaimRetentionPolicyType & "Retain"
+
+// RetentionPersistentVolumeClaimRetentionPolicyType specifies that
+// PersistentVolumeClaims associated with StatefulSet VolumeClaimTemplates
+// will be deleted in the scenario specified in
+// StatefulSetPersistentVolumeClaimRetentionPolicy.
+#DeletePersistentVolumeClaimRetentionPolicyType: #PersistentVolumeClaimRetentionPolicyType & "Delete"
+
+// StatefulSetPersistentVolumeClaimRetentionPolicy describes the policy used for PVCs
+// created from the StatefulSet VolumeClaimTemplates.
+#StatefulSetPersistentVolumeClaimRetentionPolicy: {
+	// WhenDeleted specifies what happens to PVCs created from StatefulSet
+	// VolumeClaimTemplates when the StatefulSet is deleted. The default policy
+	// of `Retain` causes PVCs to not be affected by StatefulSet deletion. The
+	// `Delete` policy causes those PVCs to be deleted.
+	whenDeleted?: #PersistentVolumeClaimRetentionPolicyType @go(WhenDeleted) @protobuf(1,bytes,opt,casttype=PersistentVolumeClaimRetentionPolicyType)
+
+	// WhenScaled specifies what happens to PVCs created from StatefulSet
+	// VolumeClaimTemplates when the StatefulSet is scaled down. The default
+	// policy of `Retain` causes PVCs to not be affected by a scaledown. The
+	// `Delete` policy causes the associated PVCs for any excess pods above
+	// the replica count to be deleted.
+	whenScaled?: #PersistentVolumeClaimRetentionPolicyType @go(WhenScaled) @protobuf(2,bytes,opt,casttype=PersistentVolumeClaimRetentionPolicyType)
+}
+
+// StatefulSetOrdinals describes the policy used for replica ordinal assignment
+// in this StatefulSet.
+#StatefulSetOrdinals: {
+	// start is the number representing the first replica's index. It may be used
+	// to number replicas from an alternate index (eg: 1-indexed) over the default
+	// 0-indexed names, or to orchestrate progressive movement of replicas from
+	// one StatefulSet to another.
+	// If set, replica indices will be in the range:
+	//   [.spec.ordinals.start, .spec.ordinals.start + .spec.replicas).
+	// If unset, defaults to 0. Replica indices will be in the range:
+	//   [0, .spec.replicas).
+	// +optional
+	start?: int32 @go(Start) @protobuf(1,varint,opt)
+}
+
+// A StatefulSetSpec is the specification of a StatefulSet.
+#StatefulSetSpec: {
+	// replicas is the desired number of replicas of the given Template.
+	// These are replicas in the sense that they are instantiations of the
+	// same Template, but individual replicas also have a consistent identity.
+	// If unspecified, defaults to 1.
+	// TODO: Consider a rename of this field.
+	// +optional
+	replicas?: null | int32 @go(Replicas,*int32) @protobuf(1,varint,opt)
+
+	// selector is a label query over pods that should match the replica count.
+	// It must match the pod template's labels.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+	selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(2,bytes,opt)
+
+	// template is the object that describes the pod that will be created if
+	// insufficient replicas are detected. Each pod stamped out by the StatefulSet
+	// will fulfill this Template, but have a unique identity from the rest
+	// of the StatefulSet. Each pod will be named with the format
+	// <statefulsetname>-<podindex>. For example, a pod in a StatefulSet named
+	// "web" with index number "3" would be named "web-3".
+	// The only allowed template.spec.restartPolicy value is "Always".
+	template: v1.#PodTemplateSpec @go(Template) @protobuf(3,bytes,opt)
+
+	// volumeClaimTemplates is a list of claims that pods are allowed to reference.
+	// The StatefulSet controller is responsible for mapping network identities to
+	// claims in a way that maintains the identity of a pod. Every claim in
+	// this list must have at least one matching (by name) volumeMount in one
+	// container in the template. A claim in this list takes precedence over
+	// any volumes in the template, with the same name.
+	// TODO: Define the behavior if a claim already exists with the same name.
+	// +optional
+	volumeClaimTemplates?: [...v1.#PersistentVolumeClaim] @go(VolumeClaimTemplates,[]v1.PersistentVolumeClaim) @protobuf(4,bytes,rep)
+
+	// serviceName is the name of the service that governs this StatefulSet.
+	// This service must exist before the StatefulSet, and is responsible for
+	// the network identity of the set. Pods get DNS/hostnames that follow the
+	// pattern: pod-specific-string.serviceName.default.svc.cluster.local
+	// where "pod-specific-string" is managed by the StatefulSet controller.
+	serviceName: string @go(ServiceName) @protobuf(5,bytes,opt)
+
+	// podManagementPolicy controls how pods are created during initial scale up,
+	// when replacing pods on nodes, or when scaling down. The default policy is
+	// `OrderedReady`, where pods are created in increasing order (pod-0, then
+	// pod-1, etc) and the controller will wait until each pod is ready before
+	// continuing. When scaling down, the pods are removed in the opposite order.
+	// The alternative policy is `Parallel` which will create pods in parallel
+	// to match the desired scale without waiting, and on scale down will delete
+	// all pods at once.
+	// +optional
+	podManagementPolicy?: #PodManagementPolicyType @go(PodManagementPolicy) @protobuf(6,bytes,opt,casttype=PodManagementPolicyType)
+
+	// updateStrategy indicates the StatefulSetUpdateStrategy that will be
+	// employed to update Pods in the StatefulSet when a revision is made to
+	// Template.
+	updateStrategy?: #StatefulSetUpdateStrategy @go(UpdateStrategy) @protobuf(7,bytes,opt)
+
+	// revisionHistoryLimit is the maximum number of revisions that will
+	// be maintained in the StatefulSet's revision history. The revision history
+	// consists of all revisions not represented by a currently applied
+	// StatefulSetSpec version. The default value is 10.
+	revisionHistoryLimit?: null | int32 @go(RevisionHistoryLimit,*int32) @protobuf(8,varint,opt)
+
+	// Minimum number of seconds for which a newly created pod should be ready
+	// without any of its container crashing for it to be considered available.
+	// Defaults to 0 (pod will be considered available as soon as it is ready)
+	// +optional
+	minReadySeconds?: int32 @go(MinReadySeconds) @protobuf(9,varint,opt)
+
+	// persistentVolumeClaimRetentionPolicy describes the lifecycle of persistent
+	// volume claims created from volumeClaimTemplates. By default, all persistent
+	// volume claims are created as needed and retained until manually deleted. This
+	// policy allows the lifecycle to be altered, for example by deleting persistent
+	// volume claims when their stateful set is deleted, or when their pod is scaled
+	// down. This requires the StatefulSetAutoDeletePVC feature gate to be enabled,
+	// which is alpha.  +optional
+	persistentVolumeClaimRetentionPolicy?: null | #StatefulSetPersistentVolumeClaimRetentionPolicy @go(PersistentVolumeClaimRetentionPolicy,*StatefulSetPersistentVolumeClaimRetentionPolicy) @protobuf(10,bytes,opt)
+
+	// ordinals controls the numbering of replica indices in a StatefulSet. The
+	// default ordinals behavior assigns a "0" index to the first replica and
+	// increments the index by one for each additional replica requested. Using
+	// the ordinals field requires the StatefulSetStartOrdinal feature gate to be
+	// enabled, which is beta.
+	// +optional
+	ordinals?: null | #StatefulSetOrdinals @go(Ordinals,*StatefulSetOrdinals) @protobuf(11,bytes,opt)
+}
+
+// StatefulSetStatus represents the current state of a StatefulSet.
+#StatefulSetStatus: {
+	// observedGeneration is the most recent generation observed for this StatefulSet. It corresponds to the
+	// StatefulSet's generation, which is updated on mutation by the API Server.
+	// +optional
+	observedGeneration?: int64 @go(ObservedGeneration) @protobuf(1,varint,opt)
+
+	// replicas is the number of Pods created by the StatefulSet controller.
+	replicas: int32 @go(Replicas) @protobuf(2,varint,opt)
+
+	// readyReplicas is the number of pods created for this StatefulSet with a Ready Condition.
+	readyReplicas?: int32 @go(ReadyReplicas) @protobuf(3,varint,opt)
+
+	// currentReplicas is the number of Pods created by the StatefulSet controller from the StatefulSet version
+	// indicated by currentRevision.
+	currentReplicas?: int32 @go(CurrentReplicas) @protobuf(4,varint,opt)
+
+	// updatedReplicas is the number of Pods created by the StatefulSet controller from the StatefulSet version
+	// indicated by updateRevision.
+	updatedReplicas?: int32 @go(UpdatedReplicas) @protobuf(5,varint,opt)
+
+	// currentRevision, if not empty, indicates the version of the StatefulSet used to generate Pods in the
+	// sequence [0,currentReplicas).
+	currentRevision?: string @go(CurrentRevision) @protobuf(6,bytes,opt)
+
+	// updateRevision, if not empty, indicates the version of the StatefulSet used to generate Pods in the sequence
+	// [replicas-updatedReplicas,replicas)
+	updateRevision?: string @go(UpdateRevision) @protobuf(7,bytes,opt)
+
+	// collisionCount is the count of hash collisions for the StatefulSet. The StatefulSet controller
+	// uses this field as a collision avoidance mechanism when it needs to create the name for the
+	// newest ControllerRevision.
+	// +optional
+	collisionCount?: null | int32 @go(CollisionCount,*int32) @protobuf(9,varint,opt)
+
+	// Represents the latest available observations of a statefulset's current state.
+	// +optional
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	conditions?: [...#StatefulSetCondition] @go(Conditions,[]StatefulSetCondition) @protobuf(10,bytes,rep)
+
+	// Total number of available pods (ready for at least minReadySeconds) targeted by this statefulset.
+	// +optional
+	availableReplicas?: int32 @go(AvailableReplicas) @protobuf(11,varint,opt)
+}
+
+#StatefulSetConditionType: string
+
+// StatefulSetCondition describes the state of a statefulset at a certain point.
+#StatefulSetCondition: {
+	// Type of statefulset condition.
+	type: #StatefulSetConditionType @go(Type) @protobuf(1,bytes,opt,casttype=StatefulSetConditionType)
+
+	// Status of the condition, one of True, False, Unknown.
+	status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus)
+
+	// Last time the condition transitioned from one status to another.
+	// +optional
+	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt)
+
+	// The reason for the condition's last transition.
+	// +optional
+	reason?: string @go(Reason) @protobuf(4,bytes,opt)
+
+	// A human readable message indicating details about the transition.
+	// +optional
+	message?: string @go(Message) @protobuf(5,bytes,opt)
+}
+
+// StatefulSetList is a collection of StatefulSets.
+#StatefulSetList: {
+	metav1.#TypeMeta
+
+	// Standard list's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// Items is the list of stateful sets.
+	items: [...#StatefulSet] @go(Items,[]StatefulSet) @protobuf(2,bytes,rep)
+}
+
+// Deployment enables declarative updates for Pods and ReplicaSets.
+#Deployment: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Specification of the desired behavior of the Deployment.
+	// +optional
+	spec?: #DeploymentSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// Most recently observed status of the Deployment.
+	// +optional
+	status?: #DeploymentStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// DeploymentSpec is the specification of the desired behavior of the Deployment.
+#DeploymentSpec: {
+	// Number of desired pods. This is a pointer to distinguish between explicit
+	// zero and not specified. Defaults to 1.
+	// +optional
+	replicas?: null | int32 @go(Replicas,*int32) @protobuf(1,varint,opt)
+
+	// Label selector for pods. Existing ReplicaSets whose pods are
+	// selected by this will be the ones affected by this deployment.
+	// It must match the pod template's labels.
+	selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(2,bytes,opt)
+
+	// Template describes the pods that will be created.
+	// The only allowed template.spec.restartPolicy value is "Always".
+	template: v1.#PodTemplateSpec @go(Template) @protobuf(3,bytes,opt)
+
+	// The deployment strategy to use to replace existing pods with new ones.
+	// +optional
+	// +patchStrategy=retainKeys
+	strategy?: #DeploymentStrategy @go(Strategy) @protobuf(4,bytes,opt)
+
+	// Minimum number of seconds for which a newly created pod should be ready
+	// without any of its container crashing, for it to be considered available.
+	// Defaults to 0 (pod will be considered available as soon as it is ready)
+	// +optional
+	minReadySeconds?: int32 @go(MinReadySeconds) @protobuf(5,varint,opt)
+
+	// The number of old ReplicaSets to retain to allow rollback.
+	// This is a pointer to distinguish between explicit zero and not specified.
+	// Defaults to 10.
+	// +optional
+	revisionHistoryLimit?: null | int32 @go(RevisionHistoryLimit,*int32) @protobuf(6,varint,opt)
+
+	// Indicates that the deployment is paused.
+	// +optional
+	paused?: bool @go(Paused) @protobuf(7,varint,opt)
+
+	// The maximum time in seconds for a deployment to make progress before it
+	// is considered to be failed. The deployment controller will continue to
+	// process failed deployments and a condition with a ProgressDeadlineExceeded
+	// reason will be surfaced in the deployment status. Note that progress will
+	// not be estimated during the time a deployment is paused. Defaults to 600s.
+	progressDeadlineSeconds?: null | int32 @go(ProgressDeadlineSeconds,*int32) @protobuf(9,varint,opt)
+}
+
+// DefaultDeploymentUniqueLabelKey is the default key of the selector that is added
+// to existing ReplicaSets (and label key that is added to its pods) to prevent the existing ReplicaSets
+// to select new pods (and old pods being select by new ReplicaSet).
+#DefaultDeploymentUniqueLabelKey: "pod-template-hash"
+
+// DeploymentStrategy describes how to replace existing pods with new ones.
+#DeploymentStrategy: {
+	// Type of deployment. Can be "Recreate" or "RollingUpdate". Default is RollingUpdate.
+	// +optional
+	type?: #DeploymentStrategyType @go(Type) @protobuf(1,bytes,opt,casttype=DeploymentStrategyType)
+
+	// Rolling update config params. Present only if DeploymentStrategyType =
+	// RollingUpdate.
+	//---
+	// TODO: Update this to follow our convention for oneOf, whatever we decide it
+	// to be.
+	// +optional
+	rollingUpdate?: null | #RollingUpdateDeployment @go(RollingUpdate,*RollingUpdateDeployment) @protobuf(2,bytes,opt)
+}
+
+// +enum
+#DeploymentStrategyType: string // #enumDeploymentStrategyType
+
+#enumDeploymentStrategyType:
+	#RecreateDeploymentStrategyType |
+	#RollingUpdateDeploymentStrategyType
+
+// Kill all existing pods before creating new ones.
+#RecreateDeploymentStrategyType: #DeploymentStrategyType & "Recreate"
+
+// Replace the old ReplicaSets by new one using rolling update i.e gradually scale down the old ReplicaSets and scale up the new one.
+#RollingUpdateDeploymentStrategyType: #DeploymentStrategyType & "RollingUpdate"
+
+// Spec to control the desired behavior of rolling update.
+#RollingUpdateDeployment: {
+	// The maximum number of pods that can be unavailable during the update.
+	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+	// Absolute number is calculated from percentage by rounding down.
+	// This can not be 0 if MaxSurge is 0.
+	// Defaults to 25%.
+	// Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods
+	// immediately when the rolling update starts. Once new pods are ready, old ReplicaSet
+	// can be scaled down further, followed by scaling up the new ReplicaSet, ensuring
+	// that the total number of pods available at all times during the update is at
+	// least 70% of desired pods.
+	// +optional
+	maxUnavailable?: null | intstr.#IntOrString @go(MaxUnavailable,*intstr.IntOrString) @protobuf(1,bytes,opt)
+
+	// The maximum number of pods that can be scheduled above the desired number of
+	// pods.
+	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+	// This can not be 0 if MaxUnavailable is 0.
+	// Absolute number is calculated from percentage by rounding up.
+	// Defaults to 25%.
+	// Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when
+	// the rolling update starts, such that the total number of old and new pods do not exceed
+	// 130% of desired pods. Once old pods have been killed,
+	// new ReplicaSet can be scaled up further, ensuring that total number of pods running
+	// at any time during the update is at most 130% of desired pods.
+	// +optional
+	maxSurge?: null | intstr.#IntOrString @go(MaxSurge,*intstr.IntOrString) @protobuf(2,bytes,opt)
+}
+
+// DeploymentStatus is the most recently observed status of the Deployment.
+#DeploymentStatus: {
+	// The generation observed by the deployment controller.
+	// +optional
+	observedGeneration?: int64 @go(ObservedGeneration) @protobuf(1,varint,opt)
+
+	// Total number of non-terminated pods targeted by this deployment (their labels match the selector).
+	// +optional
+	replicas?: int32 @go(Replicas) @protobuf(2,varint,opt)
+
+	// Total number of non-terminated pods targeted by this deployment that have the desired template spec.
+	// +optional
+	updatedReplicas?: int32 @go(UpdatedReplicas) @protobuf(3,varint,opt)
+
+	// readyReplicas is the number of pods targeted by this Deployment with a Ready Condition.
+	// +optional
+	readyReplicas?: int32 @go(ReadyReplicas) @protobuf(7,varint,opt)
+
+	// Total number of available pods (ready for at least minReadySeconds) targeted by this deployment.
+	// +optional
+	availableReplicas?: int32 @go(AvailableReplicas) @protobuf(4,varint,opt)
+
+	// Total number of unavailable pods targeted by this deployment. This is the total number of
+	// pods that are still required for the deployment to have 100% available capacity. They may
+	// either be pods that are running but not yet available or pods that still have not been created.
+	// +optional
+	unavailableReplicas?: int32 @go(UnavailableReplicas) @protobuf(5,varint,opt)
+
+	// Represents the latest available observations of a deployment's current state.
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	conditions?: [...#DeploymentCondition] @go(Conditions,[]DeploymentCondition) @protobuf(6,bytes,rep)
+
+	// Count of hash collisions for the Deployment. The Deployment controller uses this
+	// field as a collision avoidance mechanism when it needs to create the name for the
+	// newest ReplicaSet.
+	// +optional
+	collisionCount?: null | int32 @go(CollisionCount,*int32) @protobuf(8,varint,opt)
+}
+
+#DeploymentConditionType: string // #enumDeploymentConditionType
+
+#enumDeploymentConditionType:
+	#DeploymentAvailable |
+	#DeploymentProgressing |
+	#DeploymentReplicaFailure
+
+// Available means the deployment is available, ie. at least the minimum available
+// replicas required are up and running for at least minReadySeconds.
+#DeploymentAvailable: #DeploymentConditionType & "Available"
+
+// Progressing means the deployment is progressing. Progress for a deployment is
+// considered when a new replica set is created or adopted, and when new pods scale
+// up or old pods scale down. Progress is not estimated for paused deployments or
+// when progressDeadlineSeconds is not specified.
+#DeploymentProgressing: #DeploymentConditionType & "Progressing"
+
+// ReplicaFailure is added in a deployment when one of its pods fails to be created
+// or deleted.
+#DeploymentReplicaFailure: #DeploymentConditionType & "ReplicaFailure"
+
+// DeploymentCondition describes the state of a deployment at a certain point.
+#DeploymentCondition: {
+	// Type of deployment condition.
+	type: #DeploymentConditionType @go(Type) @protobuf(1,bytes,opt,casttype=DeploymentConditionType)
+
+	// Status of the condition, one of True, False, Unknown.
+	status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus)
+
+	// The last time this condition was updated.
+	lastUpdateTime?: metav1.#Time @go(LastUpdateTime) @protobuf(6,bytes,opt)
+
+	// Last time the condition transitioned from one status to another.
+	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(7,bytes,opt)
+
+	// The reason for the condition's last transition.
+	reason?: string @go(Reason) @protobuf(4,bytes,opt)
+
+	// A human readable message indicating details about the transition.
+	message?: string @go(Message) @protobuf(5,bytes,opt)
+}
+
+// DeploymentList is a list of Deployments.
+#DeploymentList: {
+	metav1.#TypeMeta
+
+	// Standard list metadata.
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// Items is the list of Deployments.
+	items: [...#Deployment] @go(Items,[]Deployment) @protobuf(2,bytes,rep)
+}
+
+// DaemonSetUpdateStrategy is a struct used to control the update strategy for a DaemonSet.
+#DaemonSetUpdateStrategy: {
+	// Type of daemon set update. Can be "RollingUpdate" or "OnDelete". Default is RollingUpdate.
+	// +optional
+	type?: #DaemonSetUpdateStrategyType @go(Type) @protobuf(1,bytes,opt)
+
+	// Rolling update config params. Present only if type = "RollingUpdate".
+	//---
+	// TODO: Update this to follow our convention for oneOf, whatever we decide it
+	// to be. Same as Deployment `strategy.rollingUpdate`.
+	// See https://github.com/kubernetes/kubernetes/issues/35345
+	// +optional
+	rollingUpdate?: null | #RollingUpdateDaemonSet @go(RollingUpdate,*RollingUpdateDaemonSet) @protobuf(2,bytes,opt)
+}
+
+// +enum
+#DaemonSetUpdateStrategyType: string // #enumDaemonSetUpdateStrategyType
+
+#enumDaemonSetUpdateStrategyType:
+	#RollingUpdateDaemonSetStrategyType |
+	#OnDeleteDaemonSetStrategyType
+
+// Replace the old daemons by new ones using rolling update i.e replace them on each node one after the other.
+#RollingUpdateDaemonSetStrategyType: #DaemonSetUpdateStrategyType & "RollingUpdate"
+
+// Replace the old daemons only when it's killed
+#OnDeleteDaemonSetStrategyType: #DaemonSetUpdateStrategyType & "OnDelete"
+
+// Spec to control the desired behavior of daemon set rolling update.
+#RollingUpdateDaemonSet: {
+	// The maximum number of DaemonSet pods that can be unavailable during the
+	// update. Value can be an absolute number (ex: 5) or a percentage of total
+	// number of DaemonSet pods at the start of the update (ex: 10%). Absolute
+	// number is calculated from percentage by rounding up.
+	// This cannot be 0 if MaxSurge is 0
+	// Default value is 1.
+	// Example: when this is set to 30%, at most 30% of the total number of nodes
+	// that should be running the daemon pod (i.e. status.desiredNumberScheduled)
+	// can have their pods stopped for an update at any given time. The update
+	// starts by stopping at most 30% of those DaemonSet pods and then brings
+	// up new DaemonSet pods in their place. Once the new pods are available,
+	// it then proceeds onto other DaemonSet pods, thus ensuring that at least
+	// 70% of original number of DaemonSet pods are available at all times during
+	// the update.
+	// +optional
+	maxUnavailable?: null | intstr.#IntOrString @go(MaxUnavailable,*intstr.IntOrString) @protobuf(1,bytes,opt)
+
+	// The maximum number of nodes with an existing available DaemonSet pod that
+	// can have an updated DaemonSet pod during during an update.
+	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+	// This can not be 0 if MaxUnavailable is 0.
+	// Absolute number is calculated from percentage by rounding up to a minimum of 1.
+	// Default value is 0.
+	// Example: when this is set to 30%, at most 30% of the total number of nodes
+	// that should be running the daemon pod (i.e. status.desiredNumberScheduled)
+	// can have their a new pod created before the old pod is marked as deleted.
+	// The update starts by launching new pods on 30% of nodes. Once an updated
+	// pod is available (Ready for at least minReadySeconds) the old DaemonSet pod
+	// on that node is marked deleted. If the old pod becomes unavailable for any
+	// reason (Ready transitions to false, is evicted, or is drained) an updated
+	// pod is immediatedly created on that node without considering surge limits.
+	// Allowing surge implies the possibility that the resources consumed by the
+	// daemonset on any given node can double if the readiness check fails, and
+	// so resource intensive daemonsets should take into account that they may
+	// cause evictions during disruption.
+	// +optional
+	maxSurge?: null | intstr.#IntOrString @go(MaxSurge,*intstr.IntOrString) @protobuf(2,bytes,opt)
+}
+
+// DaemonSetSpec is the specification of a daemon set.
+#DaemonSetSpec: {
+	// A label query over pods that are managed by the daemon set.
+	// Must match in order to be controlled.
+	// It must match the pod template's labels.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+	selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(1,bytes,opt)
+
+	// An object that describes the pod that will be created.
+	// The DaemonSet will create exactly one copy of this pod on every node
+	// that matches the template's node selector (or on every node if no node
+	// selector is specified).
+	// The only allowed template.spec.restartPolicy value is "Always".
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template
+	template: v1.#PodTemplateSpec @go(Template) @protobuf(2,bytes,opt)
+
+	// An update strategy to replace existing DaemonSet pods with new pods.
+	// +optional
+	updateStrategy?: #DaemonSetUpdateStrategy @go(UpdateStrategy) @protobuf(3,bytes,opt)
+
+	// The minimum number of seconds for which a newly created DaemonSet pod should
+	// be ready without any of its container crashing, for it to be considered
+	// available. Defaults to 0 (pod will be considered available as soon as it
+	// is ready).
+	// +optional
+	minReadySeconds?: int32 @go(MinReadySeconds) @protobuf(4,varint,opt)
+
+	// The number of old history to retain to allow rollback.
+	// This is a pointer to distinguish between explicit zero and not specified.
+	// Defaults to 10.
+	// +optional
+	revisionHistoryLimit?: null | int32 @go(RevisionHistoryLimit,*int32) @protobuf(6,varint,opt)
+}
+
+// DaemonSetStatus represents the current status of a daemon set.
+#DaemonSetStatus: {
+	// The number of nodes that are running at least 1
+	// daemon pod and are supposed to run the daemon pod.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
+	currentNumberScheduled: int32 @go(CurrentNumberScheduled) @protobuf(1,varint,opt)
+
+	// The number of nodes that are running the daemon pod, but are
+	// not supposed to run the daemon pod.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
+	numberMisscheduled: int32 @go(NumberMisscheduled) @protobuf(2,varint,opt)
+
+	// The total number of nodes that should be running the daemon
+	// pod (including nodes correctly running the daemon pod).
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
+	desiredNumberScheduled: int32 @go(DesiredNumberScheduled) @protobuf(3,varint,opt)
+
+	// numberReady is the number of nodes that should be running the daemon pod and have one
+	// or more of the daemon pod running with a Ready Condition.
+	numberReady: int32 @go(NumberReady) @protobuf(4,varint,opt)
+
+	// The most recent generation observed by the daemon set controller.
+	// +optional
+	observedGeneration?: int64 @go(ObservedGeneration) @protobuf(5,varint,opt)
+
+	// The total number of nodes that are running updated daemon pod
+	// +optional
+	updatedNumberScheduled?: int32 @go(UpdatedNumberScheduled) @protobuf(6,varint,opt)
+
+	// The number of nodes that should be running the
+	// daemon pod and have one or more of the daemon pod running and
+	// available (ready for at least spec.minReadySeconds)
+	// +optional
+	numberAvailable?: int32 @go(NumberAvailable) @protobuf(7,varint,opt)
+
+	// The number of nodes that should be running the
+	// daemon pod and have none of the daemon pod running and available
+	// (ready for at least spec.minReadySeconds)
+	// +optional
+	numberUnavailable?: int32 @go(NumberUnavailable) @protobuf(8,varint,opt)
+
+	// Count of hash collisions for the DaemonSet. The DaemonSet controller
+	// uses this field as a collision avoidance mechanism when it needs to
+	// create the name for the newest ControllerRevision.
+	// +optional
+	collisionCount?: null | int32 @go(CollisionCount,*int32) @protobuf(9,varint,opt)
+
+	// Represents the latest available observations of a DaemonSet's current state.
+	// +optional
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	conditions?: [...#DaemonSetCondition] @go(Conditions,[]DaemonSetCondition) @protobuf(10,bytes,rep)
+}
+
+#DaemonSetConditionType: string
+
+// DaemonSetCondition describes the state of a DaemonSet at a certain point.
+#DaemonSetCondition: {
+	// Type of DaemonSet condition.
+	type: #DaemonSetConditionType @go(Type) @protobuf(1,bytes,opt,casttype=DaemonSetConditionType)
+
+	// Status of the condition, one of True, False, Unknown.
+	status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus)
+
+	// Last time the condition transitioned from one status to another.
+	// +optional
+	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt)
+
+	// The reason for the condition's last transition.
+	// +optional
+	reason?: string @go(Reason) @protobuf(4,bytes,opt)
+
+	// A human readable message indicating details about the transition.
+	// +optional
+	message?: string @go(Message) @protobuf(5,bytes,opt)
+}
+
+// DaemonSet represents the configuration of a daemon set.
+#DaemonSet: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// The desired behavior of this daemon set.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	// +optional
+	spec?: #DaemonSetSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// The current status of this daemon set. This data may be
+	// out of date by some window of time.
+	// Populated by the system.
+	// Read-only.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	// +optional
+	status?: #DaemonSetStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// DefaultDaemonSetUniqueLabelKey is the default label key that is added
+// to existing DaemonSet pods to distinguish between old and new
+// DaemonSet pods during DaemonSet template updates.
+#DefaultDaemonSetUniqueLabelKey: "controller-revision-hash"
+
+// DaemonSetList is a collection of daemon sets.
+#DaemonSetList: {
+	metav1.#TypeMeta
+
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// A list of daemon sets.
+	items: [...#DaemonSet] @go(Items,[]DaemonSet) @protobuf(2,bytes,rep)
+}
+
+// ReplicaSet ensures that a specified number of pod replicas are running at any given time.
+#ReplicaSet: {
+	metav1.#TypeMeta
+
+	// If the Labels of a ReplicaSet are empty, they are defaulted to
+	// be the same as the Pod(s) that the ReplicaSet manages.
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Spec defines the specification of the desired behavior of the ReplicaSet.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	// +optional
+	spec?: #ReplicaSetSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// Status is the most recently observed status of the ReplicaSet.
+	// This data may be out of date by some window of time.
+	// Populated by the system.
+	// Read-only.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	// +optional
+	status?: #ReplicaSetStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// ReplicaSetList is a collection of ReplicaSets.
+#ReplicaSetList: {
+	metav1.#TypeMeta
+
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// List of ReplicaSets.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller
+	items: [...#ReplicaSet] @go(Items,[]ReplicaSet) @protobuf(2,bytes,rep)
+}
+
+// ReplicaSetSpec is the specification of a ReplicaSet.
+#ReplicaSetSpec: {
+	// Replicas is the number of desired replicas.
+	// This is a pointer to distinguish between explicit zero and unspecified.
+	// Defaults to 1.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/#what-is-a-replicationcontroller
+	// +optional
+	replicas?: null | int32 @go(Replicas,*int32) @protobuf(1,varint,opt)
+
+	// Minimum number of seconds for which a newly created pod should be ready
+	// without any of its container crashing, for it to be considered available.
+	// Defaults to 0 (pod will be considered available as soon as it is ready)
+	// +optional
+	minReadySeconds?: int32 @go(MinReadySeconds) @protobuf(4,varint,opt)
+
+	// Selector is a label query over pods that should match the replica count.
+	// Label keys and values that must match in order to be controlled by this replica set.
+	// It must match the pod template's labels.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+	selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(2,bytes,opt)
+
+	// Template is the object that describes the pod that will be created if
+	// insufficient replicas are detected.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template
+	// +optional
+	template?: v1.#PodTemplateSpec @go(Template) @protobuf(3,bytes,opt)
+}
+
+// ReplicaSetStatus represents the current status of a ReplicaSet.
+#ReplicaSetStatus: {
+	// Replicas is the most recently observed number of replicas.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/#what-is-a-replicationcontroller
+	replicas: int32 @go(Replicas) @protobuf(1,varint,opt)
+
+	// The number of pods that have labels matching the labels of the pod template of the replicaset.
+	// +optional
+	fullyLabeledReplicas?: int32 @go(FullyLabeledReplicas) @protobuf(2,varint,opt)
+
+	// readyReplicas is the number of pods targeted by this ReplicaSet with a Ready Condition.
+	// +optional
+	readyReplicas?: int32 @go(ReadyReplicas) @protobuf(4,varint,opt)
+
+	// The number of available replicas (ready for at least minReadySeconds) for this replica set.
+	// +optional
+	availableReplicas?: int32 @go(AvailableReplicas) @protobuf(5,varint,opt)
+
+	// ObservedGeneration reflects the generation of the most recently observed ReplicaSet.
+	// +optional
+	observedGeneration?: int64 @go(ObservedGeneration) @protobuf(3,varint,opt)
+
+	// Represents the latest available observations of a replica set's current state.
+	// +optional
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	conditions?: [...#ReplicaSetCondition] @go(Conditions,[]ReplicaSetCondition) @protobuf(6,bytes,rep)
+}
+
+#ReplicaSetConditionType: string // #enumReplicaSetConditionType
+
+#enumReplicaSetConditionType:
+	#ReplicaSetReplicaFailure
+
+// ReplicaSetReplicaFailure is added in a replica set when one of its pods fails to be created
+// due to insufficient quota, limit ranges, pod security policy, node selectors, etc. or deleted
+// due to kubelet being down or finalizers are failing.
+#ReplicaSetReplicaFailure: #ReplicaSetConditionType & "ReplicaFailure"
+
+// ReplicaSetCondition describes the state of a replica set at a certain point.
+#ReplicaSetCondition: {
+	// Type of replica set condition.
+	type: #ReplicaSetConditionType @go(Type) @protobuf(1,bytes,opt,casttype=ReplicaSetConditionType)
+
+	// Status of the condition, one of True, False, Unknown.
+	status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus)
+
+	// The last time the condition transitioned from one status to another.
+	// +optional
+	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt)
+
+	// The reason for the condition's last transition.
+	// +optional
+	reason?: string @go(Reason) @protobuf(4,bytes,opt)
+
+	// A human readable message indicating details about the transition.
+	// +optional
+	message?: string @go(Message) @protobuf(5,bytes,opt)
+}
+
+// ControllerRevision implements an immutable snapshot of state data. Clients
+// are responsible for serializing and deserializing the objects that contain
+// their internal state.
+// Once a ControllerRevision has been successfully created, it can not be updated.
+// The API Server will fail validation of all requests that attempt to mutate
+// the Data field. ControllerRevisions may, however, be deleted. Note that, due to its use by both
+// the DaemonSet and StatefulSet controllers for update and rollback, this object is beta. However,
+// it may be subject to name and representation changes in future releases, and clients should not
+// depend on its stability. It is primarily for internal use by controllers.
+#ControllerRevision: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Data is the serialized representation of the state.
+	data?: runtime.#RawExtension @go(Data) @protobuf(2,bytes,opt)
+
+	// Revision indicates the revision of the state represented by Data.
+	revision: int64 @go(Revision) @protobuf(3,varint,opt)
+}
+
+// ControllerRevisionList is a resource containing a list of ControllerRevision objects.
+#ControllerRevisionList: {
+	metav1.#TypeMeta
+
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// Items is the list of ControllerRevisions
+	items: [...#ControllerRevision] @go(Items,[]ControllerRevision) @protobuf(2,bytes,rep)
+}

docs/examples/cue.mod/gen/k8s.io/api/core/v1/annotation_key_constants_go_gen.cue

@@ -0,0 +1,147 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/core/v1
+
+package v1
+
+// ImagePolicyFailedOpenKey is added to pods created by failing open when the image policy
+// webhook backend fails.
+#ImagePolicyFailedOpenKey: "alpha.image-policy.k8s.io/failed-open"
+
+// MirrorAnnotationKey represents the annotation key set by kubelets when creating mirror pods
+#MirrorPodAnnotationKey: "kubernetes.io/config.mirror"
+
+// TolerationsAnnotationKey represents the key of tolerations data (json serialized)
+// in the Annotations of a Pod.
+#TolerationsAnnotationKey: "scheduler.alpha.kubernetes.io/tolerations"
+
+// TaintsAnnotationKey represents the key of taints data (json serialized)
+// in the Annotations of a Node.
+#TaintsAnnotationKey: "scheduler.alpha.kubernetes.io/taints"
+
+// SeccompPodAnnotationKey represents the key of a seccomp profile applied
+// to all containers of a pod.
+// Deprecated: set a pod security context `seccompProfile` field.
+#SeccompPodAnnotationKey: "seccomp.security.alpha.kubernetes.io/pod"
+
+// SeccompContainerAnnotationKeyPrefix represents the key of a seccomp profile applied
+// to one container of a pod.
+// Deprecated: set a container security context `seccompProfile` field.
+#SeccompContainerAnnotationKeyPrefix: "container.seccomp.security.alpha.kubernetes.io/"
+
+// SeccompProfileRuntimeDefault represents the default seccomp profile used by container runtime.
+// Deprecated: set a pod or container security context `seccompProfile` of type "RuntimeDefault" instead.
+#SeccompProfileRuntimeDefault: "runtime/default"
+
+// SeccompProfileNameUnconfined is the unconfined seccomp profile.
+#SeccompProfileNameUnconfined: "unconfined"
+
+// SeccompLocalhostProfileNamePrefix is the prefix for specifying profiles loaded from the node's disk.
+#SeccompLocalhostProfileNamePrefix: "localhost/"
+
+// AppArmorBetaContainerAnnotationKeyPrefix is the prefix to an annotation key specifying a container's apparmor profile.
+#AppArmorBetaContainerAnnotationKeyPrefix: "container.apparmor.security.beta.kubernetes.io/"
+
+// AppArmorBetaDefaultProfileAnnotationKey is the annotation key specifying the default AppArmor profile.
+#AppArmorBetaDefaultProfileAnnotationKey: "apparmor.security.beta.kubernetes.io/defaultProfileName"
+
+// AppArmorBetaAllowedProfilesAnnotationKey is the annotation key specifying the allowed AppArmor profiles.
+#AppArmorBetaAllowedProfilesAnnotationKey: "apparmor.security.beta.kubernetes.io/allowedProfileNames"
+
+// AppArmorBetaProfileRuntimeDefault is the profile specifying the runtime default.
+#AppArmorBetaProfileRuntimeDefault: "runtime/default"
+
+// AppArmorBetaProfileNamePrefix is the prefix for specifying profiles loaded on the node.
+#AppArmorBetaProfileNamePrefix: "localhost/"
+
+// AppArmorBetaProfileNameUnconfined is the Unconfined AppArmor profile
+#AppArmorBetaProfileNameUnconfined: "unconfined"
+
+// DeprecatedSeccompProfileDockerDefault represents the default seccomp profile used by docker.
+// Deprecated: set a pod or container security context `seccompProfile` of type "RuntimeDefault" instead.
+#DeprecatedSeccompProfileDockerDefault: "docker/default"
+
+// PreferAvoidPodsAnnotationKey represents the key of preferAvoidPods data (json serialized)
+// in the Annotations of a Node.
+#PreferAvoidPodsAnnotationKey: "scheduler.alpha.kubernetes.io/preferAvoidPods"
+
+// ObjectTTLAnnotationKey represents a suggestion for kubelet for how long it can cache
+// an object (e.g. secret, config map) before fetching it again from apiserver.
+// This annotation can be attached to node.
+#ObjectTTLAnnotationKey: "node.alpha.kubernetes.io/ttl"
+
+// annotation key prefix used to identify non-convertible json paths.
+#NonConvertibleAnnotationPrefix: "non-convertible.kubernetes.io"
+_#kubectlPrefix:                 "kubectl.kubernetes.io/"
+
+// LastAppliedConfigAnnotation is the annotation used to store the previous
+// configuration of a resource for use in a three way diff by UpdateApplyAnnotation.
+#LastAppliedConfigAnnotation: "kubectl.kubernetes.io/last-applied-configuration"
+
+// AnnotationLoadBalancerSourceRangesKey is the key of the annotation on a service to set allowed ingress ranges on their LoadBalancers
+//
+// It should be a comma-separated list of CIDRs, e.g. `0.0.0.0/0` to
+// allow full access (the default) or `18.0.0.0/8,56.0.0.0/8` to allow
+// access only from the CIDRs currently allocated to MIT & the USPS.
+//
+// Not all cloud providers support this annotation, though AWS & GCE do.
+#AnnotationLoadBalancerSourceRangesKey: "service.beta.kubernetes.io/load-balancer-source-ranges"
+
+// EndpointsLastChangeTriggerTime is the annotation key, set for endpoints objects, that
+// represents the timestamp (stored as RFC 3339 date-time string, e.g. '2018-10-22T19:32:52.1Z')
+// of the last change, of some Pod or Service object, that triggered the endpoints object change.
+// In other words, if a Pod / Service changed at time T0, that change was observed by endpoints
+// controller at T1, and the Endpoints object was changed at T2, the
+// EndpointsLastChangeTriggerTime would be set to T0.
+//
+// The "endpoints change trigger" here means any Pod or Service change that resulted in the
+// Endpoints object change.
+//
+// Given the definition of the "endpoints change trigger", please note that this annotation will
+// be set ONLY for endpoints object changes triggered by either Pod or Service change. If the
+// Endpoints object changes due to other reasons, this annotation won't be set (or updated if it's
+// already set).
+//
+// This annotation will be used to compute the in-cluster network programming latency SLI, see
+// https://github.com/kubernetes/community/blob/master/sig-scalability/slos/network_programming_latency.md
+#EndpointsLastChangeTriggerTime: "endpoints.kubernetes.io/last-change-trigger-time"
+
+// EndpointsOverCapacity will be set on an Endpoints resource when it
+// exceeds the maximum capacity of 1000 addresses. Initially the Endpoints
+// controller will set this annotation with a value of "warning". In a
+// future release, the controller may set this annotation with a value of
+// "truncated" to indicate that any addresses exceeding the limit of 1000
+// have been truncated from the Endpoints resource.
+#EndpointsOverCapacity: "endpoints.kubernetes.io/over-capacity"
+
+// MigratedPluginsAnnotationKey is the annotation key, set for CSINode objects, that is a comma-separated
+// list of in-tree plugins that will be serviced by the CSI backend on the Node represented by CSINode.
+// This annotation is used by the Attach Detach Controller to determine whether to use the in-tree or
+// CSI Backend for a volume plugin on a specific node.
+#MigratedPluginsAnnotationKey: "storage.alpha.kubernetes.io/migrated-plugins"
+
+// PodDeletionCost can be used to set to an int32 that represent the cost of deleting
+// a pod compared to other pods belonging to the same ReplicaSet. Pods with lower
+// deletion cost are preferred to be deleted before pods with higher deletion cost.
+// Note that this is honored on a best-effort basis, and so it does not offer guarantees on
+// pod deletion order.
+// The implicit deletion cost for pods that don't set the annotation is 0, negative values are permitted.
+//
+// This annotation is beta-level and is only honored when PodDeletionCost feature is enabled.
+#PodDeletionCost: "controller.kubernetes.io/pod-deletion-cost"
+
+// DeprecatedAnnotationTopologyAwareHints can be used to enable or disable
+// Topology Aware Hints for a Service. This may be set to "Auto" or
+// "Disabled". Any other value is treated as "Disabled". This annotation has
+// been deprecated in favor of the "service.kubernetes.io/topology-mode"
+// annotation.
+#DeprecatedAnnotationTopologyAwareHints: "service.kubernetes.io/topology-aware-hints"
+
+// AnnotationTopologyMode can be used to enable or disable Topology Aware
+// Routing for a Service. Well known values are "Auto" and "Disabled".
+// Implementations may choose to develop new topology approaches, exposing
+// them with domain-prefixed values. For example, "example.com/lowest-rtt"
+// could be a valid implementation-specific value for this annotation. These
+// heuristics will often populate topology hints on EndpointSlices, but that
+// is not a requirement.
+#AnnotationTopologyMode: "service.kubernetes.io/topology-mode"

docs/examples/cue.mod/gen/k8s.io/api/core/v1/doc_go_gen.cue

@@ -0,0 +1,6 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/core/v1
+
+// Package v1 is the v1 version of the core API.
+package v1

docs/examples/cue.mod/gen/k8s.io/api/core/v1/register_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/core/v1
+
+package v1
+
+#GroupName: ""

docs/examples/cue.mod/gen/k8s.io/api/core/v1/well_known_labels_go_gen.cue

@@ -0,0 +1,59 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/core/v1
+
+package v1
+
+#LabelHostname: "kubernetes.io/hostname"
+
+// Label value is the network location of kube-apiserver stored as <ip:port>
+// Stored in APIServer Identity lease objects to view what address is used for peer proxy
+#AnnotationPeerAdvertiseAddress: "kubernetes.io/peer-advertise-address"
+#LabelTopologyZone:              "topology.kubernetes.io/zone"
+#LabelTopologyRegion:            "topology.kubernetes.io/region"
+
+// These label have been deprecated since 1.17, but will be supported for
+// the foreseeable future, to accommodate things like long-lived PVs that
+// use them.  New users should prefer the "topology.kubernetes.io/*"
+// equivalents.
+#LabelFailureDomainBetaZone:   "failure-domain.beta.kubernetes.io/zone"
+#LabelFailureDomainBetaRegion: "failure-domain.beta.kubernetes.io/region"
+
+// Retained for compat when vendored.  Do not use these consts in new code.
+#LabelZoneFailureDomain:       "failure-domain.beta.kubernetes.io/zone"
+#LabelZoneRegion:              "failure-domain.beta.kubernetes.io/region"
+#LabelZoneFailureDomainStable: "topology.kubernetes.io/zone"
+#LabelZoneRegionStable:        "topology.kubernetes.io/region"
+#LabelInstanceType:            "beta.kubernetes.io/instance-type"
+#LabelInstanceTypeStable:      "node.kubernetes.io/instance-type"
+#LabelOSStable:                "kubernetes.io/os"
+#LabelArchStable:              "kubernetes.io/arch"
+
+// LabelWindowsBuild is used on Windows nodes to specify the Windows build number starting with v1.17.0.
+// It's in the format MajorVersion.MinorVersion.BuildNumber (for ex: 10.0.17763)
+#LabelWindowsBuild: "node.kubernetes.io/windows-build"
+
+// LabelNamespaceSuffixKubelet is an allowed label namespace suffix kubelets can self-set ([*.]kubelet.kubernetes.io/*)
+#LabelNamespaceSuffixKubelet: "kubelet.kubernetes.io"
+
+// LabelNamespaceSuffixNode is an allowed label namespace suffix kubelets can self-set ([*.]node.kubernetes.io/*)
+#LabelNamespaceSuffixNode: "node.kubernetes.io"
+
+// LabelNamespaceNodeRestriction is a forbidden label namespace that kubelets may not self-set when the NodeRestriction admission plugin is enabled
+#LabelNamespaceNodeRestriction: "node-restriction.kubernetes.io"
+
+// IsHeadlessService is added by Controller to an Endpoint denoting if its parent
+// Service is Headless. The existence of this label can be used further by other
+// controllers and kube-proxy to check if the Endpoint objects should be replicated when
+// using Headless Services
+#IsHeadlessService: "service.kubernetes.io/headless"
+
+// LabelNodeExcludeBalancers specifies that the node should not be considered as a target
+// for external load-balancers which use nodes as a second hop (e.g. many cloud LBs which only
+// understand nodes). For services that use externalTrafficPolicy=Local, this may mean that
+// any backends on excluded nodes are not reachable by those external load-balancers.
+// Implementations of this exclusion may vary based on provider.
+#LabelNodeExcludeBalancers: "node.kubernetes.io/exclude-from-external-load-balancers"
+
+// LabelMetadataName is the label name which, in-tree, is used to automatically label namespaces, so they can be selected easily by tools which require definitive labels
+#LabelMetadataName: "kubernetes.io/metadata.name"

docs/examples/cue.mod/gen/k8s.io/api/core/v1/well_known_taints_go_gen.cue

@@ -0,0 +1,38 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/core/v1
+
+package v1
+
+// TaintNodeNotReady will be added when node is not ready
+// and removed when node becomes ready.
+#TaintNodeNotReady: "node.kubernetes.io/not-ready"
+
+// TaintNodeUnreachable will be added when node becomes unreachable
+// (corresponding to NodeReady status ConditionUnknown)
+// and removed when node becomes reachable (NodeReady status ConditionTrue).
+#TaintNodeUnreachable: "node.kubernetes.io/unreachable"
+
+// TaintNodeUnschedulable will be added when node becomes unschedulable
+// and removed when node becomes schedulable.
+#TaintNodeUnschedulable: "node.kubernetes.io/unschedulable"
+
+// TaintNodeMemoryPressure will be added when node has memory pressure
+// and removed when node has enough memory.
+#TaintNodeMemoryPressure: "node.kubernetes.io/memory-pressure"
+
+// TaintNodeDiskPressure will be added when node has disk pressure
+// and removed when node has enough disk.
+#TaintNodeDiskPressure: "node.kubernetes.io/disk-pressure"
+
+// TaintNodeNetworkUnavailable will be added when node's network is unavailable
+// and removed when network becomes ready.
+#TaintNodeNetworkUnavailable: "node.kubernetes.io/network-unavailable"
+
+// TaintNodePIDPressure will be added when node has pid pressure
+// and removed when node has enough pid.
+#TaintNodePIDPressure: "node.kubernetes.io/pid-pressure"
+
+// TaintNodeOutOfService can be added when node is out of service in case of
+// a non-graceful shutdown
+#TaintNodeOutOfService: "node.kubernetes.io/out-of-service"

docs/examples/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/doc_go_gen.cue

@@ -0,0 +1,6 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1
+
+// Package v1 is the v1 version of the API.
+package v1

docs/examples/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/register_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1
+
+package v1
+
+#GroupName: "apiextensions.k8s.io"

docs/examples/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/types_go_gen.cue

@@ -0,0 +1,513 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// ConversionStrategyType describes different conversion types.
+#ConversionStrategyType: string // #enumConversionStrategyType
+
+#enumConversionStrategyType:
+	#NoneConverter |
+	#WebhookConverter
+
+// KubeAPIApprovedAnnotation is an annotation that must be set to create a CRD for the k8s.io, *.k8s.io, kubernetes.io, or *.kubernetes.io namespaces.
+// The value should be a link to a URL where the current spec was approved, so updates to the spec should also update the URL.
+// If the API is unapproved, you may set the annotation to a string starting with `"unapproved"`.  For instance, `"unapproved, temporarily squatting"` or `"unapproved, experimental-only"`.  This is discouraged.
+#KubeAPIApprovedAnnotation: "api-approved.kubernetes.io"
+
+// NoneConverter is a converter that only sets apiversion of the CR and leave everything else unchanged.
+#NoneConverter: #ConversionStrategyType & "None"
+
+// WebhookConverter is a converter that calls to an external webhook to convert the CR.
+#WebhookConverter: #ConversionStrategyType & "Webhook"
+
+// CustomResourceDefinitionSpec describes how a user wants their resource to appear
+#CustomResourceDefinitionSpec: {
+	// group is the API group of the defined custom resource.
+	// The custom resources are served under `/apis/<group>/...`.
+	// Must match the name of the CustomResourceDefinition (in the form `<names.plural>.<group>`).
+	group: string @go(Group) @protobuf(1,bytes,opt)
+
+	// names specify the resource and kind names for the custom resource.
+	names: #CustomResourceDefinitionNames @go(Names) @protobuf(3,bytes,opt)
+
+	// scope indicates whether the defined custom resource is cluster- or namespace-scoped.
+	// Allowed values are `Cluster` and `Namespaced`.
+	scope: #ResourceScope @go(Scope) @protobuf(4,bytes,opt,casttype=ResourceScope)
+
+	// versions is the list of all API versions of the defined custom resource.
+	// Version names are used to compute the order in which served versions are listed in API discovery.
+	// If the version string is "kube-like", it will sort above non "kube-like" version strings, which are ordered
+	// lexicographically. "Kube-like" versions start with a "v", then are followed by a number (the major version),
+	// then optionally the string "alpha" or "beta" and another number (the minor version). These are sorted first
+	// by GA > beta > alpha (where GA is a version with no suffix such as beta or alpha), and then by comparing
+	// major version, then minor version. An example sorted list of versions:
+	// v10, v2, v1, v11beta2, v10beta3, v3beta1, v12alpha1, v11alpha2, foo1, foo10.
+	versions: [...#CustomResourceDefinitionVersion] @go(Versions,[]CustomResourceDefinitionVersion) @protobuf(7,bytes,rep)
+
+	// conversion defines conversion settings for the CRD.
+	// +optional
+	conversion?: null | #CustomResourceConversion @go(Conversion,*CustomResourceConversion) @protobuf(9,bytes,opt)
+
+	// preserveUnknownFields indicates that object fields which are not specified
+	// in the OpenAPI schema should be preserved when persisting to storage.
+	// apiVersion, kind, metadata and known fields inside metadata are always preserved.
+	// This field is deprecated in favor of setting `x-preserve-unknown-fields` to true in `spec.versions[*].schema.openAPIV3Schema`.
+	// See https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#field-pruning for details.
+	// +optional
+	preserveUnknownFields?: bool @go(PreserveUnknownFields) @protobuf(10,varint,opt)
+}
+
+// CustomResourceConversion describes how to convert different versions of a CR.
+#CustomResourceConversion: {
+	// strategy specifies how custom resources are converted between versions. Allowed values are:
+	// - `"None"`: The converter only change the apiVersion and would not touch any other field in the custom resource.
+	// - `"Webhook"`: API Server will call to an external webhook to do the conversion. Additional information
+	//   is needed for this option. This requires spec.preserveUnknownFields to be false, and spec.conversion.webhook to be set.
+	strategy: #ConversionStrategyType @go(Strategy) @protobuf(1,bytes)
+
+	// webhook describes how to call the conversion webhook. Required when `strategy` is set to `"Webhook"`.
+	// +optional
+	webhook?: null | #WebhookConversion @go(Webhook,*WebhookConversion) @protobuf(2,bytes,opt)
+}
+
+// WebhookConversion describes how to call a conversion webhook
+#WebhookConversion: {
+	// clientConfig is the instructions for how to call the webhook if strategy is `Webhook`.
+	// +optional
+	clientConfig?: null | #WebhookClientConfig @go(ClientConfig,*WebhookClientConfig) @protobuf(2,bytes)
+
+	// conversionReviewVersions is an ordered list of preferred `ConversionReview`
+	// versions the Webhook expects. The API server will use the first version in
+	// the list which it supports. If none of the versions specified in this list
+	// are supported by API server, conversion will fail for the custom resource.
+	// If a persisted Webhook configuration specifies allowed versions and does not
+	// include any versions known to the API Server, calls to the webhook will fail.
+	conversionReviewVersions: [...string] @go(ConversionReviewVersions,[]string) @protobuf(3,bytes,rep)
+}
+
+// WebhookClientConfig contains the information to make a TLS connection with the webhook.
+#WebhookClientConfig: {
+	// url gives the location of the webhook, in standard URL form
+	// (`scheme://host:port/path`). Exactly one of `url` or `service`
+	// must be specified.
+	//
+	// The `host` should not refer to a service running in the cluster; use
+	// the `service` field instead. The host might be resolved via external
+	// DNS in some apiservers (e.g., `kube-apiserver` cannot resolve
+	// in-cluster DNS as that would be a layering violation). `host` may
+	// also be an IP address.
+	//
+	// Please note that using `localhost` or `127.0.0.1` as a `host` is
+	// risky unless you take great care to run this webhook on all hosts
+	// which run an apiserver which might need to make calls to this
+	// webhook. Such installs are likely to be non-portable, i.e., not easy
+	// to turn up in a new cluster.
+	//
+	// The scheme must be "https"; the URL must begin with "https://".
+	//
+	// A path is optional, and if present may be any string permissible in
+	// a URL. You may use the path to pass an arbitrary string to the
+	// webhook, for example, a cluster identifier.
+	//
+	// Attempting to use a user or basic auth e.g. "user:password@" is not
+	// allowed. Fragments ("#...") and query parameters ("?...") are not
+	// allowed, either.
+	//
+	// +optional
+	url?: null | string @go(URL,*string) @protobuf(3,bytes,opt)
+
+	// service is a reference to the service for this webhook. Either
+	// service or url must be specified.
+	//
+	// If the webhook is running within the cluster, then you should use `service`.
+	//
+	// +optional
+	service?: null | #ServiceReference @go(Service,*ServiceReference) @protobuf(1,bytes,opt)
+
+	// caBundle is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
+	// If unspecified, system trust roots on the apiserver are used.
+	// +optional
+	caBundle?: bytes @go(CABundle,[]byte) @protobuf(2,bytes,opt)
+}
+
+// ServiceReference holds a reference to Service.legacy.k8s.io
+#ServiceReference: {
+	// namespace is the namespace of the service.
+	// Required
+	namespace: string @go(Namespace) @protobuf(1,bytes,opt)
+
+	// name is the name of the service.
+	// Required
+	name: string @go(Name) @protobuf(2,bytes,opt)
+
+	// path is an optional URL path at which the webhook will be contacted.
+	// +optional
+	path?: null | string @go(Path,*string) @protobuf(3,bytes,opt)
+
+	// port is an optional service port at which the webhook will be contacted.
+	// `port` should be a valid port number (1-65535, inclusive).
+	// Defaults to 443 for backward compatibility.
+	// +optional
+	port?: null | int32 @go(Port,*int32) @protobuf(4,varint,opt)
+}
+
+// CustomResourceDefinitionVersion describes a version for CRD.
+#CustomResourceDefinitionVersion: {
+	// name is the version name, e.g. “v1”, “v2beta1”, etc.
+	// The custom resources are served under this version at `/apis/<group>/<version>/...` if `served` is true.
+	name: string @go(Name) @protobuf(1,bytes,opt)
+
+	// served is a flag enabling/disabling this version from being served via REST APIs
+	served: bool @go(Served) @protobuf(2,varint,opt)
+
+	// storage indicates this version should be used when persisting custom resources to storage.
+	// There must be exactly one version with storage=true.
+	storage: bool @go(Storage) @protobuf(3,varint,opt)
+
+	// deprecated indicates this version of the custom resource API is deprecated.
+	// When set to true, API requests to this version receive a warning header in the server response.
+	// Defaults to false.
+	// +optional
+	deprecated?: bool @go(Deprecated) @protobuf(7,varint,opt)
+
+	// deprecationWarning overrides the default warning returned to API clients.
+	// May only be set when `deprecated` is true.
+	// The default warning indicates this version is deprecated and recommends use
+	// of the newest served version of equal or greater stability, if one exists.
+	// +optional
+	deprecationWarning?: null | string @go(DeprecationWarning,*string) @protobuf(8,bytes,opt)
+
+	// schema describes the schema used for validation, pruning, and defaulting of this version of the custom resource.
+	// +optional
+	schema?: null | #CustomResourceValidation @go(Schema,*CustomResourceValidation) @protobuf(4,bytes,opt)
+
+	// subresources specify what subresources this version of the defined custom resource have.
+	// +optional
+	subresources?: null | #CustomResourceSubresources @go(Subresources,*CustomResourceSubresources) @protobuf(5,bytes,opt)
+
+	// additionalPrinterColumns specifies additional columns returned in Table output.
+	// See https://kubernetes.io/docs/reference/using-api/api-concepts/#receiving-resources-as-tables for details.
+	// If no columns are specified, a single column displaying the age of the custom resource is used.
+	// +optional
+	additionalPrinterColumns?: [...#CustomResourceColumnDefinition] @go(AdditionalPrinterColumns,[]CustomResourceColumnDefinition) @protobuf(6,bytes,rep)
+}
+
+// CustomResourceColumnDefinition specifies a column for server side printing.
+#CustomResourceColumnDefinition: {
+	// name is a human readable name for the column.
+	name: string @go(Name) @protobuf(1,bytes,opt)
+
+	// type is an OpenAPI type definition for this column.
+	// See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for details.
+	type: string @go(Type) @protobuf(2,bytes,opt)
+
+	// format is an optional OpenAPI type definition for this column. The 'name' format is applied
+	// to the primary identifier column to assist in clients identifying column is the resource name.
+	// See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for details.
+	// +optional
+	format?: string @go(Format) @protobuf(3,bytes,opt)
+
+	// description is a human readable description of this column.
+	// +optional
+	description?: string @go(Description) @protobuf(4,bytes,opt)
+
+	// priority is an integer defining the relative importance of this column compared to others. Lower
+	// numbers are considered higher priority. Columns that may be omitted in limited space scenarios
+	// should be given a priority greater than 0.
+	// +optional
+	priority?: int32 @go(Priority) @protobuf(5,bytes,opt)
+
+	// jsonPath is a simple JSON path (i.e. with array notation) which is evaluated against
+	// each custom resource to produce the value for this column.
+	jsonPath: string @go(JSONPath) @protobuf(6,bytes,opt)
+}
+
+// CustomResourceDefinitionNames indicates the names to serve this CustomResourceDefinition
+#CustomResourceDefinitionNames: {
+	// plural is the plural name of the resource to serve.
+	// The custom resources are served under `/apis/<group>/<version>/.../<plural>`.
+	// Must match the name of the CustomResourceDefinition (in the form `<names.plural>.<group>`).
+	// Must be all lowercase.
+	plural: string @go(Plural) @protobuf(1,bytes,opt)
+
+	// singular is the singular name of the resource. It must be all lowercase. Defaults to lowercased `kind`.
+	// +optional
+	singular?: string @go(Singular) @protobuf(2,bytes,opt)
+
+	// shortNames are short names for the resource, exposed in API discovery documents,
+	// and used by clients to support invocations like `kubectl get <shortname>`.
+	// It must be all lowercase.
+	// +optional
+	shortNames?: [...string] @go(ShortNames,[]string) @protobuf(3,bytes,opt)
+
+	// kind is the serialized kind of the resource. It is normally CamelCase and singular.
+	// Custom resource instances will use this value as the `kind` attribute in API calls.
+	kind: string @go(Kind) @protobuf(4,bytes,opt)
+
+	// listKind is the serialized kind of the list for this resource. Defaults to "`kind`List".
+	// +optional
+	listKind?: string @go(ListKind) @protobuf(5,bytes,opt)
+
+	// categories is a list of grouped resources this custom resource belongs to (e.g. 'all').
+	// This is published in API discovery documents, and used by clients to support invocations like
+	// `kubectl get all`.
+	// +optional
+	categories?: [...string] @go(Categories,[]string) @protobuf(6,bytes,rep)
+}
+
+// ResourceScope is an enum defining the different scopes available to a custom resource
+#ResourceScope: string // #enumResourceScope
+
+#enumResourceScope:
+	#ClusterScoped |
+	#NamespaceScoped
+
+#ClusterScoped:   #ResourceScope & "Cluster"
+#NamespaceScoped: #ResourceScope & "Namespaced"
+
+#ConditionStatus: string // #enumConditionStatus
+
+#enumConditionStatus:
+	#ConditionTrue |
+	#ConditionFalse |
+	#ConditionUnknown
+
+#ConditionTrue:    #ConditionStatus & "True"
+#ConditionFalse:   #ConditionStatus & "False"
+#ConditionUnknown: #ConditionStatus & "Unknown"
+
+// CustomResourceDefinitionConditionType is a valid value for CustomResourceDefinitionCondition.Type
+#CustomResourceDefinitionConditionType: string // #enumCustomResourceDefinitionConditionType
+
+#enumCustomResourceDefinitionConditionType:
+	#Established |
+	#NamesAccepted |
+	#NonStructuralSchema |
+	#Terminating |
+	#KubernetesAPIApprovalPolicyConformant
+
+// Established means that the resource has become active. A resource is established when all names are
+// accepted without a conflict for the first time. A resource stays established until deleted, even during
+// a later NamesAccepted due to changed names. Note that not all names can be changed.
+#Established: #CustomResourceDefinitionConditionType & "Established"
+
+// NamesAccepted means the names chosen for this CustomResourceDefinition do not conflict with others in
+// the group and are therefore accepted.
+#NamesAccepted: #CustomResourceDefinitionConditionType & "NamesAccepted"
+
+// NonStructuralSchema means that one or more OpenAPI schema is not structural.
+//
+// A schema is structural if it specifies types for all values, with the only exceptions of those with
+// - x-kubernetes-int-or-string: true — for fields which can be integer or string
+// - x-kubernetes-preserve-unknown-fields: true — for raw, unspecified JSON values
+// and there is no type, additionalProperties, default, nullable or x-kubernetes-* vendor extenions
+// specified under allOf, anyOf, oneOf or not.
+//
+// Non-structural schemas will not be allowed anymore in v1 API groups. Moreover, new features will not be
+// available for non-structural CRDs:
+// - pruning
+// - defaulting
+// - read-only
+// - OpenAPI publishing
+// - webhook conversion
+#NonStructuralSchema: #CustomResourceDefinitionConditionType & "NonStructuralSchema"
+
+// Terminating means that the CustomResourceDefinition has been deleted and is cleaning up.
+#Terminating: #CustomResourceDefinitionConditionType & "Terminating"
+
+// KubernetesAPIApprovalPolicyConformant indicates that an API in *.k8s.io or *.kubernetes.io is or is not approved.  For CRDs
+// outside those groups, this condition will not be set.  For CRDs inside those groups, the condition will
+// be true if .metadata.annotations["api-approved.kubernetes.io"] is set to a URL, otherwise it will be false.
+// See https://github.com/kubernetes/enhancements/pull/1111 for more details.
+#KubernetesAPIApprovalPolicyConformant: #CustomResourceDefinitionConditionType & "KubernetesAPIApprovalPolicyConformant"
+
+// CustomResourceDefinitionCondition contains details for the current condition of this pod.
+#CustomResourceDefinitionCondition: {
+	// type is the type of the condition. Types include Established, NamesAccepted and Terminating.
+	type: #CustomResourceDefinitionConditionType @go(Type) @protobuf(1,bytes,opt,casttype=CustomResourceDefinitionConditionType)
+
+	// status is the status of the condition.
+	// Can be True, False, Unknown.
+	status: #ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=ConditionStatus)
+
+	// lastTransitionTime last time the condition transitioned from one status to another.
+	// +optional
+	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt)
+
+	// reason is a unique, one-word, CamelCase reason for the condition's last transition.
+	// +optional
+	reason?: string @go(Reason) @protobuf(4,bytes,opt)
+
+	// message is a human-readable message indicating details about last transition.
+	// +optional
+	message?: string @go(Message) @protobuf(5,bytes,opt)
+}
+
+// CustomResourceDefinitionStatus indicates the state of the CustomResourceDefinition
+#CustomResourceDefinitionStatus: {
+	// conditions indicate state for particular aspects of a CustomResourceDefinition
+	// +optional
+	// +listType=map
+	// +listMapKey=type
+	conditions?: [...#CustomResourceDefinitionCondition] @go(Conditions,[]CustomResourceDefinitionCondition) @protobuf(1,bytes,opt)
+
+	// acceptedNames are the names that are actually being used to serve discovery.
+	// They may be different than the names in spec.
+	// +optional
+	acceptedNames?: #CustomResourceDefinitionNames @go(AcceptedNames) @protobuf(2,bytes,opt)
+
+	// storedVersions lists all versions of CustomResources that were ever persisted. Tracking these
+	// versions allows a migration path for stored versions in etcd. The field is mutable
+	// so a migration controller can finish a migration to another version (ensuring
+	// no old objects are left in storage), and then remove the rest of the
+	// versions from this list.
+	// Versions may not be removed from `spec.versions` while they exist in this list.
+	// +optional
+	storedVersions?: [...string] @go(StoredVersions,[]string) @protobuf(3,bytes,rep)
+}
+
+#CustomResourceCleanupFinalizer: "customresourcecleanup.apiextensions.k8s.io"
+
+// CustomResourceDefinition represents a resource that should be exposed on the API server.  Its name MUST be in the format
+// <.spec.name>.<.spec.group>.
+#CustomResourceDefinition: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// spec describes how the user wants the resources to appear
+	spec: #CustomResourceDefinitionSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// status indicates the actual state of the CustomResourceDefinition
+	// +optional
+	status?: #CustomResourceDefinitionStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// CustomResourceDefinitionList is a list of CustomResourceDefinition objects.
+#CustomResourceDefinitionList: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// items list individual CustomResourceDefinition objects
+	items: [...#CustomResourceDefinition] @go(Items,[]CustomResourceDefinition) @protobuf(2,bytes,rep)
+}
+
+// CustomResourceValidation is a list of validation methods for CustomResources.
+#CustomResourceValidation: {
+	// openAPIV3Schema is the OpenAPI v3 schema to use for validation and pruning.
+	// +optional
+	openAPIV3Schema?: null | #JSONSchemaProps @go(OpenAPIV3Schema,*JSONSchemaProps) @protobuf(1,bytes,opt)
+}
+
+// CustomResourceSubresources defines the status and scale subresources for CustomResources.
+#CustomResourceSubresources: {
+	// status indicates the custom resource should serve a `/status` subresource.
+	// When enabled:
+	// 1. requests to the custom resource primary endpoint ignore changes to the `status` stanza of the object.
+	// 2. requests to the custom resource `/status` subresource ignore changes to anything other than the `status` stanza of the object.
+	// +optional
+	status?: null | #CustomResourceSubresourceStatus @go(Status,*CustomResourceSubresourceStatus) @protobuf(1,bytes,opt)
+
+	// scale indicates the custom resource should serve a `/scale` subresource that returns an `autoscaling/v1` Scale object.
+	// +optional
+	scale?: null | #CustomResourceSubresourceScale @go(Scale,*CustomResourceSubresourceScale) @protobuf(2,bytes,opt)
+}
+
+// CustomResourceSubresourceStatus defines how to serve the status subresource for CustomResources.
+// Status is represented by the `.status` JSON path inside of a CustomResource. When set,
+// * exposes a /status subresource for the custom resource
+// * PUT requests to the /status subresource take a custom resource object, and ignore changes to anything except the status stanza
+// * PUT/POST/PATCH requests to the custom resource ignore changes to the status stanza
+#CustomResourceSubresourceStatus: {
+}
+
+// CustomResourceSubresourceScale defines how to serve the scale subresource for CustomResources.
+#CustomResourceSubresourceScale: {
+	// specReplicasPath defines the JSON path inside of a custom resource that corresponds to Scale `spec.replicas`.
+	// Only JSON paths without the array notation are allowed.
+	// Must be a JSON Path under `.spec`.
+	// If there is no value under the given path in the custom resource, the `/scale` subresource will return an error on GET.
+	specReplicasPath: string @go(SpecReplicasPath) @protobuf(1,bytes)
+
+	// statusReplicasPath defines the JSON path inside of a custom resource that corresponds to Scale `status.replicas`.
+	// Only JSON paths without the array notation are allowed.
+	// Must be a JSON Path under `.status`.
+	// If there is no value under the given path in the custom resource, the `status.replicas` value in the `/scale` subresource
+	// will default to 0.
+	statusReplicasPath: string @go(StatusReplicasPath) @protobuf(2,bytes,opt)
+
+	// labelSelectorPath defines the JSON path inside of a custom resource that corresponds to Scale `status.selector`.
+	// Only JSON paths without the array notation are allowed.
+	// Must be a JSON Path under `.status` or `.spec`.
+	// Must be set to work with HorizontalPodAutoscaler.
+	// The field pointed by this JSON path must be a string field (not a complex selector struct)
+	// which contains a serialized label selector in string form.
+	// More info: https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions#scale-subresource
+	// If there is no value under the given path in the custom resource, the `status.selector` value in the `/scale`
+	// subresource will default to the empty string.
+	// +optional
+	labelSelectorPath?: null | string @go(LabelSelectorPath,*string) @protobuf(3,bytes,opt)
+}
+
+// ConversionReview describes a conversion request/response.
+#ConversionReview: {
+	metav1.#TypeMeta
+
+	// request describes the attributes for the conversion request.
+	// +optional
+	request?: null | #ConversionRequest @go(Request,*ConversionRequest) @protobuf(1,bytes,opt)
+
+	// response describes the attributes for the conversion response.
+	// +optional
+	response?: null | #ConversionResponse @go(Response,*ConversionResponse) @protobuf(2,bytes,opt)
+}
+
+// ConversionRequest describes the conversion request parameters.
+#ConversionRequest: {
+	// uid is an identifier for the individual request/response. It allows distinguishing instances of requests which are
+	// otherwise identical (parallel requests, etc).
+	// The UID is meant to track the round trip (request/response) between the Kubernetes API server and the webhook, not the user request.
+	// It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging.
+	uid: types.#UID @go(UID) @protobuf(1,bytes)
+
+	// desiredAPIVersion is the version to convert given objects to. e.g. "myapi.example.com/v1"
+	desiredAPIVersion: string @go(DesiredAPIVersion) @protobuf(2,bytes)
+
+	// objects is the list of custom resource objects to be converted.
+	objects: [...runtime.#RawExtension] @go(Objects,[]runtime.RawExtension) @protobuf(3,bytes,rep)
+}
+
+// ConversionResponse describes a conversion response.
+#ConversionResponse: {
+	// uid is an identifier for the individual request/response.
+	// This should be copied over from the corresponding `request.uid`.
+	uid: types.#UID @go(UID) @protobuf(1,bytes)
+
+	// convertedObjects is the list of converted version of `request.objects` if the `result` is successful, otherwise empty.
+	// The webhook is expected to set `apiVersion` of these objects to the `request.desiredAPIVersion`. The list
+	// must also have the same size as the input list with the same objects in the same order (equal kind, metadata.uid, metadata.name and metadata.namespace).
+	// The webhook is allowed to mutate labels and annotations. Any other change to the metadata is silently ignored.
+	convertedObjects: [...runtime.#RawExtension] @go(ConvertedObjects,[]runtime.RawExtension) @protobuf(2,bytes,rep)
+
+	// result contains the result of conversion with extra details if the conversion failed. `result.status` determines if
+	// the conversion failed or succeeded. The `result.status` field is required and represents the success or failure of the
+	// conversion. A successful conversion must set `result.status` to `Success`. A failed conversion must set
+	// `result.status` to `Failure` and provide more details in `result.message` and return http status 200. The `result.message`
+	// will be used to construct an error message for the end user.
+	result: metav1.#Status @go(Result) @protobuf(3,bytes)
+}

docs/examples/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/types_jsonschema_go_gen.cue

@@ -0,0 +1,348 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1
+
+package v1
+
+// FieldValueErrorReason is a machine-readable value providing more detail about why a field failed the validation.
+// +enum
+#FieldValueErrorReason: string // #enumFieldValueErrorReason
+
+#enumFieldValueErrorReason:
+	#FieldValueRequired |
+	#FieldValueDuplicate |
+	#FieldValueInvalid |
+	#FieldValueForbidden
+
+// FieldValueRequired is used to report required values that are not
+// provided (e.g. empty strings, null values, or empty arrays).
+#FieldValueRequired: #FieldValueErrorReason & "FieldValueRequired"
+
+// FieldValueDuplicate is used to report collisions of values that must be
+// unique (e.g. unique IDs).
+#FieldValueDuplicate: #FieldValueErrorReason & "FieldValueDuplicate"
+
+// FieldValueInvalid is used to report malformed values (e.g. failed regex
+// match, too long, out of bounds).
+#FieldValueInvalid: #FieldValueErrorReason & "FieldValueInvalid"
+
+// FieldValueForbidden is used to report valid (as per formatting rules)
+// values which would be accepted under some conditions, but which are not
+// permitted by the current conditions (such as security policy).
+#FieldValueForbidden: #FieldValueErrorReason & "FieldValueForbidden"
+
+// JSONSchemaProps is a JSON-Schema following Specification Draft 4 (http://json-schema.org/).
+#JSONSchemaProps: {
+	id?:          string         @go(ID) @protobuf(1,bytes,opt)
+	$schema?:     #JSONSchemaURL @go(Schema) @protobuf(2,bytes,opt,name=schema)
+	$ref?:        null | string  @go(Ref,*string) @protobuf(3,bytes,opt,name=ref)
+	description?: string         @go(Description) @protobuf(4,bytes,opt)
+	type?:        string         @go(Type) @protobuf(5,bytes,opt)
+
+	// format is an OpenAPI v3 format string. Unknown formats are ignored. The following formats are validated:
+	//
+	// - bsonobjectid: a bson object ID, i.e. a 24 characters hex string
+	// - uri: an URI as parsed by Golang net/url.ParseRequestURI
+	// - email: an email address as parsed by Golang net/mail.ParseAddress
+	// - hostname: a valid representation for an Internet host name, as defined by RFC 1034, section 3.1 [RFC1034].
+	// - ipv4: an IPv4 IP as parsed by Golang net.ParseIP
+	// - ipv6: an IPv6 IP as parsed by Golang net.ParseIP
+	// - cidr: a CIDR as parsed by Golang net.ParseCIDR
+	// - mac: a MAC address as parsed by Golang net.ParseMAC
+	// - uuid: an UUID that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{12}$
+	// - uuid3: an UUID3 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?3[0-9a-f]{3}-?[0-9a-f]{4}-?[0-9a-f]{12}$
+	// - uuid4: an UUID4 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?4[0-9a-f]{3}-?[89ab][0-9a-f]{3}-?[0-9a-f]{12}$
+	// - uuid5: an UUID5 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?5[0-9a-f]{3}-?[89ab][0-9a-f]{3}-?[0-9a-f]{12}$
+	// - isbn: an ISBN10 or ISBN13 number string like "0321751043" or "978-0321751041"
+	// - isbn10: an ISBN10 number string like "0321751043"
+	// - isbn13: an ISBN13 number string like "978-0321751041"
+	// - creditcard: a credit card number defined by the regex ^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\\d{3})\\d{11})$ with any non digit characters mixed in
+	// - ssn: a U.S. social security number following the regex ^\\d{3}[- ]?\\d{2}[- ]?\\d{4}$
+	// - hexcolor: an hexadecimal color code like "#FFFFFF: following the regex ^#?([0-9a-fA-F]{3}|[0-9a-fA-F]{6})$
+	// - rgbcolor: an RGB color code like rgb like "rgb(255,255,2559"
+	// - byte: base64 encoded binary data
+	// - password: any kind of string
+	// - date: a date string like "2006-01-02" as defined by full-date in RFC3339
+	// - duration: a duration string like "22 ns" as parsed by Golang time.ParseDuration or compatible with Scala duration format
+	// - datetime: a date time string like "2014-12-15T19:30:20.000Z" as defined by date-time in RFC3339.
+	format?: string @go(Format) @protobuf(6,bytes,opt)
+	title?:  string @go(Title) @protobuf(7,bytes,opt)
+
+	// default is a default value for undefined object fields.
+	// Defaulting is a beta feature under the CustomResourceDefaulting feature gate.
+	// Defaulting requires spec.preserveUnknownFields to be false.
+	default?:          null | #JSON   @go(Default,*JSON) @protobuf(8,bytes,opt)
+	maximum?:          null | float64 @go(Maximum,*float64) @protobuf(9,bytes,opt)
+	exclusiveMaximum?: bool           @go(ExclusiveMaximum) @protobuf(10,bytes,opt)
+	minimum?:          null | float64 @go(Minimum,*float64) @protobuf(11,bytes,opt)
+	exclusiveMinimum?: bool           @go(ExclusiveMinimum) @protobuf(12,bytes,opt)
+	maxLength?:        null | int64   @go(MaxLength,*int64) @protobuf(13,bytes,opt)
+	minLength?:        null | int64   @go(MinLength,*int64) @protobuf(14,bytes,opt)
+	pattern?:          string         @go(Pattern) @protobuf(15,bytes,opt)
+	maxItems?:         null | int64   @go(MaxItems,*int64) @protobuf(16,bytes,opt)
+	minItems?:         null | int64   @go(MinItems,*int64) @protobuf(17,bytes,opt)
+	uniqueItems?:      bool           @go(UniqueItems) @protobuf(18,bytes,opt)
+	multipleOf?:       null | float64 @go(MultipleOf,*float64) @protobuf(19,bytes,opt)
+	enum?: [...#JSON] @go(Enum,[]JSON) @protobuf(20,bytes,rep)
+	maxProperties?: null | int64 @go(MaxProperties,*int64) @protobuf(21,bytes,opt)
+	minProperties?: null | int64 @go(MinProperties,*int64) @protobuf(22,bytes,opt)
+	required?: [...string] @go(Required,[]string) @protobuf(23,bytes,rep)
+	items?: null | #JSONSchemaPropsOrArray @go(Items,*JSONSchemaPropsOrArray) @protobuf(24,bytes,opt)
+	allOf?: [...#JSONSchemaProps] @go(AllOf,[]JSONSchemaProps) @protobuf(25,bytes,rep)
+	oneOf?: [...#JSONSchemaProps] @go(OneOf,[]JSONSchemaProps) @protobuf(26,bytes,rep)
+	anyOf?: [...#JSONSchemaProps] @go(AnyOf,[]JSONSchemaProps) @protobuf(27,bytes,rep)
+	not?: null | #JSONSchemaProps @go(Not,*JSONSchemaProps) @protobuf(28,bytes,opt)
+	properties?: {[string]: #JSONSchemaProps} @go(Properties,map[string]JSONSchemaProps) @protobuf(29,bytes,rep)
+	additionalProperties?: null | #JSONSchemaPropsOrBool @go(AdditionalProperties,*JSONSchemaPropsOrBool) @protobuf(30,bytes,opt)
+	patternProperties?: {[string]: #JSONSchemaProps} @go(PatternProperties,map[string]JSONSchemaProps) @protobuf(31,bytes,rep)
+	dependencies?:    #JSONSchemaDependencies       @go(Dependencies) @protobuf(32,bytes,opt)
+	additionalItems?: null | #JSONSchemaPropsOrBool @go(AdditionalItems,*JSONSchemaPropsOrBool) @protobuf(33,bytes,opt)
+	definitions?:     #JSONSchemaDefinitions        @go(Definitions) @protobuf(34,bytes,opt)
+	externalDocs?:    null | #ExternalDocumentation @go(ExternalDocs,*ExternalDocumentation) @protobuf(35,bytes,opt)
+	example?:         null | #JSON                  @go(Example,*JSON) @protobuf(36,bytes,opt)
+	nullable?:        bool                          @go(Nullable) @protobuf(37,bytes,opt)
+
+	// x-kubernetes-preserve-unknown-fields stops the API server
+	// decoding step from pruning fields which are not specified
+	// in the validation schema. This affects fields recursively,
+	// but switches back to normal pruning behaviour if nested
+	// properties or additionalProperties are specified in the schema.
+	// This can either be true or undefined. False is forbidden.
+	"x-kubernetes-preserve-unknown-fields"?: null | bool @go(XPreserveUnknownFields,*bool) @protobuf(38,bytes,opt,name=xKubernetesPreserveUnknownFields)
+
+	// x-kubernetes-embedded-resource defines that the value is an
+	// embedded Kubernetes runtime.Object, with TypeMeta and
+	// ObjectMeta. The type must be object. It is allowed to further
+	// restrict the embedded object. kind, apiVersion and metadata
+	// are validated automatically. x-kubernetes-preserve-unknown-fields
+	// is allowed to be true, but does not have to be if the object
+	// is fully specified (up to kind, apiVersion, metadata).
+	"x-kubernetes-embedded-resource"?: bool @go(XEmbeddedResource) @protobuf(39,bytes,opt,name=xKubernetesEmbeddedResource)
+
+	// x-kubernetes-int-or-string specifies that this value is
+	// either an integer or a string. If this is true, an empty
+	// type is allowed and type as child of anyOf is permitted
+	// if following one of the following patterns:
+	//
+	// 1) anyOf:
+	//    - type: integer
+	//    - type: string
+	// 2) allOf:
+	//    - anyOf:
+	//      - type: integer
+	//      - type: string
+	//    - ... zero or more
+	"x-kubernetes-int-or-string"?: bool @go(XIntOrString) @protobuf(40,bytes,opt,name=xKubernetesIntOrString)
+
+	// x-kubernetes-list-map-keys annotates an array with the x-kubernetes-list-type `map` by specifying the keys used
+	// as the index of the map.
+	//
+	// This tag MUST only be used on lists that have the "x-kubernetes-list-type"
+	// extension set to "map". Also, the values specified for this attribute must
+	// be a scalar typed field of the child structure (no nesting is supported).
+	//
+	// The properties specified must either be required or have a default value,
+	// to ensure those properties are present for all list items.
+	//
+	// +optional
+	"x-kubernetes-list-map-keys"?: [...string] @go(XListMapKeys,[]string) @protobuf(41,bytes,rep,name=xKubernetesListMapKeys)
+
+	// x-kubernetes-list-type annotates an array to further describe its topology.
+	// This extension must only be used on lists and may have 3 possible values:
+	//
+	// 1) `atomic`: the list is treated as a single entity, like a scalar.
+	//      Atomic lists will be entirely replaced when updated. This extension
+	//      may be used on any type of list (struct, scalar, ...).
+	// 2) `set`:
+	//      Sets are lists that must not have multiple items with the same value. Each
+	//      value must be a scalar, an object with x-kubernetes-map-type `atomic` or an
+	//      array with x-kubernetes-list-type `atomic`.
+	// 3) `map`:
+	//      These lists are like maps in that their elements have a non-index key
+	//      used to identify them. Order is preserved upon merge. The map tag
+	//      must only be used on a list with elements of type object.
+	// Defaults to atomic for arrays.
+	// +optional
+	"x-kubernetes-list-type"?: null | string @go(XListType,*string) @protobuf(42,bytes,opt,name=xKubernetesListType)
+
+	// x-kubernetes-map-type annotates an object to further describe its topology.
+	// This extension must only be used when type is object and may have 2 possible values:
+	//
+	// 1) `granular`:
+	//      These maps are actual maps (key-value pairs) and each fields are independent
+	//      from each other (they can each be manipulated by separate actors). This is
+	//      the default behaviour for all maps.
+	// 2) `atomic`: the list is treated as a single entity, like a scalar.
+	//      Atomic maps will be entirely replaced when updated.
+	// +optional
+	"x-kubernetes-map-type"?: null | string @go(XMapType,*string) @protobuf(43,bytes,opt,name=xKubernetesMapType)
+
+	// x-kubernetes-validations describes a list of validation rules written in the CEL expression language.
+	// This field is an alpha-level. Using this field requires the feature gate `CustomResourceValidationExpressions` to be enabled.
+	// +patchMergeKey=rule
+	// +patchStrategy=merge
+	// +listType=map
+	// +listMapKey=rule
+	"x-kubernetes-validations"?: #ValidationRules @go(XValidations) @protobuf(44,bytes,rep,name=xKubernetesValidations)
+}
+
+// ValidationRules describes a list of validation rules written in the CEL expression language.
+#ValidationRules: [...#ValidationRule]
+
+// ValidationRule describes a validation rule written in the CEL expression language.
+#ValidationRule: {
+	// Rule represents the expression which will be evaluated by CEL.
+	// ref: https://github.com/google/cel-spec
+	// The Rule is scoped to the location of the x-kubernetes-validations extension in the schema.
+	// The `self` variable in the CEL expression is bound to the scoped value.
+	// Example:
+	// - Rule scoped to the root of a resource with a status subresource: {"rule": "self.status.actual <= self.spec.maxDesired"}
+	//
+	// If the Rule is scoped to an object with properties, the accessible properties of the object are field selectable
+	// via `self.field` and field presence can be checked via `has(self.field)`. Null valued fields are treated as
+	// absent fields in CEL expressions.
+	// If the Rule is scoped to an object with additionalProperties (i.e. a map) the value of the map
+	// are accessible via `self[mapKey]`, map containment can be checked via `mapKey in self` and all entries of the map
+	// are accessible via CEL macros and functions such as `self.all(...)`.
+	// If the Rule is scoped to an array, the elements of the array are accessible via `self[i]` and also by macros and
+	// functions.
+	// If the Rule is scoped to a scalar, `self` is bound to the scalar value.
+	// Examples:
+	// - Rule scoped to a map of objects: {"rule": "self.components['Widget'].priority < 10"}
+	// - Rule scoped to a list of integers: {"rule": "self.values.all(value, value >= 0 && value < 100)"}
+	// - Rule scoped to a string value: {"rule": "self.startsWith('kube')"}
+	//
+	// The `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the
+	// object and from any x-kubernetes-embedded-resource annotated objects. No other metadata properties are accessible.
+	//
+	// Unknown data preserved in custom resources via x-kubernetes-preserve-unknown-fields is not accessible in CEL
+	// expressions. This includes:
+	// - Unknown field values that are preserved by object schemas with x-kubernetes-preserve-unknown-fields.
+	// - Object properties where the property schema is of an "unknown type". An "unknown type" is recursively defined as:
+	//   - A schema with no type and x-kubernetes-preserve-unknown-fields set to true
+	//   - An array where the items schema is of an "unknown type"
+	//   - An object where the additionalProperties schema is of an "unknown type"
+	//
+	// Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.
+	// Accessible property names are escaped according to the following rules when accessed in the expression:
+	// - '__' escapes to '__underscores__'
+	// - '.' escapes to '__dot__'
+	// - '-' escapes to '__dash__'
+	// - '/' escapes to '__slash__'
+	// - Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:
+	//	  "true", "false", "null", "in", "as", "break", "const", "continue", "else", "for", "function", "if",
+	//	  "import", "let", "loop", "package", "namespace", "return".
+	// Examples:
+	//   - Rule accessing a property named "namespace": {"rule": "self.__namespace__ > 0"}
+	//   - Rule accessing a property named "x-prop": {"rule": "self.x__dash__prop > 0"}
+	//   - Rule accessing a property named "redact__d": {"rule": "self.redact__underscores__d > 0"}
+	//
+	// Equality on arrays with x-kubernetes-list-type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].
+	// Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:
+	//   - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and
+	//     non-intersecting elements in `Y` are appended, retaining their partial order.
+	//   - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values
+	//     are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with
+	//     non-intersecting keys are appended, retaining their partial order.
+	//
+	// If `rule` makes use of the `oldSelf` variable it is implicitly a
+	// `transition rule`.
+	//
+	// By default, the `oldSelf` variable is the same type as `self`.
+	// When `optionalOldSelf` is true, the `oldSelf` variable is a CEL optional
+	//  variable whose value() is the same type as `self`.
+	// See the documentation for the `optionalOldSelf` field for details.
+	//
+	// Transition rules by default are applied only on UPDATE requests and are
+	// skipped if an old value could not be found. You can opt a transition
+	// rule into unconditional evaluation by setting `optionalOldSelf` to true.
+	//
+	rule: string @go(Rule) @protobuf(1,bytes,opt)
+
+	// Message represents the message displayed when validation fails. The message is required if the Rule contains
+	// line breaks. The message must not contain line breaks.
+	// If unset, the message is "failed rule: {Rule}".
+	// e.g. "must be a URL with the host matching spec.host"
+	message?: string @go(Message) @protobuf(2,bytes,opt)
+
+	// MessageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
+	// Since messageExpression is used as a failure message, it must evaluate to a string.
+	// If both message and messageExpression are present on a rule, then messageExpression will be used if validation
+	// fails. If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
+	// as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
+	// that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
+	// the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
+	// messageExpression has access to all the same variables as the rule; the only difference is the return type.
+	// Example:
+	// "x must be less than max ("+string(self.max)+")"
+	// +optional
+	messageExpression?: string @go(MessageExpression) @protobuf(3,bytes,opt)
+
+	// reason provides a machine-readable validation failure reason that is returned to the caller when a request fails this validation rule.
+	// The HTTP status code returned to the caller will match the reason of the reason of the first failed validation rule.
+	// The currently supported reasons are: "FieldValueInvalid", "FieldValueForbidden", "FieldValueRequired", "FieldValueDuplicate".
+	// If not set, default to use "FieldValueInvalid".
+	// All future added reasons must be accepted by clients when reading this value and unknown reasons should be treated as FieldValueInvalid.
+	// +optional
+	reason?: null | #FieldValueErrorReason @go(Reason,*FieldValueErrorReason) @protobuf(4,bytes,opt)
+
+	// fieldPath represents the field path returned when the validation fails.
+	// It must be a relative JSON path (i.e. with array notation) scoped to the location of this x-kubernetes-validations extension in the schema and refer to an existing field.
+	// e.g. when validation checks if a specific attribute `foo` under a map `testMap`, the fieldPath could be set to `.testMap.foo`
+	// If the validation checks two lists must have unique attributes, the fieldPath could be set to either of the list: e.g. `.testList`
+	// It does not support list numeric index.
+	// It supports child operation to refer to an existing field currently. Refer to [JSONPath support in Kubernetes](https://kubernetes.io/docs/reference/kubectl/jsonpath/) for more info.
+	// Numeric index of array is not supported.
+	// For field name which contains special characters, use `['specialName']` to refer the field name.
+	// e.g. for attribute `foo.34$` appears in a list `testList`, the fieldPath could be set to `.testList['foo.34$']`
+	// +optional
+	fieldPath?: string @go(FieldPath) @protobuf(5,bytes,opt)
+
+	// optionalOldSelf is used to opt a transition rule into evaluation
+	// even when the object is first created, or if the old object is
+	// missing the value.
+	//
+	// When enabled `oldSelf` will be a CEL optional whose value will be
+	// `None` if there is no old value, or when the object is initially created.
+	//
+	// You may check for presence of oldSelf using `oldSelf.hasValue()` and
+	// unwrap it after checking using `oldSelf.value()`. Check the CEL
+	// documentation for Optional types for more information:
+	// https://pkg.go.dev/github.com/google/cel-go/cel#OptionalTypes
+	//
+	// May not be set unless `oldSelf` is used in `rule`.
+	//
+	// +featureGate=CRDValidationRatcheting
+	// +optional
+	optionalOldSelf?: null | bool @go(OptionalOldSelf,*bool) @protobuf(6,bytes,opt)
+}
+
+// JSON represents any valid JSON value.
+// These types are supported: bool, int64, float64, string, []interface{}, map[string]interface{} and nil.
+#JSON: _
+
+// JSONSchemaURL represents a schema url.
+#JSONSchemaURL: string
+
+// JSONSchemaPropsOrArray represents a value that can either be a JSONSchemaProps
+// or an array of JSONSchemaProps. Mainly here for serialization purposes.
+#JSONSchemaPropsOrArray: _
+
+// JSONSchemaPropsOrBool represents JSONSchemaProps or a boolean value.
+// Defaults to true for the boolean property.
+#JSONSchemaPropsOrBool: _
+
+// JSONSchemaDependencies represent a dependencies property.
+#JSONSchemaDependencies: {[string]: #JSONSchemaPropsOrStringArray}
+
+// JSONSchemaPropsOrStringArray represents a JSONSchemaProps or a string array.
+#JSONSchemaPropsOrStringArray: _
+
+// JSONSchemaDefinitions contains the models explicitly defined in this spec.
+#JSONSchemaDefinitions: {[string]: #JSONSchemaProps}
+
+// ExternalDocumentation allows referencing an external resource for extended documentation.
+#ExternalDocumentation: {
+	description?: string @go(Description) @protobuf(1,bytes,opt)
+	url?:         string @go(URL) @protobuf(2,bytes,opt)
+}

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/amount_go_gen.cue

@@ -0,0 +1,47 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/api/resource
+
+package resource
+
+// Scale is used for getting and setting the base-10 scaled value.
+// Base-2 scales are omitted for mathematical simplicity.
+// See Quantity.ScaledValue for more details.
+#Scale: int32 // #enumScale
+
+#enumScale:
+	#Nano |
+	#Micro |
+	#Milli |
+	#Kilo |
+	#Mega |
+	#Giga |
+	#Tera |
+	#Peta |
+	#Exa
+
+#values_Scale: {
+	Nano:  #Nano
+	Micro: #Micro
+	Milli: #Milli
+	Kilo:  #Kilo
+	Mega:  #Mega
+	Giga:  #Giga
+	Tera:  #Tera
+	Peta:  #Peta
+	Exa:   #Exa
+}
+
+#Nano:  #Scale & -9
+#Micro: #Scale & -6
+#Milli: #Scale & -3
+#Kilo:  #Scale & 3
+#Mega:  #Scale & 6
+#Giga:  #Scale & 9
+#Tera:  #Scale & 12
+#Peta:  #Scale & 15
+#Exa:   #Scale & 18
+
+// infDecAmount implements common operations over an inf.Dec that are specific to the quantity
+// representation.
+_#infDecAmount: string

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/math_go_gen.cue

@@ -0,0 +1,13 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/api/resource
+
+package resource
+
+// maxInt64Factors is the highest value that will be checked when removing factors of 10 from an int64.
+// It is also the maximum decimal digits that can be represented with an int64.
+_#maxInt64Factors: 18
+
+_#mostNegative: -9223372036854775808
+
+_#mostPositive: 9223372036854775807

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/quantity_go_gen.cue

@@ -0,0 +1,107 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/api/resource
+
+package resource
+
+// Quantity is a fixed-point representation of a number.
+// It provides convenient marshaling/unmarshaling in JSON and YAML,
+// in addition to String() and AsInt64() accessors.
+//
+// The serialization format is:
+//
+// ```
+// <quantity>        ::= <signedNumber><suffix>
+//
+//	(Note that <suffix> may be empty, from the "" case in <decimalSI>.)
+//
+// <digit>           ::= 0 | 1 | ... | 9
+// <digits>          ::= <digit> | <digit><digits>
+// <number>          ::= <digits> | <digits>.<digits> | <digits>. | .<digits>
+// <sign>            ::= "+" | "-"
+// <signedNumber>    ::= <number> | <sign><number>
+// <suffix>          ::= <binarySI> | <decimalExponent> | <decimalSI>
+// <binarySI>        ::= Ki | Mi | Gi | Ti | Pi | Ei
+//
+//	(International System of units; See: http://physics.nist.gov/cuu/Units/binary.html)
+//
+// <decimalSI>       ::= m | "" | k | M | G | T | P | E
+//
+//	(Note that 1024 = 1Ki but 1000 = 1k; I didn't choose the capitalization.)
+//
+// <decimalExponent> ::= "e" <signedNumber> | "E" <signedNumber>
+// ```
+//
+// No matter which of the three exponent forms is used, no quantity may represent
+// a number greater than 2^63-1 in magnitude, nor may it have more than 3 decimal
+// places. Numbers larger or more precise will be capped or rounded up.
+// (E.g.: 0.1m will rounded up to 1m.)
+// This may be extended in the future if we require larger or smaller quantities.
+//
+// When a Quantity is parsed from a string, it will remember the type of suffix
+// it had, and will use the same type again when it is serialized.
+//
+// Before serializing, Quantity will be put in "canonical form".
+// This means that Exponent/suffix will be adjusted up or down (with a
+// corresponding increase or decrease in Mantissa) such that:
+//
+// - No precision is lost
+// - No fractional digits will be emitted
+// - The exponent (or suffix) is as large as possible.
+//
+// The sign will be omitted unless the number is negative.
+//
+// Examples:
+//
+// - 1.5 will be serialized as "1500m"
+// - 1.5Gi will be serialized as "1536Mi"
+//
+// Note that the quantity will NEVER be internally represented by a
+// floating point number. That is the whole point of this exercise.
+//
+// Non-canonical values will still parse as long as they are well formed,
+// but will be re-emitted in their canonical form. (So always use canonical
+// form, or don't diff.)
+//
+// This format is intended to make it difficult to use these numbers without
+// writing some sort of special handling code in the hopes that that will
+// cause implementors to also use a fixed point implementation.
+//
+// +protobuf=true
+// +protobuf.embed=string
+// +protobuf.options.marshal=false
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+// +k8s:deepcopy-gen=true
+// +k8s:openapi-gen=true
+#Quantity: _
+
+// CanonicalValue allows a quantity amount to be converted to a string.
+#CanonicalValue: _
+
+// Format lists the three possible formattings of a quantity.
+#Format: string // #enumFormat
+
+#enumFormat:
+	#DecimalExponent |
+	#BinarySI |
+	#DecimalSI
+
+#DecimalExponent: #Format & "DecimalExponent"
+#BinarySI:        #Format & "BinarySI"
+#DecimalSI:       #Format & "DecimalSI"
+
+// splitREString is used to separate a number from its suffix; as such,
+// this is overly permissive, but that's OK-- it will be checked later.
+_#splitREString: "^([+-]?[0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$"
+
+_#int64QuantityExpectedBytes: 18
+
+// QuantityValue makes it possible to use a Quantity as value for a command
+// line parameter.
+//
+// +protobuf=true
+// +protobuf.embed=string
+// +protobuf.options.marshal=false
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+// +k8s:deepcopy-gen=true
+#QuantityValue: _

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/suffix_go_gen.cue

@@ -0,0 +1,10 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/api/resource
+
+package resource
+
+_#suffix: string
+
+// suffixer can interpret and construct suffixes.
+_#suffixer: _

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/duration_go_gen.cue

@@ -0,0 +1,10 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1
+
+package v1
+
+// Duration is a wrapper around time.Duration which supports correct
+// marshaling to YAML and JSON. In particular, it marshals into strings, which
+// can be used as map keys in json.
+#Duration: _

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/group_version_go_gen.cue

@@ -0,0 +1,48 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1
+
+package v1
+
+// GroupResource specifies a Group and a Resource, but does not force a version.  This is useful for identifying
+// concepts during lookup stages without having partially valid types
+//
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+#GroupResource: {
+	group:    string @go(Group) @protobuf(1,bytes,opt)
+	resource: string @go(Resource) @protobuf(2,bytes,opt)
+}
+
+// GroupVersionResource unambiguously identifies a resource.  It doesn't anonymously include GroupVersion
+// to avoid automatic coercion.  It doesn't use a GroupVersion to avoid custom marshalling
+//
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+#GroupVersionResource: {
+	group:    string @go(Group) @protobuf(1,bytes,opt)
+	version:  string @go(Version) @protobuf(2,bytes,opt)
+	resource: string @go(Resource) @protobuf(3,bytes,opt)
+}
+
+// GroupKind specifies a Group and a Kind, but does not force a version.  This is useful for identifying
+// concepts during lookup stages without having partially valid types
+//
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+#GroupKind: {
+	group: string @go(Group) @protobuf(1,bytes,opt)
+	kind:  string @go(Kind) @protobuf(2,bytes,opt)
+}
+
+// GroupVersionKind unambiguously identifies a kind.  It doesn't anonymously include GroupVersion
+// to avoid automatic coercion.  It doesn't use a GroupVersion to avoid custom marshalling
+//
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+#GroupVersionKind: {
+	group:   string @go(Group) @protobuf(1,bytes,opt)
+	version: string @go(Version) @protobuf(2,bytes,opt)
+	kind:    string @go(Kind) @protobuf(3,bytes,opt)
+}
+
+// GroupVersion contains the "group" and the "version", which uniquely identifies the API.
+//
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+#GroupVersion: _

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/meta_go_gen.cue

@@ -0,0 +1,33 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1
+
+package v1
+
+// TODO: move this, Object, List, and Type to a different package
+#ObjectMetaAccessor: _
+
+// Object lets you work with object metadata from any of the versioned or
+// internal API objects. Attempting to set or retrieve a field on an object that does
+// not support that field (Name, UID, Namespace on lists) will be a no-op and return
+// a default value.
+#Object: _
+
+// ListMetaAccessor retrieves the list interface from an object
+#ListMetaAccessor: _
+
+// Common lets you work with core metadata from any of the versioned or
+// internal API objects. Attempting to set or retrieve a field on an object that does
+// not support that field will be a no-op and return a default value.
+// TODO: move this, and TypeMeta and ListMeta, to a different package
+#Common: _
+
+// ListInterface lets you work with list metadata from any of the versioned or
+// internal API objects. Attempting to set or retrieve a field on an object that does
+// not support that field will be a no-op and return a default value.
+// TODO: move this, and TypeMeta and ListMeta, to a different package
+#ListInterface: _
+
+// Type exposes the type and APIVersion of versioned or internal API objects.
+// TODO: move this, and TypeMeta and ListMeta, to a different package
+#Type: _

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/micro_time_go_gen.cue

@@ -0,0 +1,14 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1
+
+package v1
+
+#RFC3339Micro: "2006-01-02T15:04:05.000000Z07:00"
+
+// MicroTime is version of Time with microsecond level precision.
+//
+// +protobuf.options.marshal=false
+// +protobuf.as=Timestamp
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+#MicroTime: _

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/register_go_gen.cue

@@ -0,0 +1,9 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1
+
+package v1
+
+#GroupName: "meta.k8s.io"
+
+#WatchEventKind: "WatchEvent"

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/time_go_gen.cue

@@ -0,0 +1,14 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1
+
+package v1
+
+// Time is a wrapper around time.Time which supports correct
+// marshaling to YAML and JSON.  Wrappers are provided for many
+// of the factory methods that the time package offers.
+//
+// +protobuf.options.marshal=false
+// +protobuf.as=Timestamp
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+#Time: _

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/time_proto_go_gen.cue

@@ -0,0 +1,21 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1
+
+package v1
+
+// Timestamp is a struct that is equivalent to Time, but intended for
+// protobuf marshalling/unmarshalling. It is generated into a serialization
+// that matches Time. Do not use in Go structs.
+#Timestamp: {
+	// Represents seconds of UTC time since Unix epoch
+	// 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
+	// 9999-12-31T23:59:59Z inclusive.
+	seconds: int64 @go(Seconds) @protobuf(1,varint,opt)
+
+	// Non-negative fractions of a second at nanosecond resolution. Negative
+	// second values with fractions must still have non-negative nanos values
+	// that count forward in time. Must be from 0 to 999,999,999
+	// inclusive. This field may be limited in precision depending on context.
+	nanos: int32 @go(Nanos) @protobuf(2,varint,opt)
+}

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/watch_go_gen.cue

@@ -0,0 +1,30 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1
+
+package v1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/watch"
+)
+
+// Event represents a single event to a watched resource.
+//
+// +protobuf=true
+// +k8s:deepcopy-gen=true
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+#WatchEvent: {
+	type: string @go(Type) @protobuf(1,bytes,opt)
+
+	// Object is:
+	//  * If Type is Added or Modified: the new state of the object.
+	//  * If Type is Deleted: the state of the object immediately before deletion.
+	//  * If Type is Error: *Status is recommended; other types may make sense
+	//    depending on context.
+	object: runtime.#RawExtension @go(Object) @protobuf(2,bytes,opt)
+}
+
+// InternalEvent makes watch.Event versioned
+// +protobuf=false
+#InternalEvent: watch.#Event

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/allocator_go_gen.cue

@@ -0,0 +1,10 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/runtime
+
+package runtime
+
+// SimpleAllocator a wrapper around make([]byte)
+// conforms to the MemoryAllocator interface
+#SimpleAllocator: {
+}

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/codec_go_gen.cue

@@ -0,0 +1,37 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/runtime
+
+package runtime
+
+// codec binds an encoder and decoder.
+_#codec: {
+	Encoder: #Encoder
+	Decoder: #Decoder
+}
+
+// NoopEncoder converts an Decoder to a Serializer or Codec for code that expects them but only uses decoding.
+#NoopEncoder: {
+	Decoder: #Decoder
+}
+
+_#noopEncoderIdentifier: #Identifier & "noop"
+
+// NoopDecoder converts an Encoder to a Serializer or Codec for code that expects them but only uses encoding.
+#NoopDecoder: {
+	Encoder: #Encoder
+}
+
+_#base64Serializer: {
+	Encoder: #Encoder
+	Decoder: #Decoder
+}
+
+_#internalGroupVersionerIdentifier: "internal"
+_#disabledGroupVersionerIdentifier: "disabled"
+
+_#internalGroupVersioner: {
+}
+
+_#disabledGroupVersioner: {
+}

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/conversion_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/runtime
+
+// Package runtime defines conversions between generic types and structs to map query strings
+// to struct objects.
+package runtime

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/converter_go_gen.cue

@@ -0,0 +1,9 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/runtime
+
+package runtime
+
+// UnstructuredConverter is an interface for converting between interface{}
+// and map[string]interface representation.
+#UnstructuredConverter: _

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/doc_go_gen.cue

@@ -0,0 +1,39 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/runtime
+
+// Package runtime includes helper functions for working with API objects
+// that follow the kubernetes API object conventions, which are:
+//
+// 0. Your API objects have a common metadata struct member, TypeMeta.
+//
+// 1. Your code refers to an internal set of API objects.
+//
+// 2. In a separate package, you have an external set of API objects.
+//
+// 3. The external set is considered to be versioned, and no breaking
+// changes are ever made to it (fields may be added but not changed
+// or removed).
+//
+// 4. As your api evolves, you'll make an additional versioned package
+// with every major change.
+//
+// 5. Versioned packages have conversion functions which convert to
+// and from the internal version.
+//
+// 6. You'll continue to support older versions according to your
+// deprecation policy, and you can easily provide a program/library
+// to update old versions into new versions because of 5.
+//
+// 7. All of your serializations and deserializations are handled in a
+// centralized place.
+//
+// Package runtime provides a conversion helper to make 5 easy, and the
+// Encode/Decode/DecodeInto trio to accomplish 7. You can also register
+// additional "codecs" which use a version of your choice. It's
+// recommended that you register your types with runtime in your
+// package's init function.
+//
+// As a bonus, a few common types useful from all api objects and versions
+// are provided in types.go.
+package runtime

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/embedded_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/runtime
+
+package runtime
+
+_#encodable: _

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/helper_go_gen.cue

@@ -0,0 +1,23 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/runtime
+
+package runtime
+
+// MultiObjectTyper returns the types of objects across multiple schemes in order.
+#MultiObjectTyper: [...#ObjectTyper]
+
+_#defaultFramer: {
+}
+
+// WithVersionEncoder serializes an object and ensures the GVK is set.
+#WithVersionEncoder: {
+	Version:     #GroupVersioner
+	Encoder:     #Encoder
+	ObjectTyper: #ObjectTyper
+}
+
+// WithoutVersionDecoder clears the group version kind of a deserialized object.
+#WithoutVersionDecoder: {
+	Decoder: #Decoder
+}

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/interfaces_go_gen.cue

@@ -0,0 +1,165 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/runtime
+
+package runtime
+
+// APIVersionInternal may be used if you are registering a type that should not
+// be considered stable or serialized - it is a convention only and has no
+// special behavior in this package.
+#APIVersionInternal: "__internal"
+
+// GroupVersioner refines a set of possible conversion targets into a single option.
+#GroupVersioner: _
+
+// Identifier represents an identifier.
+// Identitier of two different objects should be equal if and only if for every
+// input the output they produce is exactly the same.
+#Identifier: string // #enumIdentifier
+
+#enumIdentifier:
+	_#noopEncoderIdentifier
+
+// Encoder writes objects to a serialized form
+#Encoder: _
+
+// MemoryAllocator is responsible for allocating memory.
+// By encapsulating memory allocation into its own interface, we can reuse the memory
+// across many operations in places we know it can significantly improve the performance.
+#MemoryAllocator: _
+
+// EncoderWithAllocator  serializes objects in a way that allows callers to manage any additional memory allocations.
+#EncoderWithAllocator: _
+
+// Decoder attempts to load an object from data.
+#Decoder: _
+
+// Serializer is the core interface for transforming objects into a serialized format and back.
+// Implementations may choose to perform conversion of the object, but no assumptions should be made.
+#Serializer: _
+
+// Codec is a Serializer that deals with the details of versioning objects. It offers the same
+// interface as Serializer, so this is a marker to consumers that care about the version of the objects
+// they receive.
+#Codec: #Serializer
+
+// ParameterCodec defines methods for serializing and deserializing API objects to url.Values and
+// performing any necessary conversion. Unlike the normal Codec, query parameters are not self describing
+// and the desired version must be specified.
+#ParameterCodec: _
+
+// Framer is a factory for creating readers and writers that obey a particular framing pattern.
+#Framer: _
+
+// SerializerInfo contains information about a specific serialization format
+#SerializerInfo: {
+	// MediaType is the value that represents this serializer over the wire.
+	MediaType: string
+
+	// MediaTypeType is the first part of the MediaType ("application" in "application/json").
+	MediaTypeType: string
+
+	// MediaTypeSubType is the second part of the MediaType ("json" in "application/json").
+	MediaTypeSubType: string
+
+	// EncodesAsText indicates this serializer can be encoded to UTF-8 safely.
+	EncodesAsText: bool
+
+	// Serializer is the individual object serializer for this media type.
+	Serializer: #Serializer
+
+	// PrettySerializer, if set, can serialize this object in a form biased towards
+	// readability.
+	PrettySerializer: #Serializer
+
+	// StrictSerializer, if set, deserializes this object strictly,
+	// erring on unknown fields.
+	StrictSerializer: #Serializer
+
+	// StreamSerializer, if set, describes the streaming serialization format
+	// for this media type.
+	StreamSerializer?: null | #StreamSerializerInfo @go(,*StreamSerializerInfo)
+}
+
+// StreamSerializerInfo contains information about a specific stream serialization format
+#StreamSerializerInfo: {
+	// EncodesAsText indicates this serializer can be encoded to UTF-8 safely.
+	EncodesAsText: bool
+
+	// Serializer is the top level object serializer for this type when streaming
+	Serializer: #Serializer
+
+	// Framer is the factory for retrieving streams that separate objects on the wire
+	Framer: #Framer
+}
+
+// NegotiatedSerializer is an interface used for obtaining encoders, decoders, and serializers
+// for multiple supported media types. This would commonly be accepted by a server component
+// that performs HTTP content negotiation to accept multiple formats.
+#NegotiatedSerializer: _
+
+// ClientNegotiator handles turning an HTTP content type into the appropriate encoder.
+// Use NewClientNegotiator or NewVersionedClientNegotiator to create this interface from
+// a NegotiatedSerializer.
+#ClientNegotiator: _
+
+// StorageSerializer is an interface used for obtaining encoders, decoders, and serializers
+// that can read and write data at rest. This would commonly be used by client tools that must
+// read files, or server side storage interfaces that persist restful objects.
+#StorageSerializer: _
+
+// NestedObjectEncoder is an optional interface that objects may implement to be given
+// an opportunity to encode any nested Objects / RawExtensions during serialization.
+#NestedObjectEncoder: _
+
+// NestedObjectDecoder is an optional interface that objects may implement to be given
+// an opportunity to decode any nested Objects / RawExtensions during serialization.
+// It is possible for DecodeNestedObjects to return a non-nil error but for the decoding
+// to have succeeded in the case of strict decoding errors (e.g. unknown/duplicate fields).
+// As such it is important for callers of DecodeNestedObjects to check to confirm whether
+// an error is a runtime.StrictDecodingError before short circuiting.
+// Similarly, implementations of DecodeNestedObjects should ensure that a runtime.StrictDecodingError
+// is only returned when the rest of decoding has succeeded.
+#NestedObjectDecoder: _
+
+#ObjectDefaulter: _
+
+#ObjectVersioner: _
+
+// ObjectConvertor converts an object to a different version.
+#ObjectConvertor: _
+
+// ObjectTyper contains methods for extracting the APIVersion and Kind
+// of objects.
+#ObjectTyper: _
+
+// ObjectCreater contains methods for instantiating an object by kind and version.
+#ObjectCreater: _
+
+// EquivalentResourceMapper provides information about resources that address the same underlying data as a specified resource
+#EquivalentResourceMapper: _
+
+// EquivalentResourceRegistry provides an EquivalentResourceMapper interface,
+// and allows registering known resource[/subresource] -> kind
+#EquivalentResourceRegistry: _
+
+// ResourceVersioner provides methods for setting and retrieving
+// the resource version from an API object.
+#ResourceVersioner: _
+
+// Namer provides methods for retrieving name and namespace of an API object.
+#Namer: _
+
+// Object interface must be supported by all API types registered with Scheme. Since objects in a scheme are
+// expected to be serialized to the wire, the interface an Object must provide to the Scheme allows
+// serializers to set the kind, version, and group the object is represented as. An Object may choose
+// to return a no-op ObjectKindAccessor in cases where it is not expected to be serialized.
+#Object: _
+
+// CacheableObject allows an object to cache its different serializations
+// to avoid performing the same serialization multiple times.
+#CacheableObject: _
+
+// Unstructured objects store values as map[string]interface{}, with only values that can be serialized
+// to JSON allowed.
+#Unstructured: _

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/negotiate_go_gen.cue

@@ -0,0 +1,12 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/runtime
+
+package runtime
+
+// NegotiateError is returned when a ClientNegotiator is unable to locate
+// a serializer for the requested operation.
+#NegotiateError: {
+	ContentType: string
+	Stream:      bool
+}

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/splice_go_gen.cue

@@ -0,0 +1,12 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/runtime
+
+package runtime
+
+// Splice is the interface that wraps the Splice method.
+//
+// Splice moves data from given slice without copying the underlying data for
+// efficiency purpose. Therefore, the caller should make sure the underlying
+// data is not changed later.
+#Splice: _

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/swagger_doc_generator_go_gen.cue

@@ -0,0 +1,14 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/runtime
+
+package runtime
+
+// Pair of strings. We keed the name of fields and the doc
+#Pair: {
+	Name: string
+	Doc:  string
+}
+
+// KubeTypes is an array to represent all available types in a parsed file. [0] is for the type itself
+#KubeTypes: [...#Pair]

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/types_go_gen.cue

@@ -0,0 +1,97 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/runtime
+
+package runtime
+
+// TypeMeta is shared by all top level objects. The proper way to use it is to inline it in your type,
+// like this:
+//
+//	type MyAwesomeAPIObject struct {
+//	     runtime.TypeMeta    `json:",inline"`
+//	     ... // other fields
+//	}
+//
+// func (obj *MyAwesomeAPIObject) SetGroupVersionKind(gvk *metav1.GroupVersionKind) { metav1.UpdateTypeMeta(obj,gvk) }; GroupVersionKind() *GroupVersionKind
+//
+// TypeMeta is provided here for convenience. You may use it directly from this package or define
+// your own with the same fields.
+//
+// +k8s:deepcopy-gen=false
+// +protobuf=true
+// +k8s:openapi-gen=true
+#TypeMeta: {
+	// +optional
+	apiVersion?: string @go(APIVersion) @protobuf(1,bytes,opt)
+
+	// +optional
+	kind?: string @go(Kind) @protobuf(2,bytes,opt)
+}
+
+#ContentTypeJSON:     "application/json"
+#ContentTypeYAML:     "application/yaml"
+#ContentTypeProtobuf: "application/vnd.kubernetes.protobuf"
+
+// RawExtension is used to hold extensions in external versions.
+//
+// To use this, make a field which has RawExtension as its type in your external, versioned
+// struct, and Object in your internal struct. You also need to register your
+// various plugin types.
+//
+// // Internal package:
+//
+//	type MyAPIObject struct {
+//		runtime.TypeMeta `json:",inline"`
+//		MyPlugin runtime.Object `json:"myPlugin"`
+//	}
+//
+//	type PluginA struct {
+//		AOption string `json:"aOption"`
+//	}
+//
+// // External package:
+//
+//	type MyAPIObject struct {
+//		runtime.TypeMeta `json:",inline"`
+//		MyPlugin runtime.RawExtension `json:"myPlugin"`
+//	}
+//
+//	type PluginA struct {
+//		AOption string `json:"aOption"`
+//	}
+//
+// // On the wire, the JSON will look something like this:
+//
+//	{
+//		"kind":"MyAPIObject",
+//		"apiVersion":"v1",
+//		"myPlugin": {
+//			"kind":"PluginA",
+//			"aOption":"foo",
+//		},
+//	}
+//
+// So what happens? Decode first uses json or yaml to unmarshal the serialized data into
+// your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked.
+// The next step is to copy (using pkg/conversion) into the internal struct. The runtime
+// package's DefaultScheme has conversion functions installed which will unpack the
+// JSON stored in RawExtension, turning it into the correct object type, and storing it
+// in the Object. (TODO: In the case where the object is of an unknown type, a
+// runtime.Unknown object will be created and stored.)
+//
+// +k8s:deepcopy-gen=true
+// +protobuf=true
+// +k8s:openapi-gen=true
+#RawExtension: _
+
+// Unknown allows api objects with unknown types to be passed-through. This can be used
+// to deal with the API objects from a plug-in. Unknown objects still have functioning
+// TypeMeta features-- kind, version, etc.
+// TODO: Make this object have easy access to field based accessors and settors for
+// metadata and field mutatation.
+//
+// +k8s:deepcopy-gen=true
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +protobuf=true
+// +k8s:openapi-gen=true
+#Unknown: _

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/types_proto_go_gen.cue

@@ -0,0 +1,9 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/runtime
+
+package runtime
+
+#ProtobufMarshaller: _
+
+#ProtobufReverseMarshaller: _

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/types/doc_go_gen.cue

@@ -0,0 +1,6 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/types
+
+// Package types implements various generic types used throughout kubernetes.
+package types

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/types/namespacedname_go_gen.cue

@@ -0,0 +1,12 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/types
+
+package types
+
+#NamespacedName: {
+	Namespace: string
+	Name:      string
+}
+
+#Separator: 47 // '/'

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/types/nodename_go_gen.cue

@@ -0,0 +1,31 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/types
+
+package types
+
+// NodeName is a type that holds a api.Node's Name identifier.
+// Being a type captures intent and helps make sure that the node name
+// is not confused with similar concepts (the hostname, the cloud provider id,
+// the cloud provider name etc)
+//
+// To clarify the various types:
+//
+//   - Node.Name is the Name field of the Node in the API.  This should be stored in a NodeName.
+//     Unfortunately, because Name is part of ObjectMeta, we can't store it as a NodeName at the API level.
+//
+//   - Hostname is the hostname of the local machine (from uname -n).
+//     However, some components allow the user to pass in a --hostname-override flag,
+//     which will override this in most places. In the absence of anything more meaningful,
+//     kubelet will use Hostname as the Node.Name when it creates the Node.
+//
+// * The cloudproviders have the own names: GCE has InstanceName, AWS has InstanceId.
+//
+//	For GCE, InstanceName is the Name of an Instance object in the GCE API.  On GCE, Instance.Name becomes the
+//	Hostname, and thus it makes sense also to use it as the Node.Name.  But that is GCE specific, and it is up
+//	to the cloudprovider how to do this mapping.
+//
+//	For AWS, the InstanceID is not yet suitable for use as a Node.Name, so we actually use the
+//	PrivateDnsName for the Node.Name.  And this is _not_ always the same as the hostname: if
+//	we are using a custom DHCP domain it won't be.
+#NodeName: string

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/types/patch_go_gen.cue

@@ -0,0 +1,21 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/types
+
+package types
+
+// Similarly to above, these are constants to support HTTP PATCH utilized by
+// both the client and server that didn't make sense for a whole package to be
+// dedicated to.
+#PatchType: string // #enumPatchType
+
+#enumPatchType:
+	#JSONPatchType |
+	#MergePatchType |
+	#StrategicMergePatchType |
+	#ApplyPatchType
+
+#JSONPatchType:           #PatchType & "application/json-patch+json"
+#MergePatchType:          #PatchType & "application/merge-patch+json"
+#StrategicMergePatchType: #PatchType & "application/strategic-merge-patch+json"
+#ApplyPatchType:          #PatchType & "application/apply-patch+yaml"

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/types/uid_go_gen.cue

@@ -0,0 +1,10 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/types
+
+package types
+
+// UID is a type that holds unique ID values, including UUIDs.  Because we
+// don't ONLY use UUIDs, this is an alias to string.  Being a type captures
+// intent and helps make sure that UIDs and names do not get conflated.
+#UID: string

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/util/intstr/intstr_go_gen.cue

@@ -0,0 +1,31 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/util/intstr
+
+package intstr
+
+// IntOrString is a type that can hold an int32 or a string.  When used in
+// JSON or YAML marshalling and unmarshalling, it produces or consumes the
+// inner type.  This allows you to have, for example, a JSON field that can
+// accept a name or number.
+// TODO: Rename to Int32OrString
+//
+// +protobuf=true
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+// +k8s:openapi-gen=true
+#IntOrString: _
+
+// Type represents the stored type of IntOrString.
+#Type: int64 // #enumType
+
+#enumType:
+	#Int |
+	#String
+
+#values_Type: {
+	Int:    #Int
+	String: #String
+}
+
+#Int:    #Type & 0
+#String: #Type & 1

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/watch/doc_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/watch
+
+// Package watch contains a generic watchable interface, and a fake for
+// testing code that uses the watch interface.
+package watch

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/watch/filter_go_gen.cue

@@ -0,0 +1,10 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/watch
+
+package watch
+
+// Recorder records all events that are sent from the watch until it is closed.
+#Recorder: {
+	Interface: #Interface
+}

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/watch/mux_go_gen.cue

@@ -0,0 +1,25 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/watch
+
+package watch
+
+// FullChannelBehavior controls how the Broadcaster reacts if a watcher's watch
+// channel is full.
+#FullChannelBehavior: int // #enumFullChannelBehavior
+
+#enumFullChannelBehavior:
+	#WaitIfChannelFull |
+	#DropIfChannelFull
+
+#values_FullChannelBehavior: {
+	WaitIfChannelFull: #WaitIfChannelFull
+	DropIfChannelFull: #DropIfChannelFull
+}
+
+#WaitIfChannelFull: #FullChannelBehavior & 0
+#DropIfChannelFull: #FullChannelBehavior & 1
+
+_#incomingQueueLength: 25
+
+_#internalRunFunctionMarker: "internal-do-function"

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/watch/streamwatcher_go_gen.cue

@@ -0,0 +1,12 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/watch
+
+package watch
+
+// Decoder allows StreamWatcher to watch any stream for which a Decoder can be written.
+#Decoder: _
+
+// Reporter hides the details of how an error is turned into a runtime.Object for
+// reporting on a watch stream since this package may not import a higher level report.
+#Reporter: _

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/watch/watch_go_gen.cue

@@ -0,0 +1,48 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/watch
+
+package watch
+
+import "k8s.io/apimachinery/pkg/runtime"
+
+// Interface can be implemented by anything that knows how to watch and report changes.
+#Interface: _
+
+// EventType defines the possible types of events.
+#EventType: string // #enumEventType
+
+#enumEventType:
+	#Added |
+	#Modified |
+	#Deleted |
+	#Bookmark |
+	#Error
+
+#Added:    #EventType & "ADDED"
+#Modified: #EventType & "MODIFIED"
+#Deleted:  #EventType & "DELETED"
+#Bookmark: #EventType & "BOOKMARK"
+#Error:    #EventType & "ERROR"
+
+// Event represents a single event to a watched resource.
+// +k8s:deepcopy-gen=true
+#Event: {
+	Type: #EventType
+
+	// Object is:
+	//  * If Type is Added or Modified: the new state of the object.
+	//  * If Type is Deleted: the state of the object immediately before deletion.
+	//  * If Type is Bookmark: the object (instance of a type being watched) where
+	//    only ResourceVersion field is set. On successful restart of watch from a
+	//    bookmark resourceVersion, client is guaranteed to not get repeat event
+	//    nor miss any events.
+	//  * If Type is Error: *api.Status is recommended; other types may make sense
+	//    depending on context.
+	Object: runtime.#Object
+}
+
+// RaceFreeFakeWatcher lets you test anything that consumes a watch.Interface; threadsafe.
+#RaceFreeFakeWatcher: {
+	Stopped: bool
+}

docs/examples/cue.mod/module.cue

@@ -0,0 +1 @@
+module: "github.com/holos-run/holos/docs/examples"

docs/examples/cue.mod/usr/k8s.io/api/core/v1/types.cue

@@ -0,0 +1,11 @@
+package v1
+
+#Namespace: {
+  apiVersion: "v1"
+  kind: "Namespace"
+}
+
+#ConfigMap: {
+  apiVersion: "v1"
+  kind: "ConfigMap"
+}

docs/examples/platforms/.gitignore

@@ -0,0 +1 @@
+platform.site.cue

docs/examples/platforms/constraints.cue

@@ -0,0 +1,4 @@
+package holos
+
+// Constrain the output to one of the defined kinds.
+{} & #Output

docs/examples/platforms/platform.example.cue

@@ -0,0 +1,7 @@
+package holos
+
+// Copy this file to platform.site.cue and specify concrete values for your local site.
+_Platform: org: {
+	name: string | *"example"
+	domain: string | *"example.com"
+}

docs/examples/platforms/reference/projects/output.cue

@@ -0,0 +1,4 @@
+package holos
+
+// Output schema
+{} & #KubernetesObjects

docs/examples/platforms/reference/projects/secrets/components/namespaces/namespaces.cue

@@ -0,0 +1,7 @@
+package holos
+
+objects: [
+	#Namespace & {
+		metadata: name: "external-secrets"
+	}
+]

docs/examples/schema.cue

@@ -0,0 +1,102 @@
+package holos
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	corev1 "k8s.io/api/core/v1"
+	"encoding/yaml"
+)
+
+_apiVersion: "holos.run/v1alpha1"
+
+// #Name defines the name: string key value pair used all over the place.
+#Name: name: string
+
+// #NamespaceMeta defines standard metadata for namespaces.
+// Refer to https://kubernetes.io/docs/reference/labels-annotations-taints/#kubernetes-io-metadata-name
+#NamespaceMeta: {
+	metadata: {
+		name: string
+		labels: "kubernetes.io/metadata.name": name
+	}
+	...
+}
+
+// Kubernetes API Objects
+#Namespace: corev1.#Namespace & #NamespaceMeta
+#ConfigMap: corev1.#ConfigMap
+
+// #InputKeys defines the set of cue tags required to build a cue holos component. The values are used as lookup keys into the _Platform data.
+#InputKeys: {
+	// cluster is usually the only key necessary when working with a component on the command line.
+	cluster: string @tag(cluster, type=string)
+	// stage is usually set by the platform or project.
+	stage: string @tag(stage, type=string)
+	// project is usually set by the platform or project.
+	project: string @tag(project, type=string)
+	// service is usually set by the component.
+	service: string @tag(service, type=string)
+}
+
+// #Platform defines the primary lookup table for the platform.  Lookup keys should be limited to those defined in #KeyTags.
+#Platform: {
+	// org holds user defined values scoped organization wide.  A platform has one and only one organization.
+	org: {
+		name: string
+		domain: string
+	}
+	clusters: [ID=_]: {
+		name: string & ID
+		region?: string
+	}
+	stages: [ID=_]: {
+		name: string & ID
+		environments: [...#Name]
+	}
+	projects: [ID=_]: {
+		name: string & ID
+	}
+	services: [ID=_]: {
+		name: string & ID
+	}
+}
+// _PlatformData stores the values of the primary lookup table.
+_Platform: #Platform
+
+// #OutputTypeMeta is shared among all output types
+#OutputTypeMeta: {
+	// apiVersion is the output api version
+	apiVersion: _apiVersion
+	// kind is a discriminator of the type of output
+	kind: #PlatformSpec.kind | #KubernetesObjects.kind | #ChartValues.kind
+	// out holds the text output
+	out: string | *""
+	// debug returns arbitrary debug output.
+	debug?: _
+}
+
+// #KubernetesObjectOutput is the output schema of a single component.
+#KubernetesObjects: {
+	#OutputTypeMeta
+	// kind KubernetesObjects provides a yaml text stream of kubernetes api objects in the out field.
+	kind: "KubernetesObjects"
+	// objects holds a list of the kubernetes api objects to configure.
+	objects: [...metav1.#TypeMeta] | *[]
+	// out holds the rendered yaml text stream of kubernetes api objects.
+	out: yaml.MarshalStream(objects)
+	// platform returns the platform data structure for visibility / troubleshooting.
+	platform: _Platform
+}
+
+// #ChartValues is the output schema of a holos component which produces values for a helm chart.
+#ChartValues: {
+	#OutputTypeMeta
+	kind: "ChartValues"
+}
+
+// #PlatformSpec is the output schema of a platform specification.
+#PlatformSpec: {
+	#OutputTypeMeta
+	kind: "PlatformSpec"
+}
+
+#Output: #PlatformSpec | #KubernetesObjects | #ChartValues

go.mod

@@ -1,3 +1,32 @@
 module github.com/holos-run/holos
 
 go 1.21.5
+
+require (
+	cuelang.org/go v0.7.0
+	github.com/lmittmann/tint v1.0.4
+	github.com/mattn/go-isatty v0.0.20
+	github.com/spf13/cobra v1.7.0
+)
+
+require (
+	cuelabs.dev/go/oci/ociregistry v0.0.0-20231103182354-93e78c079a13 // indirect
+	github.com/cockroachdb/apd/v3 v3.2.1 // indirect
+	github.com/emicklei/proto v1.10.0 // indirect
+	github.com/google/go-cmp v0.6.0 // indirect
+	github.com/google/uuid v1.3.0 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
+	github.com/mpvl/unique v0.0.0-20150818121801-cbe035fff7de // indirect
+	github.com/opencontainers/go-digest v1.0.0 // indirect
+	github.com/opencontainers/image-spec v1.1.0-rc4 // indirect
+	github.com/protocolbuffers/txtpbfmt v0.0.0-20230328191034-3462fbc510c0 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+	golang.org/x/mod v0.14.0 // indirect
+	golang.org/x/net v0.19.0 // indirect
+	golang.org/x/sys v0.15.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/tools v0.16.1 // indirect
+	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+)

go.sum

@@ -0,0 +1,67 @@
+cuelabs.dev/go/oci/ociregistry v0.0.0-20231103182354-93e78c079a13 h1:zkiIe8AxZ/kDjqQN+mDKc5BxoVJOqioSdqApjc+eB1I=
+cuelabs.dev/go/oci/ociregistry v0.0.0-20231103182354-93e78c079a13/go.mod h1:XGKYSMtsJWfqQYPwq51ZygxAPqpEUj/9bdg16iDPTAA=
+cuelang.org/go v0.7.0 h1:gMztinxuKfJwMIxtboFsNc6s8AxwJGgsJV+3CuLffHI=
+cuelang.org/go v0.7.0/go.mod h1:ix+3dM/bSpdG9xg6qpCgnJnpeLtciZu+O/rDbywoMII=
+github.com/cockroachdb/apd/v3 v3.2.1 h1:U+8j7t0axsIgvQUqthuNm82HIrYXodOV2iWLWtEaIwg=
+github.com/cockroachdb/apd/v3 v3.2.1/go.mod h1:klXJcjp+FffLTHlhIG69tezTDvdP065naDsHzKhYSqc=
+github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/emicklei/proto v1.10.0 h1:pDGyFRVV5RvV+nkBK9iy3q67FBy9Xa7vwrOTE+g5aGw=
+github.com/emicklei/proto v1.10.0/go.mod h1:rn1FgRS/FANiZdD2djyH7TMA9jdRDcYQ9IEN9yvjX0A=
+github.com/go-quicktest/qt v1.101.0 h1:O1K29Txy5P2OK0dGo59b7b0LR6wKfIhttaAhHUyn7eI=
+github.com/go-quicktest/qt v1.101.0/go.mod h1:14Bz/f7NwaXPtdYEgzsx46kqSxVwTbzVZsDC26tQJow=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
+github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
+github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
+github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
+github.com/lib/pq v1.10.7 h1:p7ZhMD+KsSRozJr34udlUrhboJwWAgCg34+/ZZNvZZw=
+github.com/lib/pq v1.10.7/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
+github.com/lmittmann/tint v1.0.4 h1:LeYihpJ9hyGvE0w+K2okPTGUdVLfng1+nDNVR4vWISc=
+github.com/lmittmann/tint v1.0.4/go.mod h1:HIS3gSy7qNwGCj+5oRjAutErFBl4BzdQP6cJZ0NfMwE=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0=
+github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0=
+github.com/mpvl/unique v0.0.0-20150818121801-cbe035fff7de h1:D5x39vF5KCwKQaw+OC9ZPiLVHXz3UFw2+psEX+gYcto=
+github.com/mpvl/unique v0.0.0-20150818121801-cbe035fff7de/go.mod h1:kJun4WP5gFuHZgRjZUWWuH1DTxCtxbHDOIJsudS8jzY=
+github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
+github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
+github.com/opencontainers/image-spec v1.1.0-rc4 h1:oOxKUJWnFC4YGHCCMNql1x4YaDfYBTS5Y4x/Cgeo1E0=
+github.com/opencontainers/image-spec v1.1.0-rc4/go.mod h1:X4pATf0uXsnn3g5aiGIsVnJBR4mxhKzfwmvK/B2NTm8=
+github.com/protocolbuffers/txtpbfmt v0.0.0-20230328191034-3462fbc510c0 h1:sadMIsgmHpEOGbUs6VtHBXRR1OHevnj7hLx9ZcdNGW4=
+github.com/protocolbuffers/txtpbfmt v0.0.0-20230328191034-3462fbc510c0/go.mod h1:jgxiZysxFPM+iWKwQwPR+y+Jvo54ARd4EisXxKYpB5c=
+github.com/rogpeppe/go-internal v1.11.1-0.20231026093722-fa6a31e0812c h1:fPpdjePK1atuOg28PXfNSqgwf9I/qD1Hlo39JFwKBXk=
+github.com/rogpeppe/go-internal v1.11.1-0.20231026093722-fa6a31e0812c/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
+github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I=
+github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0=
+github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
+github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+golang.org/x/exp v0.0.0-20231006140011-7918f672742d h1:jtJma62tbqLibJ5sFQz8bKtEM8rJBtfilJ2qTU199MI=
+golang.org/x/exp v0.0.0-20231006140011-7918f672742d/go.mod h1:ldy0pHrwJyGW56pPQzzkH36rKxoZW1tw7ZJpeKx+hdo=
+golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=
+golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c=
+golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
+golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/tools v0.16.1 h1:TLyB3WofjdOEepBHAU20JdNC1Zbg87elYofWYAY5oZA=
+golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

pkg/api/core/v1alpha1/api.go

@@ -0,0 +1,2 @@
+// Package v1alpha1 is the unstable version of the core api.
+package v1alpha1

pkg/cli/cli.go

@@ -0,0 +1,43 @@
+package cli
+
+import (
+	"fmt"
+	"github.com/holos-run/holos/pkg/config"
+	"github.com/holos-run/holos/pkg/internal/builder"
+	"github.com/holos-run/holos/pkg/version"
+	"github.com/holos-run/holos/pkg/wrapper"
+	"github.com/spf13/cobra"
+)
+
+// newCmd returns a new subcommand
+func newCmd(name string) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:     name,
+		Version: version.Version,
+		Args:    cobra.NoArgs,
+		CompletionOptions: cobra.CompletionOptions{
+			HiddenDefaultCmd: true,
+		},
+		RunE: func(c *cobra.Command, args []string) error {
+			return wrapper.Wrap(fmt.Errorf("could not run %v: not implemented", c.Name()))
+		},
+		SilenceUsage:  true,
+		SilenceErrors: true,
+	}
+	return cmd
+}
+
+// build is the internal implementation of the build cli command
+func build(cmd *cobra.Command, args []string) error {
+	build := builder.New(builder.Entrypoints(args))
+	return build.Run(cmd.Context())
+}
+
+// newBuildCmd returns the build subcommand for the root command
+func newBuildCmd(cfg *config.Config) *cobra.Command {
+	cmd := newCmd("build [directory...]")
+	cmd.Args = cobra.MinimumNArgs(1)
+	cmd.Short = "build kubernetes api objects from a directory"
+	cmd.RunE = build
+	return cmd
+}

pkg/cli/rootcmd.go

@@ -0,0 +1,47 @@
+package cli
+
+import (
+	"github.com/holos-run/holos/pkg/config"
+	"github.com/holos-run/holos/pkg/logger"
+	"github.com/holos-run/holos/pkg/version"
+	"github.com/spf13/cobra"
+	"log/slog"
+)
+
+// New returns a new root *cobra.Command for command line execution.
+func New(cfg *config.Config) *cobra.Command {
+	rootCmd := &cobra.Command{
+		Use:     "holos",
+		Short:   "holos manages a holistic integrated software development platform",
+		Version: version.Version,
+		Args:    cobra.NoArgs,
+		CompletionOptions: cobra.CompletionOptions{
+			HiddenDefaultCmd: true, // Don't complete the complete subcommand itself
+		},
+		SilenceUsage:  true,
+		SilenceErrors: true,
+		PersistentPreRunE: func(c *cobra.Command, args []string) error {
+			if err := cfg.Finalize(); err != nil {
+				return err
+			}
+			log := cfg.Logger()
+			// Set the configured logger in the context.
+			c.SetContext(logger.NewContext(c.Context(), log))
+			// Set the default logger after flag parsing.
+			slog.SetDefault(log)
+			return nil
+		},
+		RunE: func(c *cobra.Command, args []string) error {
+			cfg.Logger().InfoContext(c.Context(), "hello")
+			return nil
+		},
+	}
+	rootCmd.SetVersionTemplate("{{.Version}}\n")
+	rootCmd.Flags().SortFlags = false
+	rootCmd.Flags().AddGoFlagSet(cfg.LogFlagSet())
+
+	// build subcommand
+	rootCmd.AddCommand(newBuildCmd(cfg))
+
+	return rootCmd
+}

pkg/cli/rootcmd_test.go

@@ -0,0 +1,126 @@
+package cli
+
+import (
+	"bytes"
+	"github.com/holos-run/holos/pkg/config"
+	"github.com/holos-run/holos/pkg/logger"
+	"github.com/holos-run/holos/pkg/version"
+	"github.com/spf13/cobra"
+	"strings"
+	"testing"
+)
+
+func newCommand() (*cobra.Command, *bytes.Buffer) {
+	var b bytes.Buffer
+	cmd := New(config.New(config.Stderr(&b)))
+	return cmd, &b
+}
+
+func TestNewRoot(t *testing.T) {
+	cmd, _ := newCommand()
+	if err := cmd.Execute(); err != nil {
+		t.Fatalf("could not execute: %v", err)
+	}
+}
+
+type argsTestCase struct {
+	format string
+	level  string
+	drop   string
+}
+
+func (tc argsTestCase) args() []string {
+	return []string{"--log-format", tc.format, "--log-level", tc.level}
+}
+
+func TestValidArgs(t *testing.T) {
+	t.Parallel()
+	formats := []string{"text", "json"}
+	levels := []string{"debug", "info", "warn", "error"}
+	drops := []string{"version"}
+	for _, format := range formats {
+		for _, level := range levels {
+			for _, drop := range drops {
+				tc := argsTestCase{format, level, drop}
+				t.Run(strings.Join(tc.args(), " "), func(t *testing.T) {
+					cmd, _ := newCommand()
+					cmd.SetArgs(tc.args())
+					if err := cmd.Execute(); err != nil {
+						t.Errorf("unexpected error: %v", err)
+					}
+				})
+			}
+		}
+	}
+}
+
+func TestLogOutput(t *testing.T) {
+	// Lifecycle message is always displayed
+	cmd, b := newCommand()
+	cmd.SetArgs([]string{"--log-level=debug"})
+	if err := cmd.Execute(); err != nil {
+		t.Fatalf("could not execute: %v", err)
+	}
+	stderr := b.String()
+	if !strings.Contains(stderr, "config lifecycle") {
+		t.Fatalf("lifecycle message missing: stderr: %v", stderr)
+	}
+}
+
+func TestLogDrop(t *testing.T) {
+	// Log attributes can be filtered out by the user
+	cmd, b := newCommand()
+	cmd.SetArgs([]string{"--log-level=debug", "--log-drop=version,another"})
+	if err := cmd.Execute(); err != nil {
+		t.Fatalf("could not execute: %v", err)
+	}
+	stderr := b.String()
+	if strings.Contains(stderr, "version") {
+		t.Fatalf("want version dropped got: %v", stderr)
+	}
+}
+
+func TestInvalidArgs(t *testing.T) {
+	invalidArgs := [][]string{
+		{"--log-format=yaml"},
+		{"--log-level=something"},
+	}
+	for _, args := range invalidArgs {
+		var b bytes.Buffer
+		cmd := New(config.New(config.Stdout(&b)))
+		cmd.SetArgs(args)
+		err := cmd.Execute()
+		if err == nil {
+			t.Fatalf("expected error from args: %v", args)
+		}
+	}
+}
+
+func TestLoggerFromContext(t *testing.T) {
+	cmd, b := newCommand()
+	if err := cmd.Execute(); err != nil {
+		t.Fatalf("could not execute: %v", err)
+	}
+	log := logger.FromContext(cmd.Context())
+	want := "612c48a3-30c9-44e3-b8b6-394191d99935"
+	log.Info(want)
+	have := b.String()
+	if !strings.Contains(have, want) {
+		t.Fatalf("want: %v have: %v", want, have)
+	}
+}
+
+func TestVersion(t *testing.T) {
+	var b bytes.Buffer
+	cmd := New(config.New(config.Stdout(&b)))
+	cmd.SetOut(&b)
+	cmd.SetArgs([]string{"--version"})
+	if err := cmd.Execute(); err != nil {
+		t.Fatalf("could not execute: %v", err)
+	}
+	want := version.Version + "\n"
+	have := b.String()
+	if want != have {
+		t.Fatalf("want: %v have: %v", want, have)
+	}
+}

pkg/config/config.go

@@ -0,0 +1,94 @@
+package config
+
+import (
+	"flag"
+	"fmt"
+	"github.com/holos-run/holos/pkg/logger"
+	"io"
+	"log/slog"
+	"os"
+)
+
+// An Option configures a Config
+type Option func(o *options)
+
+type options struct {
+	stdout io.Writer
+	stderr io.Writer
+}
+
+// Stdout redirects standard output to w
+func Stdout(w io.Writer) Option {
+	return func(o *options) { o.stdout = w }
+}
+
+// Stderr redirects standard error to w
+func Stderr(w io.Writer) Option {
+	return func(o *options) { o.stderr = w }
+}
+
+// New returns a new top level cli Config.
+func New(opts ...Option) *Config {
+	o := &options{
+		stdout: os.Stdout,
+		stderr: os.Stderr,
+	}
+	for _, f := range opts {
+		f(o)
+	}
+	return &Config{
+		logConfig: logger.NewConfig(),
+		options:   o,
+	}
+}
+
+// Config holds configuration for the whole program, used by main()
+type Config struct {
+	logConfig *logger.Config
+	logger    *slog.Logger
+	options   *options
+	finalized bool
+}
+
+// LogFlagSet returns the logging *flag.FlagSet
+func (c *Config) LogFlagSet() *flag.FlagSet {
+	return c.logConfig.FlagSet()
+}
+
+// Finalize validates the config and finalizes the startup lifecycle based on user configuration.
+func (c *Config) Finalize() error {
+	if c.finalized {
+		return fmt.Errorf("could not finalize: already finalized")
+	}
+	if err := c.Vet(); err != nil {
+		return err
+	}
+	l := c.Logger()
+	c.logger = l
+	l.Debug("config lifecycle", "state", "finalized")
+	c.finalized = true
+	return nil
+}
+
+// Vet validates the config
+func (c *Config) Vet() error {
+	return c.logConfig.Vet()
+}
+
+// Logger returns a *slog.Logger configured by the user
+func (c *Config) Logger() *slog.Logger {
+	if c.logger != nil {
+		return c.logger
+	}
+	return c.logConfig.NewLogger(c.options.stderr)
+}
+
+// NewTopLevelLogger returns a *slog.Logger with a handler that filters source
+// attributes. Useful as a top level error logger in main().
+func (c *Config) NewTopLevelLogger() *slog.Logger {
+	return c.logConfig.NewTopLevelLogger(c.options.stderr)
+}
+
+func (c *Config) Stderr() io.Writer {
+	return c.options.stderr
+}

pkg/config/config_test.go

@@ -0,0 +1,32 @@
+package config
+
+import (
+	"bytes"
+	"testing"
+)
+
+func newConfig() (*Config, *bytes.Buffer) {
+	var b bytes.Buffer
+	c := New(Stdout(&b))
+	return c, &b
+}
+
+func TestConfigFinalize(t *testing.T) {
+	cfg, _ := newConfig()
+	if err := cfg.Finalize(); err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if !cfg.finalized {
+		t.Fatalf("not finalized")
+	}
+}
+
+func TestConfigFinalizeTwice(t *testing.T) {
+	cfg, _ := newConfig()
+	if err := cfg.Finalize(); err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if err := cfg.Finalize(); err == nil {
+		t.Fatalf("want error got nil")
+	}
+}

pkg/internal/builder/builder.go

@@ -0,0 +1,137 @@
+// Package builder is responsible for building fully rendered kubernetes api
+// objects from various input directories. A directory may contain a platform
+// spec or a component spec.
+package builder
+
+import (
+	"context"
+	"fmt"
+	"github.com/holos-run/holos/pkg/wrapper"
+	"os"
+	"path/filepath"
+
+	"cuelang.org/go/cue/cuecontext"
+	"cuelang.org/go/cue/load"
+)
+
+// An Option configures a Builder
+type Option func(*config)
+
+type config struct {
+	args []string
+}
+
+type Builder struct {
+	cfg config
+}
+
+// New returns a new *Builder configured by opts Option.
+func New(opts ...Option) *Builder {
+	var cfg config
+	for _, f := range opts {
+		f(&cfg)
+	}
+	b := &Builder{cfg: cfg}
+	return b
+}
+
+// Entrypoints configures the leaf directories Builder builds.
+func Entrypoints(args []string) Option {
+	return func(cfg *config) { cfg.args = args }
+}
+
+type buildInfo struct {
+	APIVersion string `json:"apiVersion,omitempty"`
+	Kind       string `json:"kind,omitempty"`
+}
+
+type out struct {
+	Out string `json:"out,omitempty"`
+}
+
+func (b *Builder) Run(ctx context.Context) error {
+	cueCtx := cuecontext.New()
+
+	dir, err := b.findCueMod()
+	if err != nil {
+		return wrapper.Wrap(err)
+	}
+
+	cfg := load.Config{Dir: dir}
+
+	// Make args relative to the module directory
+	args := make([]string, len(b.cfg.args))
+	for idx, path := range b.cfg.args {
+		target, err := filepath.Abs(path)
+		if err != nil {
+			return wrapper.Wrap(fmt.Errorf("could not find absolute path: %w", err))
+		}
+		relPath, err := filepath.Rel(dir, target)
+		if err != nil {
+			return wrapper.Wrap(fmt.Errorf("invalid argument, must be relative to cue.mod: %w", err))
+		}
+		args[idx] = "./" + relPath
+	}
+
+	instances := load.Instances(args, &cfg)
+
+	for _, instance := range instances {
+		var info buildInfo
+		if err := instance.Err; err != nil {
+			return wrapper.Wrap(fmt.Errorf("could not load: %w", err))
+		}
+		value := cueCtx.BuildInstance(instance)
+		if err := value.Err(); err != nil {
+			return wrapper.Wrap(fmt.Errorf("could not build: %w", err))
+		}
+		if err := value.Validate(); err != nil {
+			return wrapper.Wrap(fmt.Errorf("could not validate: %w", err))
+		}
+
+		if err := value.Decode(&info); err != nil {
+			return wrapper.Wrap(fmt.Errorf("could not decode: %w", err))
+		}
+
+		switch kind := info.Kind; kind {
+		case "KubernetesObjects":
+			var out out
+			if err := value.Decode(&out); err != nil {
+				return wrapper.Wrap(fmt.Errorf("could not decode: %w", err))
+			}
+			fmt.Printf(out.Out)
+		default:
+			return wrapper.Wrap(fmt.Errorf("build kind not implemented: %v", kind))
+		}
+	}
+
+	return nil
+}
+
+// findCueMod returns the root module location containing the cue.mod file or
+// directory or an error if the builder arguments do not share a common root
+// module.
+func (b *Builder) findCueMod() (dir string, err error) {
+	for _, origPath := range b.cfg.args {
+		var path string
+		if path, err = filepath.Abs(origPath); err != nil {
+			return
+		}
+		for {
+			if _, err := os.Stat(filepath.Join(path, "cue.mod")); err == nil {
+				if dir != "" && dir != path {
+					return "", fmt.Errorf("multiple modules not supported: %v is not %v", dir, path)
+				}
+				dir = path
+				break
+			} else if !os.IsNotExist(err) {
+				return "", err
+			}
+			parentPath := filepath.Dir(path)
+			if parentPath == path {
+				return "", fmt.Errorf("no cue.mod from root to leaf: %v", origPath)
+			}
+			path = parentPath
+		}
+	}
+	return dir, nil
+}

pkg/logger/logger.go

@@ -0,0 +1,209 @@
+// Package logger provides logging configuration and helpers to pass a logger instance through the context.
+package logger
+
+import (
+	"context"
+	"flag"
+	"fmt"
+	"github.com/holos-run/holos/pkg/version"
+	"github.com/holos-run/holos/pkg/wrapper"
+	"github.com/lmittmann/tint"
+	"github.com/mattn/go-isatty"
+	"io"
+	"log/slog"
+	"os"
+	"path/filepath"
+	"slices"
+	"strings"
+	"time"
+)
+
+const ErrKey = "err"
+
+var validLogLevels = []string{"debug", "info", "warn", "error"}
+var validLogFormats = []string{"text", "json"}
+
+// stringSlice is a comma separated list of string values
+type stringSlice []string
+
+func (s *stringSlice) String() string {
+	return strings.Join((*s)[:], ",")
+}
+
+func (s *stringSlice) Set(value string) error {
+	*s = append(*s, strings.Split(value, ",")...)
+	return nil
+}
+
+// key is an unexported type for keys defined in this package to prevent
+// collisions with keys defined in other packages.
+type key int
+
+// https://cs.opensource.google/go/go/+/refs/tags/go1.21.1:src/context/context.go;l=140-158
+// loggerKey is the key for *slog.Logs values in Contexts. It us unexported;
+// clients use NewContext and FromContext instead of this key directly.
+var loggerKey key
+
+// NewContext returns a new Context that carries value logger. Use FromContext
+// to retrieve the value.
+func NewContext(ctx context.Context, logger *slog.Logger) context.Context {
+	return context.WithValue(ctx, loggerKey, logger)
+}
+
+// FromContext returns the *slog.Logs previously stored in ctx by NewContext.
+// slog.Default() is returned otherwise.
+func FromContext(ctx context.Context) *slog.Logger {
+	// https://go.dev/ref/spec#Type_assertions
+	if logger, ok := ctx.Value(loggerKey).(*slog.Logger); ok {
+		return logger
+	}
+	return slog.Default()
+}
+
+// Config specifies user configurable flag values to create a NewLogger
+type Config struct {
+	level     string
+	format    string
+	dropAttrs stringSlice
+	flagSet   *flag.FlagSet
+}
+
+// GetLogLevel returns a slog.Level configured by the user
+//
+// A non-zero length DEBUG env var takes precedence over config fields.
+func (c *Config) GetLogLevel() slog.Level {
+	if os.Getenv("DEBUG") != "" {
+		return slog.LevelDebug
+	}
+	switch strings.ToLower(c.level) {
+	case "debug":
+		return slog.LevelDebug
+	case "warn":
+		return slog.LevelWarn
+	case "error":
+		return slog.LevelError
+	default:
+		return slog.LevelInfo
+	}
+}
+
+func (c *Config) ReplaceAttr(groups []string, a slog.Attr) slog.Attr {
+	if slices.Contains(c.dropAttrs, a.Key) {
+		return slog.Attr{}
+	}
+	// Check if err
+	if a.Key == ErrKey {
+		if err, ok := a.Value.Any().(error); ok {
+			return tint.Err(err)
+		}
+		if err, ok := a.Value.Any().(string); ok {
+			return tint.Err(fmt.Errorf(err))
+		}
+	} else if a.Key == slog.SourceKey {
+		source := a.Value.Any().(*slog.Source)
+		source.File = filepath.Base(source.File)
+	}
+	return a
+}
+
+// NewTopLevelLogger returns a *slog.Logs configured by c *Config which writes
+// to w without source information. Useful as a top level logger where the
+// source is know and the error is wrapped with a location attribute.
+func (c *Config) NewTopLevelLogger(w io.Writer) *slog.Logger {
+	level := c.GetLogLevel()
+	var handler slog.Handler
+	if c.format == "text" {
+		noColor := true
+		if file, ok := w.(*os.File); ok {
+			noColor = !isatty.IsTerminal(file.Fd())
+		}
+		handler = tint.NewHandler(w, &tint.Options{
+			Level:       level,
+			TimeFormat:  time.Kitchen,
+			AddSource:   false,
+			ReplaceAttr: c.ReplaceAttr,
+			NoColor:     noColor,
+		})
+	} else {
+		handler = slog.NewJSONHandler(w, &slog.HandlerOptions{
+			Level:       level,
+			AddSource:   false,
+			ReplaceAttr: c.ReplaceAttr,
+		})
+	}
+
+	return slog.New(handler).With("version", version.Version)
+}
+
+// NewLogger returns a *slog.Logs configured by c *Config which writes to w
+func (c *Config) NewLogger(w io.Writer) *slog.Logger {
+	level := c.GetLogLevel()
+	var handler slog.Handler
+	if c.format == "text" {
+		noColor := true
+		if file, ok := w.(*os.File); ok {
+			noColor = !isatty.IsTerminal(file.Fd())
+		}
+		handler = tint.NewHandler(w, &tint.Options{
+			Level:       level,
+			TimeFormat:  time.Kitchen,
+			AddSource:   true,
+			ReplaceAttr: c.ReplaceAttr,
+			NoColor:     noColor,
+		})
+	} else {
+		handler = slog.NewJSONHandler(w, &slog.HandlerOptions{
+			Level:       level,
+			AddSource:   true,
+			ReplaceAttr: c.ReplaceAttr,
+		})
+	}
+
+	return slog.New(handler).With("version", version.Version)
+}
+
+// NewConfig returns a new logging Config struct
+func NewConfig() *Config {
+	f := flag.NewFlagSet("", flag.ContinueOnError)
+	c := &Config{flagSet: f}
+	f.StringVar(&c.level, "log-level", "info", fmt.Sprintf("Log Level (%s)", strings.Join(validLogLevels, "|")))
+	f.StringVar(&c.format, "log-format", "text", fmt.Sprintf("Log format (%s)", strings.Join(validLogFormats, "|")))
+	f.Var(&c.dropAttrs, "log-drop", "Log attributes to drop, e.g. \"user-agent,version\"")
+	return c
+}
+
+// FlagSet returns the go flag set to configure logging
+func (c *Config) FlagSet() *flag.FlagSet {
+	return c.flagSet
+}
+
+// Vet validates the config values
+func (c *Config) Vet() error {
+	if err := c.vetLevel(); err != nil {
+		return err
+	}
+	if err := c.vetFormat(); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (c *Config) vetLevel() error {
+	for _, validLevel := range validLogLevels {
+		if c.level == validLevel {
+			return nil
+		}
+	}
+	err := fmt.Errorf("invalid log level: %s is not one of %s", c.level, strings.Join(validLogLevels, ", "))
+	return wrapper.Wrap(err)
+}
+
+func (c *Config) vetFormat() error {
+	for _, validFormat := range validLogFormats {
+		if c.format == validFormat {
+			return nil
+		}
+	}
+	err := fmt.Errorf("invalid log format: %s is not one of %s", c.format, strings.Join(validLogFormats, ", "))
+	return wrapper.Wrap(err)
+}

pkg/logger/logger_test.go

@@ -0,0 +1,13 @@
+package logger
+
+import (
+	"context"
+	"testing"
+)
+
+func TestLoggerFromContext(t *testing.T) {
+	log := FromContext(context.Background())
+	if log == nil {
+		t.Fatalf("want slog.Default() got nil")
+	}
+}

pkg/version/embedded/patch

@@ -1 +1 @@
-0
+1

pkg/wrapper/wrap.go

@@ -0,0 +1,84 @@
+// Package wrapper provides error wrapping with location information
+package wrapper
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"log/slog"
+	"path/filepath"
+	"runtime"
+)
+
+// Source represents the Source file and line where an error was encountered
+type Source struct {
+	File string `json:"file"`
+	Line int    `json:"line"`
+}
+
+func (s *Source) Loc() string {
+	return fmt.Sprintf("%s:%d", filepath.Base(s.File), s.Line)
+}
+
+// ErrorAt wraps an error with the Source location the error was encountered at
+// for tracing from a top level error handler.
+type ErrorAt struct {
+	Err    error
+	Source Source
+}
+
+// Unwrap implements error wrapping.
+func (e *ErrorAt) Unwrap() error {
+	return e.Err
+}
+
+// Error returns the error string with Source location.
+func (e *ErrorAt) Error() string {
+	return e.Source.Loc() + ": " + e.Err.Error()
+}
+
+// Wrap wraps err in a ErrorAt or returns err if err is nil, already a
+// ErrorAt, or caller info is not available.
+func Wrap(err error) error {
+	// Nothing to do
+	if err == nil {
+		return nil
+	}
+
+	// Already a holos error no need to do anything.
+	var errAt *ErrorAt
+	if errors.As(err, &errAt) {
+		return err
+	}
+
+	// Try to wrap err with caller info
+	if _, file, line, ok := runtime.Caller(1); ok {
+		return &ErrorAt{
+			Err: err,
+			Source: Source{
+				File: file,
+				Line: line,
+			},
+		}
+	}
+
+	return err
+}
+
+// Log logs err with Source location if Err is a ErrorAt
+func Log(log *slog.Logger, ctx context.Context, level slog.Level, err error, msg string, args ...any) {
+	var errAt *ErrorAt
+	if ok := errors.As(err, &errAt); ok {
+		args = append(args,
+			slog.String("err", errAt.Unwrap().Error()),
+			slog.String("loc", errAt.Source.Loc()),
+		)
+	} else {
+		if _, file, line, ok := runtime.Caller(1); ok {
+			source := Source{file, line}
+			args = append(args, slog.String("loc", source.Loc()))
+		}
+		args = append(args, slog.String("err", err.Error()))
+	}
+	log.Log(ctx, level, msg, args...)
+}

pkg/wrapper/wrap_test.go

@@ -0,0 +1,87 @@
+package wrapper
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"log/slog"
+	"strings"
+	"testing"
+)
+
+type record struct {
+	Source Source `json:"source"`
+	Err    string `json:"err"`
+	Loc    string `json:"loc"`
+	Msg    string `json:"msg"`
+}
+
+func TestLog(t *testing.T) {
+	testCases := []error{
+		Wrap(fmt.Errorf("when wrapped")),
+		fmt.Errorf("when not wrapped"),
+	}
+
+	for _, err := range testCases {
+		t.Run(err.Error(), func(t *testing.T) {
+			var b bytes.Buffer
+			log := slog.New(slog.NewJSONHandler(&b, &slog.HandlerOptions{AddSource: true}))
+			Log(log, context.Background(), slog.LevelError, err, "handled")
+			var rec record
+			if err := json.Unmarshal(b.Bytes(), &rec); err != nil {
+				t.Fatalf("want json have error: %v", err)
+			}
+
+			have := rec.Loc
+			want := "wrap_test.go:"
+			if !strings.HasPrefix(have, want) {
+				t.Fatalf("want: %v have: %v", want, have)
+			}
+
+			have = rec.Msg
+			want = "handled"
+			if !strings.HasSuffix(have, want) {
+				t.Fatalf("want: %v have: %v", want, have)
+			}
+		})
+	}
+}
+
+func TestLogNotWrapped(t *testing.T) {
+	want := "wrap_test.go:"
+	err := fmt.Errorf("boom")
+	var b bytes.Buffer
+	log := slog.New(slog.NewJSONHandler(&b, &slog.HandlerOptions{AddSource: true}))
+	Log(log, context.Background(), slog.LevelError, err, "handled")
+	var rec record
+	if err := json.Unmarshal(b.Bytes(), &rec); err != nil {
+		t.Fatalf("want json have error: %v", err)
+	}
+
+	have := rec.Loc
+	if !strings.HasPrefix(have, want) {
+		t.Fatalf("want: %v have: %v", want, have)
+	}
+
+	have = rec.Msg
+	want = "handled"
+	if !strings.HasSuffix(have, want) {
+		t.Fatalf("want: %v have: %v", want, have)
+	}
+}
+
+func TestUnwrap(t *testing.T) {
+	err := Wrap(fmt.Errorf("boom"))
+	want := "wrap_test.go:"
+	have := err.Error()
+
+	if !strings.HasPrefix(have, want) {
+		t.Fatalf("want: %v have: %v", want, have)
+	}
+
+	want = "boom"
+	if !strings.HasSuffix(have, want) {
+		t.Fatalf("want: %v have: %v", want, have)
+	}
+}

scripts/test

@@ -0,0 +1,3 @@
+#! /bin/bash
+set -xeuo pipefail
+go test -coverpkg=./... -coverprofile=coverage.out ./...