Vendor tint and adjust colors to solarized dark

Makes the colors look nicer with solarized dark.  We probably need to
make solarized an option and have them default to look nice with basic
ansi colors.

.github/workflows/lint.yaml

@@ -0,0 +1,27 @@
+# https://github.com/golangci/golangci-lint-action?tab=readme-ov-file#how-to-use
+name: Lint
+on:
+  push:
+    branches:
+      - main
+      - test
+  pull_request:
+    types: [opened, synchronize]
+
+permissions:
+  contents: read
+
+jobs:
+  golangci:
+    name: lint
+    runs-on: [self-hosted, k8s]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version: stable
+          cache: false
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v3
+        with:
+          version: latest

.github/workflows/test.yaml

@@ -0,0 +1,27 @@
+name: Unit Tests
+
+on:
+  push:
+    branches:
+      - main
+      - test
+  pull_request:
+    types: [opened, synchronize]
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    runs-on: [self-hosted, k8s]
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: stable
+
+      - name: Test
+        run: ./scripts/test

.gitignore

@@ -1,6 +1,7 @@
-bin
-/vendor
-/.idea
+bin/
+vendor/
+.idea/
 coverage.out
-
 dist/
+*.hold/
+/deploy/

Makefile

@@ -71,11 +71,14 @@ clean: ## Clean executables.
 
 .PHONY: test
 test: ## Run tests.
-	go test ./...
+	scripts/test
+
+.PHONY: lint
+lint: ## Run linters.
+	golangci-lint run
 
 .PHONY: coverage
-coverage:  ## Test coverage profile.
-	go test -coverprofile=coverage.out ./...
+coverage: test  ## Test coverage profile.
 	go tool cover   -html=coverage.out
 
 .PHONY: snapshot

cmd/holos/main.go

@@ -1,10 +1,28 @@
 package main
 
 import (
-  "fmt"
-  "github.com/holos-run/holos/pkg/version"
+	"context"
+	"errors"
+	"github.com/holos-run/holos/pkg/cli"
+	"github.com/holos-run/holos/pkg/config"
+	"github.com/holos-run/holos/pkg/wrapper"
+	"log/slog"
+	"os"
 )
 
 func main() {
-	fmt.Println(version.Version)
+	cfg := config.New()
+	slog.SetDefault(cfg.Logger())
+	ctx := context.Background()
+	if err := cli.New(cfg).ExecuteContext(ctx); err != nil {
+		log := cfg.NewTopLevelLogger()
+		var errAt *wrapper.ErrorAt
+		const msg = "could not execute"
+		if ok := errors.As(err, &errAt); ok {
+			log.ErrorContext(ctx, msg, "err", errAt.Unwrap(), "loc", errAt.Source.Loc())
+		} else {
+			log.ErrorContext(ctx, msg, "err", err)
+		}
+		os.Exit(1)
+	}
 }

docs/examples/cue.mod/gen/k8s.io/api/apps/v1/register_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/apps/v1
+
+package v1
+
+#GroupName: "apps"

docs/examples/cue.mod/gen/k8s.io/api/apps/v1/types_go_gen.cue

@@ -0,0 +1,946 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/apps/v1
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+#ControllerRevisionHashLabelKey: "controller-revision-hash"
+#StatefulSetRevisionLabel:       "controller-revision-hash"
+#DeprecatedRollbackTo:           "deprecated.deployment.rollback.to"
+#DeprecatedTemplateGeneration:   "deprecated.daemonset.template.generation"
+#StatefulSetPodNameLabel:        "statefulset.kubernetes.io/pod-name"
+#PodIndexLabel:                  "apps.kubernetes.io/pod-index"
+
+// StatefulSet represents a set of pods with consistent identities.
+// Identities are defined as:
+//   - Network: A single stable DNS and hostname.
+//   - Storage: As many VolumeClaims as requested.
+//
+// The StatefulSet guarantees that a given network identity will always
+// map to the same storage identity.
+#StatefulSet: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Spec defines the desired identities of pods in this set.
+	// +optional
+	spec?: #StatefulSetSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// Status is the current status of Pods in this StatefulSet. This data
+	// may be out of date by some window of time.
+	// +optional
+	status?: #StatefulSetStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// PodManagementPolicyType defines the policy for creating pods under a stateful set.
+// +enum
+#PodManagementPolicyType: string // #enumPodManagementPolicyType
+
+#enumPodManagementPolicyType:
+	#OrderedReadyPodManagement |
+	#ParallelPodManagement
+
+// OrderedReadyPodManagement will create pods in strictly increasing order on
+// scale up and strictly decreasing order on scale down, progressing only when
+// the previous pod is ready or terminated. At most one pod will be changed
+// at any time.
+#OrderedReadyPodManagement: #PodManagementPolicyType & "OrderedReady"
+
+// ParallelPodManagement will create and delete pods as soon as the stateful set
+// replica count is changed, and will not wait for pods to be ready or complete
+// termination.
+#ParallelPodManagement: #PodManagementPolicyType & "Parallel"
+
+// StatefulSetUpdateStrategy indicates the strategy that the StatefulSet
+// controller will use to perform updates. It includes any additional parameters
+// necessary to perform the update for the indicated strategy.
+#StatefulSetUpdateStrategy: {
+	// Type indicates the type of the StatefulSetUpdateStrategy.
+	// Default is RollingUpdate.
+	// +optional
+	type?: #StatefulSetUpdateStrategyType @go(Type) @protobuf(1,bytes,opt,casttype=StatefulSetStrategyType)
+
+	// RollingUpdate is used to communicate parameters when Type is RollingUpdateStatefulSetStrategyType.
+	// +optional
+	rollingUpdate?: null | #RollingUpdateStatefulSetStrategy @go(RollingUpdate,*RollingUpdateStatefulSetStrategy) @protobuf(2,bytes,opt)
+}
+
+// StatefulSetUpdateStrategyType is a string enumeration type that enumerates
+// all possible update strategies for the StatefulSet controller.
+// +enum
+#StatefulSetUpdateStrategyType: string // #enumStatefulSetUpdateStrategyType
+
+#enumStatefulSetUpdateStrategyType:
+	#RollingUpdateStatefulSetStrategyType |
+	#OnDeleteStatefulSetStrategyType
+
+// RollingUpdateStatefulSetStrategyType indicates that update will be
+// applied to all Pods in the StatefulSet with respect to the StatefulSet
+// ordering constraints. When a scale operation is performed with this
+// strategy, new Pods will be created from the specification version indicated
+// by the StatefulSet's updateRevision.
+#RollingUpdateStatefulSetStrategyType: #StatefulSetUpdateStrategyType & "RollingUpdate"
+
+// OnDeleteStatefulSetStrategyType triggers the legacy behavior. Version
+// tracking and ordered rolling restarts are disabled. Pods are recreated
+// from the StatefulSetSpec when they are manually deleted. When a scale
+// operation is performed with this strategy,specification version indicated
+// by the StatefulSet's currentRevision.
+#OnDeleteStatefulSetStrategyType: #StatefulSetUpdateStrategyType & "OnDelete"
+
+// RollingUpdateStatefulSetStrategy is used to communicate parameter for RollingUpdateStatefulSetStrategyType.
+#RollingUpdateStatefulSetStrategy: {
+	// Partition indicates the ordinal at which the StatefulSet should be partitioned
+	// for updates. During a rolling update, all pods from ordinal Replicas-1 to
+	// Partition are updated. All pods from ordinal Partition-1 to 0 remain untouched.
+	// This is helpful in being able to do a canary based deployment. The default value is 0.
+	// +optional
+	partition?: null | int32 @go(Partition,*int32) @protobuf(1,varint,opt)
+
+	// The maximum number of pods that can be unavailable during the update.
+	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+	// Absolute number is calculated from percentage by rounding up. This can not be 0.
+	// Defaults to 1. This field is alpha-level and is only honored by servers that enable the
+	// MaxUnavailableStatefulSet feature. The field applies to all pods in the range 0 to
+	// Replicas-1. That means if there is any unavailable pod in the range 0 to Replicas-1, it
+	// will be counted towards MaxUnavailable.
+	// +optional
+	maxUnavailable?: null | intstr.#IntOrString @go(MaxUnavailable,*intstr.IntOrString) @protobuf(2,varint,opt)
+}
+
+// PersistentVolumeClaimRetentionPolicyType is a string enumeration of the policies that will determine
+// when volumes from the VolumeClaimTemplates will be deleted when the controlling StatefulSet is
+// deleted or scaled down.
+#PersistentVolumeClaimRetentionPolicyType: string // #enumPersistentVolumeClaimRetentionPolicyType
+
+#enumPersistentVolumeClaimRetentionPolicyType:
+	#RetainPersistentVolumeClaimRetentionPolicyType |
+	#DeletePersistentVolumeClaimRetentionPolicyType
+
+// RetainPersistentVolumeClaimRetentionPolicyType is the default
+// PersistentVolumeClaimRetentionPolicy and specifies that
+// PersistentVolumeClaims associated with StatefulSet VolumeClaimTemplates
+// will not be deleted.
+#RetainPersistentVolumeClaimRetentionPolicyType: #PersistentVolumeClaimRetentionPolicyType & "Retain"
+
+// RetentionPersistentVolumeClaimRetentionPolicyType specifies that
+// PersistentVolumeClaims associated with StatefulSet VolumeClaimTemplates
+// will be deleted in the scenario specified in
+// StatefulSetPersistentVolumeClaimRetentionPolicy.
+#DeletePersistentVolumeClaimRetentionPolicyType: #PersistentVolumeClaimRetentionPolicyType & "Delete"
+
+// StatefulSetPersistentVolumeClaimRetentionPolicy describes the policy used for PVCs
+// created from the StatefulSet VolumeClaimTemplates.
+#StatefulSetPersistentVolumeClaimRetentionPolicy: {
+	// WhenDeleted specifies what happens to PVCs created from StatefulSet
+	// VolumeClaimTemplates when the StatefulSet is deleted. The default policy
+	// of `Retain` causes PVCs to not be affected by StatefulSet deletion. The
+	// `Delete` policy causes those PVCs to be deleted.
+	whenDeleted?: #PersistentVolumeClaimRetentionPolicyType @go(WhenDeleted) @protobuf(1,bytes,opt,casttype=PersistentVolumeClaimRetentionPolicyType)
+
+	// WhenScaled specifies what happens to PVCs created from StatefulSet
+	// VolumeClaimTemplates when the StatefulSet is scaled down. The default
+	// policy of `Retain` causes PVCs to not be affected by a scaledown. The
+	// `Delete` policy causes the associated PVCs for any excess pods above
+	// the replica count to be deleted.
+	whenScaled?: #PersistentVolumeClaimRetentionPolicyType @go(WhenScaled) @protobuf(2,bytes,opt,casttype=PersistentVolumeClaimRetentionPolicyType)
+}
+
+// StatefulSetOrdinals describes the policy used for replica ordinal assignment
+// in this StatefulSet.
+#StatefulSetOrdinals: {
+	// start is the number representing the first replica's index. It may be used
+	// to number replicas from an alternate index (eg: 1-indexed) over the default
+	// 0-indexed names, or to orchestrate progressive movement of replicas from
+	// one StatefulSet to another.
+	// If set, replica indices will be in the range:
+	//   [.spec.ordinals.start, .spec.ordinals.start + .spec.replicas).
+	// If unset, defaults to 0. Replica indices will be in the range:
+	//   [0, .spec.replicas).
+	// +optional
+	start?: int32 @go(Start) @protobuf(1,varint,opt)
+}
+
+// A StatefulSetSpec is the specification of a StatefulSet.
+#StatefulSetSpec: {
+	// replicas is the desired number of replicas of the given Template.
+	// These are replicas in the sense that they are instantiations of the
+	// same Template, but individual replicas also have a consistent identity.
+	// If unspecified, defaults to 1.
+	// TODO: Consider a rename of this field.
+	// +optional
+	replicas?: null | int32 @go(Replicas,*int32) @protobuf(1,varint,opt)
+
+	// selector is a label query over pods that should match the replica count.
+	// It must match the pod template's labels.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+	selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(2,bytes,opt)
+
+	// template is the object that describes the pod that will be created if
+	// insufficient replicas are detected. Each pod stamped out by the StatefulSet
+	// will fulfill this Template, but have a unique identity from the rest
+	// of the StatefulSet. Each pod will be named with the format
+	// <statefulsetname>-<podindex>. For example, a pod in a StatefulSet named
+	// "web" with index number "3" would be named "web-3".
+	// The only allowed template.spec.restartPolicy value is "Always".
+	template: v1.#PodTemplateSpec @go(Template) @protobuf(3,bytes,opt)
+
+	// volumeClaimTemplates is a list of claims that pods are allowed to reference.
+	// The StatefulSet controller is responsible for mapping network identities to
+	// claims in a way that maintains the identity of a pod. Every claim in
+	// this list must have at least one matching (by name) volumeMount in one
+	// container in the template. A claim in this list takes precedence over
+	// any volumes in the template, with the same name.
+	// TODO: Define the behavior if a claim already exists with the same name.
+	// +optional
+	volumeClaimTemplates?: [...v1.#PersistentVolumeClaim] @go(VolumeClaimTemplates,[]v1.PersistentVolumeClaim) @protobuf(4,bytes,rep)
+
+	// serviceName is the name of the service that governs this StatefulSet.
+	// This service must exist before the StatefulSet, and is responsible for
+	// the network identity of the set. Pods get DNS/hostnames that follow the
+	// pattern: pod-specific-string.serviceName.default.svc.cluster.local
+	// where "pod-specific-string" is managed by the StatefulSet controller.
+	serviceName: string @go(ServiceName) @protobuf(5,bytes,opt)
+
+	// podManagementPolicy controls how pods are created during initial scale up,
+	// when replacing pods on nodes, or when scaling down. The default policy is
+	// `OrderedReady`, where pods are created in increasing order (pod-0, then
+	// pod-1, etc) and the controller will wait until each pod is ready before
+	// continuing. When scaling down, the pods are removed in the opposite order.
+	// The alternative policy is `Parallel` which will create pods in parallel
+	// to match the desired scale without waiting, and on scale down will delete
+	// all pods at once.
+	// +optional
+	podManagementPolicy?: #PodManagementPolicyType @go(PodManagementPolicy) @protobuf(6,bytes,opt,casttype=PodManagementPolicyType)
+
+	// updateStrategy indicates the StatefulSetUpdateStrategy that will be
+	// employed to update Pods in the StatefulSet when a revision is made to
+	// Template.
+	updateStrategy?: #StatefulSetUpdateStrategy @go(UpdateStrategy) @protobuf(7,bytes,opt)
+
+	// revisionHistoryLimit is the maximum number of revisions that will
+	// be maintained in the StatefulSet's revision history. The revision history
+	// consists of all revisions not represented by a currently applied
+	// StatefulSetSpec version. The default value is 10.
+	revisionHistoryLimit?: null | int32 @go(RevisionHistoryLimit,*int32) @protobuf(8,varint,opt)
+
+	// Minimum number of seconds for which a newly created pod should be ready
+	// without any of its container crashing for it to be considered available.
+	// Defaults to 0 (pod will be considered available as soon as it is ready)
+	// +optional
+	minReadySeconds?: int32 @go(MinReadySeconds) @protobuf(9,varint,opt)
+
+	// persistentVolumeClaimRetentionPolicy describes the lifecycle of persistent
+	// volume claims created from volumeClaimTemplates. By default, all persistent
+	// volume claims are created as needed and retained until manually deleted. This
+	// policy allows the lifecycle to be altered, for example by deleting persistent
+	// volume claims when their stateful set is deleted, or when their pod is scaled
+	// down. This requires the StatefulSetAutoDeletePVC feature gate to be enabled,
+	// which is alpha.  +optional
+	persistentVolumeClaimRetentionPolicy?: null | #StatefulSetPersistentVolumeClaimRetentionPolicy @go(PersistentVolumeClaimRetentionPolicy,*StatefulSetPersistentVolumeClaimRetentionPolicy) @protobuf(10,bytes,opt)
+
+	// ordinals controls the numbering of replica indices in a StatefulSet. The
+	// default ordinals behavior assigns a "0" index to the first replica and
+	// increments the index by one for each additional replica requested. Using
+	// the ordinals field requires the StatefulSetStartOrdinal feature gate to be
+	// enabled, which is beta.
+	// +optional
+	ordinals?: null | #StatefulSetOrdinals @go(Ordinals,*StatefulSetOrdinals) @protobuf(11,bytes,opt)
+}
+
+// StatefulSetStatus represents the current state of a StatefulSet.
+#StatefulSetStatus: {
+	// observedGeneration is the most recent generation observed for this StatefulSet. It corresponds to the
+	// StatefulSet's generation, which is updated on mutation by the API Server.
+	// +optional
+	observedGeneration?: int64 @go(ObservedGeneration) @protobuf(1,varint,opt)
+
+	// replicas is the number of Pods created by the StatefulSet controller.
+	replicas: int32 @go(Replicas) @protobuf(2,varint,opt)
+
+	// readyReplicas is the number of pods created for this StatefulSet with a Ready Condition.
+	readyReplicas?: int32 @go(ReadyReplicas) @protobuf(3,varint,opt)
+
+	// currentReplicas is the number of Pods created by the StatefulSet controller from the StatefulSet version
+	// indicated by currentRevision.
+	currentReplicas?: int32 @go(CurrentReplicas) @protobuf(4,varint,opt)
+
+	// updatedReplicas is the number of Pods created by the StatefulSet controller from the StatefulSet version
+	// indicated by updateRevision.
+	updatedReplicas?: int32 @go(UpdatedReplicas) @protobuf(5,varint,opt)
+
+	// currentRevision, if not empty, indicates the version of the StatefulSet used to generate Pods in the
+	// sequence [0,currentReplicas).
+	currentRevision?: string @go(CurrentRevision) @protobuf(6,bytes,opt)
+
+	// updateRevision, if not empty, indicates the version of the StatefulSet used to generate Pods in the sequence
+	// [replicas-updatedReplicas,replicas)
+	updateRevision?: string @go(UpdateRevision) @protobuf(7,bytes,opt)
+
+	// collisionCount is the count of hash collisions for the StatefulSet. The StatefulSet controller
+	// uses this field as a collision avoidance mechanism when it needs to create the name for the
+	// newest ControllerRevision.
+	// +optional
+	collisionCount?: null | int32 @go(CollisionCount,*int32) @protobuf(9,varint,opt)
+
+	// Represents the latest available observations of a statefulset's current state.
+	// +optional
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	conditions?: [...#StatefulSetCondition] @go(Conditions,[]StatefulSetCondition) @protobuf(10,bytes,rep)
+
+	// Total number of available pods (ready for at least minReadySeconds) targeted by this statefulset.
+	// +optional
+	availableReplicas?: int32 @go(AvailableReplicas) @protobuf(11,varint,opt)
+}
+
+#StatefulSetConditionType: string
+
+// StatefulSetCondition describes the state of a statefulset at a certain point.
+#StatefulSetCondition: {
+	// Type of statefulset condition.
+	type: #StatefulSetConditionType @go(Type) @protobuf(1,bytes,opt,casttype=StatefulSetConditionType)
+
+	// Status of the condition, one of True, False, Unknown.
+	status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus)
+
+	// Last time the condition transitioned from one status to another.
+	// +optional
+	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt)
+
+	// The reason for the condition's last transition.
+	// +optional
+	reason?: string @go(Reason) @protobuf(4,bytes,opt)
+
+	// A human readable message indicating details about the transition.
+	// +optional
+	message?: string @go(Message) @protobuf(5,bytes,opt)
+}
+
+// StatefulSetList is a collection of StatefulSets.
+#StatefulSetList: {
+	metav1.#TypeMeta
+
+	// Standard list's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// Items is the list of stateful sets.
+	items: [...#StatefulSet] @go(Items,[]StatefulSet) @protobuf(2,bytes,rep)
+}
+
+// Deployment enables declarative updates for Pods and ReplicaSets.
+#Deployment: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Specification of the desired behavior of the Deployment.
+	// +optional
+	spec?: #DeploymentSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// Most recently observed status of the Deployment.
+	// +optional
+	status?: #DeploymentStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// DeploymentSpec is the specification of the desired behavior of the Deployment.
+#DeploymentSpec: {
+	// Number of desired pods. This is a pointer to distinguish between explicit
+	// zero and not specified. Defaults to 1.
+	// +optional
+	replicas?: null | int32 @go(Replicas,*int32) @protobuf(1,varint,opt)
+
+	// Label selector for pods. Existing ReplicaSets whose pods are
+	// selected by this will be the ones affected by this deployment.
+	// It must match the pod template's labels.
+	selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(2,bytes,opt)
+
+	// Template describes the pods that will be created.
+	// The only allowed template.spec.restartPolicy value is "Always".
+	template: v1.#PodTemplateSpec @go(Template) @protobuf(3,bytes,opt)
+
+	// The deployment strategy to use to replace existing pods with new ones.
+	// +optional
+	// +patchStrategy=retainKeys
+	strategy?: #DeploymentStrategy @go(Strategy) @protobuf(4,bytes,opt)
+
+	// Minimum number of seconds for which a newly created pod should be ready
+	// without any of its container crashing, for it to be considered available.
+	// Defaults to 0 (pod will be considered available as soon as it is ready)
+	// +optional
+	minReadySeconds?: int32 @go(MinReadySeconds) @protobuf(5,varint,opt)
+
+	// The number of old ReplicaSets to retain to allow rollback.
+	// This is a pointer to distinguish between explicit zero and not specified.
+	// Defaults to 10.
+	// +optional
+	revisionHistoryLimit?: null | int32 @go(RevisionHistoryLimit,*int32) @protobuf(6,varint,opt)
+
+	// Indicates that the deployment is paused.
+	// +optional
+	paused?: bool @go(Paused) @protobuf(7,varint,opt)
+
+	// The maximum time in seconds for a deployment to make progress before it
+	// is considered to be failed. The deployment controller will continue to
+	// process failed deployments and a condition with a ProgressDeadlineExceeded
+	// reason will be surfaced in the deployment status. Note that progress will
+	// not be estimated during the time a deployment is paused. Defaults to 600s.
+	progressDeadlineSeconds?: null | int32 @go(ProgressDeadlineSeconds,*int32) @protobuf(9,varint,opt)
+}
+
+// DefaultDeploymentUniqueLabelKey is the default key of the selector that is added
+// to existing ReplicaSets (and label key that is added to its pods) to prevent the existing ReplicaSets
+// to select new pods (and old pods being select by new ReplicaSet).
+#DefaultDeploymentUniqueLabelKey: "pod-template-hash"
+
+// DeploymentStrategy describes how to replace existing pods with new ones.
+#DeploymentStrategy: {
+	// Type of deployment. Can be "Recreate" or "RollingUpdate". Default is RollingUpdate.
+	// +optional
+	type?: #DeploymentStrategyType @go(Type) @protobuf(1,bytes,opt,casttype=DeploymentStrategyType)
+
+	// Rolling update config params. Present only if DeploymentStrategyType =
+	// RollingUpdate.
+	//---
+	// TODO: Update this to follow our convention for oneOf, whatever we decide it
+	// to be.
+	// +optional
+	rollingUpdate?: null | #RollingUpdateDeployment @go(RollingUpdate,*RollingUpdateDeployment) @protobuf(2,bytes,opt)
+}
+
+// +enum
+#DeploymentStrategyType: string // #enumDeploymentStrategyType
+
+#enumDeploymentStrategyType:
+	#RecreateDeploymentStrategyType |
+	#RollingUpdateDeploymentStrategyType
+
+// Kill all existing pods before creating new ones.
+#RecreateDeploymentStrategyType: #DeploymentStrategyType & "Recreate"
+
+// Replace the old ReplicaSets by new one using rolling update i.e gradually scale down the old ReplicaSets and scale up the new one.
+#RollingUpdateDeploymentStrategyType: #DeploymentStrategyType & "RollingUpdate"
+
+// Spec to control the desired behavior of rolling update.
+#RollingUpdateDeployment: {
+	// The maximum number of pods that can be unavailable during the update.
+	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+	// Absolute number is calculated from percentage by rounding down.
+	// This can not be 0 if MaxSurge is 0.
+	// Defaults to 25%.
+	// Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods
+	// immediately when the rolling update starts. Once new pods are ready, old ReplicaSet
+	// can be scaled down further, followed by scaling up the new ReplicaSet, ensuring
+	// that the total number of pods available at all times during the update is at
+	// least 70% of desired pods.
+	// +optional
+	maxUnavailable?: null | intstr.#IntOrString @go(MaxUnavailable,*intstr.IntOrString) @protobuf(1,bytes,opt)
+
+	// The maximum number of pods that can be scheduled above the desired number of
+	// pods.
+	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+	// This can not be 0 if MaxUnavailable is 0.
+	// Absolute number is calculated from percentage by rounding up.
+	// Defaults to 25%.
+	// Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when
+	// the rolling update starts, such that the total number of old and new pods do not exceed
+	// 130% of desired pods. Once old pods have been killed,
+	// new ReplicaSet can be scaled up further, ensuring that total number of pods running
+	// at any time during the update is at most 130% of desired pods.
+	// +optional
+	maxSurge?: null | intstr.#IntOrString @go(MaxSurge,*intstr.IntOrString) @protobuf(2,bytes,opt)
+}
+
+// DeploymentStatus is the most recently observed status of the Deployment.
+#DeploymentStatus: {
+	// The generation observed by the deployment controller.
+	// +optional
+	observedGeneration?: int64 @go(ObservedGeneration) @protobuf(1,varint,opt)
+
+	// Total number of non-terminated pods targeted by this deployment (their labels match the selector).
+	// +optional
+	replicas?: int32 @go(Replicas) @protobuf(2,varint,opt)
+
+	// Total number of non-terminated pods targeted by this deployment that have the desired template spec.
+	// +optional
+	updatedReplicas?: int32 @go(UpdatedReplicas) @protobuf(3,varint,opt)
+
+	// readyReplicas is the number of pods targeted by this Deployment with a Ready Condition.
+	// +optional
+	readyReplicas?: int32 @go(ReadyReplicas) @protobuf(7,varint,opt)
+
+	// Total number of available pods (ready for at least minReadySeconds) targeted by this deployment.
+	// +optional
+	availableReplicas?: int32 @go(AvailableReplicas) @protobuf(4,varint,opt)
+
+	// Total number of unavailable pods targeted by this deployment. This is the total number of
+	// pods that are still required for the deployment to have 100% available capacity. They may
+	// either be pods that are running but not yet available or pods that still have not been created.
+	// +optional
+	unavailableReplicas?: int32 @go(UnavailableReplicas) @protobuf(5,varint,opt)
+
+	// Represents the latest available observations of a deployment's current state.
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	conditions?: [...#DeploymentCondition] @go(Conditions,[]DeploymentCondition) @protobuf(6,bytes,rep)
+
+	// Count of hash collisions for the Deployment. The Deployment controller uses this
+	// field as a collision avoidance mechanism when it needs to create the name for the
+	// newest ReplicaSet.
+	// +optional
+	collisionCount?: null | int32 @go(CollisionCount,*int32) @protobuf(8,varint,opt)
+}
+
+#DeploymentConditionType: string // #enumDeploymentConditionType
+
+#enumDeploymentConditionType:
+	#DeploymentAvailable |
+	#DeploymentProgressing |
+	#DeploymentReplicaFailure
+
+// Available means the deployment is available, ie. at least the minimum available
+// replicas required are up and running for at least minReadySeconds.
+#DeploymentAvailable: #DeploymentConditionType & "Available"
+
+// Progressing means the deployment is progressing. Progress for a deployment is
+// considered when a new replica set is created or adopted, and when new pods scale
+// up or old pods scale down. Progress is not estimated for paused deployments or
+// when progressDeadlineSeconds is not specified.
+#DeploymentProgressing: #DeploymentConditionType & "Progressing"
+
+// ReplicaFailure is added in a deployment when one of its pods fails to be created
+// or deleted.
+#DeploymentReplicaFailure: #DeploymentConditionType & "ReplicaFailure"
+
+// DeploymentCondition describes the state of a deployment at a certain point.
+#DeploymentCondition: {
+	// Type of deployment condition.
+	type: #DeploymentConditionType @go(Type) @protobuf(1,bytes,opt,casttype=DeploymentConditionType)
+
+	// Status of the condition, one of True, False, Unknown.
+	status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus)
+
+	// The last time this condition was updated.
+	lastUpdateTime?: metav1.#Time @go(LastUpdateTime) @protobuf(6,bytes,opt)
+
+	// Last time the condition transitioned from one status to another.
+	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(7,bytes,opt)
+
+	// The reason for the condition's last transition.
+	reason?: string @go(Reason) @protobuf(4,bytes,opt)
+
+	// A human readable message indicating details about the transition.
+	message?: string @go(Message) @protobuf(5,bytes,opt)
+}
+
+// DeploymentList is a list of Deployments.
+#DeploymentList: {
+	metav1.#TypeMeta
+
+	// Standard list metadata.
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// Items is the list of Deployments.
+	items: [...#Deployment] @go(Items,[]Deployment) @protobuf(2,bytes,rep)
+}
+
+// DaemonSetUpdateStrategy is a struct used to control the update strategy for a DaemonSet.
+#DaemonSetUpdateStrategy: {
+	// Type of daemon set update. Can be "RollingUpdate" or "OnDelete". Default is RollingUpdate.
+	// +optional
+	type?: #DaemonSetUpdateStrategyType @go(Type) @protobuf(1,bytes,opt)
+
+	// Rolling update config params. Present only if type = "RollingUpdate".
+	//---
+	// TODO: Update this to follow our convention for oneOf, whatever we decide it
+	// to be. Same as Deployment `strategy.rollingUpdate`.
+	// See https://github.com/kubernetes/kubernetes/issues/35345
+	// +optional
+	rollingUpdate?: null | #RollingUpdateDaemonSet @go(RollingUpdate,*RollingUpdateDaemonSet) @protobuf(2,bytes,opt)
+}
+
+// +enum
+#DaemonSetUpdateStrategyType: string // #enumDaemonSetUpdateStrategyType
+
+#enumDaemonSetUpdateStrategyType:
+	#RollingUpdateDaemonSetStrategyType |
+	#OnDeleteDaemonSetStrategyType
+
+// Replace the old daemons by new ones using rolling update i.e replace them on each node one after the other.
+#RollingUpdateDaemonSetStrategyType: #DaemonSetUpdateStrategyType & "RollingUpdate"
+
+// Replace the old daemons only when it's killed
+#OnDeleteDaemonSetStrategyType: #DaemonSetUpdateStrategyType & "OnDelete"
+
+// Spec to control the desired behavior of daemon set rolling update.
+#RollingUpdateDaemonSet: {
+	// The maximum number of DaemonSet pods that can be unavailable during the
+	// update. Value can be an absolute number (ex: 5) or a percentage of total
+	// number of DaemonSet pods at the start of the update (ex: 10%). Absolute
+	// number is calculated from percentage by rounding up.
+	// This cannot be 0 if MaxSurge is 0
+	// Default value is 1.
+	// Example: when this is set to 30%, at most 30% of the total number of nodes
+	// that should be running the daemon pod (i.e. status.desiredNumberScheduled)
+	// can have their pods stopped for an update at any given time. The update
+	// starts by stopping at most 30% of those DaemonSet pods and then brings
+	// up new DaemonSet pods in their place. Once the new pods are available,
+	// it then proceeds onto other DaemonSet pods, thus ensuring that at least
+	// 70% of original number of DaemonSet pods are available at all times during
+	// the update.
+	// +optional
+	maxUnavailable?: null | intstr.#IntOrString @go(MaxUnavailable,*intstr.IntOrString) @protobuf(1,bytes,opt)
+
+	// The maximum number of nodes with an existing available DaemonSet pod that
+	// can have an updated DaemonSet pod during during an update.
+	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+	// This can not be 0 if MaxUnavailable is 0.
+	// Absolute number is calculated from percentage by rounding up to a minimum of 1.
+	// Default value is 0.
+	// Example: when this is set to 30%, at most 30% of the total number of nodes
+	// that should be running the daemon pod (i.e. status.desiredNumberScheduled)
+	// can have their a new pod created before the old pod is marked as deleted.
+	// The update starts by launching new pods on 30% of nodes. Once an updated
+	// pod is available (Ready for at least minReadySeconds) the old DaemonSet pod
+	// on that node is marked deleted. If the old pod becomes unavailable for any
+	// reason (Ready transitions to false, is evicted, or is drained) an updated
+	// pod is immediatedly created on that node without considering surge limits.
+	// Allowing surge implies the possibility that the resources consumed by the
+	// daemonset on any given node can double if the readiness check fails, and
+	// so resource intensive daemonsets should take into account that they may
+	// cause evictions during disruption.
+	// +optional
+	maxSurge?: null | intstr.#IntOrString @go(MaxSurge,*intstr.IntOrString) @protobuf(2,bytes,opt)
+}
+
+// DaemonSetSpec is the specification of a daemon set.
+#DaemonSetSpec: {
+	// A label query over pods that are managed by the daemon set.
+	// Must match in order to be controlled.
+	// It must match the pod template's labels.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+	selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(1,bytes,opt)
+
+	// An object that describes the pod that will be created.
+	// The DaemonSet will create exactly one copy of this pod on every node
+	// that matches the template's node selector (or on every node if no node
+	// selector is specified).
+	// The only allowed template.spec.restartPolicy value is "Always".
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template
+	template: v1.#PodTemplateSpec @go(Template) @protobuf(2,bytes,opt)
+
+	// An update strategy to replace existing DaemonSet pods with new pods.
+	// +optional
+	updateStrategy?: #DaemonSetUpdateStrategy @go(UpdateStrategy) @protobuf(3,bytes,opt)
+
+	// The minimum number of seconds for which a newly created DaemonSet pod should
+	// be ready without any of its container crashing, for it to be considered
+	// available. Defaults to 0 (pod will be considered available as soon as it
+	// is ready).
+	// +optional
+	minReadySeconds?: int32 @go(MinReadySeconds) @protobuf(4,varint,opt)
+
+	// The number of old history to retain to allow rollback.
+	// This is a pointer to distinguish between explicit zero and not specified.
+	// Defaults to 10.
+	// +optional
+	revisionHistoryLimit?: null | int32 @go(RevisionHistoryLimit,*int32) @protobuf(6,varint,opt)
+}
+
+// DaemonSetStatus represents the current status of a daemon set.
+#DaemonSetStatus: {
+	// The number of nodes that are running at least 1
+	// daemon pod and are supposed to run the daemon pod.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
+	currentNumberScheduled: int32 @go(CurrentNumberScheduled) @protobuf(1,varint,opt)
+
+	// The number of nodes that are running the daemon pod, but are
+	// not supposed to run the daemon pod.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
+	numberMisscheduled: int32 @go(NumberMisscheduled) @protobuf(2,varint,opt)
+
+	// The total number of nodes that should be running the daemon
+	// pod (including nodes correctly running the daemon pod).
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
+	desiredNumberScheduled: int32 @go(DesiredNumberScheduled) @protobuf(3,varint,opt)
+
+	// numberReady is the number of nodes that should be running the daemon pod and have one
+	// or more of the daemon pod running with a Ready Condition.
+	numberReady: int32 @go(NumberReady) @protobuf(4,varint,opt)
+
+	// The most recent generation observed by the daemon set controller.
+	// +optional
+	observedGeneration?: int64 @go(ObservedGeneration) @protobuf(5,varint,opt)
+
+	// The total number of nodes that are running updated daemon pod
+	// +optional
+	updatedNumberScheduled?: int32 @go(UpdatedNumberScheduled) @protobuf(6,varint,opt)
+
+	// The number of nodes that should be running the
+	// daemon pod and have one or more of the daemon pod running and
+	// available (ready for at least spec.minReadySeconds)
+	// +optional
+	numberAvailable?: int32 @go(NumberAvailable) @protobuf(7,varint,opt)
+
+	// The number of nodes that should be running the
+	// daemon pod and have none of the daemon pod running and available
+	// (ready for at least spec.minReadySeconds)
+	// +optional
+	numberUnavailable?: int32 @go(NumberUnavailable) @protobuf(8,varint,opt)
+
+	// Count of hash collisions for the DaemonSet. The DaemonSet controller
+	// uses this field as a collision avoidance mechanism when it needs to
+	// create the name for the newest ControllerRevision.
+	// +optional
+	collisionCount?: null | int32 @go(CollisionCount,*int32) @protobuf(9,varint,opt)
+
+	// Represents the latest available observations of a DaemonSet's current state.
+	// +optional
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	conditions?: [...#DaemonSetCondition] @go(Conditions,[]DaemonSetCondition) @protobuf(10,bytes,rep)
+}
+
+#DaemonSetConditionType: string
+
+// DaemonSetCondition describes the state of a DaemonSet at a certain point.
+#DaemonSetCondition: {
+	// Type of DaemonSet condition.
+	type: #DaemonSetConditionType @go(Type) @protobuf(1,bytes,opt,casttype=DaemonSetConditionType)
+
+	// Status of the condition, one of True, False, Unknown.
+	status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus)
+
+	// Last time the condition transitioned from one status to another.
+	// +optional
+	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt)
+
+	// The reason for the condition's last transition.
+	// +optional
+	reason?: string @go(Reason) @protobuf(4,bytes,opt)
+
+	// A human readable message indicating details about the transition.
+	// +optional
+	message?: string @go(Message) @protobuf(5,bytes,opt)
+}
+
+// DaemonSet represents the configuration of a daemon set.
+#DaemonSet: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// The desired behavior of this daemon set.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	// +optional
+	spec?: #DaemonSetSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// The current status of this daemon set. This data may be
+	// out of date by some window of time.
+	// Populated by the system.
+	// Read-only.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	// +optional
+	status?: #DaemonSetStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// DefaultDaemonSetUniqueLabelKey is the default label key that is added
+// to existing DaemonSet pods to distinguish between old and new
+// DaemonSet pods during DaemonSet template updates.
+#DefaultDaemonSetUniqueLabelKey: "controller-revision-hash"
+
+// DaemonSetList is a collection of daemon sets.
+#DaemonSetList: {
+	metav1.#TypeMeta
+
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// A list of daemon sets.
+	items: [...#DaemonSet] @go(Items,[]DaemonSet) @protobuf(2,bytes,rep)
+}
+
+// ReplicaSet ensures that a specified number of pod replicas are running at any given time.
+#ReplicaSet: {
+	metav1.#TypeMeta
+
+	// If the Labels of a ReplicaSet are empty, they are defaulted to
+	// be the same as the Pod(s) that the ReplicaSet manages.
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Spec defines the specification of the desired behavior of the ReplicaSet.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	// +optional
+	spec?: #ReplicaSetSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// Status is the most recently observed status of the ReplicaSet.
+	// This data may be out of date by some window of time.
+	// Populated by the system.
+	// Read-only.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	// +optional
+	status?: #ReplicaSetStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// ReplicaSetList is a collection of ReplicaSets.
+#ReplicaSetList: {
+	metav1.#TypeMeta
+
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// List of ReplicaSets.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller
+	items: [...#ReplicaSet] @go(Items,[]ReplicaSet) @protobuf(2,bytes,rep)
+}
+
+// ReplicaSetSpec is the specification of a ReplicaSet.
+#ReplicaSetSpec: {
+	// Replicas is the number of desired replicas.
+	// This is a pointer to distinguish between explicit zero and unspecified.
+	// Defaults to 1.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/#what-is-a-replicationcontroller
+	// +optional
+	replicas?: null | int32 @go(Replicas,*int32) @protobuf(1,varint,opt)
+
+	// Minimum number of seconds for which a newly created pod should be ready
+	// without any of its container crashing, for it to be considered available.
+	// Defaults to 0 (pod will be considered available as soon as it is ready)
+	// +optional
+	minReadySeconds?: int32 @go(MinReadySeconds) @protobuf(4,varint,opt)
+
+	// Selector is a label query over pods that should match the replica count.
+	// Label keys and values that must match in order to be controlled by this replica set.
+	// It must match the pod template's labels.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+	selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(2,bytes,opt)
+
+	// Template is the object that describes the pod that will be created if
+	// insufficient replicas are detected.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template
+	// +optional
+	template?: v1.#PodTemplateSpec @go(Template) @protobuf(3,bytes,opt)
+}
+
+// ReplicaSetStatus represents the current status of a ReplicaSet.
+#ReplicaSetStatus: {
+	// Replicas is the most recently observed number of replicas.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/#what-is-a-replicationcontroller
+	replicas: int32 @go(Replicas) @protobuf(1,varint,opt)
+
+	// The number of pods that have labels matching the labels of the pod template of the replicaset.
+	// +optional
+	fullyLabeledReplicas?: int32 @go(FullyLabeledReplicas) @protobuf(2,varint,opt)
+
+	// readyReplicas is the number of pods targeted by this ReplicaSet with a Ready Condition.
+	// +optional
+	readyReplicas?: int32 @go(ReadyReplicas) @protobuf(4,varint,opt)
+
+	// The number of available replicas (ready for at least minReadySeconds) for this replica set.
+	// +optional
+	availableReplicas?: int32 @go(AvailableReplicas) @protobuf(5,varint,opt)
+
+	// ObservedGeneration reflects the generation of the most recently observed ReplicaSet.
+	// +optional
+	observedGeneration?: int64 @go(ObservedGeneration) @protobuf(3,varint,opt)
+
+	// Represents the latest available observations of a replica set's current state.
+	// +optional
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	conditions?: [...#ReplicaSetCondition] @go(Conditions,[]ReplicaSetCondition) @protobuf(6,bytes,rep)
+}
+
+#ReplicaSetConditionType: string // #enumReplicaSetConditionType
+
+#enumReplicaSetConditionType:
+	#ReplicaSetReplicaFailure
+
+// ReplicaSetReplicaFailure is added in a replica set when one of its pods fails to be created
+// due to insufficient quota, limit ranges, pod security policy, node selectors, etc. or deleted
+// due to kubelet being down or finalizers are failing.
+#ReplicaSetReplicaFailure: #ReplicaSetConditionType & "ReplicaFailure"
+
+// ReplicaSetCondition describes the state of a replica set at a certain point.
+#ReplicaSetCondition: {
+	// Type of replica set condition.
+	type: #ReplicaSetConditionType @go(Type) @protobuf(1,bytes,opt,casttype=ReplicaSetConditionType)
+
+	// Status of the condition, one of True, False, Unknown.
+	status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus)
+
+	// The last time the condition transitioned from one status to another.
+	// +optional
+	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt)
+
+	// The reason for the condition's last transition.
+	// +optional
+	reason?: string @go(Reason) @protobuf(4,bytes,opt)
+
+	// A human readable message indicating details about the transition.
+	// +optional
+	message?: string @go(Message) @protobuf(5,bytes,opt)
+}
+
+// ControllerRevision implements an immutable snapshot of state data. Clients
+// are responsible for serializing and deserializing the objects that contain
+// their internal state.
+// Once a ControllerRevision has been successfully created, it can not be updated.
+// The API Server will fail validation of all requests that attempt to mutate
+// the Data field. ControllerRevisions may, however, be deleted. Note that, due to its use by both
+// the DaemonSet and StatefulSet controllers for update and rollback, this object is beta. However,
+// it may be subject to name and representation changes in future releases, and clients should not
+// depend on its stability. It is primarily for internal use by controllers.
+#ControllerRevision: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Data is the serialized representation of the state.
+	data?: runtime.#RawExtension @go(Data) @protobuf(2,bytes,opt)
+
+	// Revision indicates the revision of the state represented by Data.
+	revision: int64 @go(Revision) @protobuf(3,varint,opt)
+}
+
+// ControllerRevisionList is a resource containing a list of ControllerRevision objects.
+#ControllerRevisionList: {
+	metav1.#TypeMeta
+
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// Items is the list of ControllerRevisions
+	items: [...#ControllerRevision] @go(Items,[]ControllerRevision) @protobuf(2,bytes,rep)
+}

docs/examples/cue.mod/gen/k8s.io/api/core/v1/annotation_key_constants_go_gen.cue

@@ -0,0 +1,147 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/core/v1
+
+package v1
+
+// ImagePolicyFailedOpenKey is added to pods created by failing open when the image policy
+// webhook backend fails.
+#ImagePolicyFailedOpenKey: "alpha.image-policy.k8s.io/failed-open"
+
+// MirrorAnnotationKey represents the annotation key set by kubelets when creating mirror pods
+#MirrorPodAnnotationKey: "kubernetes.io/config.mirror"
+
+// TolerationsAnnotationKey represents the key of tolerations data (json serialized)
+// in the Annotations of a Pod.
+#TolerationsAnnotationKey: "scheduler.alpha.kubernetes.io/tolerations"
+
+// TaintsAnnotationKey represents the key of taints data (json serialized)
+// in the Annotations of a Node.
+#TaintsAnnotationKey: "scheduler.alpha.kubernetes.io/taints"
+
+// SeccompPodAnnotationKey represents the key of a seccomp profile applied
+// to all containers of a pod.
+// Deprecated: set a pod security context `seccompProfile` field.
+#SeccompPodAnnotationKey: "seccomp.security.alpha.kubernetes.io/pod"
+
+// SeccompContainerAnnotationKeyPrefix represents the key of a seccomp profile applied
+// to one container of a pod.
+// Deprecated: set a container security context `seccompProfile` field.
+#SeccompContainerAnnotationKeyPrefix: "container.seccomp.security.alpha.kubernetes.io/"
+
+// SeccompProfileRuntimeDefault represents the default seccomp profile used by container runtime.
+// Deprecated: set a pod or container security context `seccompProfile` of type "RuntimeDefault" instead.
+#SeccompProfileRuntimeDefault: "runtime/default"
+
+// SeccompProfileNameUnconfined is the unconfined seccomp profile.
+#SeccompProfileNameUnconfined: "unconfined"
+
+// SeccompLocalhostProfileNamePrefix is the prefix for specifying profiles loaded from the node's disk.
+#SeccompLocalhostProfileNamePrefix: "localhost/"
+
+// AppArmorBetaContainerAnnotationKeyPrefix is the prefix to an annotation key specifying a container's apparmor profile.
+#AppArmorBetaContainerAnnotationKeyPrefix: "container.apparmor.security.beta.kubernetes.io/"
+
+// AppArmorBetaDefaultProfileAnnotationKey is the annotation key specifying the default AppArmor profile.
+#AppArmorBetaDefaultProfileAnnotationKey: "apparmor.security.beta.kubernetes.io/defaultProfileName"
+
+// AppArmorBetaAllowedProfilesAnnotationKey is the annotation key specifying the allowed AppArmor profiles.
+#AppArmorBetaAllowedProfilesAnnotationKey: "apparmor.security.beta.kubernetes.io/allowedProfileNames"
+
+// AppArmorBetaProfileRuntimeDefault is the profile specifying the runtime default.
+#AppArmorBetaProfileRuntimeDefault: "runtime/default"
+
+// AppArmorBetaProfileNamePrefix is the prefix for specifying profiles loaded on the node.
+#AppArmorBetaProfileNamePrefix: "localhost/"
+
+// AppArmorBetaProfileNameUnconfined is the Unconfined AppArmor profile
+#AppArmorBetaProfileNameUnconfined: "unconfined"
+
+// DeprecatedSeccompProfileDockerDefault represents the default seccomp profile used by docker.
+// Deprecated: set a pod or container security context `seccompProfile` of type "RuntimeDefault" instead.
+#DeprecatedSeccompProfileDockerDefault: "docker/default"
+
+// PreferAvoidPodsAnnotationKey represents the key of preferAvoidPods data (json serialized)
+// in the Annotations of a Node.
+#PreferAvoidPodsAnnotationKey: "scheduler.alpha.kubernetes.io/preferAvoidPods"
+
+// ObjectTTLAnnotationKey represents a suggestion for kubelet for how long it can cache
+// an object (e.g. secret, config map) before fetching it again from apiserver.
+// This annotation can be attached to node.
+#ObjectTTLAnnotationKey: "node.alpha.kubernetes.io/ttl"
+
+// annotation key prefix used to identify non-convertible json paths.
+#NonConvertibleAnnotationPrefix: "non-convertible.kubernetes.io"
+_#kubectlPrefix:                 "kubectl.kubernetes.io/"
+
+// LastAppliedConfigAnnotation is the annotation used to store the previous
+// configuration of a resource for use in a three way diff by UpdateApplyAnnotation.
+#LastAppliedConfigAnnotation: "kubectl.kubernetes.io/last-applied-configuration"
+
+// AnnotationLoadBalancerSourceRangesKey is the key of the annotation on a service to set allowed ingress ranges on their LoadBalancers
+//
+// It should be a comma-separated list of CIDRs, e.g. `0.0.0.0/0` to
+// allow full access (the default) or `18.0.0.0/8,56.0.0.0/8` to allow
+// access only from the CIDRs currently allocated to MIT & the USPS.
+//
+// Not all cloud providers support this annotation, though AWS & GCE do.
+#AnnotationLoadBalancerSourceRangesKey: "service.beta.kubernetes.io/load-balancer-source-ranges"
+
+// EndpointsLastChangeTriggerTime is the annotation key, set for endpoints objects, that
+// represents the timestamp (stored as RFC 3339 date-time string, e.g. '2018-10-22T19:32:52.1Z')
+// of the last change, of some Pod or Service object, that triggered the endpoints object change.
+// In other words, if a Pod / Service changed at time T0, that change was observed by endpoints
+// controller at T1, and the Endpoints object was changed at T2, the
+// EndpointsLastChangeTriggerTime would be set to T0.
+//
+// The "endpoints change trigger" here means any Pod or Service change that resulted in the
+// Endpoints object change.
+//
+// Given the definition of the "endpoints change trigger", please note that this annotation will
+// be set ONLY for endpoints object changes triggered by either Pod or Service change. If the
+// Endpoints object changes due to other reasons, this annotation won't be set (or updated if it's
+// already set).
+//
+// This annotation will be used to compute the in-cluster network programming latency SLI, see
+// https://github.com/kubernetes/community/blob/master/sig-scalability/slos/network_programming_latency.md
+#EndpointsLastChangeTriggerTime: "endpoints.kubernetes.io/last-change-trigger-time"
+
+// EndpointsOverCapacity will be set on an Endpoints resource when it
+// exceeds the maximum capacity of 1000 addresses. Initially the Endpoints
+// controller will set this annotation with a value of "warning". In a
+// future release, the controller may set this annotation with a value of
+// "truncated" to indicate that any addresses exceeding the limit of 1000
+// have been truncated from the Endpoints resource.
+#EndpointsOverCapacity: "endpoints.kubernetes.io/over-capacity"
+
+// MigratedPluginsAnnotationKey is the annotation key, set for CSINode objects, that is a comma-separated
+// list of in-tree plugins that will be serviced by the CSI backend on the Node represented by CSINode.
+// This annotation is used by the Attach Detach Controller to determine whether to use the in-tree or
+// CSI Backend for a volume plugin on a specific node.
+#MigratedPluginsAnnotationKey: "storage.alpha.kubernetes.io/migrated-plugins"
+
+// PodDeletionCost can be used to set to an int32 that represent the cost of deleting
+// a pod compared to other pods belonging to the same ReplicaSet. Pods with lower
+// deletion cost are preferred to be deleted before pods with higher deletion cost.
+// Note that this is honored on a best-effort basis, and so it does not offer guarantees on
+// pod deletion order.
+// The implicit deletion cost for pods that don't set the annotation is 0, negative values are permitted.
+//
+// This annotation is beta-level and is only honored when PodDeletionCost feature is enabled.
+#PodDeletionCost: "controller.kubernetes.io/pod-deletion-cost"
+
+// DeprecatedAnnotationTopologyAwareHints can be used to enable or disable
+// Topology Aware Hints for a Service. This may be set to "Auto" or
+// "Disabled". Any other value is treated as "Disabled". This annotation has
+// been deprecated in favor of the "service.kubernetes.io/topology-mode"
+// annotation.
+#DeprecatedAnnotationTopologyAwareHints: "service.kubernetes.io/topology-aware-hints"
+
+// AnnotationTopologyMode can be used to enable or disable Topology Aware
+// Routing for a Service. Well known values are "Auto" and "Disabled".
+// Implementations may choose to develop new topology approaches, exposing
+// them with domain-prefixed values. For example, "example.com/lowest-rtt"
+// could be a valid implementation-specific value for this annotation. These
+// heuristics will often populate topology hints on EndpointSlices, but that
+// is not a requirement.
+#AnnotationTopologyMode: "service.kubernetes.io/topology-mode"

docs/examples/cue.mod/gen/k8s.io/api/core/v1/doc_go_gen.cue

@@ -0,0 +1,6 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/core/v1
+
+// Package v1 is the v1 version of the core API.
+package v1

docs/examples/cue.mod/gen/k8s.io/api/core/v1/register_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/core/v1
+
+package v1
+
+#GroupName: ""

docs/examples/cue.mod/gen/k8s.io/api/core/v1/well_known_labels_go_gen.cue

@@ -0,0 +1,59 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/core/v1
+
+package v1
+
+#LabelHostname: "kubernetes.io/hostname"
+
+// Label value is the network location of kube-apiserver stored as <ip:port>
+// Stored in APIServer Identity lease objects to view what address is used for peer proxy
+#AnnotationPeerAdvertiseAddress: "kubernetes.io/peer-advertise-address"
+#LabelTopologyZone:              "topology.kubernetes.io/zone"
+#LabelTopologyRegion:            "topology.kubernetes.io/region"
+
+// These label have been deprecated since 1.17, but will be supported for
+// the foreseeable future, to accommodate things like long-lived PVs that
+// use them.  New users should prefer the "topology.kubernetes.io/*"
+// equivalents.
+#LabelFailureDomainBetaZone:   "failure-domain.beta.kubernetes.io/zone"
+#LabelFailureDomainBetaRegion: "failure-domain.beta.kubernetes.io/region"
+
+// Retained for compat when vendored.  Do not use these consts in new code.
+#LabelZoneFailureDomain:       "failure-domain.beta.kubernetes.io/zone"
+#LabelZoneRegion:              "failure-domain.beta.kubernetes.io/region"
+#LabelZoneFailureDomainStable: "topology.kubernetes.io/zone"
+#LabelZoneRegionStable:        "topology.kubernetes.io/region"
+#LabelInstanceType:            "beta.kubernetes.io/instance-type"
+#LabelInstanceTypeStable:      "node.kubernetes.io/instance-type"
+#LabelOSStable:                "kubernetes.io/os"
+#LabelArchStable:              "kubernetes.io/arch"
+
+// LabelWindowsBuild is used on Windows nodes to specify the Windows build number starting with v1.17.0.
+// It's in the format MajorVersion.MinorVersion.BuildNumber (for ex: 10.0.17763)
+#LabelWindowsBuild: "node.kubernetes.io/windows-build"
+
+// LabelNamespaceSuffixKubelet is an allowed label namespace suffix kubelets can self-set ([*.]kubelet.kubernetes.io/*)
+#LabelNamespaceSuffixKubelet: "kubelet.kubernetes.io"
+
+// LabelNamespaceSuffixNode is an allowed label namespace suffix kubelets can self-set ([*.]node.kubernetes.io/*)
+#LabelNamespaceSuffixNode: "node.kubernetes.io"
+
+// LabelNamespaceNodeRestriction is a forbidden label namespace that kubelets may not self-set when the NodeRestriction admission plugin is enabled
+#LabelNamespaceNodeRestriction: "node-restriction.kubernetes.io"
+
+// IsHeadlessService is added by Controller to an Endpoint denoting if its parent
+// Service is Headless. The existence of this label can be used further by other
+// controllers and kube-proxy to check if the Endpoint objects should be replicated when
+// using Headless Services
+#IsHeadlessService: "service.kubernetes.io/headless"
+
+// LabelNodeExcludeBalancers specifies that the node should not be considered as a target
+// for external load-balancers which use nodes as a second hop (e.g. many cloud LBs which only
+// understand nodes). For services that use externalTrafficPolicy=Local, this may mean that
+// any backends on excluded nodes are not reachable by those external load-balancers.
+// Implementations of this exclusion may vary based on provider.
+#LabelNodeExcludeBalancers: "node.kubernetes.io/exclude-from-external-load-balancers"
+
+// LabelMetadataName is the label name which, in-tree, is used to automatically label namespaces, so they can be selected easily by tools which require definitive labels
+#LabelMetadataName: "kubernetes.io/metadata.name"

docs/examples/cue.mod/gen/k8s.io/api/core/v1/well_known_taints_go_gen.cue

@@ -0,0 +1,38 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/core/v1
+
+package v1
+
+// TaintNodeNotReady will be added when node is not ready
+// and removed when node becomes ready.
+#TaintNodeNotReady: "node.kubernetes.io/not-ready"
+
+// TaintNodeUnreachable will be added when node becomes unreachable
+// (corresponding to NodeReady status ConditionUnknown)
+// and removed when node becomes reachable (NodeReady status ConditionTrue).
+#TaintNodeUnreachable: "node.kubernetes.io/unreachable"
+
+// TaintNodeUnschedulable will be added when node becomes unschedulable
+// and removed when node becomes schedulable.
+#TaintNodeUnschedulable: "node.kubernetes.io/unschedulable"
+
+// TaintNodeMemoryPressure will be added when node has memory pressure
+// and removed when node has enough memory.
+#TaintNodeMemoryPressure: "node.kubernetes.io/memory-pressure"
+
+// TaintNodeDiskPressure will be added when node has disk pressure
+// and removed when node has enough disk.
+#TaintNodeDiskPressure: "node.kubernetes.io/disk-pressure"
+
+// TaintNodeNetworkUnavailable will be added when node's network is unavailable
+// and removed when network becomes ready.
+#TaintNodeNetworkUnavailable: "node.kubernetes.io/network-unavailable"
+
+// TaintNodePIDPressure will be added when node has pid pressure
+// and removed when node has enough pid.
+#TaintNodePIDPressure: "node.kubernetes.io/pid-pressure"
+
+// TaintNodeOutOfService can be added when node is out of service in case of
+// a non-graceful shutdown
+#TaintNodeOutOfService: "node.kubernetes.io/out-of-service"

docs/examples/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/doc_go_gen.cue

@@ -0,0 +1,6 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1
+
+// Package v1 is the v1 version of the API.
+package v1

docs/examples/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/register_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1
+
+package v1
+
+#GroupName: "apiextensions.k8s.io"

docs/examples/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/types_go_gen.cue

@@ -0,0 +1,513 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// ConversionStrategyType describes different conversion types.
+#ConversionStrategyType: string // #enumConversionStrategyType
+
+#enumConversionStrategyType:
+	#NoneConverter |
+	#WebhookConverter
+
+// KubeAPIApprovedAnnotation is an annotation that must be set to create a CRD for the k8s.io, *.k8s.io, kubernetes.io, or *.kubernetes.io namespaces.
+// The value should be a link to a URL where the current spec was approved, so updates to the spec should also update the URL.
+// If the API is unapproved, you may set the annotation to a string starting with `"unapproved"`.  For instance, `"unapproved, temporarily squatting"` or `"unapproved, experimental-only"`.  This is discouraged.
+#KubeAPIApprovedAnnotation: "api-approved.kubernetes.io"
+
+// NoneConverter is a converter that only sets apiversion of the CR and leave everything else unchanged.
+#NoneConverter: #ConversionStrategyType & "None"
+
+// WebhookConverter is a converter that calls to an external webhook to convert the CR.
+#WebhookConverter: #ConversionStrategyType & "Webhook"
+
+// CustomResourceDefinitionSpec describes how a user wants their resource to appear
+#CustomResourceDefinitionSpec: {
+	// group is the API group of the defined custom resource.
+	// The custom resources are served under `/apis/<group>/...`.
+	// Must match the name of the CustomResourceDefinition (in the form `<names.plural>.<group>`).
+	group: string @go(Group) @protobuf(1,bytes,opt)
+
+	// names specify the resource and kind names for the custom resource.
+	names: #CustomResourceDefinitionNames @go(Names) @protobuf(3,bytes,opt)
+
+	// scope indicates whether the defined custom resource is cluster- or namespace-scoped.
+	// Allowed values are `Cluster` and `Namespaced`.
+	scope: #ResourceScope @go(Scope) @protobuf(4,bytes,opt,casttype=ResourceScope)
+
+	// versions is the list of all API versions of the defined custom resource.
+	// Version names are used to compute the order in which served versions are listed in API discovery.
+	// If the version string is "kube-like", it will sort above non "kube-like" version strings, which are ordered
+	// lexicographically. "Kube-like" versions start with a "v", then are followed by a number (the major version),
+	// then optionally the string "alpha" or "beta" and another number (the minor version). These are sorted first
+	// by GA > beta > alpha (where GA is a version with no suffix such as beta or alpha), and then by comparing
+	// major version, then minor version. An example sorted list of versions:
+	// v10, v2, v1, v11beta2, v10beta3, v3beta1, v12alpha1, v11alpha2, foo1, foo10.
+	versions: [...#CustomResourceDefinitionVersion] @go(Versions,[]CustomResourceDefinitionVersion) @protobuf(7,bytes,rep)
+
+	// conversion defines conversion settings for the CRD.
+	// +optional
+	conversion?: null | #CustomResourceConversion @go(Conversion,*CustomResourceConversion) @protobuf(9,bytes,opt)
+
+	// preserveUnknownFields indicates that object fields which are not specified
+	// in the OpenAPI schema should be preserved when persisting to storage.
+	// apiVersion, kind, metadata and known fields inside metadata are always preserved.
+	// This field is deprecated in favor of setting `x-preserve-unknown-fields` to true in `spec.versions[*].schema.openAPIV3Schema`.
+	// See https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#field-pruning for details.
+	// +optional
+	preserveUnknownFields?: bool @go(PreserveUnknownFields) @protobuf(10,varint,opt)
+}
+
+// CustomResourceConversion describes how to convert different versions of a CR.
+#CustomResourceConversion: {
+	// strategy specifies how custom resources are converted between versions. Allowed values are:
+	// - `"None"`: The converter only change the apiVersion and would not touch any other field in the custom resource.
+	// - `"Webhook"`: API Server will call to an external webhook to do the conversion. Additional information
+	//   is needed for this option. This requires spec.preserveUnknownFields to be false, and spec.conversion.webhook to be set.
+	strategy: #ConversionStrategyType @go(Strategy) @protobuf(1,bytes)
+
+	// webhook describes how to call the conversion webhook. Required when `strategy` is set to `"Webhook"`.
+	// +optional
+	webhook?: null | #WebhookConversion @go(Webhook,*WebhookConversion) @protobuf(2,bytes,opt)
+}
+
+// WebhookConversion describes how to call a conversion webhook
+#WebhookConversion: {
+	// clientConfig is the instructions for how to call the webhook if strategy is `Webhook`.
+	// +optional
+	clientConfig?: null | #WebhookClientConfig @go(ClientConfig,*WebhookClientConfig) @protobuf(2,bytes)
+
+	// conversionReviewVersions is an ordered list of preferred `ConversionReview`
+	// versions the Webhook expects. The API server will use the first version in
+	// the list which it supports. If none of the versions specified in this list
+	// are supported by API server, conversion will fail for the custom resource.
+	// If a persisted Webhook configuration specifies allowed versions and does not
+	// include any versions known to the API Server, calls to the webhook will fail.
+	conversionReviewVersions: [...string] @go(ConversionReviewVersions,[]string) @protobuf(3,bytes,rep)
+}
+
+// WebhookClientConfig contains the information to make a TLS connection with the webhook.
+#WebhookClientConfig: {
+	// url gives the location of the webhook, in standard URL form
+	// (`scheme://host:port/path`). Exactly one of `url` or `service`
+	// must be specified.
+	//
+	// The `host` should not refer to a service running in the cluster; use
+	// the `service` field instead. The host might be resolved via external
+	// DNS in some apiservers (e.g., `kube-apiserver` cannot resolve
+	// in-cluster DNS as that would be a layering violation). `host` may
+	// also be an IP address.
+	//
+	// Please note that using `localhost` or `127.0.0.1` as a `host` is
+	// risky unless you take great care to run this webhook on all hosts
+	// which run an apiserver which might need to make calls to this
+	// webhook. Such installs are likely to be non-portable, i.e., not easy
+	// to turn up in a new cluster.
+	//
+	// The scheme must be "https"; the URL must begin with "https://".
+	//
+	// A path is optional, and if present may be any string permissible in
+	// a URL. You may use the path to pass an arbitrary string to the
+	// webhook, for example, a cluster identifier.
+	//
+	// Attempting to use a user or basic auth e.g. "user:password@" is not
+	// allowed. Fragments ("#...") and query parameters ("?...") are not
+	// allowed, either.
+	//
+	// +optional
+	url?: null | string @go(URL,*string) @protobuf(3,bytes,opt)
+
+	// service is a reference to the service for this webhook. Either
+	// service or url must be specified.
+	//
+	// If the webhook is running within the cluster, then you should use `service`.
+	//
+	// +optional
+	service?: null | #ServiceReference @go(Service,*ServiceReference) @protobuf(1,bytes,opt)
+
+	// caBundle is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
+	// If unspecified, system trust roots on the apiserver are used.
+	// +optional
+	caBundle?: bytes @go(CABundle,[]byte) @protobuf(2,bytes,opt)
+}
+
+// ServiceReference holds a reference to Service.legacy.k8s.io
+#ServiceReference: {
+	// namespace is the namespace of the service.
+	// Required
+	namespace: string @go(Namespace) @protobuf(1,bytes,opt)
+
+	// name is the name of the service.
+	// Required
+	name: string @go(Name) @protobuf(2,bytes,opt)
+
+	// path is an optional URL path at which the webhook will be contacted.
+	// +optional
+	path?: null | string @go(Path,*string) @protobuf(3,bytes,opt)
+
+	// port is an optional service port at which the webhook will be contacted.
+	// `port` should be a valid port number (1-65535, inclusive).
+	// Defaults to 443 for backward compatibility.
+	// +optional
+	port?: null | int32 @go(Port,*int32) @protobuf(4,varint,opt)
+}
+
+// CustomResourceDefinitionVersion describes a version for CRD.
+#CustomResourceDefinitionVersion: {
+	// name is the version name, e.g. “v1”, “v2beta1”, etc.
+	// The custom resources are served under this version at `/apis/<group>/<version>/...` if `served` is true.
+	name: string @go(Name) @protobuf(1,bytes,opt)
+
+	// served is a flag enabling/disabling this version from being served via REST APIs
+	served: bool @go(Served) @protobuf(2,varint,opt)
+
+	// storage indicates this version should be used when persisting custom resources to storage.
+	// There must be exactly one version with storage=true.
+	storage: bool @go(Storage) @protobuf(3,varint,opt)
+
+	// deprecated indicates this version of the custom resource API is deprecated.
+	// When set to true, API requests to this version receive a warning header in the server response.
+	// Defaults to false.
+	// +optional
+	deprecated?: bool @go(Deprecated) @protobuf(7,varint,opt)
+
+	// deprecationWarning overrides the default warning returned to API clients.
+	// May only be set when `deprecated` is true.
+	// The default warning indicates this version is deprecated and recommends use
+	// of the newest served version of equal or greater stability, if one exists.
+	// +optional
+	deprecationWarning?: null | string @go(DeprecationWarning,*string) @protobuf(8,bytes,opt)
+
+	// schema describes the schema used for validation, pruning, and defaulting of this version of the custom resource.
+	// +optional
+	schema?: null | #CustomResourceValidation @go(Schema,*CustomResourceValidation) @protobuf(4,bytes,opt)
+
+	// subresources specify what subresources this version of the defined custom resource have.
+	// +optional
+	subresources?: null | #CustomResourceSubresources @go(Subresources,*CustomResourceSubresources) @protobuf(5,bytes,opt)
+
+	// additionalPrinterColumns specifies additional columns returned in Table output.
+	// See https://kubernetes.io/docs/reference/using-api/api-concepts/#receiving-resources-as-tables for details.
+	// If no columns are specified, a single column displaying the age of the custom resource is used.
+	// +optional
+	additionalPrinterColumns?: [...#CustomResourceColumnDefinition] @go(AdditionalPrinterColumns,[]CustomResourceColumnDefinition) @protobuf(6,bytes,rep)
+}
+
+// CustomResourceColumnDefinition specifies a column for server side printing.
+#CustomResourceColumnDefinition: {
+	// name is a human readable name for the column.
+	name: string @go(Name) @protobuf(1,bytes,opt)
+
+	// type is an OpenAPI type definition for this column.
+	// See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for details.
+	type: string @go(Type) @protobuf(2,bytes,opt)
+
+	// format is an optional OpenAPI type definition for this column. The 'name' format is applied
+	// to the primary identifier column to assist in clients identifying column is the resource name.
+	// See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for details.
+	// +optional
+	format?: string @go(Format) @protobuf(3,bytes,opt)
+
+	// description is a human readable description of this column.
+	// +optional
+	description?: string @go(Description) @protobuf(4,bytes,opt)
+
+	// priority is an integer defining the relative importance of this column compared to others. Lower
+	// numbers are considered higher priority. Columns that may be omitted in limited space scenarios
+	// should be given a priority greater than 0.
+	// +optional
+	priority?: int32 @go(Priority) @protobuf(5,bytes,opt)
+
+	// jsonPath is a simple JSON path (i.e. with array notation) which is evaluated against
+	// each custom resource to produce the value for this column.
+	jsonPath: string @go(JSONPath) @protobuf(6,bytes,opt)
+}
+
+// CustomResourceDefinitionNames indicates the names to serve this CustomResourceDefinition
+#CustomResourceDefinitionNames: {
+	// plural is the plural name of the resource to serve.
+	// The custom resources are served under `/apis/<group>/<version>/.../<plural>`.
+	// Must match the name of the CustomResourceDefinition (in the form `<names.plural>.<group>`).
+	// Must be all lowercase.
+	plural: string @go(Plural) @protobuf(1,bytes,opt)
+
+	// singular is the singular name of the resource. It must be all lowercase. Defaults to lowercased `kind`.
+	// +optional
+	singular?: string @go(Singular) @protobuf(2,bytes,opt)
+
+	// shortNames are short names for the resource, exposed in API discovery documents,
+	// and used by clients to support invocations like `kubectl get <shortname>`.
+	// It must be all lowercase.
+	// +optional
+	shortNames?: [...string] @go(ShortNames,[]string) @protobuf(3,bytes,opt)
+
+	// kind is the serialized kind of the resource. It is normally CamelCase and singular.
+	// Custom resource instances will use this value as the `kind` attribute in API calls.
+	kind: string @go(Kind) @protobuf(4,bytes,opt)
+
+	// listKind is the serialized kind of the list for this resource. Defaults to "`kind`List".
+	// +optional
+	listKind?: string @go(ListKind) @protobuf(5,bytes,opt)
+
+	// categories is a list of grouped resources this custom resource belongs to (e.g. 'all').
+	// This is published in API discovery documents, and used by clients to support invocations like
+	// `kubectl get all`.
+	// +optional
+	categories?: [...string] @go(Categories,[]string) @protobuf(6,bytes,rep)
+}
+
+// ResourceScope is an enum defining the different scopes available to a custom resource
+#ResourceScope: string // #enumResourceScope
+
+#enumResourceScope:
+	#ClusterScoped |
+	#NamespaceScoped
+
+#ClusterScoped:   #ResourceScope & "Cluster"
+#NamespaceScoped: #ResourceScope & "Namespaced"
+
+#ConditionStatus: string // #enumConditionStatus
+
+#enumConditionStatus:
+	#ConditionTrue |
+	#ConditionFalse |
+	#ConditionUnknown
+
+#ConditionTrue:    #ConditionStatus & "True"
+#ConditionFalse:   #ConditionStatus & "False"
+#ConditionUnknown: #ConditionStatus & "Unknown"
+
+// CustomResourceDefinitionConditionType is a valid value for CustomResourceDefinitionCondition.Type
+#CustomResourceDefinitionConditionType: string // #enumCustomResourceDefinitionConditionType
+
+#enumCustomResourceDefinitionConditionType:
+	#Established |
+	#NamesAccepted |
+	#NonStructuralSchema |
+	#Terminating |
+	#KubernetesAPIApprovalPolicyConformant
+
+// Established means that the resource has become active. A resource is established when all names are
+// accepted without a conflict for the first time. A resource stays established until deleted, even during
+// a later NamesAccepted due to changed names. Note that not all names can be changed.
+#Established: #CustomResourceDefinitionConditionType & "Established"
+
+// NamesAccepted means the names chosen for this CustomResourceDefinition do not conflict with others in
+// the group and are therefore accepted.
+#NamesAccepted: #CustomResourceDefinitionConditionType & "NamesAccepted"
+
+// NonStructuralSchema means that one or more OpenAPI schema is not structural.
+//
+// A schema is structural if it specifies types for all values, with the only exceptions of those with
+// - x-kubernetes-int-or-string: true — for fields which can be integer or string
+// - x-kubernetes-preserve-unknown-fields: true — for raw, unspecified JSON values
+// and there is no type, additionalProperties, default, nullable or x-kubernetes-* vendor extenions
+// specified under allOf, anyOf, oneOf or not.
+//
+// Non-structural schemas will not be allowed anymore in v1 API groups. Moreover, new features will not be
+// available for non-structural CRDs:
+// - pruning
+// - defaulting
+// - read-only
+// - OpenAPI publishing
+// - webhook conversion
+#NonStructuralSchema: #CustomResourceDefinitionConditionType & "NonStructuralSchema"
+
+// Terminating means that the CustomResourceDefinition has been deleted and is cleaning up.
+#Terminating: #CustomResourceDefinitionConditionType & "Terminating"
+
+// KubernetesAPIApprovalPolicyConformant indicates that an API in *.k8s.io or *.kubernetes.io is or is not approved.  For CRDs
+// outside those groups, this condition will not be set.  For CRDs inside those groups, the condition will
+// be true if .metadata.annotations["api-approved.kubernetes.io"] is set to a URL, otherwise it will be false.
+// See https://github.com/kubernetes/enhancements/pull/1111 for more details.
+#KubernetesAPIApprovalPolicyConformant: #CustomResourceDefinitionConditionType & "KubernetesAPIApprovalPolicyConformant"
+
+// CustomResourceDefinitionCondition contains details for the current condition of this pod.
+#CustomResourceDefinitionCondition: {
+	// type is the type of the condition. Types include Established, NamesAccepted and Terminating.
+	type: #CustomResourceDefinitionConditionType @go(Type) @protobuf(1,bytes,opt,casttype=CustomResourceDefinitionConditionType)
+
+	// status is the status of the condition.
+	// Can be True, False, Unknown.
+	status: #ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=ConditionStatus)
+
+	// lastTransitionTime last time the condition transitioned from one status to another.
+	// +optional
+	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt)
+
+	// reason is a unique, one-word, CamelCase reason for the condition's last transition.
+	// +optional
+	reason?: string @go(Reason) @protobuf(4,bytes,opt)
+
+	// message is a human-readable message indicating details about last transition.
+	// +optional
+	message?: string @go(Message) @protobuf(5,bytes,opt)
+}
+
+// CustomResourceDefinitionStatus indicates the state of the CustomResourceDefinition
+#CustomResourceDefinitionStatus: {
+	// conditions indicate state for particular aspects of a CustomResourceDefinition
+	// +optional
+	// +listType=map
+	// +listMapKey=type
+	conditions?: [...#CustomResourceDefinitionCondition] @go(Conditions,[]CustomResourceDefinitionCondition) @protobuf(1,bytes,opt)
+
+	// acceptedNames are the names that are actually being used to serve discovery.
+	// They may be different than the names in spec.
+	// +optional
+	acceptedNames?: #CustomResourceDefinitionNames @go(AcceptedNames) @protobuf(2,bytes,opt)
+
+	// storedVersions lists all versions of CustomResources that were ever persisted. Tracking these
+	// versions allows a migration path for stored versions in etcd. The field is mutable
+	// so a migration controller can finish a migration to another version (ensuring
+	// no old objects are left in storage), and then remove the rest of the
+	// versions from this list.
+	// Versions may not be removed from `spec.versions` while they exist in this list.
+	// +optional
+	storedVersions?: [...string] @go(StoredVersions,[]string) @protobuf(3,bytes,rep)
+}
+
+#CustomResourceCleanupFinalizer: "customresourcecleanup.apiextensions.k8s.io"
+
+// CustomResourceDefinition represents a resource that should be exposed on the API server.  Its name MUST be in the format
+// <.spec.name>.<.spec.group>.
+#CustomResourceDefinition: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// spec describes how the user wants the resources to appear
+	spec: #CustomResourceDefinitionSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// status indicates the actual state of the CustomResourceDefinition
+	// +optional
+	status?: #CustomResourceDefinitionStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// CustomResourceDefinitionList is a list of CustomResourceDefinition objects.
+#CustomResourceDefinitionList: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// items list individual CustomResourceDefinition objects
+	items: [...#CustomResourceDefinition] @go(Items,[]CustomResourceDefinition) @protobuf(2,bytes,rep)
+}
+
+// CustomResourceValidation is a list of validation methods for CustomResources.
+#CustomResourceValidation: {
+	// openAPIV3Schema is the OpenAPI v3 schema to use for validation and pruning.
+	// +optional
+	openAPIV3Schema?: null | #JSONSchemaProps @go(OpenAPIV3Schema,*JSONSchemaProps) @protobuf(1,bytes,opt)
+}
+
+// CustomResourceSubresources defines the status and scale subresources for CustomResources.
+#CustomResourceSubresources: {
+	// status indicates the custom resource should serve a `/status` subresource.
+	// When enabled:
+	// 1. requests to the custom resource primary endpoint ignore changes to the `status` stanza of the object.
+	// 2. requests to the custom resource `/status` subresource ignore changes to anything other than the `status` stanza of the object.
+	// +optional
+	status?: null | #CustomResourceSubresourceStatus @go(Status,*CustomResourceSubresourceStatus) @protobuf(1,bytes,opt)
+
+	// scale indicates the custom resource should serve a `/scale` subresource that returns an `autoscaling/v1` Scale object.
+	// +optional
+	scale?: null | #CustomResourceSubresourceScale @go(Scale,*CustomResourceSubresourceScale) @protobuf(2,bytes,opt)
+}
+
+// CustomResourceSubresourceStatus defines how to serve the status subresource for CustomResources.
+// Status is represented by the `.status` JSON path inside of a CustomResource. When set,
+// * exposes a /status subresource for the custom resource
+// * PUT requests to the /status subresource take a custom resource object, and ignore changes to anything except the status stanza
+// * PUT/POST/PATCH requests to the custom resource ignore changes to the status stanza
+#CustomResourceSubresourceStatus: {
+}
+
+// CustomResourceSubresourceScale defines how to serve the scale subresource for CustomResources.
+#CustomResourceSubresourceScale: {
+	// specReplicasPath defines the JSON path inside of a custom resource that corresponds to Scale `spec.replicas`.
+	// Only JSON paths without the array notation are allowed.
+	// Must be a JSON Path under `.spec`.
+	// If there is no value under the given path in the custom resource, the `/scale` subresource will return an error on GET.
+	specReplicasPath: string @go(SpecReplicasPath) @protobuf(1,bytes)
+
+	// statusReplicasPath defines the JSON path inside of a custom resource that corresponds to Scale `status.replicas`.
+	// Only JSON paths without the array notation are allowed.
+	// Must be a JSON Path under `.status`.
+	// If there is no value under the given path in the custom resource, the `status.replicas` value in the `/scale` subresource
+	// will default to 0.
+	statusReplicasPath: string @go(StatusReplicasPath) @protobuf(2,bytes,opt)
+
+	// labelSelectorPath defines the JSON path inside of a custom resource that corresponds to Scale `status.selector`.
+	// Only JSON paths without the array notation are allowed.
+	// Must be a JSON Path under `.status` or `.spec`.
+	// Must be set to work with HorizontalPodAutoscaler.
+	// The field pointed by this JSON path must be a string field (not a complex selector struct)
+	// which contains a serialized label selector in string form.
+	// More info: https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions#scale-subresource
+	// If there is no value under the given path in the custom resource, the `status.selector` value in the `/scale`
+	// subresource will default to the empty string.
+	// +optional
+	labelSelectorPath?: null | string @go(LabelSelectorPath,*string) @protobuf(3,bytes,opt)
+}
+
+// ConversionReview describes a conversion request/response.
+#ConversionReview: {
+	metav1.#TypeMeta
+
+	// request describes the attributes for the conversion request.
+	// +optional
+	request?: null | #ConversionRequest @go(Request,*ConversionRequest) @protobuf(1,bytes,opt)
+
+	// response describes the attributes for the conversion response.
+	// +optional
+	response?: null | #ConversionResponse @go(Response,*ConversionResponse) @protobuf(2,bytes,opt)
+}
+
+// ConversionRequest describes the conversion request parameters.
+#ConversionRequest: {
+	// uid is an identifier for the individual request/response. It allows distinguishing instances of requests which are
+	// otherwise identical (parallel requests, etc).
+	// The UID is meant to track the round trip (request/response) between the Kubernetes API server and the webhook, not the user request.
+	// It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging.
+	uid: types.#UID @go(UID) @protobuf(1,bytes)
+
+	// desiredAPIVersion is the version to convert given objects to. e.g. "myapi.example.com/v1"
+	desiredAPIVersion: string @go(DesiredAPIVersion) @protobuf(2,bytes)
+
+	// objects is the list of custom resource objects to be converted.
+	objects: [...runtime.#RawExtension] @go(Objects,[]runtime.RawExtension) @protobuf(3,bytes,rep)
+}
+
+// ConversionResponse describes a conversion response.
+#ConversionResponse: {
+	// uid is an identifier for the individual request/response.
+	// This should be copied over from the corresponding `request.uid`.
+	uid: types.#UID @go(UID) @protobuf(1,bytes)
+
+	// convertedObjects is the list of converted version of `request.objects` if the `result` is successful, otherwise empty.
+	// The webhook is expected to set `apiVersion` of these objects to the `request.desiredAPIVersion`. The list
+	// must also have the same size as the input list with the same objects in the same order (equal kind, metadata.uid, metadata.name and metadata.namespace).
+	// The webhook is allowed to mutate labels and annotations. Any other change to the metadata is silently ignored.
+	convertedObjects: [...runtime.#RawExtension] @go(ConvertedObjects,[]runtime.RawExtension) @protobuf(2,bytes,rep)
+
+	// result contains the result of conversion with extra details if the conversion failed. `result.status` determines if
+	// the conversion failed or succeeded. The `result.status` field is required and represents the success or failure of the
+	// conversion. A successful conversion must set `result.status` to `Success`. A failed conversion must set
+	// `result.status` to `Failure` and provide more details in `result.message` and return http status 200. The `result.message`
+	// will be used to construct an error message for the end user.
+	result: metav1.#Status @go(Result) @protobuf(3,bytes)
+}

docs/examples/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/types_jsonschema_go_gen.cue

@@ -0,0 +1,348 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1
+
+package v1
+
+// FieldValueErrorReason is a machine-readable value providing more detail about why a field failed the validation.
+// +enum
+#FieldValueErrorReason: string // #enumFieldValueErrorReason
+
+#enumFieldValueErrorReason:
+	#FieldValueRequired |
+	#FieldValueDuplicate |
+	#FieldValueInvalid |
+	#FieldValueForbidden
+
+// FieldValueRequired is used to report required values that are not
+// provided (e.g. empty strings, null values, or empty arrays).
+#FieldValueRequired: #FieldValueErrorReason & "FieldValueRequired"
+
+// FieldValueDuplicate is used to report collisions of values that must be
+// unique (e.g. unique IDs).
+#FieldValueDuplicate: #FieldValueErrorReason & "FieldValueDuplicate"
+
+// FieldValueInvalid is used to report malformed values (e.g. failed regex
+// match, too long, out of bounds).
+#FieldValueInvalid: #FieldValueErrorReason & "FieldValueInvalid"
+
+// FieldValueForbidden is used to report valid (as per formatting rules)
+// values which would be accepted under some conditions, but which are not
+// permitted by the current conditions (such as security policy).
+#FieldValueForbidden: #FieldValueErrorReason & "FieldValueForbidden"
+
+// JSONSchemaProps is a JSON-Schema following Specification Draft 4 (http://json-schema.org/).
+#JSONSchemaProps: {
+	id?:          string         @go(ID) @protobuf(1,bytes,opt)
+	$schema?:     #JSONSchemaURL @go(Schema) @protobuf(2,bytes,opt,name=schema)
+	$ref?:        null | string  @go(Ref,*string) @protobuf(3,bytes,opt,name=ref)
+	description?: string         @go(Description) @protobuf(4,bytes,opt)
+	type?:        string         @go(Type) @protobuf(5,bytes,opt)
+
+	// format is an OpenAPI v3 format string. Unknown formats are ignored. The following formats are validated:
+	//
+	// - bsonobjectid: a bson object ID, i.e. a 24 characters hex string
+	// - uri: an URI as parsed by Golang net/url.ParseRequestURI
+	// - email: an email address as parsed by Golang net/mail.ParseAddress
+	// - hostname: a valid representation for an Internet host name, as defined by RFC 1034, section 3.1 [RFC1034].
+	// - ipv4: an IPv4 IP as parsed by Golang net.ParseIP
+	// - ipv6: an IPv6 IP as parsed by Golang net.ParseIP
+	// - cidr: a CIDR as parsed by Golang net.ParseCIDR
+	// - mac: a MAC address as parsed by Golang net.ParseMAC
+	// - uuid: an UUID that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{12}$
+	// - uuid3: an UUID3 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?3[0-9a-f]{3}-?[0-9a-f]{4}-?[0-9a-f]{12}$
+	// - uuid4: an UUID4 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?4[0-9a-f]{3}-?[89ab][0-9a-f]{3}-?[0-9a-f]{12}$
+	// - uuid5: an UUID5 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?5[0-9a-f]{3}-?[89ab][0-9a-f]{3}-?[0-9a-f]{12}$
+	// - isbn: an ISBN10 or ISBN13 number string like "0321751043" or "978-0321751041"
+	// - isbn10: an ISBN10 number string like "0321751043"
+	// - isbn13: an ISBN13 number string like "978-0321751041"
+	// - creditcard: a credit card number defined by the regex ^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\\d{3})\\d{11})$ with any non digit characters mixed in
+	// - ssn: a U.S. social security number following the regex ^\\d{3}[- ]?\\d{2}[- ]?\\d{4}$
+	// - hexcolor: an hexadecimal color code like "#FFFFFF: following the regex ^#?([0-9a-fA-F]{3}|[0-9a-fA-F]{6})$
+	// - rgbcolor: an RGB color code like rgb like "rgb(255,255,2559"
+	// - byte: base64 encoded binary data
+	// - password: any kind of string
+	// - date: a date string like "2006-01-02" as defined by full-date in RFC3339
+	// - duration: a duration string like "22 ns" as parsed by Golang time.ParseDuration or compatible with Scala duration format
+	// - datetime: a date time string like "2014-12-15T19:30:20.000Z" as defined by date-time in RFC3339.
+	format?: string @go(Format) @protobuf(6,bytes,opt)
+	title?:  string @go(Title) @protobuf(7,bytes,opt)
+
+	// default is a default value for undefined object fields.
+	// Defaulting is a beta feature under the CustomResourceDefaulting feature gate.
+	// Defaulting requires spec.preserveUnknownFields to be false.
+	default?:          null | #JSON   @go(Default,*JSON) @protobuf(8,bytes,opt)
+	maximum?:          null | float64 @go(Maximum,*float64) @protobuf(9,bytes,opt)
+	exclusiveMaximum?: bool           @go(ExclusiveMaximum) @protobuf(10,bytes,opt)
+	minimum?:          null | float64 @go(Minimum,*float64) @protobuf(11,bytes,opt)
+	exclusiveMinimum?: bool           @go(ExclusiveMinimum) @protobuf(12,bytes,opt)
+	maxLength?:        null | int64   @go(MaxLength,*int64) @protobuf(13,bytes,opt)
+	minLength?:        null | int64   @go(MinLength,*int64) @protobuf(14,bytes,opt)
+	pattern?:          string         @go(Pattern) @protobuf(15,bytes,opt)
+	maxItems?:         null | int64   @go(MaxItems,*int64) @protobuf(16,bytes,opt)
+	minItems?:         null | int64   @go(MinItems,*int64) @protobuf(17,bytes,opt)
+	uniqueItems?:      bool           @go(UniqueItems) @protobuf(18,bytes,opt)
+	multipleOf?:       null | float64 @go(MultipleOf,*float64) @protobuf(19,bytes,opt)
+	enum?: [...#JSON] @go(Enum,[]JSON) @protobuf(20,bytes,rep)
+	maxProperties?: null | int64 @go(MaxProperties,*int64) @protobuf(21,bytes,opt)
+	minProperties?: null | int64 @go(MinProperties,*int64) @protobuf(22,bytes,opt)
+	required?: [...string] @go(Required,[]string) @protobuf(23,bytes,rep)
+	items?: null | #JSONSchemaPropsOrArray @go(Items,*JSONSchemaPropsOrArray) @protobuf(24,bytes,opt)
+	allOf?: [...#JSONSchemaProps] @go(AllOf,[]JSONSchemaProps) @protobuf(25,bytes,rep)
+	oneOf?: [...#JSONSchemaProps] @go(OneOf,[]JSONSchemaProps) @protobuf(26,bytes,rep)
+	anyOf?: [...#JSONSchemaProps] @go(AnyOf,[]JSONSchemaProps) @protobuf(27,bytes,rep)
+	not?: null | #JSONSchemaProps @go(Not,*JSONSchemaProps) @protobuf(28,bytes,opt)
+	properties?: {[string]: #JSONSchemaProps} @go(Properties,map[string]JSONSchemaProps) @protobuf(29,bytes,rep)
+	additionalProperties?: null | #JSONSchemaPropsOrBool @go(AdditionalProperties,*JSONSchemaPropsOrBool) @protobuf(30,bytes,opt)
+	patternProperties?: {[string]: #JSONSchemaProps} @go(PatternProperties,map[string]JSONSchemaProps) @protobuf(31,bytes,rep)
+	dependencies?:    #JSONSchemaDependencies       @go(Dependencies) @protobuf(32,bytes,opt)
+	additionalItems?: null | #JSONSchemaPropsOrBool @go(AdditionalItems,*JSONSchemaPropsOrBool) @protobuf(33,bytes,opt)
+	definitions?:     #JSONSchemaDefinitions        @go(Definitions) @protobuf(34,bytes,opt)
+	externalDocs?:    null | #ExternalDocumentation @go(ExternalDocs,*ExternalDocumentation) @protobuf(35,bytes,opt)
+	example?:         null | #JSON                  @go(Example,*JSON) @protobuf(36,bytes,opt)
+	nullable?:        bool                          @go(Nullable) @protobuf(37,bytes,opt)
+
+	// x-kubernetes-preserve-unknown-fields stops the API server
+	// decoding step from pruning fields which are not specified
+	// in the validation schema. This affects fields recursively,
+	// but switches back to normal pruning behaviour if nested
+	// properties or additionalProperties are specified in the schema.
+	// This can either be true or undefined. False is forbidden.
+	"x-kubernetes-preserve-unknown-fields"?: null | bool @go(XPreserveUnknownFields,*bool) @protobuf(38,bytes,opt,name=xKubernetesPreserveUnknownFields)
+
+	// x-kubernetes-embedded-resource defines that the value is an
+	// embedded Kubernetes runtime.Object, with TypeMeta and
+	// ObjectMeta. The type must be object. It is allowed to further
+	// restrict the embedded object. kind, apiVersion and metadata
+	// are validated automatically. x-kubernetes-preserve-unknown-fields
+	// is allowed to be true, but does not have to be if the object
+	// is fully specified (up to kind, apiVersion, metadata).
+	"x-kubernetes-embedded-resource"?: bool @go(XEmbeddedResource) @protobuf(39,bytes,opt,name=xKubernetesEmbeddedResource)
+
+	// x-kubernetes-int-or-string specifies that this value is
+	// either an integer or a string. If this is true, an empty
+	// type is allowed and type as child of anyOf is permitted
+	// if following one of the following patterns:
+	//
+	// 1) anyOf:
+	//    - type: integer
+	//    - type: string
+	// 2) allOf:
+	//    - anyOf:
+	//      - type: integer
+	//      - type: string
+	//    - ... zero or more
+	"x-kubernetes-int-or-string"?: bool @go(XIntOrString) @protobuf(40,bytes,opt,name=xKubernetesIntOrString)
+
+	// x-kubernetes-list-map-keys annotates an array with the x-kubernetes-list-type `map` by specifying the keys used
+	// as the index of the map.
+	//
+	// This tag MUST only be used on lists that have the "x-kubernetes-list-type"
+	// extension set to "map". Also, the values specified for this attribute must
+	// be a scalar typed field of the child structure (no nesting is supported).
+	//
+	// The properties specified must either be required or have a default value,
+	// to ensure those properties are present for all list items.
+	//
+	// +optional
+	"x-kubernetes-list-map-keys"?: [...string] @go(XListMapKeys,[]string) @protobuf(41,bytes,rep,name=xKubernetesListMapKeys)
+
+	// x-kubernetes-list-type annotates an array to further describe its topology.
+	// This extension must only be used on lists and may have 3 possible values:
+	//
+	// 1) `atomic`: the list is treated as a single entity, like a scalar.
+	//      Atomic lists will be entirely replaced when updated. This extension
+	//      may be used on any type of list (struct, scalar, ...).
+	// 2) `set`:
+	//      Sets are lists that must not have multiple items with the same value. Each
+	//      value must be a scalar, an object with x-kubernetes-map-type `atomic` or an
+	//      array with x-kubernetes-list-type `atomic`.
+	// 3) `map`:
+	//      These lists are like maps in that their elements have a non-index key
+	//      used to identify them. Order is preserved upon merge. The map tag
+	//      must only be used on a list with elements of type object.
+	// Defaults to atomic for arrays.
+	// +optional
+	"x-kubernetes-list-type"?: null | string @go(XListType,*string) @protobuf(42,bytes,opt,name=xKubernetesListType)
+
+	// x-kubernetes-map-type annotates an object to further describe its topology.
+	// This extension must only be used when type is object and may have 2 possible values:
+	//
+	// 1) `granular`:
+	//      These maps are actual maps (key-value pairs) and each fields are independent
+	//      from each other (they can each be manipulated by separate actors). This is
+	//      the default behaviour for all maps.
+	// 2) `atomic`: the list is treated as a single entity, like a scalar.
+	//      Atomic maps will be entirely replaced when updated.
+	// +optional
+	"x-kubernetes-map-type"?: null | string @go(XMapType,*string) @protobuf(43,bytes,opt,name=xKubernetesMapType)
+
+	// x-kubernetes-validations describes a list of validation rules written in the CEL expression language.
+	// This field is an alpha-level. Using this field requires the feature gate `CustomResourceValidationExpressions` to be enabled.
+	// +patchMergeKey=rule
+	// +patchStrategy=merge
+	// +listType=map
+	// +listMapKey=rule
+	"x-kubernetes-validations"?: #ValidationRules @go(XValidations) @protobuf(44,bytes,rep,name=xKubernetesValidations)
+}
+
+// ValidationRules describes a list of validation rules written in the CEL expression language.
+#ValidationRules: [...#ValidationRule]
+
+// ValidationRule describes a validation rule written in the CEL expression language.
+#ValidationRule: {
+	// Rule represents the expression which will be evaluated by CEL.
+	// ref: https://github.com/google/cel-spec
+	// The Rule is scoped to the location of the x-kubernetes-validations extension in the schema.
+	// The `self` variable in the CEL expression is bound to the scoped value.
+	// Example:
+	// - Rule scoped to the root of a resource with a status subresource: {"rule": "self.status.actual <= self.spec.maxDesired"}
+	//
+	// If the Rule is scoped to an object with properties, the accessible properties of the object are field selectable
+	// via `self.field` and field presence can be checked via `has(self.field)`. Null valued fields are treated as
+	// absent fields in CEL expressions.
+	// If the Rule is scoped to an object with additionalProperties (i.e. a map) the value of the map
+	// are accessible via `self[mapKey]`, map containment can be checked via `mapKey in self` and all entries of the map
+	// are accessible via CEL macros and functions such as `self.all(...)`.
+	// If the Rule is scoped to an array, the elements of the array are accessible via `self[i]` and also by macros and
+	// functions.
+	// If the Rule is scoped to a scalar, `self` is bound to the scalar value.
+	// Examples:
+	// - Rule scoped to a map of objects: {"rule": "self.components['Widget'].priority < 10"}
+	// - Rule scoped to a list of integers: {"rule": "self.values.all(value, value >= 0 && value < 100)"}
+	// - Rule scoped to a string value: {"rule": "self.startsWith('kube')"}
+	//
+	// The `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the
+	// object and from any x-kubernetes-embedded-resource annotated objects. No other metadata properties are accessible.
+	//
+	// Unknown data preserved in custom resources via x-kubernetes-preserve-unknown-fields is not accessible in CEL
+	// expressions. This includes:
+	// - Unknown field values that are preserved by object schemas with x-kubernetes-preserve-unknown-fields.
+	// - Object properties where the property schema is of an "unknown type". An "unknown type" is recursively defined as:
+	//   - A schema with no type and x-kubernetes-preserve-unknown-fields set to true
+	//   - An array where the items schema is of an "unknown type"
+	//   - An object where the additionalProperties schema is of an "unknown type"
+	//
+	// Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.
+	// Accessible property names are escaped according to the following rules when accessed in the expression:
+	// - '__' escapes to '__underscores__'
+	// - '.' escapes to '__dot__'
+	// - '-' escapes to '__dash__'
+	// - '/' escapes to '__slash__'
+	// - Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:
+	//	  "true", "false", "null", "in", "as", "break", "const", "continue", "else", "for", "function", "if",
+	//	  "import", "let", "loop", "package", "namespace", "return".
+	// Examples:
+	//   - Rule accessing a property named "namespace": {"rule": "self.__namespace__ > 0"}
+	//   - Rule accessing a property named "x-prop": {"rule": "self.x__dash__prop > 0"}
+	//   - Rule accessing a property named "redact__d": {"rule": "self.redact__underscores__d > 0"}
+	//
+	// Equality on arrays with x-kubernetes-list-type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].
+	// Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:
+	//   - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and
+	//     non-intersecting elements in `Y` are appended, retaining their partial order.
+	//   - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values
+	//     are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with
+	//     non-intersecting keys are appended, retaining their partial order.
+	//
+	// If `rule` makes use of the `oldSelf` variable it is implicitly a
+	// `transition rule`.
+	//
+	// By default, the `oldSelf` variable is the same type as `self`.
+	// When `optionalOldSelf` is true, the `oldSelf` variable is a CEL optional
+	//  variable whose value() is the same type as `self`.
+	// See the documentation for the `optionalOldSelf` field for details.
+	//
+	// Transition rules by default are applied only on UPDATE requests and are
+	// skipped if an old value could not be found. You can opt a transition
+	// rule into unconditional evaluation by setting `optionalOldSelf` to true.
+	//
+	rule: string @go(Rule) @protobuf(1,bytes,opt)
+
+	// Message represents the message displayed when validation fails. The message is required if the Rule contains
+	// line breaks. The message must not contain line breaks.
+	// If unset, the message is "failed rule: {Rule}".
+	// e.g. "must be a URL with the host matching spec.host"
+	message?: string @go(Message) @protobuf(2,bytes,opt)
+
+	// MessageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
+	// Since messageExpression is used as a failure message, it must evaluate to a string.
+	// If both message and messageExpression are present on a rule, then messageExpression will be used if validation
+	// fails. If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
+	// as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
+	// that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
+	// the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
+	// messageExpression has access to all the same variables as the rule; the only difference is the return type.
+	// Example:
+	// "x must be less than max ("+string(self.max)+")"
+	// +optional
+	messageExpression?: string @go(MessageExpression) @protobuf(3,bytes,opt)
+
+	// reason provides a machine-readable validation failure reason that is returned to the caller when a request fails this validation rule.
+	// The HTTP status code returned to the caller will match the reason of the reason of the first failed validation rule.
+	// The currently supported reasons are: "FieldValueInvalid", "FieldValueForbidden", "FieldValueRequired", "FieldValueDuplicate".
+	// If not set, default to use "FieldValueInvalid".
+	// All future added reasons must be accepted by clients when reading this value and unknown reasons should be treated as FieldValueInvalid.
+	// +optional
+	reason?: null | #FieldValueErrorReason @go(Reason,*FieldValueErrorReason) @protobuf(4,bytes,opt)
+
+	// fieldPath represents the field path returned when the validation fails.
+	// It must be a relative JSON path (i.e. with array notation) scoped to the location of this x-kubernetes-validations extension in the schema and refer to an existing field.
+	// e.g. when validation checks if a specific attribute `foo` under a map `testMap`, the fieldPath could be set to `.testMap.foo`
+	// If the validation checks two lists must have unique attributes, the fieldPath could be set to either of the list: e.g. `.testList`
+	// It does not support list numeric index.
+	// It supports child operation to refer to an existing field currently. Refer to [JSONPath support in Kubernetes](https://kubernetes.io/docs/reference/kubectl/jsonpath/) for more info.
+	// Numeric index of array is not supported.
+	// For field name which contains special characters, use `['specialName']` to refer the field name.
+	// e.g. for attribute `foo.34$` appears in a list `testList`, the fieldPath could be set to `.testList['foo.34$']`
+	// +optional
+	fieldPath?: string @go(FieldPath) @protobuf(5,bytes,opt)
+
+	// optionalOldSelf is used to opt a transition rule into evaluation
+	// even when the object is first created, or if the old object is
+	// missing the value.
+	//
+	// When enabled `oldSelf` will be a CEL optional whose value will be
+	// `None` if there is no old value, or when the object is initially created.
+	//
+	// You may check for presence of oldSelf using `oldSelf.hasValue()` and
+	// unwrap it after checking using `oldSelf.value()`. Check the CEL
+	// documentation for Optional types for more information:
+	// https://pkg.go.dev/github.com/google/cel-go/cel#OptionalTypes
+	//
+	// May not be set unless `oldSelf` is used in `rule`.
+	//
+	// +featureGate=CRDValidationRatcheting
+	// +optional
+	optionalOldSelf?: null | bool @go(OptionalOldSelf,*bool) @protobuf(6,bytes,opt)
+}
+
+// JSON represents any valid JSON value.
+// These types are supported: bool, int64, float64, string, []interface{}, map[string]interface{} and nil.
+#JSON: _
+
+// JSONSchemaURL represents a schema url.
+#JSONSchemaURL: string
+
+// JSONSchemaPropsOrArray represents a value that can either be a JSONSchemaProps
+// or an array of JSONSchemaProps. Mainly here for serialization purposes.
+#JSONSchemaPropsOrArray: _
+
+// JSONSchemaPropsOrBool represents JSONSchemaProps or a boolean value.
+// Defaults to true for the boolean property.
+#JSONSchemaPropsOrBool: _
+
+// JSONSchemaDependencies represent a dependencies property.
+#JSONSchemaDependencies: {[string]: #JSONSchemaPropsOrStringArray}
+
+// JSONSchemaPropsOrStringArray represents a JSONSchemaProps or a string array.
+#JSONSchemaPropsOrStringArray: _
+
+// JSONSchemaDefinitions contains the models explicitly defined in this spec.
+#JSONSchemaDefinitions: {[string]: #JSONSchemaProps}
+
+// ExternalDocumentation allows referencing an external resource for extended documentation.
+#ExternalDocumentation: {
+	description?: string @go(Description) @protobuf(1,bytes,opt)
+	url?:         string @go(URL) @protobuf(2,bytes,opt)
+}

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/amount_go_gen.cue

@@ -0,0 +1,47 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/api/resource
+
+package resource
+
+// Scale is used for getting and setting the base-10 scaled value.
+// Base-2 scales are omitted for mathematical simplicity.
+// See Quantity.ScaledValue for more details.
+#Scale: int32 // #enumScale
+
+#enumScale:
+	#Nano |
+	#Micro |
+	#Milli |
+	#Kilo |
+	#Mega |
+	#Giga |
+	#Tera |
+	#Peta |
+	#Exa
+
+#values_Scale: {
+	Nano:  #Nano
+	Micro: #Micro
+	Milli: #Milli
+	Kilo:  #Kilo
+	Mega:  #Mega
+	Giga:  #Giga
+	Tera:  #Tera
+	Peta:  #Peta
+	Exa:   #Exa
+}
+
+#Nano:  #Scale & -9
+#Micro: #Scale & -6
+#Milli: #Scale & -3
+#Kilo:  #Scale & 3
+#Mega:  #Scale & 6
+#Giga:  #Scale & 9
+#Tera:  #Scale & 12
+#Peta:  #Scale & 15
+#Exa:   #Scale & 18
+
+// infDecAmount implements common operations over an inf.Dec that are specific to the quantity
+// representation.
+_#infDecAmount: string

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/math_go_gen.cue

@@ -0,0 +1,13 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/api/resource
+
+package resource
+
+// maxInt64Factors is the highest value that will be checked when removing factors of 10 from an int64.
+// It is also the maximum decimal digits that can be represented with an int64.
+_#maxInt64Factors: 18
+
+_#mostNegative: -9223372036854775808
+
+_#mostPositive: 9223372036854775807

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/quantity_go_gen.cue

@@ -0,0 +1,107 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/api/resource
+
+package resource
+
+// Quantity is a fixed-point representation of a number.
+// It provides convenient marshaling/unmarshaling in JSON and YAML,
+// in addition to String() and AsInt64() accessors.
+//
+// The serialization format is:
+//
+// ```
+// <quantity>        ::= <signedNumber><suffix>
+//
+//	(Note that <suffix> may be empty, from the "" case in <decimalSI>.)
+//
+// <digit>           ::= 0 | 1 | ... | 9
+// <digits>          ::= <digit> | <digit><digits>
+// <number>          ::= <digits> | <digits>.<digits> | <digits>. | .<digits>
+// <sign>            ::= "+" | "-"
+// <signedNumber>    ::= <number> | <sign><number>
+// <suffix>          ::= <binarySI> | <decimalExponent> | <decimalSI>
+// <binarySI>        ::= Ki | Mi | Gi | Ti | Pi | Ei
+//
+//	(International System of units; See: http://physics.nist.gov/cuu/Units/binary.html)
+//
+// <decimalSI>       ::= m | "" | k | M | G | T | P | E
+//
+//	(Note that 1024 = 1Ki but 1000 = 1k; I didn't choose the capitalization.)
+//
+// <decimalExponent> ::= "e" <signedNumber> | "E" <signedNumber>
+// ```
+//
+// No matter which of the three exponent forms is used, no quantity may represent
+// a number greater than 2^63-1 in magnitude, nor may it have more than 3 decimal
+// places. Numbers larger or more precise will be capped or rounded up.
+// (E.g.: 0.1m will rounded up to 1m.)
+// This may be extended in the future if we require larger or smaller quantities.
+//
+// When a Quantity is parsed from a string, it will remember the type of suffix
+// it had, and will use the same type again when it is serialized.
+//
+// Before serializing, Quantity will be put in "canonical form".
+// This means that Exponent/suffix will be adjusted up or down (with a
+// corresponding increase or decrease in Mantissa) such that:
+//
+// - No precision is lost
+// - No fractional digits will be emitted
+// - The exponent (or suffix) is as large as possible.
+//
+// The sign will be omitted unless the number is negative.
+//
+// Examples:
+//
+// - 1.5 will be serialized as "1500m"
+// - 1.5Gi will be serialized as "1536Mi"
+//
+// Note that the quantity will NEVER be internally represented by a
+// floating point number. That is the whole point of this exercise.
+//
+// Non-canonical values will still parse as long as they are well formed,
+// but will be re-emitted in their canonical form. (So always use canonical
+// form, or don't diff.)
+//
+// This format is intended to make it difficult to use these numbers without
+// writing some sort of special handling code in the hopes that that will
+// cause implementors to also use a fixed point implementation.
+//
+// +protobuf=true
+// +protobuf.embed=string
+// +protobuf.options.marshal=false
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+// +k8s:deepcopy-gen=true
+// +k8s:openapi-gen=true
+#Quantity: _
+
+// CanonicalValue allows a quantity amount to be converted to a string.
+#CanonicalValue: _
+
+// Format lists the three possible formattings of a quantity.
+#Format: string // #enumFormat
+
+#enumFormat:
+	#DecimalExponent |
+	#BinarySI |
+	#DecimalSI
+
+#DecimalExponent: #Format & "DecimalExponent"
+#BinarySI:        #Format & "BinarySI"
+#DecimalSI:       #Format & "DecimalSI"
+
+// splitREString is used to separate a number from its suffix; as such,
+// this is overly permissive, but that's OK-- it will be checked later.
+_#splitREString: "^([+-]?[0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$"
+
+_#int64QuantityExpectedBytes: 18
+
+// QuantityValue makes it possible to use a Quantity as value for a command
+// line parameter.
+//
+// +protobuf=true
+// +protobuf.embed=string
+// +protobuf.options.marshal=false
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+// +k8s:deepcopy-gen=true
+#QuantityValue: _

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/suffix_go_gen.cue

@@ -0,0 +1,10 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/api/resource
+
+package resource
+
+_#suffix: string
+
+// suffixer can interpret and construct suffixes.
+_#suffixer: _

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/duration_go_gen.cue

@@ -0,0 +1,10 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1
+
+package v1
+
+// Duration is a wrapper around time.Duration which supports correct
+// marshaling to YAML and JSON. In particular, it marshals into strings, which
+// can be used as map keys in json.
+#Duration: _

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/group_version_go_gen.cue

@@ -0,0 +1,48 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1
+
+package v1
+
+// GroupResource specifies a Group and a Resource, but does not force a version.  This is useful for identifying
+// concepts during lookup stages without having partially valid types
+//
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+#GroupResource: {
+	group:    string @go(Group) @protobuf(1,bytes,opt)
+	resource: string @go(Resource) @protobuf(2,bytes,opt)
+}
+
+// GroupVersionResource unambiguously identifies a resource.  It doesn't anonymously include GroupVersion
+// to avoid automatic coercion.  It doesn't use a GroupVersion to avoid custom marshalling
+//
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+#GroupVersionResource: {
+	group:    string @go(Group) @protobuf(1,bytes,opt)
+	version:  string @go(Version) @protobuf(2,bytes,opt)
+	resource: string @go(Resource) @protobuf(3,bytes,opt)
+}
+
+// GroupKind specifies a Group and a Kind, but does not force a version.  This is useful for identifying
+// concepts during lookup stages without having partially valid types
+//
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+#GroupKind: {
+	group: string @go(Group) @protobuf(1,bytes,opt)
+	kind:  string @go(Kind) @protobuf(2,bytes,opt)
+}
+
+// GroupVersionKind unambiguously identifies a kind.  It doesn't anonymously include GroupVersion
+// to avoid automatic coercion.  It doesn't use a GroupVersion to avoid custom marshalling
+//
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+#GroupVersionKind: {
+	group:   string @go(Group) @protobuf(1,bytes,opt)
+	version: string @go(Version) @protobuf(2,bytes,opt)
+	kind:    string @go(Kind) @protobuf(3,bytes,opt)
+}
+
+// GroupVersion contains the "group" and the "version", which uniquely identifies the API.
+//
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+#GroupVersion: _

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/meta_go_gen.cue

@@ -0,0 +1,33 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1
+
+package v1
+
+// TODO: move this, Object, List, and Type to a different package
+#ObjectMetaAccessor: _
+
+// Object lets you work with object metadata from any of the versioned or
+// internal API objects. Attempting to set or retrieve a field on an object that does
+// not support that field (Name, UID, Namespace on lists) will be a no-op and return
+// a default value.
+#Object: _
+
+// ListMetaAccessor retrieves the list interface from an object
+#ListMetaAccessor: _
+
+// Common lets you work with core metadata from any of the versioned or
+// internal API objects. Attempting to set or retrieve a field on an object that does
+// not support that field will be a no-op and return a default value.
+// TODO: move this, and TypeMeta and ListMeta, to a different package
+#Common: _
+
+// ListInterface lets you work with list metadata from any of the versioned or
+// internal API objects. Attempting to set or retrieve a field on an object that does
+// not support that field will be a no-op and return a default value.
+// TODO: move this, and TypeMeta and ListMeta, to a different package
+#ListInterface: _
+
+// Type exposes the type and APIVersion of versioned or internal API objects.
+// TODO: move this, and TypeMeta and ListMeta, to a different package
+#Type: _

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/micro_time_go_gen.cue

@@ -0,0 +1,14 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1
+
+package v1
+
+#RFC3339Micro: "2006-01-02T15:04:05.000000Z07:00"
+
+// MicroTime is version of Time with microsecond level precision.
+//
+// +protobuf.options.marshal=false
+// +protobuf.as=Timestamp
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+#MicroTime: _

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/register_go_gen.cue

@@ -0,0 +1,9 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1
+
+package v1
+
+#GroupName: "meta.k8s.io"
+
+#WatchEventKind: "WatchEvent"

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/time_go_gen.cue

@@ -0,0 +1,14 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1
+
+package v1
+
+// Time is a wrapper around time.Time which supports correct
+// marshaling to YAML and JSON.  Wrappers are provided for many
+// of the factory methods that the time package offers.
+//
+// +protobuf.options.marshal=false
+// +protobuf.as=Timestamp
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+#Time: _

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/time_proto_go_gen.cue

@@ -0,0 +1,21 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1
+
+package v1
+
+// Timestamp is a struct that is equivalent to Time, but intended for
+// protobuf marshalling/unmarshalling. It is generated into a serialization
+// that matches Time. Do not use in Go structs.
+#Timestamp: {
+	// Represents seconds of UTC time since Unix epoch
+	// 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
+	// 9999-12-31T23:59:59Z inclusive.
+	seconds: int64 @go(Seconds) @protobuf(1,varint,opt)
+
+	// Non-negative fractions of a second at nanosecond resolution. Negative
+	// second values with fractions must still have non-negative nanos values
+	// that count forward in time. Must be from 0 to 999,999,999
+	// inclusive. This field may be limited in precision depending on context.
+	nanos: int32 @go(Nanos) @protobuf(2,varint,opt)
+}

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/watch_go_gen.cue

@@ -0,0 +1,30 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1
+
+package v1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/watch"
+)
+
+// Event represents a single event to a watched resource.
+//
+// +protobuf=true
+// +k8s:deepcopy-gen=true
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+#WatchEvent: {
+	type: string @go(Type) @protobuf(1,bytes,opt)
+
+	// Object is:
+	//  * If Type is Added or Modified: the new state of the object.
+	//  * If Type is Deleted: the state of the object immediately before deletion.
+	//  * If Type is Error: *Status is recommended; other types may make sense
+	//    depending on context.
+	object: runtime.#RawExtension @go(Object) @protobuf(2,bytes,opt)
+}
+
+// InternalEvent makes watch.Event versioned
+// +protobuf=false
+#InternalEvent: watch.#Event

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/allocator_go_gen.cue

@@ -0,0 +1,10 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/runtime
+
+package runtime
+
+// SimpleAllocator a wrapper around make([]byte)
+// conforms to the MemoryAllocator interface
+#SimpleAllocator: {
+}

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/codec_go_gen.cue

@@ -0,0 +1,37 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/runtime
+
+package runtime
+
+// codec binds an encoder and decoder.
+_#codec: {
+	Encoder: #Encoder
+	Decoder: #Decoder
+}
+
+// NoopEncoder converts an Decoder to a Serializer or Codec for code that expects them but only uses decoding.
+#NoopEncoder: {
+	Decoder: #Decoder
+}
+
+_#noopEncoderIdentifier: #Identifier & "noop"
+
+// NoopDecoder converts an Encoder to a Serializer or Codec for code that expects them but only uses encoding.
+#NoopDecoder: {
+	Encoder: #Encoder
+}
+
+_#base64Serializer: {
+	Encoder: #Encoder
+	Decoder: #Decoder
+}
+
+_#internalGroupVersionerIdentifier: "internal"
+_#disabledGroupVersionerIdentifier: "disabled"
+
+_#internalGroupVersioner: {
+}
+
+_#disabledGroupVersioner: {
+}

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/conversion_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/runtime
+
+// Package runtime defines conversions between generic types and structs to map query strings
+// to struct objects.
+package runtime

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/converter_go_gen.cue

@@ -0,0 +1,9 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/runtime
+
+package runtime
+
+// UnstructuredConverter is an interface for converting between interface{}
+// and map[string]interface representation.
+#UnstructuredConverter: _

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/doc_go_gen.cue

@@ -0,0 +1,39 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/runtime
+
+// Package runtime includes helper functions for working with API objects
+// that follow the kubernetes API object conventions, which are:
+//
+// 0. Your API objects have a common metadata struct member, TypeMeta.
+//
+// 1. Your code refers to an internal set of API objects.
+//
+// 2. In a separate package, you have an external set of API objects.
+//
+// 3. The external set is considered to be versioned, and no breaking
+// changes are ever made to it (fields may be added but not changed
+// or removed).
+//
+// 4. As your api evolves, you'll make an additional versioned package
+// with every major change.
+//
+// 5. Versioned packages have conversion functions which convert to
+// and from the internal version.
+//
+// 6. You'll continue to support older versions according to your
+// deprecation policy, and you can easily provide a program/library
+// to update old versions into new versions because of 5.
+//
+// 7. All of your serializations and deserializations are handled in a
+// centralized place.
+//
+// Package runtime provides a conversion helper to make 5 easy, and the
+// Encode/Decode/DecodeInto trio to accomplish 7. You can also register
+// additional "codecs" which use a version of your choice. It's
+// recommended that you register your types with runtime in your
+// package's init function.
+//
+// As a bonus, a few common types useful from all api objects and versions
+// are provided in types.go.
+package runtime

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/embedded_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/runtime
+
+package runtime
+
+_#encodable: _

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/helper_go_gen.cue

@@ -0,0 +1,23 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/runtime
+
+package runtime
+
+// MultiObjectTyper returns the types of objects across multiple schemes in order.
+#MultiObjectTyper: [...#ObjectTyper]
+
+_#defaultFramer: {
+}
+
+// WithVersionEncoder serializes an object and ensures the GVK is set.
+#WithVersionEncoder: {
+	Version:     #GroupVersioner
+	Encoder:     #Encoder
+	ObjectTyper: #ObjectTyper
+}
+
+// WithoutVersionDecoder clears the group version kind of a deserialized object.
+#WithoutVersionDecoder: {
+	Decoder: #Decoder
+}

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/interfaces_go_gen.cue

@@ -0,0 +1,165 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/runtime
+
+package runtime
+
+// APIVersionInternal may be used if you are registering a type that should not
+// be considered stable or serialized - it is a convention only and has no
+// special behavior in this package.
+#APIVersionInternal: "__internal"
+
+// GroupVersioner refines a set of possible conversion targets into a single option.
+#GroupVersioner: _
+
+// Identifier represents an identifier.
+// Identitier of two different objects should be equal if and only if for every
+// input the output they produce is exactly the same.
+#Identifier: string // #enumIdentifier
+
+#enumIdentifier:
+	_#noopEncoderIdentifier
+
+// Encoder writes objects to a serialized form
+#Encoder: _
+
+// MemoryAllocator is responsible for allocating memory.
+// By encapsulating memory allocation into its own interface, we can reuse the memory
+// across many operations in places we know it can significantly improve the performance.
+#MemoryAllocator: _
+
+// EncoderWithAllocator  serializes objects in a way that allows callers to manage any additional memory allocations.
+#EncoderWithAllocator: _
+
+// Decoder attempts to load an object from data.
+#Decoder: _
+
+// Serializer is the core interface for transforming objects into a serialized format and back.
+// Implementations may choose to perform conversion of the object, but no assumptions should be made.
+#Serializer: _
+
+// Codec is a Serializer that deals with the details of versioning objects. It offers the same
+// interface as Serializer, so this is a marker to consumers that care about the version of the objects
+// they receive.
+#Codec: #Serializer
+
+// ParameterCodec defines methods for serializing and deserializing API objects to url.Values and
+// performing any necessary conversion. Unlike the normal Codec, query parameters are not self describing
+// and the desired version must be specified.
+#ParameterCodec: _
+
+// Framer is a factory for creating readers and writers that obey a particular framing pattern.
+#Framer: _
+
+// SerializerInfo contains information about a specific serialization format
+#SerializerInfo: {
+	// MediaType is the value that represents this serializer over the wire.
+	MediaType: string
+
+	// MediaTypeType is the first part of the MediaType ("application" in "application/json").
+	MediaTypeType: string
+
+	// MediaTypeSubType is the second part of the MediaType ("json" in "application/json").
+	MediaTypeSubType: string
+
+	// EncodesAsText indicates this serializer can be encoded to UTF-8 safely.
+	EncodesAsText: bool
+
+	// Serializer is the individual object serializer for this media type.
+	Serializer: #Serializer
+
+	// PrettySerializer, if set, can serialize this object in a form biased towards
+	// readability.
+	PrettySerializer: #Serializer
+
+	// StrictSerializer, if set, deserializes this object strictly,
+	// erring on unknown fields.
+	StrictSerializer: #Serializer
+
+	// StreamSerializer, if set, describes the streaming serialization format
+	// for this media type.
+	StreamSerializer?: null | #StreamSerializerInfo @go(,*StreamSerializerInfo)
+}
+
+// StreamSerializerInfo contains information about a specific stream serialization format
+#StreamSerializerInfo: {
+	// EncodesAsText indicates this serializer can be encoded to UTF-8 safely.
+	EncodesAsText: bool
+
+	// Serializer is the top level object serializer for this type when streaming
+	Serializer: #Serializer
+
+	// Framer is the factory for retrieving streams that separate objects on the wire
+	Framer: #Framer
+}
+
+// NegotiatedSerializer is an interface used for obtaining encoders, decoders, and serializers
+// for multiple supported media types. This would commonly be accepted by a server component
+// that performs HTTP content negotiation to accept multiple formats.
+#NegotiatedSerializer: _
+
+// ClientNegotiator handles turning an HTTP content type into the appropriate encoder.
+// Use NewClientNegotiator or NewVersionedClientNegotiator to create this interface from
+// a NegotiatedSerializer.
+#ClientNegotiator: _
+
+// StorageSerializer is an interface used for obtaining encoders, decoders, and serializers
+// that can read and write data at rest. This would commonly be used by client tools that must
+// read files, or server side storage interfaces that persist restful objects.
+#StorageSerializer: _
+
+// NestedObjectEncoder is an optional interface that objects may implement to be given
+// an opportunity to encode any nested Objects / RawExtensions during serialization.
+#NestedObjectEncoder: _
+
+// NestedObjectDecoder is an optional interface that objects may implement to be given
+// an opportunity to decode any nested Objects / RawExtensions during serialization.
+// It is possible for DecodeNestedObjects to return a non-nil error but for the decoding
+// to have succeeded in the case of strict decoding errors (e.g. unknown/duplicate fields).
+// As such it is important for callers of DecodeNestedObjects to check to confirm whether
+// an error is a runtime.StrictDecodingError before short circuiting.
+// Similarly, implementations of DecodeNestedObjects should ensure that a runtime.StrictDecodingError
+// is only returned when the rest of decoding has succeeded.
+#NestedObjectDecoder: _
+
+#ObjectDefaulter: _
+
+#ObjectVersioner: _
+
+// ObjectConvertor converts an object to a different version.
+#ObjectConvertor: _
+
+// ObjectTyper contains methods for extracting the APIVersion and Kind
+// of objects.
+#ObjectTyper: _
+
+// ObjectCreater contains methods for instantiating an object by kind and version.
+#ObjectCreater: _
+
+// EquivalentResourceMapper provides information about resources that address the same underlying data as a specified resource
+#EquivalentResourceMapper: _
+
+// EquivalentResourceRegistry provides an EquivalentResourceMapper interface,
+// and allows registering known resource[/subresource] -> kind
+#EquivalentResourceRegistry: _
+
+// ResourceVersioner provides methods for setting and retrieving
+// the resource version from an API object.
+#ResourceVersioner: _
+
+// Namer provides methods for retrieving name and namespace of an API object.
+#Namer: _
+
+// Object interface must be supported by all API types registered with Scheme. Since objects in a scheme are
+// expected to be serialized to the wire, the interface an Object must provide to the Scheme allows
+// serializers to set the kind, version, and group the object is represented as. An Object may choose
+// to return a no-op ObjectKindAccessor in cases where it is not expected to be serialized.
+#Object: _
+
+// CacheableObject allows an object to cache its different serializations
+// to avoid performing the same serialization multiple times.
+#CacheableObject: _
+
+// Unstructured objects store values as map[string]interface{}, with only values that can be serialized
+// to JSON allowed.
+#Unstructured: _

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/negotiate_go_gen.cue

@@ -0,0 +1,12 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/runtime
+
+package runtime
+
+// NegotiateError is returned when a ClientNegotiator is unable to locate
+// a serializer for the requested operation.
+#NegotiateError: {
+	ContentType: string
+	Stream:      bool
+}

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/splice_go_gen.cue

@@ -0,0 +1,12 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/runtime
+
+package runtime
+
+// Splice is the interface that wraps the Splice method.
+//
+// Splice moves data from given slice without copying the underlying data for
+// efficiency purpose. Therefore, the caller should make sure the underlying
+// data is not changed later.
+#Splice: _

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/swagger_doc_generator_go_gen.cue

@@ -0,0 +1,14 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/runtime
+
+package runtime
+
+// Pair of strings. We keed the name of fields and the doc
+#Pair: {
+	Name: string
+	Doc:  string
+}
+
+// KubeTypes is an array to represent all available types in a parsed file. [0] is for the type itself
+#KubeTypes: [...#Pair]

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/types_go_gen.cue

@@ -0,0 +1,97 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/runtime
+
+package runtime
+
+// TypeMeta is shared by all top level objects. The proper way to use it is to inline it in your type,
+// like this:
+//
+//	type MyAwesomeAPIObject struct {
+//	     runtime.TypeMeta    `json:",inline"`
+//	     ... // other fields
+//	}
+//
+// func (obj *MyAwesomeAPIObject) SetGroupVersionKind(gvk *metav1.GroupVersionKind) { metav1.UpdateTypeMeta(obj,gvk) }; GroupVersionKind() *GroupVersionKind
+//
+// TypeMeta is provided here for convenience. You may use it directly from this package or define
+// your own with the same fields.
+//
+// +k8s:deepcopy-gen=false
+// +protobuf=true
+// +k8s:openapi-gen=true
+#TypeMeta: {
+	// +optional
+	apiVersion?: string @go(APIVersion) @protobuf(1,bytes,opt)
+
+	// +optional
+	kind?: string @go(Kind) @protobuf(2,bytes,opt)
+}
+
+#ContentTypeJSON:     "application/json"
+#ContentTypeYAML:     "application/yaml"
+#ContentTypeProtobuf: "application/vnd.kubernetes.protobuf"
+
+// RawExtension is used to hold extensions in external versions.
+//
+// To use this, make a field which has RawExtension as its type in your external, versioned
+// struct, and Object in your internal struct. You also need to register your
+// various plugin types.
+//
+// // Internal package:
+//
+//	type MyAPIObject struct {
+//		runtime.TypeMeta `json:",inline"`
+//		MyPlugin runtime.Object `json:"myPlugin"`
+//	}
+//
+//	type PluginA struct {
+//		AOption string `json:"aOption"`
+//	}
+//
+// // External package:
+//
+//	type MyAPIObject struct {
+//		runtime.TypeMeta `json:",inline"`
+//		MyPlugin runtime.RawExtension `json:"myPlugin"`
+//	}
+//
+//	type PluginA struct {
+//		AOption string `json:"aOption"`
+//	}
+//
+// // On the wire, the JSON will look something like this:
+//
+//	{
+//		"kind":"MyAPIObject",
+//		"apiVersion":"v1",
+//		"myPlugin": {
+//			"kind":"PluginA",
+//			"aOption":"foo",
+//		},
+//	}
+//
+// So what happens? Decode first uses json or yaml to unmarshal the serialized data into
+// your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked.
+// The next step is to copy (using pkg/conversion) into the internal struct. The runtime
+// package's DefaultScheme has conversion functions installed which will unpack the
+// JSON stored in RawExtension, turning it into the correct object type, and storing it
+// in the Object. (TODO: In the case where the object is of an unknown type, a
+// runtime.Unknown object will be created and stored.)
+//
+// +k8s:deepcopy-gen=true
+// +protobuf=true
+// +k8s:openapi-gen=true
+#RawExtension: _
+
+// Unknown allows api objects with unknown types to be passed-through. This can be used
+// to deal with the API objects from a plug-in. Unknown objects still have functioning
+// TypeMeta features-- kind, version, etc.
+// TODO: Make this object have easy access to field based accessors and settors for
+// metadata and field mutatation.
+//
+// +k8s:deepcopy-gen=true
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +protobuf=true
+// +k8s:openapi-gen=true
+#Unknown: _

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/types_proto_go_gen.cue

@@ -0,0 +1,9 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/runtime
+
+package runtime
+
+#ProtobufMarshaller: _
+
+#ProtobufReverseMarshaller: _

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/types/doc_go_gen.cue

@@ -0,0 +1,6 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/types
+
+// Package types implements various generic types used throughout kubernetes.
+package types

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/types/namespacedname_go_gen.cue

@@ -0,0 +1,12 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/types
+
+package types
+
+#NamespacedName: {
+	Namespace: string
+	Name:      string
+}
+
+#Separator: 47 // '/'

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/types/nodename_go_gen.cue

@@ -0,0 +1,31 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/types
+
+package types
+
+// NodeName is a type that holds a api.Node's Name identifier.
+// Being a type captures intent and helps make sure that the node name
+// is not confused with similar concepts (the hostname, the cloud provider id,
+// the cloud provider name etc)
+//
+// To clarify the various types:
+//
+//   - Node.Name is the Name field of the Node in the API.  This should be stored in a NodeName.
+//     Unfortunately, because Name is part of ObjectMeta, we can't store it as a NodeName at the API level.
+//
+//   - Hostname is the hostname of the local machine (from uname -n).
+//     However, some components allow the user to pass in a --hostname-override flag,
+//     which will override this in most places. In the absence of anything more meaningful,
+//     kubelet will use Hostname as the Node.Name when it creates the Node.
+//
+// * The cloudproviders have the own names: GCE has InstanceName, AWS has InstanceId.
+//
+//	For GCE, InstanceName is the Name of an Instance object in the GCE API.  On GCE, Instance.Name becomes the
+//	Hostname, and thus it makes sense also to use it as the Node.Name.  But that is GCE specific, and it is up
+//	to the cloudprovider how to do this mapping.
+//
+//	For AWS, the InstanceID is not yet suitable for use as a Node.Name, so we actually use the
+//	PrivateDnsName for the Node.Name.  And this is _not_ always the same as the hostname: if
+//	we are using a custom DHCP domain it won't be.
+#NodeName: string

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/types/patch_go_gen.cue

@@ -0,0 +1,21 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/types
+
+package types
+
+// Similarly to above, these are constants to support HTTP PATCH utilized by
+// both the client and server that didn't make sense for a whole package to be
+// dedicated to.
+#PatchType: string // #enumPatchType
+
+#enumPatchType:
+	#JSONPatchType |
+	#MergePatchType |
+	#StrategicMergePatchType |
+	#ApplyPatchType
+
+#JSONPatchType:           #PatchType & "application/json-patch+json"
+#MergePatchType:          #PatchType & "application/merge-patch+json"
+#StrategicMergePatchType: #PatchType & "application/strategic-merge-patch+json"
+#ApplyPatchType:          #PatchType & "application/apply-patch+yaml"

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/types/uid_go_gen.cue

@@ -0,0 +1,10 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/types
+
+package types
+
+// UID is a type that holds unique ID values, including UUIDs.  Because we
+// don't ONLY use UUIDs, this is an alias to string.  Being a type captures
+// intent and helps make sure that UIDs and names do not get conflated.
+#UID: string

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/util/intstr/intstr_go_gen.cue

@@ -0,0 +1,31 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/util/intstr
+
+package intstr
+
+// IntOrString is a type that can hold an int32 or a string.  When used in
+// JSON or YAML marshalling and unmarshalling, it produces or consumes the
+// inner type.  This allows you to have, for example, a JSON field that can
+// accept a name or number.
+// TODO: Rename to Int32OrString
+//
+// +protobuf=true
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+// +k8s:openapi-gen=true
+#IntOrString: _
+
+// Type represents the stored type of IntOrString.
+#Type: int64 // #enumType
+
+#enumType:
+	#Int |
+	#String
+
+#values_Type: {
+	Int:    #Int
+	String: #String
+}
+
+#Int:    #Type & 0
+#String: #Type & 1

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/watch/doc_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/watch
+
+// Package watch contains a generic watchable interface, and a fake for
+// testing code that uses the watch interface.
+package watch

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/watch/filter_go_gen.cue

@@ -0,0 +1,10 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/watch
+
+package watch
+
+// Recorder records all events that are sent from the watch until it is closed.
+#Recorder: {
+	Interface: #Interface
+}

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/watch/mux_go_gen.cue

@@ -0,0 +1,25 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/watch
+
+package watch
+
+// FullChannelBehavior controls how the Broadcaster reacts if a watcher's watch
+// channel is full.
+#FullChannelBehavior: int // #enumFullChannelBehavior
+
+#enumFullChannelBehavior:
+	#WaitIfChannelFull |
+	#DropIfChannelFull
+
+#values_FullChannelBehavior: {
+	WaitIfChannelFull: #WaitIfChannelFull
+	DropIfChannelFull: #DropIfChannelFull
+}
+
+#WaitIfChannelFull: #FullChannelBehavior & 0
+#DropIfChannelFull: #FullChannelBehavior & 1
+
+_#incomingQueueLength: 25
+
+_#internalRunFunctionMarker: "internal-do-function"

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/watch/streamwatcher_go_gen.cue

@@ -0,0 +1,12 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/watch
+
+package watch
+
+// Decoder allows StreamWatcher to watch any stream for which a Decoder can be written.
+#Decoder: _
+
+// Reporter hides the details of how an error is turned into a runtime.Object for
+// reporting on a watch stream since this package may not import a higher level report.
+#Reporter: _

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/watch/watch_go_gen.cue

@@ -0,0 +1,48 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/watch
+
+package watch
+
+import "k8s.io/apimachinery/pkg/runtime"
+
+// Interface can be implemented by anything that knows how to watch and report changes.
+#Interface: _
+
+// EventType defines the possible types of events.
+#EventType: string // #enumEventType
+
+#enumEventType:
+	#Added |
+	#Modified |
+	#Deleted |
+	#Bookmark |
+	#Error
+
+#Added:    #EventType & "ADDED"
+#Modified: #EventType & "MODIFIED"
+#Deleted:  #EventType & "DELETED"
+#Bookmark: #EventType & "BOOKMARK"
+#Error:    #EventType & "ERROR"
+
+// Event represents a single event to a watched resource.
+// +k8s:deepcopy-gen=true
+#Event: {
+	Type: #EventType
+
+	// Object is:
+	//  * If Type is Added or Modified: the new state of the object.
+	//  * If Type is Deleted: the state of the object immediately before deletion.
+	//  * If Type is Bookmark: the object (instance of a type being watched) where
+	//    only ResourceVersion field is set. On successful restart of watch from a
+	//    bookmark resourceVersion, client is guaranteed to not get repeat event
+	//    nor miss any events.
+	//  * If Type is Error: *api.Status is recommended; other types may make sense
+	//    depending on context.
+	Object: runtime.#Object
+}
+
+// RaceFreeFakeWatcher lets you test anything that consumes a watch.Interface; threadsafe.
+#RaceFreeFakeWatcher: {
+	Stopped: bool
+}

docs/examples/cue.mod/module.cue

@@ -0,0 +1 @@
+module: "github.com/holos-run/holos/docs/examples"

docs/examples/cue.mod/usr/k8s.io/api/core/v1/types.cue

@@ -0,0 +1,11 @@
+package v1
+
+#Namespace: {
+  apiVersion: "v1"
+  kind: "Namespace"
+}
+
+#ConfigMap: {
+  apiVersion: "v1"
+  kind: "ConfigMap"
+}

docs/examples/platforms/.gitignore

@@ -0,0 +1 @@
+platform.site.cue

docs/examples/platforms/constraints.cue

@@ -0,0 +1,4 @@
+package holos
+
+// Constrain the output to one of the defined kinds.
+{} & #Output

docs/examples/platforms/platform.example.cue

@@ -0,0 +1,7 @@
+package holos
+
+// Copy this file to platform.site.cue and specify concrete values for your local site.
+_Platform: org: {
+	name: string | *"example"
+	domain: string | *"example.com"
+}

docs/examples/platforms/reference/projects/secrets/components/namespaces/namespaces.cue

@@ -0,0 +1,9 @@
+package holos
+
+// e.g. prod-secrets-namespaces
+metadata: name: "\(#InputKeys.stage)-\(#InputKeys.project)-namespaces"
+objects: [
+	#Namespace & {
+		metadata: name: "external-secrets"
+	}
+]

docs/examples/platforms/reference/projects/secrets/output.cue

@@ -0,0 +1,9 @@
+package holos
+
+// Output schema
+{} & #KubernetesObjects
+
+#InputKeys: {
+	project: "secrets"
+	service: "eso"
+}

docs/examples/schema.cue

@@ -0,0 +1,106 @@
+package holos
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	corev1 "k8s.io/api/core/v1"
+	"encoding/yaml"
+)
+
+_apiVersion: "holos.run/v1alpha1"
+
+// #Name defines the name: string key value pair used all over the place.
+#Name: name: string
+
+// #NamespaceMeta defines standard metadata for namespaces.
+// Refer to https://kubernetes.io/docs/reference/labels-annotations-taints/#kubernetes-io-metadata-name
+#NamespaceMeta: {
+	metadata: {
+		name: string
+		labels: "kubernetes.io/metadata.name": name
+	}
+	...
+}
+
+// Kubernetes API Objects
+#Namespace: corev1.#Namespace & #NamespaceMeta
+#ConfigMap: corev1.#ConfigMap
+
+// #InputKeys defines the set of cue tags required to build a cue holos component. The values are used as lookup keys into the _Platform data.
+#InputKeys: {
+	// cluster is usually the only key necessary when working with a component on the command line.
+	cluster: string @tag(cluster, type=string)
+	// stage is usually set by the platform or project.
+	stage: *"prod" | string @tag(stage, type=string)
+	// project is usually set by the platform or project.
+	project: string @tag(project, type=string)
+	// service is usually set by the component.
+	service: string @tag(service, type=string)
+}
+
+// #Platform defines the primary lookup table for the platform.  Lookup keys should be limited to those defined in #KeyTags.
+#Platform: {
+	// org holds user defined values scoped organization wide.  A platform has one and only one organization.
+	org: {
+		name: string
+		domain: string
+	}
+	clusters: [ID=_]: {
+		name: string & ID
+		region?: string
+	}
+	stages: [ID=_]: {
+		name: string & ID
+		environments: [...#Name]
+	}
+	projects: [ID=_]: {
+		name: string & ID
+	}
+	services: [ID=_]: {
+		name: string & ID
+	}
+}
+// _PlatformData stores the values of the primary lookup table.
+_Platform: #Platform
+
+// #OutputTypeMeta is shared among all output types
+#OutputTypeMeta: {
+	// apiVersion is the output api version
+	apiVersion: _apiVersion
+	// kind is a discriminator of the type of output
+	kind: #PlatformSpec.kind | #KubernetesObjects.kind | #ChartValues.kind
+	// name holds a unique name suitable for a filename
+	metadata: name: string
+	// contentType is the standard MIME type indicating the content type of the content field
+	contentType: *"application/yaml" | "application/json"
+	// content holds the content text output
+	content: string | *""
+	// debug returns arbitrary debug output.
+	debug?: _
+}
+
+// #KubernetesObjectOutput is the output schema of a single component.
+#KubernetesObjects: {
+	#OutputTypeMeta
+	// kind KubernetesObjects provides a yaml text stream of kubernetes api objects in the out field.
+	kind: "KubernetesObjects"
+	// objects holds a list of the kubernetes api objects to configure.
+	objects: [...metav1.#TypeMeta] | *[]
+	// out holds the rendered yaml text stream of kubernetes api objects.
+	content: yaml.MarshalStream(objects)
+	// platform returns the platform data structure for visibility / troubleshooting.
+	platform: _Platform
+}
+
+// #ChartValues is the output schema of a holos component which produces values for a helm chart.
+#ChartValues: {
+	#OutputTypeMeta
+	kind: "ChartValues"
+}
+
+// #PlatformSpec is the output schema of a platform specification.
+#PlatformSpec: {
+	#OutputTypeMeta
+	kind: "PlatformSpec"
+}
+
+#Output: #PlatformSpec | #KubernetesObjects | #ChartValues

go.mod

@@ -1,3 +1,31 @@
 module github.com/holos-run/holos
 
 go 1.21.5
+
+require (
+	cuelang.org/go v0.7.0
+	github.com/mattn/go-isatty v0.0.20
+	github.com/spf13/cobra v1.7.0
+)
+
+require (
+	cuelabs.dev/go/oci/ociregistry v0.0.0-20231103182354-93e78c079a13 // indirect
+	github.com/cockroachdb/apd/v3 v3.2.1 // indirect
+	github.com/emicklei/proto v1.10.0 // indirect
+	github.com/google/go-cmp v0.6.0 // indirect
+	github.com/google/uuid v1.3.0 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
+	github.com/mpvl/unique v0.0.0-20150818121801-cbe035fff7de // indirect
+	github.com/opencontainers/go-digest v1.0.0 // indirect
+	github.com/opencontainers/image-spec v1.1.0-rc4 // indirect
+	github.com/protocolbuffers/txtpbfmt v0.0.0-20230328191034-3462fbc510c0 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+	golang.org/x/mod v0.14.0 // indirect
+	golang.org/x/net v0.19.0 // indirect
+	golang.org/x/sys v0.15.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/tools v0.16.1 // indirect
+	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+)

go.sum

@@ -0,0 +1,65 @@
+cuelabs.dev/go/oci/ociregistry v0.0.0-20231103182354-93e78c079a13 h1:zkiIe8AxZ/kDjqQN+mDKc5BxoVJOqioSdqApjc+eB1I=
+cuelabs.dev/go/oci/ociregistry v0.0.0-20231103182354-93e78c079a13/go.mod h1:XGKYSMtsJWfqQYPwq51ZygxAPqpEUj/9bdg16iDPTAA=
+cuelang.org/go v0.7.0 h1:gMztinxuKfJwMIxtboFsNc6s8AxwJGgsJV+3CuLffHI=
+cuelang.org/go v0.7.0/go.mod h1:ix+3dM/bSpdG9xg6qpCgnJnpeLtciZu+O/rDbywoMII=
+github.com/cockroachdb/apd/v3 v3.2.1 h1:U+8j7t0axsIgvQUqthuNm82HIrYXodOV2iWLWtEaIwg=
+github.com/cockroachdb/apd/v3 v3.2.1/go.mod h1:klXJcjp+FffLTHlhIG69tezTDvdP065naDsHzKhYSqc=
+github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/emicklei/proto v1.10.0 h1:pDGyFRVV5RvV+nkBK9iy3q67FBy9Xa7vwrOTE+g5aGw=
+github.com/emicklei/proto v1.10.0/go.mod h1:rn1FgRS/FANiZdD2djyH7TMA9jdRDcYQ9IEN9yvjX0A=
+github.com/go-quicktest/qt v1.101.0 h1:O1K29Txy5P2OK0dGo59b7b0LR6wKfIhttaAhHUyn7eI=
+github.com/go-quicktest/qt v1.101.0/go.mod h1:14Bz/f7NwaXPtdYEgzsx46kqSxVwTbzVZsDC26tQJow=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
+github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
+github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
+github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
+github.com/lib/pq v1.10.7 h1:p7ZhMD+KsSRozJr34udlUrhboJwWAgCg34+/ZZNvZZw=
+github.com/lib/pq v1.10.7/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0=
+github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0=
+github.com/mpvl/unique v0.0.0-20150818121801-cbe035fff7de h1:D5x39vF5KCwKQaw+OC9ZPiLVHXz3UFw2+psEX+gYcto=
+github.com/mpvl/unique v0.0.0-20150818121801-cbe035fff7de/go.mod h1:kJun4WP5gFuHZgRjZUWWuH1DTxCtxbHDOIJsudS8jzY=
+github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
+github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
+github.com/opencontainers/image-spec v1.1.0-rc4 h1:oOxKUJWnFC4YGHCCMNql1x4YaDfYBTS5Y4x/Cgeo1E0=
+github.com/opencontainers/image-spec v1.1.0-rc4/go.mod h1:X4pATf0uXsnn3g5aiGIsVnJBR4mxhKzfwmvK/B2NTm8=
+github.com/protocolbuffers/txtpbfmt v0.0.0-20230328191034-3462fbc510c0 h1:sadMIsgmHpEOGbUs6VtHBXRR1OHevnj7hLx9ZcdNGW4=
+github.com/protocolbuffers/txtpbfmt v0.0.0-20230328191034-3462fbc510c0/go.mod h1:jgxiZysxFPM+iWKwQwPR+y+Jvo54ARd4EisXxKYpB5c=
+github.com/rogpeppe/go-internal v1.11.1-0.20231026093722-fa6a31e0812c h1:fPpdjePK1atuOg28PXfNSqgwf9I/qD1Hlo39JFwKBXk=
+github.com/rogpeppe/go-internal v1.11.1-0.20231026093722-fa6a31e0812c/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
+github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I=
+github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0=
+github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
+github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+golang.org/x/exp v0.0.0-20231006140011-7918f672742d h1:jtJma62tbqLibJ5sFQz8bKtEM8rJBtfilJ2qTU199MI=
+golang.org/x/exp v0.0.0-20231006140011-7918f672742d/go.mod h1:ldy0pHrwJyGW56pPQzzkH36rKxoZW1tw7ZJpeKx+hdo=
+golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=
+golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c=
+golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
+golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/tools v0.16.1 h1:TLyB3WofjdOEepBHAU20JdNC1Zbg87elYofWYAY5oZA=
+golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

pkg/api/core/v1alpha1/api.go

@@ -0,0 +1,2 @@
+// Package v1alpha1 is the unstable version of the core api.
+package v1alpha1

pkg/cli/build.go

@@ -0,0 +1,37 @@
+package cli
+
+import (
+	"fmt"
+	"github.com/holos-run/holos/pkg/config"
+	"github.com/holos-run/holos/pkg/internal/builder"
+	"github.com/holos-run/holos/pkg/wrapper"
+	"github.com/spf13/cobra"
+	"strings"
+)
+
+// build is the internal implementation of the build cli command
+func build(cmd *cobra.Command, args []string) error {
+	build := builder.New(builder.Entrypoints(args))
+	results, err := build.Run(cmd.Context())
+	if err != nil {
+		return err
+	}
+	outs := make([]string, 0, len(results))
+	for _, result := range results {
+		outs = append(outs, result.Content)
+	}
+	out := strings.Join(outs, "---\n")
+	if _, err := fmt.Fprintln(cmd.OutOrStdout(), out); err != nil {
+		return wrapper.Wrap(err)
+	}
+	return nil
+}
+
+// newBuildCmd returns the build subcommand for the root command
+func newBuildCmd(cfg *config.Config) *cobra.Command {
+	cmd := newCmd("build [directory...]")
+	cmd.Args = cobra.MinimumNArgs(1)
+	cmd.Short = "build kubernetes api objects from a directory"
+	cmd.RunE = build
+	return cmd
+}

pkg/cli/render.go

@@ -0,0 +1,46 @@
+package cli
+
+import (
+	"fmt"
+	"github.com/holos-run/holos/pkg/config"
+	"github.com/holos-run/holos/pkg/internal/builder"
+	"github.com/holos-run/holos/pkg/logger"
+	"github.com/holos-run/holos/pkg/wrapper"
+	"github.com/spf13/cobra"
+)
+
+func makeRenderRunFunc(cfg *config.Config) runFunc {
+	return func(cmd *cobra.Command, args []string) error {
+		if cfg.ClusterName() == "" {
+			return wrapper.Wrap(fmt.Errorf("missing cluster name"))
+		}
+
+		ctx := cmd.Context()
+		log := logger.FromContext(ctx)
+		build := builder.New(builder.Entrypoints(args))
+		results, err := build.Run(cmd.Context())
+		if err != nil {
+			return wrapper.Wrap(err)
+		}
+		for _, result := range results {
+			path := result.Filename(cfg.WriteTo(), cfg.ClusterName())
+			if err := result.Save(ctx, path); err != nil {
+				return wrapper.Wrap(err)
+			}
+			log.InfoContext(ctx, "rendered "+result.Name(), "status", "ok", "action", "save", "path", path, "name", result.Name())
+		}
+		return nil
+	}
+}
+
+// newRenderCmd returns the render subcommand for the root command
+func newRenderCmd(cfg *config.Config) *cobra.Command {
+	cmd := newCmd("render [directory...]")
+	cmd.Args = cobra.MinimumNArgs(1)
+	cmd.Short = "write kubernetes api objects to the filesystem"
+	cmd.Flags().SortFlags = false
+	cmd.Flags().AddGoFlagSet(cfg.WriteFlagSet())
+	cmd.Flags().AddGoFlagSet(cfg.ClusterFlagSet())
+	cmd.RunE = makeRenderRunFunc(cfg)
+	return cmd
+}

pkg/cli/root.go

@@ -0,0 +1,70 @@
+package cli
+
+import (
+	"fmt"
+	"github.com/holos-run/holos/pkg/config"
+	"github.com/holos-run/holos/pkg/logger"
+	"github.com/holos-run/holos/pkg/version"
+	"github.com/holos-run/holos/pkg/wrapper"
+	"github.com/spf13/cobra"
+	"log/slog"
+)
+
+type runFunc func(c *cobra.Command, args []string) error
+
+// New returns a new root *cobra.Command for command line execution.
+func New(cfg *config.Config) *cobra.Command {
+	rootCmd := &cobra.Command{
+		Use:     "holos",
+		Short:   "holos manages a holistic integrated software development platform",
+		Version: version.Version,
+		Args:    cobra.NoArgs,
+		CompletionOptions: cobra.CompletionOptions{
+			HiddenDefaultCmd: true, // Don't complete the complete subcommand itself
+		},
+		SilenceUsage:  true,
+		SilenceErrors: true,
+		PersistentPreRunE: func(c *cobra.Command, args []string) error {
+			if err := cfg.Finalize(); err != nil {
+				return err
+			}
+			log := cfg.Logger()
+			// Set the configured logger in the context.
+			c.SetContext(logger.NewContext(c.Context(), log))
+			// Set the default logger after flag parsing.
+			slog.SetDefault(log)
+			return nil
+		},
+		RunE: func(c *cobra.Command, args []string) error {
+			return c.Usage()
+		},
+	}
+	rootCmd.SetVersionTemplate("{{.Version}}\n")
+	rootCmd.SetOut(cfg.Stdout())
+	rootCmd.PersistentFlags().SortFlags = false
+	rootCmd.PersistentFlags().AddGoFlagSet(cfg.LogFlagSet())
+
+	// subcommands
+	rootCmd.AddCommand(newBuildCmd(cfg))
+	rootCmd.AddCommand(newRenderCmd(cfg))
+
+	return rootCmd
+}
+
+// newCmd returns a new subcommand
+func newCmd(name string) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:     name,
+		Version: version.Version,
+		Args:    cobra.NoArgs,
+		CompletionOptions: cobra.CompletionOptions{
+			HiddenDefaultCmd: true,
+		},
+		RunE: func(c *cobra.Command, args []string) error {
+			return wrapper.Wrap(fmt.Errorf("could not run %v: not implemented", c.Name()))
+		},
+		SilenceUsage:  true,
+		SilenceErrors: true,
+	}
+	return cmd
+}

pkg/cli/root_test.go

@@ -0,0 +1,128 @@
+package cli
+
+import (
+	"bytes"
+	"github.com/holos-run/holos/pkg/config"
+	"github.com/holos-run/holos/pkg/logger"
+	"github.com/holos-run/holos/pkg/version"
+	"github.com/spf13/cobra"
+	"strings"
+	"testing"
+)
+
+func newCommand() (*cobra.Command, *bytes.Buffer) {
+	var b1, b2 bytes.Buffer
+	// discard stdout for now, it's a bunch of usage messages.
+	cmd := New(config.New(config.Stdout(&b1), config.Stderr(&b2)))
+	return cmd, &b2
+}
+
+func TestNewRoot(t *testing.T) {
+	cmd, _ := newCommand()
+	if err := cmd.Execute(); err != nil {
+		t.Fatalf("could not execute: %v", err)
+	}
+}
+
+type argsTestCase struct {
+	format string
+	level  string
+	drop   string
+}
+
+func (tc argsTestCase) args() []string {
+	return []string{"--log-format", tc.format, "--log-level", tc.level}
+}
+
+func TestValidArgs(t *testing.T) {
+	t.Parallel()
+	formats := []string{"text", "json"}
+	levels := []string{"debug", "info", "warn", "error"}
+	drops := []string{"version"}
+	for _, format := range formats {
+		for _, level := range levels {
+			for _, drop := range drops {
+				tc := argsTestCase{format, level, drop}
+				t.Run(strings.Join(tc.args(), " "), func(t *testing.T) {
+					cmd, _ := newCommand()
+					cmd.SetArgs(tc.args())
+					if err := cmd.Execute(); err != nil {
+						t.Errorf("unexpected error: %v", err)
+					}
+				})
+			}
+		}
+	}
+}
+
+func TestLogOutput(t *testing.T) {
+	// Lifecycle message is always displayed
+	cmd, b := newCommand()
+	cmd.SetArgs([]string{"--log-level=debug"})
+	if err := cmd.Execute(); err != nil {
+		t.Fatalf("could not execute: %v", err)
+	}
+	have := strings.TrimSpace(b.String())
+	want := "finalized config from flags"
+	if !strings.Contains(have, want) {
+		t.Fatalf("have does not contain want\n\thave: %#v\n\twant: %#v", have, want)
+	}
+}
+
+func TestLogDrop(t *testing.T) {
+	// Log attributes can be filtered out by the user
+	cmd, b := newCommand()
+	cmd.SetArgs([]string{"--log-level=debug", "--log-drop=version,another"})
+	if err := cmd.Execute(); err != nil {
+		t.Fatalf("could not execute: %v", err)
+	}
+	stderr := b.String()
+	if strings.Contains(stderr, "version") {
+		t.Fatalf("want version dropped got: %v", stderr)
+	}
+}
+
+func TestInvalidArgs(t *testing.T) {
+	invalidArgs := [][]string{
+		{"--log-format=yaml"},
+		{"--log-level=something"},
+	}
+	for _, args := range invalidArgs {
+		var b bytes.Buffer
+		cmd := New(config.New(config.Stdout(&b)))
+		cmd.SetArgs(args)
+		err := cmd.Execute()
+		if err == nil {
+			t.Fatalf("expected error from args: %v", args)
+		}
+	}
+}
+
+func TestLoggerFromContext(t *testing.T) {
+	cmd, b := newCommand()
+	if err := cmd.Execute(); err != nil {
+		t.Fatalf("could not execute: %v", err)
+	}
+	log := logger.FromContext(cmd.Context())
+	want := "612c48a3-30c9-44e3-b8b6-394191d99935"
+	log.Info(want)
+	have := b.String()
+	if !strings.Contains(have, want) {
+		t.Fatalf("want: %v have: %v", want, have)
+	}
+}
+
+func TestVersion(t *testing.T) {
+	var b bytes.Buffer
+	cmd := New(config.New(config.Stdout(&b)))
+	cmd.SetOut(&b)
+	cmd.SetArgs([]string{"--version"})
+	if err := cmd.Execute(); err != nil {
+		t.Fatalf("could not execute: %v", err)
+	}
+	want := version.Version + "\n"
+	have := b.String()
+	if want != have {
+		t.Fatalf("want: %v have: %v", want, have)
+	}
+}

pkg/config/config.go

@@ -0,0 +1,141 @@
+package config
+
+import (
+	"flag"
+	"fmt"
+	"github.com/holos-run/holos/pkg/logger"
+	"io"
+	"log/slog"
+	"os"
+)
+
+// An Option configures a Config
+type Option func(o *options)
+
+type options struct {
+	stdout io.Writer
+	stderr io.Writer
+}
+
+// Stdout redirects standard output to w
+func Stdout(w io.Writer) Option {
+	return func(o *options) { o.stdout = w }
+}
+
+// Stderr redirects standard error to w
+func Stderr(w io.Writer) Option {
+	return func(o *options) { o.stderr = w }
+}
+
+// New returns a new top level cli Config.
+func New(opts ...Option) *Config {
+	cfgOptions := &options{
+		stdout: os.Stdout,
+		stderr: os.Stderr,
+	}
+	for _, option := range opts {
+		option(cfgOptions)
+	}
+	writeFlagSet := flag.NewFlagSet("", flag.ContinueOnError)
+	clusterFlagSet := flag.NewFlagSet("", flag.ContinueOnError)
+	cfg := &Config{
+		logConfig:      logger.NewConfig(),
+		writeTo:        getenv("HOLOS_WRITE_TO", "deploy"),
+		clusterName:    getenv("HOLOS_CLUSTER_NAME", ""),
+		writeFlagSet:   writeFlagSet,
+		clusterFlagSet: clusterFlagSet,
+		options:        cfgOptions,
+	}
+	writeFlagSet.StringVar(&cfg.writeTo, "write-to", cfg.writeTo, "write to directory")
+	clusterFlagSet.StringVar(&cfg.clusterName, "cluster-name", cfg.clusterName, "cluster name")
+	return cfg
+}
+
+// Config holds configuration for the whole program, used by main()
+type Config struct {
+	logConfig      *logger.Config
+	writeTo        string
+	clusterName    string
+	logger         *slog.Logger
+	options        *options
+	finalized      bool
+	writeFlagSet   *flag.FlagSet
+	clusterFlagSet *flag.FlagSet
+}
+
+// LogFlagSet returns the logging *flag.FlagSet
+func (c *Config) LogFlagSet() *flag.FlagSet {
+	return c.logConfig.FlagSet()
+}
+
+// WriteFlagSet returns a *flag.FlagSet wired to c *Config.  Useful for commands that write files.
+func (c *Config) WriteFlagSet() *flag.FlagSet {
+	return c.writeFlagSet
+}
+
+// ClusterFlagSet returns a *flag.FlagSet wired to c *Config.  Useful for commands scoped to one cluster.
+func (c *Config) ClusterFlagSet() *flag.FlagSet {
+	return c.clusterFlagSet
+}
+
+// Finalize validates the config and finalizes the startup lifecycle based on user configuration.
+func (c *Config) Finalize() error {
+	if c.finalized {
+		return fmt.Errorf("could not finalize: already finalized")
+	}
+	if err := c.Vet(); err != nil {
+		return err
+	}
+	l := c.Logger()
+	c.logger = l
+	l.Debug("finalized config from flags", "state", "finalized")
+	c.finalized = true
+	return nil
+}
+
+// Vet validates the config
+func (c *Config) Vet() error {
+	return c.logConfig.Vet()
+}
+
+// Logger returns a *slog.Logger configured by the user
+func (c *Config) Logger() *slog.Logger {
+	if c.logger != nil {
+		return c.logger
+	}
+	return c.logConfig.NewLogger(c.options.stderr)
+}
+
+// NewTopLevelLogger returns a *slog.Logger with a handler that filters source
+// attributes. Useful as a top level error logger in main().
+func (c *Config) NewTopLevelLogger() *slog.Logger {
+	return c.logConfig.NewTopLevelLogger(c.options.stderr)
+}
+
+// Stderr should be used instead of os.Stderr to capture output for tests.
+func (c *Config) Stderr() io.Writer {
+	return c.options.stderr
+}
+
+// Stdout should be used instead of os.Stdout to capture output for tests.
+func (c *Config) Stdout() io.Writer {
+	return c.options.stdout
+}
+
+// WriteTo returns the write to path configured by flags.
+func (c *Config) WriteTo() string {
+	return c.writeTo
+}
+
+// ClusterName returns the configured cluster name
+func (c *Config) ClusterName() string {
+	return c.clusterName
+}
+
+// getenv is equivalent to os.Getenv() with a default value
+func getenv(key, defaultValue string) string {
+	if value, exists := os.LookupEnv(key); exists {
+		return value
+	}
+	return defaultValue
+}

pkg/config/config_test.go

@@ -0,0 +1,43 @@
+package config
+
+import (
+	"bytes"
+	"testing"
+)
+
+// newConfig returns a new *Config with stderr wired to a bytes.Buffer.
+func newConfig() (cfg *Config, stderr *bytes.Buffer) {
+	var b bytes.Buffer
+	return New(Stderr(&b)), &b
+}
+
+func TestConfigFinalize(t *testing.T) {
+	cfg, _ := newConfig()
+	if err := cfg.Finalize(); err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if !cfg.finalized {
+		t.Fatalf("not finalized")
+	}
+}
+
+func TestConfigFinalizeTwice(t *testing.T) {
+	cfg, stderr := newConfig()
+	if err := cfg.Finalize(); err != nil {
+		t.Fatalf("want: %#v have: %#v", nil, err)
+	}
+	if err := cfg.Finalize(); err == nil {
+		t.Fatalf("want: error have: %#v", err)
+	} else {
+		want := "could not finalize: already finalized"
+		have := err.Error()
+		if want != have {
+			t.Fatalf("want: %#v have: %#v", want, have)
+		}
+	}
+	want := ""
+	have := stderr.String()
+	if want != have {
+		t.Fatalf("want: %#v have: %#v", want, have)
+	}
+}

pkg/internal/builder/builder.go

@@ -0,0 +1,179 @@
+// Package builder is responsible for building fully rendered kubernetes api
+// objects from various input directories. A directory may contain a platform
+// spec or a component spec.
+package builder
+
+import (
+	"context"
+	"fmt"
+	"github.com/holos-run/holos/pkg/logger"
+	"github.com/holos-run/holos/pkg/wrapper"
+	"os"
+	"path/filepath"
+
+	"cuelang.org/go/cue/cuecontext"
+	"cuelang.org/go/cue/load"
+)
+
+// An Option configures a Builder
+type Option func(*config)
+
+type config struct {
+	args []string
+}
+
+type Builder struct {
+	cfg config
+}
+
+// New returns a new *Builder configured by opts Option.
+func New(opts ...Option) *Builder {
+	var cfg config
+	for _, f := range opts {
+		f(&cfg)
+	}
+	b := &Builder{cfg: cfg}
+	return b
+}
+
+// Entrypoints configures the leaf directories Builder builds.
+func Entrypoints(args []string) Option {
+	return func(cfg *config) { cfg.args = args }
+}
+
+type buildInfo struct {
+	APIVersion string `json:"apiVersion,omitempty"`
+	Kind       string `json:"kind,omitempty"`
+}
+
+// Metadata represents the standard metadata fields of the cue output
+type Metadata struct {
+	Name string `json:"name,omitempty"`
+}
+
+// Result is the build result for display or writing.
+type Result struct {
+	Metadata Metadata `json:"metadata,omitempty"`
+	Content  string   `json:"content,omitempty"`
+}
+
+// Name returns the metadata name of the result. Equivalent to the
+// OrderedComponent name specified in platform.yaml in the holos prototype.
+func (r *Result) Name() string {
+	return r.Metadata.Name
+}
+
+func (r *Result) Filename(writeTo string, cluster string) string {
+	return filepath.Join(writeTo, "clusters", cluster, "components", r.Name(), r.Name()+".gen.yaml")
+}
+
+// Save writes the content to the filesystem for git ops.
+func (r *Result) Save(ctx context.Context, path string) error {
+	if r.Name() == "" {
+		return wrapper.Wrap(fmt.Errorf("missing name from cue result"))
+	}
+	log := logger.FromContext(ctx)
+	dir := filepath.Dir(path)
+	if err := os.MkdirAll(dir, os.FileMode(0775)); err != nil {
+		log.WarnContext(ctx, "could not mkdir", "path", dir, "err", err)
+		return wrapper.Wrap(err)
+	}
+	if err := os.WriteFile(path, []byte(r.Content), os.FileMode(0644)); err != nil {
+		log.WarnContext(ctx, "could not write", "path", path, "err", err)
+		return wrapper.Wrap(err)
+	}
+	log.DebugContext(ctx, "wrote "+path, "action", "mkdir", "path", path, "status", "ok")
+	return nil
+}
+
+func (b *Builder) Run(ctx context.Context) ([]*Result, error) {
+	log := logger.FromContext(ctx)
+	cueCtx := cuecontext.New()
+	results := make([]*Result, 0, len(b.cfg.args))
+
+	dir, err := b.findCueMod()
+	if err != nil {
+		return nil, wrapper.Wrap(err)
+	}
+
+	cfg := load.Config{Dir: dir}
+
+	// Make args relative to the module directory
+	args := make([]string, len(b.cfg.args))
+	for idx, path := range b.cfg.args {
+		target, err := filepath.Abs(path)
+		if err != nil {
+			return nil, wrapper.Wrap(fmt.Errorf("could not find absolute path: %w", err))
+		}
+		relPath, err := filepath.Rel(dir, target)
+		if err != nil {
+			return nil, wrapper.Wrap(fmt.Errorf("invalid argument, must be relative to cue.mod: %w", err))
+		}
+		relPath = "./" + relPath
+		args[idx] = relPath
+		equiv := fmt.Sprintf("cue export --out yaml %v", relPath)
+		log.Debug(equiv)
+	}
+
+	instances := load.Instances(args, &cfg)
+
+	for _, instance := range instances {
+		var info buildInfo
+		var result Result
+		results = append(results, &result)
+		if err := instance.Err; err != nil {
+			return nil, wrapper.Wrap(fmt.Errorf("could not load: %w", err))
+		}
+		value := cueCtx.BuildInstance(instance)
+		if err := value.Err(); err != nil {
+			return nil, wrapper.Wrap(fmt.Errorf("could not build: %w", err))
+		}
+		if err := value.Validate(); err != nil {
+			return nil, wrapper.Wrap(fmt.Errorf("could not validate: %w", err))
+		}
+
+		if err := value.Decode(&info); err != nil {
+			return nil, wrapper.Wrap(fmt.Errorf("could not decode: %w", err))
+		}
+
+		switch kind := info.Kind; kind {
+		case "KubernetesObjects":
+			if err := value.Decode(&result); err != nil {
+				return nil, wrapper.Wrap(fmt.Errorf("could not decode: %w", err))
+			}
+		default:
+			return nil, wrapper.Wrap(fmt.Errorf("build kind not implemented: %v", kind))
+		}
+	}
+
+	return results, nil
+}
+
+// findCueMod returns the root module location containing the cue.mod file or
+// directory or an error if the builder arguments do not share a common root
+// module.
+func (b *Builder) findCueMod() (dir string, err error) {
+	for _, origPath := range b.cfg.args {
+		var path string
+		if path, err = filepath.Abs(origPath); err != nil {
+			return
+		}
+		for {
+			if _, err := os.Stat(filepath.Join(path, "cue.mod")); err == nil {
+				if dir != "" && dir != path {
+					return "", fmt.Errorf("multiple modules not supported: %v is not %v", dir, path)
+				}
+				dir = path
+				break
+			} else if !os.IsNotExist(err) {
+				return "", err
+			}
+			parentPath := filepath.Dir(path)
+			if parentPath == path {
+				return "", fmt.Errorf("no cue.mod from root to leaf: %v", origPath)
+			}
+			path = parentPath
+		}
+	}
+	return dir, nil
+}

pkg/logger/logger.go

@@ -0,0 +1,217 @@
+// Package logger provides logging configuration and helpers to pass a logger instance through the context.
+package logger
+
+import (
+	"context"
+	"flag"
+	"fmt"
+	"github.com/holos-run/holos/pkg/tint"
+	"github.com/holos-run/holos/pkg/version"
+	"github.com/holos-run/holos/pkg/wrapper"
+	"github.com/mattn/go-isatty"
+	"io"
+	"log/slog"
+	"os"
+	"path/filepath"
+	"slices"
+	"strings"
+	"time"
+)
+
+const ErrKey = "err"
+
+var validLogLevels = []string{"debug", "info", "warn", "error"}
+var validLogFormats = []string{"text", "json"}
+
+// stringSlice is a comma separated list of string values
+type stringSlice []string
+
+func (s *stringSlice) String() string {
+	return strings.Join((*s)[:], ",")
+}
+
+func (s *stringSlice) Set(value string) error {
+	*s = append(*s, strings.Split(value, ",")...)
+	return nil
+}
+
+// key is an unexported type for keys defined in this package to prevent
+// collisions with keys defined in other packages.
+type key int
+
+// https://cs.opensource.google/go/go/+/refs/tags/go1.21.1:src/context/context.go;l=140-158
+// loggerKey is the key for *slog.Logs values in Contexts. It us unexported;
+// clients use NewContext and FromContext instead of this key directly.
+var loggerKey key
+
+// NewContext returns a new Context that carries value logger. Use FromContext
+// to retrieve the value.
+func NewContext(ctx context.Context, logger *slog.Logger) context.Context {
+	return context.WithValue(ctx, loggerKey, logger)
+}
+
+// FromContext returns the *slog.Logs previously stored in ctx by NewContext.
+// slog.Default() is returned otherwise.
+func FromContext(ctx context.Context) *slog.Logger {
+	// https://go.dev/ref/spec#Type_assertions
+	if logger, ok := ctx.Value(loggerKey).(*slog.Logger); ok {
+		return logger
+	}
+	return slog.Default()
+}
+
+// Config specifies user configurable flag values to create a NewLogger
+type Config struct {
+	level     string
+	format    string
+	dropAttrs stringSlice
+	flagSet   *flag.FlagSet
+}
+
+// GetLogLevel returns a slog.Level configured by the user
+//
+// A non-zero length DEBUG env var takes precedence over config fields.
+func (c *Config) GetLogLevel() slog.Level {
+	if os.Getenv("DEBUG") != "" {
+		return slog.LevelDebug
+	}
+	switch strings.ToLower(c.level) {
+	case "debug":
+		return slog.LevelDebug
+	case "warn":
+		return slog.LevelWarn
+	case "error":
+		return slog.LevelError
+	default:
+		return slog.LevelInfo
+	}
+}
+
+func (c *Config) ReplaceAttr(groups []string, a slog.Attr) slog.Attr {
+	if slices.Contains(c.dropAttrs, a.Key) {
+		return slog.Attr{}
+	}
+	// Check if err
+	if a.Key == ErrKey {
+		if err, ok := a.Value.Any().(error); ok {
+			return tint.Err(err)
+		}
+		if err, ok := a.Value.Any().(string); ok {
+			return tint.Err(fmt.Errorf(err))
+		}
+	} else if a.Key == slog.SourceKey {
+		source := a.Value.Any().(*slog.Source)
+		source.File = filepath.Base(source.File)
+	}
+	return a
+}
+
+// NewTopLevelLogger returns a *slog.Logs configured by c *Config which writes
+// to w without source information. Useful as a top level logger where the
+// source is know and the error is wrapped with a location attribute.
+func (c *Config) NewTopLevelLogger(w io.Writer) *slog.Logger {
+	level := c.GetLogLevel()
+	var handler slog.Handler
+	if c.format == "text" {
+		noColor := true
+		if file, ok := w.(*os.File); ok {
+			noColor = !isatty.IsTerminal(file.Fd())
+		}
+		handler = tint.NewHandler(w, &tint.Options{
+			Level:       level,
+			TimeFormat:  time.Kitchen,
+			AddSource:   false,
+			ReplaceAttr: c.ReplaceAttr,
+			NoColor:     noColor,
+		})
+	} else {
+		handler = slog.NewJSONHandler(w, &slog.HandlerOptions{
+			Level:       level,
+			AddSource:   false,
+			ReplaceAttr: c.ReplaceAttr,
+		})
+	}
+
+	return slog.New(handler).With("version", version.Version)
+}
+
+// NewLogger returns a *slog.Logs configured by c *Config which writes to w
+func (c *Config) NewLogger(w io.Writer) *slog.Logger {
+	level := c.GetLogLevel()
+	var handler slog.Handler
+	if c.format == "text" {
+		noColor := true
+		if file, ok := w.(*os.File); ok {
+			noColor = !isatty.IsTerminal(file.Fd())
+		}
+		handler = tint.NewHandler(w, &tint.Options{
+			Level:       level,
+			TimeFormat:  time.Kitchen,
+			AddSource:   true,
+			ReplaceAttr: c.ReplaceAttr,
+			NoColor:     noColor,
+		})
+	} else {
+		handler = slog.NewJSONHandler(w, &slog.HandlerOptions{
+			Level:       level,
+			AddSource:   true,
+			ReplaceAttr: c.ReplaceAttr,
+		})
+	}
+
+	return slog.New(handler).With("version", version.Version)
+}
+
+// NewConfig returns a new logging Config struct
+func NewConfig() *Config {
+	f := flag.NewFlagSet("", flag.ContinueOnError)
+	c := &Config{flagSet: f}
+	f.StringVar(&c.level, "log-level", getenv("HOLOS_LOG_LEVEL", "info"), fmt.Sprintf("log level (%s)", strings.Join(validLogLevels, "|")))
+	f.StringVar(&c.format, "log-format", getenv("HOLOS_LOG_FORMAT", "text"), fmt.Sprintf("log format (%s)", strings.Join(validLogFormats, "|")))
+	f.Var(&c.dropAttrs, "log-drop", "log attributes to drop (example \"user-agent,version\")")
+	return c
+}
+
+// FlagSet returns the go flag set to configure logging
+func (c *Config) FlagSet() *flag.FlagSet {
+	return c.flagSet
+}
+
+// Vet validates the config values
+func (c *Config) Vet() error {
+	if err := c.vetLevel(); err != nil {
+		return err
+	}
+	if err := c.vetFormat(); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (c *Config) vetLevel() error {
+	for _, validLevel := range validLogLevels {
+		if c.level == validLevel {
+			return nil
+		}
+	}
+	err := fmt.Errorf("invalid log level: %s is not one of %s", c.level, strings.Join(validLogLevels, ", "))
+	return wrapper.Wrap(err)
+}
+
+func (c *Config) vetFormat() error {
+	for _, validFormat := range validLogFormats {
+		if c.format == validFormat {
+			return nil
+		}
+	}
+	err := fmt.Errorf("invalid log format: %s is not one of %s", c.format, strings.Join(validLogFormats, ", "))
+	return wrapper.Wrap(err)
+}
+
+// getenv is equivalent to os.Getenv() with a default value
+func getenv(key, defaultValue string) string {
+	if value, exists := os.LookupEnv(key); exists {
+		return value
+	}
+	return defaultValue
+}

pkg/logger/logger_test.go

@@ -0,0 +1,13 @@
+package logger
+
+import (
+	"context"
+	"testing"
+)
+
+func TestLoggerFromContext(t *testing.T) {
+	log := FromContext(context.Background())
+	if log == nil {
+		t.Fatalf("want slog.Default() got nil")
+	}
+}

pkg/tint/buffer.go

@@ -0,0 +1,46 @@
+package tint
+
+import "sync"
+
+type buffer []byte
+
+var bufPool = sync.Pool{
+	New: func() any {
+		b := make(buffer, 0, 1024)
+		return (*buffer)(&b)
+	},
+}
+
+func newBuffer() *buffer {
+	return bufPool.Get().(*buffer)
+}
+
+func (b *buffer) Free() {
+	// To reduce peak allocation, return only smaller buffers to the pool.
+	const maxBufferSize = 16 << 10
+	if cap(*b) <= maxBufferSize {
+		*b = (*b)[:0]
+		bufPool.Put(b)
+	}
+}
+func (b *buffer) Write(bytes []byte) (int, error) {
+	*b = append(*b, bytes...)
+	return len(bytes), nil
+}
+
+func (b *buffer) WriteByte(char byte) error {
+	*b = append(*b, char)
+	return nil
+}
+
+func (b *buffer) WriteString(str string) (int, error) {
+	*b = append(*b, str...)
+	return len(str), nil
+}
+
+func (b *buffer) WriteStringIf(ok bool, str string) (int, error) {
+	if !ok {
+		return 0, nil
+	}
+	return b.WriteString(str)
+}

pkg/tint/doc.go

@@ -0,0 +1,2 @@
+// Package tint copied from https://github.com/lmittmann/tint/tree/v1.0.4 to adjust the colors
+package tint

pkg/tint/handler.go

@@ -0,0 +1,452 @@
+/*
+Package tint implements a zero-dependency [slog.Handler] that writes tinted
+(colorized) logs. The output format is inspired by the [zerolog.ConsoleWriter]
+and [slog.TextHandler].
+
+The output format can be customized using [Options], which is a drop-in
+replacement for [slog.HandlerOptions].
+
+# Customize Attributes
+
+Options.ReplaceAttr can be used to alter or drop attributes. If set, it is
+called on each non-group attribute before it is logged.
+See [slog.HandlerOptions] for details.
+
+	w := os.Stderr
+	logger := slog.New(
+		tint.NewHandler(w, &tint.Options{
+			ReplaceAttr: func(groups []string, a slog.Attr) slog.Attr {
+				if a.Key == slog.TimeKey && len(groups) == 0 {
+					return slog.Attr{}
+				}
+				return a
+			},
+		}),
+	)
+
+# Automatically Enable Colors
+
+Colors are enabled by default and can be disabled using the Options.NoColor
+attribute. To automatically enable colors based on the terminal capabilities,
+use e.g. the [go-isatty] package.
+
+	w := os.Stderr
+	logger := slog.New(
+		tint.NewHandler(w, &tint.Options{
+			NoColor: !isatty.IsTerminal(w.Fd()),
+		}),
+	)
+
+# Windows Support
+
+Color support on Windows can be added by using e.g. the [go-colorable] package.
+
+	w := os.Stderr
+	logger := slog.New(
+		tint.NewHandler(colorable.NewColorable(w), nil),
+	)
+
+[zerolog.ConsoleWriter]: https://pkg.go.dev/github.com/rs/zerolog#ConsoleWriter
+[go-isatty]: https://pkg.go.dev/github.com/mattn/go-isatty
+[go-colorable]: https://pkg.go.dev/github.com/mattn/go-colorable
+*/
+package tint
+
+import (
+	"context"
+	"encoding"
+	"fmt"
+	"io"
+	"log/slog"
+	"path/filepath"
+	"runtime"
+	"strconv"
+	"sync"
+	"time"
+	"unicode"
+)
+
+// ANSI modes
+const (
+	ansiReset          = "\033[0m"
+	ansiFaint          = "\033[2m"
+	ansiResetFaint     = "\033[22m"
+	ansiBrightRed      = "\033[91m"
+	ansiBrightGreen    = "\033[92m"
+	ansiBrightYellow   = "\033[93m"
+	ansiBrightRedFaint = "\033[91;2m"
+	// Following colors look good with solarized dark
+	ansiRed          = "\033[31m"
+	ansiGreen        = "\033[32m"
+	ansiYellow       = "\033[33m"
+	ansiBlue         = "\033[34m"
+	ansiMagenta      = "\033[35m"
+	ansiCyan         = "\033[36m"
+	ansiLightGray    = "\033[37m"
+	ansiLightRed     = "\033[91m"
+	ansiLightMagenta = "\033[95m"
+)
+
+const errKey = "err"
+
+var (
+	defaultLevel      = slog.LevelInfo
+	defaultTimeFormat = time.StampMilli
+)
+
+// Options for a slog.Handler that writes tinted logs. A zero Options consists
+// entirely of default values.
+//
+// Options can be used as a drop-in replacement for [slog.HandlerOptions].
+type Options struct {
+	// Enable source code location (Default: false)
+	AddSource bool
+
+	// Minimum level to log (Default: slog.LevelInfo)
+	Level slog.Leveler
+
+	// ReplaceAttr is called to rewrite each non-group attribute before it is logged.
+	// See https://pkg.go.dev/log/slog#HandlerOptions for details.
+	ReplaceAttr func(groups []string, attr slog.Attr) slog.Attr
+
+	// Time format (Default: time.StampMilli)
+	TimeFormat string
+
+	// Disable color (Default: false)
+	NoColor bool
+}
+
+// NewHandler creates a [slog.Handler] that writes tinted logs to Writer w,
+// using the default options. If opts is nil, the default options are used.
+func NewHandler(w io.Writer, opts *Options) slog.Handler {
+	h := &handler{
+		w:          w,
+		level:      defaultLevel,
+		timeFormat: defaultTimeFormat,
+	}
+	if opts == nil {
+		return h
+	}
+
+	h.addSource = opts.AddSource
+	if opts.Level != nil {
+		h.level = opts.Level
+	}
+	h.replaceAttr = opts.ReplaceAttr
+	if opts.TimeFormat != "" {
+		h.timeFormat = opts.TimeFormat
+	}
+	h.noColor = opts.NoColor
+	return h
+}
+
+// handler implements a [slog.Handler].
+type handler struct {
+	attrsPrefix string
+	groupPrefix string
+	groups      []string
+
+	mu sync.Mutex
+	w  io.Writer
+
+	addSource   bool
+	level       slog.Leveler
+	replaceAttr func([]string, slog.Attr) slog.Attr
+	timeFormat  string
+	noColor     bool
+}
+
+func (h *handler) clone() *handler {
+	return &handler{
+		attrsPrefix: h.attrsPrefix,
+		groupPrefix: h.groupPrefix,
+		groups:      h.groups,
+		w:           h.w,
+		addSource:   h.addSource,
+		level:       h.level,
+		replaceAttr: h.replaceAttr,
+		timeFormat:  h.timeFormat,
+		noColor:     h.noColor,
+	}
+}
+
+func (h *handler) Enabled(_ context.Context, level slog.Level) bool {
+	return level >= h.level.Level()
+}
+
+func (h *handler) Handle(_ context.Context, r slog.Record) error {
+	// get a buffer from the sync pool
+	buf := newBuffer()
+	defer buf.Free()
+
+	rep := h.replaceAttr
+
+	// write time
+	if !r.Time.IsZero() {
+		val := r.Time.Round(0) // strip monotonic to match Attr behavior
+		if rep == nil {
+			h.appendTime(buf, r.Time)
+			_ = buf.WriteByte(' ')
+		} else if a := rep(nil /* groups */, slog.Time(slog.TimeKey, val)); a.Key != "" {
+			if a.Value.Kind() == slog.KindTime {
+				h.appendTime(buf, a.Value.Time())
+			} else {
+				h.appendValue(buf, a.Value, false)
+			}
+			_ = buf.WriteByte(' ')
+		}
+	}
+
+	// write level
+	if rep == nil {
+		h.appendLevel(buf, r.Level)
+		_ = buf.WriteByte(' ')
+	} else if a := rep(nil /* groups */, slog.Any(slog.LevelKey, r.Level)); a.Key != "" {
+		h.appendValue(buf, a.Value, false)
+		_ = buf.WriteByte(' ')
+	}
+
+	// write source
+	if h.addSource {
+		fs := runtime.CallersFrames([]uintptr{r.PC})
+		f, _ := fs.Next()
+		if f.File != "" {
+			src := &slog.Source{
+				Function: f.Function,
+				File:     f.File,
+				Line:     f.Line,
+			}
+
+			if rep == nil {
+				h.appendSource(buf, src)
+				_ = buf.WriteByte(' ')
+			} else if a := rep(nil /* groups */, slog.Any(slog.SourceKey, src)); a.Key != "" {
+				h.appendValue(buf, a.Value, false)
+				_ = buf.WriteByte(' ')
+			}
+		}
+	}
+
+	// write message
+	if rep == nil {
+		_, _ = buf.WriteStringIf(!h.noColor, ansiLightGray)
+		_, _ = buf.WriteString(r.Message)
+		_, _ = buf.WriteStringIf(!h.noColor, ansiReset)
+		_ = buf.WriteByte(' ')
+	} else if a := rep(nil /* groups */, slog.String(slog.MessageKey, r.Message)); a.Key != "" {
+		_, _ = buf.WriteStringIf(!h.noColor, ansiLightGray)
+		h.appendValue(buf, a.Value, false)
+		_, _ = buf.WriteStringIf(!h.noColor, ansiReset)
+		_ = buf.WriteByte(' ')
+	}
+
+	// write handler attributes
+	if len(h.attrsPrefix) > 0 {
+		_, _ = buf.WriteString(h.attrsPrefix)
+	}
+
+	// write attributes
+	r.Attrs(func(attr slog.Attr) bool {
+		h.appendAttr(buf, attr, h.groupPrefix, h.groups)
+		return true
+	})
+
+	if len(*buf) == 0 {
+		return nil
+	}
+	(*buf)[len(*buf)-1] = '\n' // replace last space with newline
+
+	h.mu.Lock()
+	defer h.mu.Unlock()
+
+	_, err := h.w.Write(*buf)
+	return err
+}
+
+func (h *handler) WithAttrs(attrs []slog.Attr) slog.Handler {
+	if len(attrs) == 0 {
+		return h
+	}
+	h2 := h.clone()
+
+	buf := newBuffer()
+	defer buf.Free()
+
+	// write attributes to buffer
+	for _, attr := range attrs {
+		h.appendAttr(buf, attr, h.groupPrefix, h.groups)
+	}
+	h2.attrsPrefix = h.attrsPrefix + string(*buf)
+	return h2
+}
+
+func (h *handler) WithGroup(name string) slog.Handler {
+	if name == "" {
+		return h
+	}
+	h2 := h.clone()
+	h2.groupPrefix += name + "."
+	h2.groups = append(h2.groups, name)
+	return h2
+}
+
+func (h *handler) appendTime(buf *buffer, t time.Time) {
+	_, _ = buf.WriteStringIf(!h.noColor, ansiFaint)
+	*buf = t.AppendFormat(*buf, h.timeFormat)
+	_, _ = buf.WriteStringIf(!h.noColor, ansiReset)
+}
+
+func (h *handler) appendLevel(buf *buffer, level slog.Level) {
+	switch {
+	case level < slog.LevelInfo:
+		_, _ = buf.WriteString("DBG")
+		appendLevelDelta(buf, level-slog.LevelDebug)
+	case level < slog.LevelWarn:
+		_, _ = buf.WriteStringIf(!h.noColor, ansiBlue)
+		_, _ = buf.WriteString("INF")
+		appendLevelDelta(buf, level-slog.LevelInfo)
+		_, _ = buf.WriteStringIf(!h.noColor, ansiReset)
+	case level < slog.LevelError:
+		_, _ = buf.WriteStringIf(!h.noColor, ansiYellow)
+		_, _ = buf.WriteString("WRN")
+		appendLevelDelta(buf, level-slog.LevelWarn)
+		_, _ = buf.WriteStringIf(!h.noColor, ansiReset)
+	default:
+		_, _ = buf.WriteStringIf(!h.noColor, ansiRed)
+		_, _ = buf.WriteString("ERR")
+		appendLevelDelta(buf, level-slog.LevelError)
+		_, _ = buf.WriteStringIf(!h.noColor, ansiReset)
+	}
+}
+
+func appendLevelDelta(buf *buffer, delta slog.Level) {
+	if delta == 0 {
+		return
+	} else if delta > 0 {
+		_ = buf.WriteByte('+')
+	}
+	*buf = strconv.AppendInt(*buf, int64(delta), 10)
+}
+
+func (h *handler) appendSource(buf *buffer, src *slog.Source) {
+	dir, file := filepath.Split(src.File)
+
+	_, _ = buf.WriteStringIf(!h.noColor, ansiLightMagenta)
+	_, _ = buf.WriteString(filepath.Join(filepath.Base(dir), file))
+	_ = buf.WriteByte(':')
+	_, _ = buf.WriteString(strconv.Itoa(src.Line))
+	_, _ = buf.WriteStringIf(!h.noColor, ansiReset)
+}
+
+func (h *handler) appendAttr(buf *buffer, attr slog.Attr, groupsPrefix string, groups []string) {
+	attr.Value = attr.Value.Resolve()
+	if rep := h.replaceAttr; rep != nil && attr.Value.Kind() != slog.KindGroup {
+		attr = rep(groups, attr)
+		attr.Value = attr.Value.Resolve()
+	}
+
+	if attr.Equal(slog.Attr{}) {
+		return
+	}
+
+	if attr.Value.Kind() == slog.KindGroup {
+		if attr.Key != "" {
+			groupsPrefix += attr.Key + "."
+			groups = append(groups, attr.Key)
+		}
+		for _, groupAttr := range attr.Value.Group() {
+			h.appendAttr(buf, groupAttr, groupsPrefix, groups)
+		}
+	} else if err, ok := attr.Value.Any().(tintError); ok {
+		// append tintError
+		h.appendTintError(buf, err, groupsPrefix)
+		_ = buf.WriteByte(' ')
+	} else {
+		h.appendKey(buf, attr.Key, groupsPrefix)
+		h.appendValue(buf, attr.Value, true)
+		_ = buf.WriteByte(' ')
+	}
+}
+
+func (h *handler) appendKey(buf *buffer, key, groups string) {
+	_, _ = buf.WriteStringIf(!h.noColor, ansiFaint)
+	appendString(buf, groups+key, true)
+	_ = buf.WriteByte('=')
+	_, _ = buf.WriteStringIf(!h.noColor, ansiReset)
+}
+
+func (h *handler) appendValue(buf *buffer, v slog.Value, quote bool) {
+	switch v.Kind() {
+	case slog.KindString:
+		appendString(buf, v.String(), quote)
+	case slog.KindInt64:
+		*buf = strconv.AppendInt(*buf, v.Int64(), 10)
+	case slog.KindUint64:
+		*buf = strconv.AppendUint(*buf, v.Uint64(), 10)
+	case slog.KindFloat64:
+		*buf = strconv.AppendFloat(*buf, v.Float64(), 'g', -1, 64)
+	case slog.KindBool:
+		*buf = strconv.AppendBool(*buf, v.Bool())
+	case slog.KindDuration:
+		appendString(buf, v.Duration().String(), quote)
+	case slog.KindTime:
+		appendString(buf, v.Time().String(), quote)
+	case slog.KindAny:
+		switch cv := v.Any().(type) {
+		case slog.Level:
+			h.appendLevel(buf, cv)
+		case encoding.TextMarshaler:
+			data, err := cv.MarshalText()
+			if err != nil {
+				break
+			}
+			appendString(buf, string(data), quote)
+		case *slog.Source:
+			h.appendSource(buf, cv)
+		default:
+			appendString(buf, fmt.Sprintf("%+v", v.Any()), quote)
+		}
+	}
+}
+
+func (h *handler) appendTintError(buf *buffer, err error, groupsPrefix string) {
+	_, _ = buf.WriteStringIf(!h.noColor, ansiLightRed)
+	appendString(buf, groupsPrefix+errKey, true)
+	_ = buf.WriteByte('=')
+	_, _ = buf.WriteStringIf(!h.noColor, ansiRed)
+	appendString(buf, err.Error(), true)
+	_, _ = buf.WriteStringIf(!h.noColor, ansiReset)
+}
+
+func appendString(buf *buffer, s string, quote bool) {
+	if quote && needsQuoting(s) {
+		*buf = strconv.AppendQuote(*buf, s)
+	} else {
+		_, _ = buf.WriteString(s)
+	}
+}
+
+func needsQuoting(s string) bool {
+	if len(s) == 0 {
+		return true
+	}
+	for _, r := range s {
+		if unicode.IsSpace(r) || r == '"' || r == '=' || !unicode.IsPrint(r) {
+			return true
+		}
+	}
+	return false
+}
+
+type tintError struct{ error }
+
+// Err returns a tinted (colorized) [slog.Attr] that will be written in red color
+// by the [tint.Handler]. When used with any other [slog.Handler], it behaves as
+//
+//	slog.Any("err", err)
+func Err(err error) slog.Attr {
+	if err != nil {
+		err = tintError{err}
+	}
+	return slog.Any(errKey, err)
+}

pkg/version/embedded/patch

@@ -1 +1 @@
-0
+3

pkg/wrapper/wrap.go

@@ -0,0 +1,86 @@
+// Package wrapper provides error wrapping with location information
+package wrapper
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"log/slog"
+	"path/filepath"
+	"runtime"
+)
+
+// Source represents the Source file and line where an error was encountered
+type Source struct {
+	File string `json:"file"`
+	Line int    `json:"line"`
+}
+
+func (s *Source) Loc() string {
+	return fmt.Sprintf("%s:%d", filepath.Base(s.File), s.Line)
+}
+
+// ErrorAt wraps an error with the Source location the error was encountered at
+// for tracing from a top level error handler.
+type ErrorAt struct {
+	Err    error
+	Source Source
+}
+
+// Unwrap implements error wrapping.
+func (e *ErrorAt) Unwrap() error {
+	return e.Err
+}
+
+// Error returns the error string with Source location.
+func (e *ErrorAt) Error() string {
+	return e.Source.Loc() + ": " + e.Err.Error()
+}
+
+// Wrap wraps err in a ErrorAt or returns err if err is nil, already a
+// ErrorAt, or caller info is not available.
+//
+// XXX: Refactor to wrap.Err(error, ...slog.Attr).  Often want to add attributes for the top level logger.
+func Wrap(err error) error {
+	// Nothing to do
+	if err == nil {
+		return nil
+	}
+
+	// Already a holos error no need to do anything.
+	var errAt *ErrorAt
+	if errors.As(err, &errAt) {
+		return err
+	}
+
+	// Try to wrap err with caller info
+	if _, file, line, ok := runtime.Caller(1); ok {
+		return &ErrorAt{
+			Err: err,
+			Source: Source{
+				File: file,
+				Line: line,
+			},
+		}
+	}
+
+	return err
+}
+
+// Log logs err with Source location if Err is a ErrorAt
+func Log(log *slog.Logger, ctx context.Context, level slog.Level, err error, msg string, args ...any) {
+	var errAt *ErrorAt
+	if ok := errors.As(err, &errAt); ok {
+		args = append(args,
+			slog.String("err", errAt.Unwrap().Error()),
+			slog.String("loc", errAt.Source.Loc()),
+		)
+	} else {
+		if _, file, line, ok := runtime.Caller(1); ok {
+			source := Source{file, line}
+			args = append(args, slog.String("loc", source.Loc()))
+		}
+		args = append(args, slog.String("err", err.Error()))
+	}
+	log.Log(ctx, level, msg, args...)
+}

pkg/wrapper/wrap_test.go

@@ -0,0 +1,87 @@
+package wrapper
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"log/slog"
+	"strings"
+	"testing"
+)
+
+type record struct {
+	Source Source `json:"source"`
+	Err    string `json:"err"`
+	Loc    string `json:"loc"`
+	Msg    string `json:"msg"`
+}
+
+func TestLog(t *testing.T) {
+	testCases := []error{
+		Wrap(fmt.Errorf("when wrapped")),
+		fmt.Errorf("when not wrapped"),
+	}
+
+	for _, err := range testCases {
+		t.Run(err.Error(), func(t *testing.T) {
+			var b bytes.Buffer
+			log := slog.New(slog.NewJSONHandler(&b, &slog.HandlerOptions{AddSource: true}))
+			Log(log, context.Background(), slog.LevelError, err, "handled")
+			var rec record
+			if err := json.Unmarshal(b.Bytes(), &rec); err != nil {
+				t.Fatalf("want json have error: %v", err)
+			}
+
+			have := rec.Loc
+			want := "wrap_test.go:"
+			if !strings.HasPrefix(have, want) {
+				t.Fatalf("want: %v have: %v", want, have)
+			}
+
+			have = rec.Msg
+			want = "handled"
+			if !strings.HasSuffix(have, want) {
+				t.Fatalf("want: %v have: %v", want, have)
+			}
+		})
+	}
+}
+
+func TestLogNotWrapped(t *testing.T) {
+	want := "wrap_test.go:"
+	err := fmt.Errorf("boom")
+	var b bytes.Buffer
+	log := slog.New(slog.NewJSONHandler(&b, &slog.HandlerOptions{AddSource: true}))
+	Log(log, context.Background(), slog.LevelError, err, "handled")
+	var rec record
+	if err := json.Unmarshal(b.Bytes(), &rec); err != nil {
+		t.Fatalf("want json have error: %v", err)
+	}
+
+	have := rec.Loc
+	if !strings.HasPrefix(have, want) {
+		t.Fatalf("want: %v have: %v", want, have)
+	}
+
+	have = rec.Msg
+	want = "handled"
+	if !strings.HasSuffix(have, want) {
+		t.Fatalf("want: %v have: %v", want, have)
+	}
+}
+
+func TestUnwrap(t *testing.T) {
+	err := Wrap(fmt.Errorf("boom"))
+	want := "wrap_test.go:"
+	have := err.Error()
+
+	if !strings.HasPrefix(have, want) {
+		t.Fatalf("want: %v have: %v", want, have)
+	}
+
+	want = "boom"
+	if !strings.HasSuffix(have, want) {
+		t.Fatalf("want: %v have: %v", want, have)
+	}
+}

scripts/msgs

@@ -0,0 +1,2 @@
+#! /bin/bash
+exec jq -r '"\(.source.file):\(.source.line)\t" + .msg'

scripts/test

@@ -0,0 +1,3 @@
+#! /bin/bash
+set -xeuo pipefail
+go test -coverpkg=./... -coverprofile=coverage.out ./...