Add holos build --cluster-name flag

Without this patch the build command doesn't fill in the cue cluster
name tag, resulting in incorrect output compared to the render command.

With this patch the correct output is generated.  Note the `mountPath`
field is correct:

```
❯ holos build ~/workspace/holos-run/holos/docs/examples/platforms/reference/projects/secrets/components/validate
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: default
  namespace: default
spec:
  provider:
    vault:
      auth:
        kubernetes:
          mountPath: k2
          role: default
          serviceAccountRef:
            name: default
      path: kv/k8s
      server: https://vault.core.ois.run
      version: v2
```

.github/workflows/lint.yaml

@@ -0,0 +1,27 @@
+# https://github.com/golangci/golangci-lint-action?tab=readme-ov-file#how-to-use
+name: Lint
+on:
+  push:
+    branches:
+      - main
+      - test
+  pull_request:
+    types: [opened, synchronize]
+
+permissions:
+  contents: read
+
+jobs:
+  golangci:
+    name: lint
+    runs-on: [self-hosted, k8s]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version: stable
+          cache: false
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v3
+        with:
+          version: latest

.github/workflows/test.yaml

@@ -0,0 +1,27 @@
+name: Unit Tests
+
+on:
+  push:
+    branches:
+      - main
+      - test
+  pull_request:
+    types: [opened, synchronize]
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    runs-on: [self-hosted, k8s]
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: stable
+
+      - name: Test
+        run: ./scripts/test

.gitignore

@@ -1,6 +1,7 @@
-bin
-/vendor
-/.idea
+bin/
+vendor/
+.idea/
 coverage.out
-
 dist/
+*.hold/
+/deploy/

Makefile

@@ -71,11 +71,14 @@ clean: ## Clean executables.
 
 .PHONY: test
 test: ## Run tests.
-	go test ./...
+	scripts/test
+
+.PHONY: lint
+lint: ## Run linters.
+	golangci-lint run
 
 .PHONY: coverage
-coverage:  ## Test coverage profile.
-	go test -coverprofile=coverage.out ./...
+coverage: test  ## Test coverage profile.
 	go tool cover   -html=coverage.out
 
 .PHONY: snapshot

cmd/holos/main.go

@@ -1,10 +1,28 @@
 package main
 
 import (
-  "fmt"
-  "github.com/holos-run/holos/pkg/version"
+	"context"
+	"errors"
+	"github.com/holos-run/holos/pkg/cli"
+	"github.com/holos-run/holos/pkg/config"
+	"github.com/holos-run/holos/pkg/wrapper"
+	"log/slog"
+	"os"
 )
 
 func main() {
-	fmt.Println(version.Version)
+	cfg := config.New()
+	slog.SetDefault(cfg.Logger())
+	ctx := context.Background()
+	if err := cli.New(cfg).ExecuteContext(ctx); err != nil {
+		log := cfg.NewTopLevelLogger()
+		var errAt *wrapper.ErrorAt
+		const msg = "could not execute"
+		if ok := errors.As(err, &errAt); ok {
+			log.ErrorContext(ctx, msg, "err", errAt.Unwrap(), "loc", errAt.Source.Loc())
+		} else {
+			log.ErrorContext(ctx, msg, "err", err)
+		}
+		os.Exit(1)
+	}
 }

docs/examples/cue.mod/gen/external-secrets.io/clusterexternalsecret/v1beta1/types_gen.cue

@@ -0,0 +1,378 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-secrets-eso/prod-secrets-eso.gen.yaml
+
+package v1beta1
+
+import (
+	"strings"
+	"struct"
+)
+
+// ClusterExternalSecret is the Schema for the
+// clusterexternalsecrets API.
+#ClusterExternalSecret: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object.
+	// Servers should convert recognized schemas to the latest
+	// internal value, and
+	// may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "external-secrets.io/v1beta1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents.
+	// Servers may infer this from the endpoint the client submits
+	// requests to.
+	// Cannot be updated.
+	// In CamelCase.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "ClusterExternalSecret"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// ClusterExternalSecretSpec defines the desired state of
+	// ClusterExternalSecret.
+	spec!: #ClusterExternalSecretSpec
+}
+
+// ClusterExternalSecretSpec defines the desired state of
+// ClusterExternalSecret.
+#ClusterExternalSecretSpec: {
+	// The metadata of the external secrets to be created
+	externalSecretMetadata?: {
+		annotations?: {
+			[string]: string
+		}
+		labels?: {
+			[string]: string
+		}
+	}
+
+	// The name of the external secrets to be created defaults to the
+	// name of the ClusterExternalSecret
+	externalSecretName?: string
+
+	// The spec for the ExternalSecrets to be created
+	externalSecretSpec: {
+		// Data defines the connection between the Kubernetes Secret keys
+		// and the Provider data
+		data?: [...{
+			// RemoteRef points to the remote secret and defines
+			// which secret (version/property/..) to fetch.
+			remoteRef: {
+				// Used to define a conversion Strategy
+				conversionStrategy?: "Default" | "Unicode" | *"Default"
+
+				// Used to define a decoding Strategy
+				decodingStrategy?: "Auto" | "Base64" | "Base64URL" | "None" | *"None"
+
+				// Key is the key used in the Provider, mandatory
+				key: string
+
+				// Policy for fetching tags/labels from provider secrets, possible
+				// options are Fetch, None. Defaults to None
+				metadataPolicy?: "None" | "Fetch" | *"None"
+
+				// Used to select a specific property of the Provider value (if a
+				// map), if supported
+				property?: string
+
+				// Used to select a specific version of the Provider value, if
+				// supported
+				version?: string
+			}
+
+			// SecretKey defines the key in which the controller stores
+			// the value. This is the key in the Kind=Secret
+			secretKey: string
+
+			// SourceRef allows you to override the source
+			// from which the value will pulled from.
+			sourceRef?: struct.MaxFields(1) & {
+				// GeneratorRef points to a generator custom resource.
+				//
+				//
+				// Deprecated: The generatorRef is not implemented in .data[].
+				// this will be removed with v1.
+				generatorRef?: {
+					// Specify the apiVersion of the generator resource
+					apiVersion?: string | *"generators.external-secrets.io/v1alpha1"
+
+					// Specify the Kind of the resource, e.g. Password, ACRAccessToken
+					// etc.
+					kind: string
+
+					// Specify the name of the generator resource
+					name: string
+				}
+
+				// SecretStoreRef defines which SecretStore to fetch the
+				// ExternalSecret data.
+				storeRef?: {
+					// Kind of the SecretStore resource (SecretStore or
+					// ClusterSecretStore)
+					// Defaults to `SecretStore`
+					kind?: string
+
+					// Name of the SecretStore resource
+					name: string
+				}
+			}
+		}]
+
+		// DataFrom is used to fetch all properties from a specific
+		// Provider data
+		// If multiple entries are specified, the Secret keys are merged
+		// in the specified order
+		dataFrom?: [...{
+			// Used to extract multiple key/value pairs from one secret
+			// Note: Extract does not support sourceRef.Generator or
+			// sourceRef.GeneratorRef.
+			extract?: {
+				// Used to define a conversion Strategy
+				conversionStrategy?: "Default" | "Unicode" | *"Default"
+
+				// Used to define a decoding Strategy
+				decodingStrategy?: "Auto" | "Base64" | "Base64URL" | "None" | *"None"
+
+				// Key is the key used in the Provider, mandatory
+				key: string
+
+				// Policy for fetching tags/labels from provider secrets, possible
+				// options are Fetch, None. Defaults to None
+				metadataPolicy?: "None" | "Fetch" | *"None"
+
+				// Used to select a specific property of the Provider value (if a
+				// map), if supported
+				property?: string
+
+				// Used to select a specific version of the Provider value, if
+				// supported
+				version?: string
+			}
+
+			// Used to find secrets based on tags or regular expressions
+			// Note: Find does not support sourceRef.Generator or
+			// sourceRef.GeneratorRef.
+			find?: {
+				// Used to define a conversion Strategy
+				conversionStrategy?: "Default" | "Unicode" | *"Default"
+
+				// Used to define a decoding Strategy
+				decodingStrategy?: "Auto" | "Base64" | "Base64URL" | "None" | *"None"
+				name?: {
+					// Finds secrets base
+					regexp?: string
+				}
+
+				// A root path to start the find operations.
+				path?: string
+
+				// Find secrets based on tags.
+				tags?: {
+					[string]: string
+				}
+			}
+
+			// Used to rewrite secret Keys after getting them from the secret
+			// Provider
+			// Multiple Rewrite operations can be provided. They are applied
+			// in a layered order (first to last)
+			rewrite?: [...{
+				// Used to rewrite with regular expressions.
+				// The resulting key will be the output of a regexp.ReplaceAll
+				// operation.
+				regexp?: {
+					// Used to define the regular expression of a re.Compiler.
+					source: string
+
+					// Used to define the target pattern of a ReplaceAll operation.
+					target: string
+				}
+				transform?: {
+					// Used to define the template to apply on the secret name.
+					// `.value ` will specify the secret name in the template.
+					template: string
+				}
+			}]
+
+			// SourceRef points to a store or generator
+			// which contains secret values ready to use.
+			// Use this in combination with Extract or Find pull values out of
+			// a specific SecretStore.
+			// When sourceRef points to a generator Extract or Find is not
+			// supported.
+			// The generator returns a static map of values
+			sourceRef?: struct.MaxFields(1) & {
+				// GeneratorRef points to a generator custom resource.
+				generatorRef?: {
+					// Specify the apiVersion of the generator resource
+					apiVersion?: string | *"generators.external-secrets.io/v1alpha1"
+
+					// Specify the Kind of the resource, e.g. Password, ACRAccessToken
+					// etc.
+					kind: string
+
+					// Specify the name of the generator resource
+					name: string
+				}
+
+				// SecretStoreRef defines which SecretStore to fetch the
+				// ExternalSecret data.
+				storeRef?: {
+					// Kind of the SecretStore resource (SecretStore or
+					// ClusterSecretStore)
+					// Defaults to `SecretStore`
+					kind?: string
+
+					// Name of the SecretStore resource
+					name: string
+				}
+			}
+		}]
+
+		// RefreshInterval is the amount of time before the values are
+		// read again from the SecretStore provider
+		// Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
+		// May be set to zero to fetch and create it once. Defaults to 1h.
+		refreshInterval?: string | *"1h"
+
+		// SecretStoreRef defines which SecretStore to fetch the
+		// ExternalSecret data.
+		secretStoreRef?: {
+			// Kind of the SecretStore resource (SecretStore or
+			// ClusterSecretStore)
+			// Defaults to `SecretStore`
+			kind?: string
+
+			// Name of the SecretStore resource
+			name: string
+		}
+
+		// ExternalSecretTarget defines the Kubernetes Secret to be
+		// created
+		// There can be only one target per ExternalSecret.
+		target?: {
+			// CreationPolicy defines rules on how to create the resulting
+			// Secret
+			// Defaults to 'Owner'
+			creationPolicy?: "Owner" | "Orphan" | "Merge" | "None" | *"Owner"
+
+			// DeletionPolicy defines rules on how to delete the resulting
+			// Secret
+			// Defaults to 'Retain'
+			deletionPolicy?: "Delete" | "Merge" | "Retain" | *"Retain"
+
+			// Immutable defines if the final secret will be immutable
+			immutable?: bool
+
+			// Name defines the name of the Secret resource to be managed
+			// This field is immutable
+			// Defaults to the .metadata.name of the ExternalSecret resource
+			name?: string
+
+			// Template defines a blueprint for the created Secret resource.
+			template?: {
+				data?: {
+					[string]: string
+				}
+
+				// EngineVersion specifies the template engine version
+				// that should be used to compile/execute the
+				// template specified in .data and .templateFrom[].
+				engineVersion?: "v1" | "v2" | *"v2"
+				mergePolicy?:   "Replace" | "Merge" | *"Replace"
+
+				// ExternalSecretTemplateMetadata defines metadata fields for the
+				// Secret blueprint.
+				metadata?: {
+					annotations?: {
+						[string]: string
+					}
+					labels?: {
+						[string]: string
+					}
+				}
+				templateFrom?: [...{
+					configMap?: {
+						items: [...{
+							key:         string
+							templateAs?: "Values" | "KeysAndValues" | *"Values"
+						}]
+						name: string
+					}
+					literal?: string
+					secret?: {
+						items: [...{
+							key:         string
+							templateAs?: "Values" | "KeysAndValues" | *"Values"
+						}]
+						name: string
+					}
+					target?: "Data" | "Annotations" | "Labels" | *"Data"
+				}]
+				type?: string
+			}
+		} | *{
+			creationPolicy: "Owner"
+			deletionPolicy: "Retain"
+		}
+	}
+
+	// The labels to select by to find the Namespaces to create the
+	// ExternalSecrets in.
+	namespaceSelector?: {
+		// matchExpressions is a list of label selector requirements. The
+		// requirements are ANDed.
+		matchExpressions?: [...{
+			// key is the label key that the selector applies to.
+			key: string
+
+			// operator represents a key's relationship to a set of values.
+			// Valid operators are In, NotIn, Exists and DoesNotExist.
+			operator: string
+
+			// values is an array of string values. If the operator is In or
+			// NotIn,
+			// the values array must be non-empty. If the operator is Exists
+			// or DoesNotExist,
+			// the values array must be empty. This array is replaced during a
+			// strategic
+			// merge patch.
+			values?: [...string]
+		}]
+
+		// matchLabels is a map of {key,value} pairs. A single {key,value}
+		// in the matchLabels
+		// map is equivalent to an element of matchExpressions, whose key
+		// field is "key", the
+		// operator is "In", and the values array contains only "value".
+		// The requirements are ANDed.
+		matchLabels?: {
+			[string]: string
+		}
+	}
+
+	// Choose namespaces by name. This field is ORed with anything
+	// that NamespaceSelector ends up choosing.
+	namespaces?: [...string]
+
+	// The time in which the controller should reconcile its objects
+	// and recheck namespaces for labels.
+	refreshTime?: string
+}

docs/examples/cue.mod/gen/external-secrets.io/externalsecret/v1alpha1/types_gen.cue

@@ -0,0 +1,168 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-secrets-eso/prod-secrets-eso.gen.yaml
+
+package v1alpha1
+
+import (
+	"strings"
+	"struct"
+)
+
+// ExternalSecret is the Schema for the external-secrets API.
+#ExternalSecret: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object.
+	// Servers should convert recognized schemas to the latest
+	// internal value, and
+	// may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "external-secrets.io/v1alpha1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents.
+	// Servers may infer this from the endpoint the client submits
+	// requests to.
+	// Cannot be updated.
+	// In CamelCase.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "ExternalSecret"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// ExternalSecretSpec defines the desired state of ExternalSecret.
+	spec!: #ExternalSecretSpec
+}
+
+// ExternalSecretSpec defines the desired state of ExternalSecret.
+#ExternalSecretSpec: {
+	// Data defines the connection between the Kubernetes Secret keys
+	// and the Provider data
+	data?: [...{
+		// ExternalSecretDataRemoteRef defines Provider data location.
+		remoteRef: {
+			// Used to define a conversion Strategy
+			conversionStrategy?: "Default" | "Unicode" | *"Default"
+
+			// Key is the key used in the Provider, mandatory
+			key: string
+
+			// Used to select a specific property of the Provider value (if a
+			// map), if supported
+			property?: string
+
+			// Used to select a specific version of the Provider value, if
+			// supported
+			version?: string
+		}
+		secretKey: string
+	}]
+
+	// DataFrom is used to fetch all properties from a specific
+	// Provider data
+	// If multiple entries are specified, the Secret keys are merged
+	// in the specified order
+	dataFrom?: [...{
+		// Used to define a conversion Strategy
+		conversionStrategy?: "Default" | "Unicode" | *"Default"
+
+		// Key is the key used in the Provider, mandatory
+		key: string
+
+		// Used to select a specific property of the Provider value (if a
+		// map), if supported
+		property?: string
+
+		// Used to select a specific version of the Provider value, if
+		// supported
+		version?: string
+	}]
+
+	// RefreshInterval is the amount of time before the values are
+	// read again from the SecretStore provider
+	// Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
+	// May be set to zero to fetch and create it once. Defaults to 1h.
+	refreshInterval?: string | *"1h"
+
+	// SecretStoreRef defines which SecretStore to fetch the
+	// ExternalSecret data.
+	secretStoreRef: {
+		// Kind of the SecretStore resource (SecretStore or
+		// ClusterSecretStore)
+		// Defaults to `SecretStore`
+		kind?: string
+
+		// Name of the SecretStore resource
+		name: string
+	}
+
+	// ExternalSecretTarget defines the Kubernetes Secret to be
+	// created
+	// There can be only one target per ExternalSecret.
+	target: {
+		// CreationPolicy defines rules on how to create the resulting
+		// Secret
+		// Defaults to 'Owner'
+		creationPolicy?: "Owner" | "Merge" | "None" | *"Owner"
+
+		// Immutable defines if the final secret will be immutable
+		immutable?: bool
+
+		// Name defines the name of the Secret resource to be managed
+		// This field is immutable
+		// Defaults to the .metadata.name of the ExternalSecret resource
+		name?: string
+
+		// Template defines a blueprint for the created Secret resource.
+		template?: {
+			data?: {
+				[string]: string
+			}
+
+			// EngineVersion specifies the template engine version
+			// that should be used to compile/execute the
+			// template specified in .data and .templateFrom[].
+			engineVersion?: "v1" | "v2" | *"v1"
+
+			// ExternalSecretTemplateMetadata defines metadata fields for the
+			// Secret blueprint.
+			metadata?: {
+				annotations?: {
+					[string]: string
+				}
+				labels?: {
+					[string]: string
+				}
+			}
+			templateFrom?: [...struct.MaxFields(1) & {
+				configMap?: {
+					items: [...{
+						key: string
+					}]
+					name: string
+				}
+				secret?: {
+					items: [...{
+						key: string
+					}]
+					name: string
+				}
+			}]
+			type?: string
+		}
+	}
+}

docs/examples/cue.mod/gen/external-secrets.io/externalsecret/v1beta1/types_gen.cue

@@ -0,0 +1,316 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-secrets-eso/prod-secrets-eso.gen.yaml
+
+package v1beta1
+
+import (
+	"strings"
+	"struct"
+)
+
+// ExternalSecret is the Schema for the external-secrets API.
+#ExternalSecret: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object.
+	// Servers should convert recognized schemas to the latest
+	// internal value, and
+	// may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "external-secrets.io/v1beta1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents.
+	// Servers may infer this from the endpoint the client submits
+	// requests to.
+	// Cannot be updated.
+	// In CamelCase.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "ExternalSecret"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// ExternalSecretSpec defines the desired state of ExternalSecret.
+	spec!: #ExternalSecretSpec
+}
+
+// ExternalSecretSpec defines the desired state of ExternalSecret.
+#ExternalSecretSpec: {
+	// Data defines the connection between the Kubernetes Secret keys
+	// and the Provider data
+	data?: [...{
+		// RemoteRef points to the remote secret and defines
+		// which secret (version/property/..) to fetch.
+		remoteRef: {
+			// Used to define a conversion Strategy
+			conversionStrategy?: "Default" | "Unicode" | *"Default"
+
+			// Used to define a decoding Strategy
+			decodingStrategy?: "Auto" | "Base64" | "Base64URL" | "None" | *"None"
+
+			// Key is the key used in the Provider, mandatory
+			key: string
+
+			// Policy for fetching tags/labels from provider secrets, possible
+			// options are Fetch, None. Defaults to None
+			metadataPolicy?: "None" | "Fetch" | *"None"
+
+			// Used to select a specific property of the Provider value (if a
+			// map), if supported
+			property?: string
+
+			// Used to select a specific version of the Provider value, if
+			// supported
+			version?: string
+		}
+
+		// SecretKey defines the key in which the controller stores
+		// the value. This is the key in the Kind=Secret
+		secretKey: string
+
+		// SourceRef allows you to override the source
+		// from which the value will pulled from.
+		sourceRef?: struct.MaxFields(1) & {
+			// GeneratorRef points to a generator custom resource.
+			//
+			//
+			// Deprecated: The generatorRef is not implemented in .data[].
+			// this will be removed with v1.
+			generatorRef?: {
+				// Specify the apiVersion of the generator resource
+				apiVersion?: string | *"generators.external-secrets.io/v1alpha1"
+
+				// Specify the Kind of the resource, e.g. Password, ACRAccessToken
+				// etc.
+				kind: string
+
+				// Specify the name of the generator resource
+				name: string
+			}
+
+			// SecretStoreRef defines which SecretStore to fetch the
+			// ExternalSecret data.
+			storeRef?: {
+				// Kind of the SecretStore resource (SecretStore or
+				// ClusterSecretStore)
+				// Defaults to `SecretStore`
+				kind?: string
+
+				// Name of the SecretStore resource
+				name: string
+			}
+		}
+	}]
+
+	// DataFrom is used to fetch all properties from a specific
+	// Provider data
+	// If multiple entries are specified, the Secret keys are merged
+	// in the specified order
+	dataFrom?: [...{
+		// Used to extract multiple key/value pairs from one secret
+		// Note: Extract does not support sourceRef.Generator or
+		// sourceRef.GeneratorRef.
+		extract?: {
+			// Used to define a conversion Strategy
+			conversionStrategy?: "Default" | "Unicode" | *"Default"
+
+			// Used to define a decoding Strategy
+			decodingStrategy?: "Auto" | "Base64" | "Base64URL" | "None" | *"None"
+
+			// Key is the key used in the Provider, mandatory
+			key: string
+
+			// Policy for fetching tags/labels from provider secrets, possible
+			// options are Fetch, None. Defaults to None
+			metadataPolicy?: "None" | "Fetch" | *"None"
+
+			// Used to select a specific property of the Provider value (if a
+			// map), if supported
+			property?: string
+
+			// Used to select a specific version of the Provider value, if
+			// supported
+			version?: string
+		}
+
+		// Used to find secrets based on tags or regular expressions
+		// Note: Find does not support sourceRef.Generator or
+		// sourceRef.GeneratorRef.
+		find?: {
+			// Used to define a conversion Strategy
+			conversionStrategy?: "Default" | "Unicode" | *"Default"
+
+			// Used to define a decoding Strategy
+			decodingStrategy?: "Auto" | "Base64" | "Base64URL" | "None" | *"None"
+			name?: {
+				// Finds secrets base
+				regexp?: string
+			}
+
+			// A root path to start the find operations.
+			path?: string
+
+			// Find secrets based on tags.
+			tags?: {
+				[string]: string
+			}
+		}
+
+		// Used to rewrite secret Keys after getting them from the secret
+		// Provider
+		// Multiple Rewrite operations can be provided. They are applied
+		// in a layered order (first to last)
+		rewrite?: [...{
+			// Used to rewrite with regular expressions.
+			// The resulting key will be the output of a regexp.ReplaceAll
+			// operation.
+			regexp?: {
+				// Used to define the regular expression of a re.Compiler.
+				source: string
+
+				// Used to define the target pattern of a ReplaceAll operation.
+				target: string
+			}
+			transform?: {
+				// Used to define the template to apply on the secret name.
+				// `.value ` will specify the secret name in the template.
+				template: string
+			}
+		}]
+
+		// SourceRef points to a store or generator
+		// which contains secret values ready to use.
+		// Use this in combination with Extract or Find pull values out of
+		// a specific SecretStore.
+		// When sourceRef points to a generator Extract or Find is not
+		// supported.
+		// The generator returns a static map of values
+		sourceRef?: struct.MaxFields(1) & {
+			// GeneratorRef points to a generator custom resource.
+			generatorRef?: {
+				// Specify the apiVersion of the generator resource
+				apiVersion?: string | *"generators.external-secrets.io/v1alpha1"
+
+				// Specify the Kind of the resource, e.g. Password, ACRAccessToken
+				// etc.
+				kind: string
+
+				// Specify the name of the generator resource
+				name: string
+			}
+
+			// SecretStoreRef defines which SecretStore to fetch the
+			// ExternalSecret data.
+			storeRef?: {
+				// Kind of the SecretStore resource (SecretStore or
+				// ClusterSecretStore)
+				// Defaults to `SecretStore`
+				kind?: string
+
+				// Name of the SecretStore resource
+				name: string
+			}
+		}
+	}]
+
+	// RefreshInterval is the amount of time before the values are
+	// read again from the SecretStore provider
+	// Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
+	// May be set to zero to fetch and create it once. Defaults to 1h.
+	refreshInterval?: string | *"1h"
+
+	// SecretStoreRef defines which SecretStore to fetch the
+	// ExternalSecret data.
+	secretStoreRef?: {
+		// Kind of the SecretStore resource (SecretStore or
+		// ClusterSecretStore)
+		// Defaults to `SecretStore`
+		kind?: string
+
+		// Name of the SecretStore resource
+		name: string
+	}
+
+	// ExternalSecretTarget defines the Kubernetes Secret to be
+	// created
+	// There can be only one target per ExternalSecret.
+	target?: {
+		// CreationPolicy defines rules on how to create the resulting
+		// Secret
+		// Defaults to 'Owner'
+		creationPolicy?: "Owner" | "Orphan" | "Merge" | "None" | *"Owner"
+
+		// DeletionPolicy defines rules on how to delete the resulting
+		// Secret
+		// Defaults to 'Retain'
+		deletionPolicy?: "Delete" | "Merge" | "Retain" | *"Retain"
+
+		// Immutable defines if the final secret will be immutable
+		immutable?: bool
+
+		// Name defines the name of the Secret resource to be managed
+		// This field is immutable
+		// Defaults to the .metadata.name of the ExternalSecret resource
+		name?: string
+
+		// Template defines a blueprint for the created Secret resource.
+		template?: {
+			data?: {
+				[string]: string
+			}
+
+			// EngineVersion specifies the template engine version
+			// that should be used to compile/execute the
+			// template specified in .data and .templateFrom[].
+			engineVersion?: "v1" | "v2" | *"v2"
+			mergePolicy?:   "Replace" | "Merge" | *"Replace"
+
+			// ExternalSecretTemplateMetadata defines metadata fields for the
+			// Secret blueprint.
+			metadata?: {
+				annotations?: {
+					[string]: string
+				}
+				labels?: {
+					[string]: string
+				}
+			}
+			templateFrom?: [...{
+				configMap?: {
+					items: [...{
+						key:         string
+						templateAs?: "Values" | "KeysAndValues" | *"Values"
+					}]
+					name: string
+				}
+				literal?: string
+				secret?: {
+					items: [...{
+						key:         string
+						templateAs?: "Values" | "KeysAndValues" | *"Values"
+					}]
+					name: string
+				}
+				target?: "Data" | "Annotations" | "Labels" | *"Data"
+			}]
+			type?: string
+		}
+	} | *{
+		creationPolicy: "Owner"
+		deletionPolicy: "Retain"
+	}
+}

docs/examples/cue.mod/gen/external-secrets.io/pushsecret/v1alpha1/types_gen.cue

@@ -0,0 +1,171 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-secrets-eso/prod-secrets-eso.gen.yaml
+
+package v1alpha1
+
+import "strings"
+
+#PushSecret: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object.
+	// Servers should convert recognized schemas to the latest
+	// internal value, and
+	// may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "external-secrets.io/v1alpha1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents.
+	// Servers may infer this from the endpoint the client submits
+	// requests to.
+	// Cannot be updated.
+	// In CamelCase.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "PushSecret"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// PushSecretSpec configures the behavior of the PushSecret.
+	spec!: #PushSecretSpec
+}
+
+// PushSecretSpec configures the behavior of the PushSecret.
+#PushSecretSpec: {
+	// Secret Data that should be pushed to providers
+	data?: [...{
+		// Match a given Secret Key to be pushed to the provider.
+		match: {
+			// Remote Refs to push to providers.
+			remoteRef: {
+				// Name of the property in the resulting secret
+				property?: string
+
+				// Name of the resulting provider secret.
+				remoteKey: string
+			}
+
+			// Secret Key to be pushed
+			secretKey?: string
+		}
+
+		// Metadata is metadata attached to the secret.
+		// The structure of metadata is provider specific, please look it
+		// up in the provider documentation.
+		metadata?: _
+	}]
+
+	// Deletion Policy to handle Secrets in the provider. Possible
+	// Values: "Delete/None". Defaults to "None".
+	deletionPolicy?: "Delete" | "None" | *"None"
+
+	// The Interval to which External Secrets will try to push a
+	// secret definition
+	refreshInterval?: string
+	secretStoreRefs: [...{
+		// Kind of the SecretStore resource (SecretStore or
+		// ClusterSecretStore)
+		// Defaults to `SecretStore`
+		kind?: string | *"SecretStore"
+
+		// Optionally, sync to secret stores with label selector
+		labelSelector?: {
+			// matchExpressions is a list of label selector requirements. The
+			// requirements are ANDed.
+			matchExpressions?: [...{
+				// key is the label key that the selector applies to.
+				key: string
+
+				// operator represents a key's relationship to a set of values.
+				// Valid operators are In, NotIn, Exists and DoesNotExist.
+				operator: string
+
+				// values is an array of string values. If the operator is In or
+				// NotIn,
+				// the values array must be non-empty. If the operator is Exists
+				// or DoesNotExist,
+				// the values array must be empty. This array is replaced during a
+				// strategic
+				// merge patch.
+				values?: [...string]
+			}]
+
+			// matchLabels is a map of {key,value} pairs. A single {key,value}
+			// in the matchLabels
+			// map is equivalent to an element of matchExpressions, whose key
+			// field is "key", the
+			// operator is "In", and the values array contains only "value".
+			// The requirements are ANDed.
+			matchLabels?: {
+				[string]: string
+			}
+		}
+
+		// Optionally, sync to the SecretStore of the given name
+		name?: string
+	}]
+	selector: {
+		secret: {
+			// Name of the Secret. The Secret must exist in the same namespace
+			// as the PushSecret manifest.
+			name: string
+		}
+	}
+
+	// Template defines a blueprint for the created Secret resource.
+	template?: {
+		data?: {
+			[string]: string
+		}
+
+		// EngineVersion specifies the template engine version
+		// that should be used to compile/execute the
+		// template specified in .data and .templateFrom[].
+		engineVersion?: "v1" | "v2" | *"v2"
+		mergePolicy?:   "Replace" | "Merge" | *"Replace"
+
+		// ExternalSecretTemplateMetadata defines metadata fields for the
+		// Secret blueprint.
+		metadata?: {
+			annotations?: {
+				[string]: string
+			}
+			labels?: {
+				[string]: string
+			}
+		}
+		templateFrom?: [...{
+			configMap?: {
+				items: [...{
+					key:         string
+					templateAs?: "Values" | "KeysAndValues" | *"Values"
+				}]
+				name: string
+			}
+			literal?: string
+			secret?: {
+				items: [...{
+					key:         string
+					templateAs?: "Values" | "KeysAndValues" | *"Values"
+				}]
+				name: string
+			}
+			target?: "Data" | "Annotations" | "Labels" | *"Data"
+		}]
+		type?: string
+	}
+}

docs/examples/cue.mod/gen/generators.external-secrets.io/acraccesstoken/v1alpha1/types_gen.cue

@@ -0,0 +1,167 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-secrets-eso/prod-secrets-eso.gen.yaml
+
+package v1alpha1
+
+import "strings"
+
+// ACRAccessToken returns a Azure Container Registry token
+// that can be used for pushing/pulling images.
+// Note: by default it will return an ACR Refresh Token with full
+// access
+// (depending on the identity).
+// This can be scoped down to the repository level using
+// .spec.scope.
+// In case scope is defined it will return an ACR Access Token.
+//
+//
+// See docs:
+// https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md
+#ACRAccessToken: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object.
+	// Servers should convert recognized schemas to the latest
+	// internal value, and
+	// may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "generators.external-secrets.io/v1alpha1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents.
+	// Servers may infer this from the endpoint the client submits
+	// requests to.
+	// Cannot be updated.
+	// In CamelCase.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "ACRAccessToken"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// ACRAccessTokenSpec defines how to generate the access token
+	// e.g. how to authenticate and which registry to use.
+	// see:
+	// https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview
+	spec!: #ACRAccessTokenSpec
+}
+
+// ACRAccessTokenSpec defines how to generate the access token
+// e.g. how to authenticate and which registry to use.
+// see:
+// https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview
+#ACRAccessTokenSpec: {
+	auth: {
+		managedIdentity?: {
+			// If multiple Managed Identity is assigned to the pod, you can
+			// select the one to be used
+			identityId?: string
+		}
+		servicePrincipal?: {
+			// Configuration used to authenticate with Azure using static
+			// credentials stored in a Kind=Secret.
+			secretRef: {
+				// The Azure clientId of the service principle used for
+				// authentication.
+				clientId?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+
+				// The Azure ClientSecret of the service principle used for
+				// authentication.
+				clientSecret?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+			}
+		}
+		workloadIdentity?: {
+			// ServiceAccountRef specified the service account
+			// that should be used when authenticating with WorkloadIdentity.
+			serviceAccountRef?: {
+				// Audience specifies the `aud` claim for the service account
+				// token
+				// If the service account uses a well-known annotation for e.g.
+				// IRSA or GCP Workload Identity
+				// then this audiences will be appended to the list
+				audiences?: [...string]
+
+				// The name of the ServiceAccount resource being referred to.
+				name: string
+
+				// Namespace of the resource being referred to. Ignored if
+				// referent is not cluster-scoped. cluster-scoped defaults
+				// to the namespace of the referent.
+				namespace?: string
+			}
+		}
+	}
+
+	// EnvironmentType specifies the Azure cloud environment endpoints
+	// to use for
+	// connecting and authenticating with Azure. By default it points
+	// to the public cloud AAD endpoint.
+	// The following endpoints are available, also see here:
+	// https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
+	// PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
+	environmentType?: "PublicCloud" | "USGovernmentCloud" | "ChinaCloud" | "GermanCloud" | *"PublicCloud"
+
+	// the domain name of the ACR registry
+	// e.g. foobarexample.azurecr.io
+	registry: string
+
+	// Define the scope for the access token, e.g. pull/push access
+	// for a repository.
+	// if not provided it will return a refresh token that has full
+	// scope.
+	// Note: you need to pin it down to the repository level, there is
+	// no wildcard available.
+	//
+	//
+	// examples:
+	// repository:my-repository:pull,push
+	// repository:my-repository:pull
+	//
+	//
+	// see docs for details:
+	// https://docs.docker.com/registry/spec/auth/scope/
+	scope?: string
+
+	// TenantID configures the Azure Tenant to send requests to.
+	// Required for ServicePrincipal auth type.
+	tenantId?: string
+}

docs/examples/cue.mod/gen/generators.external-secrets.io/ecrauthorizationtoken/v1alpha1/types_gen.cue

@@ -0,0 +1,142 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-secrets-eso/prod-secrets-eso.gen.yaml
+
+package v1alpha1
+
+import "strings"
+
+// ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to
+// retrieve an
+// authorization token.
+// The authorization token is valid for 12 hours.
+// The authorizationToken returned is a base64 encoded string that
+// can be decoded
+// and used in a docker login command to authenticate to a
+// registry.
+// For more information, see Registry authentication
+// (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth)
+// in the Amazon Elastic Container Registry User Guide.
+#ECRAuthorizationToken: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object.
+	// Servers should convert recognized schemas to the latest
+	// internal value, and
+	// may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "generators.external-secrets.io/v1alpha1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents.
+	// Servers may infer this from the endpoint the client submits
+	// requests to.
+	// Cannot be updated.
+	// In CamelCase.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "ECRAuthorizationToken"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+	spec!: #ECRAuthorizationTokenSpec
+}
+#ECRAuthorizationTokenSpec: {
+	// Auth defines how to authenticate with AWS
+	auth?: {
+		jwt?: {
+			// A reference to a ServiceAccount resource.
+			serviceAccountRef?: {
+				// Audience specifies the `aud` claim for the service account
+				// token
+				// If the service account uses a well-known annotation for e.g.
+				// IRSA or GCP Workload Identity
+				// then this audiences will be appended to the list
+				audiences?: [...string]
+
+				// The name of the ServiceAccount resource being referred to.
+				name: string
+
+				// Namespace of the resource being referred to. Ignored if
+				// referent is not cluster-scoped. cluster-scoped defaults
+				// to the namespace of the referent.
+				namespace?: string
+			}
+		}
+
+		// AWSAuthSecretRef holds secret references for AWS credentials
+		// both AccessKeyID and SecretAccessKey must be defined in order
+		// to properly authenticate.
+		secretRef?: {
+			// The AccessKeyID is used for authentication
+			accessKeyIDSecretRef?: {
+				// The key of the entry in the Secret resource's `data` field to
+				// be used. Some instances of this field may be
+				// defaulted, in others it may be required.
+				key?: string
+
+				// The name of the Secret resource being referred to.
+				name?: string
+
+				// Namespace of the resource being referred to. Ignored if
+				// referent is not cluster-scoped. cluster-scoped defaults
+				// to the namespace of the referent.
+				namespace?: string
+			}
+
+			// The SecretAccessKey is used for authentication
+			secretAccessKeySecretRef?: {
+				// The key of the entry in the Secret resource's `data` field to
+				// be used. Some instances of this field may be
+				// defaulted, in others it may be required.
+				key?: string
+
+				// The name of the Secret resource being referred to.
+				name?: string
+
+				// Namespace of the resource being referred to. Ignored if
+				// referent is not cluster-scoped. cluster-scoped defaults
+				// to the namespace of the referent.
+				namespace?: string
+			}
+
+			// The SessionToken used for authentication
+			// This must be defined if AccessKeyID and SecretAccessKey are
+			// temporary credentials
+			// see:
+			// https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
+			sessionTokenSecretRef?: {
+				// The key of the entry in the Secret resource's `data` field to
+				// be used. Some instances of this field may be
+				// defaulted, in others it may be required.
+				key?: string
+
+				// The name of the Secret resource being referred to.
+				name?: string
+
+				// Namespace of the resource being referred to. Ignored if
+				// referent is not cluster-scoped. cluster-scoped defaults
+				// to the namespace of the referent.
+				namespace?: string
+			}
+		}
+	}
+
+	// Region specifies the region to operate in.
+	region: string
+
+	// You can assume a role before making calls to the
+	// desired AWS service.
+	role?: string
+}

docs/examples/cue.mod/gen/generators.external-secrets.io/fake/v1alpha1/types_gen.cue

@@ -0,0 +1,62 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-secrets-eso/prod-secrets-eso.gen.yaml
+
+package v1alpha1
+
+import "strings"
+
+// Fake generator is used for testing. It lets you define
+// a static set of credentials that is always returned.
+#Fake: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object.
+	// Servers should convert recognized schemas to the latest
+	// internal value, and
+	// may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "generators.external-secrets.io/v1alpha1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents.
+	// Servers may infer this from the endpoint the client submits
+	// requests to.
+	// Cannot be updated.
+	// In CamelCase.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Fake"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// FakeSpec contains the static data.
+	spec!: #FakeSpec
+}
+
+// FakeSpec contains the static data.
+#FakeSpec: {
+	// Used to select the correct ESO controller (think:
+	// ingress.ingressClassName)
+	// The ESO controller is instantiated with a specific controller
+	// name and filters VDS based on this property
+	controller?: string
+
+	// Data defines the static data returned
+	// by this generator.
+	data?: {
+		[string]: string
+	}
+}

docs/examples/cue.mod/gen/generators.external-secrets.io/gcraccesstoken/v1alpha1/types_gen.cue

@@ -0,0 +1,93 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-secrets-eso/prod-secrets-eso.gen.yaml
+
+package v1alpha1
+
+import "strings"
+
+// GCRAccessToken generates an GCP access token
+// that can be used to authenticate with GCR.
+#GCRAccessToken: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object.
+	// Servers should convert recognized schemas to the latest
+	// internal value, and
+	// may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "generators.external-secrets.io/v1alpha1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents.
+	// Servers may infer this from the endpoint the client submits
+	// requests to.
+	// Cannot be updated.
+	// In CamelCase.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "GCRAccessToken"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+	spec!: #GCRAccessTokenSpec
+}
+#GCRAccessTokenSpec: {
+	// Auth defines the means for authenticating with GCP
+	auth: {
+		secretRef?: {
+			// The SecretAccessKey is used for authentication
+			secretAccessKeySecretRef?: {
+				// The key of the entry in the Secret resource's `data` field to
+				// be used. Some instances of this field may be
+				// defaulted, in others it may be required.
+				key?: string
+
+				// The name of the Secret resource being referred to.
+				name?: string
+
+				// Namespace of the resource being referred to. Ignored if
+				// referent is not cluster-scoped. cluster-scoped defaults
+				// to the namespace of the referent.
+				namespace?: string
+			}
+		}
+		workloadIdentity?: {
+			clusterLocation:   string
+			clusterName:       string
+			clusterProjectID?: string
+
+			// A reference to a ServiceAccount resource.
+			serviceAccountRef: {
+				// Audience specifies the `aud` claim for the service account
+				// token
+				// If the service account uses a well-known annotation for e.g.
+				// IRSA or GCP Workload Identity
+				// then this audiences will be appended to the list
+				audiences?: [...string]
+
+				// The name of the ServiceAccount resource being referred to.
+				name: string
+
+				// Namespace of the resource being referred to. Ignored if
+				// referent is not cluster-scoped. cluster-scoped defaults
+				// to the namespace of the referent.
+				namespace?: string
+			}
+		}
+	}
+
+	// ProjectID defines which project to use to authenticate with
+	projectID: string
+}

docs/examples/cue.mod/gen/generators.external-secrets.io/password/v1alpha1/types_gen.cue

@@ -0,0 +1,77 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-secrets-eso/prod-secrets-eso.gen.yaml
+
+package v1alpha1
+
+import "strings"
+
+// Password generates a random password based on the
+// configuration parameters in spec.
+// You can specify the length, characterset and other attributes.
+#Password: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object.
+	// Servers should convert recognized schemas to the latest
+	// internal value, and
+	// may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "generators.external-secrets.io/v1alpha1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents.
+	// Servers may infer this from the endpoint the client submits
+	// requests to.
+	// Cannot be updated.
+	// In CamelCase.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Password"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// PasswordSpec controls the behavior of the password generator.
+	spec!: #PasswordSpec
+}
+
+// PasswordSpec controls the behavior of the password generator.
+#PasswordSpec: {
+	// set AllowRepeat to true to allow repeating characters.
+	allowRepeat: bool | *false
+
+	// Digits specifies the number of digits in the generated
+	// password. If omitted it defaults to 25% of the length of the
+	// password
+	digits?: int
+
+	// Length of the password to be generated.
+	// Defaults to 24
+	length: int | *24
+
+	// Set NoUpper to disable uppercase characters
+	noUpper: bool | *false
+
+	// SymbolCharacters specifies the special characters that should
+	// be used
+	// in the generated password.
+	symbolCharacters?: string
+
+	// Symbols specifies the number of symbol characters in the
+	// generated
+	// password. If omitted it defaults to 25% of the length of the
+	// password
+	symbols?: int
+}

docs/examples/cue.mod/gen/generators.external-secrets.io/vaultdynamicsecret/v1alpha1/types_gen.cue

@@ -0,0 +1,609 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-secrets-eso/prod-secrets-eso.gen.yaml
+
+package v1alpha1
+
+import "strings"
+
+#VaultDynamicSecret: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object.
+	// Servers should convert recognized schemas to the latest
+	// internal value, and
+	// may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "generators.external-secrets.io/v1alpha1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents.
+	// Servers may infer this from the endpoint the client submits
+	// requests to.
+	// Cannot be updated.
+	// In CamelCase.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "VaultDynamicSecret"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+	spec!: #VaultDynamicSecretSpec
+}
+#VaultDynamicSecretSpec: {
+	// Used to select the correct ESO controller (think:
+	// ingress.ingressClassName)
+	// The ESO controller is instantiated with a specific controller
+	// name and filters VDS based on this property
+	controller?: string
+
+	// Vault API method to use (GET/POST/other)
+	method?: string
+
+	// Parameters to pass to Vault write (for non-GET methods)
+	parameters?: _
+
+	// Vault path to obtain the dynamic secret from
+	path: string
+
+	// Vault provider common spec
+	provider: {
+		// Auth configures how secret-manager authenticates with the Vault
+		// server.
+		auth: {
+			// AppRole authenticates with Vault using the App Role auth
+			// mechanism,
+			// with the role and secret stored in a Kubernetes Secret
+			// resource.
+			appRole?: {
+				// Path where the App Role authentication backend is mounted
+				// in Vault, e.g: "approle"
+				path: string | *"approle"
+
+				// RoleID configured in the App Role authentication backend when
+				// setting
+				// up the authentication backend in Vault.
+				roleId?: string
+
+				// Reference to a key in a Secret that contains the App Role ID
+				// used
+				// to authenticate with Vault.
+				// The `key` field must be specified and denotes which entry
+				// within the Secret
+				// resource is used as the app role id.
+				roleRef?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+
+				// Reference to a key in a Secret that contains the App Role
+				// secret used
+				// to authenticate with Vault.
+				// The `key` field must be specified and denotes which entry
+				// within the Secret
+				// resource is used as the app role secret.
+				secretRef: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+			}
+
+			// Cert authenticates with TLS Certificates by passing client
+			// certificate, private key and ca certificate
+			// Cert authentication method
+			cert?: {
+				// ClientCert is a certificate to authenticate using the Cert
+				// Vault
+				// authentication method
+				clientCert?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+
+				// SecretRef to a key in a Secret resource containing client
+				// private key to
+				// authenticate with Vault using the Cert authentication method
+				secretRef?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+			}
+
+			// Iam authenticates with vault by passing a special AWS request
+			// signed with AWS IAM credentials
+			// AWS IAM authentication method
+			iam?: {
+				// AWS External ID set on assumed IAM roles
+				externalID?: string
+				jwt?: {
+					// A reference to a ServiceAccount resource.
+					serviceAccountRef?: {
+						// Audience specifies the `aud` claim for the service account
+						// token
+						// If the service account uses a well-known annotation for e.g.
+						// IRSA or GCP Workload Identity
+						// then this audiences will be appended to the list
+						audiences?: [...string]
+
+						// The name of the ServiceAccount resource being referred to.
+						name: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+				}
+
+				// Path where the AWS auth method is enabled in Vault, e.g: "aws"
+				path?: string
+
+				// AWS region
+				region?: string
+
+				// This is the AWS role to be assumed before talking to vault
+				role?: string
+
+				// Specify credentials in a Secret object
+				secretRef?: {
+					// The AccessKeyID is used for authentication
+					accessKeyIDSecretRef?: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+
+					// The SecretAccessKey is used for authentication
+					secretAccessKeySecretRef?: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+
+					// The SessionToken used for authentication
+					// This must be defined if AccessKeyID and SecretAccessKey are
+					// temporary credentials
+					// see:
+					// https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
+					sessionTokenSecretRef?: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+				}
+
+				// X-Vault-AWS-IAM-Server-ID is an additional header used by Vault
+				// IAM auth method to mitigate against different types of replay
+				// attacks. More details here:
+				// https://developer.hashicorp.com/vault/docs/auth/aws
+				vaultAwsIamServerID?: string
+
+				// Vault Role. In vault, a role describes an identity with a set
+				// of permissions, groups, or policies you want to attach a user
+				// of the secrets engine
+				vaultRole: string
+			}
+
+			// Jwt authenticates with Vault by passing role and JWT token
+			// using the
+			// JWT/OIDC authentication method
+			jwt?: {
+				// Optional ServiceAccountToken specifies the Kubernetes service
+				// account for which to request
+				// a token for with the `TokenRequest` API.
+				kubernetesServiceAccountToken?: {
+					// Optional audiences field that will be used to request a
+					// temporary Kubernetes service
+					// account token for the service account referenced by
+					// `serviceAccountRef`.
+					// Defaults to a single audience `vault` it not specified.
+					// Deprecated: use serviceAccountRef.Audiences instead
+					audiences?: [...string]
+
+					// Optional expiration time in seconds that will be used to
+					// request a temporary
+					// Kubernetes service account token for the service account
+					// referenced by
+					// `serviceAccountRef`.
+					// Deprecated: this will be removed in the future.
+					// Defaults to 10 minutes.
+					expirationSeconds?: int
+
+					// Service account field containing the name of a kubernetes
+					// ServiceAccount.
+					serviceAccountRef: {
+						// Audience specifies the `aud` claim for the service account
+						// token
+						// If the service account uses a well-known annotation for e.g.
+						// IRSA or GCP Workload Identity
+						// then this audiences will be appended to the list
+						audiences?: [...string]
+
+						// The name of the ServiceAccount resource being referred to.
+						name: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+				}
+
+				// Path where the JWT authentication backend is mounted
+				// in Vault, e.g: "jwt"
+				path: string | *"jwt"
+
+				// Role is a JWT role to authenticate using the JWT/OIDC Vault
+				// authentication method
+				role?: string
+
+				// Optional SecretRef that refers to a key in a Secret resource
+				// containing JWT token to
+				// authenticate with Vault using the JWT/OIDC authentication
+				// method.
+				secretRef?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+			}
+
+			// Kubernetes authenticates with Vault by passing the
+			// ServiceAccount
+			// token stored in the named Secret resource to the Vault server.
+			kubernetes?: {
+				// Path where the Kubernetes authentication backend is mounted in
+				// Vault, e.g:
+				// "kubernetes"
+				mountPath: string | *"kubernetes"
+
+				// A required field containing the Vault Role to assume. A Role
+				// binds a
+				// Kubernetes ServiceAccount with a set of Vault policies.
+				role: string
+
+				// Optional secret field containing a Kubernetes ServiceAccount
+				// JWT used
+				// for authenticating with Vault. If a name is specified without a
+				// key,
+				// `token` is the default. If one is not specified, the one bound
+				// to
+				// the controller will be used.
+				secretRef?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+
+				// Optional service account field containing the name of a
+				// kubernetes ServiceAccount.
+				// If the service account is specified, the service account secret
+				// token JWT will be used
+				// for authenticating with Vault. If the service account selector
+				// is not supplied,
+				// the secretRef will be used instead.
+				serviceAccountRef?: {
+					// Audience specifies the `aud` claim for the service account
+					// token
+					// If the service account uses a well-known annotation for e.g.
+					// IRSA or GCP Workload Identity
+					// then this audiences will be appended to the list
+					audiences?: [...string]
+
+					// The name of the ServiceAccount resource being referred to.
+					name: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+			}
+
+			// Ldap authenticates with Vault by passing username/password pair
+			// using
+			// the LDAP authentication method
+			ldap?: {
+				// Path where the LDAP authentication backend is mounted
+				// in Vault, e.g: "ldap"
+				path: string | *"ldap"
+
+				// SecretRef to a key in a Secret resource containing password for
+				// the LDAP
+				// user used to authenticate with Vault using the LDAP
+				// authentication
+				// method
+				secretRef?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+
+				// Username is a LDAP user name used to authenticate using the
+				// LDAP Vault
+				// authentication method
+				username: string
+			}
+
+			// TokenSecretRef authenticates with Vault by presenting a token.
+			tokenSecretRef?: {
+				// The key of the entry in the Secret resource's `data` field to
+				// be used. Some instances of this field may be
+				// defaulted, in others it may be required.
+				key?: string
+
+				// The name of the Secret resource being referred to.
+				name?: string
+
+				// Namespace of the resource being referred to. Ignored if
+				// referent is not cluster-scoped. cluster-scoped defaults
+				// to the namespace of the referent.
+				namespace?: string
+			}
+
+			// UserPass authenticates with Vault by passing username/password
+			// pair
+			userPass?: {
+				// Path where the UserPassword authentication backend is mounted
+				// in Vault, e.g: "user"
+				path: string | *"user"
+
+				// SecretRef to a key in a Secret resource containing password for
+				// the
+				// user used to authenticate with Vault using the UserPass
+				// authentication
+				// method
+				secretRef?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+
+				// Username is a user name used to authenticate using the UserPass
+				// Vault
+				// authentication method
+				username: string
+			}
+		}
+
+		// PEM encoded CA bundle used to validate Vault server
+		// certificate. Only used
+		// if the Server URL is using HTTPS protocol. This parameter is
+		// ignored for
+		// plain HTTP protocol connection. If not set the system root
+		// certificates
+		// are used to validate the TLS connection.
+		caBundle?: string
+
+		// The provider for the CA bundle to use to validate Vault server
+		// certificate.
+		caProvider?: {
+			// The key where the CA certificate can be found in the Secret or
+			// ConfigMap.
+			key?: string
+
+			// The name of the object located at the provider type.
+			name: string
+
+			// The namespace the Provider type is in.
+			// Can only be defined when used in a ClusterSecretStore.
+			namespace?: string
+
+			// The type of provider to use such as "Secret", or "ConfigMap".
+			type: "Secret" | "ConfigMap"
+		}
+
+		// ForwardInconsistent tells Vault to forward read-after-write
+		// requests to the Vault
+		// leader instead of simply retrying within a loop. This can
+		// increase performance if
+		// the option is enabled serverside.
+		// https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
+		forwardInconsistent?: bool
+
+		// Name of the vault namespace. Namespaces is a set of features
+		// within Vault Enterprise that allows
+		// Vault environments to support Secure Multi-tenancy. e.g: "ns1".
+		// More about namespaces can be found here
+		// https://www.vaultproject.io/docs/enterprise/namespaces
+		namespace?: string
+
+		// Path is the mount path of the Vault KV backend endpoint, e.g:
+		// "secret". The v2 KV secret engine version specific "/data" path
+		// suffix
+		// for fetching secrets from Vault is optional and will be
+		// appended
+		// if not present in specified path.
+		path?: string
+
+		// ReadYourWrites ensures isolated read-after-write semantics by
+		// providing discovered cluster replication states in each
+		// request.
+		// More information about eventual consistency in Vault can be
+		// found here
+		// https://www.vaultproject.io/docs/enterprise/consistency
+		readYourWrites?: bool
+
+		// Server is the connection address for the Vault server, e.g:
+		// "https://vault.example.com:8200".
+		server: string
+
+		// The configuration used for client side related TLS
+		// communication, when the Vault server
+		// requires mutual authentication. Only used if the Server URL is
+		// using HTTPS protocol.
+		// This parameter is ignored for plain HTTP protocol connection.
+		// It's worth noting this configuration is different from the "TLS
+		// certificates auth method",
+		// which is available under the `auth.cert` section.
+		tls?: {
+			// CertSecretRef is a certificate added to the transport layer
+			// when communicating with the Vault server.
+			// If no key for the Secret is specified, external-secret will
+			// default to 'tls.crt'.
+			certSecretRef?: {
+				// The key of the entry in the Secret resource's `data` field to
+				// be used. Some instances of this field may be
+				// defaulted, in others it may be required.
+				key?: string
+
+				// The name of the Secret resource being referred to.
+				name?: string
+
+				// Namespace of the resource being referred to. Ignored if
+				// referent is not cluster-scoped. cluster-scoped defaults
+				// to the namespace of the referent.
+				namespace?: string
+			}
+
+			// KeySecretRef to a key in a Secret resource containing client
+			// private key
+			// added to the transport layer when communicating with the Vault
+			// server.
+			// If no key for the Secret is specified, external-secret will
+			// default to 'tls.key'.
+			keySecretRef?: {
+				// The key of the entry in the Secret resource's `data` field to
+				// be used. Some instances of this field may be
+				// defaulted, in others it may be required.
+				key?: string
+
+				// The name of the Secret resource being referred to.
+				name?: string
+
+				// Namespace of the resource being referred to. Ignored if
+				// referent is not cluster-scoped. cluster-scoped defaults
+				// to the namespace of the referent.
+				namespace?: string
+			}
+		}
+
+		// Version is the Vault KV secret engine version. This can be
+		// either "v1" or
+		// "v2". Version defaults to "v2".
+		version?: "v1" | "v2" | *"v2"
+	}
+
+	// Result type defines which data is returned from the generator.
+	// By default it is the "data" section of the Vault API response.
+	// When using e.g. /auth/token/create the "data" section is empty
+	// but
+	// the "auth" section contains the generated token.
+	// Please refer to the vault docs regarding the result data
+	// structure.
+	resultType?: "Data" | "Auth" | *"Data"
+}

docs/examples/cue.mod/gen/helm.toolkit.fluxcd.io/helmrelease/v2beta1/types_gen.cue

@@ -0,0 +1,692 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v2beta1
+
+import "strings"
+
+// HelmRelease is the Schema for the helmreleases API
+#HelmRelease: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "helm.toolkit.fluxcd.io/v2beta1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "HelmRelease"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// HelmReleaseSpec defines the desired state of a Helm release.
+	spec!: #HelmReleaseSpec
+}
+
+// HelmReleaseSpec defines the desired state of a Helm release.
+#HelmReleaseSpec: {
+	// Chart defines the template of the v1beta2.HelmChart that should
+	// be created for this HelmRelease.
+	chart: {
+		// ObjectMeta holds the template for metadata like labels and
+		// annotations.
+		metadata?: {
+			// Annotations is an unstructured key value map stored with a
+			// resource that may be set by external tools to store and
+			// retrieve arbitrary metadata. They are not queryable and should
+			// be preserved when modifying objects. More info:
+			// https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+			annotations?: {
+				[string]: string
+			}
+
+			// Map of string keys and values that can be used to organize and
+			// categorize (scope and select) objects. More info:
+			// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+			labels?: {
+				[string]: string
+			}
+		}
+
+		// Spec holds the template for the v1beta2.HelmChartSpec for this
+		// HelmRelease.
+		spec: {
+			// The name or path the Helm chart is available at in the
+			// SourceRef.
+			chart: string
+
+			// Interval at which to check the v1beta2.Source for updates.
+			// Defaults to 'HelmReleaseSpec.Interval'.
+			interval?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+
+			// Determines what enables the creation of a new artifact. Valid
+			// values are ('ChartVersion', 'Revision'). See the documentation
+			// of the values for an explanation on their behavior. Defaults
+			// to ChartVersion when omitted.
+			reconcileStrategy?: "ChartVersion" | "Revision" | *"ChartVersion"
+
+			// The name and namespace of the v1beta2.Source the chart is
+			// available at.
+			sourceRef: {
+				// APIVersion of the referent.
+				apiVersion?: string
+
+				// Kind of the referent.
+				kind?: "HelmRepository" | "GitRepository" | "Bucket"
+
+				// Name of the referent.
+				name: strings.MaxRunes(253) & strings.MinRunes(1)
+
+				// Namespace of the referent.
+				namespace?: strings.MaxRunes(63) & strings.MinRunes(1)
+			}
+
+			// Alternative values file to use as the default chart values,
+			// expected to be a relative path in the SourceRef. Deprecated in
+			// favor of ValuesFiles, for backwards compatibility the file
+			// defined here is merged before the ValuesFiles items. Ignored
+			// when omitted.
+			valuesFile?: string
+
+			// Alternative list of values files to use as the chart values
+			// (values.yaml is not included by default), expected to be a
+			// relative path in the SourceRef. Values files are merged in the
+			// order of this list with the last file overriding the first.
+			// Ignored when omitted.
+			valuesFiles?: [...string]
+
+			// Verify contains the secret name containing the trusted public
+			// keys used to verify the signature and specifies which provider
+			// to use to check whether OCI image is authentic. This field is
+			// only supported for OCI sources. Chart dependencies, which are
+			// not bundled in the umbrella chart artifact, are not verified.
+			verify?: {
+				// Provider specifies the technology used to sign the OCI Helm
+				// chart.
+				provider: "cosign" | *"cosign"
+				secretRef?: {
+					// Name of the referent.
+					name: string
+				}
+			}
+
+			// Version semver expression, ignored for charts from
+			// v1beta2.GitRepository and v1beta2.Bucket sources. Defaults to
+			// latest when omitted.
+			version?: string | *"*"
+		}
+	}
+
+	// DependsOn may contain a meta.NamespacedObjectReference slice
+	// with references to HelmRelease resources that must be ready
+	// before this HelmRelease can be reconciled.
+	dependsOn?: [...{
+		// Name of the referent.
+		name: string
+
+		// Namespace of the referent, when not specified it acts as
+		// LocalObjectReference.
+		namespace?: string
+	}]
+
+	// DriftDetection holds the configuration for detecting and
+	// handling differences between the manifest in the Helm storage
+	// and the resources currently existing in the cluster.
+	// Note: this field is provisional to the v2beta2 API, and not
+	// actively used by v2beta1 HelmReleases.
+	driftDetection?: {
+		// Ignore contains a list of rules for specifying which changes to
+		// ignore during diffing.
+		ignore?: [...{
+			// Paths is a list of JSON Pointer (RFC 6901) paths to be excluded
+			// from consideration in a Kubernetes object.
+			paths: [...string]
+
+			// Target is a selector for specifying Kubernetes objects to which
+			// this rule applies. If Target is not set, the Paths will be
+			// ignored for all Kubernetes objects within the manifest of the
+			// Helm release.
+			target?: {
+				// AnnotationSelector is a string that follows the label selection
+				// expression
+				// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+				// It matches with the resource annotations.
+				annotationSelector?: string
+
+				// Group is the API group to select resources from. Together with
+				// Version and Kind it is capable of unambiguously identifying
+				// and/or selecting resources.
+				// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+				group?: string
+
+				// Kind of the API Group to select resources from. Together with
+				// Group and Version it is capable of unambiguously identifying
+				// and/or selecting resources.
+				// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+				kind?: string
+
+				// LabelSelector is a string that follows the label selection
+				// expression
+				// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+				// It matches with the resource labels.
+				labelSelector?: string
+
+				// Name to match resources with.
+				name?: string
+
+				// Namespace to select resources from.
+				namespace?: string
+
+				// Version of the API Group to select resources from. Together
+				// with Group and Kind it is capable of unambiguously identifying
+				// and/or selecting resources.
+				// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+				version?: string
+			}
+		}]
+
+		// Mode defines how differences should be handled between the Helm
+		// manifest and the manifest currently applied to the cluster. If
+		// not explicitly set, it defaults to DiffModeDisabled.
+		mode?: "enabled" | "warn" | "disabled"
+	}
+
+	// Install holds the configuration for Helm install actions for
+	// this HelmRelease.
+	install?: {
+		// CRDs upgrade CRDs from the Helm Chart's crds directory
+		// according to the CRD upgrade policy provided here. Valid
+		// values are `Skip`, `Create` or `CreateReplace`. Default is
+		// `Create` and if omitted CRDs are installed but not updated.
+		// Skip: do neither install nor replace (update) any CRDs.
+		// Create: new CRDs are created, existing CRDs are neither updated
+		// nor deleted.
+		// CreateReplace: new CRDs are created, existing CRDs are updated
+		// (replaced) but not deleted.
+		// By default, CRDs are applied (installed) during Helm install
+		// action. With this option users can opt-in to CRD replace
+		// existing CRDs on Helm install actions, which is not (yet)
+		// natively supported by Helm.
+		// https://helm.sh/docs/chart_best_practices/custom_resource_definitions.
+		crds?: "Skip" | "Create" | "CreateReplace"
+
+		// CreateNamespace tells the Helm install action to create the
+		// HelmReleaseSpec.TargetNamespace if it does not exist yet. On
+		// uninstall, the namespace will not be garbage collected.
+		createNamespace?: bool
+
+		// DisableHooks prevents hooks from running during the Helm
+		// install action.
+		disableHooks?: bool
+
+		// DisableOpenAPIValidation prevents the Helm install action from
+		// validating rendered templates against the Kubernetes OpenAPI
+		// Schema.
+		disableOpenAPIValidation?: bool
+
+		// DisableWait disables the waiting for resources to be ready
+		// after a Helm install has been performed.
+		disableWait?: bool
+
+		// DisableWaitForJobs disables waiting for jobs to complete after
+		// a Helm install has been performed.
+		disableWaitForJobs?: bool
+
+		// Remediation holds the remediation configuration for when the
+		// Helm install action for the HelmRelease fails. The default is
+		// to not perform any action.
+		remediation?: {
+			// IgnoreTestFailures tells the controller to skip remediation
+			// when the Helm tests are run after an install action but fail.
+			// Defaults to 'Test.IgnoreFailures'.
+			ignoreTestFailures?: bool
+
+			// RemediateLastFailure tells the controller to remediate the last
+			// failure, when no retries remain. Defaults to 'false'.
+			remediateLastFailure?: bool
+
+			// Retries is the number of retries that should be attempted on
+			// failures before bailing. Remediation, using an uninstall, is
+			// performed between each attempt. Defaults to '0', a negative
+			// integer equals to unlimited retries.
+			retries?: int
+		}
+
+		// Replace tells the Helm install action to re-use the
+		// 'ReleaseName', but only if that name is a deleted release
+		// which remains in the history.
+		replace?: bool
+
+		// SkipCRDs tells the Helm install action to not install any CRDs.
+		// By default, CRDs are installed if not already present.
+		// Deprecated use CRD policy (`crds`) attribute with value `Skip`
+		// instead.
+		skipCRDs?: bool
+
+		// Timeout is the time to wait for any individual Kubernetes
+		// operation (like Jobs for hooks) during the performance of a
+		// Helm install action. Defaults to 'HelmReleaseSpec.Timeout'.
+		timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	}
+
+	// Interval at which to reconcile the Helm release. This interval
+	// is approximate and may be subject to jitter to ensure
+	// efficient use of resources.
+	interval: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	kubeConfig?: {
+		// SecretRef holds the name of a secret that contains a key with
+		// the kubeconfig file as the value. If no key is set, the key
+		// will default to 'value'. It is recommended that the kubeconfig
+		// is self-contained, and the secret is regularly updated if
+		// credentials such as a cloud-access-token expire. Cloud
+		// specific `cmd-path` auth helpers will not function without
+		// adding binaries and credentials to the Pod that is responsible
+		// for reconciling Kubernetes resources.
+		secretRef: {
+			// Key in the Secret, when not specified an
+			// implementation-specific default key is used.
+			key?: string
+
+			// Name of the Secret.
+			name: string
+		}
+	}
+
+	// MaxHistory is the number of revisions saved by Helm for this
+	// HelmRelease. Use '0' for an unlimited number of revisions;
+	// defaults to '10'.
+	maxHistory?: int
+
+	// PersistentClient tells the controller to use a persistent
+	// Kubernetes client for this release. When enabled, the client
+	// will be reused for the duration of the reconciliation, instead
+	// of being created and destroyed for each (step of a) Helm
+	// action.
+	// This can improve performance, but may cause issues with some
+	// Helm charts that for example do create Custom Resource
+	// Definitions during installation outside Helm's CRD lifecycle
+	// hooks, which are then not observed to be available by e.g.
+	// post-install hooks.
+	// If not set, it defaults to true.
+	persistentClient?: bool
+
+	// PostRenderers holds an array of Helm PostRenderers, which will
+	// be applied in order of their definition.
+	postRenderers?: [...{
+		// Kustomization to apply as PostRenderer.
+		kustomize?: {
+			// Images is a list of (image name, new name, new tag or digest)
+			// for changing image names, tags or digests. This can also be
+			// achieved with a patch, but this operator is simpler to
+			// specify.
+			images?: [...{
+				// Digest is the value used to replace the original image tag. If
+				// digest is present NewTag value is ignored.
+				digest?: string
+
+				// Name is a tag-less image name.
+				name: string
+
+				// NewName is the value used to replace the original name.
+				newName?: string
+
+				// NewTag is the value used to replace the original tag.
+				newTag?: string
+			}]
+
+			// Strategic merge and JSON patches, defined as inline YAML
+			// objects, capable of targeting objects based on kind, label and
+			// annotation selectors.
+			patches?: [...{
+				// Patch contains an inline StrategicMerge patch or an inline
+				// JSON6902 patch with an array of operation objects.
+				patch: string
+
+				// Target points to the resources that the patch document should
+				// be applied to.
+				target?: {
+					// AnnotationSelector is a string that follows the label selection
+					// expression
+					// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+					// It matches with the resource annotations.
+					annotationSelector?: string
+
+					// Group is the API group to select resources from. Together with
+					// Version and Kind it is capable of unambiguously identifying
+					// and/or selecting resources.
+					// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+					group?: string
+
+					// Kind of the API Group to select resources from. Together with
+					// Group and Version it is capable of unambiguously identifying
+					// and/or selecting resources.
+					// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+					kind?: string
+
+					// LabelSelector is a string that follows the label selection
+					// expression
+					// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+					// It matches with the resource labels.
+					labelSelector?: string
+
+					// Name to match resources with.
+					name?: string
+
+					// Namespace to select resources from.
+					namespace?: string
+
+					// Version of the API Group to select resources from. Together
+					// with Group and Kind it is capable of unambiguously identifying
+					// and/or selecting resources.
+					// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+					version?: string
+				}
+			}]
+
+			// JSON 6902 patches, defined as inline YAML objects.
+			patchesJson6902?: [...{
+				// Patch contains the JSON6902 patch document with an array of
+				// operation objects.
+				patch: [...{
+					// From contains a JSON-pointer value that references a location
+					// within the target document where the operation is performed.
+					// The meaning of the value depends on the value of Op, and is
+					// NOT taken into account by all operations.
+					from?: string
+
+					// Op indicates the operation to perform. Its value MUST be one of
+					// "add", "remove", "replace", "move", "copy", or "test".
+					// https://datatracker.ietf.org/doc/html/rfc6902#section-4
+					op: "test" | "remove" | "add" | "replace" | "move" | "copy"
+
+					// Path contains the JSON-pointer value that references a location
+					// within the target document where the operation is performed.
+					// The meaning of the value depends on the value of Op.
+					path: string
+
+					// Value contains a valid JSON structure. The meaning of the value
+					// depends on the value of Op, and is NOT taken into account by
+					// all operations.
+					value?: _
+				}]
+
+				// Target points to the resources that the patch document should
+				// be applied to.
+				target: {
+					// AnnotationSelector is a string that follows the label selection
+					// expression
+					// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+					// It matches with the resource annotations.
+					annotationSelector?: string
+
+					// Group is the API group to select resources from. Together with
+					// Version and Kind it is capable of unambiguously identifying
+					// and/or selecting resources.
+					// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+					group?: string
+
+					// Kind of the API Group to select resources from. Together with
+					// Group and Version it is capable of unambiguously identifying
+					// and/or selecting resources.
+					// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+					kind?: string
+
+					// LabelSelector is a string that follows the label selection
+					// expression
+					// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+					// It matches with the resource labels.
+					labelSelector?: string
+
+					// Name to match resources with.
+					name?: string
+
+					// Namespace to select resources from.
+					namespace?: string
+
+					// Version of the API Group to select resources from. Together
+					// with Group and Kind it is capable of unambiguously identifying
+					// and/or selecting resources.
+					// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+					version?: string
+				}
+			}]
+
+			// Strategic merge patches, defined as inline YAML objects.
+			patchesStrategicMerge?: [...]
+		}
+	}]
+
+	// ReleaseName used for the Helm release. Defaults to a
+	// composition of '[TargetNamespace-]Name'.
+	releaseName?: strings.MaxRunes(53) & strings.MinRunes(1)
+
+	// Rollback holds the configuration for Helm rollback actions for
+	// this HelmRelease.
+	rollback?: {
+		// CleanupOnFail allows deletion of new resources created during
+		// the Helm rollback action when it fails.
+		cleanupOnFail?: bool
+
+		// DisableHooks prevents hooks from running during the Helm
+		// rollback action.
+		disableHooks?: bool
+
+		// DisableWait disables the waiting for resources to be ready
+		// after a Helm rollback has been performed.
+		disableWait?: bool
+
+		// DisableWaitForJobs disables waiting for jobs to complete after
+		// a Helm rollback has been performed.
+		disableWaitForJobs?: bool
+
+		// Force forces resource updates through a replacement strategy.
+		force?: bool
+
+		// Recreate performs pod restarts for the resource if applicable.
+		recreate?: bool
+
+		// Timeout is the time to wait for any individual Kubernetes
+		// operation (like Jobs for hooks) during the performance of a
+		// Helm rollback action. Defaults to 'HelmReleaseSpec.Timeout'.
+		timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	}
+
+	// The name of the Kubernetes service account to impersonate when
+	// reconciling this HelmRelease.
+	serviceAccountName?: string
+
+	// StorageNamespace used for the Helm storage. Defaults to the
+	// namespace of the HelmRelease.
+	storageNamespace?: strings.MaxRunes(63) & strings.MinRunes(1)
+
+	// Suspend tells the controller to suspend reconciliation for this
+	// HelmRelease, it does not apply to already started
+	// reconciliations. Defaults to false.
+	suspend?: bool
+
+	// TargetNamespace to target when performing operations for the
+	// HelmRelease. Defaults to the namespace of the HelmRelease.
+	targetNamespace?: strings.MaxRunes(63) & strings.MinRunes(1)
+
+	// Test holds the configuration for Helm test actions for this
+	// HelmRelease.
+	test?: {
+		// Enable enables Helm test actions for this HelmRelease after an
+		// Helm install or upgrade action has been performed.
+		enable?: bool
+
+		// IgnoreFailures tells the controller to skip remediation when
+		// the Helm tests are run but fail. Can be overwritten for tests
+		// run after install or upgrade actions in
+		// 'Install.IgnoreTestFailures' and 'Upgrade.IgnoreTestFailures'.
+		ignoreFailures?: bool
+
+		// Timeout is the time to wait for any individual Kubernetes
+		// operation during the performance of a Helm test action.
+		// Defaults to 'HelmReleaseSpec.Timeout'.
+		timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	}
+
+	// Timeout is the time to wait for any individual Kubernetes
+	// operation (like Jobs for hooks) during the performance of a
+	// Helm action. Defaults to '5m0s'.
+	timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+
+	// Uninstall holds the configuration for Helm uninstall actions
+	// for this HelmRelease.
+	uninstall?: {
+		// DeletionPropagation specifies the deletion propagation policy
+		// when a Helm uninstall is performed.
+		deletionPropagation?: "background" | "foreground" | "orphan" | *"background"
+
+		// DisableHooks prevents hooks from running during the Helm
+		// rollback action.
+		disableHooks?: bool
+
+		// DisableWait disables waiting for all the resources to be
+		// deleted after a Helm uninstall is performed.
+		disableWait?: bool
+
+		// KeepHistory tells Helm to remove all associated resources and
+		// mark the release as deleted, but retain the release history.
+		keepHistory?: bool
+
+		// Timeout is the time to wait for any individual Kubernetes
+		// operation (like Jobs for hooks) during the performance of a
+		// Helm uninstall action. Defaults to 'HelmReleaseSpec.Timeout'.
+		timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	}
+
+	// Upgrade holds the configuration for Helm upgrade actions for
+	// this HelmRelease.
+	upgrade?: {
+		// CleanupOnFail allows deletion of new resources created during
+		// the Helm upgrade action when it fails.
+		cleanupOnFail?: bool
+
+		// CRDs upgrade CRDs from the Helm Chart's crds directory
+		// according to the CRD upgrade policy provided here. Valid
+		// values are `Skip`, `Create` or `CreateReplace`. Default is
+		// `Skip` and if omitted CRDs are neither installed nor upgraded.
+		// Skip: do neither install nor replace (update) any CRDs.
+		// Create: new CRDs are created, existing CRDs are neither updated
+		// nor deleted.
+		// CreateReplace: new CRDs are created, existing CRDs are updated
+		// (replaced) but not deleted.
+		// By default, CRDs are not applied during Helm upgrade action.
+		// With this option users can opt-in to CRD upgrade, which is not
+		// (yet) natively supported by Helm.
+		// https://helm.sh/docs/chart_best_practices/custom_resource_definitions.
+		crds?: "Skip" | "Create" | "CreateReplace"
+
+		// DisableHooks prevents hooks from running during the Helm
+		// upgrade action.
+		disableHooks?: bool
+
+		// DisableOpenAPIValidation prevents the Helm upgrade action from
+		// validating rendered templates against the Kubernetes OpenAPI
+		// Schema.
+		disableOpenAPIValidation?: bool
+
+		// DisableWait disables the waiting for resources to be ready
+		// after a Helm upgrade has been performed.
+		disableWait?: bool
+
+		// DisableWaitForJobs disables waiting for jobs to complete after
+		// a Helm upgrade has been performed.
+		disableWaitForJobs?: bool
+
+		// Force forces resource updates through a replacement strategy.
+		force?: bool
+
+		// PreserveValues will make Helm reuse the last release's values
+		// and merge in overrides from 'Values'. Setting this flag makes
+		// the HelmRelease non-declarative.
+		preserveValues?: bool
+
+		// Remediation holds the remediation configuration for when the
+		// Helm upgrade action for the HelmRelease fails. The default is
+		// to not perform any action.
+		remediation?: {
+			// IgnoreTestFailures tells the controller to skip remediation
+			// when the Helm tests are run after an upgrade action but fail.
+			// Defaults to 'Test.IgnoreFailures'.
+			ignoreTestFailures?: bool
+
+			// RemediateLastFailure tells the controller to remediate the last
+			// failure, when no retries remain. Defaults to 'false' unless
+			// 'Retries' is greater than 0.
+			remediateLastFailure?: bool
+
+			// Retries is the number of retries that should be attempted on
+			// failures before bailing. Remediation, using 'Strategy', is
+			// performed between each attempt. Defaults to '0', a negative
+			// integer equals to unlimited retries.
+			retries?: int
+
+			// Strategy to use for failure remediation. Defaults to
+			// 'rollback'.
+			strategy?: "rollback" | "uninstall"
+		}
+
+		// Timeout is the time to wait for any individual Kubernetes
+		// operation (like Jobs for hooks) during the performance of a
+		// Helm upgrade action. Defaults to 'HelmReleaseSpec.Timeout'.
+		timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	}
+
+	// Values holds the values for this Helm release.
+	values?: _
+
+	// ValuesFrom holds references to resources containing Helm values
+	// for this HelmRelease, and information about how they should be
+	// merged.
+	valuesFrom?: [...{
+		// Kind of the values referent, valid values are ('Secret',
+		// 'ConfigMap').
+		kind: "Secret" | "ConfigMap"
+
+		// Name of the values referent. Should reside in the same
+		// namespace as the referring resource.
+		name: strings.MaxRunes(253) & strings.MinRunes(1)
+
+		// Optional marks this ValuesReference as optional. When set, a
+		// not found error for the values reference is ignored, but any
+		// ValuesKey, TargetPath or transient error will still result in
+		// a reconciliation failure.
+		optional?: bool
+
+		// TargetPath is the YAML dot notation path the value should be
+		// merged at. When set, the ValuesKey is expected to be a single
+		// flat value. Defaults to 'None', which results in the values
+		// getting merged at the root.
+		targetPath?: strings.MaxRunes(250) & {
+			=~"^([a-zA-Z0-9_\\-.\\\\\\/]|\\[[0-9]{1,5}\\])+$"
+		}
+
+		// ValuesKey is the data key where the values.yaml or a specific
+		// value can be found at. Defaults to 'values.yaml'. When set,
+		// must be a valid Data Key, consisting of alphanumeric
+		// characters, '-', '_' or '.'.
+		valuesKey?: strings.MaxRunes(253) & {
+			=~"^[\\-._a-zA-Z0-9]+$"
+		}
+	}]
+}

docs/examples/cue.mod/gen/helm.toolkit.fluxcd.io/helmrelease/v2beta2/types_gen.cue

@@ -0,0 +1,697 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v2beta2
+
+import "strings"
+
+// HelmRelease is the Schema for the helmreleases API
+#HelmRelease: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "helm.toolkit.fluxcd.io/v2beta2"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "HelmRelease"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// HelmReleaseSpec defines the desired state of a Helm release.
+	spec!: #HelmReleaseSpec
+}
+
+// HelmReleaseSpec defines the desired state of a Helm release.
+#HelmReleaseSpec: {
+	// Chart defines the template of the v1beta2.HelmChart that should
+	// be created for this HelmRelease.
+	chart: {
+		// ObjectMeta holds the template for metadata like labels and
+		// annotations.
+		metadata?: {
+			// Annotations is an unstructured key value map stored with a
+			// resource that may be set by external tools to store and
+			// retrieve arbitrary metadata. They are not queryable and should
+			// be preserved when modifying objects. More info:
+			// https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+			annotations?: {
+				[string]: string
+			}
+
+			// Map of string keys and values that can be used to organize and
+			// categorize (scope and select) objects. More info:
+			// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+			labels?: {
+				[string]: string
+			}
+		}
+
+		// Spec holds the template for the v1beta2.HelmChartSpec for this
+		// HelmRelease.
+		spec: {
+			// The name or path the Helm chart is available at in the
+			// SourceRef.
+			chart: strings.MaxRunes(2048) & strings.MinRunes(1)
+
+			// Interval at which to check the v1.Source for updates. Defaults
+			// to 'HelmReleaseSpec.Interval'.
+			interval?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+
+			// Determines what enables the creation of a new artifact. Valid
+			// values are ('ChartVersion', 'Revision'). See the documentation
+			// of the values for an explanation on their behavior. Defaults
+			// to ChartVersion when omitted.
+			reconcileStrategy?: "ChartVersion" | "Revision" | *"ChartVersion"
+
+			// The name and namespace of the v1.Source the chart is available
+			// at.
+			sourceRef: {
+				// APIVersion of the referent.
+				apiVersion?: string
+
+				// Kind of the referent.
+				kind?: "HelmRepository" | "GitRepository" | "Bucket"
+
+				// Name of the referent.
+				name: strings.MaxRunes(253) & strings.MinRunes(1)
+
+				// Namespace of the referent.
+				namespace?: strings.MaxRunes(63) & strings.MinRunes(1)
+			}
+
+			// Alternative values file to use as the default chart values,
+			// expected to be a relative path in the SourceRef. Deprecated in
+			// favor of ValuesFiles, for backwards compatibility the file
+			// defined here is merged before the ValuesFiles items. Ignored
+			// when omitted.
+			valuesFile?: string
+
+			// Alternative list of values files to use as the chart values
+			// (values.yaml is not included by default), expected to be a
+			// relative path in the SourceRef. Values files are merged in the
+			// order of this list with the last file overriding the first.
+			// Ignored when omitted.
+			valuesFiles?: [...string]
+
+			// Verify contains the secret name containing the trusted public
+			// keys used to verify the signature and specifies which provider
+			// to use to check whether OCI image is authentic. This field is
+			// only supported for OCI sources. Chart dependencies, which are
+			// not bundled in the umbrella chart artifact, are not verified.
+			verify?: {
+				// Provider specifies the technology used to sign the OCI Helm
+				// chart.
+				provider: "cosign" | *"cosign"
+				secretRef?: {
+					// Name of the referent.
+					name: string
+				}
+			}
+
+			// Version semver expression, ignored for charts from
+			// v1beta2.GitRepository and v1beta2.Bucket sources. Defaults to
+			// latest when omitted.
+			version?: string | *"*"
+		}
+	}
+
+	// DependsOn may contain a meta.NamespacedObjectReference slice
+	// with references to HelmRelease resources that must be ready
+	// before this HelmRelease can be reconciled.
+	dependsOn?: [...{
+		// Name of the referent.
+		name: string
+
+		// Namespace of the referent, when not specified it acts as
+		// LocalObjectReference.
+		namespace?: string
+	}]
+
+	// DriftDetection holds the configuration for detecting and
+	// handling differences between the manifest in the Helm storage
+	// and the resources currently existing in the cluster.
+	driftDetection?: {
+		// Ignore contains a list of rules for specifying which changes to
+		// ignore during diffing.
+		ignore?: [...{
+			// Paths is a list of JSON Pointer (RFC 6901) paths to be excluded
+			// from consideration in a Kubernetes object.
+			paths: [...string]
+
+			// Target is a selector for specifying Kubernetes objects to which
+			// this rule applies. If Target is not set, the Paths will be
+			// ignored for all Kubernetes objects within the manifest of the
+			// Helm release.
+			target?: {
+				// AnnotationSelector is a string that follows the label selection
+				// expression
+				// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+				// It matches with the resource annotations.
+				annotationSelector?: string
+
+				// Group is the API group to select resources from. Together with
+				// Version and Kind it is capable of unambiguously identifying
+				// and/or selecting resources.
+				// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+				group?: string
+
+				// Kind of the API Group to select resources from. Together with
+				// Group and Version it is capable of unambiguously identifying
+				// and/or selecting resources.
+				// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+				kind?: string
+
+				// LabelSelector is a string that follows the label selection
+				// expression
+				// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+				// It matches with the resource labels.
+				labelSelector?: string
+
+				// Name to match resources with.
+				name?: string
+
+				// Namespace to select resources from.
+				namespace?: string
+
+				// Version of the API Group to select resources from. Together
+				// with Group and Kind it is capable of unambiguously identifying
+				// and/or selecting resources.
+				// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+				version?: string
+			}
+		}]
+
+		// Mode defines how differences should be handled between the Helm
+		// manifest and the manifest currently applied to the cluster. If
+		// not explicitly set, it defaults to DiffModeDisabled.
+		mode?: "enabled" | "warn" | "disabled"
+	}
+
+	// Install holds the configuration for Helm install actions for
+	// this HelmRelease.
+	install?: {
+		// CRDs upgrade CRDs from the Helm Chart's crds directory
+		// according to the CRD upgrade policy provided here. Valid
+		// values are `Skip`, `Create` or `CreateReplace`. Default is
+		// `Create` and if omitted CRDs are installed but not updated.
+		// Skip: do neither install nor replace (update) any CRDs.
+		// Create: new CRDs are created, existing CRDs are neither updated
+		// nor deleted.
+		// CreateReplace: new CRDs are created, existing CRDs are updated
+		// (replaced) but not deleted.
+		// By default, CRDs are applied (installed) during Helm install
+		// action. With this option users can opt in to CRD replace
+		// existing CRDs on Helm install actions, which is not (yet)
+		// natively supported by Helm.
+		// https://helm.sh/docs/chart_best_practices/custom_resource_definitions.
+		crds?: "Skip" | "Create" | "CreateReplace"
+
+		// CreateNamespace tells the Helm install action to create the
+		// HelmReleaseSpec.TargetNamespace if it does not exist yet. On
+		// uninstall, the namespace will not be garbage collected.
+		createNamespace?: bool
+
+		// DisableHooks prevents hooks from running during the Helm
+		// install action.
+		disableHooks?: bool
+
+		// DisableOpenAPIValidation prevents the Helm install action from
+		// validating rendered templates against the Kubernetes OpenAPI
+		// Schema.
+		disableOpenAPIValidation?: bool
+
+		// DisableWait disables the waiting for resources to be ready
+		// after a Helm install has been performed.
+		disableWait?: bool
+
+		// DisableWaitForJobs disables waiting for jobs to complete after
+		// a Helm install has been performed.
+		disableWaitForJobs?: bool
+
+		// Remediation holds the remediation configuration for when the
+		// Helm install action for the HelmRelease fails. The default is
+		// to not perform any action.
+		remediation?: {
+			// IgnoreTestFailures tells the controller to skip remediation
+			// when the Helm tests are run after an install action but fail.
+			// Defaults to 'Test.IgnoreFailures'.
+			ignoreTestFailures?: bool
+
+			// RemediateLastFailure tells the controller to remediate the last
+			// failure, when no retries remain. Defaults to 'false'.
+			remediateLastFailure?: bool
+
+			// Retries is the number of retries that should be attempted on
+			// failures before bailing. Remediation, using an uninstall, is
+			// performed between each attempt. Defaults to '0', a negative
+			// integer equals to unlimited retries.
+			retries?: int
+		}
+
+		// Replace tells the Helm install action to re-use the
+		// 'ReleaseName', but only if that name is a deleted release
+		// which remains in the history.
+		replace?: bool
+
+		// SkipCRDs tells the Helm install action to not install any CRDs.
+		// By default, CRDs are installed if not already present.
+		// Deprecated use CRD policy (`crds`) attribute with value `Skip`
+		// instead.
+		skipCRDs?: bool
+
+		// Timeout is the time to wait for any individual Kubernetes
+		// operation (like Jobs for hooks) during the performance of a
+		// Helm install action. Defaults to 'HelmReleaseSpec.Timeout'.
+		timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	}
+
+	// Interval at which to reconcile the Helm release.
+	interval: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	kubeConfig?: {
+		// SecretRef holds the name of a secret that contains a key with
+		// the kubeconfig file as the value. If no key is set, the key
+		// will default to 'value'. It is recommended that the kubeconfig
+		// is self-contained, and the secret is regularly updated if
+		// credentials such as a cloud-access-token expire. Cloud
+		// specific `cmd-path` auth helpers will not function without
+		// adding binaries and credentials to the Pod that is responsible
+		// for reconciling Kubernetes resources.
+		secretRef: {
+			// Key in the Secret, when not specified an
+			// implementation-specific default key is used.
+			key?: string
+
+			// Name of the Secret.
+			name: string
+		}
+	}
+
+	// MaxHistory is the number of revisions saved by Helm for this
+	// HelmRelease. Use '0' for an unlimited number of revisions;
+	// defaults to '5'.
+	maxHistory?: int
+
+	// PersistentClient tells the controller to use a persistent
+	// Kubernetes client for this release. When enabled, the client
+	// will be reused for the duration of the reconciliation, instead
+	// of being created and destroyed for each (step of a) Helm
+	// action.
+	// This can improve performance, but may cause issues with some
+	// Helm charts that for example do create Custom Resource
+	// Definitions during installation outside Helm's CRD lifecycle
+	// hooks, which are then not observed to be available by e.g.
+	// post-install hooks.
+	// If not set, it defaults to true.
+	persistentClient?: bool
+
+	// PostRenderers holds an array of Helm PostRenderers, which will
+	// be applied in order of their definition.
+	postRenderers?: [...{
+		// Kustomization to apply as PostRenderer.
+		kustomize?: {
+			// Images is a list of (image name, new name, new tag or digest)
+			// for changing image names, tags or digests. This can also be
+			// achieved with a patch, but this operator is simpler to
+			// specify.
+			images?: [...{
+				// Digest is the value used to replace the original image tag. If
+				// digest is present NewTag value is ignored.
+				digest?: string
+
+				// Name is a tag-less image name.
+				name: string
+
+				// NewName is the value used to replace the original name.
+				newName?: string
+
+				// NewTag is the value used to replace the original tag.
+				newTag?: string
+			}]
+
+			// Strategic merge and JSON patches, defined as inline YAML
+			// objects, capable of targeting objects based on kind, label and
+			// annotation selectors.
+			patches?: [...{
+				// Patch contains an inline StrategicMerge patch or an inline
+				// JSON6902 patch with an array of operation objects.
+				patch: string
+
+				// Target points to the resources that the patch document should
+				// be applied to.
+				target?: {
+					// AnnotationSelector is a string that follows the label selection
+					// expression
+					// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+					// It matches with the resource annotations.
+					annotationSelector?: string
+
+					// Group is the API group to select resources from. Together with
+					// Version and Kind it is capable of unambiguously identifying
+					// and/or selecting resources.
+					// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+					group?: string
+
+					// Kind of the API Group to select resources from. Together with
+					// Group and Version it is capable of unambiguously identifying
+					// and/or selecting resources.
+					// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+					kind?: string
+
+					// LabelSelector is a string that follows the label selection
+					// expression
+					// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+					// It matches with the resource labels.
+					labelSelector?: string
+
+					// Name to match resources with.
+					name?: string
+
+					// Namespace to select resources from.
+					namespace?: string
+
+					// Version of the API Group to select resources from. Together
+					// with Group and Kind it is capable of unambiguously identifying
+					// and/or selecting resources.
+					// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+					version?: string
+				}
+			}]
+
+			// JSON 6902 patches, defined as inline YAML objects. Deprecated:
+			// use Patches instead.
+			patchesJson6902?: [...{
+				// Patch contains the JSON6902 patch document with an array of
+				// operation objects.
+				patch: [...{
+					// From contains a JSON-pointer value that references a location
+					// within the target document where the operation is performed.
+					// The meaning of the value depends on the value of Op, and is
+					// NOT taken into account by all operations.
+					from?: string
+
+					// Op indicates the operation to perform. Its value MUST be one of
+					// "add", "remove", "replace", "move", "copy", or "test".
+					// https://datatracker.ietf.org/doc/html/rfc6902#section-4
+					op: "test" | "remove" | "add" | "replace" | "move" | "copy"
+
+					// Path contains the JSON-pointer value that references a location
+					// within the target document where the operation is performed.
+					// The meaning of the value depends on the value of Op.
+					path: string
+
+					// Value contains a valid JSON structure. The meaning of the value
+					// depends on the value of Op, and is NOT taken into account by
+					// all operations.
+					value?: _
+				}]
+
+				// Target points to the resources that the patch document should
+				// be applied to.
+				target: {
+					// AnnotationSelector is a string that follows the label selection
+					// expression
+					// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+					// It matches with the resource annotations.
+					annotationSelector?: string
+
+					// Group is the API group to select resources from. Together with
+					// Version and Kind it is capable of unambiguously identifying
+					// and/or selecting resources.
+					// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+					group?: string
+
+					// Kind of the API Group to select resources from. Together with
+					// Group and Version it is capable of unambiguously identifying
+					// and/or selecting resources.
+					// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+					kind?: string
+
+					// LabelSelector is a string that follows the label selection
+					// expression
+					// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+					// It matches with the resource labels.
+					labelSelector?: string
+
+					// Name to match resources with.
+					name?: string
+
+					// Namespace to select resources from.
+					namespace?: string
+
+					// Version of the API Group to select resources from. Together
+					// with Group and Kind it is capable of unambiguously identifying
+					// and/or selecting resources.
+					// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+					version?: string
+				}
+			}]
+
+			// Strategic merge patches, defined as inline YAML objects.
+			// Deprecated: use Patches instead.
+			patchesStrategicMerge?: [...]
+		}
+	}]
+
+	// ReleaseName used for the Helm release. Defaults to a
+	// composition of '[TargetNamespace-]Name'.
+	releaseName?: strings.MaxRunes(53) & strings.MinRunes(1)
+
+	// Rollback holds the configuration for Helm rollback actions for
+	// this HelmRelease.
+	rollback?: {
+		// CleanupOnFail allows deletion of new resources created during
+		// the Helm rollback action when it fails.
+		cleanupOnFail?: bool
+
+		// DisableHooks prevents hooks from running during the Helm
+		// rollback action.
+		disableHooks?: bool
+
+		// DisableWait disables the waiting for resources to be ready
+		// after a Helm rollback has been performed.
+		disableWait?: bool
+
+		// DisableWaitForJobs disables waiting for jobs to complete after
+		// a Helm rollback has been performed.
+		disableWaitForJobs?: bool
+
+		// Force forces resource updates through a replacement strategy.
+		force?: bool
+
+		// Recreate performs pod restarts for the resource if applicable.
+		recreate?: bool
+
+		// Timeout is the time to wait for any individual Kubernetes
+		// operation (like Jobs for hooks) during the performance of a
+		// Helm rollback action. Defaults to 'HelmReleaseSpec.Timeout'.
+		timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	}
+
+	// The name of the Kubernetes service account to impersonate when
+	// reconciling this HelmRelease.
+	serviceAccountName?: strings.MaxRunes(253) & strings.MinRunes(1)
+
+	// StorageNamespace used for the Helm storage. Defaults to the
+	// namespace of the HelmRelease.
+	storageNamespace?: strings.MaxRunes(63) & strings.MinRunes(1)
+
+	// Suspend tells the controller to suspend reconciliation for this
+	// HelmRelease, it does not apply to already started
+	// reconciliations. Defaults to false.
+	suspend?: bool
+
+	// TargetNamespace to target when performing operations for the
+	// HelmRelease. Defaults to the namespace of the HelmRelease.
+	targetNamespace?: strings.MaxRunes(63) & strings.MinRunes(1)
+
+	// Test holds the configuration for Helm test actions for this
+	// HelmRelease.
+	test?: {
+		// Enable enables Helm test actions for this HelmRelease after an
+		// Helm install or upgrade action has been performed.
+		enable?: bool
+
+		// Filters is a list of tests to run or exclude from running.
+		filters?: [...{
+			// Exclude specifies whether the named test should be excluded.
+			exclude?: bool
+
+			// Name is the name of the test.
+			name: strings.MaxRunes(253) & strings.MinRunes(1)
+		}]
+
+		// IgnoreFailures tells the controller to skip remediation when
+		// the Helm tests are run but fail. Can be overwritten for tests
+		// run after install or upgrade actions in
+		// 'Install.IgnoreTestFailures' and 'Upgrade.IgnoreTestFailures'.
+		ignoreFailures?: bool
+
+		// Timeout is the time to wait for any individual Kubernetes
+		// operation during the performance of a Helm test action.
+		// Defaults to 'HelmReleaseSpec.Timeout'.
+		timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	}
+
+	// Timeout is the time to wait for any individual Kubernetes
+	// operation (like Jobs for hooks) during the performance of a
+	// Helm action. Defaults to '5m0s'.
+	timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+
+	// Uninstall holds the configuration for Helm uninstall actions
+	// for this HelmRelease.
+	uninstall?: {
+		// DeletionPropagation specifies the deletion propagation policy
+		// when a Helm uninstall is performed.
+		deletionPropagation?: "background" | "foreground" | "orphan" | *"background"
+
+		// DisableHooks prevents hooks from running during the Helm
+		// rollback action.
+		disableHooks?: bool
+
+		// DisableWait disables waiting for all the resources to be
+		// deleted after a Helm uninstall is performed.
+		disableWait?: bool
+
+		// KeepHistory tells Helm to remove all associated resources and
+		// mark the release as deleted, but retain the release history.
+		keepHistory?: bool
+
+		// Timeout is the time to wait for any individual Kubernetes
+		// operation (like Jobs for hooks) during the performance of a
+		// Helm uninstall action. Defaults to 'HelmReleaseSpec.Timeout'.
+		timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	}
+
+	// Upgrade holds the configuration for Helm upgrade actions for
+	// this HelmRelease.
+	upgrade?: {
+		// CleanupOnFail allows deletion of new resources created during
+		// the Helm upgrade action when it fails.
+		cleanupOnFail?: bool
+
+		// CRDs upgrade CRDs from the Helm Chart's crds directory
+		// according to the CRD upgrade policy provided here. Valid
+		// values are `Skip`, `Create` or `CreateReplace`. Default is
+		// `Skip` and if omitted CRDs are neither installed nor upgraded.
+		// Skip: do neither install nor replace (update) any CRDs.
+		// Create: new CRDs are created, existing CRDs are neither updated
+		// nor deleted.
+		// CreateReplace: new CRDs are created, existing CRDs are updated
+		// (replaced) but not deleted.
+		// By default, CRDs are not applied during Helm upgrade action.
+		// With this option users can opt-in to CRD upgrade, which is not
+		// (yet) natively supported by Helm.
+		// https://helm.sh/docs/chart_best_practices/custom_resource_definitions.
+		crds?: "Skip" | "Create" | "CreateReplace"
+
+		// DisableHooks prevents hooks from running during the Helm
+		// upgrade action.
+		disableHooks?: bool
+
+		// DisableOpenAPIValidation prevents the Helm upgrade action from
+		// validating rendered templates against the Kubernetes OpenAPI
+		// Schema.
+		disableOpenAPIValidation?: bool
+
+		// DisableWait disables the waiting for resources to be ready
+		// after a Helm upgrade has been performed.
+		disableWait?: bool
+
+		// DisableWaitForJobs disables waiting for jobs to complete after
+		// a Helm upgrade has been performed.
+		disableWaitForJobs?: bool
+
+		// Force forces resource updates through a replacement strategy.
+		force?: bool
+
+		// PreserveValues will make Helm reuse the last release's values
+		// and merge in overrides from 'Values'. Setting this flag makes
+		// the HelmRelease non-declarative.
+		preserveValues?: bool
+
+		// Remediation holds the remediation configuration for when the
+		// Helm upgrade action for the HelmRelease fails. The default is
+		// to not perform any action.
+		remediation?: {
+			// IgnoreTestFailures tells the controller to skip remediation
+			// when the Helm tests are run after an upgrade action but fail.
+			// Defaults to 'Test.IgnoreFailures'.
+			ignoreTestFailures?: bool
+
+			// RemediateLastFailure tells the controller to remediate the last
+			// failure, when no retries remain. Defaults to 'false' unless
+			// 'Retries' is greater than 0.
+			remediateLastFailure?: bool
+
+			// Retries is the number of retries that should be attempted on
+			// failures before bailing. Remediation, using 'Strategy', is
+			// performed between each attempt. Defaults to '0', a negative
+			// integer equals to unlimited retries.
+			retries?: int
+
+			// Strategy to use for failure remediation. Defaults to
+			// 'rollback'.
+			strategy?: "rollback" | "uninstall"
+		}
+
+		// Timeout is the time to wait for any individual Kubernetes
+		// operation (like Jobs for hooks) during the performance of a
+		// Helm upgrade action. Defaults to 'HelmReleaseSpec.Timeout'.
+		timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	}
+
+	// Values holds the values for this Helm release.
+	values?: _
+
+	// ValuesFrom holds references to resources containing Helm values
+	// for this HelmRelease, and information about how they should be
+	// merged.
+	valuesFrom?: [...{
+		// Kind of the values referent, valid values are ('Secret',
+		// 'ConfigMap').
+		kind: "Secret" | "ConfigMap"
+
+		// Name of the values referent. Should reside in the same
+		// namespace as the referring resource.
+		name: strings.MaxRunes(253) & strings.MinRunes(1)
+
+		// Optional marks this ValuesReference as optional. When set, a
+		// not found error for the values reference is ignored, but any
+		// ValuesKey, TargetPath or transient error will still result in
+		// a reconciliation failure.
+		optional?: bool
+
+		// TargetPath is the YAML dot notation path the value should be
+		// merged at. When set, the ValuesKey is expected to be a single
+		// flat value. Defaults to 'None', which results in the values
+		// getting merged at the root.
+		targetPath?: strings.MaxRunes(250) & {
+			=~"^([a-zA-Z0-9_\\-.\\\\\\/]|\\[[0-9]{1,5}\\])+$"
+		}
+
+		// ValuesKey is the data key where the values.yaml or a specific
+		// value can be found at. Defaults to 'values.yaml'.
+		valuesKey?: strings.MaxRunes(253) & {
+			=~"^[\\-._a-zA-Z0-9]+$"
+		}
+	}]
+}

docs/examples/cue.mod/gen/image.toolkit.fluxcd.io/imagepolicy/v1beta1/types_gen.cue

@@ -0,0 +1,93 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta1
+
+import "strings"
+
+// ImagePolicy is the Schema for the imagepolicies API
+#ImagePolicy: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "image.toolkit.fluxcd.io/v1beta1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "ImagePolicy"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// ImagePolicySpec defines the parameters for calculating the
+	// ImagePolicy
+	spec!: #ImagePolicySpec
+}
+
+// ImagePolicySpec defines the parameters for calculating the
+// ImagePolicy
+#ImagePolicySpec: {
+	// FilterTags enables filtering for only a subset of tags based on
+	// a set of rules. If no rules are provided, all the tags from
+	// the repository will be ordered and compared.
+	filterTags?: {
+		// Extract allows a capture group to be extracted from the
+		// specified regular expression pattern, useful before tag
+		// evaluation.
+		extract?: string
+
+		// Pattern specifies a regular expression pattern used to filter
+		// for image tags.
+		pattern?: string
+	}
+
+	// ImageRepositoryRef points at the object specifying the image
+	// being scanned
+	imageRepositoryRef: {
+		// Name of the referent.
+		name: string
+
+		// Namespace of the referent, when not specified it acts as
+		// LocalObjectReference.
+		namespace?: string
+	}
+
+	// Policy gives the particulars of the policy to be followed in
+	// selecting the most recent image
+	policy: {
+		alphabetical?: {
+			// Order specifies the sorting order of the tags. Given the
+			// letters of the alphabet as tags, ascending order would select
+			// Z, and descending order would select A.
+			order?: "asc" | "desc" | *"asc"
+		}
+		numerical?: {
+			// Order specifies the sorting order of the tags. Given the
+			// integer values from 0 to 9 as tags, ascending order would
+			// select 9, and descending order would select 0.
+			order?: "asc" | "desc" | *"asc"
+		}
+		semver?: {
+			// Range gives a semver range for the image tag; the highest
+			// version within the range that's a tag yields the latest image.
+			range: string
+		}
+	}
+}

docs/examples/cue.mod/gen/image.toolkit.fluxcd.io/imagepolicy/v1beta2/types_gen.cue

@@ -0,0 +1,93 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta2
+
+import "strings"
+
+// ImagePolicy is the Schema for the imagepolicies API
+#ImagePolicy: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "image.toolkit.fluxcd.io/v1beta2"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "ImagePolicy"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// ImagePolicySpec defines the parameters for calculating the
+	// ImagePolicy.
+	spec!: #ImagePolicySpec
+}
+
+// ImagePolicySpec defines the parameters for calculating the
+// ImagePolicy.
+#ImagePolicySpec: {
+	// FilterTags enables filtering for only a subset of tags based on
+	// a set of rules. If no rules are provided, all the tags from
+	// the repository will be ordered and compared.
+	filterTags?: {
+		// Extract allows a capture group to be extracted from the
+		// specified regular expression pattern, useful before tag
+		// evaluation.
+		extract?: string
+
+		// Pattern specifies a regular expression pattern used to filter
+		// for image tags.
+		pattern?: string
+	}
+
+	// ImageRepositoryRef points at the object specifying the image
+	// being scanned
+	imageRepositoryRef: {
+		// Name of the referent.
+		name: string
+
+		// Namespace of the referent, when not specified it acts as
+		// LocalObjectReference.
+		namespace?: string
+	}
+
+	// Policy gives the particulars of the policy to be followed in
+	// selecting the most recent image
+	policy: {
+		alphabetical?: {
+			// Order specifies the sorting order of the tags. Given the
+			// letters of the alphabet as tags, ascending order would select
+			// Z, and descending order would select A.
+			order?: "asc" | "desc" | *"asc"
+		}
+		numerical?: {
+			// Order specifies the sorting order of the tags. Given the
+			// integer values from 0 to 9 as tags, ascending order would
+			// select 9, and descending order would select 0.
+			order?: "asc" | "desc" | *"asc"
+		}
+		semver?: {
+			// Range gives a semver range for the image tag; the highest
+			// version within the range that's a tag yields the latest image.
+			range: string
+		}
+	}
+}

docs/examples/cue.mod/gen/image.toolkit.fluxcd.io/imagerepository/v1beta1/types_gen.cue

@@ -0,0 +1,94 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta1
+
+import "strings"
+
+// ImageRepository is the Schema for the imagerepositories API
+#ImageRepository: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "image.toolkit.fluxcd.io/v1beta1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "ImageRepository"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// ImageRepositorySpec defines the parameters for scanning an
+	// image repository, e.g., `fluxcd/flux`.
+	spec!: #ImageRepositorySpec
+}
+
+// ImageRepositorySpec defines the parameters for scanning an
+// image repository, e.g., `fluxcd/flux`.
+#ImageRepositorySpec: {
+	accessFrom?: {
+		// NamespaceSelectors is the list of namespace selectors to which
+		// this ACL applies. Items in this list are evaluated using a
+		// logical OR operation.
+		namespaceSelectors: [...{
+			// MatchLabels is a map of {key,value} pairs. A single {key,value}
+			// in the matchLabels map is equivalent to an element of
+			// matchExpressions, whose key field is "key", the operator is
+			// "In", and the values array contains only "value". The
+			// requirements are ANDed.
+			matchLabels?: {
+				[string]: string
+			}
+		}]
+	}
+	certSecretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// ExclusionList is a list of regex strings used to exclude
+	// certain tags from being stored in the database.
+	exclusionList?: [...string]
+
+	// Image is the name of the image repository
+	image?: string
+
+	// Interval is the length of time to wait between scans of the
+	// image repository.
+	interval?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	secretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// ServiceAccountName is the name of the Kubernetes ServiceAccount
+	// used to authenticate the image pull if the service account has
+	// attached pull secrets.
+	serviceAccountName?: strings.MaxRunes(253)
+
+	// This flag tells the controller to suspend subsequent image
+	// scans. It does not apply to already started scans. Defaults to
+	// false.
+	suspend?: bool
+
+	// Timeout for image scanning. Defaults to 'Interval' duration.
+	timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m))+$"
+}

docs/examples/cue.mod/gen/image.toolkit.fluxcd.io/imagerepository/v1beta2/types_gen.cue

@@ -0,0 +1,105 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta2
+
+import (
+	"strings"
+	"list"
+)
+
+// ImageRepository is the Schema for the imagerepositories API
+#ImageRepository: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "image.toolkit.fluxcd.io/v1beta2"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "ImageRepository"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// ImageRepositorySpec defines the parameters for scanning an
+	// image repository, e.g., `fluxcd/flux`.
+	spec!: #ImageRepositorySpec
+}
+
+// ImageRepositorySpec defines the parameters for scanning an
+// image repository, e.g., `fluxcd/flux`.
+#ImageRepositorySpec: {
+	accessFrom?: {
+		// NamespaceSelectors is the list of namespace selectors to which
+		// this ACL applies. Items in this list are evaluated using a
+		// logical OR operation.
+		namespaceSelectors: [...{
+			// MatchLabels is a map of {key,value} pairs. A single {key,value}
+			// in the matchLabels map is equivalent to an element of
+			// matchExpressions, whose key field is "key", the operator is
+			// "In", and the values array contains only "value". The
+			// requirements are ANDed.
+			matchLabels?: {
+				[string]: string
+			}
+		}]
+	}
+	certSecretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// ExclusionList is a list of regex strings used to exclude
+	// certain tags from being stored in the database.
+	exclusionList?: list.MaxItems(25) & [...string] | *["^.*\\.sig$"]
+
+	// Image is the name of the image repository
+	image?: string
+
+	// Insecure allows connecting to a non-TLS HTTP container
+	// registry.
+	insecure?: bool
+
+	// Interval is the length of time to wait between scans of the
+	// image repository.
+	interval?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+
+	// The provider used for authentication, can be 'aws', 'azure',
+	// 'gcp' or 'generic'. When not specified, defaults to 'generic'.
+	provider?: "generic" | "aws" | "azure" | "gcp" | *"generic"
+	secretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// ServiceAccountName is the name of the Kubernetes ServiceAccount
+	// used to authenticate the image pull if the service account has
+	// attached pull secrets.
+	serviceAccountName?: strings.MaxRunes(253)
+
+	// This flag tells the controller to suspend subsequent image
+	// scans. It does not apply to already started scans. Defaults to
+	// false.
+	suspend?: bool
+
+	// Timeout for image scanning. Defaults to 'Interval' duration.
+	timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m))+$"
+}

docs/examples/cue.mod/gen/image.toolkit.fluxcd.io/imageupdateautomation/v1beta1/types_gen.cue

@@ -0,0 +1,170 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta1
+
+import "strings"
+
+// ImageUpdateAutomation is the Schema for the
+// imageupdateautomations API
+#ImageUpdateAutomation: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "image.toolkit.fluxcd.io/v1beta1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "ImageUpdateAutomation"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// ImageUpdateAutomationSpec defines the desired state of
+	// ImageUpdateAutomation
+	spec!: #ImageUpdateAutomationSpec
+}
+
+// ImageUpdateAutomationSpec defines the desired state of
+// ImageUpdateAutomation
+#ImageUpdateAutomationSpec: {
+	// GitSpec contains all the git-specific definitions. This is
+	// technically optional, but in practice mandatory until there
+	// are other kinds of source allowed.
+	git?: {
+		checkout?: {
+			// Reference gives a branch, tag or commit to clone from the Git
+			// repository.
+			ref: {
+				// Branch to check out, defaults to 'master' if no other field is
+				// defined.
+				branch?: string
+
+				// Commit SHA to check out, takes precedence over all reference
+				// fields.
+				// This can be combined with Branch to shallow clone the branch,
+				// in which the commit is expected to exist.
+				commit?: string
+
+				// Name of the reference to check out; takes precedence over
+				// Branch, Tag and SemVer.
+				// It must be a valid Git reference:
+				// https://git-scm.com/docs/git-check-ref-format#_description
+				// Examples: "refs/heads/main", "refs/tags/v0.1.0",
+				// "refs/pull/420/head", "refs/merge-requests/1/head"
+				name?: string
+
+				// SemVer tag expression to check out, takes precedence over Tag.
+				semver?: string
+
+				// Tag to check out, takes precedence over Branch.
+				tag?: string
+			}
+		}
+
+		// Commit specifies how to commit to the git repository.
+		commit: {
+			// Author gives the email and optionally the name to use as the
+			// author of commits.
+			author: {
+				// Email gives the email to provide when making a commit.
+				email: string
+
+				// Name gives the name to provide when making a commit.
+				name?: string
+			}
+
+			// MessageTemplate provides a template for the commit message,
+			// into which will be interpolated the details of the change
+			// made.
+			messageTemplate?: string
+			signingKey?: {
+				secretRef?: {
+					// Name of the referent.
+					name: string
+				}
+			}
+		}
+
+		// Push specifies how and where to push commits made by the
+		// automation. If missing, commits are pushed (back) to
+		// `.spec.checkout.branch` or its default.
+		push?: {
+			// Branch specifies that commits should be pushed to the branch
+			// named. The branch is created using `.spec.checkout.branch` as
+			// the starting point, if it doesn't already exist.
+			branch?: string
+
+			// Options specifies the push options that are sent to the Git
+			// server when performing a push operation. For details, see:
+			// https://git-scm.com/docs/git-push#Documentation/git-push.txt---push-optionltoptiongt
+			options?: {
+				[string]: string
+			}
+
+			// Refspec specifies the Git Refspec to use for a push operation.
+			// If both Branch and Refspec are provided, then the commit is
+			// pushed to the branch and also using the specified refspec. For
+			// more details about Git Refspecs, see:
+			// https://git-scm.com/book/en/v2/Git-Internals-The-Refspec
+			refspec?: string
+		}
+	}
+
+	// Interval gives an lower bound for how often the automation run
+	// should be attempted.
+	interval: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+
+	// SourceRef refers to the resource giving access details to a git
+	// repository.
+	sourceRef: {
+		// API version of the referent.
+		apiVersion?: string
+
+		// Kind of the referent.
+		kind: "GitRepository" | *"GitRepository"
+
+		// Name of the referent.
+		name: string
+
+		// Namespace of the referent, defaults to the namespace of the
+		// Kubernetes resource object that contains the reference.
+		namespace?: string
+	}
+
+	// Suspend tells the controller to not run this automation, until
+	// it is unset (or set to false). Defaults to false.
+	suspend?: bool
+
+	// Update gives the specification for how to update the files in
+	// the repository. This can be left empty, to use the default
+	// value.
+	update?: {
+		// Path to the directory containing the manifests to be updated.
+		// Defaults to 'None', which translates to the root path of the
+		// GitRepositoryRef.
+		path?: string
+
+		// Strategy names the strategy to be used.
+		strategy: "Setters" | *"Setters"
+	} | *{
+		strategy: "Setters"
+	}
+}

docs/examples/cue.mod/gen/k8s.io/api/apps/v1/register_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/apps/v1
+
+package v1
+
+#GroupName: "apps"

docs/examples/cue.mod/gen/k8s.io/api/apps/v1/types_go_gen.cue

@@ -0,0 +1,946 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/apps/v1
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+#ControllerRevisionHashLabelKey: "controller-revision-hash"
+#StatefulSetRevisionLabel:       "controller-revision-hash"
+#DeprecatedRollbackTo:           "deprecated.deployment.rollback.to"
+#DeprecatedTemplateGeneration:   "deprecated.daemonset.template.generation"
+#StatefulSetPodNameLabel:        "statefulset.kubernetes.io/pod-name"
+#PodIndexLabel:                  "apps.kubernetes.io/pod-index"
+
+// StatefulSet represents a set of pods with consistent identities.
+// Identities are defined as:
+//   - Network: A single stable DNS and hostname.
+//   - Storage: As many VolumeClaims as requested.
+//
+// The StatefulSet guarantees that a given network identity will always
+// map to the same storage identity.
+#StatefulSet: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Spec defines the desired identities of pods in this set.
+	// +optional
+	spec?: #StatefulSetSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// Status is the current status of Pods in this StatefulSet. This data
+	// may be out of date by some window of time.
+	// +optional
+	status?: #StatefulSetStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// PodManagementPolicyType defines the policy for creating pods under a stateful set.
+// +enum
+#PodManagementPolicyType: string // #enumPodManagementPolicyType
+
+#enumPodManagementPolicyType:
+	#OrderedReadyPodManagement |
+	#ParallelPodManagement
+
+// OrderedReadyPodManagement will create pods in strictly increasing order on
+// scale up and strictly decreasing order on scale down, progressing only when
+// the previous pod is ready or terminated. At most one pod will be changed
+// at any time.
+#OrderedReadyPodManagement: #PodManagementPolicyType & "OrderedReady"
+
+// ParallelPodManagement will create and delete pods as soon as the stateful set
+// replica count is changed, and will not wait for pods to be ready or complete
+// termination.
+#ParallelPodManagement: #PodManagementPolicyType & "Parallel"
+
+// StatefulSetUpdateStrategy indicates the strategy that the StatefulSet
+// controller will use to perform updates. It includes any additional parameters
+// necessary to perform the update for the indicated strategy.
+#StatefulSetUpdateStrategy: {
+	// Type indicates the type of the StatefulSetUpdateStrategy.
+	// Default is RollingUpdate.
+	// +optional
+	type?: #StatefulSetUpdateStrategyType @go(Type) @protobuf(1,bytes,opt,casttype=StatefulSetStrategyType)
+
+	// RollingUpdate is used to communicate parameters when Type is RollingUpdateStatefulSetStrategyType.
+	// +optional
+	rollingUpdate?: null | #RollingUpdateStatefulSetStrategy @go(RollingUpdate,*RollingUpdateStatefulSetStrategy) @protobuf(2,bytes,opt)
+}
+
+// StatefulSetUpdateStrategyType is a string enumeration type that enumerates
+// all possible update strategies for the StatefulSet controller.
+// +enum
+#StatefulSetUpdateStrategyType: string // #enumStatefulSetUpdateStrategyType
+
+#enumStatefulSetUpdateStrategyType:
+	#RollingUpdateStatefulSetStrategyType |
+	#OnDeleteStatefulSetStrategyType
+
+// RollingUpdateStatefulSetStrategyType indicates that update will be
+// applied to all Pods in the StatefulSet with respect to the StatefulSet
+// ordering constraints. When a scale operation is performed with this
+// strategy, new Pods will be created from the specification version indicated
+// by the StatefulSet's updateRevision.
+#RollingUpdateStatefulSetStrategyType: #StatefulSetUpdateStrategyType & "RollingUpdate"
+
+// OnDeleteStatefulSetStrategyType triggers the legacy behavior. Version
+// tracking and ordered rolling restarts are disabled. Pods are recreated
+// from the StatefulSetSpec when they are manually deleted. When a scale
+// operation is performed with this strategy,specification version indicated
+// by the StatefulSet's currentRevision.
+#OnDeleteStatefulSetStrategyType: #StatefulSetUpdateStrategyType & "OnDelete"
+
+// RollingUpdateStatefulSetStrategy is used to communicate parameter for RollingUpdateStatefulSetStrategyType.
+#RollingUpdateStatefulSetStrategy: {
+	// Partition indicates the ordinal at which the StatefulSet should be partitioned
+	// for updates. During a rolling update, all pods from ordinal Replicas-1 to
+	// Partition are updated. All pods from ordinal Partition-1 to 0 remain untouched.
+	// This is helpful in being able to do a canary based deployment. The default value is 0.
+	// +optional
+	partition?: null | int32 @go(Partition,*int32) @protobuf(1,varint,opt)
+
+	// The maximum number of pods that can be unavailable during the update.
+	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+	// Absolute number is calculated from percentage by rounding up. This can not be 0.
+	// Defaults to 1. This field is alpha-level and is only honored by servers that enable the
+	// MaxUnavailableStatefulSet feature. The field applies to all pods in the range 0 to
+	// Replicas-1. That means if there is any unavailable pod in the range 0 to Replicas-1, it
+	// will be counted towards MaxUnavailable.
+	// +optional
+	maxUnavailable?: null | intstr.#IntOrString @go(MaxUnavailable,*intstr.IntOrString) @protobuf(2,varint,opt)
+}
+
+// PersistentVolumeClaimRetentionPolicyType is a string enumeration of the policies that will determine
+// when volumes from the VolumeClaimTemplates will be deleted when the controlling StatefulSet is
+// deleted or scaled down.
+#PersistentVolumeClaimRetentionPolicyType: string // #enumPersistentVolumeClaimRetentionPolicyType
+
+#enumPersistentVolumeClaimRetentionPolicyType:
+	#RetainPersistentVolumeClaimRetentionPolicyType |
+	#DeletePersistentVolumeClaimRetentionPolicyType
+
+// RetainPersistentVolumeClaimRetentionPolicyType is the default
+// PersistentVolumeClaimRetentionPolicy and specifies that
+// PersistentVolumeClaims associated with StatefulSet VolumeClaimTemplates
+// will not be deleted.
+#RetainPersistentVolumeClaimRetentionPolicyType: #PersistentVolumeClaimRetentionPolicyType & "Retain"
+
+// RetentionPersistentVolumeClaimRetentionPolicyType specifies that
+// PersistentVolumeClaims associated with StatefulSet VolumeClaimTemplates
+// will be deleted in the scenario specified in
+// StatefulSetPersistentVolumeClaimRetentionPolicy.
+#DeletePersistentVolumeClaimRetentionPolicyType: #PersistentVolumeClaimRetentionPolicyType & "Delete"
+
+// StatefulSetPersistentVolumeClaimRetentionPolicy describes the policy used for PVCs
+// created from the StatefulSet VolumeClaimTemplates.
+#StatefulSetPersistentVolumeClaimRetentionPolicy: {
+	// WhenDeleted specifies what happens to PVCs created from StatefulSet
+	// VolumeClaimTemplates when the StatefulSet is deleted. The default policy
+	// of `Retain` causes PVCs to not be affected by StatefulSet deletion. The
+	// `Delete` policy causes those PVCs to be deleted.
+	whenDeleted?: #PersistentVolumeClaimRetentionPolicyType @go(WhenDeleted) @protobuf(1,bytes,opt,casttype=PersistentVolumeClaimRetentionPolicyType)
+
+	// WhenScaled specifies what happens to PVCs created from StatefulSet
+	// VolumeClaimTemplates when the StatefulSet is scaled down. The default
+	// policy of `Retain` causes PVCs to not be affected by a scaledown. The
+	// `Delete` policy causes the associated PVCs for any excess pods above
+	// the replica count to be deleted.
+	whenScaled?: #PersistentVolumeClaimRetentionPolicyType @go(WhenScaled) @protobuf(2,bytes,opt,casttype=PersistentVolumeClaimRetentionPolicyType)
+}
+
+// StatefulSetOrdinals describes the policy used for replica ordinal assignment
+// in this StatefulSet.
+#StatefulSetOrdinals: {
+	// start is the number representing the first replica's index. It may be used
+	// to number replicas from an alternate index (eg: 1-indexed) over the default
+	// 0-indexed names, or to orchestrate progressive movement of replicas from
+	// one StatefulSet to another.
+	// If set, replica indices will be in the range:
+	//   [.spec.ordinals.start, .spec.ordinals.start + .spec.replicas).
+	// If unset, defaults to 0. Replica indices will be in the range:
+	//   [0, .spec.replicas).
+	// +optional
+	start?: int32 @go(Start) @protobuf(1,varint,opt)
+}
+
+// A StatefulSetSpec is the specification of a StatefulSet.
+#StatefulSetSpec: {
+	// replicas is the desired number of replicas of the given Template.
+	// These are replicas in the sense that they are instantiations of the
+	// same Template, but individual replicas also have a consistent identity.
+	// If unspecified, defaults to 1.
+	// TODO: Consider a rename of this field.
+	// +optional
+	replicas?: null | int32 @go(Replicas,*int32) @protobuf(1,varint,opt)
+
+	// selector is a label query over pods that should match the replica count.
+	// It must match the pod template's labels.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+	selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(2,bytes,opt)
+
+	// template is the object that describes the pod that will be created if
+	// insufficient replicas are detected. Each pod stamped out by the StatefulSet
+	// will fulfill this Template, but have a unique identity from the rest
+	// of the StatefulSet. Each pod will be named with the format
+	// <statefulsetname>-<podindex>. For example, a pod in a StatefulSet named
+	// "web" with index number "3" would be named "web-3".
+	// The only allowed template.spec.restartPolicy value is "Always".
+	template: v1.#PodTemplateSpec @go(Template) @protobuf(3,bytes,opt)
+
+	// volumeClaimTemplates is a list of claims that pods are allowed to reference.
+	// The StatefulSet controller is responsible for mapping network identities to
+	// claims in a way that maintains the identity of a pod. Every claim in
+	// this list must have at least one matching (by name) volumeMount in one
+	// container in the template. A claim in this list takes precedence over
+	// any volumes in the template, with the same name.
+	// TODO: Define the behavior if a claim already exists with the same name.
+	// +optional
+	volumeClaimTemplates?: [...v1.#PersistentVolumeClaim] @go(VolumeClaimTemplates,[]v1.PersistentVolumeClaim) @protobuf(4,bytes,rep)
+
+	// serviceName is the name of the service that governs this StatefulSet.
+	// This service must exist before the StatefulSet, and is responsible for
+	// the network identity of the set. Pods get DNS/hostnames that follow the
+	// pattern: pod-specific-string.serviceName.default.svc.cluster.local
+	// where "pod-specific-string" is managed by the StatefulSet controller.
+	serviceName: string @go(ServiceName) @protobuf(5,bytes,opt)
+
+	// podManagementPolicy controls how pods are created during initial scale up,
+	// when replacing pods on nodes, or when scaling down. The default policy is
+	// `OrderedReady`, where pods are created in increasing order (pod-0, then
+	// pod-1, etc) and the controller will wait until each pod is ready before
+	// continuing. When scaling down, the pods are removed in the opposite order.
+	// The alternative policy is `Parallel` which will create pods in parallel
+	// to match the desired scale without waiting, and on scale down will delete
+	// all pods at once.
+	// +optional
+	podManagementPolicy?: #PodManagementPolicyType @go(PodManagementPolicy) @protobuf(6,bytes,opt,casttype=PodManagementPolicyType)
+
+	// updateStrategy indicates the StatefulSetUpdateStrategy that will be
+	// employed to update Pods in the StatefulSet when a revision is made to
+	// Template.
+	updateStrategy?: #StatefulSetUpdateStrategy @go(UpdateStrategy) @protobuf(7,bytes,opt)
+
+	// revisionHistoryLimit is the maximum number of revisions that will
+	// be maintained in the StatefulSet's revision history. The revision history
+	// consists of all revisions not represented by a currently applied
+	// StatefulSetSpec version. The default value is 10.
+	revisionHistoryLimit?: null | int32 @go(RevisionHistoryLimit,*int32) @protobuf(8,varint,opt)
+
+	// Minimum number of seconds for which a newly created pod should be ready
+	// without any of its container crashing for it to be considered available.
+	// Defaults to 0 (pod will be considered available as soon as it is ready)
+	// +optional
+	minReadySeconds?: int32 @go(MinReadySeconds) @protobuf(9,varint,opt)
+
+	// persistentVolumeClaimRetentionPolicy describes the lifecycle of persistent
+	// volume claims created from volumeClaimTemplates. By default, all persistent
+	// volume claims are created as needed and retained until manually deleted. This
+	// policy allows the lifecycle to be altered, for example by deleting persistent
+	// volume claims when their stateful set is deleted, or when their pod is scaled
+	// down. This requires the StatefulSetAutoDeletePVC feature gate to be enabled,
+	// which is alpha.  +optional
+	persistentVolumeClaimRetentionPolicy?: null | #StatefulSetPersistentVolumeClaimRetentionPolicy @go(PersistentVolumeClaimRetentionPolicy,*StatefulSetPersistentVolumeClaimRetentionPolicy) @protobuf(10,bytes,opt)
+
+	// ordinals controls the numbering of replica indices in a StatefulSet. The
+	// default ordinals behavior assigns a "0" index to the first replica and
+	// increments the index by one for each additional replica requested. Using
+	// the ordinals field requires the StatefulSetStartOrdinal feature gate to be
+	// enabled, which is beta.
+	// +optional
+	ordinals?: null | #StatefulSetOrdinals @go(Ordinals,*StatefulSetOrdinals) @protobuf(11,bytes,opt)
+}
+
+// StatefulSetStatus represents the current state of a StatefulSet.
+#StatefulSetStatus: {
+	// observedGeneration is the most recent generation observed for this StatefulSet. It corresponds to the
+	// StatefulSet's generation, which is updated on mutation by the API Server.
+	// +optional
+	observedGeneration?: int64 @go(ObservedGeneration) @protobuf(1,varint,opt)
+
+	// replicas is the number of Pods created by the StatefulSet controller.
+	replicas: int32 @go(Replicas) @protobuf(2,varint,opt)
+
+	// readyReplicas is the number of pods created for this StatefulSet with a Ready Condition.
+	readyReplicas?: int32 @go(ReadyReplicas) @protobuf(3,varint,opt)
+
+	// currentReplicas is the number of Pods created by the StatefulSet controller from the StatefulSet version
+	// indicated by currentRevision.
+	currentReplicas?: int32 @go(CurrentReplicas) @protobuf(4,varint,opt)
+
+	// updatedReplicas is the number of Pods created by the StatefulSet controller from the StatefulSet version
+	// indicated by updateRevision.
+	updatedReplicas?: int32 @go(UpdatedReplicas) @protobuf(5,varint,opt)
+
+	// currentRevision, if not empty, indicates the version of the StatefulSet used to generate Pods in the
+	// sequence [0,currentReplicas).
+	currentRevision?: string @go(CurrentRevision) @protobuf(6,bytes,opt)
+
+	// updateRevision, if not empty, indicates the version of the StatefulSet used to generate Pods in the sequence
+	// [replicas-updatedReplicas,replicas)
+	updateRevision?: string @go(UpdateRevision) @protobuf(7,bytes,opt)
+
+	// collisionCount is the count of hash collisions for the StatefulSet. The StatefulSet controller
+	// uses this field as a collision avoidance mechanism when it needs to create the name for the
+	// newest ControllerRevision.
+	// +optional
+	collisionCount?: null | int32 @go(CollisionCount,*int32) @protobuf(9,varint,opt)
+
+	// Represents the latest available observations of a statefulset's current state.
+	// +optional
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	conditions?: [...#StatefulSetCondition] @go(Conditions,[]StatefulSetCondition) @protobuf(10,bytes,rep)
+
+	// Total number of available pods (ready for at least minReadySeconds) targeted by this statefulset.
+	// +optional
+	availableReplicas?: int32 @go(AvailableReplicas) @protobuf(11,varint,opt)
+}
+
+#StatefulSetConditionType: string
+
+// StatefulSetCondition describes the state of a statefulset at a certain point.
+#StatefulSetCondition: {
+	// Type of statefulset condition.
+	type: #StatefulSetConditionType @go(Type) @protobuf(1,bytes,opt,casttype=StatefulSetConditionType)
+
+	// Status of the condition, one of True, False, Unknown.
+	status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus)
+
+	// Last time the condition transitioned from one status to another.
+	// +optional
+	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt)
+
+	// The reason for the condition's last transition.
+	// +optional
+	reason?: string @go(Reason) @protobuf(4,bytes,opt)
+
+	// A human readable message indicating details about the transition.
+	// +optional
+	message?: string @go(Message) @protobuf(5,bytes,opt)
+}
+
+// StatefulSetList is a collection of StatefulSets.
+#StatefulSetList: {
+	metav1.#TypeMeta
+
+	// Standard list's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// Items is the list of stateful sets.
+	items: [...#StatefulSet] @go(Items,[]StatefulSet) @protobuf(2,bytes,rep)
+}
+
+// Deployment enables declarative updates for Pods and ReplicaSets.
+#Deployment: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Specification of the desired behavior of the Deployment.
+	// +optional
+	spec?: #DeploymentSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// Most recently observed status of the Deployment.
+	// +optional
+	status?: #DeploymentStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// DeploymentSpec is the specification of the desired behavior of the Deployment.
+#DeploymentSpec: {
+	// Number of desired pods. This is a pointer to distinguish between explicit
+	// zero and not specified. Defaults to 1.
+	// +optional
+	replicas?: null | int32 @go(Replicas,*int32) @protobuf(1,varint,opt)
+
+	// Label selector for pods. Existing ReplicaSets whose pods are
+	// selected by this will be the ones affected by this deployment.
+	// It must match the pod template's labels.
+	selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(2,bytes,opt)
+
+	// Template describes the pods that will be created.
+	// The only allowed template.spec.restartPolicy value is "Always".
+	template: v1.#PodTemplateSpec @go(Template) @protobuf(3,bytes,opt)
+
+	// The deployment strategy to use to replace existing pods with new ones.
+	// +optional
+	// +patchStrategy=retainKeys
+	strategy?: #DeploymentStrategy @go(Strategy) @protobuf(4,bytes,opt)
+
+	// Minimum number of seconds for which a newly created pod should be ready
+	// without any of its container crashing, for it to be considered available.
+	// Defaults to 0 (pod will be considered available as soon as it is ready)
+	// +optional
+	minReadySeconds?: int32 @go(MinReadySeconds) @protobuf(5,varint,opt)
+
+	// The number of old ReplicaSets to retain to allow rollback.
+	// This is a pointer to distinguish between explicit zero and not specified.
+	// Defaults to 10.
+	// +optional
+	revisionHistoryLimit?: null | int32 @go(RevisionHistoryLimit,*int32) @protobuf(6,varint,opt)
+
+	// Indicates that the deployment is paused.
+	// +optional
+	paused?: bool @go(Paused) @protobuf(7,varint,opt)
+
+	// The maximum time in seconds for a deployment to make progress before it
+	// is considered to be failed. The deployment controller will continue to
+	// process failed deployments and a condition with a ProgressDeadlineExceeded
+	// reason will be surfaced in the deployment status. Note that progress will
+	// not be estimated during the time a deployment is paused. Defaults to 600s.
+	progressDeadlineSeconds?: null | int32 @go(ProgressDeadlineSeconds,*int32) @protobuf(9,varint,opt)
+}
+
+// DefaultDeploymentUniqueLabelKey is the default key of the selector that is added
+// to existing ReplicaSets (and label key that is added to its pods) to prevent the existing ReplicaSets
+// to select new pods (and old pods being select by new ReplicaSet).
+#DefaultDeploymentUniqueLabelKey: "pod-template-hash"
+
+// DeploymentStrategy describes how to replace existing pods with new ones.
+#DeploymentStrategy: {
+	// Type of deployment. Can be "Recreate" or "RollingUpdate". Default is RollingUpdate.
+	// +optional
+	type?: #DeploymentStrategyType @go(Type) @protobuf(1,bytes,opt,casttype=DeploymentStrategyType)
+
+	// Rolling update config params. Present only if DeploymentStrategyType =
+	// RollingUpdate.
+	//---
+	// TODO: Update this to follow our convention for oneOf, whatever we decide it
+	// to be.
+	// +optional
+	rollingUpdate?: null | #RollingUpdateDeployment @go(RollingUpdate,*RollingUpdateDeployment) @protobuf(2,bytes,opt)
+}
+
+// +enum
+#DeploymentStrategyType: string // #enumDeploymentStrategyType
+
+#enumDeploymentStrategyType:
+	#RecreateDeploymentStrategyType |
+	#RollingUpdateDeploymentStrategyType
+
+// Kill all existing pods before creating new ones.
+#RecreateDeploymentStrategyType: #DeploymentStrategyType & "Recreate"
+
+// Replace the old ReplicaSets by new one using rolling update i.e gradually scale down the old ReplicaSets and scale up the new one.
+#RollingUpdateDeploymentStrategyType: #DeploymentStrategyType & "RollingUpdate"
+
+// Spec to control the desired behavior of rolling update.
+#RollingUpdateDeployment: {
+	// The maximum number of pods that can be unavailable during the update.
+	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+	// Absolute number is calculated from percentage by rounding down.
+	// This can not be 0 if MaxSurge is 0.
+	// Defaults to 25%.
+	// Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods
+	// immediately when the rolling update starts. Once new pods are ready, old ReplicaSet
+	// can be scaled down further, followed by scaling up the new ReplicaSet, ensuring
+	// that the total number of pods available at all times during the update is at
+	// least 70% of desired pods.
+	// +optional
+	maxUnavailable?: null | intstr.#IntOrString @go(MaxUnavailable,*intstr.IntOrString) @protobuf(1,bytes,opt)
+
+	// The maximum number of pods that can be scheduled above the desired number of
+	// pods.
+	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+	// This can not be 0 if MaxUnavailable is 0.
+	// Absolute number is calculated from percentage by rounding up.
+	// Defaults to 25%.
+	// Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when
+	// the rolling update starts, such that the total number of old and new pods do not exceed
+	// 130% of desired pods. Once old pods have been killed,
+	// new ReplicaSet can be scaled up further, ensuring that total number of pods running
+	// at any time during the update is at most 130% of desired pods.
+	// +optional
+	maxSurge?: null | intstr.#IntOrString @go(MaxSurge,*intstr.IntOrString) @protobuf(2,bytes,opt)
+}
+
+// DeploymentStatus is the most recently observed status of the Deployment.
+#DeploymentStatus: {
+	// The generation observed by the deployment controller.
+	// +optional
+	observedGeneration?: int64 @go(ObservedGeneration) @protobuf(1,varint,opt)
+
+	// Total number of non-terminated pods targeted by this deployment (their labels match the selector).
+	// +optional
+	replicas?: int32 @go(Replicas) @protobuf(2,varint,opt)
+
+	// Total number of non-terminated pods targeted by this deployment that have the desired template spec.
+	// +optional
+	updatedReplicas?: int32 @go(UpdatedReplicas) @protobuf(3,varint,opt)
+
+	// readyReplicas is the number of pods targeted by this Deployment with a Ready Condition.
+	// +optional
+	readyReplicas?: int32 @go(ReadyReplicas) @protobuf(7,varint,opt)
+
+	// Total number of available pods (ready for at least minReadySeconds) targeted by this deployment.
+	// +optional
+	availableReplicas?: int32 @go(AvailableReplicas) @protobuf(4,varint,opt)
+
+	// Total number of unavailable pods targeted by this deployment. This is the total number of
+	// pods that are still required for the deployment to have 100% available capacity. They may
+	// either be pods that are running but not yet available or pods that still have not been created.
+	// +optional
+	unavailableReplicas?: int32 @go(UnavailableReplicas) @protobuf(5,varint,opt)
+
+	// Represents the latest available observations of a deployment's current state.
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	conditions?: [...#DeploymentCondition] @go(Conditions,[]DeploymentCondition) @protobuf(6,bytes,rep)
+
+	// Count of hash collisions for the Deployment. The Deployment controller uses this
+	// field as a collision avoidance mechanism when it needs to create the name for the
+	// newest ReplicaSet.
+	// +optional
+	collisionCount?: null | int32 @go(CollisionCount,*int32) @protobuf(8,varint,opt)
+}
+
+#DeploymentConditionType: string // #enumDeploymentConditionType
+
+#enumDeploymentConditionType:
+	#DeploymentAvailable |
+	#DeploymentProgressing |
+	#DeploymentReplicaFailure
+
+// Available means the deployment is available, ie. at least the minimum available
+// replicas required are up and running for at least minReadySeconds.
+#DeploymentAvailable: #DeploymentConditionType & "Available"
+
+// Progressing means the deployment is progressing. Progress for a deployment is
+// considered when a new replica set is created or adopted, and when new pods scale
+// up or old pods scale down. Progress is not estimated for paused deployments or
+// when progressDeadlineSeconds is not specified.
+#DeploymentProgressing: #DeploymentConditionType & "Progressing"
+
+// ReplicaFailure is added in a deployment when one of its pods fails to be created
+// or deleted.
+#DeploymentReplicaFailure: #DeploymentConditionType & "ReplicaFailure"
+
+// DeploymentCondition describes the state of a deployment at a certain point.
+#DeploymentCondition: {
+	// Type of deployment condition.
+	type: #DeploymentConditionType @go(Type) @protobuf(1,bytes,opt,casttype=DeploymentConditionType)
+
+	// Status of the condition, one of True, False, Unknown.
+	status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus)
+
+	// The last time this condition was updated.
+	lastUpdateTime?: metav1.#Time @go(LastUpdateTime) @protobuf(6,bytes,opt)
+
+	// Last time the condition transitioned from one status to another.
+	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(7,bytes,opt)
+
+	// The reason for the condition's last transition.
+	reason?: string @go(Reason) @protobuf(4,bytes,opt)
+
+	// A human readable message indicating details about the transition.
+	message?: string @go(Message) @protobuf(5,bytes,opt)
+}
+
+// DeploymentList is a list of Deployments.
+#DeploymentList: {
+	metav1.#TypeMeta
+
+	// Standard list metadata.
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// Items is the list of Deployments.
+	items: [...#Deployment] @go(Items,[]Deployment) @protobuf(2,bytes,rep)
+}
+
+// DaemonSetUpdateStrategy is a struct used to control the update strategy for a DaemonSet.
+#DaemonSetUpdateStrategy: {
+	// Type of daemon set update. Can be "RollingUpdate" or "OnDelete". Default is RollingUpdate.
+	// +optional
+	type?: #DaemonSetUpdateStrategyType @go(Type) @protobuf(1,bytes,opt)
+
+	// Rolling update config params. Present only if type = "RollingUpdate".
+	//---
+	// TODO: Update this to follow our convention for oneOf, whatever we decide it
+	// to be. Same as Deployment `strategy.rollingUpdate`.
+	// See https://github.com/kubernetes/kubernetes/issues/35345
+	// +optional
+	rollingUpdate?: null | #RollingUpdateDaemonSet @go(RollingUpdate,*RollingUpdateDaemonSet) @protobuf(2,bytes,opt)
+}
+
+// +enum
+#DaemonSetUpdateStrategyType: string // #enumDaemonSetUpdateStrategyType
+
+#enumDaemonSetUpdateStrategyType:
+	#RollingUpdateDaemonSetStrategyType |
+	#OnDeleteDaemonSetStrategyType
+
+// Replace the old daemons by new ones using rolling update i.e replace them on each node one after the other.
+#RollingUpdateDaemonSetStrategyType: #DaemonSetUpdateStrategyType & "RollingUpdate"
+
+// Replace the old daemons only when it's killed
+#OnDeleteDaemonSetStrategyType: #DaemonSetUpdateStrategyType & "OnDelete"
+
+// Spec to control the desired behavior of daemon set rolling update.
+#RollingUpdateDaemonSet: {
+	// The maximum number of DaemonSet pods that can be unavailable during the
+	// update. Value can be an absolute number (ex: 5) or a percentage of total
+	// number of DaemonSet pods at the start of the update (ex: 10%). Absolute
+	// number is calculated from percentage by rounding up.
+	// This cannot be 0 if MaxSurge is 0
+	// Default value is 1.
+	// Example: when this is set to 30%, at most 30% of the total number of nodes
+	// that should be running the daemon pod (i.e. status.desiredNumberScheduled)
+	// can have their pods stopped for an update at any given time. The update
+	// starts by stopping at most 30% of those DaemonSet pods and then brings
+	// up new DaemonSet pods in their place. Once the new pods are available,
+	// it then proceeds onto other DaemonSet pods, thus ensuring that at least
+	// 70% of original number of DaemonSet pods are available at all times during
+	// the update.
+	// +optional
+	maxUnavailable?: null | intstr.#IntOrString @go(MaxUnavailable,*intstr.IntOrString) @protobuf(1,bytes,opt)
+
+	// The maximum number of nodes with an existing available DaemonSet pod that
+	// can have an updated DaemonSet pod during during an update.
+	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+	// This can not be 0 if MaxUnavailable is 0.
+	// Absolute number is calculated from percentage by rounding up to a minimum of 1.
+	// Default value is 0.
+	// Example: when this is set to 30%, at most 30% of the total number of nodes
+	// that should be running the daemon pod (i.e. status.desiredNumberScheduled)
+	// can have their a new pod created before the old pod is marked as deleted.
+	// The update starts by launching new pods on 30% of nodes. Once an updated
+	// pod is available (Ready for at least minReadySeconds) the old DaemonSet pod
+	// on that node is marked deleted. If the old pod becomes unavailable for any
+	// reason (Ready transitions to false, is evicted, or is drained) an updated
+	// pod is immediatedly created on that node without considering surge limits.
+	// Allowing surge implies the possibility that the resources consumed by the
+	// daemonset on any given node can double if the readiness check fails, and
+	// so resource intensive daemonsets should take into account that they may
+	// cause evictions during disruption.
+	// +optional
+	maxSurge?: null | intstr.#IntOrString @go(MaxSurge,*intstr.IntOrString) @protobuf(2,bytes,opt)
+}
+
+// DaemonSetSpec is the specification of a daemon set.
+#DaemonSetSpec: {
+	// A label query over pods that are managed by the daemon set.
+	// Must match in order to be controlled.
+	// It must match the pod template's labels.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+	selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(1,bytes,opt)
+
+	// An object that describes the pod that will be created.
+	// The DaemonSet will create exactly one copy of this pod on every node
+	// that matches the template's node selector (or on every node if no node
+	// selector is specified).
+	// The only allowed template.spec.restartPolicy value is "Always".
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template
+	template: v1.#PodTemplateSpec @go(Template) @protobuf(2,bytes,opt)
+
+	// An update strategy to replace existing DaemonSet pods with new pods.
+	// +optional
+	updateStrategy?: #DaemonSetUpdateStrategy @go(UpdateStrategy) @protobuf(3,bytes,opt)
+
+	// The minimum number of seconds for which a newly created DaemonSet pod should
+	// be ready without any of its container crashing, for it to be considered
+	// available. Defaults to 0 (pod will be considered available as soon as it
+	// is ready).
+	// +optional
+	minReadySeconds?: int32 @go(MinReadySeconds) @protobuf(4,varint,opt)
+
+	// The number of old history to retain to allow rollback.
+	// This is a pointer to distinguish between explicit zero and not specified.
+	// Defaults to 10.
+	// +optional
+	revisionHistoryLimit?: null | int32 @go(RevisionHistoryLimit,*int32) @protobuf(6,varint,opt)
+}
+
+// DaemonSetStatus represents the current status of a daemon set.
+#DaemonSetStatus: {
+	// The number of nodes that are running at least 1
+	// daemon pod and are supposed to run the daemon pod.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
+	currentNumberScheduled: int32 @go(CurrentNumberScheduled) @protobuf(1,varint,opt)
+
+	// The number of nodes that are running the daemon pod, but are
+	// not supposed to run the daemon pod.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
+	numberMisscheduled: int32 @go(NumberMisscheduled) @protobuf(2,varint,opt)
+
+	// The total number of nodes that should be running the daemon
+	// pod (including nodes correctly running the daemon pod).
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
+	desiredNumberScheduled: int32 @go(DesiredNumberScheduled) @protobuf(3,varint,opt)
+
+	// numberReady is the number of nodes that should be running the daemon pod and have one
+	// or more of the daemon pod running with a Ready Condition.
+	numberReady: int32 @go(NumberReady) @protobuf(4,varint,opt)
+
+	// The most recent generation observed by the daemon set controller.
+	// +optional
+	observedGeneration?: int64 @go(ObservedGeneration) @protobuf(5,varint,opt)
+
+	// The total number of nodes that are running updated daemon pod
+	// +optional
+	updatedNumberScheduled?: int32 @go(UpdatedNumberScheduled) @protobuf(6,varint,opt)
+
+	// The number of nodes that should be running the
+	// daemon pod and have one or more of the daemon pod running and
+	// available (ready for at least spec.minReadySeconds)
+	// +optional
+	numberAvailable?: int32 @go(NumberAvailable) @protobuf(7,varint,opt)
+
+	// The number of nodes that should be running the
+	// daemon pod and have none of the daemon pod running and available
+	// (ready for at least spec.minReadySeconds)
+	// +optional
+	numberUnavailable?: int32 @go(NumberUnavailable) @protobuf(8,varint,opt)
+
+	// Count of hash collisions for the DaemonSet. The DaemonSet controller
+	// uses this field as a collision avoidance mechanism when it needs to
+	// create the name for the newest ControllerRevision.
+	// +optional
+	collisionCount?: null | int32 @go(CollisionCount,*int32) @protobuf(9,varint,opt)
+
+	// Represents the latest available observations of a DaemonSet's current state.
+	// +optional
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	conditions?: [...#DaemonSetCondition] @go(Conditions,[]DaemonSetCondition) @protobuf(10,bytes,rep)
+}
+
+#DaemonSetConditionType: string
+
+// DaemonSetCondition describes the state of a DaemonSet at a certain point.
+#DaemonSetCondition: {
+	// Type of DaemonSet condition.
+	type: #DaemonSetConditionType @go(Type) @protobuf(1,bytes,opt,casttype=DaemonSetConditionType)
+
+	// Status of the condition, one of True, False, Unknown.
+	status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus)
+
+	// Last time the condition transitioned from one status to another.
+	// +optional
+	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt)
+
+	// The reason for the condition's last transition.
+	// +optional
+	reason?: string @go(Reason) @protobuf(4,bytes,opt)
+
+	// A human readable message indicating details about the transition.
+	// +optional
+	message?: string @go(Message) @protobuf(5,bytes,opt)
+}
+
+// DaemonSet represents the configuration of a daemon set.
+#DaemonSet: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// The desired behavior of this daemon set.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	// +optional
+	spec?: #DaemonSetSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// The current status of this daemon set. This data may be
+	// out of date by some window of time.
+	// Populated by the system.
+	// Read-only.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	// +optional
+	status?: #DaemonSetStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// DefaultDaemonSetUniqueLabelKey is the default label key that is added
+// to existing DaemonSet pods to distinguish between old and new
+// DaemonSet pods during DaemonSet template updates.
+#DefaultDaemonSetUniqueLabelKey: "controller-revision-hash"
+
+// DaemonSetList is a collection of daemon sets.
+#DaemonSetList: {
+	metav1.#TypeMeta
+
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// A list of daemon sets.
+	items: [...#DaemonSet] @go(Items,[]DaemonSet) @protobuf(2,bytes,rep)
+}
+
+// ReplicaSet ensures that a specified number of pod replicas are running at any given time.
+#ReplicaSet: {
+	metav1.#TypeMeta
+
+	// If the Labels of a ReplicaSet are empty, they are defaulted to
+	// be the same as the Pod(s) that the ReplicaSet manages.
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Spec defines the specification of the desired behavior of the ReplicaSet.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	// +optional
+	spec?: #ReplicaSetSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// Status is the most recently observed status of the ReplicaSet.
+	// This data may be out of date by some window of time.
+	// Populated by the system.
+	// Read-only.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	// +optional
+	status?: #ReplicaSetStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// ReplicaSetList is a collection of ReplicaSets.
+#ReplicaSetList: {
+	metav1.#TypeMeta
+
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// List of ReplicaSets.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller
+	items: [...#ReplicaSet] @go(Items,[]ReplicaSet) @protobuf(2,bytes,rep)
+}
+
+// ReplicaSetSpec is the specification of a ReplicaSet.
+#ReplicaSetSpec: {
+	// Replicas is the number of desired replicas.
+	// This is a pointer to distinguish between explicit zero and unspecified.
+	// Defaults to 1.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/#what-is-a-replicationcontroller
+	// +optional
+	replicas?: null | int32 @go(Replicas,*int32) @protobuf(1,varint,opt)
+
+	// Minimum number of seconds for which a newly created pod should be ready
+	// without any of its container crashing, for it to be considered available.
+	// Defaults to 0 (pod will be considered available as soon as it is ready)
+	// +optional
+	minReadySeconds?: int32 @go(MinReadySeconds) @protobuf(4,varint,opt)
+
+	// Selector is a label query over pods that should match the replica count.
+	// Label keys and values that must match in order to be controlled by this replica set.
+	// It must match the pod template's labels.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+	selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(2,bytes,opt)
+
+	// Template is the object that describes the pod that will be created if
+	// insufficient replicas are detected.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template
+	// +optional
+	template?: v1.#PodTemplateSpec @go(Template) @protobuf(3,bytes,opt)
+}
+
+// ReplicaSetStatus represents the current status of a ReplicaSet.
+#ReplicaSetStatus: {
+	// Replicas is the most recently observed number of replicas.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/#what-is-a-replicationcontroller
+	replicas: int32 @go(Replicas) @protobuf(1,varint,opt)
+
+	// The number of pods that have labels matching the labels of the pod template of the replicaset.
+	// +optional
+	fullyLabeledReplicas?: int32 @go(FullyLabeledReplicas) @protobuf(2,varint,opt)
+
+	// readyReplicas is the number of pods targeted by this ReplicaSet with a Ready Condition.
+	// +optional
+	readyReplicas?: int32 @go(ReadyReplicas) @protobuf(4,varint,opt)
+
+	// The number of available replicas (ready for at least minReadySeconds) for this replica set.
+	// +optional
+	availableReplicas?: int32 @go(AvailableReplicas) @protobuf(5,varint,opt)
+
+	// ObservedGeneration reflects the generation of the most recently observed ReplicaSet.
+	// +optional
+	observedGeneration?: int64 @go(ObservedGeneration) @protobuf(3,varint,opt)
+
+	// Represents the latest available observations of a replica set's current state.
+	// +optional
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	conditions?: [...#ReplicaSetCondition] @go(Conditions,[]ReplicaSetCondition) @protobuf(6,bytes,rep)
+}
+
+#ReplicaSetConditionType: string // #enumReplicaSetConditionType
+
+#enumReplicaSetConditionType:
+	#ReplicaSetReplicaFailure
+
+// ReplicaSetReplicaFailure is added in a replica set when one of its pods fails to be created
+// due to insufficient quota, limit ranges, pod security policy, node selectors, etc. or deleted
+// due to kubelet being down or finalizers are failing.
+#ReplicaSetReplicaFailure: #ReplicaSetConditionType & "ReplicaFailure"
+
+// ReplicaSetCondition describes the state of a replica set at a certain point.
+#ReplicaSetCondition: {
+	// Type of replica set condition.
+	type: #ReplicaSetConditionType @go(Type) @protobuf(1,bytes,opt,casttype=ReplicaSetConditionType)
+
+	// Status of the condition, one of True, False, Unknown.
+	status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus)
+
+	// The last time the condition transitioned from one status to another.
+	// +optional
+	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt)
+
+	// The reason for the condition's last transition.
+	// +optional
+	reason?: string @go(Reason) @protobuf(4,bytes,opt)
+
+	// A human readable message indicating details about the transition.
+	// +optional
+	message?: string @go(Message) @protobuf(5,bytes,opt)
+}
+
+// ControllerRevision implements an immutable snapshot of state data. Clients
+// are responsible for serializing and deserializing the objects that contain
+// their internal state.
+// Once a ControllerRevision has been successfully created, it can not be updated.
+// The API Server will fail validation of all requests that attempt to mutate
+// the Data field. ControllerRevisions may, however, be deleted. Note that, due to its use by both
+// the DaemonSet and StatefulSet controllers for update and rollback, this object is beta. However,
+// it may be subject to name and representation changes in future releases, and clients should not
+// depend on its stability. It is primarily for internal use by controllers.
+#ControllerRevision: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Data is the serialized representation of the state.
+	data?: runtime.#RawExtension @go(Data) @protobuf(2,bytes,opt)
+
+	// Revision indicates the revision of the state represented by Data.
+	revision: int64 @go(Revision) @protobuf(3,varint,opt)
+}
+
+// ControllerRevisionList is a resource containing a list of ControllerRevision objects.
+#ControllerRevisionList: {
+	metav1.#TypeMeta
+
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// Items is the list of ControllerRevisions
+	items: [...#ControllerRevision] @go(Items,[]ControllerRevision) @protobuf(2,bytes,rep)
+}

docs/examples/cue.mod/gen/k8s.io/api/core/v1/annotation_key_constants_go_gen.cue

@@ -0,0 +1,147 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/core/v1
+
+package v1
+
+// ImagePolicyFailedOpenKey is added to pods created by failing open when the image policy
+// webhook backend fails.
+#ImagePolicyFailedOpenKey: "alpha.image-policy.k8s.io/failed-open"
+
+// MirrorAnnotationKey represents the annotation key set by kubelets when creating mirror pods
+#MirrorPodAnnotationKey: "kubernetes.io/config.mirror"
+
+// TolerationsAnnotationKey represents the key of tolerations data (json serialized)
+// in the Annotations of a Pod.
+#TolerationsAnnotationKey: "scheduler.alpha.kubernetes.io/tolerations"
+
+// TaintsAnnotationKey represents the key of taints data (json serialized)
+// in the Annotations of a Node.
+#TaintsAnnotationKey: "scheduler.alpha.kubernetes.io/taints"
+
+// SeccompPodAnnotationKey represents the key of a seccomp profile applied
+// to all containers of a pod.
+// Deprecated: set a pod security context `seccompProfile` field.
+#SeccompPodAnnotationKey: "seccomp.security.alpha.kubernetes.io/pod"
+
+// SeccompContainerAnnotationKeyPrefix represents the key of a seccomp profile applied
+// to one container of a pod.
+// Deprecated: set a container security context `seccompProfile` field.
+#SeccompContainerAnnotationKeyPrefix: "container.seccomp.security.alpha.kubernetes.io/"
+
+// SeccompProfileRuntimeDefault represents the default seccomp profile used by container runtime.
+// Deprecated: set a pod or container security context `seccompProfile` of type "RuntimeDefault" instead.
+#SeccompProfileRuntimeDefault: "runtime/default"
+
+// SeccompProfileNameUnconfined is the unconfined seccomp profile.
+#SeccompProfileNameUnconfined: "unconfined"
+
+// SeccompLocalhostProfileNamePrefix is the prefix for specifying profiles loaded from the node's disk.
+#SeccompLocalhostProfileNamePrefix: "localhost/"
+
+// AppArmorBetaContainerAnnotationKeyPrefix is the prefix to an annotation key specifying a container's apparmor profile.
+#AppArmorBetaContainerAnnotationKeyPrefix: "container.apparmor.security.beta.kubernetes.io/"
+
+// AppArmorBetaDefaultProfileAnnotationKey is the annotation key specifying the default AppArmor profile.
+#AppArmorBetaDefaultProfileAnnotationKey: "apparmor.security.beta.kubernetes.io/defaultProfileName"
+
+// AppArmorBetaAllowedProfilesAnnotationKey is the annotation key specifying the allowed AppArmor profiles.
+#AppArmorBetaAllowedProfilesAnnotationKey: "apparmor.security.beta.kubernetes.io/allowedProfileNames"
+
+// AppArmorBetaProfileRuntimeDefault is the profile specifying the runtime default.
+#AppArmorBetaProfileRuntimeDefault: "runtime/default"
+
+// AppArmorBetaProfileNamePrefix is the prefix for specifying profiles loaded on the node.
+#AppArmorBetaProfileNamePrefix: "localhost/"
+
+// AppArmorBetaProfileNameUnconfined is the Unconfined AppArmor profile
+#AppArmorBetaProfileNameUnconfined: "unconfined"
+
+// DeprecatedSeccompProfileDockerDefault represents the default seccomp profile used by docker.
+// Deprecated: set a pod or container security context `seccompProfile` of type "RuntimeDefault" instead.
+#DeprecatedSeccompProfileDockerDefault: "docker/default"
+
+// PreferAvoidPodsAnnotationKey represents the key of preferAvoidPods data (json serialized)
+// in the Annotations of a Node.
+#PreferAvoidPodsAnnotationKey: "scheduler.alpha.kubernetes.io/preferAvoidPods"
+
+// ObjectTTLAnnotationKey represents a suggestion for kubelet for how long it can cache
+// an object (e.g. secret, config map) before fetching it again from apiserver.
+// This annotation can be attached to node.
+#ObjectTTLAnnotationKey: "node.alpha.kubernetes.io/ttl"
+
+// annotation key prefix used to identify non-convertible json paths.
+#NonConvertibleAnnotationPrefix: "non-convertible.kubernetes.io"
+_#kubectlPrefix:                 "kubectl.kubernetes.io/"
+
+// LastAppliedConfigAnnotation is the annotation used to store the previous
+// configuration of a resource for use in a three way diff by UpdateApplyAnnotation.
+#LastAppliedConfigAnnotation: "kubectl.kubernetes.io/last-applied-configuration"
+
+// AnnotationLoadBalancerSourceRangesKey is the key of the annotation on a service to set allowed ingress ranges on their LoadBalancers
+//
+// It should be a comma-separated list of CIDRs, e.g. `0.0.0.0/0` to
+// allow full access (the default) or `18.0.0.0/8,56.0.0.0/8` to allow
+// access only from the CIDRs currently allocated to MIT & the USPS.
+//
+// Not all cloud providers support this annotation, though AWS & GCE do.
+#AnnotationLoadBalancerSourceRangesKey: "service.beta.kubernetes.io/load-balancer-source-ranges"
+
+// EndpointsLastChangeTriggerTime is the annotation key, set for endpoints objects, that
+// represents the timestamp (stored as RFC 3339 date-time string, e.g. '2018-10-22T19:32:52.1Z')
+// of the last change, of some Pod or Service object, that triggered the endpoints object change.
+// In other words, if a Pod / Service changed at time T0, that change was observed by endpoints
+// controller at T1, and the Endpoints object was changed at T2, the
+// EndpointsLastChangeTriggerTime would be set to T0.
+//
+// The "endpoints change trigger" here means any Pod or Service change that resulted in the
+// Endpoints object change.
+//
+// Given the definition of the "endpoints change trigger", please note that this annotation will
+// be set ONLY for endpoints object changes triggered by either Pod or Service change. If the
+// Endpoints object changes due to other reasons, this annotation won't be set (or updated if it's
+// already set).
+//
+// This annotation will be used to compute the in-cluster network programming latency SLI, see
+// https://github.com/kubernetes/community/blob/master/sig-scalability/slos/network_programming_latency.md
+#EndpointsLastChangeTriggerTime: "endpoints.kubernetes.io/last-change-trigger-time"
+
+// EndpointsOverCapacity will be set on an Endpoints resource when it
+// exceeds the maximum capacity of 1000 addresses. Initially the Endpoints
+// controller will set this annotation with a value of "warning". In a
+// future release, the controller may set this annotation with a value of
+// "truncated" to indicate that any addresses exceeding the limit of 1000
+// have been truncated from the Endpoints resource.
+#EndpointsOverCapacity: "endpoints.kubernetes.io/over-capacity"
+
+// MigratedPluginsAnnotationKey is the annotation key, set for CSINode objects, that is a comma-separated
+// list of in-tree plugins that will be serviced by the CSI backend on the Node represented by CSINode.
+// This annotation is used by the Attach Detach Controller to determine whether to use the in-tree or
+// CSI Backend for a volume plugin on a specific node.
+#MigratedPluginsAnnotationKey: "storage.alpha.kubernetes.io/migrated-plugins"
+
+// PodDeletionCost can be used to set to an int32 that represent the cost of deleting
+// a pod compared to other pods belonging to the same ReplicaSet. Pods with lower
+// deletion cost are preferred to be deleted before pods with higher deletion cost.
+// Note that this is honored on a best-effort basis, and so it does not offer guarantees on
+// pod deletion order.
+// The implicit deletion cost for pods that don't set the annotation is 0, negative values are permitted.
+//
+// This annotation is beta-level and is only honored when PodDeletionCost feature is enabled.
+#PodDeletionCost: "controller.kubernetes.io/pod-deletion-cost"
+
+// DeprecatedAnnotationTopologyAwareHints can be used to enable or disable
+// Topology Aware Hints for a Service. This may be set to "Auto" or
+// "Disabled". Any other value is treated as "Disabled". This annotation has
+// been deprecated in favor of the "service.kubernetes.io/topology-mode"
+// annotation.
+#DeprecatedAnnotationTopologyAwareHints: "service.kubernetes.io/topology-aware-hints"
+
+// AnnotationTopologyMode can be used to enable or disable Topology Aware
+// Routing for a Service. Well known values are "Auto" and "Disabled".
+// Implementations may choose to develop new topology approaches, exposing
+// them with domain-prefixed values. For example, "example.com/lowest-rtt"
+// could be a valid implementation-specific value for this annotation. These
+// heuristics will often populate topology hints on EndpointSlices, but that
+// is not a requirement.
+#AnnotationTopologyMode: "service.kubernetes.io/topology-mode"

docs/examples/cue.mod/gen/k8s.io/api/core/v1/doc_go_gen.cue

@@ -0,0 +1,6 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/core/v1
+
+// Package v1 is the v1 version of the core API.
+package v1

docs/examples/cue.mod/gen/k8s.io/api/core/v1/register_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/core/v1
+
+package v1
+
+#GroupName: ""

docs/examples/cue.mod/gen/k8s.io/api/core/v1/well_known_labels_go_gen.cue

@@ -0,0 +1,59 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/core/v1
+
+package v1
+
+#LabelHostname: "kubernetes.io/hostname"
+
+// Label value is the network location of kube-apiserver stored as <ip:port>
+// Stored in APIServer Identity lease objects to view what address is used for peer proxy
+#AnnotationPeerAdvertiseAddress: "kubernetes.io/peer-advertise-address"
+#LabelTopologyZone:              "topology.kubernetes.io/zone"
+#LabelTopologyRegion:            "topology.kubernetes.io/region"
+
+// These label have been deprecated since 1.17, but will be supported for
+// the foreseeable future, to accommodate things like long-lived PVs that
+// use them.  New users should prefer the "topology.kubernetes.io/*"
+// equivalents.
+#LabelFailureDomainBetaZone:   "failure-domain.beta.kubernetes.io/zone"
+#LabelFailureDomainBetaRegion: "failure-domain.beta.kubernetes.io/region"
+
+// Retained for compat when vendored.  Do not use these consts in new code.
+#LabelZoneFailureDomain:       "failure-domain.beta.kubernetes.io/zone"
+#LabelZoneRegion:              "failure-domain.beta.kubernetes.io/region"
+#LabelZoneFailureDomainStable: "topology.kubernetes.io/zone"
+#LabelZoneRegionStable:        "topology.kubernetes.io/region"
+#LabelInstanceType:            "beta.kubernetes.io/instance-type"
+#LabelInstanceTypeStable:      "node.kubernetes.io/instance-type"
+#LabelOSStable:                "kubernetes.io/os"
+#LabelArchStable:              "kubernetes.io/arch"
+
+// LabelWindowsBuild is used on Windows nodes to specify the Windows build number starting with v1.17.0.
+// It's in the format MajorVersion.MinorVersion.BuildNumber (for ex: 10.0.17763)
+#LabelWindowsBuild: "node.kubernetes.io/windows-build"
+
+// LabelNamespaceSuffixKubelet is an allowed label namespace suffix kubelets can self-set ([*.]kubelet.kubernetes.io/*)
+#LabelNamespaceSuffixKubelet: "kubelet.kubernetes.io"
+
+// LabelNamespaceSuffixNode is an allowed label namespace suffix kubelets can self-set ([*.]node.kubernetes.io/*)
+#LabelNamespaceSuffixNode: "node.kubernetes.io"
+
+// LabelNamespaceNodeRestriction is a forbidden label namespace that kubelets may not self-set when the NodeRestriction admission plugin is enabled
+#LabelNamespaceNodeRestriction: "node-restriction.kubernetes.io"
+
+// IsHeadlessService is added by Controller to an Endpoint denoting if its parent
+// Service is Headless. The existence of this label can be used further by other
+// controllers and kube-proxy to check if the Endpoint objects should be replicated when
+// using Headless Services
+#IsHeadlessService: "service.kubernetes.io/headless"
+
+// LabelNodeExcludeBalancers specifies that the node should not be considered as a target
+// for external load-balancers which use nodes as a second hop (e.g. many cloud LBs which only
+// understand nodes). For services that use externalTrafficPolicy=Local, this may mean that
+// any backends on excluded nodes are not reachable by those external load-balancers.
+// Implementations of this exclusion may vary based on provider.
+#LabelNodeExcludeBalancers: "node.kubernetes.io/exclude-from-external-load-balancers"
+
+// LabelMetadataName is the label name which, in-tree, is used to automatically label namespaces, so they can be selected easily by tools which require definitive labels
+#LabelMetadataName: "kubernetes.io/metadata.name"

docs/examples/cue.mod/gen/k8s.io/api/core/v1/well_known_taints_go_gen.cue

@@ -0,0 +1,38 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/core/v1
+
+package v1
+
+// TaintNodeNotReady will be added when node is not ready
+// and removed when node becomes ready.
+#TaintNodeNotReady: "node.kubernetes.io/not-ready"
+
+// TaintNodeUnreachable will be added when node becomes unreachable
+// (corresponding to NodeReady status ConditionUnknown)
+// and removed when node becomes reachable (NodeReady status ConditionTrue).
+#TaintNodeUnreachable: "node.kubernetes.io/unreachable"
+
+// TaintNodeUnschedulable will be added when node becomes unschedulable
+// and removed when node becomes schedulable.
+#TaintNodeUnschedulable: "node.kubernetes.io/unschedulable"
+
+// TaintNodeMemoryPressure will be added when node has memory pressure
+// and removed when node has enough memory.
+#TaintNodeMemoryPressure: "node.kubernetes.io/memory-pressure"
+
+// TaintNodeDiskPressure will be added when node has disk pressure
+// and removed when node has enough disk.
+#TaintNodeDiskPressure: "node.kubernetes.io/disk-pressure"
+
+// TaintNodeNetworkUnavailable will be added when node's network is unavailable
+// and removed when network becomes ready.
+#TaintNodeNetworkUnavailable: "node.kubernetes.io/network-unavailable"
+
+// TaintNodePIDPressure will be added when node has pid pressure
+// and removed when node has enough pid.
+#TaintNodePIDPressure: "node.kubernetes.io/pid-pressure"
+
+// TaintNodeOutOfService can be added when node is out of service in case of
+// a non-graceful shutdown
+#TaintNodeOutOfService: "node.kubernetes.io/out-of-service"

docs/examples/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/doc_go_gen.cue

@@ -0,0 +1,6 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1
+
+// Package v1 is the v1 version of the API.
+package v1

docs/examples/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/register_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1
+
+package v1
+
+#GroupName: "apiextensions.k8s.io"

docs/examples/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/types_go_gen.cue

@@ -0,0 +1,513 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// ConversionStrategyType describes different conversion types.
+#ConversionStrategyType: string // #enumConversionStrategyType
+
+#enumConversionStrategyType:
+	#NoneConverter |
+	#WebhookConverter
+
+// KubeAPIApprovedAnnotation is an annotation that must be set to create a CRD for the k8s.io, *.k8s.io, kubernetes.io, or *.kubernetes.io namespaces.
+// The value should be a link to a URL where the current spec was approved, so updates to the spec should also update the URL.
+// If the API is unapproved, you may set the annotation to a string starting with `"unapproved"`.  For instance, `"unapproved, temporarily squatting"` or `"unapproved, experimental-only"`.  This is discouraged.
+#KubeAPIApprovedAnnotation: "api-approved.kubernetes.io"
+
+// NoneConverter is a converter that only sets apiversion of the CR and leave everything else unchanged.
+#NoneConverter: #ConversionStrategyType & "None"
+
+// WebhookConverter is a converter that calls to an external webhook to convert the CR.
+#WebhookConverter: #ConversionStrategyType & "Webhook"
+
+// CustomResourceDefinitionSpec describes how a user wants their resource to appear
+#CustomResourceDefinitionSpec: {
+	// group is the API group of the defined custom resource.
+	// The custom resources are served under `/apis/<group>/...`.
+	// Must match the name of the CustomResourceDefinition (in the form `<names.plural>.<group>`).
+	group: string @go(Group) @protobuf(1,bytes,opt)
+
+	// names specify the resource and kind names for the custom resource.
+	names: #CustomResourceDefinitionNames @go(Names) @protobuf(3,bytes,opt)
+
+	// scope indicates whether the defined custom resource is cluster- or namespace-scoped.
+	// Allowed values are `Cluster` and `Namespaced`.
+	scope: #ResourceScope @go(Scope) @protobuf(4,bytes,opt,casttype=ResourceScope)
+
+	// versions is the list of all API versions of the defined custom resource.
+	// Version names are used to compute the order in which served versions are listed in API discovery.
+	// If the version string is "kube-like", it will sort above non "kube-like" version strings, which are ordered
+	// lexicographically. "Kube-like" versions start with a "v", then are followed by a number (the major version),
+	// then optionally the string "alpha" or "beta" and another number (the minor version). These are sorted first
+	// by GA > beta > alpha (where GA is a version with no suffix such as beta or alpha), and then by comparing
+	// major version, then minor version. An example sorted list of versions:
+	// v10, v2, v1, v11beta2, v10beta3, v3beta1, v12alpha1, v11alpha2, foo1, foo10.
+	versions: [...#CustomResourceDefinitionVersion] @go(Versions,[]CustomResourceDefinitionVersion) @protobuf(7,bytes,rep)
+
+	// conversion defines conversion settings for the CRD.
+	// +optional
+	conversion?: null | #CustomResourceConversion @go(Conversion,*CustomResourceConversion) @protobuf(9,bytes,opt)
+
+	// preserveUnknownFields indicates that object fields which are not specified
+	// in the OpenAPI schema should be preserved when persisting to storage.
+	// apiVersion, kind, metadata and known fields inside metadata are always preserved.
+	// This field is deprecated in favor of setting `x-preserve-unknown-fields` to true in `spec.versions[*].schema.openAPIV3Schema`.
+	// See https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#field-pruning for details.
+	// +optional
+	preserveUnknownFields?: bool @go(PreserveUnknownFields) @protobuf(10,varint,opt)
+}
+
+// CustomResourceConversion describes how to convert different versions of a CR.
+#CustomResourceConversion: {
+	// strategy specifies how custom resources are converted between versions. Allowed values are:
+	// - `"None"`: The converter only change the apiVersion and would not touch any other field in the custom resource.
+	// - `"Webhook"`: API Server will call to an external webhook to do the conversion. Additional information
+	//   is needed for this option. This requires spec.preserveUnknownFields to be false, and spec.conversion.webhook to be set.
+	strategy: #ConversionStrategyType @go(Strategy) @protobuf(1,bytes)
+
+	// webhook describes how to call the conversion webhook. Required when `strategy` is set to `"Webhook"`.
+	// +optional
+	webhook?: null | #WebhookConversion @go(Webhook,*WebhookConversion) @protobuf(2,bytes,opt)
+}
+
+// WebhookConversion describes how to call a conversion webhook
+#WebhookConversion: {
+	// clientConfig is the instructions for how to call the webhook if strategy is `Webhook`.
+	// +optional
+	clientConfig?: null | #WebhookClientConfig @go(ClientConfig,*WebhookClientConfig) @protobuf(2,bytes)
+
+	// conversionReviewVersions is an ordered list of preferred `ConversionReview`
+	// versions the Webhook expects. The API server will use the first version in
+	// the list which it supports. If none of the versions specified in this list
+	// are supported by API server, conversion will fail for the custom resource.
+	// If a persisted Webhook configuration specifies allowed versions and does not
+	// include any versions known to the API Server, calls to the webhook will fail.
+	conversionReviewVersions: [...string] @go(ConversionReviewVersions,[]string) @protobuf(3,bytes,rep)
+}
+
+// WebhookClientConfig contains the information to make a TLS connection with the webhook.
+#WebhookClientConfig: {
+	// url gives the location of the webhook, in standard URL form
+	// (`scheme://host:port/path`). Exactly one of `url` or `service`
+	// must be specified.
+	//
+	// The `host` should not refer to a service running in the cluster; use
+	// the `service` field instead. The host might be resolved via external
+	// DNS in some apiservers (e.g., `kube-apiserver` cannot resolve
+	// in-cluster DNS as that would be a layering violation). `host` may
+	// also be an IP address.
+	//
+	// Please note that using `localhost` or `127.0.0.1` as a `host` is
+	// risky unless you take great care to run this webhook on all hosts
+	// which run an apiserver which might need to make calls to this
+	// webhook. Such installs are likely to be non-portable, i.e., not easy
+	// to turn up in a new cluster.
+	//
+	// The scheme must be "https"; the URL must begin with "https://".
+	//
+	// A path is optional, and if present may be any string permissible in
+	// a URL. You may use the path to pass an arbitrary string to the
+	// webhook, for example, a cluster identifier.
+	//
+	// Attempting to use a user or basic auth e.g. "user:password@" is not
+	// allowed. Fragments ("#...") and query parameters ("?...") are not
+	// allowed, either.
+	//
+	// +optional
+	url?: null | string @go(URL,*string) @protobuf(3,bytes,opt)
+
+	// service is a reference to the service for this webhook. Either
+	// service or url must be specified.
+	//
+	// If the webhook is running within the cluster, then you should use `service`.
+	//
+	// +optional
+	service?: null | #ServiceReference @go(Service,*ServiceReference) @protobuf(1,bytes,opt)
+
+	// caBundle is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
+	// If unspecified, system trust roots on the apiserver are used.
+	// +optional
+	caBundle?: bytes @go(CABundle,[]byte) @protobuf(2,bytes,opt)
+}
+
+// ServiceReference holds a reference to Service.legacy.k8s.io
+#ServiceReference: {
+	// namespace is the namespace of the service.
+	// Required
+	namespace: string @go(Namespace) @protobuf(1,bytes,opt)
+
+	// name is the name of the service.
+	// Required
+	name: string @go(Name) @protobuf(2,bytes,opt)
+
+	// path is an optional URL path at which the webhook will be contacted.
+	// +optional
+	path?: null | string @go(Path,*string) @protobuf(3,bytes,opt)
+
+	// port is an optional service port at which the webhook will be contacted.
+	// `port` should be a valid port number (1-65535, inclusive).
+	// Defaults to 443 for backward compatibility.
+	// +optional
+	port?: null | int32 @go(Port,*int32) @protobuf(4,varint,opt)
+}
+
+// CustomResourceDefinitionVersion describes a version for CRD.
+#CustomResourceDefinitionVersion: {
+	// name is the version name, e.g. “v1”, “v2beta1”, etc.
+	// The custom resources are served under this version at `/apis/<group>/<version>/...` if `served` is true.
+	name: string @go(Name) @protobuf(1,bytes,opt)
+
+	// served is a flag enabling/disabling this version from being served via REST APIs
+	served: bool @go(Served) @protobuf(2,varint,opt)
+
+	// storage indicates this version should be used when persisting custom resources to storage.
+	// There must be exactly one version with storage=true.
+	storage: bool @go(Storage) @protobuf(3,varint,opt)
+
+	// deprecated indicates this version of the custom resource API is deprecated.
+	// When set to true, API requests to this version receive a warning header in the server response.
+	// Defaults to false.
+	// +optional
+	deprecated?: bool @go(Deprecated) @protobuf(7,varint,opt)
+
+	// deprecationWarning overrides the default warning returned to API clients.
+	// May only be set when `deprecated` is true.
+	// The default warning indicates this version is deprecated and recommends use
+	// of the newest served version of equal or greater stability, if one exists.
+	// +optional
+	deprecationWarning?: null | string @go(DeprecationWarning,*string) @protobuf(8,bytes,opt)
+
+	// schema describes the schema used for validation, pruning, and defaulting of this version of the custom resource.
+	// +optional
+	schema?: null | #CustomResourceValidation @go(Schema,*CustomResourceValidation) @protobuf(4,bytes,opt)
+
+	// subresources specify what subresources this version of the defined custom resource have.
+	// +optional
+	subresources?: null | #CustomResourceSubresources @go(Subresources,*CustomResourceSubresources) @protobuf(5,bytes,opt)
+
+	// additionalPrinterColumns specifies additional columns returned in Table output.
+	// See https://kubernetes.io/docs/reference/using-api/api-concepts/#receiving-resources-as-tables for details.
+	// If no columns are specified, a single column displaying the age of the custom resource is used.
+	// +optional
+	additionalPrinterColumns?: [...#CustomResourceColumnDefinition] @go(AdditionalPrinterColumns,[]CustomResourceColumnDefinition) @protobuf(6,bytes,rep)
+}
+
+// CustomResourceColumnDefinition specifies a column for server side printing.
+#CustomResourceColumnDefinition: {
+	// name is a human readable name for the column.
+	name: string @go(Name) @protobuf(1,bytes,opt)
+
+	// type is an OpenAPI type definition for this column.
+	// See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for details.
+	type: string @go(Type) @protobuf(2,bytes,opt)
+
+	// format is an optional OpenAPI type definition for this column. The 'name' format is applied
+	// to the primary identifier column to assist in clients identifying column is the resource name.
+	// See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for details.
+	// +optional
+	format?: string @go(Format) @protobuf(3,bytes,opt)
+
+	// description is a human readable description of this column.
+	// +optional
+	description?: string @go(Description) @protobuf(4,bytes,opt)
+
+	// priority is an integer defining the relative importance of this column compared to others. Lower
+	// numbers are considered higher priority. Columns that may be omitted in limited space scenarios
+	// should be given a priority greater than 0.
+	// +optional
+	priority?: int32 @go(Priority) @protobuf(5,bytes,opt)
+
+	// jsonPath is a simple JSON path (i.e. with array notation) which is evaluated against
+	// each custom resource to produce the value for this column.
+	jsonPath: string @go(JSONPath) @protobuf(6,bytes,opt)
+}
+
+// CustomResourceDefinitionNames indicates the names to serve this CustomResourceDefinition
+#CustomResourceDefinitionNames: {
+	// plural is the plural name of the resource to serve.
+	// The custom resources are served under `/apis/<group>/<version>/.../<plural>`.
+	// Must match the name of the CustomResourceDefinition (in the form `<names.plural>.<group>`).
+	// Must be all lowercase.
+	plural: string @go(Plural) @protobuf(1,bytes,opt)
+
+	// singular is the singular name of the resource. It must be all lowercase. Defaults to lowercased `kind`.
+	// +optional
+	singular?: string @go(Singular) @protobuf(2,bytes,opt)
+
+	// shortNames are short names for the resource, exposed in API discovery documents,
+	// and used by clients to support invocations like `kubectl get <shortname>`.
+	// It must be all lowercase.
+	// +optional
+	shortNames?: [...string] @go(ShortNames,[]string) @protobuf(3,bytes,opt)
+
+	// kind is the serialized kind of the resource. It is normally CamelCase and singular.
+	// Custom resource instances will use this value as the `kind` attribute in API calls.
+	kind: string @go(Kind) @protobuf(4,bytes,opt)
+
+	// listKind is the serialized kind of the list for this resource. Defaults to "`kind`List".
+	// +optional
+	listKind?: string @go(ListKind) @protobuf(5,bytes,opt)
+
+	// categories is a list of grouped resources this custom resource belongs to (e.g. 'all').
+	// This is published in API discovery documents, and used by clients to support invocations like
+	// `kubectl get all`.
+	// +optional
+	categories?: [...string] @go(Categories,[]string) @protobuf(6,bytes,rep)
+}
+
+// ResourceScope is an enum defining the different scopes available to a custom resource
+#ResourceScope: string // #enumResourceScope
+
+#enumResourceScope:
+	#ClusterScoped |
+	#NamespaceScoped
+
+#ClusterScoped:   #ResourceScope & "Cluster"
+#NamespaceScoped: #ResourceScope & "Namespaced"
+
+#ConditionStatus: string // #enumConditionStatus
+
+#enumConditionStatus:
+	#ConditionTrue |
+	#ConditionFalse |
+	#ConditionUnknown
+
+#ConditionTrue:    #ConditionStatus & "True"
+#ConditionFalse:   #ConditionStatus & "False"
+#ConditionUnknown: #ConditionStatus & "Unknown"
+
+// CustomResourceDefinitionConditionType is a valid value for CustomResourceDefinitionCondition.Type
+#CustomResourceDefinitionConditionType: string // #enumCustomResourceDefinitionConditionType
+
+#enumCustomResourceDefinitionConditionType:
+	#Established |
+	#NamesAccepted |
+	#NonStructuralSchema |
+	#Terminating |
+	#KubernetesAPIApprovalPolicyConformant
+
+// Established means that the resource has become active. A resource is established when all names are
+// accepted without a conflict for the first time. A resource stays established until deleted, even during
+// a later NamesAccepted due to changed names. Note that not all names can be changed.
+#Established: #CustomResourceDefinitionConditionType & "Established"
+
+// NamesAccepted means the names chosen for this CustomResourceDefinition do not conflict with others in
+// the group and are therefore accepted.
+#NamesAccepted: #CustomResourceDefinitionConditionType & "NamesAccepted"
+
+// NonStructuralSchema means that one or more OpenAPI schema is not structural.
+//
+// A schema is structural if it specifies types for all values, with the only exceptions of those with
+// - x-kubernetes-int-or-string: true — for fields which can be integer or string
+// - x-kubernetes-preserve-unknown-fields: true — for raw, unspecified JSON values
+// and there is no type, additionalProperties, default, nullable or x-kubernetes-* vendor extenions
+// specified under allOf, anyOf, oneOf or not.
+//
+// Non-structural schemas will not be allowed anymore in v1 API groups. Moreover, new features will not be
+// available for non-structural CRDs:
+// - pruning
+// - defaulting
+// - read-only
+// - OpenAPI publishing
+// - webhook conversion
+#NonStructuralSchema: #CustomResourceDefinitionConditionType & "NonStructuralSchema"
+
+// Terminating means that the CustomResourceDefinition has been deleted and is cleaning up.
+#Terminating: #CustomResourceDefinitionConditionType & "Terminating"
+
+// KubernetesAPIApprovalPolicyConformant indicates that an API in *.k8s.io or *.kubernetes.io is or is not approved.  For CRDs
+// outside those groups, this condition will not be set.  For CRDs inside those groups, the condition will
+// be true if .metadata.annotations["api-approved.kubernetes.io"] is set to a URL, otherwise it will be false.
+// See https://github.com/kubernetes/enhancements/pull/1111 for more details.
+#KubernetesAPIApprovalPolicyConformant: #CustomResourceDefinitionConditionType & "KubernetesAPIApprovalPolicyConformant"
+
+// CustomResourceDefinitionCondition contains details for the current condition of this pod.
+#CustomResourceDefinitionCondition: {
+	// type is the type of the condition. Types include Established, NamesAccepted and Terminating.
+	type: #CustomResourceDefinitionConditionType @go(Type) @protobuf(1,bytes,opt,casttype=CustomResourceDefinitionConditionType)
+
+	// status is the status of the condition.
+	// Can be True, False, Unknown.
+	status: #ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=ConditionStatus)
+
+	// lastTransitionTime last time the condition transitioned from one status to another.
+	// +optional
+	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt)
+
+	// reason is a unique, one-word, CamelCase reason for the condition's last transition.
+	// +optional
+	reason?: string @go(Reason) @protobuf(4,bytes,opt)
+
+	// message is a human-readable message indicating details about last transition.
+	// +optional
+	message?: string @go(Message) @protobuf(5,bytes,opt)
+}
+
+// CustomResourceDefinitionStatus indicates the state of the CustomResourceDefinition
+#CustomResourceDefinitionStatus: {
+	// conditions indicate state for particular aspects of a CustomResourceDefinition
+	// +optional
+	// +listType=map
+	// +listMapKey=type
+	conditions?: [...#CustomResourceDefinitionCondition] @go(Conditions,[]CustomResourceDefinitionCondition) @protobuf(1,bytes,opt)
+
+	// acceptedNames are the names that are actually being used to serve discovery.
+	// They may be different than the names in spec.
+	// +optional
+	acceptedNames?: #CustomResourceDefinitionNames @go(AcceptedNames) @protobuf(2,bytes,opt)
+
+	// storedVersions lists all versions of CustomResources that were ever persisted. Tracking these
+	// versions allows a migration path for stored versions in etcd. The field is mutable
+	// so a migration controller can finish a migration to another version (ensuring
+	// no old objects are left in storage), and then remove the rest of the
+	// versions from this list.
+	// Versions may not be removed from `spec.versions` while they exist in this list.
+	// +optional
+	storedVersions?: [...string] @go(StoredVersions,[]string) @protobuf(3,bytes,rep)
+}
+
+#CustomResourceCleanupFinalizer: "customresourcecleanup.apiextensions.k8s.io"
+
+// CustomResourceDefinition represents a resource that should be exposed on the API server.  Its name MUST be in the format
+// <.spec.name>.<.spec.group>.
+#CustomResourceDefinition: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// spec describes how the user wants the resources to appear
+	spec: #CustomResourceDefinitionSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// status indicates the actual state of the CustomResourceDefinition
+	// +optional
+	status?: #CustomResourceDefinitionStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// CustomResourceDefinitionList is a list of CustomResourceDefinition objects.
+#CustomResourceDefinitionList: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// items list individual CustomResourceDefinition objects
+	items: [...#CustomResourceDefinition] @go(Items,[]CustomResourceDefinition) @protobuf(2,bytes,rep)
+}
+
+// CustomResourceValidation is a list of validation methods for CustomResources.
+#CustomResourceValidation: {
+	// openAPIV3Schema is the OpenAPI v3 schema to use for validation and pruning.
+	// +optional
+	openAPIV3Schema?: null | #JSONSchemaProps @go(OpenAPIV3Schema,*JSONSchemaProps) @protobuf(1,bytes,opt)
+}
+
+// CustomResourceSubresources defines the status and scale subresources for CustomResources.
+#CustomResourceSubresources: {
+	// status indicates the custom resource should serve a `/status` subresource.
+	// When enabled:
+	// 1. requests to the custom resource primary endpoint ignore changes to the `status` stanza of the object.
+	// 2. requests to the custom resource `/status` subresource ignore changes to anything other than the `status` stanza of the object.
+	// +optional
+	status?: null | #CustomResourceSubresourceStatus @go(Status,*CustomResourceSubresourceStatus) @protobuf(1,bytes,opt)
+
+	// scale indicates the custom resource should serve a `/scale` subresource that returns an `autoscaling/v1` Scale object.
+	// +optional
+	scale?: null | #CustomResourceSubresourceScale @go(Scale,*CustomResourceSubresourceScale) @protobuf(2,bytes,opt)
+}
+
+// CustomResourceSubresourceStatus defines how to serve the status subresource for CustomResources.
+// Status is represented by the `.status` JSON path inside of a CustomResource. When set,
+// * exposes a /status subresource for the custom resource
+// * PUT requests to the /status subresource take a custom resource object, and ignore changes to anything except the status stanza
+// * PUT/POST/PATCH requests to the custom resource ignore changes to the status stanza
+#CustomResourceSubresourceStatus: {
+}
+
+// CustomResourceSubresourceScale defines how to serve the scale subresource for CustomResources.
+#CustomResourceSubresourceScale: {
+	// specReplicasPath defines the JSON path inside of a custom resource that corresponds to Scale `spec.replicas`.
+	// Only JSON paths without the array notation are allowed.
+	// Must be a JSON Path under `.spec`.
+	// If there is no value under the given path in the custom resource, the `/scale` subresource will return an error on GET.
+	specReplicasPath: string @go(SpecReplicasPath) @protobuf(1,bytes)
+
+	// statusReplicasPath defines the JSON path inside of a custom resource that corresponds to Scale `status.replicas`.
+	// Only JSON paths without the array notation are allowed.
+	// Must be a JSON Path under `.status`.
+	// If there is no value under the given path in the custom resource, the `status.replicas` value in the `/scale` subresource
+	// will default to 0.
+	statusReplicasPath: string @go(StatusReplicasPath) @protobuf(2,bytes,opt)
+
+	// labelSelectorPath defines the JSON path inside of a custom resource that corresponds to Scale `status.selector`.
+	// Only JSON paths without the array notation are allowed.
+	// Must be a JSON Path under `.status` or `.spec`.
+	// Must be set to work with HorizontalPodAutoscaler.
+	// The field pointed by this JSON path must be a string field (not a complex selector struct)
+	// which contains a serialized label selector in string form.
+	// More info: https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions#scale-subresource
+	// If there is no value under the given path in the custom resource, the `status.selector` value in the `/scale`
+	// subresource will default to the empty string.
+	// +optional
+	labelSelectorPath?: null | string @go(LabelSelectorPath,*string) @protobuf(3,bytes,opt)
+}
+
+// ConversionReview describes a conversion request/response.
+#ConversionReview: {
+	metav1.#TypeMeta
+
+	// request describes the attributes for the conversion request.
+	// +optional
+	request?: null | #ConversionRequest @go(Request,*ConversionRequest) @protobuf(1,bytes,opt)
+
+	// response describes the attributes for the conversion response.
+	// +optional
+	response?: null | #ConversionResponse @go(Response,*ConversionResponse) @protobuf(2,bytes,opt)
+}
+
+// ConversionRequest describes the conversion request parameters.
+#ConversionRequest: {
+	// uid is an identifier for the individual request/response. It allows distinguishing instances of requests which are
+	// otherwise identical (parallel requests, etc).
+	// The UID is meant to track the round trip (request/response) between the Kubernetes API server and the webhook, not the user request.
+	// It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging.
+	uid: types.#UID @go(UID) @protobuf(1,bytes)
+
+	// desiredAPIVersion is the version to convert given objects to. e.g. "myapi.example.com/v1"
+	desiredAPIVersion: string @go(DesiredAPIVersion) @protobuf(2,bytes)
+
+	// objects is the list of custom resource objects to be converted.
+	objects: [...runtime.#RawExtension] @go(Objects,[]runtime.RawExtension) @protobuf(3,bytes,rep)
+}
+
+// ConversionResponse describes a conversion response.
+#ConversionResponse: {
+	// uid is an identifier for the individual request/response.
+	// This should be copied over from the corresponding `request.uid`.
+	uid: types.#UID @go(UID) @protobuf(1,bytes)
+
+	// convertedObjects is the list of converted version of `request.objects` if the `result` is successful, otherwise empty.
+	// The webhook is expected to set `apiVersion` of these objects to the `request.desiredAPIVersion`. The list
+	// must also have the same size as the input list with the same objects in the same order (equal kind, metadata.uid, metadata.name and metadata.namespace).
+	// The webhook is allowed to mutate labels and annotations. Any other change to the metadata is silently ignored.
+	convertedObjects: [...runtime.#RawExtension] @go(ConvertedObjects,[]runtime.RawExtension) @protobuf(2,bytes,rep)
+
+	// result contains the result of conversion with extra details if the conversion failed. `result.status` determines if
+	// the conversion failed or succeeded. The `result.status` field is required and represents the success or failure of the
+	// conversion. A successful conversion must set `result.status` to `Success`. A failed conversion must set
+	// `result.status` to `Failure` and provide more details in `result.message` and return http status 200. The `result.message`
+	// will be used to construct an error message for the end user.
+	result: metav1.#Status @go(Result) @protobuf(3,bytes)
+}

docs/examples/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/types_jsonschema_go_gen.cue

@@ -0,0 +1,348 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1
+
+package v1
+
+// FieldValueErrorReason is a machine-readable value providing more detail about why a field failed the validation.
+// +enum
+#FieldValueErrorReason: string // #enumFieldValueErrorReason
+
+#enumFieldValueErrorReason:
+	#FieldValueRequired |
+	#FieldValueDuplicate |
+	#FieldValueInvalid |
+	#FieldValueForbidden
+
+// FieldValueRequired is used to report required values that are not
+// provided (e.g. empty strings, null values, or empty arrays).
+#FieldValueRequired: #FieldValueErrorReason & "FieldValueRequired"
+
+// FieldValueDuplicate is used to report collisions of values that must be
+// unique (e.g. unique IDs).
+#FieldValueDuplicate: #FieldValueErrorReason & "FieldValueDuplicate"
+
+// FieldValueInvalid is used to report malformed values (e.g. failed regex
+// match, too long, out of bounds).
+#FieldValueInvalid: #FieldValueErrorReason & "FieldValueInvalid"
+
+// FieldValueForbidden is used to report valid (as per formatting rules)
+// values which would be accepted under some conditions, but which are not
+// permitted by the current conditions (such as security policy).
+#FieldValueForbidden: #FieldValueErrorReason & "FieldValueForbidden"
+
+// JSONSchemaProps is a JSON-Schema following Specification Draft 4 (http://json-schema.org/).
+#JSONSchemaProps: {
+	id?:          string         @go(ID) @protobuf(1,bytes,opt)
+	$schema?:     #JSONSchemaURL @go(Schema) @protobuf(2,bytes,opt,name=schema)
+	$ref?:        null | string  @go(Ref,*string) @protobuf(3,bytes,opt,name=ref)
+	description?: string         @go(Description) @protobuf(4,bytes,opt)
+	type?:        string         @go(Type) @protobuf(5,bytes,opt)
+
+	// format is an OpenAPI v3 format string. Unknown formats are ignored. The following formats are validated:
+	//
+	// - bsonobjectid: a bson object ID, i.e. a 24 characters hex string
+	// - uri: an URI as parsed by Golang net/url.ParseRequestURI
+	// - email: an email address as parsed by Golang net/mail.ParseAddress
+	// - hostname: a valid representation for an Internet host name, as defined by RFC 1034, section 3.1 [RFC1034].
+	// - ipv4: an IPv4 IP as parsed by Golang net.ParseIP
+	// - ipv6: an IPv6 IP as parsed by Golang net.ParseIP
+	// - cidr: a CIDR as parsed by Golang net.ParseCIDR
+	// - mac: a MAC address as parsed by Golang net.ParseMAC
+	// - uuid: an UUID that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{12}$
+	// - uuid3: an UUID3 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?3[0-9a-f]{3}-?[0-9a-f]{4}-?[0-9a-f]{12}$
+	// - uuid4: an UUID4 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?4[0-9a-f]{3}-?[89ab][0-9a-f]{3}-?[0-9a-f]{12}$
+	// - uuid5: an UUID5 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?5[0-9a-f]{3}-?[89ab][0-9a-f]{3}-?[0-9a-f]{12}$
+	// - isbn: an ISBN10 or ISBN13 number string like "0321751043" or "978-0321751041"
+	// - isbn10: an ISBN10 number string like "0321751043"
+	// - isbn13: an ISBN13 number string like "978-0321751041"
+	// - creditcard: a credit card number defined by the regex ^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\\d{3})\\d{11})$ with any non digit characters mixed in
+	// - ssn: a U.S. social security number following the regex ^\\d{3}[- ]?\\d{2}[- ]?\\d{4}$
+	// - hexcolor: an hexadecimal color code like "#FFFFFF: following the regex ^#?([0-9a-fA-F]{3}|[0-9a-fA-F]{6})$
+	// - rgbcolor: an RGB color code like rgb like "rgb(255,255,2559"
+	// - byte: base64 encoded binary data
+	// - password: any kind of string
+	// - date: a date string like "2006-01-02" as defined by full-date in RFC3339
+	// - duration: a duration string like "22 ns" as parsed by Golang time.ParseDuration or compatible with Scala duration format
+	// - datetime: a date time string like "2014-12-15T19:30:20.000Z" as defined by date-time in RFC3339.
+	format?: string @go(Format) @protobuf(6,bytes,opt)
+	title?:  string @go(Title) @protobuf(7,bytes,opt)
+
+	// default is a default value for undefined object fields.
+	// Defaulting is a beta feature under the CustomResourceDefaulting feature gate.
+	// Defaulting requires spec.preserveUnknownFields to be false.
+	default?:          null | #JSON   @go(Default,*JSON) @protobuf(8,bytes,opt)
+	maximum?:          null | float64 @go(Maximum,*float64) @protobuf(9,bytes,opt)
+	exclusiveMaximum?: bool           @go(ExclusiveMaximum) @protobuf(10,bytes,opt)
+	minimum?:          null | float64 @go(Minimum,*float64) @protobuf(11,bytes,opt)
+	exclusiveMinimum?: bool           @go(ExclusiveMinimum) @protobuf(12,bytes,opt)
+	maxLength?:        null | int64   @go(MaxLength,*int64) @protobuf(13,bytes,opt)
+	minLength?:        null | int64   @go(MinLength,*int64) @protobuf(14,bytes,opt)
+	pattern?:          string         @go(Pattern) @protobuf(15,bytes,opt)
+	maxItems?:         null | int64   @go(MaxItems,*int64) @protobuf(16,bytes,opt)
+	minItems?:         null | int64   @go(MinItems,*int64) @protobuf(17,bytes,opt)
+	uniqueItems?:      bool           @go(UniqueItems) @protobuf(18,bytes,opt)
+	multipleOf?:       null | float64 @go(MultipleOf,*float64) @protobuf(19,bytes,opt)
+	enum?: [...#JSON] @go(Enum,[]JSON) @protobuf(20,bytes,rep)
+	maxProperties?: null | int64 @go(MaxProperties,*int64) @protobuf(21,bytes,opt)
+	minProperties?: null | int64 @go(MinProperties,*int64) @protobuf(22,bytes,opt)
+	required?: [...string] @go(Required,[]string) @protobuf(23,bytes,rep)
+	items?: null | #JSONSchemaPropsOrArray @go(Items,*JSONSchemaPropsOrArray) @protobuf(24,bytes,opt)
+	allOf?: [...#JSONSchemaProps] @go(AllOf,[]JSONSchemaProps) @protobuf(25,bytes,rep)
+	oneOf?: [...#JSONSchemaProps] @go(OneOf,[]JSONSchemaProps) @protobuf(26,bytes,rep)
+	anyOf?: [...#JSONSchemaProps] @go(AnyOf,[]JSONSchemaProps) @protobuf(27,bytes,rep)
+	not?: null | #JSONSchemaProps @go(Not,*JSONSchemaProps) @protobuf(28,bytes,opt)
+	properties?: {[string]: #JSONSchemaProps} @go(Properties,map[string]JSONSchemaProps) @protobuf(29,bytes,rep)
+	additionalProperties?: null | #JSONSchemaPropsOrBool @go(AdditionalProperties,*JSONSchemaPropsOrBool) @protobuf(30,bytes,opt)
+	patternProperties?: {[string]: #JSONSchemaProps} @go(PatternProperties,map[string]JSONSchemaProps) @protobuf(31,bytes,rep)
+	dependencies?:    #JSONSchemaDependencies       @go(Dependencies) @protobuf(32,bytes,opt)
+	additionalItems?: null | #JSONSchemaPropsOrBool @go(AdditionalItems,*JSONSchemaPropsOrBool) @protobuf(33,bytes,opt)
+	definitions?:     #JSONSchemaDefinitions        @go(Definitions) @protobuf(34,bytes,opt)
+	externalDocs?:    null | #ExternalDocumentation @go(ExternalDocs,*ExternalDocumentation) @protobuf(35,bytes,opt)
+	example?:         null | #JSON                  @go(Example,*JSON) @protobuf(36,bytes,opt)
+	nullable?:        bool                          @go(Nullable) @protobuf(37,bytes,opt)
+
+	// x-kubernetes-preserve-unknown-fields stops the API server
+	// decoding step from pruning fields which are not specified
+	// in the validation schema. This affects fields recursively,
+	// but switches back to normal pruning behaviour if nested
+	// properties or additionalProperties are specified in the schema.
+	// This can either be true or undefined. False is forbidden.
+	"x-kubernetes-preserve-unknown-fields"?: null | bool @go(XPreserveUnknownFields,*bool) @protobuf(38,bytes,opt,name=xKubernetesPreserveUnknownFields)
+
+	// x-kubernetes-embedded-resource defines that the value is an
+	// embedded Kubernetes runtime.Object, with TypeMeta and
+	// ObjectMeta. The type must be object. It is allowed to further
+	// restrict the embedded object. kind, apiVersion and metadata
+	// are validated automatically. x-kubernetes-preserve-unknown-fields
+	// is allowed to be true, but does not have to be if the object
+	// is fully specified (up to kind, apiVersion, metadata).
+	"x-kubernetes-embedded-resource"?: bool @go(XEmbeddedResource) @protobuf(39,bytes,opt,name=xKubernetesEmbeddedResource)
+
+	// x-kubernetes-int-or-string specifies that this value is
+	// either an integer or a string. If this is true, an empty
+	// type is allowed and type as child of anyOf is permitted
+	// if following one of the following patterns:
+	//
+	// 1) anyOf:
+	//    - type: integer
+	//    - type: string
+	// 2) allOf:
+	//    - anyOf:
+	//      - type: integer
+	//      - type: string
+	//    - ... zero or more
+	"x-kubernetes-int-or-string"?: bool @go(XIntOrString) @protobuf(40,bytes,opt,name=xKubernetesIntOrString)
+
+	// x-kubernetes-list-map-keys annotates an array with the x-kubernetes-list-type `map` by specifying the keys used
+	// as the index of the map.
+	//
+	// This tag MUST only be used on lists that have the "x-kubernetes-list-type"
+	// extension set to "map". Also, the values specified for this attribute must
+	// be a scalar typed field of the child structure (no nesting is supported).
+	//
+	// The properties specified must either be required or have a default value,
+	// to ensure those properties are present for all list items.
+	//
+	// +optional
+	"x-kubernetes-list-map-keys"?: [...string] @go(XListMapKeys,[]string) @protobuf(41,bytes,rep,name=xKubernetesListMapKeys)
+
+	// x-kubernetes-list-type annotates an array to further describe its topology.
+	// This extension must only be used on lists and may have 3 possible values:
+	//
+	// 1) `atomic`: the list is treated as a single entity, like a scalar.
+	//      Atomic lists will be entirely replaced when updated. This extension
+	//      may be used on any type of list (struct, scalar, ...).
+	// 2) `set`:
+	//      Sets are lists that must not have multiple items with the same value. Each
+	//      value must be a scalar, an object with x-kubernetes-map-type `atomic` or an
+	//      array with x-kubernetes-list-type `atomic`.
+	// 3) `map`:
+	//      These lists are like maps in that their elements have a non-index key
+	//      used to identify them. Order is preserved upon merge. The map tag
+	//      must only be used on a list with elements of type object.
+	// Defaults to atomic for arrays.
+	// +optional
+	"x-kubernetes-list-type"?: null | string @go(XListType,*string) @protobuf(42,bytes,opt,name=xKubernetesListType)
+
+	// x-kubernetes-map-type annotates an object to further describe its topology.
+	// This extension must only be used when type is object and may have 2 possible values:
+	//
+	// 1) `granular`:
+	//      These maps are actual maps (key-value pairs) and each fields are independent
+	//      from each other (they can each be manipulated by separate actors). This is
+	//      the default behaviour for all maps.
+	// 2) `atomic`: the list is treated as a single entity, like a scalar.
+	//      Atomic maps will be entirely replaced when updated.
+	// +optional
+	"x-kubernetes-map-type"?: null | string @go(XMapType,*string) @protobuf(43,bytes,opt,name=xKubernetesMapType)
+
+	// x-kubernetes-validations describes a list of validation rules written in the CEL expression language.
+	// This field is an alpha-level. Using this field requires the feature gate `CustomResourceValidationExpressions` to be enabled.
+	// +patchMergeKey=rule
+	// +patchStrategy=merge
+	// +listType=map
+	// +listMapKey=rule
+	"x-kubernetes-validations"?: #ValidationRules @go(XValidations) @protobuf(44,bytes,rep,name=xKubernetesValidations)
+}
+
+// ValidationRules describes a list of validation rules written in the CEL expression language.
+#ValidationRules: [...#ValidationRule]
+
+// ValidationRule describes a validation rule written in the CEL expression language.
+#ValidationRule: {
+	// Rule represents the expression which will be evaluated by CEL.
+	// ref: https://github.com/google/cel-spec
+	// The Rule is scoped to the location of the x-kubernetes-validations extension in the schema.
+	// The `self` variable in the CEL expression is bound to the scoped value.
+	// Example:
+	// - Rule scoped to the root of a resource with a status subresource: {"rule": "self.status.actual <= self.spec.maxDesired"}
+	//
+	// If the Rule is scoped to an object with properties, the accessible properties of the object are field selectable
+	// via `self.field` and field presence can be checked via `has(self.field)`. Null valued fields are treated as
+	// absent fields in CEL expressions.
+	// If the Rule is scoped to an object with additionalProperties (i.e. a map) the value of the map
+	// are accessible via `self[mapKey]`, map containment can be checked via `mapKey in self` and all entries of the map
+	// are accessible via CEL macros and functions such as `self.all(...)`.
+	// If the Rule is scoped to an array, the elements of the array are accessible via `self[i]` and also by macros and
+	// functions.
+	// If the Rule is scoped to a scalar, `self` is bound to the scalar value.
+	// Examples:
+	// - Rule scoped to a map of objects: {"rule": "self.components['Widget'].priority < 10"}
+	// - Rule scoped to a list of integers: {"rule": "self.values.all(value, value >= 0 && value < 100)"}
+	// - Rule scoped to a string value: {"rule": "self.startsWith('kube')"}
+	//
+	// The `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the
+	// object and from any x-kubernetes-embedded-resource annotated objects. No other metadata properties are accessible.
+	//
+	// Unknown data preserved in custom resources via x-kubernetes-preserve-unknown-fields is not accessible in CEL
+	// expressions. This includes:
+	// - Unknown field values that are preserved by object schemas with x-kubernetes-preserve-unknown-fields.
+	// - Object properties where the property schema is of an "unknown type". An "unknown type" is recursively defined as:
+	//   - A schema with no type and x-kubernetes-preserve-unknown-fields set to true
+	//   - An array where the items schema is of an "unknown type"
+	//   - An object where the additionalProperties schema is of an "unknown type"
+	//
+	// Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.
+	// Accessible property names are escaped according to the following rules when accessed in the expression:
+	// - '__' escapes to '__underscores__'
+	// - '.' escapes to '__dot__'
+	// - '-' escapes to '__dash__'
+	// - '/' escapes to '__slash__'
+	// - Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:
+	//	  "true", "false", "null", "in", "as", "break", "const", "continue", "else", "for", "function", "if",
+	//	  "import", "let", "loop", "package", "namespace", "return".
+	// Examples:
+	//   - Rule accessing a property named "namespace": {"rule": "self.__namespace__ > 0"}
+	//   - Rule accessing a property named "x-prop": {"rule": "self.x__dash__prop > 0"}
+	//   - Rule accessing a property named "redact__d": {"rule": "self.redact__underscores__d > 0"}
+	//
+	// Equality on arrays with x-kubernetes-list-type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].
+	// Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:
+	//   - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and
+	//     non-intersecting elements in `Y` are appended, retaining their partial order.
+	//   - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values
+	//     are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with
+	//     non-intersecting keys are appended, retaining their partial order.
+	//
+	// If `rule` makes use of the `oldSelf` variable it is implicitly a
+	// `transition rule`.
+	//
+	// By default, the `oldSelf` variable is the same type as `self`.
+	// When `optionalOldSelf` is true, the `oldSelf` variable is a CEL optional
+	//  variable whose value() is the same type as `self`.
+	// See the documentation for the `optionalOldSelf` field for details.
+	//
+	// Transition rules by default are applied only on UPDATE requests and are
+	// skipped if an old value could not be found. You can opt a transition
+	// rule into unconditional evaluation by setting `optionalOldSelf` to true.
+	//
+	rule: string @go(Rule) @protobuf(1,bytes,opt)
+
+	// Message represents the message displayed when validation fails. The message is required if the Rule contains
+	// line breaks. The message must not contain line breaks.
+	// If unset, the message is "failed rule: {Rule}".
+	// e.g. "must be a URL with the host matching spec.host"
+	message?: string @go(Message) @protobuf(2,bytes,opt)
+
+	// MessageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
+	// Since messageExpression is used as a failure message, it must evaluate to a string.
+	// If both message and messageExpression are present on a rule, then messageExpression will be used if validation
+	// fails. If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
+	// as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
+	// that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
+	// the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
+	// messageExpression has access to all the same variables as the rule; the only difference is the return type.
+	// Example:
+	// "x must be less than max ("+string(self.max)+")"
+	// +optional
+	messageExpression?: string @go(MessageExpression) @protobuf(3,bytes,opt)
+
+	// reason provides a machine-readable validation failure reason that is returned to the caller when a request fails this validation rule.
+	// The HTTP status code returned to the caller will match the reason of the reason of the first failed validation rule.
+	// The currently supported reasons are: "FieldValueInvalid", "FieldValueForbidden", "FieldValueRequired", "FieldValueDuplicate".
+	// If not set, default to use "FieldValueInvalid".
+	// All future added reasons must be accepted by clients when reading this value and unknown reasons should be treated as FieldValueInvalid.
+	// +optional
+	reason?: null | #FieldValueErrorReason @go(Reason,*FieldValueErrorReason) @protobuf(4,bytes,opt)
+
+	// fieldPath represents the field path returned when the validation fails.
+	// It must be a relative JSON path (i.e. with array notation) scoped to the location of this x-kubernetes-validations extension in the schema and refer to an existing field.
+	// e.g. when validation checks if a specific attribute `foo` under a map `testMap`, the fieldPath could be set to `.testMap.foo`
+	// If the validation checks two lists must have unique attributes, the fieldPath could be set to either of the list: e.g. `.testList`
+	// It does not support list numeric index.
+	// It supports child operation to refer to an existing field currently. Refer to [JSONPath support in Kubernetes](https://kubernetes.io/docs/reference/kubectl/jsonpath/) for more info.
+	// Numeric index of array is not supported.
+	// For field name which contains special characters, use `['specialName']` to refer the field name.
+	// e.g. for attribute `foo.34$` appears in a list `testList`, the fieldPath could be set to `.testList['foo.34$']`
+	// +optional
+	fieldPath?: string @go(FieldPath) @protobuf(5,bytes,opt)
+
+	// optionalOldSelf is used to opt a transition rule into evaluation
+	// even when the object is first created, or if the old object is
+	// missing the value.
+	//
+	// When enabled `oldSelf` will be a CEL optional whose value will be
+	// `None` if there is no old value, or when the object is initially created.
+	//
+	// You may check for presence of oldSelf using `oldSelf.hasValue()` and
+	// unwrap it after checking using `oldSelf.value()`. Check the CEL
+	// documentation for Optional types for more information:
+	// https://pkg.go.dev/github.com/google/cel-go/cel#OptionalTypes
+	//
+	// May not be set unless `oldSelf` is used in `rule`.
+	//
+	// +featureGate=CRDValidationRatcheting
+	// +optional
+	optionalOldSelf?: null | bool @go(OptionalOldSelf,*bool) @protobuf(6,bytes,opt)
+}
+
+// JSON represents any valid JSON value.
+// These types are supported: bool, int64, float64, string, []interface{}, map[string]interface{} and nil.
+#JSON: _
+
+// JSONSchemaURL represents a schema url.
+#JSONSchemaURL: string
+
+// JSONSchemaPropsOrArray represents a value that can either be a JSONSchemaProps
+// or an array of JSONSchemaProps. Mainly here for serialization purposes.
+#JSONSchemaPropsOrArray: _
+
+// JSONSchemaPropsOrBool represents JSONSchemaProps or a boolean value.
+// Defaults to true for the boolean property.
+#JSONSchemaPropsOrBool: _
+
+// JSONSchemaDependencies represent a dependencies property.
+#JSONSchemaDependencies: {[string]: #JSONSchemaPropsOrStringArray}
+
+// JSONSchemaPropsOrStringArray represents a JSONSchemaProps or a string array.
+#JSONSchemaPropsOrStringArray: _
+
+// JSONSchemaDefinitions contains the models explicitly defined in this spec.
+#JSONSchemaDefinitions: {[string]: #JSONSchemaProps}
+
+// ExternalDocumentation allows referencing an external resource for extended documentation.
+#ExternalDocumentation: {
+	description?: string @go(Description) @protobuf(1,bytes,opt)
+	url?:         string @go(URL) @protobuf(2,bytes,opt)
+}

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/amount_go_gen.cue

@@ -0,0 +1,47 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/api/resource
+
+package resource
+
+// Scale is used for getting and setting the base-10 scaled value.
+// Base-2 scales are omitted for mathematical simplicity.
+// See Quantity.ScaledValue for more details.
+#Scale: int32 // #enumScale
+
+#enumScale:
+	#Nano |
+	#Micro |
+	#Milli |
+	#Kilo |
+	#Mega |
+	#Giga |
+	#Tera |
+	#Peta |
+	#Exa
+
+#values_Scale: {
+	Nano:  #Nano
+	Micro: #Micro
+	Milli: #Milli
+	Kilo:  #Kilo
+	Mega:  #Mega
+	Giga:  #Giga
+	Tera:  #Tera
+	Peta:  #Peta
+	Exa:   #Exa
+}
+
+#Nano:  #Scale & -9
+#Micro: #Scale & -6
+#Milli: #Scale & -3
+#Kilo:  #Scale & 3
+#Mega:  #Scale & 6
+#Giga:  #Scale & 9
+#Tera:  #Scale & 12
+#Peta:  #Scale & 15
+#Exa:   #Scale & 18
+
+// infDecAmount implements common operations over an inf.Dec that are specific to the quantity
+// representation.
+_#infDecAmount: string

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/math_go_gen.cue

@@ -0,0 +1,13 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/api/resource
+
+package resource
+
+// maxInt64Factors is the highest value that will be checked when removing factors of 10 from an int64.
+// It is also the maximum decimal digits that can be represented with an int64.
+_#maxInt64Factors: 18
+
+_#mostNegative: -9223372036854775808
+
+_#mostPositive: 9223372036854775807

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/quantity_go_gen.cue

@@ -0,0 +1,107 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/api/resource
+
+package resource
+
+// Quantity is a fixed-point representation of a number.
+// It provides convenient marshaling/unmarshaling in JSON and YAML,
+// in addition to String() and AsInt64() accessors.
+//
+// The serialization format is:
+//
+// ```
+// <quantity>        ::= <signedNumber><suffix>
+//
+//	(Note that <suffix> may be empty, from the "" case in <decimalSI>.)
+//
+// <digit>           ::= 0 | 1 | ... | 9
+// <digits>          ::= <digit> | <digit><digits>
+// <number>          ::= <digits> | <digits>.<digits> | <digits>. | .<digits>
+// <sign>            ::= "+" | "-"
+// <signedNumber>    ::= <number> | <sign><number>
+// <suffix>          ::= <binarySI> | <decimalExponent> | <decimalSI>
+// <binarySI>        ::= Ki | Mi | Gi | Ti | Pi | Ei
+//
+//	(International System of units; See: http://physics.nist.gov/cuu/Units/binary.html)
+//
+// <decimalSI>       ::= m | "" | k | M | G | T | P | E
+//
+//	(Note that 1024 = 1Ki but 1000 = 1k; I didn't choose the capitalization.)
+//
+// <decimalExponent> ::= "e" <signedNumber> | "E" <signedNumber>
+// ```
+//
+// No matter which of the three exponent forms is used, no quantity may represent
+// a number greater than 2^63-1 in magnitude, nor may it have more than 3 decimal
+// places. Numbers larger or more precise will be capped or rounded up.
+// (E.g.: 0.1m will rounded up to 1m.)
+// This may be extended in the future if we require larger or smaller quantities.
+//
+// When a Quantity is parsed from a string, it will remember the type of suffix
+// it had, and will use the same type again when it is serialized.
+//
+// Before serializing, Quantity will be put in "canonical form".
+// This means that Exponent/suffix will be adjusted up or down (with a
+// corresponding increase or decrease in Mantissa) such that:
+//
+// - No precision is lost
+// - No fractional digits will be emitted
+// - The exponent (or suffix) is as large as possible.
+//
+// The sign will be omitted unless the number is negative.
+//
+// Examples:
+//
+// - 1.5 will be serialized as "1500m"
+// - 1.5Gi will be serialized as "1536Mi"
+//
+// Note that the quantity will NEVER be internally represented by a
+// floating point number. That is the whole point of this exercise.
+//
+// Non-canonical values will still parse as long as they are well formed,
+// but will be re-emitted in their canonical form. (So always use canonical
+// form, or don't diff.)
+//
+// This format is intended to make it difficult to use these numbers without
+// writing some sort of special handling code in the hopes that that will
+// cause implementors to also use a fixed point implementation.
+//
+// +protobuf=true
+// +protobuf.embed=string
+// +protobuf.options.marshal=false
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+// +k8s:deepcopy-gen=true
+// +k8s:openapi-gen=true
+#Quantity: _
+
+// CanonicalValue allows a quantity amount to be converted to a string.
+#CanonicalValue: _
+
+// Format lists the three possible formattings of a quantity.
+#Format: string // #enumFormat
+
+#enumFormat:
+	#DecimalExponent |
+	#BinarySI |
+	#DecimalSI
+
+#DecimalExponent: #Format & "DecimalExponent"
+#BinarySI:        #Format & "BinarySI"
+#DecimalSI:       #Format & "DecimalSI"
+
+// splitREString is used to separate a number from its suffix; as such,
+// this is overly permissive, but that's OK-- it will be checked later.
+_#splitREString: "^([+-]?[0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$"
+
+_#int64QuantityExpectedBytes: 18
+
+// QuantityValue makes it possible to use a Quantity as value for a command
+// line parameter.
+//
+// +protobuf=true
+// +protobuf.embed=string
+// +protobuf.options.marshal=false
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+// +k8s:deepcopy-gen=true
+#QuantityValue: _

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/suffix_go_gen.cue

@@ -0,0 +1,10 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/api/resource
+
+package resource
+
+_#suffix: string
+
+// suffixer can interpret and construct suffixes.
+_#suffixer: _

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/duration_go_gen.cue

@@ -0,0 +1,10 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1
+
+package v1
+
+// Duration is a wrapper around time.Duration which supports correct
+// marshaling to YAML and JSON. In particular, it marshals into strings, which
+// can be used as map keys in json.
+#Duration: _

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/group_version_go_gen.cue

@@ -0,0 +1,48 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1
+
+package v1
+
+// GroupResource specifies a Group and a Resource, but does not force a version.  This is useful for identifying
+// concepts during lookup stages without having partially valid types
+//
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+#GroupResource: {
+	group:    string @go(Group) @protobuf(1,bytes,opt)
+	resource: string @go(Resource) @protobuf(2,bytes,opt)
+}
+
+// GroupVersionResource unambiguously identifies a resource.  It doesn't anonymously include GroupVersion
+// to avoid automatic coercion.  It doesn't use a GroupVersion to avoid custom marshalling
+//
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+#GroupVersionResource: {
+	group:    string @go(Group) @protobuf(1,bytes,opt)
+	version:  string @go(Version) @protobuf(2,bytes,opt)
+	resource: string @go(Resource) @protobuf(3,bytes,opt)
+}
+
+// GroupKind specifies a Group and a Kind, but does not force a version.  This is useful for identifying
+// concepts during lookup stages without having partially valid types
+//
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+#GroupKind: {
+	group: string @go(Group) @protobuf(1,bytes,opt)
+	kind:  string @go(Kind) @protobuf(2,bytes,opt)
+}
+
+// GroupVersionKind unambiguously identifies a kind.  It doesn't anonymously include GroupVersion
+// to avoid automatic coercion.  It doesn't use a GroupVersion to avoid custom marshalling
+//
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+#GroupVersionKind: {
+	group:   string @go(Group) @protobuf(1,bytes,opt)
+	version: string @go(Version) @protobuf(2,bytes,opt)
+	kind:    string @go(Kind) @protobuf(3,bytes,opt)
+}
+
+// GroupVersion contains the "group" and the "version", which uniquely identifies the API.
+//
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+#GroupVersion: _

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/meta_go_gen.cue

@@ -0,0 +1,33 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1
+
+package v1
+
+// TODO: move this, Object, List, and Type to a different package
+#ObjectMetaAccessor: _
+
+// Object lets you work with object metadata from any of the versioned or
+// internal API objects. Attempting to set or retrieve a field on an object that does
+// not support that field (Name, UID, Namespace on lists) will be a no-op and return
+// a default value.
+#Object: _
+
+// ListMetaAccessor retrieves the list interface from an object
+#ListMetaAccessor: _
+
+// Common lets you work with core metadata from any of the versioned or
+// internal API objects. Attempting to set or retrieve a field on an object that does
+// not support that field will be a no-op and return a default value.
+// TODO: move this, and TypeMeta and ListMeta, to a different package
+#Common: _
+
+// ListInterface lets you work with list metadata from any of the versioned or
+// internal API objects. Attempting to set or retrieve a field on an object that does
+// not support that field will be a no-op and return a default value.
+// TODO: move this, and TypeMeta and ListMeta, to a different package
+#ListInterface: _
+
+// Type exposes the type and APIVersion of versioned or internal API objects.
+// TODO: move this, and TypeMeta and ListMeta, to a different package
+#Type: _

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/micro_time_go_gen.cue

@@ -0,0 +1,14 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1
+
+package v1
+
+#RFC3339Micro: "2006-01-02T15:04:05.000000Z07:00"
+
+// MicroTime is version of Time with microsecond level precision.
+//
+// +protobuf.options.marshal=false
+// +protobuf.as=Timestamp
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+#MicroTime: _

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/register_go_gen.cue

@@ -0,0 +1,9 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1
+
+package v1
+
+#GroupName: "meta.k8s.io"
+
+#WatchEventKind: "WatchEvent"

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/time_go_gen.cue

@@ -0,0 +1,14 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1
+
+package v1
+
+// Time is a wrapper around time.Time which supports correct
+// marshaling to YAML and JSON.  Wrappers are provided for many
+// of the factory methods that the time package offers.
+//
+// +protobuf.options.marshal=false
+// +protobuf.as=Timestamp
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+#Time: _

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/time_proto_go_gen.cue

@@ -0,0 +1,21 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1
+
+package v1
+
+// Timestamp is a struct that is equivalent to Time, but intended for
+// protobuf marshalling/unmarshalling. It is generated into a serialization
+// that matches Time. Do not use in Go structs.
+#Timestamp: {
+	// Represents seconds of UTC time since Unix epoch
+	// 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
+	// 9999-12-31T23:59:59Z inclusive.
+	seconds: int64 @go(Seconds) @protobuf(1,varint,opt)
+
+	// Non-negative fractions of a second at nanosecond resolution. Negative
+	// second values with fractions must still have non-negative nanos values
+	// that count forward in time. Must be from 0 to 999,999,999
+	// inclusive. This field may be limited in precision depending on context.
+	nanos: int32 @go(Nanos) @protobuf(2,varint,opt)
+}

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/watch_go_gen.cue

@@ -0,0 +1,30 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1
+
+package v1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/watch"
+)
+
+// Event represents a single event to a watched resource.
+//
+// +protobuf=true
+// +k8s:deepcopy-gen=true
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+#WatchEvent: {
+	type: string @go(Type) @protobuf(1,bytes,opt)
+
+	// Object is:
+	//  * If Type is Added or Modified: the new state of the object.
+	//  * If Type is Deleted: the state of the object immediately before deletion.
+	//  * If Type is Error: *Status is recommended; other types may make sense
+	//    depending on context.
+	object: runtime.#RawExtension @go(Object) @protobuf(2,bytes,opt)
+}
+
+// InternalEvent makes watch.Event versioned
+// +protobuf=false
+#InternalEvent: watch.#Event

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/allocator_go_gen.cue

@@ -0,0 +1,10 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/runtime
+
+package runtime
+
+// SimpleAllocator a wrapper around make([]byte)
+// conforms to the MemoryAllocator interface
+#SimpleAllocator: {
+}

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/codec_go_gen.cue

@@ -0,0 +1,37 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/runtime
+
+package runtime
+
+// codec binds an encoder and decoder.
+_#codec: {
+	Encoder: #Encoder
+	Decoder: #Decoder
+}
+
+// NoopEncoder converts an Decoder to a Serializer or Codec for code that expects them but only uses decoding.
+#NoopEncoder: {
+	Decoder: #Decoder
+}
+
+_#noopEncoderIdentifier: #Identifier & "noop"
+
+// NoopDecoder converts an Encoder to a Serializer or Codec for code that expects them but only uses encoding.
+#NoopDecoder: {
+	Encoder: #Encoder
+}
+
+_#base64Serializer: {
+	Encoder: #Encoder
+	Decoder: #Decoder
+}
+
+_#internalGroupVersionerIdentifier: "internal"
+_#disabledGroupVersionerIdentifier: "disabled"
+
+_#internalGroupVersioner: {
+}
+
+_#disabledGroupVersioner: {
+}

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/conversion_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/runtime
+
+// Package runtime defines conversions between generic types and structs to map query strings
+// to struct objects.
+package runtime

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/converter_go_gen.cue

@@ -0,0 +1,9 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/runtime
+
+package runtime
+
+// UnstructuredConverter is an interface for converting between interface{}
+// and map[string]interface representation.
+#UnstructuredConverter: _

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/doc_go_gen.cue

@@ -0,0 +1,39 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/runtime
+
+// Package runtime includes helper functions for working with API objects
+// that follow the kubernetes API object conventions, which are:
+//
+// 0. Your API objects have a common metadata struct member, TypeMeta.
+//
+// 1. Your code refers to an internal set of API objects.
+//
+// 2. In a separate package, you have an external set of API objects.
+//
+// 3. The external set is considered to be versioned, and no breaking
+// changes are ever made to it (fields may be added but not changed
+// or removed).
+//
+// 4. As your api evolves, you'll make an additional versioned package
+// with every major change.
+//
+// 5. Versioned packages have conversion functions which convert to
+// and from the internal version.
+//
+// 6. You'll continue to support older versions according to your
+// deprecation policy, and you can easily provide a program/library
+// to update old versions into new versions because of 5.
+//
+// 7. All of your serializations and deserializations are handled in a
+// centralized place.
+//
+// Package runtime provides a conversion helper to make 5 easy, and the
+// Encode/Decode/DecodeInto trio to accomplish 7. You can also register
+// additional "codecs" which use a version of your choice. It's
+// recommended that you register your types with runtime in your
+// package's init function.
+//
+// As a bonus, a few common types useful from all api objects and versions
+// are provided in types.go.
+package runtime

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/embedded_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/runtime
+
+package runtime
+
+_#encodable: _

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/helper_go_gen.cue

@@ -0,0 +1,23 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/runtime
+
+package runtime
+
+// MultiObjectTyper returns the types of objects across multiple schemes in order.
+#MultiObjectTyper: [...#ObjectTyper]
+
+_#defaultFramer: {
+}
+
+// WithVersionEncoder serializes an object and ensures the GVK is set.
+#WithVersionEncoder: {
+	Version:     #GroupVersioner
+	Encoder:     #Encoder
+	ObjectTyper: #ObjectTyper
+}
+
+// WithoutVersionDecoder clears the group version kind of a deserialized object.
+#WithoutVersionDecoder: {
+	Decoder: #Decoder
+}

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/interfaces_go_gen.cue

@@ -0,0 +1,165 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/runtime
+
+package runtime
+
+// APIVersionInternal may be used if you are registering a type that should not
+// be considered stable or serialized - it is a convention only and has no
+// special behavior in this package.
+#APIVersionInternal: "__internal"
+
+// GroupVersioner refines a set of possible conversion targets into a single option.
+#GroupVersioner: _
+
+// Identifier represents an identifier.
+// Identitier of two different objects should be equal if and only if for every
+// input the output they produce is exactly the same.
+#Identifier: string // #enumIdentifier
+
+#enumIdentifier:
+	_#noopEncoderIdentifier
+
+// Encoder writes objects to a serialized form
+#Encoder: _
+
+// MemoryAllocator is responsible for allocating memory.
+// By encapsulating memory allocation into its own interface, we can reuse the memory
+// across many operations in places we know it can significantly improve the performance.
+#MemoryAllocator: _
+
+// EncoderWithAllocator  serializes objects in a way that allows callers to manage any additional memory allocations.
+#EncoderWithAllocator: _
+
+// Decoder attempts to load an object from data.
+#Decoder: _
+
+// Serializer is the core interface for transforming objects into a serialized format and back.
+// Implementations may choose to perform conversion of the object, but no assumptions should be made.
+#Serializer: _
+
+// Codec is a Serializer that deals with the details of versioning objects. It offers the same
+// interface as Serializer, so this is a marker to consumers that care about the version of the objects
+// they receive.
+#Codec: #Serializer
+
+// ParameterCodec defines methods for serializing and deserializing API objects to url.Values and
+// performing any necessary conversion. Unlike the normal Codec, query parameters are not self describing
+// and the desired version must be specified.
+#ParameterCodec: _
+
+// Framer is a factory for creating readers and writers that obey a particular framing pattern.
+#Framer: _
+
+// SerializerInfo contains information about a specific serialization format
+#SerializerInfo: {
+	// MediaType is the value that represents this serializer over the wire.
+	MediaType: string
+
+	// MediaTypeType is the first part of the MediaType ("application" in "application/json").
+	MediaTypeType: string
+
+	// MediaTypeSubType is the second part of the MediaType ("json" in "application/json").
+	MediaTypeSubType: string
+
+	// EncodesAsText indicates this serializer can be encoded to UTF-8 safely.
+	EncodesAsText: bool
+
+	// Serializer is the individual object serializer for this media type.
+	Serializer: #Serializer
+
+	// PrettySerializer, if set, can serialize this object in a form biased towards
+	// readability.
+	PrettySerializer: #Serializer
+
+	// StrictSerializer, if set, deserializes this object strictly,
+	// erring on unknown fields.
+	StrictSerializer: #Serializer
+
+	// StreamSerializer, if set, describes the streaming serialization format
+	// for this media type.
+	StreamSerializer?: null | #StreamSerializerInfo @go(,*StreamSerializerInfo)
+}
+
+// StreamSerializerInfo contains information about a specific stream serialization format
+#StreamSerializerInfo: {
+	// EncodesAsText indicates this serializer can be encoded to UTF-8 safely.
+	EncodesAsText: bool
+
+	// Serializer is the top level object serializer for this type when streaming
+	Serializer: #Serializer
+
+	// Framer is the factory for retrieving streams that separate objects on the wire
+	Framer: #Framer
+}
+
+// NegotiatedSerializer is an interface used for obtaining encoders, decoders, and serializers
+// for multiple supported media types. This would commonly be accepted by a server component
+// that performs HTTP content negotiation to accept multiple formats.
+#NegotiatedSerializer: _
+
+// ClientNegotiator handles turning an HTTP content type into the appropriate encoder.
+// Use NewClientNegotiator or NewVersionedClientNegotiator to create this interface from
+// a NegotiatedSerializer.
+#ClientNegotiator: _
+
+// StorageSerializer is an interface used for obtaining encoders, decoders, and serializers
+// that can read and write data at rest. This would commonly be used by client tools that must
+// read files, or server side storage interfaces that persist restful objects.
+#StorageSerializer: _
+
+// NestedObjectEncoder is an optional interface that objects may implement to be given
+// an opportunity to encode any nested Objects / RawExtensions during serialization.
+#NestedObjectEncoder: _
+
+// NestedObjectDecoder is an optional interface that objects may implement to be given
+// an opportunity to decode any nested Objects / RawExtensions during serialization.
+// It is possible for DecodeNestedObjects to return a non-nil error but for the decoding
+// to have succeeded in the case of strict decoding errors (e.g. unknown/duplicate fields).
+// As such it is important for callers of DecodeNestedObjects to check to confirm whether
+// an error is a runtime.StrictDecodingError before short circuiting.
+// Similarly, implementations of DecodeNestedObjects should ensure that a runtime.StrictDecodingError
+// is only returned when the rest of decoding has succeeded.
+#NestedObjectDecoder: _
+
+#ObjectDefaulter: _
+
+#ObjectVersioner: _
+
+// ObjectConvertor converts an object to a different version.
+#ObjectConvertor: _
+
+// ObjectTyper contains methods for extracting the APIVersion and Kind
+// of objects.
+#ObjectTyper: _
+
+// ObjectCreater contains methods for instantiating an object by kind and version.
+#ObjectCreater: _
+
+// EquivalentResourceMapper provides information about resources that address the same underlying data as a specified resource
+#EquivalentResourceMapper: _
+
+// EquivalentResourceRegistry provides an EquivalentResourceMapper interface,
+// and allows registering known resource[/subresource] -> kind
+#EquivalentResourceRegistry: _
+
+// ResourceVersioner provides methods for setting and retrieving
+// the resource version from an API object.
+#ResourceVersioner: _
+
+// Namer provides methods for retrieving name and namespace of an API object.
+#Namer: _
+
+// Object interface must be supported by all API types registered with Scheme. Since objects in a scheme are
+// expected to be serialized to the wire, the interface an Object must provide to the Scheme allows
+// serializers to set the kind, version, and group the object is represented as. An Object may choose
+// to return a no-op ObjectKindAccessor in cases where it is not expected to be serialized.
+#Object: _
+
+// CacheableObject allows an object to cache its different serializations
+// to avoid performing the same serialization multiple times.
+#CacheableObject: _
+
+// Unstructured objects store values as map[string]interface{}, with only values that can be serialized
+// to JSON allowed.
+#Unstructured: _

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/negotiate_go_gen.cue

@@ -0,0 +1,12 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/runtime
+
+package runtime
+
+// NegotiateError is returned when a ClientNegotiator is unable to locate
+// a serializer for the requested operation.
+#NegotiateError: {
+	ContentType: string
+	Stream:      bool
+}

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/splice_go_gen.cue

@@ -0,0 +1,12 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/runtime
+
+package runtime
+
+// Splice is the interface that wraps the Splice method.
+//
+// Splice moves data from given slice without copying the underlying data for
+// efficiency purpose. Therefore, the caller should make sure the underlying
+// data is not changed later.
+#Splice: _

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/swagger_doc_generator_go_gen.cue

@@ -0,0 +1,14 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/runtime
+
+package runtime
+
+// Pair of strings. We keed the name of fields and the doc
+#Pair: {
+	Name: string
+	Doc:  string
+}
+
+// KubeTypes is an array to represent all available types in a parsed file. [0] is for the type itself
+#KubeTypes: [...#Pair]

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/types_go_gen.cue

@@ -0,0 +1,97 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/runtime
+
+package runtime
+
+// TypeMeta is shared by all top level objects. The proper way to use it is to inline it in your type,
+// like this:
+//
+//	type MyAwesomeAPIObject struct {
+//	     runtime.TypeMeta    `json:",inline"`
+//	     ... // other fields
+//	}
+//
+// func (obj *MyAwesomeAPIObject) SetGroupVersionKind(gvk *metav1.GroupVersionKind) { metav1.UpdateTypeMeta(obj,gvk) }; GroupVersionKind() *GroupVersionKind
+//
+// TypeMeta is provided here for convenience. You may use it directly from this package or define
+// your own with the same fields.
+//
+// +k8s:deepcopy-gen=false
+// +protobuf=true
+// +k8s:openapi-gen=true
+#TypeMeta: {
+	// +optional
+	apiVersion?: string @go(APIVersion) @protobuf(1,bytes,opt)
+
+	// +optional
+	kind?: string @go(Kind) @protobuf(2,bytes,opt)
+}
+
+#ContentTypeJSON:     "application/json"
+#ContentTypeYAML:     "application/yaml"
+#ContentTypeProtobuf: "application/vnd.kubernetes.protobuf"
+
+// RawExtension is used to hold extensions in external versions.
+//
+// To use this, make a field which has RawExtension as its type in your external, versioned
+// struct, and Object in your internal struct. You also need to register your
+// various plugin types.
+//
+// // Internal package:
+//
+//	type MyAPIObject struct {
+//		runtime.TypeMeta `json:",inline"`
+//		MyPlugin runtime.Object `json:"myPlugin"`
+//	}
+//
+//	type PluginA struct {
+//		AOption string `json:"aOption"`
+//	}
+//
+// // External package:
+//
+//	type MyAPIObject struct {
+//		runtime.TypeMeta `json:",inline"`
+//		MyPlugin runtime.RawExtension `json:"myPlugin"`
+//	}
+//
+//	type PluginA struct {
+//		AOption string `json:"aOption"`
+//	}
+//
+// // On the wire, the JSON will look something like this:
+//
+//	{
+//		"kind":"MyAPIObject",
+//		"apiVersion":"v1",
+//		"myPlugin": {
+//			"kind":"PluginA",
+//			"aOption":"foo",
+//		},
+//	}
+//
+// So what happens? Decode first uses json or yaml to unmarshal the serialized data into
+// your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked.
+// The next step is to copy (using pkg/conversion) into the internal struct. The runtime
+// package's DefaultScheme has conversion functions installed which will unpack the
+// JSON stored in RawExtension, turning it into the correct object type, and storing it
+// in the Object. (TODO: In the case where the object is of an unknown type, a
+// runtime.Unknown object will be created and stored.)
+//
+// +k8s:deepcopy-gen=true
+// +protobuf=true
+// +k8s:openapi-gen=true
+#RawExtension: _
+
+// Unknown allows api objects with unknown types to be passed-through. This can be used
+// to deal with the API objects from a plug-in. Unknown objects still have functioning
+// TypeMeta features-- kind, version, etc.
+// TODO: Make this object have easy access to field based accessors and settors for
+// metadata and field mutatation.
+//
+// +k8s:deepcopy-gen=true
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +protobuf=true
+// +k8s:openapi-gen=true
+#Unknown: _

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/types_proto_go_gen.cue

@@ -0,0 +1,9 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/runtime
+
+package runtime
+
+#ProtobufMarshaller: _
+
+#ProtobufReverseMarshaller: _

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/types/doc_go_gen.cue

@@ -0,0 +1,6 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/types
+
+// Package types implements various generic types used throughout kubernetes.
+package types

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/types/namespacedname_go_gen.cue

@@ -0,0 +1,12 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/types
+
+package types
+
+#NamespacedName: {
+	Namespace: string
+	Name:      string
+}
+
+#Separator: 47 // '/'

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/types/nodename_go_gen.cue

@@ -0,0 +1,31 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/types
+
+package types
+
+// NodeName is a type that holds a api.Node's Name identifier.
+// Being a type captures intent and helps make sure that the node name
+// is not confused with similar concepts (the hostname, the cloud provider id,
+// the cloud provider name etc)
+//
+// To clarify the various types:
+//
+//   - Node.Name is the Name field of the Node in the API.  This should be stored in a NodeName.
+//     Unfortunately, because Name is part of ObjectMeta, we can't store it as a NodeName at the API level.
+//
+//   - Hostname is the hostname of the local machine (from uname -n).
+//     However, some components allow the user to pass in a --hostname-override flag,
+//     which will override this in most places. In the absence of anything more meaningful,
+//     kubelet will use Hostname as the Node.Name when it creates the Node.
+//
+// * The cloudproviders have the own names: GCE has InstanceName, AWS has InstanceId.
+//
+//	For GCE, InstanceName is the Name of an Instance object in the GCE API.  On GCE, Instance.Name becomes the
+//	Hostname, and thus it makes sense also to use it as the Node.Name.  But that is GCE specific, and it is up
+//	to the cloudprovider how to do this mapping.
+//
+//	For AWS, the InstanceID is not yet suitable for use as a Node.Name, so we actually use the
+//	PrivateDnsName for the Node.Name.  And this is _not_ always the same as the hostname: if
+//	we are using a custom DHCP domain it won't be.
+#NodeName: string

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/types/patch_go_gen.cue

@@ -0,0 +1,21 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/types
+
+package types
+
+// Similarly to above, these are constants to support HTTP PATCH utilized by
+// both the client and server that didn't make sense for a whole package to be
+// dedicated to.
+#PatchType: string // #enumPatchType
+
+#enumPatchType:
+	#JSONPatchType |
+	#MergePatchType |
+	#StrategicMergePatchType |
+	#ApplyPatchType
+
+#JSONPatchType:           #PatchType & "application/json-patch+json"
+#MergePatchType:          #PatchType & "application/merge-patch+json"
+#StrategicMergePatchType: #PatchType & "application/strategic-merge-patch+json"
+#ApplyPatchType:          #PatchType & "application/apply-patch+yaml"

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/types/uid_go_gen.cue

@@ -0,0 +1,10 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/types
+
+package types
+
+// UID is a type that holds unique ID values, including UUIDs.  Because we
+// don't ONLY use UUIDs, this is an alias to string.  Being a type captures
+// intent and helps make sure that UIDs and names do not get conflated.
+#UID: string

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/util/intstr/intstr_go_gen.cue

@@ -0,0 +1,31 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/util/intstr
+
+package intstr
+
+// IntOrString is a type that can hold an int32 or a string.  When used in
+// JSON or YAML marshalling and unmarshalling, it produces or consumes the
+// inner type.  This allows you to have, for example, a JSON field that can
+// accept a name or number.
+// TODO: Rename to Int32OrString
+//
+// +protobuf=true
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+// +k8s:openapi-gen=true
+#IntOrString: _
+
+// Type represents the stored type of IntOrString.
+#Type: int64 // #enumType
+
+#enumType:
+	#Int |
+	#String
+
+#values_Type: {
+	Int:    #Int
+	String: #String
+}
+
+#Int:    #Type & 0
+#String: #Type & 1

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/watch/doc_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/watch
+
+// Package watch contains a generic watchable interface, and a fake for
+// testing code that uses the watch interface.
+package watch

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/watch/filter_go_gen.cue

@@ -0,0 +1,10 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/watch
+
+package watch
+
+// Recorder records all events that are sent from the watch until it is closed.
+#Recorder: {
+	Interface: #Interface
+}

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/watch/mux_go_gen.cue

@@ -0,0 +1,25 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/watch
+
+package watch
+
+// FullChannelBehavior controls how the Broadcaster reacts if a watcher's watch
+// channel is full.
+#FullChannelBehavior: int // #enumFullChannelBehavior
+
+#enumFullChannelBehavior:
+	#WaitIfChannelFull |
+	#DropIfChannelFull
+
+#values_FullChannelBehavior: {
+	WaitIfChannelFull: #WaitIfChannelFull
+	DropIfChannelFull: #DropIfChannelFull
+}
+
+#WaitIfChannelFull: #FullChannelBehavior & 0
+#DropIfChannelFull: #FullChannelBehavior & 1
+
+_#incomingQueueLength: 25
+
+_#internalRunFunctionMarker: "internal-do-function"

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/watch/streamwatcher_go_gen.cue

@@ -0,0 +1,12 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/watch
+
+package watch
+
+// Decoder allows StreamWatcher to watch any stream for which a Decoder can be written.
+#Decoder: _
+
+// Reporter hides the details of how an error is turned into a runtime.Object for
+// reporting on a watch stream since this package may not import a higher level report.
+#Reporter: _

docs/examples/cue.mod/gen/k8s.io/apimachinery/pkg/watch/watch_go_gen.cue

@@ -0,0 +1,48 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/watch
+
+package watch
+
+import "k8s.io/apimachinery/pkg/runtime"
+
+// Interface can be implemented by anything that knows how to watch and report changes.
+#Interface: _
+
+// EventType defines the possible types of events.
+#EventType: string // #enumEventType
+
+#enumEventType:
+	#Added |
+	#Modified |
+	#Deleted |
+	#Bookmark |
+	#Error
+
+#Added:    #EventType & "ADDED"
+#Modified: #EventType & "MODIFIED"
+#Deleted:  #EventType & "DELETED"
+#Bookmark: #EventType & "BOOKMARK"
+#Error:    #EventType & "ERROR"
+
+// Event represents a single event to a watched resource.
+// +k8s:deepcopy-gen=true
+#Event: {
+	Type: #EventType
+
+	// Object is:
+	//  * If Type is Added or Modified: the new state of the object.
+	//  * If Type is Deleted: the state of the object immediately before deletion.
+	//  * If Type is Bookmark: the object (instance of a type being watched) where
+	//    only ResourceVersion field is set. On successful restart of watch from a
+	//    bookmark resourceVersion, client is guaranteed to not get repeat event
+	//    nor miss any events.
+	//  * If Type is Error: *api.Status is recommended; other types may make sense
+	//    depending on context.
+	Object: runtime.#Object
+}
+
+// RaceFreeFakeWatcher lets you test anything that consumes a watch.Interface; threadsafe.
+#RaceFreeFakeWatcher: {
+	Stopped: bool
+}

docs/examples/cue.mod/gen/kustomize.toolkit.fluxcd.io/kustomization/v1/types_gen.cue

@@ -0,0 +1,286 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1
+
+import "strings"
+
+// Kustomization is the Schema for the kustomizations API.
+#Kustomization: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "kustomize.toolkit.fluxcd.io/v1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Kustomization"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// KustomizationSpec defines the configuration to calculate the
+	// desired state from a Source using Kustomize.
+	spec!: #KustomizationSpec
+}
+
+// KustomizationSpec defines the configuration to calculate the
+// desired state from a Source using Kustomize.
+#KustomizationSpec: {
+	// CommonMetadata specifies the common labels and annotations that
+	// are applied to all resources. Any existing label or annotation
+	// will be overridden if its key matches a common one.
+	commonMetadata?: {
+		// Annotations to be added to the object's metadata.
+		annotations?: {
+			[string]: string
+		}
+
+		// Labels to be added to the object's metadata.
+		labels?: {
+			[string]: string
+		}
+	}
+
+	// Components specifies relative paths to specifications of other
+	// Components.
+	components?: [...string]
+
+	// Decrypt Kubernetes secrets before applying them on the cluster.
+	decryption?: {
+		// Provider is the name of the decryption engine.
+		provider: "sops"
+		secretRef?: {
+			// Name of the referent.
+			name: string
+		}
+	}
+
+	// DependsOn may contain a meta.NamespacedObjectReference slice
+	// with references to Kustomization resources that must be ready
+	// before this Kustomization can be reconciled.
+	dependsOn?: [...{
+		// Name of the referent.
+		name: string
+
+		// Namespace of the referent, when not specified it acts as
+		// LocalObjectReference.
+		namespace?: string
+	}]
+
+	// Force instructs the controller to recreate resources when
+	// patching fails due to an immutable field change.
+	force?: bool | *false
+
+	// A list of resources to be included in the health assessment.
+	healthChecks?: [...{
+		// API version of the referent, if not specified the Kubernetes
+		// preferred version will be used.
+		apiVersion?: string
+
+		// Kind of the referent.
+		kind: string
+
+		// Name of the referent.
+		name: string
+
+		// Namespace of the referent, when not specified it acts as
+		// LocalObjectReference.
+		namespace?: string
+	}]
+
+	// Images is a list of (image name, new name, new tag or digest)
+	// for changing image names, tags or digests. This can also be
+	// achieved with a patch, but this operator is simpler to
+	// specify.
+	images?: [...{
+		// Digest is the value used to replace the original image tag. If
+		// digest is present NewTag value is ignored.
+		digest?: string
+
+		// Name is a tag-less image name.
+		name: string
+
+		// NewName is the value used to replace the original name.
+		newName?: string
+
+		// NewTag is the value used to replace the original tag.
+		newTag?: string
+	}]
+
+	// The interval at which to reconcile the Kustomization. This
+	// interval is approximate and may be subject to jitter to ensure
+	// efficient use of resources.
+	interval: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	kubeConfig?: {
+		// SecretRef holds the name of a secret that contains a key with
+		// the kubeconfig file as the value. If no key is set, the key
+		// will default to 'value'. It is recommended that the kubeconfig
+		// is self-contained, and the secret is regularly updated if
+		// credentials such as a cloud-access-token expire. Cloud
+		// specific `cmd-path` auth helpers will not function without
+		// adding binaries and credentials to the Pod that is responsible
+		// for reconciling Kubernetes resources.
+		secretRef: {
+			// Key in the Secret, when not specified an
+			// implementation-specific default key is used.
+			key?: string
+
+			// Name of the Secret.
+			name: string
+		}
+	}
+
+	// Strategic merge and JSON patches, defined as inline YAML
+	// objects, capable of targeting objects based on kind, label and
+	// annotation selectors.
+	patches?: [...{
+		// Patch contains an inline StrategicMerge patch or an inline
+		// JSON6902 patch with an array of operation objects.
+		patch: string
+
+		// Target points to the resources that the patch document should
+		// be applied to.
+		target?: {
+			// AnnotationSelector is a string that follows the label selection
+			// expression
+			// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+			// It matches with the resource annotations.
+			annotationSelector?: string
+
+			// Group is the API group to select resources from. Together with
+			// Version and Kind it is capable of unambiguously identifying
+			// and/or selecting resources.
+			// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+			group?: string
+
+			// Kind of the API Group to select resources from. Together with
+			// Group and Version it is capable of unambiguously identifying
+			// and/or selecting resources.
+			// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+			kind?: string
+
+			// LabelSelector is a string that follows the label selection
+			// expression
+			// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+			// It matches with the resource labels.
+			labelSelector?: string
+
+			// Name to match resources with.
+			name?: string
+
+			// Namespace to select resources from.
+			namespace?: string
+
+			// Version of the API Group to select resources from. Together
+			// with Group and Kind it is capable of unambiguously identifying
+			// and/or selecting resources.
+			// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+			version?: string
+		}
+	}]
+
+	// Path to the directory containing the kustomization.yaml file,
+	// or the set of plain YAMLs a kustomization.yaml should be
+	// generated for. Defaults to 'None', which translates to the
+	// root path of the SourceRef.
+	path?: string
+
+	// PostBuild describes which actions to perform on the YAML
+	// manifest generated by building the kustomize overlay.
+	postBuild?: {
+		// Substitute holds a map of key/value pairs. The variables
+		// defined in your YAML manifests that match any of the keys
+		// defined in the map will be substituted with the set value.
+		// Includes support for bash string replacement functions e.g.
+		// ${var:=default}, ${var:position} and
+		// ${var/substring/replacement}.
+		substitute?: {
+			[string]: string
+		}
+
+		// SubstituteFrom holds references to ConfigMaps and Secrets
+		// containing the variables and their values to be substituted in
+		// the YAML manifests. The ConfigMap and the Secret data keys
+		// represent the var names, and they must match the vars declared
+		// in the manifests for the substitution to happen.
+		substituteFrom?: [...{
+			// Kind of the values referent, valid values are ('Secret',
+			// 'ConfigMap').
+			kind: "Secret" | "ConfigMap"
+
+			// Name of the values referent. Should reside in the same
+			// namespace as the referring resource.
+			name: strings.MaxRunes(253) & strings.MinRunes(1)
+
+			// Optional indicates whether the referenced resource must exist,
+			// or whether to tolerate its absence. If true and the referenced
+			// resource is absent, proceed as if the resource was present but
+			// empty, without any variables defined.
+			optional?: bool | *false
+		}]
+	}
+
+	// Prune enables garbage collection.
+	prune: bool
+
+	// The interval at which to retry a previously failed
+	// reconciliation. When not specified, the controller uses the
+	// KustomizationSpec.Interval value to retry failures.
+	retryInterval?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+
+	// The name of the Kubernetes service account to impersonate when
+	// reconciling this Kustomization.
+	serviceAccountName?: string
+
+	// Reference of the source where the kustomization file is.
+	sourceRef: {
+		// API version of the referent.
+		apiVersion?: string
+
+		// Kind of the referent.
+		kind: "OCIRepository" | "GitRepository" | "Bucket"
+
+		// Name of the referent.
+		name: string
+
+		// Namespace of the referent, defaults to the namespace of the
+		// Kubernetes resource object that contains the reference.
+		namespace?: string
+	}
+
+	// This flag tells the controller to suspend subsequent kustomize
+	// executions, it does not apply to already started executions.
+	// Defaults to false.
+	suspend?: bool
+
+	// TargetNamespace sets or overrides the namespace in the
+	// kustomization.yaml file.
+	targetNamespace?: strings.MaxRunes(63) & strings.MinRunes(1)
+
+	// Timeout for validation, apply and health checking operations.
+	// Defaults to 'Interval' duration.
+	timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+
+	// Wait instructs the controller to check the health of all the
+	// reconciled resources. When enabled, the HealthChecks are
+	// ignored. Defaults to false.
+	wait?: bool
+}

docs/examples/cue.mod/gen/kustomize.toolkit.fluxcd.io/kustomization/v1beta1/types_gen.cue

@@ -0,0 +1,319 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta1
+
+import "strings"
+
+// Kustomization is the Schema for the kustomizations API.
+#Kustomization: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "kustomize.toolkit.fluxcd.io/v1beta1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Kustomization"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// KustomizationSpec defines the desired state of a kustomization.
+	spec!: #KustomizationSpec
+}
+
+// KustomizationSpec defines the desired state of a kustomization.
+#KustomizationSpec: {
+	// Decrypt Kubernetes secrets before applying them on the cluster.
+	decryption?: {
+		// Provider is the name of the decryption engine.
+		provider: "sops"
+		secretRef?: {
+			// Name of the referent.
+			name: string
+		}
+	}
+
+	// DependsOn may contain a meta.NamespacedObjectReference slice
+	// with references to Kustomization resources that must be ready
+	// before this Kustomization can be reconciled.
+	dependsOn?: [...{
+		// Name of the referent.
+		name: string
+
+		// Namespace of the referent, when not specified it acts as
+		// LocalObjectReference.
+		namespace?: string
+	}]
+
+	// Force instructs the controller to recreate resources when
+	// patching fails due to an immutable field change.
+	force?: bool | *false
+
+	// A list of resources to be included in the health assessment.
+	healthChecks?: [...{
+		// API version of the referent, if not specified the Kubernetes
+		// preferred version will be used.
+		apiVersion?: string
+
+		// Kind of the referent.
+		kind: string
+
+		// Name of the referent.
+		name: string
+
+		// Namespace of the referent, when not specified it acts as
+		// LocalObjectReference.
+		namespace?: string
+	}]
+
+	// Images is a list of (image name, new name, new tag or digest)
+	// for changing image names, tags or digests. This can also be
+	// achieved with a patch, but this operator is simpler to
+	// specify.
+	images?: [...{
+		// Digest is the value used to replace the original image tag. If
+		// digest is present NewTag value is ignored.
+		digest?: string
+
+		// Name is a tag-less image name.
+		name: string
+
+		// NewName is the value used to replace the original name.
+		newName?: string
+
+		// NewTag is the value used to replace the original tag.
+		newTag?: string
+	}]
+
+	// The interval at which to reconcile the Kustomization.
+	interval: string
+	kubeConfig?: {
+		secretRef?: {
+			// Name of the referent.
+			name: string
+		}
+	}
+
+	// Strategic merge and JSON patches, defined as inline YAML
+	// objects, capable of targeting objects based on kind, label and
+	// annotation selectors.
+	patches?: [...{
+		// Patch contains an inline StrategicMerge patch or an inline
+		// JSON6902 patch with an array of operation objects.
+		patch: string
+
+		// Target points to the resources that the patch document should
+		// be applied to.
+		target?: {
+			// AnnotationSelector is a string that follows the label selection
+			// expression
+			// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+			// It matches with the resource annotations.
+			annotationSelector?: string
+
+			// Group is the API group to select resources from. Together with
+			// Version and Kind it is capable of unambiguously identifying
+			// and/or selecting resources.
+			// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+			group?: string
+
+			// Kind of the API Group to select resources from. Together with
+			// Group and Version it is capable of unambiguously identifying
+			// and/or selecting resources.
+			// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+			kind?: string
+
+			// LabelSelector is a string that follows the label selection
+			// expression
+			// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+			// It matches with the resource labels.
+			labelSelector?: string
+
+			// Name to match resources with.
+			name?: string
+
+			// Namespace to select resources from.
+			namespace?: string
+
+			// Version of the API Group to select resources from. Together
+			// with Group and Kind it is capable of unambiguously identifying
+			// and/or selecting resources.
+			// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+			version?: string
+		}
+	}]
+
+	// JSON 6902 patches, defined as inline YAML objects.
+	patchesJson6902?: [...{
+		// Patch contains the JSON6902 patch document with an array of
+		// operation objects.
+		patch: [...{
+			// From contains a JSON-pointer value that references a location
+			// within the target document where the operation is performed.
+			// The meaning of the value depends on the value of Op, and is
+			// NOT taken into account by all operations.
+			from?: string
+
+			// Op indicates the operation to perform. Its value MUST be one of
+			// "add", "remove", "replace", "move", "copy", or "test".
+			// https://datatracker.ietf.org/doc/html/rfc6902#section-4
+			op: "test" | "remove" | "add" | "replace" | "move" | "copy"
+
+			// Path contains the JSON-pointer value that references a location
+			// within the target document where the operation is performed.
+			// The meaning of the value depends on the value of Op.
+			path: string
+
+			// Value contains a valid JSON structure. The meaning of the value
+			// depends on the value of Op, and is NOT taken into account by
+			// all operations.
+			value?: _
+		}]
+
+		// Target points to the resources that the patch document should
+		// be applied to.
+		target: {
+			// AnnotationSelector is a string that follows the label selection
+			// expression
+			// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+			// It matches with the resource annotations.
+			annotationSelector?: string
+
+			// Group is the API group to select resources from. Together with
+			// Version and Kind it is capable of unambiguously identifying
+			// and/or selecting resources.
+			// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+			group?: string
+
+			// Kind of the API Group to select resources from. Together with
+			// Group and Version it is capable of unambiguously identifying
+			// and/or selecting resources.
+			// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+			kind?: string
+
+			// LabelSelector is a string that follows the label selection
+			// expression
+			// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+			// It matches with the resource labels.
+			labelSelector?: string
+
+			// Name to match resources with.
+			name?: string
+
+			// Namespace to select resources from.
+			namespace?: string
+
+			// Version of the API Group to select resources from. Together
+			// with Group and Kind it is capable of unambiguously identifying
+			// and/or selecting resources.
+			// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+			version?: string
+		}
+	}]
+
+	// Strategic merge patches, defined as inline YAML objects.
+	patchesStrategicMerge?: [...]
+
+	// Path to the directory containing the kustomization.yaml file,
+	// or the set of plain YAMLs a kustomization.yaml should be
+	// generated for. Defaults to 'None', which translates to the
+	// root path of the SourceRef.
+	path?: string
+
+	// PostBuild describes which actions to perform on the YAML
+	// manifest generated by building the kustomize overlay.
+	postBuild?: {
+		// Substitute holds a map of key/value pairs. The variables
+		// defined in your YAML manifests that match any of the keys
+		// defined in the map will be substituted with the set value.
+		// Includes support for bash string replacement functions e.g.
+		// ${var:=default}, ${var:position} and
+		// ${var/substring/replacement}.
+		substitute?: {
+			[string]: string
+		}
+
+		// SubstituteFrom holds references to ConfigMaps and Secrets
+		// containing the variables and their values to be substituted in
+		// the YAML manifests. The ConfigMap and the Secret data keys
+		// represent the var names and they must match the vars declared
+		// in the manifests for the substitution to happen.
+		substituteFrom?: [...{
+			// Kind of the values referent, valid values are ('Secret',
+			// 'ConfigMap').
+			kind: "Secret" | "ConfigMap"
+
+			// Name of the values referent. Should reside in the same
+			// namespace as the referring resource.
+			name: strings.MaxRunes(253) & strings.MinRunes(1)
+		}]
+	}
+
+	// Prune enables garbage collection.
+	prune: bool
+
+	// The interval at which to retry a previously failed
+	// reconciliation. When not specified, the controller uses the
+	// KustomizationSpec.Interval value to retry failures.
+	retryInterval?: string
+
+	// The name of the Kubernetes service account to impersonate when
+	// reconciling this Kustomization.
+	serviceAccountName?: string
+
+	// Reference of the source where the kustomization file is.
+	sourceRef: {
+		// API version of the referent
+		apiVersion?: string
+
+		// Kind of the referent
+		kind: "GitRepository" | "Bucket"
+
+		// Name of the referent
+		name: string
+
+		// Namespace of the referent, defaults to the Kustomization
+		// namespace
+		namespace?: string
+	}
+
+	// This flag tells the controller to suspend subsequent kustomize
+	// executions, it does not apply to already started executions.
+	// Defaults to false.
+	suspend?: bool
+
+	// TargetNamespace sets or overrides the namespace in the
+	// kustomization.yaml file.
+	targetNamespace?: strings.MaxRunes(63) & strings.MinRunes(1)
+
+	// Timeout for validation, apply and health checking operations.
+	// Defaults to 'Interval' duration.
+	timeout?: string
+
+	// Validate the Kubernetes objects before applying them on the
+	// cluster. The validation strategy can be 'client' (local
+	// dry-run), 'server' (APIServer dry-run) or 'none'. When 'Force'
+	// is 'true', validation will fallback to 'client' if set to
+	// 'server' because server-side validation is not supported in
+	// this scenario.
+	validation?: "none" | "client" | "server"
+}

docs/examples/cue.mod/gen/kustomize.toolkit.fluxcd.io/kustomization/v1beta2/types_gen.cue

@@ -0,0 +1,360 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta2
+
+import "strings"
+
+// Kustomization is the Schema for the kustomizations API.
+#Kustomization: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "kustomize.toolkit.fluxcd.io/v1beta2"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Kustomization"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// KustomizationSpec defines the configuration to calculate the
+	// desired state from a Source using Kustomize.
+	spec!: #KustomizationSpec
+}
+
+// KustomizationSpec defines the configuration to calculate the
+// desired state from a Source using Kustomize.
+#KustomizationSpec: {
+	// CommonMetadata specifies the common labels and annotations that
+	// are applied to all resources. Any existing label or annotation
+	// will be overridden if its key matches a common one.
+	commonMetadata?: {
+		// Annotations to be added to the object's metadata.
+		annotations?: {
+			[string]: string
+		}
+
+		// Labels to be added to the object's metadata.
+		labels?: {
+			[string]: string
+		}
+	}
+
+	// Components specifies relative paths to specifications of other
+	// Components.
+	components?: [...string]
+
+	// Decrypt Kubernetes secrets before applying them on the cluster.
+	decryption?: {
+		// Provider is the name of the decryption engine.
+		provider: "sops"
+		secretRef?: {
+			// Name of the referent.
+			name: string
+		}
+	}
+
+	// DependsOn may contain a meta.NamespacedObjectReference slice
+	// with references to Kustomization resources that must be ready
+	// before this Kustomization can be reconciled.
+	dependsOn?: [...{
+		// Name of the referent.
+		name: string
+
+		// Namespace of the referent, when not specified it acts as
+		// LocalObjectReference.
+		namespace?: string
+	}]
+
+	// Force instructs the controller to recreate resources when
+	// patching fails due to an immutable field change.
+	force?: bool | *false
+
+	// A list of resources to be included in the health assessment.
+	healthChecks?: [...{
+		// API version of the referent, if not specified the Kubernetes
+		// preferred version will be used.
+		apiVersion?: string
+
+		// Kind of the referent.
+		kind: string
+
+		// Name of the referent.
+		name: string
+
+		// Namespace of the referent, when not specified it acts as
+		// LocalObjectReference.
+		namespace?: string
+	}]
+
+	// Images is a list of (image name, new name, new tag or digest)
+	// for changing image names, tags or digests. This can also be
+	// achieved with a patch, but this operator is simpler to
+	// specify.
+	images?: [...{
+		// Digest is the value used to replace the original image tag. If
+		// digest is present NewTag value is ignored.
+		digest?: string
+
+		// Name is a tag-less image name.
+		name: string
+
+		// NewName is the value used to replace the original name.
+		newName?: string
+
+		// NewTag is the value used to replace the original tag.
+		newTag?: string
+	}]
+
+	// The interval at which to reconcile the Kustomization.
+	interval: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	kubeConfig?: {
+		// SecretRef holds the name of a secret that contains a key with
+		// the kubeconfig file as the value. If no key is set, the key
+		// will default to 'value'. It is recommended that the kubeconfig
+		// is self-contained, and the secret is regularly updated if
+		// credentials such as a cloud-access-token expire. Cloud
+		// specific `cmd-path` auth helpers will not function without
+		// adding binaries and credentials to the Pod that is responsible
+		// for reconciling Kubernetes resources.
+		secretRef: {
+			// Key in the Secret, when not specified an
+			// implementation-specific default key is used.
+			key?: string
+
+			// Name of the Secret.
+			name: string
+		}
+	}
+
+	// Strategic merge and JSON patches, defined as inline YAML
+	// objects, capable of targeting objects based on kind, label and
+	// annotation selectors.
+	patches?: [...{
+		// Patch contains an inline StrategicMerge patch or an inline
+		// JSON6902 patch with an array of operation objects.
+		patch: string
+
+		// Target points to the resources that the patch document should
+		// be applied to.
+		target?: {
+			// AnnotationSelector is a string that follows the label selection
+			// expression
+			// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+			// It matches with the resource annotations.
+			annotationSelector?: string
+
+			// Group is the API group to select resources from. Together with
+			// Version and Kind it is capable of unambiguously identifying
+			// and/or selecting resources.
+			// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+			group?: string
+
+			// Kind of the API Group to select resources from. Together with
+			// Group and Version it is capable of unambiguously identifying
+			// and/or selecting resources.
+			// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+			kind?: string
+
+			// LabelSelector is a string that follows the label selection
+			// expression
+			// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+			// It matches with the resource labels.
+			labelSelector?: string
+
+			// Name to match resources with.
+			name?: string
+
+			// Namespace to select resources from.
+			namespace?: string
+
+			// Version of the API Group to select resources from. Together
+			// with Group and Kind it is capable of unambiguously identifying
+			// and/or selecting resources.
+			// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+			version?: string
+		}
+	}]
+
+	// JSON 6902 patches, defined as inline YAML objects. Deprecated:
+	// Use Patches instead.
+	patchesJson6902?: [...{
+		// Patch contains the JSON6902 patch document with an array of
+		// operation objects.
+		patch: [...{
+			// From contains a JSON-pointer value that references a location
+			// within the target document where the operation is performed.
+			// The meaning of the value depends on the value of Op, and is
+			// NOT taken into account by all operations.
+			from?: string
+
+			// Op indicates the operation to perform. Its value MUST be one of
+			// "add", "remove", "replace", "move", "copy", or "test".
+			// https://datatracker.ietf.org/doc/html/rfc6902#section-4
+			op: "test" | "remove" | "add" | "replace" | "move" | "copy"
+
+			// Path contains the JSON-pointer value that references a location
+			// within the target document where the operation is performed.
+			// The meaning of the value depends on the value of Op.
+			path: string
+
+			// Value contains a valid JSON structure. The meaning of the value
+			// depends on the value of Op, and is NOT taken into account by
+			// all operations.
+			value?: _
+		}]
+
+		// Target points to the resources that the patch document should
+		// be applied to.
+		target: {
+			// AnnotationSelector is a string that follows the label selection
+			// expression
+			// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+			// It matches with the resource annotations.
+			annotationSelector?: string
+
+			// Group is the API group to select resources from. Together with
+			// Version and Kind it is capable of unambiguously identifying
+			// and/or selecting resources.
+			// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+			group?: string
+
+			// Kind of the API Group to select resources from. Together with
+			// Group and Version it is capable of unambiguously identifying
+			// and/or selecting resources.
+			// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+			kind?: string
+
+			// LabelSelector is a string that follows the label selection
+			// expression
+			// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+			// It matches with the resource labels.
+			labelSelector?: string
+
+			// Name to match resources with.
+			name?: string
+
+			// Namespace to select resources from.
+			namespace?: string
+
+			// Version of the API Group to select resources from. Together
+			// with Group and Kind it is capable of unambiguously identifying
+			// and/or selecting resources.
+			// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+			version?: string
+		}
+	}]
+
+	// Strategic merge patches, defined as inline YAML objects.
+	// Deprecated: Use Patches instead.
+	patchesStrategicMerge?: [...]
+
+	// Path to the directory containing the kustomization.yaml file,
+	// or the set of plain YAMLs a kustomization.yaml should be
+	// generated for. Defaults to 'None', which translates to the
+	// root path of the SourceRef.
+	path?: string
+
+	// PostBuild describes which actions to perform on the YAML
+	// manifest generated by building the kustomize overlay.
+	postBuild?: {
+		// Substitute holds a map of key/value pairs. The variables
+		// defined in your YAML manifests that match any of the keys
+		// defined in the map will be substituted with the set value.
+		// Includes support for bash string replacement functions e.g.
+		// ${var:=default}, ${var:position} and
+		// ${var/substring/replacement}.
+		substitute?: {
+			[string]: string
+		}
+
+		// SubstituteFrom holds references to ConfigMaps and Secrets
+		// containing the variables and their values to be substituted in
+		// the YAML manifests. The ConfigMap and the Secret data keys
+		// represent the var names and they must match the vars declared
+		// in the manifests for the substitution to happen.
+		substituteFrom?: [...{
+			// Kind of the values referent, valid values are ('Secret',
+			// 'ConfigMap').
+			kind: "Secret" | "ConfigMap"
+
+			// Name of the values referent. Should reside in the same
+			// namespace as the referring resource.
+			name: strings.MaxRunes(253) & strings.MinRunes(1)
+
+			// Optional indicates whether the referenced resource must exist,
+			// or whether to tolerate its absence. If true and the referenced
+			// resource is absent, proceed as if the resource was present but
+			// empty, without any variables defined.
+			optional?: bool | *false
+		}]
+	}
+
+	// Prune enables garbage collection.
+	prune: bool
+
+	// The interval at which to retry a previously failed
+	// reconciliation. When not specified, the controller uses the
+	// KustomizationSpec.Interval value to retry failures.
+	retryInterval?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+
+	// The name of the Kubernetes service account to impersonate when
+	// reconciling this Kustomization.
+	serviceAccountName?: string
+
+	// Reference of the source where the kustomization file is.
+	sourceRef: {
+		// API version of the referent.
+		apiVersion?: string
+
+		// Kind of the referent.
+		kind: "OCIRepository" | "GitRepository" | "Bucket"
+
+		// Name of the referent.
+		name: string
+
+		// Namespace of the referent, defaults to the namespace of the
+		// Kubernetes resource object that contains the reference.
+		namespace?: string
+	}
+
+	// This flag tells the controller to suspend subsequent kustomize
+	// executions, it does not apply to already started executions.
+	// Defaults to false.
+	suspend?: bool
+
+	// TargetNamespace sets or overrides the namespace in the
+	// kustomization.yaml file.
+	targetNamespace?: strings.MaxRunes(63) & strings.MinRunes(1)
+
+	// Timeout for validation, apply and health checking operations.
+	// Defaults to 'Interval' duration.
+	timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+
+	// Deprecated: Not used in v1beta2.
+	validation?: "none" | "client" | "server"
+
+	// Wait instructs the controller to check the health of all the
+	// reconciled resources. When enabled, the HealthChecks are
+	// ignored. Defaults to false.
+	wait?: bool
+}

docs/examples/cue.mod/gen/notification.toolkit.fluxcd.io/alert/v1beta1/types_gen.cue

@@ -0,0 +1,89 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta1
+
+import "strings"
+
+// Alert is the Schema for the alerts API
+#Alert: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "notification.toolkit.fluxcd.io/v1beta1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Alert"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// AlertSpec defines an alerting rule for events involving a list
+	// of objects
+	spec!: #AlertSpec
+}
+
+// AlertSpec defines an alerting rule for events involving a list
+// of objects
+#AlertSpec: {
+	// Filter events based on severity, defaults to ('info'). If set
+	// to 'info' no events will be filtered.
+	eventSeverity?: "info" | "error" | *"info"
+
+	// Filter events based on the involved objects.
+	eventSources: [...{
+		// API version of the referent
+		apiVersion?: string
+
+		// Kind of the referent
+		kind?: "Bucket" | "GitRepository" | "Kustomization" | "HelmRelease" | "HelmChart" | "HelmRepository" | "ImageRepository" | "ImagePolicy" | "ImageUpdateAutomation" | "OCIRepository"
+
+		// MatchLabels is a map of {key,value} pairs. A single {key,value}
+		// in the matchLabels map is equivalent to an element of
+		// matchExpressions, whose key field is "key", the operator is
+		// "In", and the values array contains only "value". The
+		// requirements are ANDed.
+		matchLabels?: {
+			[string]: string
+		}
+
+		// Name of the referent
+		name: strings.MaxRunes(53) & strings.MinRunes(1)
+
+		// Namespace of the referent
+		namespace?: strings.MaxRunes(53) & strings.MinRunes(1)
+	}]
+
+	// A list of Golang regular expressions to be used for excluding
+	// messages.
+	exclusionList?: [...string]
+	providerRef: {
+		// Name of the referent.
+		name: string
+	}
+
+	// Short description of the impact and affected cluster.
+	summary?: string
+
+	// This flag tells the controller to suspend subsequent events
+	// dispatching. Defaults to false.
+	suspend?: bool
+}

docs/examples/cue.mod/gen/notification.toolkit.fluxcd.io/alert/v1beta2/types_gen.cue

@@ -0,0 +1,107 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta2
+
+import "strings"
+
+// Alert is the Schema for the alerts API
+#Alert: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "notification.toolkit.fluxcd.io/v1beta2"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Alert"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// AlertSpec defines an alerting rule for events involving a list
+	// of objects.
+	spec!: #AlertSpec
+}
+
+// AlertSpec defines an alerting rule for events involving a list
+// of objects.
+#AlertSpec: {
+	// EventMetadata is an optional field for adding metadata to
+	// events dispatched by the controller. This can be used for
+	// enhancing the context of the event. If a field would override
+	// one already present on the original event as generated by the
+	// emitter, then the override doesn't happen, i.e. the original
+	// value is preserved, and an info log is printed.
+	eventMetadata?: {
+		[string]: string
+	}
+
+	// EventSeverity specifies how to filter events based on severity.
+	// If set to 'info' no events will be filtered.
+	eventSeverity?: "info" | "error" | *"info"
+
+	// EventSources specifies how to filter events based on the
+	// involved object kind, name and namespace.
+	eventSources: [...{
+		// API version of the referent
+		apiVersion?: string
+
+		// Kind of the referent
+		kind: "Bucket" | "GitRepository" | "Kustomization" | "HelmRelease" | "HelmChart" | "HelmRepository" | "ImageRepository" | "ImagePolicy" | "ImageUpdateAutomation" | "OCIRepository"
+
+		// MatchLabels is a map of {key,value} pairs. A single {key,value}
+		// in the matchLabels map is equivalent to an element of
+		// matchExpressions, whose key field is "key", the operator is
+		// "In", and the values array contains only "value". The
+		// requirements are ANDed. MatchLabels requires the name to be
+		// set to `*`.
+		matchLabels?: {
+			[string]: string
+		}
+
+		// Name of the referent If multiple resources are targeted `*` may
+		// be set.
+		name: strings.MaxRunes(53) & strings.MinRunes(1)
+
+		// Namespace of the referent
+		namespace?: strings.MaxRunes(53) & strings.MinRunes(1)
+	}]
+
+	// ExclusionList specifies a list of Golang regular expressions to
+	// be used for excluding messages.
+	exclusionList?: [...string]
+
+	// InclusionList specifies a list of Golang regular expressions to
+	// be used for including messages.
+	inclusionList?: [...string]
+	providerRef: {
+		// Name of the referent.
+		name: string
+	}
+
+	// Summary holds a short description of the impact and affected
+	// cluster.
+	summary?: strings.MaxRunes(255)
+
+	// Suspend tells the controller to suspend subsequent events
+	// handling for this Alert.
+	suspend?: bool
+}

docs/examples/cue.mod/gen/notification.toolkit.fluxcd.io/alert/v1beta3/types_gen.cue

@@ -0,0 +1,107 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta3
+
+import "strings"
+
+// Alert is the Schema for the alerts API
+#Alert: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "notification.toolkit.fluxcd.io/v1beta3"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Alert"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// AlertSpec defines an alerting rule for events involving a list
+	// of objects.
+	spec!: #AlertSpec
+}
+
+// AlertSpec defines an alerting rule for events involving a list
+// of objects.
+#AlertSpec: {
+	// EventMetadata is an optional field for adding metadata to
+	// events dispatched by the controller. This can be used for
+	// enhancing the context of the event. If a field would override
+	// one already present on the original event as generated by the
+	// emitter, then the override doesn't happen, i.e. the original
+	// value is preserved, and an info log is printed.
+	eventMetadata?: {
+		[string]: string
+	}
+
+	// EventSeverity specifies how to filter events based on severity.
+	// If set to 'info' no events will be filtered.
+	eventSeverity?: "info" | "error" | *"info"
+
+	// EventSources specifies how to filter events based on the
+	// involved object kind, name and namespace.
+	eventSources: [...{
+		// API version of the referent
+		apiVersion?: string
+
+		// Kind of the referent
+		kind: "Bucket" | "GitRepository" | "Kustomization" | "HelmRelease" | "HelmChart" | "HelmRepository" | "ImageRepository" | "ImagePolicy" | "ImageUpdateAutomation" | "OCIRepository"
+
+		// MatchLabels is a map of {key,value} pairs. A single {key,value}
+		// in the matchLabels map is equivalent to an element of
+		// matchExpressions, whose key field is "key", the operator is
+		// "In", and the values array contains only "value". The
+		// requirements are ANDed. MatchLabels requires the name to be
+		// set to `*`.
+		matchLabels?: {
+			[string]: string
+		}
+
+		// Name of the referent If multiple resources are targeted `*` may
+		// be set.
+		name: strings.MaxRunes(53) & strings.MinRunes(1)
+
+		// Namespace of the referent
+		namespace?: strings.MaxRunes(53) & strings.MinRunes(1)
+	}]
+
+	// ExclusionList specifies a list of Golang regular expressions to
+	// be used for excluding messages.
+	exclusionList?: [...string]
+
+	// InclusionList specifies a list of Golang regular expressions to
+	// be used for including messages.
+	inclusionList?: [...string]
+	providerRef: {
+		// Name of the referent.
+		name: string
+	}
+
+	// Summary holds a short description of the impact and affected
+	// cluster.
+	summary?: strings.MaxRunes(255)
+
+	// Suspend tells the controller to suspend subsequent events
+	// handling for this Alert.
+	suspend?: bool
+}

docs/examples/cue.mod/gen/notification.toolkit.fluxcd.io/provider/v1beta1/types_gen.cue

@@ -0,0 +1,74 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta1
+
+import "strings"
+
+// Provider is the Schema for the providers API
+#Provider: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "notification.toolkit.fluxcd.io/v1beta1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Provider"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// ProviderSpec defines the desired state of Provider
+	spec!: #ProviderSpec
+}
+
+// ProviderSpec defines the desired state of Provider
+#ProviderSpec: {
+	// HTTP/S webhook address of this provider
+	address?: =~"^(http|https)://"
+	certSecretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// Alert channel for this provider
+	channel?: string
+
+	// HTTP/S address of the proxy
+	proxy?: =~"^(http|https)://"
+	secretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// This flag tells the controller to suspend subsequent events
+	// handling. Defaults to false.
+	suspend?: bool
+
+	// Timeout for sending alerts to the provider.
+	timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m))+$"
+
+	// Type of provider
+	type: "slack" | "discord" | "msteams" | "rocket" | "generic" | "generic-hmac" | "github" | "gitlab" | "bitbucket" | "azuredevops" | "googlechat" | "webex" | "sentry" | "azureeventhub" | "telegram" | "lark" | "matrix" | "opsgenie" | "alertmanager" | "grafana" | "githubdispatch"
+
+	// Bot username for this provider
+	username?: string
+}

docs/examples/cue.mod/gen/notification.toolkit.fluxcd.io/provider/v1beta2/types_gen.cue

@@ -0,0 +1,85 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta2
+
+import "strings"
+
+// Provider is the Schema for the providers API.
+#Provider: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "notification.toolkit.fluxcd.io/v1beta2"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Provider"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// ProviderSpec defines the desired state of the Provider.
+	spec!: #ProviderSpec
+}
+
+// ProviderSpec defines the desired state of the Provider.
+#ProviderSpec: {
+	// Address specifies the endpoint, in a generic sense, to where
+	// alerts are sent. What kind of endpoint depends on the specific
+	// Provider type being used. For the generic Provider, for
+	// example, this is an HTTP/S address. For other Provider types
+	// this could be a project ID or a namespace.
+	address?: strings.MaxRunes(2048)
+	certSecretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// Channel specifies the destination channel where events should
+	// be posted.
+	channel?: strings.MaxRunes(2048)
+
+	// Interval at which to reconcile the Provider with its Secret
+	// references.
+	interval?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+
+	// Proxy the HTTP/S address of the proxy server.
+	proxy?: strings.MaxRunes(2048) & {
+		=~"^(http|https)://.*$"
+	}
+	secretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// Suspend tells the controller to suspend subsequent events
+	// handling for this Provider.
+	suspend?: bool
+
+	// Timeout for sending alerts to the Provider.
+	timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m))+$"
+
+	// Type specifies which Provider implementation to use.
+	type: "slack" | "discord" | "msteams" | "rocket" | "generic" | "generic-hmac" | "github" | "gitlab" | "gitea" | "bitbucketserver" | "bitbucket" | "azuredevops" | "googlechat" | "googlepubsub" | "webex" | "sentry" | "azureeventhub" | "telegram" | "lark" | "matrix" | "opsgenie" | "alertmanager" | "grafana" | "githubdispatch" | "pagerduty" | "datadog"
+
+	// Username specifies the name under which events are posted.
+	username?: strings.MaxRunes(2048)
+}

docs/examples/cue.mod/gen/notification.toolkit.fluxcd.io/provider/v1beta3/types_gen.cue

@@ -0,0 +1,85 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta3
+
+import "strings"
+
+// Provider is the Schema for the providers API
+#Provider: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "notification.toolkit.fluxcd.io/v1beta3"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Provider"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// ProviderSpec defines the desired state of the Provider.
+	spec!: #ProviderSpec
+}
+
+// ProviderSpec defines the desired state of the Provider.
+#ProviderSpec: {
+	// Address specifies the endpoint, in a generic sense, to where
+	// alerts are sent. What kind of endpoint depends on the specific
+	// Provider type being used. For the generic Provider, for
+	// example, this is an HTTP/S address. For other Provider types
+	// this could be a project ID or a namespace.
+	address?: strings.MaxRunes(2048)
+	certSecretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// Channel specifies the destination channel where events should
+	// be posted.
+	channel?: strings.MaxRunes(2048)
+
+	// Interval at which to reconcile the Provider with its Secret
+	// references. Deprecated and not used in v1beta3.
+	interval?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+
+	// Proxy the HTTP/S address of the proxy server.
+	proxy?: strings.MaxRunes(2048) & {
+		=~"^(http|https)://.*$"
+	}
+	secretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// Suspend tells the controller to suspend subsequent events
+	// handling for this Provider.
+	suspend?: bool
+
+	// Timeout for sending alerts to the Provider.
+	timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m))+$"
+
+	// Type specifies which Provider implementation to use.
+	type: "slack" | "discord" | "msteams" | "rocket" | "generic" | "generic-hmac" | "github" | "gitlab" | "gitea" | "bitbucketserver" | "bitbucket" | "azuredevops" | "googlechat" | "googlepubsub" | "webex" | "sentry" | "azureeventhub" | "telegram" | "lark" | "matrix" | "opsgenie" | "alertmanager" | "grafana" | "githubdispatch" | "pagerduty" | "datadog" | "nats"
+
+	// Username specifies the name under which events are posted.
+	username?: strings.MaxRunes(2048)
+}

docs/examples/cue.mod/gen/notification.toolkit.fluxcd.io/receiver/v1/types_gen.cue

@@ -0,0 +1,90 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1
+
+import "strings"
+
+// Receiver is the Schema for the receivers API.
+#Receiver: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "notification.toolkit.fluxcd.io/v1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Receiver"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// ReceiverSpec defines the desired state of the Receiver.
+	spec!: #ReceiverSpec
+}
+
+// ReceiverSpec defines the desired state of the Receiver.
+#ReceiverSpec: {
+	// Events specifies the list of event types to handle, e.g. 'push'
+	// for GitHub or 'Push Hook' for GitLab.
+	events?: [...string]
+
+	// Interval at which to reconcile the Receiver with its Secret
+	// references.
+	interval?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$" | *"10m"
+
+	// A list of resources to be notified about changes.
+	resources: [...{
+		// API version of the referent
+		apiVersion?: string
+
+		// Kind of the referent
+		kind: "Bucket" | "GitRepository" | "Kustomization" | "HelmRelease" | "HelmChart" | "HelmRepository" | "ImageRepository" | "ImagePolicy" | "ImageUpdateAutomation" | "OCIRepository"
+
+		// MatchLabels is a map of {key,value} pairs. A single {key,value}
+		// in the matchLabels map is equivalent to an element of
+		// matchExpressions, whose key field is "key", the operator is
+		// "In", and the values array contains only "value". The
+		// requirements are ANDed. MatchLabels requires the name to be
+		// set to `*`.
+		matchLabels?: {
+			[string]: string
+		}
+
+		// Name of the referent If multiple resources are targeted `*` may
+		// be set.
+		name: strings.MaxRunes(53) & strings.MinRunes(1)
+
+		// Namespace of the referent
+		namespace?: strings.MaxRunes(53) & strings.MinRunes(1)
+	}]
+	secretRef: {
+		// Name of the referent.
+		name: string
+	}
+
+	// Suspend tells the controller to suspend subsequent events
+	// handling for this receiver.
+	suspend?: bool
+
+	// Type of webhook sender, used to determine the validation
+	// procedure and payload deserialization.
+	type: "generic" | "generic-hmac" | "github" | "gitlab" | "bitbucket" | "harbor" | "dockerhub" | "quay" | "gcr" | "nexus" | "acr"
+}

docs/examples/cue.mod/gen/notification.toolkit.fluxcd.io/receiver/v1beta1/types_gen.cue

@@ -0,0 +1,84 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta1
+
+import "strings"
+
+// Receiver is the Schema for the receivers API
+#Receiver: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "notification.toolkit.fluxcd.io/v1beta1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Receiver"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// ReceiverSpec defines the desired state of Receiver
+	spec!: #ReceiverSpec
+}
+
+// ReceiverSpec defines the desired state of Receiver
+#ReceiverSpec: {
+	// A list of events to handle, e.g. 'push' for GitHub or 'Push
+	// Hook' for GitLab.
+	events?: [...string]
+
+	// A list of resources to be notified about changes.
+	resources: [...{
+		// API version of the referent
+		apiVersion?: string
+
+		// Kind of the referent
+		kind?: "Bucket" | "GitRepository" | "Kustomization" | "HelmRelease" | "HelmChart" | "HelmRepository" | "ImageRepository" | "ImagePolicy" | "ImageUpdateAutomation" | "OCIRepository"
+
+		// MatchLabels is a map of {key,value} pairs. A single {key,value}
+		// in the matchLabels map is equivalent to an element of
+		// matchExpressions, whose key field is "key", the operator is
+		// "In", and the values array contains only "value". The
+		// requirements are ANDed.
+		matchLabels?: {
+			[string]: string
+		}
+
+		// Name of the referent
+		name: strings.MaxRunes(53) & strings.MinRunes(1)
+
+		// Namespace of the referent
+		namespace?: strings.MaxRunes(53) & strings.MinRunes(1)
+	}]
+	secretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// This flag tells the controller to suspend subsequent events
+	// handling. Defaults to false.
+	suspend?: bool
+
+	// Type of webhook sender, used to determine the validation
+	// procedure and payload deserialization.
+	type: "generic" | "generic-hmac" | "github" | "gitlab" | "bitbucket" | "harbor" | "dockerhub" | "quay" | "gcr" | "nexus" | "acr"
+}

docs/examples/cue.mod/gen/notification.toolkit.fluxcd.io/receiver/v1beta2/types_gen.cue

@@ -0,0 +1,90 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta2
+
+import "strings"
+
+// Receiver is the Schema for the receivers API.
+#Receiver: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "notification.toolkit.fluxcd.io/v1beta2"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Receiver"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// ReceiverSpec defines the desired state of the Receiver.
+	spec!: #ReceiverSpec
+}
+
+// ReceiverSpec defines the desired state of the Receiver.
+#ReceiverSpec: {
+	// Events specifies the list of event types to handle, e.g. 'push'
+	// for GitHub or 'Push Hook' for GitLab.
+	events?: [...string]
+
+	// Interval at which to reconcile the Receiver with its Secret
+	// references.
+	interval?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+
+	// A list of resources to be notified about changes.
+	resources: [...{
+		// API version of the referent
+		apiVersion?: string
+
+		// Kind of the referent
+		kind: "Bucket" | "GitRepository" | "Kustomization" | "HelmRelease" | "HelmChart" | "HelmRepository" | "ImageRepository" | "ImagePolicy" | "ImageUpdateAutomation" | "OCIRepository"
+
+		// MatchLabels is a map of {key,value} pairs. A single {key,value}
+		// in the matchLabels map is equivalent to an element of
+		// matchExpressions, whose key field is "key", the operator is
+		// "In", and the values array contains only "value". The
+		// requirements are ANDed. MatchLabels requires the name to be
+		// set to `*`.
+		matchLabels?: {
+			[string]: string
+		}
+
+		// Name of the referent If multiple resources are targeted `*` may
+		// be set.
+		name: strings.MaxRunes(53) & strings.MinRunes(1)
+
+		// Namespace of the referent
+		namespace?: strings.MaxRunes(53) & strings.MinRunes(1)
+	}]
+	secretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// Suspend tells the controller to suspend subsequent events
+	// handling for this receiver.
+	suspend?: bool
+
+	// Type of webhook sender, used to determine the validation
+	// procedure and payload deserialization.
+	type: "generic" | "generic-hmac" | "github" | "gitlab" | "bitbucket" | "harbor" | "dockerhub" | "quay" | "gcr" | "nexus" | "acr"
+}

docs/examples/cue.mod/gen/source.toolkit.fluxcd.io/bucket/v1beta1/types_gen.cue

@@ -0,0 +1,95 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta1
+
+import "strings"
+
+// Bucket is the Schema for the buckets API
+#Bucket: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "source.toolkit.fluxcd.io/v1beta1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Bucket"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// BucketSpec defines the desired state of an S3 compatible bucket
+	spec!: #BucketSpec
+}
+
+// BucketSpec defines the desired state of an S3 compatible bucket
+#BucketSpec: {
+	accessFrom?: {
+		// NamespaceSelectors is the list of namespace selectors to which
+		// this ACL applies. Items in this list are evaluated using a
+		// logical OR operation.
+		namespaceSelectors: [...{
+			// MatchLabels is a map of {key,value} pairs. A single {key,value}
+			// in the matchLabels map is equivalent to an element of
+			// matchExpressions, whose key field is "key", the operator is
+			// "In", and the values array contains only "value". The
+			// requirements are ANDed.
+			matchLabels?: {
+				[string]: string
+			}
+		}]
+	}
+
+	// The bucket name.
+	bucketName: string
+
+	// The bucket endpoint address.
+	endpoint: string
+
+	// Ignore overrides the set of excluded patterns in the
+	// .sourceignore format (which is the same as .gitignore). If not
+	// provided, a default will be used, consult the documentation
+	// for your version to find out what those are.
+	ignore?: string
+
+	// Insecure allows connecting to a non-TLS S3 HTTP endpoint.
+	insecure?: bool
+
+	// The interval at which to check for bucket updates.
+	interval: string
+
+	// The S3 compatible storage provider name, default ('generic').
+	provider?: "generic" | "aws" | "gcp" | *"generic"
+
+	// The bucket region.
+	region?: string
+	secretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// This flag tells the controller to suspend the reconciliation of
+	// this source.
+	suspend?: bool
+
+	// The timeout for download operations, defaults to 60s.
+	timeout?: string | *"60s"
+}

docs/examples/cue.mod/gen/source.toolkit.fluxcd.io/bucket/v1beta2/types_gen.cue

@@ -0,0 +1,104 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta2
+
+import "strings"
+
+// Bucket is the Schema for the buckets API.
+#Bucket: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "source.toolkit.fluxcd.io/v1beta2"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Bucket"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// BucketSpec specifies the required configuration to produce an
+	// Artifact for an object storage bucket.
+	spec!: #BucketSpec
+}
+
+// BucketSpec specifies the required configuration to produce an
+// Artifact for an object storage bucket.
+#BucketSpec: {
+	accessFrom?: {
+		// NamespaceSelectors is the list of namespace selectors to which
+		// this ACL applies. Items in this list are evaluated using a
+		// logical OR operation.
+		namespaceSelectors: [...{
+			// MatchLabels is a map of {key,value} pairs. A single {key,value}
+			// in the matchLabels map is equivalent to an element of
+			// matchExpressions, whose key field is "key", the operator is
+			// "In", and the values array contains only "value". The
+			// requirements are ANDed.
+			matchLabels?: {
+				[string]: string
+			}
+		}]
+	}
+
+	// BucketName is the name of the object storage bucket.
+	bucketName: string
+
+	// Endpoint is the object storage address the BucketName is
+	// located at.
+	endpoint: string
+
+	// Ignore overrides the set of excluded patterns in the
+	// .sourceignore format (which is the same as .gitignore). If not
+	// provided, a default will be used, consult the documentation
+	// for your version to find out what those are.
+	ignore?: string
+
+	// Insecure allows connecting to a non-TLS HTTP Endpoint.
+	insecure?: bool
+
+	// Interval at which the Bucket Endpoint is checked for updates.
+	// This interval is approximate and may be subject to jitter to
+	// ensure efficient use of resources.
+	interval: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+
+	// Prefix to use for server-side filtering of files in the Bucket.
+	prefix?: string
+
+	// Provider of the object storage bucket. Defaults to 'generic',
+	// which expects an S3 (API) compatible object storage.
+	provider?: "generic" | "aws" | "gcp" | "azure" | *"generic"
+
+	// Region of the Endpoint where the BucketName is located in.
+	region?: string
+	secretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// Suspend tells the controller to suspend the reconciliation of
+	// this Bucket.
+	suspend?: bool
+
+	// Timeout for fetch operations, defaults to 60s.
+	timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m))+$" | *"60s"
+}

docs/examples/cue.mod/gen/source.toolkit.fluxcd.io/gitrepository/v1/types_gen.cue

@@ -0,0 +1,141 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1
+
+import "strings"
+
+// GitRepository is the Schema for the gitrepositories API.
+#GitRepository: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "source.toolkit.fluxcd.io/v1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "GitRepository"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// GitRepositorySpec specifies the required configuration to
+	// produce an Artifact for a Git repository.
+	spec!: #GitRepositorySpec
+}
+
+// GitRepositorySpec specifies the required configuration to
+// produce an Artifact for a Git repository.
+#GitRepositorySpec: {
+	// Ignore overrides the set of excluded patterns in the
+	// .sourceignore format (which is the same as .gitignore). If not
+	// provided, a default will be used, consult the documentation
+	// for your version to find out what those are.
+	ignore?: string
+
+	// Include specifies a list of GitRepository resources which
+	// Artifacts should be included in the Artifact produced for this
+	// GitRepository.
+	include?: [...{
+		// FromPath specifies the path to copy contents from, defaults to
+		// the root of the Artifact.
+		fromPath?: string
+		repository: {
+			// Name of the referent.
+			name: string
+		}
+
+		// ToPath specifies the path to copy contents to, defaults to the
+		// name of the GitRepositoryRef.
+		toPath?: string
+	}]
+
+	// Interval at which the GitRepository URL is checked for updates.
+	// This interval is approximate and may be subject to jitter to
+	// ensure efficient use of resources.
+	interval: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	proxySecretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// RecurseSubmodules enables the initialization of all submodules
+	// within the GitRepository as cloned from the URL, using their
+	// default settings.
+	recurseSubmodules?: bool
+
+	// Reference specifies the Git reference to resolve and monitor
+	// for changes, defaults to the 'master' branch.
+	ref?: {
+		// Branch to check out, defaults to 'master' if no other field is
+		// defined.
+		branch?: string
+
+		// Commit SHA to check out, takes precedence over all reference
+		// fields.
+		// This can be combined with Branch to shallow clone the branch,
+		// in which the commit is expected to exist.
+		commit?: string
+
+		// Name of the reference to check out; takes precedence over
+		// Branch, Tag and SemVer.
+		// It must be a valid Git reference:
+		// https://git-scm.com/docs/git-check-ref-format#_description
+		// Examples: "refs/heads/main", "refs/tags/v0.1.0",
+		// "refs/pull/420/head", "refs/merge-requests/1/head"
+		name?: string
+
+		// SemVer tag expression to check out, takes precedence over Tag.
+		semver?: string
+
+		// Tag to check out, takes precedence over Branch.
+		tag?: string
+	}
+	secretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// Suspend tells the controller to suspend the reconciliation of
+	// this GitRepository.
+	suspend?: bool
+
+	// Timeout for Git operations like cloning, defaults to 60s.
+	timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m))+$" | *"60s"
+
+	// URL specifies the Git repository URL, it can be an HTTP/S or
+	// SSH address.
+	url: =~"^(http|https|ssh)://.*$"
+
+	// Verification specifies the configuration to verify the Git
+	// commit signature(s).
+	verify?: {
+		// Mode specifies which Git object(s) should be verified.
+		// The variants "head" and "HEAD" both imply the same thing, i.e.
+		// verify the commit that the HEAD of the Git repository points
+		// to. The variant "head" solely exists to ensure backwards
+		// compatibility.
+		mode?: "head" | "HEAD" | "Tag" | "TagAndHEAD" | *"HEAD"
+		secretRef: {
+			// Name of the referent.
+			name: string
+		}
+	}
+}

docs/examples/cue.mod/gen/source.toolkit.fluxcd.io/gitrepository/v1beta1/types_gen.cue

@@ -0,0 +1,137 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta1
+
+import "strings"
+
+// GitRepository is the Schema for the gitrepositories API
+#GitRepository: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "source.toolkit.fluxcd.io/v1beta1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "GitRepository"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// GitRepositorySpec defines the desired state of a Git
+	// repository.
+	spec!: #GitRepositorySpec
+}
+
+// GitRepositorySpec defines the desired state of a Git
+// repository.
+#GitRepositorySpec: {
+	accessFrom?: {
+		// NamespaceSelectors is the list of namespace selectors to which
+		// this ACL applies. Items in this list are evaluated using a
+		// logical OR operation.
+		namespaceSelectors: [...{
+			// MatchLabels is a map of {key,value} pairs. A single {key,value}
+			// in the matchLabels map is equivalent to an element of
+			// matchExpressions, whose key field is "key", the operator is
+			// "In", and the values array contains only "value". The
+			// requirements are ANDed.
+			matchLabels?: {
+				[string]: string
+			}
+		}]
+	}
+
+	// Determines which git client library to use. Defaults to go-git,
+	// valid values are ('go-git', 'libgit2').
+	gitImplementation?: "go-git" | "libgit2" | *"go-git"
+
+	// Ignore overrides the set of excluded patterns in the
+	// .sourceignore format (which is the same as .gitignore). If not
+	// provided, a default will be used, consult the documentation
+	// for your version to find out what those are.
+	ignore?: string
+
+	// Extra git repositories to map into the repository
+	include?: [...{
+		// The path to copy contents from, defaults to the root directory.
+		fromPath?: string
+		repository: {
+			// Name of the referent.
+			name: string
+		}
+
+		// The path to copy contents to, defaults to the name of the
+		// source ref.
+		toPath?: string
+	}]
+
+	// The interval at which to check for repository updates.
+	interval: string
+
+	// When enabled, after the clone is created, initializes all
+	// submodules within, using their default settings. This option
+	// is available only when using the 'go-git' GitImplementation.
+	recurseSubmodules?: bool
+
+	// The Git reference to checkout and monitor for changes, defaults
+	// to master branch.
+	ref?: {
+		// The Git branch to checkout, defaults to master.
+		branch?: string
+
+		// The Git commit SHA to checkout, if specified Tag filters will
+		// be ignored.
+		commit?: string
+
+		// The Git tag semver expression, takes precedence over Tag.
+		semver?: string
+
+		// The Git tag to checkout, takes precedence over Branch.
+		tag?: string
+	}
+	secretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// This flag tells the controller to suspend the reconciliation of
+	// this source.
+	suspend?: bool
+
+	// The timeout for remote Git operations like cloning, defaults to
+	// 60s.
+	timeout?: string | *"60s"
+
+	// The repository URL, can be a HTTP/S or SSH address.
+	url: =~"^(http|https|ssh)://.*$"
+
+	// Verify OpenPGP signature for the Git commit HEAD points to.
+	verify?: {
+		// Mode describes what git object should be verified, currently
+		// ('head').
+		mode: "head"
+		secretRef?: {
+			// Name of the referent.
+			name: string
+		}
+	}
+}

docs/examples/cue.mod/gen/source.toolkit.fluxcd.io/gitrepository/v1beta2/types_gen.cue

@@ -0,0 +1,155 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta2
+
+import "strings"
+
+// GitRepository is the Schema for the gitrepositories API.
+#GitRepository: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "source.toolkit.fluxcd.io/v1beta2"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "GitRepository"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// GitRepositorySpec specifies the required configuration to
+	// produce an Artifact for a Git repository.
+	spec!: #GitRepositorySpec
+}
+
+// GitRepositorySpec specifies the required configuration to
+// produce an Artifact for a Git repository.
+#GitRepositorySpec: {
+	accessFrom?: {
+		// NamespaceSelectors is the list of namespace selectors to which
+		// this ACL applies. Items in this list are evaluated using a
+		// logical OR operation.
+		namespaceSelectors: [...{
+			// MatchLabels is a map of {key,value} pairs. A single {key,value}
+			// in the matchLabels map is equivalent to an element of
+			// matchExpressions, whose key field is "key", the operator is
+			// "In", and the values array contains only "value". The
+			// requirements are ANDed.
+			matchLabels?: {
+				[string]: string
+			}
+		}]
+	}
+
+	// GitImplementation specifies which Git client library
+	// implementation to use. Defaults to 'go-git', valid values are
+	// ('go-git', 'libgit2'). Deprecated: gitImplementation is
+	// deprecated now that 'go-git' is the only supported
+	// implementation.
+	gitImplementation?: "go-git" | "libgit2" | *"go-git"
+
+	// Ignore overrides the set of excluded patterns in the
+	// .sourceignore format (which is the same as .gitignore). If not
+	// provided, a default will be used, consult the documentation
+	// for your version to find out what those are.
+	ignore?: string
+
+	// Include specifies a list of GitRepository resources which
+	// Artifacts should be included in the Artifact produced for this
+	// GitRepository.
+	include?: [...{
+		// FromPath specifies the path to copy contents from, defaults to
+		// the root of the Artifact.
+		fromPath?: string
+		repository: {
+			// Name of the referent.
+			name: string
+		}
+
+		// ToPath specifies the path to copy contents to, defaults to the
+		// name of the GitRepositoryRef.
+		toPath?: string
+	}]
+
+	// Interval at which to check the GitRepository for updates.
+	interval: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+
+	// RecurseSubmodules enables the initialization of all submodules
+	// within the GitRepository as cloned from the URL, using their
+	// default settings.
+	recurseSubmodules?: bool
+
+	// Reference specifies the Git reference to resolve and monitor
+	// for changes, defaults to the 'master' branch.
+	ref?: {
+		// Branch to check out, defaults to 'master' if no other field is
+		// defined.
+		branch?: string
+
+		// Commit SHA to check out, takes precedence over all reference
+		// fields.
+		// This can be combined with Branch to shallow clone the branch,
+		// in which the commit is expected to exist.
+		commit?: string
+
+		// Name of the reference to check out; takes precedence over
+		// Branch, Tag and SemVer.
+		// It must be a valid Git reference:
+		// https://git-scm.com/docs/git-check-ref-format#_description
+		// Examples: "refs/heads/main", "refs/tags/v0.1.0",
+		// "refs/pull/420/head", "refs/merge-requests/1/head"
+		name?: string
+
+		// SemVer tag expression to check out, takes precedence over Tag.
+		semver?: string
+
+		// Tag to check out, takes precedence over Branch.
+		tag?: string
+	}
+	secretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// Suspend tells the controller to suspend the reconciliation of
+	// this GitRepository.
+	suspend?: bool
+
+	// Timeout for Git operations like cloning, defaults to 60s.
+	timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m))+$" | *"60s"
+
+	// URL specifies the Git repository URL, it can be an HTTP/S or
+	// SSH address.
+	url: =~"^(http|https|ssh)://.*$"
+
+	// Verification specifies the configuration to verify the Git
+	// commit signature(s).
+	verify?: {
+		// Mode specifies what Git object should be verified, currently
+		// ('head').
+		mode: "head"
+		secretRef: {
+			// Name of the referent.
+			name: string
+		}
+	}
+}

docs/examples/cue.mod/gen/source.toolkit.fluxcd.io/helmchart/v1beta1/types_gen.cue

@@ -0,0 +1,109 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta1
+
+import "strings"
+
+// HelmChart is the Schema for the helmcharts API
+#HelmChart: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "source.toolkit.fluxcd.io/v1beta1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "HelmChart"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// HelmChartSpec defines the desired state of a Helm chart.
+	spec!: #HelmChartSpec
+}
+
+// HelmChartSpec defines the desired state of a Helm chart.
+#HelmChartSpec: {
+	accessFrom?: {
+		// NamespaceSelectors is the list of namespace selectors to which
+		// this ACL applies. Items in this list are evaluated using a
+		// logical OR operation.
+		namespaceSelectors: [...{
+			// MatchLabels is a map of {key,value} pairs. A single {key,value}
+			// in the matchLabels map is equivalent to an element of
+			// matchExpressions, whose key field is "key", the operator is
+			// "In", and the values array contains only "value". The
+			// requirements are ANDed.
+			matchLabels?: {
+				[string]: string
+			}
+		}]
+	}
+
+	// The name or path the Helm chart is available at in the
+	// SourceRef.
+	chart: string
+
+	// The interval at which to check the Source for updates.
+	interval: string
+
+	// Determines what enables the creation of a new artifact. Valid
+	// values are ('ChartVersion', 'Revision'). See the documentation
+	// of the values for an explanation on their behavior. Defaults
+	// to ChartVersion when omitted.
+	reconcileStrategy?: "ChartVersion" | "Revision" | *"ChartVersion"
+
+	// The reference to the Source the chart is available at.
+	sourceRef: {
+		// APIVersion of the referent.
+		apiVersion?: string
+
+		// Kind of the referent, valid values are ('HelmRepository',
+		// 'GitRepository', 'Bucket').
+		kind: "HelmRepository" | "GitRepository" | "Bucket"
+
+		// Name of the referent.
+		name: string
+	}
+
+	// This flag tells the controller to suspend the reconciliation of
+	// this source.
+	suspend?: bool
+
+	// Alternative values file to use as the default chart values,
+	// expected to be a relative path in the SourceRef. Deprecated in
+	// favor of ValuesFiles, for backwards compatibility the file
+	// defined here is merged before the ValuesFiles items. Ignored
+	// when omitted.
+	valuesFile?: string
+
+	// Alternative list of values files to use as the chart values
+	// (values.yaml is not included by default), expected to be a
+	// relative path in the SourceRef. Values files are merged in the
+	// order of this list with the last file overriding the first.
+	// Ignored when omitted.
+	valuesFiles?: [...string]
+
+	// The chart version semver expression, ignored for charts from
+	// GitRepository and Bucket sources. Defaults to latest when
+	// omitted.
+	version?: string | *"*"
+}

docs/examples/cue.mod/gen/source.toolkit.fluxcd.io/helmchart/v1beta2/types_gen.cue

@@ -0,0 +1,145 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta2
+
+import "strings"
+
+// HelmChart is the Schema for the helmcharts API.
+#HelmChart: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "source.toolkit.fluxcd.io/v1beta2"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "HelmChart"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// HelmChartSpec specifies the desired state of a Helm chart.
+	spec!: #HelmChartSpec
+}
+
+// HelmChartSpec specifies the desired state of a Helm chart.
+#HelmChartSpec: {
+	accessFrom?: {
+		// NamespaceSelectors is the list of namespace selectors to which
+		// this ACL applies. Items in this list are evaluated using a
+		// logical OR operation.
+		namespaceSelectors: [...{
+			// MatchLabels is a map of {key,value} pairs. A single {key,value}
+			// in the matchLabels map is equivalent to an element of
+			// matchExpressions, whose key field is "key", the operator is
+			// "In", and the values array contains only "value". The
+			// requirements are ANDed.
+			matchLabels?: {
+				[string]: string
+			}
+		}]
+	}
+
+	// Chart is the name or path the Helm chart is available at in the
+	// SourceRef.
+	chart: string
+
+	// Interval at which the HelmChart SourceRef is checked for
+	// updates. This interval is approximate and may be subject to
+	// jitter to ensure efficient use of resources.
+	interval: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+
+	// ReconcileStrategy determines what enables the creation of a new
+	// artifact. Valid values are ('ChartVersion', 'Revision'). See
+	// the documentation of the values for an explanation on their
+	// behavior. Defaults to ChartVersion when omitted.
+	reconcileStrategy?: "ChartVersion" | "Revision" | *"ChartVersion"
+
+	// SourceRef is the reference to the Source the chart is available
+	// at.
+	sourceRef: {
+		// APIVersion of the referent.
+		apiVersion?: string
+
+		// Kind of the referent, valid values are ('HelmRepository',
+		// 'GitRepository', 'Bucket').
+		kind: "HelmRepository" | "GitRepository" | "Bucket"
+
+		// Name of the referent.
+		name: string
+	}
+
+	// Suspend tells the controller to suspend the reconciliation of
+	// this source.
+	suspend?: bool
+
+	// ValuesFile is an alternative values file to use as the default
+	// chart values, expected to be a relative path in the SourceRef.
+	// Deprecated in favor of ValuesFiles, for backwards
+	// compatibility the file specified here is merged before the
+	// ValuesFiles items. Ignored when omitted.
+	valuesFile?: string
+
+	// ValuesFiles is an alternative list of values files to use as
+	// the chart values (values.yaml is not included by default),
+	// expected to be a relative path in the SourceRef. Values files
+	// are merged in the order of this list with the last file
+	// overriding the first. Ignored when omitted.
+	valuesFiles?: [...string]
+
+	// Verify contains the secret name containing the trusted public
+	// keys used to verify the signature and specifies which provider
+	// to use to check whether OCI image is authentic. This field is
+	// only supported when using HelmRepository source with spec.type
+	// 'oci'. Chart dependencies, which are not bundled in the
+	// umbrella chart artifact, are not verified.
+	verify?: {
+		// MatchOIDCIdentity specifies the identity matching criteria to
+		// use while verifying an OCI artifact which was signed using
+		// Cosign keyless signing. The artifact's identity is deemed to
+		// be verified if any of the specified matchers match against the
+		// identity.
+		matchOIDCIdentity?: [...{
+			// Issuer specifies the regex pattern to match against to verify
+			// the OIDC issuer in the Fulcio certificate. The pattern must be
+			// a valid Go regular expression.
+			issuer: string
+
+			// Subject specifies the regex pattern to match against to verify
+			// the identity subject in the Fulcio certificate. The pattern
+			// must be a valid Go regular expression.
+			subject: string
+		}]
+
+		// Provider specifies the technology used to sign the OCI
+		// Artifact.
+		provider: "cosign" | *"cosign"
+		secretRef?: {
+			// Name of the referent.
+			name: string
+		}
+	}
+
+	// Version is the chart version semver expression, ignored for
+	// charts from GitRepository and Bucket sources. Defaults to
+	// latest when omitted.
+	version?: string | *"*"
+}

docs/examples/cue.mod/gen/source.toolkit.fluxcd.io/helmrepository/v1beta1/types_gen.cue

@@ -0,0 +1,86 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta1
+
+import "strings"
+
+// HelmRepository is the Schema for the helmrepositories API
+#HelmRepository: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "source.toolkit.fluxcd.io/v1beta1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "HelmRepository"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// HelmRepositorySpec defines the reference to a Helm repository.
+	spec!: #HelmRepositorySpec
+}
+
+// HelmRepositorySpec defines the reference to a Helm repository.
+#HelmRepositorySpec: {
+	accessFrom?: {
+		// NamespaceSelectors is the list of namespace selectors to which
+		// this ACL applies. Items in this list are evaluated using a
+		// logical OR operation.
+		namespaceSelectors: [...{
+			// MatchLabels is a map of {key,value} pairs. A single {key,value}
+			// in the matchLabels map is equivalent to an element of
+			// matchExpressions, whose key field is "key", the operator is
+			// "In", and the values array contains only "value". The
+			// requirements are ANDed.
+			matchLabels?: {
+				[string]: string
+			}
+		}]
+	}
+
+	// The interval at which to check the upstream for updates.
+	interval: string
+
+	// PassCredentials allows the credentials from the SecretRef to be
+	// passed on to a host that does not match the host as defined in
+	// URL. This may be required if the host of the advertised chart
+	// URLs in the index differ from the defined URL. Enabling this
+	// should be done with caution, as it can potentially result in
+	// credentials getting stolen in a MITM-attack.
+	passCredentials?: bool
+	secretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// This flag tells the controller to suspend the reconciliation of
+	// this source.
+	suspend?: bool
+
+	// The timeout of index downloading, defaults to 60s.
+	timeout?: string | *"60s"
+
+	// The Helm repository URL, a valid URL contains at least a
+	// protocol and host.
+	url: string
+}

docs/examples/cue.mod/gen/source.toolkit.fluxcd.io/helmrepository/v1beta2/types_gen.cue

@@ -0,0 +1,112 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta2
+
+import "strings"
+
+// HelmRepository is the Schema for the helmrepositories API.
+#HelmRepository: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "source.toolkit.fluxcd.io/v1beta2"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "HelmRepository"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// HelmRepositorySpec specifies the required configuration to
+	// produce an Artifact for a Helm repository index YAML.
+	spec!: #HelmRepositorySpec
+}
+
+// HelmRepositorySpec specifies the required configuration to
+// produce an Artifact for a Helm repository index YAML.
+#HelmRepositorySpec: {
+	accessFrom?: {
+		// NamespaceSelectors is the list of namespace selectors to which
+		// this ACL applies. Items in this list are evaluated using a
+		// logical OR operation.
+		namespaceSelectors: [...{
+			// MatchLabels is a map of {key,value} pairs. A single {key,value}
+			// in the matchLabels map is equivalent to an element of
+			// matchExpressions, whose key field is "key", the operator is
+			// "In", and the values array contains only "value". The
+			// requirements are ANDed.
+			matchLabels?: {
+				[string]: string
+			}
+		}]
+	}
+	certSecretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// Insecure allows connecting to a non-TLS HTTP container
+	// registry. This field is only taken into account if the
+	// .spec.type field is set to 'oci'.
+	insecure?: bool
+
+	// Interval at which the HelmRepository URL is checked for
+	// updates. This interval is approximate and may be subject to
+	// jitter to ensure efficient use of resources.
+	interval?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+
+	// PassCredentials allows the credentials from the SecretRef to be
+	// passed on to a host that does not match the host as defined in
+	// URL. This may be required if the host of the advertised chart
+	// URLs in the index differ from the defined URL. Enabling this
+	// should be done with caution, as it can potentially result in
+	// credentials getting stolen in a MITM-attack.
+	passCredentials?: bool
+
+	// Provider used for authentication, can be 'aws', 'azure', 'gcp'
+	// or 'generic'. This field is optional, and only taken into
+	// account if the .spec.type field is set to 'oci'. When not
+	// specified, defaults to 'generic'.
+	provider?: "generic" | "aws" | "azure" | "gcp" | *"generic"
+	secretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// Suspend tells the controller to suspend the reconciliation of
+	// this HelmRepository.
+	suspend?: bool
+
+	// Timeout is used for the index fetch operation for an HTTPS helm
+	// repository, and for remote OCI Repository operations like
+	// pulling for an OCI helm chart by the associated HelmChart. Its
+	// default value is 60s.
+	timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m))+$"
+
+	// Type of the HelmRepository. When this field is set to "oci",
+	// the URL field value must be prefixed with "oci://".
+	type?: "default" | "oci"
+
+	// URL of the Helm repository, a valid URL contains at least a
+	// protocol and host.
+	url: =~"^(http|https|oci)://.*$"
+}

docs/examples/cue.mod/gen/source.toolkit.fluxcd.io/ocirepository/v1beta2/types_gen.cue

@@ -0,0 +1,151 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta2
+
+import "strings"
+
+// OCIRepository is the Schema for the ocirepositories API
+#OCIRepository: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "source.toolkit.fluxcd.io/v1beta2"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "OCIRepository"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// OCIRepositorySpec defines the desired state of OCIRepository
+	spec!: #OCIRepositorySpec
+}
+
+// OCIRepositorySpec defines the desired state of OCIRepository
+#OCIRepositorySpec: {
+	certSecretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// Ignore overrides the set of excluded patterns in the
+	// .sourceignore format (which is the same as .gitignore). If not
+	// provided, a default will be used, consult the documentation
+	// for your version to find out what those are.
+	ignore?: string
+
+	// Insecure allows connecting to a non-TLS HTTP container
+	// registry.
+	insecure?: bool
+
+	// Interval at which the OCIRepository URL is checked for updates.
+	// This interval is approximate and may be subject to jitter to
+	// ensure efficient use of resources.
+	interval: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+
+	// LayerSelector specifies which layer should be extracted from
+	// the OCI artifact. When not specified, the first layer found in
+	// the artifact is selected.
+	layerSelector?: {
+		// MediaType specifies the OCI media type of the layer which
+		// should be extracted from the OCI Artifact. The first layer
+		// matching this type is selected.
+		mediaType?: string
+
+		// Operation specifies how the selected layer should be processed.
+		// By default, the layer compressed content is extracted to
+		// storage. When the operation is set to 'copy', the layer
+		// compressed content is persisted to storage as it is.
+		operation?: "extract" | "copy"
+	}
+
+	// The provider used for authentication, can be 'aws', 'azure',
+	// 'gcp' or 'generic'. When not specified, defaults to 'generic'.
+	provider?: "generic" | "aws" | "azure" | "gcp" | *"generic"
+
+	// The OCI reference to pull and monitor for changes, defaults to
+	// the latest tag.
+	ref?: {
+		// Digest is the image digest to pull, takes precedence over
+		// SemVer. The value should be in the format 'sha256:<HASH>'.
+		digest?: string
+
+		// SemVer is the range of tags to pull selecting the latest within
+		// the range, takes precedence over Tag.
+		semver?: string
+
+		// Tag is the image tag to pull, defaults to latest.
+		tag?: string
+	}
+	secretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// ServiceAccountName is the name of the Kubernetes ServiceAccount
+	// used to authenticate the image pull if the service account has
+	// attached pull secrets. For more information:
+	// https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account
+	serviceAccountName?: string
+
+	// This flag tells the controller to suspend the reconciliation of
+	// this source.
+	suspend?: bool
+
+	// The timeout for remote OCI Repository operations like pulling,
+	// defaults to 60s.
+	timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m))+$" | *"60s"
+
+	// URL is a reference to an OCI artifact repository hosted on a
+	// remote container registry.
+	url: =~"^oci://.*$"
+
+	// Verify contains the secret name containing the trusted public
+	// keys used to verify the signature and specifies which provider
+	// to use to check whether OCI image is authentic.
+	verify?: {
+		// MatchOIDCIdentity specifies the identity matching criteria to
+		// use while verifying an OCI artifact which was signed using
+		// Cosign keyless signing. The artifact's identity is deemed to
+		// be verified if any of the specified matchers match against the
+		// identity.
+		matchOIDCIdentity?: [...{
+			// Issuer specifies the regex pattern to match against to verify
+			// the OIDC issuer in the Fulcio certificate. The pattern must be
+			// a valid Go regular expression.
+			issuer: string
+
+			// Subject specifies the regex pattern to match against to verify
+			// the identity subject in the Fulcio certificate. The pattern
+			// must be a valid Go regular expression.
+			subject: string
+		}]
+
+		// Provider specifies the technology used to sign the OCI
+		// Artifact.
+		provider: "cosign" | *"cosign"
+		secretRef?: {
+			// Name of the referent.
+			name: string
+		}
+	}
+}

docs/examples/cue.mod/module.cue

@@ -0,0 +1 @@
+module: "github.com/holos-run/holos/docs/examples"

docs/examples/cue.mod/usr/k8s.io/api/core/v1/types.cue

@@ -0,0 +1,11 @@
+package v1
+
+#Namespace: {
+  apiVersion: "v1"
+  kind: "Namespace"
+}
+
+#ConfigMap: {
+  apiVersion: "v1"
+  kind: "ConfigMap"
+}

docs/examples/platforms/.gitignore

@@ -0,0 +1 @@
+platform.site.cue