Add holos component HelmChart type

This patch implements rendering a holos component from an upstream helm
chart using a values.yaml file generated by CUE.  The resulting
kubernetes api objects are saved to the deploy directory in the same way
the KubernetesObject holos component type.

```
❯ holos render --cluster-name=core2 ./docs/examples/platforms/reference/projects/secrets/components/...
3:55PM INF render.go:39 rendered prod-secrets-eso version=0.41.0 status=ok action=rendered name=prod-secrets-eso
3:55PM INF render.go:39 rendered prod-secrets-namespaces version=0.41.0 status=ok action=rendered name=prod-secrets-namespaces
```

```
❯ tree deploy
deploy
└── clusters
    └── core2
        ├── components
        │   ├── prod-secrets-eso
        │   │   └── prod-secrets-eso.gen.yaml
        │   └── prod-secrets-namespaces
        │       └── prod-secrets-namespaces.gen.yaml
        └── holos
            └── components
                ├── prod-secrets-eso-kustomization.gen.yaml
                └── prod-secrets-namespaces-kustomization.gen.yaml

7 directories, 4 files
```

docs/examples/cue.mod/gen/helm.toolkit.fluxcd.io/helmrelease/v2beta1/types_gen.cue

@@ -0,0 +1,692 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v2beta1
+
+import "strings"
+
+// HelmRelease is the Schema for the helmreleases API
+#HelmRelease: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "helm.toolkit.fluxcd.io/v2beta1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "HelmRelease"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// HelmReleaseSpec defines the desired state of a Helm release.
+	spec!: #HelmReleaseSpec
+}
+
+// HelmReleaseSpec defines the desired state of a Helm release.
+#HelmReleaseSpec: {
+	// Chart defines the template of the v1beta2.HelmChart that should
+	// be created for this HelmRelease.
+	chart: {
+		// ObjectMeta holds the template for metadata like labels and
+		// annotations.
+		metadata?: {
+			// Annotations is an unstructured key value map stored with a
+			// resource that may be set by external tools to store and
+			// retrieve arbitrary metadata. They are not queryable and should
+			// be preserved when modifying objects. More info:
+			// https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+			annotations?: {
+				[string]: string
+			}
+
+			// Map of string keys and values that can be used to organize and
+			// categorize (scope and select) objects. More info:
+			// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+			labels?: {
+				[string]: string
+			}
+		}
+
+		// Spec holds the template for the v1beta2.HelmChartSpec for this
+		// HelmRelease.
+		spec: {
+			// The name or path the Helm chart is available at in the
+			// SourceRef.
+			chart: string
+
+			// Interval at which to check the v1beta2.Source for updates.
+			// Defaults to 'HelmReleaseSpec.Interval'.
+			interval?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+
+			// Determines what enables the creation of a new artifact. Valid
+			// values are ('ChartVersion', 'Revision'). See the documentation
+			// of the values for an explanation on their behavior. Defaults
+			// to ChartVersion when omitted.
+			reconcileStrategy?: "ChartVersion" | "Revision" | *"ChartVersion"
+
+			// The name and namespace of the v1beta2.Source the chart is
+			// available at.
+			sourceRef: {
+				// APIVersion of the referent.
+				apiVersion?: string
+
+				// Kind of the referent.
+				kind?: "HelmRepository" | "GitRepository" | "Bucket"
+
+				// Name of the referent.
+				name: strings.MaxRunes(253) & strings.MinRunes(1)
+
+				// Namespace of the referent.
+				namespace?: strings.MaxRunes(63) & strings.MinRunes(1)
+			}
+
+			// Alternative values file to use as the default chart values,
+			// expected to be a relative path in the SourceRef. Deprecated in
+			// favor of ValuesFiles, for backwards compatibility the file
+			// defined here is merged before the ValuesFiles items. Ignored
+			// when omitted.
+			valuesFile?: string
+
+			// Alternative list of values files to use as the chart values
+			// (values.yaml is not included by default), expected to be a
+			// relative path in the SourceRef. Values files are merged in the
+			// order of this list with the last file overriding the first.
+			// Ignored when omitted.
+			valuesFiles?: [...string]
+
+			// Verify contains the secret name containing the trusted public
+			// keys used to verify the signature and specifies which provider
+			// to use to check whether OCI image is authentic. This field is
+			// only supported for OCI sources. Chart dependencies, which are
+			// not bundled in the umbrella chart artifact, are not verified.
+			verify?: {
+				// Provider specifies the technology used to sign the OCI Helm
+				// chart.
+				provider: "cosign" | *"cosign"
+				secretRef?: {
+					// Name of the referent.
+					name: string
+				}
+			}
+
+			// Version semver expression, ignored for charts from
+			// v1beta2.GitRepository and v1beta2.Bucket sources. Defaults to
+			// latest when omitted.
+			version?: string | *"*"
+		}
+	}
+
+	// DependsOn may contain a meta.NamespacedObjectReference slice
+	// with references to HelmRelease resources that must be ready
+	// before this HelmRelease can be reconciled.
+	dependsOn?: [...{
+		// Name of the referent.
+		name: string
+
+		// Namespace of the referent, when not specified it acts as
+		// LocalObjectReference.
+		namespace?: string
+	}]
+
+	// DriftDetection holds the configuration for detecting and
+	// handling differences between the manifest in the Helm storage
+	// and the resources currently existing in the cluster.
+	// Note: this field is provisional to the v2beta2 API, and not
+	// actively used by v2beta1 HelmReleases.
+	driftDetection?: {
+		// Ignore contains a list of rules for specifying which changes to
+		// ignore during diffing.
+		ignore?: [...{
+			// Paths is a list of JSON Pointer (RFC 6901) paths to be excluded
+			// from consideration in a Kubernetes object.
+			paths: [...string]
+
+			// Target is a selector for specifying Kubernetes objects to which
+			// this rule applies. If Target is not set, the Paths will be
+			// ignored for all Kubernetes objects within the manifest of the
+			// Helm release.
+			target?: {
+				// AnnotationSelector is a string that follows the label selection
+				// expression
+				// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+				// It matches with the resource annotations.
+				annotationSelector?: string
+
+				// Group is the API group to select resources from. Together with
+				// Version and Kind it is capable of unambiguously identifying
+				// and/or selecting resources.
+				// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+				group?: string
+
+				// Kind of the API Group to select resources from. Together with
+				// Group and Version it is capable of unambiguously identifying
+				// and/or selecting resources.
+				// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+				kind?: string
+
+				// LabelSelector is a string that follows the label selection
+				// expression
+				// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+				// It matches with the resource labels.
+				labelSelector?: string
+
+				// Name to match resources with.
+				name?: string
+
+				// Namespace to select resources from.
+				namespace?: string
+
+				// Version of the API Group to select resources from. Together
+				// with Group and Kind it is capable of unambiguously identifying
+				// and/or selecting resources.
+				// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+				version?: string
+			}
+		}]
+
+		// Mode defines how differences should be handled between the Helm
+		// manifest and the manifest currently applied to the cluster. If
+		// not explicitly set, it defaults to DiffModeDisabled.
+		mode?: "enabled" | "warn" | "disabled"
+	}
+
+	// Install holds the configuration for Helm install actions for
+	// this HelmRelease.
+	install?: {
+		// CRDs upgrade CRDs from the Helm Chart's crds directory
+		// according to the CRD upgrade policy provided here. Valid
+		// values are `Skip`, `Create` or `CreateReplace`. Default is
+		// `Create` and if omitted CRDs are installed but not updated.
+		// Skip: do neither install nor replace (update) any CRDs.
+		// Create: new CRDs are created, existing CRDs are neither updated
+		// nor deleted.
+		// CreateReplace: new CRDs are created, existing CRDs are updated
+		// (replaced) but not deleted.
+		// By default, CRDs are applied (installed) during Helm install
+		// action. With this option users can opt-in to CRD replace
+		// existing CRDs on Helm install actions, which is not (yet)
+		// natively supported by Helm.
+		// https://helm.sh/docs/chart_best_practices/custom_resource_definitions.
+		crds?: "Skip" | "Create" | "CreateReplace"
+
+		// CreateNamespace tells the Helm install action to create the
+		// HelmReleaseSpec.TargetNamespace if it does not exist yet. On
+		// uninstall, the namespace will not be garbage collected.
+		createNamespace?: bool
+
+		// DisableHooks prevents hooks from running during the Helm
+		// install action.
+		disableHooks?: bool
+
+		// DisableOpenAPIValidation prevents the Helm install action from
+		// validating rendered templates against the Kubernetes OpenAPI
+		// Schema.
+		disableOpenAPIValidation?: bool
+
+		// DisableWait disables the waiting for resources to be ready
+		// after a Helm install has been performed.
+		disableWait?: bool
+
+		// DisableWaitForJobs disables waiting for jobs to complete after
+		// a Helm install has been performed.
+		disableWaitForJobs?: bool
+
+		// Remediation holds the remediation configuration for when the
+		// Helm install action for the HelmRelease fails. The default is
+		// to not perform any action.
+		remediation?: {
+			// IgnoreTestFailures tells the controller to skip remediation
+			// when the Helm tests are run after an install action but fail.
+			// Defaults to 'Test.IgnoreFailures'.
+			ignoreTestFailures?: bool
+
+			// RemediateLastFailure tells the controller to remediate the last
+			// failure, when no retries remain. Defaults to 'false'.
+			remediateLastFailure?: bool
+
+			// Retries is the number of retries that should be attempted on
+			// failures before bailing. Remediation, using an uninstall, is
+			// performed between each attempt. Defaults to '0', a negative
+			// integer equals to unlimited retries.
+			retries?: int
+		}
+
+		// Replace tells the Helm install action to re-use the
+		// 'ReleaseName', but only if that name is a deleted release
+		// which remains in the history.
+		replace?: bool
+
+		// SkipCRDs tells the Helm install action to not install any CRDs.
+		// By default, CRDs are installed if not already present.
+		// Deprecated use CRD policy (`crds`) attribute with value `Skip`
+		// instead.
+		skipCRDs?: bool
+
+		// Timeout is the time to wait for any individual Kubernetes
+		// operation (like Jobs for hooks) during the performance of a
+		// Helm install action. Defaults to 'HelmReleaseSpec.Timeout'.
+		timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	}
+
+	// Interval at which to reconcile the Helm release. This interval
+	// is approximate and may be subject to jitter to ensure
+	// efficient use of resources.
+	interval: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	kubeConfig?: {
+		// SecretRef holds the name of a secret that contains a key with
+		// the kubeconfig file as the value. If no key is set, the key
+		// will default to 'value'. It is recommended that the kubeconfig
+		// is self-contained, and the secret is regularly updated if
+		// credentials such as a cloud-access-token expire. Cloud
+		// specific `cmd-path` auth helpers will not function without
+		// adding binaries and credentials to the Pod that is responsible
+		// for reconciling Kubernetes resources.
+		secretRef: {
+			// Key in the Secret, when not specified an
+			// implementation-specific default key is used.
+			key?: string
+
+			// Name of the Secret.
+			name: string
+		}
+	}
+
+	// MaxHistory is the number of revisions saved by Helm for this
+	// HelmRelease. Use '0' for an unlimited number of revisions;
+	// defaults to '10'.
+	maxHistory?: int
+
+	// PersistentClient tells the controller to use a persistent
+	// Kubernetes client for this release. When enabled, the client
+	// will be reused for the duration of the reconciliation, instead
+	// of being created and destroyed for each (step of a) Helm
+	// action.
+	// This can improve performance, but may cause issues with some
+	// Helm charts that for example do create Custom Resource
+	// Definitions during installation outside Helm's CRD lifecycle
+	// hooks, which are then not observed to be available by e.g.
+	// post-install hooks.
+	// If not set, it defaults to true.
+	persistentClient?: bool
+
+	// PostRenderers holds an array of Helm PostRenderers, which will
+	// be applied in order of their definition.
+	postRenderers?: [...{
+		// Kustomization to apply as PostRenderer.
+		kustomize?: {
+			// Images is a list of (image name, new name, new tag or digest)
+			// for changing image names, tags or digests. This can also be
+			// achieved with a patch, but this operator is simpler to
+			// specify.
+			images?: [...{
+				// Digest is the value used to replace the original image tag. If
+				// digest is present NewTag value is ignored.
+				digest?: string
+
+				// Name is a tag-less image name.
+				name: string
+
+				// NewName is the value used to replace the original name.
+				newName?: string
+
+				// NewTag is the value used to replace the original tag.
+				newTag?: string
+			}]
+
+			// Strategic merge and JSON patches, defined as inline YAML
+			// objects, capable of targeting objects based on kind, label and
+			// annotation selectors.
+			patches?: [...{
+				// Patch contains an inline StrategicMerge patch or an inline
+				// JSON6902 patch with an array of operation objects.
+				patch: string
+
+				// Target points to the resources that the patch document should
+				// be applied to.
+				target?: {
+					// AnnotationSelector is a string that follows the label selection
+					// expression
+					// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+					// It matches with the resource annotations.
+					annotationSelector?: string
+
+					// Group is the API group to select resources from. Together with
+					// Version and Kind it is capable of unambiguously identifying
+					// and/or selecting resources.
+					// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+					group?: string
+
+					// Kind of the API Group to select resources from. Together with
+					// Group and Version it is capable of unambiguously identifying
+					// and/or selecting resources.
+					// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+					kind?: string
+
+					// LabelSelector is a string that follows the label selection
+					// expression
+					// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+					// It matches with the resource labels.
+					labelSelector?: string
+
+					// Name to match resources with.
+					name?: string
+
+					// Namespace to select resources from.
+					namespace?: string
+
+					// Version of the API Group to select resources from. Together
+					// with Group and Kind it is capable of unambiguously identifying
+					// and/or selecting resources.
+					// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+					version?: string
+				}
+			}]
+
+			// JSON 6902 patches, defined as inline YAML objects.
+			patchesJson6902?: [...{
+				// Patch contains the JSON6902 patch document with an array of
+				// operation objects.
+				patch: [...{
+					// From contains a JSON-pointer value that references a location
+					// within the target document where the operation is performed.
+					// The meaning of the value depends on the value of Op, and is
+					// NOT taken into account by all operations.
+					from?: string
+
+					// Op indicates the operation to perform. Its value MUST be one of
+					// "add", "remove", "replace", "move", "copy", or "test".
+					// https://datatracker.ietf.org/doc/html/rfc6902#section-4
+					op: "test" | "remove" | "add" | "replace" | "move" | "copy"
+
+					// Path contains the JSON-pointer value that references a location
+					// within the target document where the operation is performed.
+					// The meaning of the value depends on the value of Op.
+					path: string
+
+					// Value contains a valid JSON structure. The meaning of the value
+					// depends on the value of Op, and is NOT taken into account by
+					// all operations.
+					value?: _
+				}]
+
+				// Target points to the resources that the patch document should
+				// be applied to.
+				target: {
+					// AnnotationSelector is a string that follows the label selection
+					// expression
+					// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+					// It matches with the resource annotations.
+					annotationSelector?: string
+
+					// Group is the API group to select resources from. Together with
+					// Version and Kind it is capable of unambiguously identifying
+					// and/or selecting resources.
+					// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+					group?: string
+
+					// Kind of the API Group to select resources from. Together with
+					// Group and Version it is capable of unambiguously identifying
+					// and/or selecting resources.
+					// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+					kind?: string
+
+					// LabelSelector is a string that follows the label selection
+					// expression
+					// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+					// It matches with the resource labels.
+					labelSelector?: string
+
+					// Name to match resources with.
+					name?: string
+
+					// Namespace to select resources from.
+					namespace?: string
+
+					// Version of the API Group to select resources from. Together
+					// with Group and Kind it is capable of unambiguously identifying
+					// and/or selecting resources.
+					// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+					version?: string
+				}
+			}]
+
+			// Strategic merge patches, defined as inline YAML objects.
+			patchesStrategicMerge?: [...]
+		}
+	}]
+
+	// ReleaseName used for the Helm release. Defaults to a
+	// composition of '[TargetNamespace-]Name'.
+	releaseName?: strings.MaxRunes(53) & strings.MinRunes(1)
+
+	// Rollback holds the configuration for Helm rollback actions for
+	// this HelmRelease.
+	rollback?: {
+		// CleanupOnFail allows deletion of new resources created during
+		// the Helm rollback action when it fails.
+		cleanupOnFail?: bool
+
+		// DisableHooks prevents hooks from running during the Helm
+		// rollback action.
+		disableHooks?: bool
+
+		// DisableWait disables the waiting for resources to be ready
+		// after a Helm rollback has been performed.
+		disableWait?: bool
+
+		// DisableWaitForJobs disables waiting for jobs to complete after
+		// a Helm rollback has been performed.
+		disableWaitForJobs?: bool
+
+		// Force forces resource updates through a replacement strategy.
+		force?: bool
+
+		// Recreate performs pod restarts for the resource if applicable.
+		recreate?: bool
+
+		// Timeout is the time to wait for any individual Kubernetes
+		// operation (like Jobs for hooks) during the performance of a
+		// Helm rollback action. Defaults to 'HelmReleaseSpec.Timeout'.
+		timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	}
+
+	// The name of the Kubernetes service account to impersonate when
+	// reconciling this HelmRelease.
+	serviceAccountName?: string
+
+	// StorageNamespace used for the Helm storage. Defaults to the
+	// namespace of the HelmRelease.
+	storageNamespace?: strings.MaxRunes(63) & strings.MinRunes(1)
+
+	// Suspend tells the controller to suspend reconciliation for this
+	// HelmRelease, it does not apply to already started
+	// reconciliations. Defaults to false.
+	suspend?: bool
+
+	// TargetNamespace to target when performing operations for the
+	// HelmRelease. Defaults to the namespace of the HelmRelease.
+	targetNamespace?: strings.MaxRunes(63) & strings.MinRunes(1)
+
+	// Test holds the configuration for Helm test actions for this
+	// HelmRelease.
+	test?: {
+		// Enable enables Helm test actions for this HelmRelease after an
+		// Helm install or upgrade action has been performed.
+		enable?: bool
+
+		// IgnoreFailures tells the controller to skip remediation when
+		// the Helm tests are run but fail. Can be overwritten for tests
+		// run after install or upgrade actions in
+		// 'Install.IgnoreTestFailures' and 'Upgrade.IgnoreTestFailures'.
+		ignoreFailures?: bool
+
+		// Timeout is the time to wait for any individual Kubernetes
+		// operation during the performance of a Helm test action.
+		// Defaults to 'HelmReleaseSpec.Timeout'.
+		timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	}
+
+	// Timeout is the time to wait for any individual Kubernetes
+	// operation (like Jobs for hooks) during the performance of a
+	// Helm action. Defaults to '5m0s'.
+	timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+
+	// Uninstall holds the configuration for Helm uninstall actions
+	// for this HelmRelease.
+	uninstall?: {
+		// DeletionPropagation specifies the deletion propagation policy
+		// when a Helm uninstall is performed.
+		deletionPropagation?: "background" | "foreground" | "orphan" | *"background"
+
+		// DisableHooks prevents hooks from running during the Helm
+		// rollback action.
+		disableHooks?: bool
+
+		// DisableWait disables waiting for all the resources to be
+		// deleted after a Helm uninstall is performed.
+		disableWait?: bool
+
+		// KeepHistory tells Helm to remove all associated resources and
+		// mark the release as deleted, but retain the release history.
+		keepHistory?: bool
+
+		// Timeout is the time to wait for any individual Kubernetes
+		// operation (like Jobs for hooks) during the performance of a
+		// Helm uninstall action. Defaults to 'HelmReleaseSpec.Timeout'.
+		timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	}
+
+	// Upgrade holds the configuration for Helm upgrade actions for
+	// this HelmRelease.
+	upgrade?: {
+		// CleanupOnFail allows deletion of new resources created during
+		// the Helm upgrade action when it fails.
+		cleanupOnFail?: bool
+
+		// CRDs upgrade CRDs from the Helm Chart's crds directory
+		// according to the CRD upgrade policy provided here. Valid
+		// values are `Skip`, `Create` or `CreateReplace`. Default is
+		// `Skip` and if omitted CRDs are neither installed nor upgraded.
+		// Skip: do neither install nor replace (update) any CRDs.
+		// Create: new CRDs are created, existing CRDs are neither updated
+		// nor deleted.
+		// CreateReplace: new CRDs are created, existing CRDs are updated
+		// (replaced) but not deleted.
+		// By default, CRDs are not applied during Helm upgrade action.
+		// With this option users can opt-in to CRD upgrade, which is not
+		// (yet) natively supported by Helm.
+		// https://helm.sh/docs/chart_best_practices/custom_resource_definitions.
+		crds?: "Skip" | "Create" | "CreateReplace"
+
+		// DisableHooks prevents hooks from running during the Helm
+		// upgrade action.
+		disableHooks?: bool
+
+		// DisableOpenAPIValidation prevents the Helm upgrade action from
+		// validating rendered templates against the Kubernetes OpenAPI
+		// Schema.
+		disableOpenAPIValidation?: bool
+
+		// DisableWait disables the waiting for resources to be ready
+		// after a Helm upgrade has been performed.
+		disableWait?: bool
+
+		// DisableWaitForJobs disables waiting for jobs to complete after
+		// a Helm upgrade has been performed.
+		disableWaitForJobs?: bool
+
+		// Force forces resource updates through a replacement strategy.
+		force?: bool
+
+		// PreserveValues will make Helm reuse the last release's values
+		// and merge in overrides from 'Values'. Setting this flag makes
+		// the HelmRelease non-declarative.
+		preserveValues?: bool
+
+		// Remediation holds the remediation configuration for when the
+		// Helm upgrade action for the HelmRelease fails. The default is
+		// to not perform any action.
+		remediation?: {
+			// IgnoreTestFailures tells the controller to skip remediation
+			// when the Helm tests are run after an upgrade action but fail.
+			// Defaults to 'Test.IgnoreFailures'.
+			ignoreTestFailures?: bool
+
+			// RemediateLastFailure tells the controller to remediate the last
+			// failure, when no retries remain. Defaults to 'false' unless
+			// 'Retries' is greater than 0.
+			remediateLastFailure?: bool
+
+			// Retries is the number of retries that should be attempted on
+			// failures before bailing. Remediation, using 'Strategy', is
+			// performed between each attempt. Defaults to '0', a negative
+			// integer equals to unlimited retries.
+			retries?: int
+
+			// Strategy to use for failure remediation. Defaults to
+			// 'rollback'.
+			strategy?: "rollback" | "uninstall"
+		}
+
+		// Timeout is the time to wait for any individual Kubernetes
+		// operation (like Jobs for hooks) during the performance of a
+		// Helm upgrade action. Defaults to 'HelmReleaseSpec.Timeout'.
+		timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	}
+
+	// Values holds the values for this Helm release.
+	values?: _
+
+	// ValuesFrom holds references to resources containing Helm values
+	// for this HelmRelease, and information about how they should be
+	// merged.
+	valuesFrom?: [...{
+		// Kind of the values referent, valid values are ('Secret',
+		// 'ConfigMap').
+		kind: "Secret" | "ConfigMap"
+
+		// Name of the values referent. Should reside in the same
+		// namespace as the referring resource.
+		name: strings.MaxRunes(253) & strings.MinRunes(1)
+
+		// Optional marks this ValuesReference as optional. When set, a
+		// not found error for the values reference is ignored, but any
+		// ValuesKey, TargetPath or transient error will still result in
+		// a reconciliation failure.
+		optional?: bool
+
+		// TargetPath is the YAML dot notation path the value should be
+		// merged at. When set, the ValuesKey is expected to be a single
+		// flat value. Defaults to 'None', which results in the values
+		// getting merged at the root.
+		targetPath?: strings.MaxRunes(250) & {
+			=~"^([a-zA-Z0-9_\\-.\\\\\\/]|\\[[0-9]{1,5}\\])+$"
+		}
+
+		// ValuesKey is the data key where the values.yaml or a specific
+		// value can be found at. Defaults to 'values.yaml'. When set,
+		// must be a valid Data Key, consisting of alphanumeric
+		// characters, '-', '_' or '.'.
+		valuesKey?: strings.MaxRunes(253) & {
+			=~"^[\\-._a-zA-Z0-9]+$"
+		}
+	}]
+}

docs/examples/cue.mod/gen/helm.toolkit.fluxcd.io/helmrelease/v2beta2/types_gen.cue

@@ -0,0 +1,697 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v2beta2
+
+import "strings"
+
+// HelmRelease is the Schema for the helmreleases API
+#HelmRelease: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "helm.toolkit.fluxcd.io/v2beta2"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "HelmRelease"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// HelmReleaseSpec defines the desired state of a Helm release.
+	spec!: #HelmReleaseSpec
+}
+
+// HelmReleaseSpec defines the desired state of a Helm release.
+#HelmReleaseSpec: {
+	// Chart defines the template of the v1beta2.HelmChart that should
+	// be created for this HelmRelease.
+	chart: {
+		// ObjectMeta holds the template for metadata like labels and
+		// annotations.
+		metadata?: {
+			// Annotations is an unstructured key value map stored with a
+			// resource that may be set by external tools to store and
+			// retrieve arbitrary metadata. They are not queryable and should
+			// be preserved when modifying objects. More info:
+			// https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+			annotations?: {
+				[string]: string
+			}
+
+			// Map of string keys and values that can be used to organize and
+			// categorize (scope and select) objects. More info:
+			// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+			labels?: {
+				[string]: string
+			}
+		}
+
+		// Spec holds the template for the v1beta2.HelmChartSpec for this
+		// HelmRelease.
+		spec: {
+			// The name or path the Helm chart is available at in the
+			// SourceRef.
+			chart: strings.MaxRunes(2048) & strings.MinRunes(1)
+
+			// Interval at which to check the v1.Source for updates. Defaults
+			// to 'HelmReleaseSpec.Interval'.
+			interval?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+
+			// Determines what enables the creation of a new artifact. Valid
+			// values are ('ChartVersion', 'Revision'). See the documentation
+			// of the values for an explanation on their behavior. Defaults
+			// to ChartVersion when omitted.
+			reconcileStrategy?: "ChartVersion" | "Revision" | *"ChartVersion"
+
+			// The name and namespace of the v1.Source the chart is available
+			// at.
+			sourceRef: {
+				// APIVersion of the referent.
+				apiVersion?: string
+
+				// Kind of the referent.
+				kind?: "HelmRepository" | "GitRepository" | "Bucket"
+
+				// Name of the referent.
+				name: strings.MaxRunes(253) & strings.MinRunes(1)
+
+				// Namespace of the referent.
+				namespace?: strings.MaxRunes(63) & strings.MinRunes(1)
+			}
+
+			// Alternative values file to use as the default chart values,
+			// expected to be a relative path in the SourceRef. Deprecated in
+			// favor of ValuesFiles, for backwards compatibility the file
+			// defined here is merged before the ValuesFiles items. Ignored
+			// when omitted.
+			valuesFile?: string
+
+			// Alternative list of values files to use as the chart values
+			// (values.yaml is not included by default), expected to be a
+			// relative path in the SourceRef. Values files are merged in the
+			// order of this list with the last file overriding the first.
+			// Ignored when omitted.
+			valuesFiles?: [...string]
+
+			// Verify contains the secret name containing the trusted public
+			// keys used to verify the signature and specifies which provider
+			// to use to check whether OCI image is authentic. This field is
+			// only supported for OCI sources. Chart dependencies, which are
+			// not bundled in the umbrella chart artifact, are not verified.
+			verify?: {
+				// Provider specifies the technology used to sign the OCI Helm
+				// chart.
+				provider: "cosign" | *"cosign"
+				secretRef?: {
+					// Name of the referent.
+					name: string
+				}
+			}
+
+			// Version semver expression, ignored for charts from
+			// v1beta2.GitRepository and v1beta2.Bucket sources. Defaults to
+			// latest when omitted.
+			version?: string | *"*"
+		}
+	}
+
+	// DependsOn may contain a meta.NamespacedObjectReference slice
+	// with references to HelmRelease resources that must be ready
+	// before this HelmRelease can be reconciled.
+	dependsOn?: [...{
+		// Name of the referent.
+		name: string
+
+		// Namespace of the referent, when not specified it acts as
+		// LocalObjectReference.
+		namespace?: string
+	}]
+
+	// DriftDetection holds the configuration for detecting and
+	// handling differences between the manifest in the Helm storage
+	// and the resources currently existing in the cluster.
+	driftDetection?: {
+		// Ignore contains a list of rules for specifying which changes to
+		// ignore during diffing.
+		ignore?: [...{
+			// Paths is a list of JSON Pointer (RFC 6901) paths to be excluded
+			// from consideration in a Kubernetes object.
+			paths: [...string]
+
+			// Target is a selector for specifying Kubernetes objects to which
+			// this rule applies. If Target is not set, the Paths will be
+			// ignored for all Kubernetes objects within the manifest of the
+			// Helm release.
+			target?: {
+				// AnnotationSelector is a string that follows the label selection
+				// expression
+				// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+				// It matches with the resource annotations.
+				annotationSelector?: string
+
+				// Group is the API group to select resources from. Together with
+				// Version and Kind it is capable of unambiguously identifying
+				// and/or selecting resources.
+				// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+				group?: string
+
+				// Kind of the API Group to select resources from. Together with
+				// Group and Version it is capable of unambiguously identifying
+				// and/or selecting resources.
+				// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+				kind?: string
+
+				// LabelSelector is a string that follows the label selection
+				// expression
+				// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+				// It matches with the resource labels.
+				labelSelector?: string
+
+				// Name to match resources with.
+				name?: string
+
+				// Namespace to select resources from.
+				namespace?: string
+
+				// Version of the API Group to select resources from. Together
+				// with Group and Kind it is capable of unambiguously identifying
+				// and/or selecting resources.
+				// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+				version?: string
+			}
+		}]
+
+		// Mode defines how differences should be handled between the Helm
+		// manifest and the manifest currently applied to the cluster. If
+		// not explicitly set, it defaults to DiffModeDisabled.
+		mode?: "enabled" | "warn" | "disabled"
+	}
+
+	// Install holds the configuration for Helm install actions for
+	// this HelmRelease.
+	install?: {
+		// CRDs upgrade CRDs from the Helm Chart's crds directory
+		// according to the CRD upgrade policy provided here. Valid
+		// values are `Skip`, `Create` or `CreateReplace`. Default is
+		// `Create` and if omitted CRDs are installed but not updated.
+		// Skip: do neither install nor replace (update) any CRDs.
+		// Create: new CRDs are created, existing CRDs are neither updated
+		// nor deleted.
+		// CreateReplace: new CRDs are created, existing CRDs are updated
+		// (replaced) but not deleted.
+		// By default, CRDs are applied (installed) during Helm install
+		// action. With this option users can opt in to CRD replace
+		// existing CRDs on Helm install actions, which is not (yet)
+		// natively supported by Helm.
+		// https://helm.sh/docs/chart_best_practices/custom_resource_definitions.
+		crds?: "Skip" | "Create" | "CreateReplace"
+
+		// CreateNamespace tells the Helm install action to create the
+		// HelmReleaseSpec.TargetNamespace if it does not exist yet. On
+		// uninstall, the namespace will not be garbage collected.
+		createNamespace?: bool
+
+		// DisableHooks prevents hooks from running during the Helm
+		// install action.
+		disableHooks?: bool
+
+		// DisableOpenAPIValidation prevents the Helm install action from
+		// validating rendered templates against the Kubernetes OpenAPI
+		// Schema.
+		disableOpenAPIValidation?: bool
+
+		// DisableWait disables the waiting for resources to be ready
+		// after a Helm install has been performed.
+		disableWait?: bool
+
+		// DisableWaitForJobs disables waiting for jobs to complete after
+		// a Helm install has been performed.
+		disableWaitForJobs?: bool
+
+		// Remediation holds the remediation configuration for when the
+		// Helm install action for the HelmRelease fails. The default is
+		// to not perform any action.
+		remediation?: {
+			// IgnoreTestFailures tells the controller to skip remediation
+			// when the Helm tests are run after an install action but fail.
+			// Defaults to 'Test.IgnoreFailures'.
+			ignoreTestFailures?: bool
+
+			// RemediateLastFailure tells the controller to remediate the last
+			// failure, when no retries remain. Defaults to 'false'.
+			remediateLastFailure?: bool
+
+			// Retries is the number of retries that should be attempted on
+			// failures before bailing. Remediation, using an uninstall, is
+			// performed between each attempt. Defaults to '0', a negative
+			// integer equals to unlimited retries.
+			retries?: int
+		}
+
+		// Replace tells the Helm install action to re-use the
+		// 'ReleaseName', but only if that name is a deleted release
+		// which remains in the history.
+		replace?: bool
+
+		// SkipCRDs tells the Helm install action to not install any CRDs.
+		// By default, CRDs are installed if not already present.
+		// Deprecated use CRD policy (`crds`) attribute with value `Skip`
+		// instead.
+		skipCRDs?: bool
+
+		// Timeout is the time to wait for any individual Kubernetes
+		// operation (like Jobs for hooks) during the performance of a
+		// Helm install action. Defaults to 'HelmReleaseSpec.Timeout'.
+		timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	}
+
+	// Interval at which to reconcile the Helm release.
+	interval: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	kubeConfig?: {
+		// SecretRef holds the name of a secret that contains a key with
+		// the kubeconfig file as the value. If no key is set, the key
+		// will default to 'value'. It is recommended that the kubeconfig
+		// is self-contained, and the secret is regularly updated if
+		// credentials such as a cloud-access-token expire. Cloud
+		// specific `cmd-path` auth helpers will not function without
+		// adding binaries and credentials to the Pod that is responsible
+		// for reconciling Kubernetes resources.
+		secretRef: {
+			// Key in the Secret, when not specified an
+			// implementation-specific default key is used.
+			key?: string
+
+			// Name of the Secret.
+			name: string
+		}
+	}
+
+	// MaxHistory is the number of revisions saved by Helm for this
+	// HelmRelease. Use '0' for an unlimited number of revisions;
+	// defaults to '5'.
+	maxHistory?: int
+
+	// PersistentClient tells the controller to use a persistent
+	// Kubernetes client for this release. When enabled, the client
+	// will be reused for the duration of the reconciliation, instead
+	// of being created and destroyed for each (step of a) Helm
+	// action.
+	// This can improve performance, but may cause issues with some
+	// Helm charts that for example do create Custom Resource
+	// Definitions during installation outside Helm's CRD lifecycle
+	// hooks, which are then not observed to be available by e.g.
+	// post-install hooks.
+	// If not set, it defaults to true.
+	persistentClient?: bool
+
+	// PostRenderers holds an array of Helm PostRenderers, which will
+	// be applied in order of their definition.
+	postRenderers?: [...{
+		// Kustomization to apply as PostRenderer.
+		kustomize?: {
+			// Images is a list of (image name, new name, new tag or digest)
+			// for changing image names, tags or digests. This can also be
+			// achieved with a patch, but this operator is simpler to
+			// specify.
+			images?: [...{
+				// Digest is the value used to replace the original image tag. If
+				// digest is present NewTag value is ignored.
+				digest?: string
+
+				// Name is a tag-less image name.
+				name: string
+
+				// NewName is the value used to replace the original name.
+				newName?: string
+
+				// NewTag is the value used to replace the original tag.
+				newTag?: string
+			}]
+
+			// Strategic merge and JSON patches, defined as inline YAML
+			// objects, capable of targeting objects based on kind, label and
+			// annotation selectors.
+			patches?: [...{
+				// Patch contains an inline StrategicMerge patch or an inline
+				// JSON6902 patch with an array of operation objects.
+				patch: string
+
+				// Target points to the resources that the patch document should
+				// be applied to.
+				target?: {
+					// AnnotationSelector is a string that follows the label selection
+					// expression
+					// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+					// It matches with the resource annotations.
+					annotationSelector?: string
+
+					// Group is the API group to select resources from. Together with
+					// Version and Kind it is capable of unambiguously identifying
+					// and/or selecting resources.
+					// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+					group?: string
+
+					// Kind of the API Group to select resources from. Together with
+					// Group and Version it is capable of unambiguously identifying
+					// and/or selecting resources.
+					// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+					kind?: string
+
+					// LabelSelector is a string that follows the label selection
+					// expression
+					// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+					// It matches with the resource labels.
+					labelSelector?: string
+
+					// Name to match resources with.
+					name?: string
+
+					// Namespace to select resources from.
+					namespace?: string
+
+					// Version of the API Group to select resources from. Together
+					// with Group and Kind it is capable of unambiguously identifying
+					// and/or selecting resources.
+					// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+					version?: string
+				}
+			}]
+
+			// JSON 6902 patches, defined as inline YAML objects. Deprecated:
+			// use Patches instead.
+			patchesJson6902?: [...{
+				// Patch contains the JSON6902 patch document with an array of
+				// operation objects.
+				patch: [...{
+					// From contains a JSON-pointer value that references a location
+					// within the target document where the operation is performed.
+					// The meaning of the value depends on the value of Op, and is
+					// NOT taken into account by all operations.
+					from?: string
+
+					// Op indicates the operation to perform. Its value MUST be one of
+					// "add", "remove", "replace", "move", "copy", or "test".
+					// https://datatracker.ietf.org/doc/html/rfc6902#section-4
+					op: "test" | "remove" | "add" | "replace" | "move" | "copy"
+
+					// Path contains the JSON-pointer value that references a location
+					// within the target document where the operation is performed.
+					// The meaning of the value depends on the value of Op.
+					path: string
+
+					// Value contains a valid JSON structure. The meaning of the value
+					// depends on the value of Op, and is NOT taken into account by
+					// all operations.
+					value?: _
+				}]
+
+				// Target points to the resources that the patch document should
+				// be applied to.
+				target: {
+					// AnnotationSelector is a string that follows the label selection
+					// expression
+					// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+					// It matches with the resource annotations.
+					annotationSelector?: string
+
+					// Group is the API group to select resources from. Together with
+					// Version and Kind it is capable of unambiguously identifying
+					// and/or selecting resources.
+					// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+					group?: string
+
+					// Kind of the API Group to select resources from. Together with
+					// Group and Version it is capable of unambiguously identifying
+					// and/or selecting resources.
+					// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+					kind?: string
+
+					// LabelSelector is a string that follows the label selection
+					// expression
+					// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+					// It matches with the resource labels.
+					labelSelector?: string
+
+					// Name to match resources with.
+					name?: string
+
+					// Namespace to select resources from.
+					namespace?: string
+
+					// Version of the API Group to select resources from. Together
+					// with Group and Kind it is capable of unambiguously identifying
+					// and/or selecting resources.
+					// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+					version?: string
+				}
+			}]
+
+			// Strategic merge patches, defined as inline YAML objects.
+			// Deprecated: use Patches instead.
+			patchesStrategicMerge?: [...]
+		}
+	}]
+
+	// ReleaseName used for the Helm release. Defaults to a
+	// composition of '[TargetNamespace-]Name'.
+	releaseName?: strings.MaxRunes(53) & strings.MinRunes(1)
+
+	// Rollback holds the configuration for Helm rollback actions for
+	// this HelmRelease.
+	rollback?: {
+		// CleanupOnFail allows deletion of new resources created during
+		// the Helm rollback action when it fails.
+		cleanupOnFail?: bool
+
+		// DisableHooks prevents hooks from running during the Helm
+		// rollback action.
+		disableHooks?: bool
+
+		// DisableWait disables the waiting for resources to be ready
+		// after a Helm rollback has been performed.
+		disableWait?: bool
+
+		// DisableWaitForJobs disables waiting for jobs to complete after
+		// a Helm rollback has been performed.
+		disableWaitForJobs?: bool
+
+		// Force forces resource updates through a replacement strategy.
+		force?: bool
+
+		// Recreate performs pod restarts for the resource if applicable.
+		recreate?: bool
+
+		// Timeout is the time to wait for any individual Kubernetes
+		// operation (like Jobs for hooks) during the performance of a
+		// Helm rollback action. Defaults to 'HelmReleaseSpec.Timeout'.
+		timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	}
+
+	// The name of the Kubernetes service account to impersonate when
+	// reconciling this HelmRelease.
+	serviceAccountName?: strings.MaxRunes(253) & strings.MinRunes(1)
+
+	// StorageNamespace used for the Helm storage. Defaults to the
+	// namespace of the HelmRelease.
+	storageNamespace?: strings.MaxRunes(63) & strings.MinRunes(1)
+
+	// Suspend tells the controller to suspend reconciliation for this
+	// HelmRelease, it does not apply to already started
+	// reconciliations. Defaults to false.
+	suspend?: bool
+
+	// TargetNamespace to target when performing operations for the
+	// HelmRelease. Defaults to the namespace of the HelmRelease.
+	targetNamespace?: strings.MaxRunes(63) & strings.MinRunes(1)
+
+	// Test holds the configuration for Helm test actions for this
+	// HelmRelease.
+	test?: {
+		// Enable enables Helm test actions for this HelmRelease after an
+		// Helm install or upgrade action has been performed.
+		enable?: bool
+
+		// Filters is a list of tests to run or exclude from running.
+		filters?: [...{
+			// Exclude specifies whether the named test should be excluded.
+			exclude?: bool
+
+			// Name is the name of the test.
+			name: strings.MaxRunes(253) & strings.MinRunes(1)
+		}]
+
+		// IgnoreFailures tells the controller to skip remediation when
+		// the Helm tests are run but fail. Can be overwritten for tests
+		// run after install or upgrade actions in
+		// 'Install.IgnoreTestFailures' and 'Upgrade.IgnoreTestFailures'.
+		ignoreFailures?: bool
+
+		// Timeout is the time to wait for any individual Kubernetes
+		// operation during the performance of a Helm test action.
+		// Defaults to 'HelmReleaseSpec.Timeout'.
+		timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	}
+
+	// Timeout is the time to wait for any individual Kubernetes
+	// operation (like Jobs for hooks) during the performance of a
+	// Helm action. Defaults to '5m0s'.
+	timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+
+	// Uninstall holds the configuration for Helm uninstall actions
+	// for this HelmRelease.
+	uninstall?: {
+		// DeletionPropagation specifies the deletion propagation policy
+		// when a Helm uninstall is performed.
+		deletionPropagation?: "background" | "foreground" | "orphan" | *"background"
+
+		// DisableHooks prevents hooks from running during the Helm
+		// rollback action.
+		disableHooks?: bool
+
+		// DisableWait disables waiting for all the resources to be
+		// deleted after a Helm uninstall is performed.
+		disableWait?: bool
+
+		// KeepHistory tells Helm to remove all associated resources and
+		// mark the release as deleted, but retain the release history.
+		keepHistory?: bool
+
+		// Timeout is the time to wait for any individual Kubernetes
+		// operation (like Jobs for hooks) during the performance of a
+		// Helm uninstall action. Defaults to 'HelmReleaseSpec.Timeout'.
+		timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	}
+
+	// Upgrade holds the configuration for Helm upgrade actions for
+	// this HelmRelease.
+	upgrade?: {
+		// CleanupOnFail allows deletion of new resources created during
+		// the Helm upgrade action when it fails.
+		cleanupOnFail?: bool
+
+		// CRDs upgrade CRDs from the Helm Chart's crds directory
+		// according to the CRD upgrade policy provided here. Valid
+		// values are `Skip`, `Create` or `CreateReplace`. Default is
+		// `Skip` and if omitted CRDs are neither installed nor upgraded.
+		// Skip: do neither install nor replace (update) any CRDs.
+		// Create: new CRDs are created, existing CRDs are neither updated
+		// nor deleted.
+		// CreateReplace: new CRDs are created, existing CRDs are updated
+		// (replaced) but not deleted.
+		// By default, CRDs are not applied during Helm upgrade action.
+		// With this option users can opt-in to CRD upgrade, which is not
+		// (yet) natively supported by Helm.
+		// https://helm.sh/docs/chart_best_practices/custom_resource_definitions.
+		crds?: "Skip" | "Create" | "CreateReplace"
+
+		// DisableHooks prevents hooks from running during the Helm
+		// upgrade action.
+		disableHooks?: bool
+
+		// DisableOpenAPIValidation prevents the Helm upgrade action from
+		// validating rendered templates against the Kubernetes OpenAPI
+		// Schema.
+		disableOpenAPIValidation?: bool
+
+		// DisableWait disables the waiting for resources to be ready
+		// after a Helm upgrade has been performed.
+		disableWait?: bool
+
+		// DisableWaitForJobs disables waiting for jobs to complete after
+		// a Helm upgrade has been performed.
+		disableWaitForJobs?: bool
+
+		// Force forces resource updates through a replacement strategy.
+		force?: bool
+
+		// PreserveValues will make Helm reuse the last release's values
+		// and merge in overrides from 'Values'. Setting this flag makes
+		// the HelmRelease non-declarative.
+		preserveValues?: bool
+
+		// Remediation holds the remediation configuration for when the
+		// Helm upgrade action for the HelmRelease fails. The default is
+		// to not perform any action.
+		remediation?: {
+			// IgnoreTestFailures tells the controller to skip remediation
+			// when the Helm tests are run after an upgrade action but fail.
+			// Defaults to 'Test.IgnoreFailures'.
+			ignoreTestFailures?: bool
+
+			// RemediateLastFailure tells the controller to remediate the last
+			// failure, when no retries remain. Defaults to 'false' unless
+			// 'Retries' is greater than 0.
+			remediateLastFailure?: bool
+
+			// Retries is the number of retries that should be attempted on
+			// failures before bailing. Remediation, using 'Strategy', is
+			// performed between each attempt. Defaults to '0', a negative
+			// integer equals to unlimited retries.
+			retries?: int
+
+			// Strategy to use for failure remediation. Defaults to
+			// 'rollback'.
+			strategy?: "rollback" | "uninstall"
+		}
+
+		// Timeout is the time to wait for any individual Kubernetes
+		// operation (like Jobs for hooks) during the performance of a
+		// Helm upgrade action. Defaults to 'HelmReleaseSpec.Timeout'.
+		timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	}
+
+	// Values holds the values for this Helm release.
+	values?: _
+
+	// ValuesFrom holds references to resources containing Helm values
+	// for this HelmRelease, and information about how they should be
+	// merged.
+	valuesFrom?: [...{
+		// Kind of the values referent, valid values are ('Secret',
+		// 'ConfigMap').
+		kind: "Secret" | "ConfigMap"
+
+		// Name of the values referent. Should reside in the same
+		// namespace as the referring resource.
+		name: strings.MaxRunes(253) & strings.MinRunes(1)
+
+		// Optional marks this ValuesReference as optional. When set, a
+		// not found error for the values reference is ignored, but any
+		// ValuesKey, TargetPath or transient error will still result in
+		// a reconciliation failure.
+		optional?: bool
+
+		// TargetPath is the YAML dot notation path the value should be
+		// merged at. When set, the ValuesKey is expected to be a single
+		// flat value. Defaults to 'None', which results in the values
+		// getting merged at the root.
+		targetPath?: strings.MaxRunes(250) & {
+			=~"^([a-zA-Z0-9_\\-.\\\\\\/]|\\[[0-9]{1,5}\\])+$"
+		}
+
+		// ValuesKey is the data key where the values.yaml or a specific
+		// value can be found at. Defaults to 'values.yaml'.
+		valuesKey?: strings.MaxRunes(253) & {
+			=~"^[\\-._a-zA-Z0-9]+$"
+		}
+	}]
+}

docs/examples/cue.mod/gen/image.toolkit.fluxcd.io/imagepolicy/v1beta1/types_gen.cue

@@ -0,0 +1,93 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta1
+
+import "strings"
+
+// ImagePolicy is the Schema for the imagepolicies API
+#ImagePolicy: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "image.toolkit.fluxcd.io/v1beta1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "ImagePolicy"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// ImagePolicySpec defines the parameters for calculating the
+	// ImagePolicy
+	spec!: #ImagePolicySpec
+}
+
+// ImagePolicySpec defines the parameters for calculating the
+// ImagePolicy
+#ImagePolicySpec: {
+	// FilterTags enables filtering for only a subset of tags based on
+	// a set of rules. If no rules are provided, all the tags from
+	// the repository will be ordered and compared.
+	filterTags?: {
+		// Extract allows a capture group to be extracted from the
+		// specified regular expression pattern, useful before tag
+		// evaluation.
+		extract?: string
+
+		// Pattern specifies a regular expression pattern used to filter
+		// for image tags.
+		pattern?: string
+	}
+
+	// ImageRepositoryRef points at the object specifying the image
+	// being scanned
+	imageRepositoryRef: {
+		// Name of the referent.
+		name: string
+
+		// Namespace of the referent, when not specified it acts as
+		// LocalObjectReference.
+		namespace?: string
+	}
+
+	// Policy gives the particulars of the policy to be followed in
+	// selecting the most recent image
+	policy: {
+		alphabetical?: {
+			// Order specifies the sorting order of the tags. Given the
+			// letters of the alphabet as tags, ascending order would select
+			// Z, and descending order would select A.
+			order?: "asc" | "desc" | *"asc"
+		}
+		numerical?: {
+			// Order specifies the sorting order of the tags. Given the
+			// integer values from 0 to 9 as tags, ascending order would
+			// select 9, and descending order would select 0.
+			order?: "asc" | "desc" | *"asc"
+		}
+		semver?: {
+			// Range gives a semver range for the image tag; the highest
+			// version within the range that's a tag yields the latest image.
+			range: string
+		}
+	}
+}

docs/examples/cue.mod/gen/image.toolkit.fluxcd.io/imagepolicy/v1beta2/types_gen.cue

@@ -0,0 +1,93 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta2
+
+import "strings"
+
+// ImagePolicy is the Schema for the imagepolicies API
+#ImagePolicy: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "image.toolkit.fluxcd.io/v1beta2"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "ImagePolicy"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// ImagePolicySpec defines the parameters for calculating the
+	// ImagePolicy.
+	spec!: #ImagePolicySpec
+}
+
+// ImagePolicySpec defines the parameters for calculating the
+// ImagePolicy.
+#ImagePolicySpec: {
+	// FilterTags enables filtering for only a subset of tags based on
+	// a set of rules. If no rules are provided, all the tags from
+	// the repository will be ordered and compared.
+	filterTags?: {
+		// Extract allows a capture group to be extracted from the
+		// specified regular expression pattern, useful before tag
+		// evaluation.
+		extract?: string
+
+		// Pattern specifies a regular expression pattern used to filter
+		// for image tags.
+		pattern?: string
+	}
+
+	// ImageRepositoryRef points at the object specifying the image
+	// being scanned
+	imageRepositoryRef: {
+		// Name of the referent.
+		name: string
+
+		// Namespace of the referent, when not specified it acts as
+		// LocalObjectReference.
+		namespace?: string
+	}
+
+	// Policy gives the particulars of the policy to be followed in
+	// selecting the most recent image
+	policy: {
+		alphabetical?: {
+			// Order specifies the sorting order of the tags. Given the
+			// letters of the alphabet as tags, ascending order would select
+			// Z, and descending order would select A.
+			order?: "asc" | "desc" | *"asc"
+		}
+		numerical?: {
+			// Order specifies the sorting order of the tags. Given the
+			// integer values from 0 to 9 as tags, ascending order would
+			// select 9, and descending order would select 0.
+			order?: "asc" | "desc" | *"asc"
+		}
+		semver?: {
+			// Range gives a semver range for the image tag; the highest
+			// version within the range that's a tag yields the latest image.
+			range: string
+		}
+	}
+}

docs/examples/cue.mod/gen/image.toolkit.fluxcd.io/imagerepository/v1beta1/types_gen.cue

@@ -0,0 +1,94 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta1
+
+import "strings"
+
+// ImageRepository is the Schema for the imagerepositories API
+#ImageRepository: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "image.toolkit.fluxcd.io/v1beta1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "ImageRepository"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// ImageRepositorySpec defines the parameters for scanning an
+	// image repository, e.g., `fluxcd/flux`.
+	spec!: #ImageRepositorySpec
+}
+
+// ImageRepositorySpec defines the parameters for scanning an
+// image repository, e.g., `fluxcd/flux`.
+#ImageRepositorySpec: {
+	accessFrom?: {
+		// NamespaceSelectors is the list of namespace selectors to which
+		// this ACL applies. Items in this list are evaluated using a
+		// logical OR operation.
+		namespaceSelectors: [...{
+			// MatchLabels is a map of {key,value} pairs. A single {key,value}
+			// in the matchLabels map is equivalent to an element of
+			// matchExpressions, whose key field is "key", the operator is
+			// "In", and the values array contains only "value". The
+			// requirements are ANDed.
+			matchLabels?: {
+				[string]: string
+			}
+		}]
+	}
+	certSecretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// ExclusionList is a list of regex strings used to exclude
+	// certain tags from being stored in the database.
+	exclusionList?: [...string]
+
+	// Image is the name of the image repository
+	image?: string
+
+	// Interval is the length of time to wait between scans of the
+	// image repository.
+	interval?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	secretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// ServiceAccountName is the name of the Kubernetes ServiceAccount
+	// used to authenticate the image pull if the service account has
+	// attached pull secrets.
+	serviceAccountName?: strings.MaxRunes(253)
+
+	// This flag tells the controller to suspend subsequent image
+	// scans. It does not apply to already started scans. Defaults to
+	// false.
+	suspend?: bool
+
+	// Timeout for image scanning. Defaults to 'Interval' duration.
+	timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m))+$"
+}

docs/examples/cue.mod/gen/image.toolkit.fluxcd.io/imagerepository/v1beta2/types_gen.cue

@@ -0,0 +1,105 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta2
+
+import (
+	"strings"
+	"list"
+)
+
+// ImageRepository is the Schema for the imagerepositories API
+#ImageRepository: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "image.toolkit.fluxcd.io/v1beta2"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "ImageRepository"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// ImageRepositorySpec defines the parameters for scanning an
+	// image repository, e.g., `fluxcd/flux`.
+	spec!: #ImageRepositorySpec
+}
+
+// ImageRepositorySpec defines the parameters for scanning an
+// image repository, e.g., `fluxcd/flux`.
+#ImageRepositorySpec: {
+	accessFrom?: {
+		// NamespaceSelectors is the list of namespace selectors to which
+		// this ACL applies. Items in this list are evaluated using a
+		// logical OR operation.
+		namespaceSelectors: [...{
+			// MatchLabels is a map of {key,value} pairs. A single {key,value}
+			// in the matchLabels map is equivalent to an element of
+			// matchExpressions, whose key field is "key", the operator is
+			// "In", and the values array contains only "value". The
+			// requirements are ANDed.
+			matchLabels?: {
+				[string]: string
+			}
+		}]
+	}
+	certSecretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// ExclusionList is a list of regex strings used to exclude
+	// certain tags from being stored in the database.
+	exclusionList?: list.MaxItems(25) & [...string] | *["^.*\\.sig$"]
+
+	// Image is the name of the image repository
+	image?: string
+
+	// Insecure allows connecting to a non-TLS HTTP container
+	// registry.
+	insecure?: bool
+
+	// Interval is the length of time to wait between scans of the
+	// image repository.
+	interval?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+
+	// The provider used for authentication, can be 'aws', 'azure',
+	// 'gcp' or 'generic'. When not specified, defaults to 'generic'.
+	provider?: "generic" | "aws" | "azure" | "gcp" | *"generic"
+	secretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// ServiceAccountName is the name of the Kubernetes ServiceAccount
+	// used to authenticate the image pull if the service account has
+	// attached pull secrets.
+	serviceAccountName?: strings.MaxRunes(253)
+
+	// This flag tells the controller to suspend subsequent image
+	// scans. It does not apply to already started scans. Defaults to
+	// false.
+	suspend?: bool
+
+	// Timeout for image scanning. Defaults to 'Interval' duration.
+	timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m))+$"
+}

docs/examples/cue.mod/gen/image.toolkit.fluxcd.io/imageupdateautomation/v1beta1/types_gen.cue

@@ -0,0 +1,170 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta1
+
+import "strings"
+
+// ImageUpdateAutomation is the Schema for the
+// imageupdateautomations API
+#ImageUpdateAutomation: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "image.toolkit.fluxcd.io/v1beta1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "ImageUpdateAutomation"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// ImageUpdateAutomationSpec defines the desired state of
+	// ImageUpdateAutomation
+	spec!: #ImageUpdateAutomationSpec
+}
+
+// ImageUpdateAutomationSpec defines the desired state of
+// ImageUpdateAutomation
+#ImageUpdateAutomationSpec: {
+	// GitSpec contains all the git-specific definitions. This is
+	// technically optional, but in practice mandatory until there
+	// are other kinds of source allowed.
+	git?: {
+		checkout?: {
+			// Reference gives a branch, tag or commit to clone from the Git
+			// repository.
+			ref: {
+				// Branch to check out, defaults to 'master' if no other field is
+				// defined.
+				branch?: string
+
+				// Commit SHA to check out, takes precedence over all reference
+				// fields.
+				// This can be combined with Branch to shallow clone the branch,
+				// in which the commit is expected to exist.
+				commit?: string
+
+				// Name of the reference to check out; takes precedence over
+				// Branch, Tag and SemVer.
+				// It must be a valid Git reference:
+				// https://git-scm.com/docs/git-check-ref-format#_description
+				// Examples: "refs/heads/main", "refs/tags/v0.1.0",
+				// "refs/pull/420/head", "refs/merge-requests/1/head"
+				name?: string
+
+				// SemVer tag expression to check out, takes precedence over Tag.
+				semver?: string
+
+				// Tag to check out, takes precedence over Branch.
+				tag?: string
+			}
+		}
+
+		// Commit specifies how to commit to the git repository.
+		commit: {
+			// Author gives the email and optionally the name to use as the
+			// author of commits.
+			author: {
+				// Email gives the email to provide when making a commit.
+				email: string
+
+				// Name gives the name to provide when making a commit.
+				name?: string
+			}
+
+			// MessageTemplate provides a template for the commit message,
+			// into which will be interpolated the details of the change
+			// made.
+			messageTemplate?: string
+			signingKey?: {
+				secretRef?: {
+					// Name of the referent.
+					name: string
+				}
+			}
+		}
+
+		// Push specifies how and where to push commits made by the
+		// automation. If missing, commits are pushed (back) to
+		// `.spec.checkout.branch` or its default.
+		push?: {
+			// Branch specifies that commits should be pushed to the branch
+			// named. The branch is created using `.spec.checkout.branch` as
+			// the starting point, if it doesn't already exist.
+			branch?: string
+
+			// Options specifies the push options that are sent to the Git
+			// server when performing a push operation. For details, see:
+			// https://git-scm.com/docs/git-push#Documentation/git-push.txt---push-optionltoptiongt
+			options?: {
+				[string]: string
+			}
+
+			// Refspec specifies the Git Refspec to use for a push operation.
+			// If both Branch and Refspec are provided, then the commit is
+			// pushed to the branch and also using the specified refspec. For
+			// more details about Git Refspecs, see:
+			// https://git-scm.com/book/en/v2/Git-Internals-The-Refspec
+			refspec?: string
+		}
+	}
+
+	// Interval gives an lower bound for how often the automation run
+	// should be attempted.
+	interval: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+
+	// SourceRef refers to the resource giving access details to a git
+	// repository.
+	sourceRef: {
+		// API version of the referent.
+		apiVersion?: string
+
+		// Kind of the referent.
+		kind: "GitRepository" | *"GitRepository"
+
+		// Name of the referent.
+		name: string
+
+		// Namespace of the referent, defaults to the namespace of the
+		// Kubernetes resource object that contains the reference.
+		namespace?: string
+	}
+
+	// Suspend tells the controller to not run this automation, until
+	// it is unset (or set to false). Defaults to false.
+	suspend?: bool
+
+	// Update gives the specification for how to update the files in
+	// the repository. This can be left empty, to use the default
+	// value.
+	update?: {
+		// Path to the directory containing the manifests to be updated.
+		// Defaults to 'None', which translates to the root path of the
+		// GitRepositoryRef.
+		path?: string
+
+		// Strategy names the strategy to be used.
+		strategy: "Setters" | *"Setters"
+	} | *{
+		strategy: "Setters"
+	}
+}

docs/examples/cue.mod/gen/kustomize.toolkit.fluxcd.io/kustomization/v1/types_gen.cue

@@ -0,0 +1,286 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1
+
+import "strings"
+
+// Kustomization is the Schema for the kustomizations API.
+#Kustomization: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "kustomize.toolkit.fluxcd.io/v1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Kustomization"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// KustomizationSpec defines the configuration to calculate the
+	// desired state from a Source using Kustomize.
+	spec!: #KustomizationSpec
+}
+
+// KustomizationSpec defines the configuration to calculate the
+// desired state from a Source using Kustomize.
+#KustomizationSpec: {
+	// CommonMetadata specifies the common labels and annotations that
+	// are applied to all resources. Any existing label or annotation
+	// will be overridden if its key matches a common one.
+	commonMetadata?: {
+		// Annotations to be added to the object's metadata.
+		annotations?: {
+			[string]: string
+		}
+
+		// Labels to be added to the object's metadata.
+		labels?: {
+			[string]: string
+		}
+	}
+
+	// Components specifies relative paths to specifications of other
+	// Components.
+	components?: [...string]
+
+	// Decrypt Kubernetes secrets before applying them on the cluster.
+	decryption?: {
+		// Provider is the name of the decryption engine.
+		provider: "sops"
+		secretRef?: {
+			// Name of the referent.
+			name: string
+		}
+	}
+
+	// DependsOn may contain a meta.NamespacedObjectReference slice
+	// with references to Kustomization resources that must be ready
+	// before this Kustomization can be reconciled.
+	dependsOn?: [...{
+		// Name of the referent.
+		name: string
+
+		// Namespace of the referent, when not specified it acts as
+		// LocalObjectReference.
+		namespace?: string
+	}]
+
+	// Force instructs the controller to recreate resources when
+	// patching fails due to an immutable field change.
+	force?: bool | *false
+
+	// A list of resources to be included in the health assessment.
+	healthChecks?: [...{
+		// API version of the referent, if not specified the Kubernetes
+		// preferred version will be used.
+		apiVersion?: string
+
+		// Kind of the referent.
+		kind: string
+
+		// Name of the referent.
+		name: string
+
+		// Namespace of the referent, when not specified it acts as
+		// LocalObjectReference.
+		namespace?: string
+	}]
+
+	// Images is a list of (image name, new name, new tag or digest)
+	// for changing image names, tags or digests. This can also be
+	// achieved with a patch, but this operator is simpler to
+	// specify.
+	images?: [...{
+		// Digest is the value used to replace the original image tag. If
+		// digest is present NewTag value is ignored.
+		digest?: string
+
+		// Name is a tag-less image name.
+		name: string
+
+		// NewName is the value used to replace the original name.
+		newName?: string
+
+		// NewTag is the value used to replace the original tag.
+		newTag?: string
+	}]
+
+	// The interval at which to reconcile the Kustomization. This
+	// interval is approximate and may be subject to jitter to ensure
+	// efficient use of resources.
+	interval: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	kubeConfig?: {
+		// SecretRef holds the name of a secret that contains a key with
+		// the kubeconfig file as the value. If no key is set, the key
+		// will default to 'value'. It is recommended that the kubeconfig
+		// is self-contained, and the secret is regularly updated if
+		// credentials such as a cloud-access-token expire. Cloud
+		// specific `cmd-path` auth helpers will not function without
+		// adding binaries and credentials to the Pod that is responsible
+		// for reconciling Kubernetes resources.
+		secretRef: {
+			// Key in the Secret, when not specified an
+			// implementation-specific default key is used.
+			key?: string
+
+			// Name of the Secret.
+			name: string
+		}
+	}
+
+	// Strategic merge and JSON patches, defined as inline YAML
+	// objects, capable of targeting objects based on kind, label and
+	// annotation selectors.
+	patches?: [...{
+		// Patch contains an inline StrategicMerge patch or an inline
+		// JSON6902 patch with an array of operation objects.
+		patch: string
+
+		// Target points to the resources that the patch document should
+		// be applied to.
+		target?: {
+			// AnnotationSelector is a string that follows the label selection
+			// expression
+			// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+			// It matches with the resource annotations.
+			annotationSelector?: string
+
+			// Group is the API group to select resources from. Together with
+			// Version and Kind it is capable of unambiguously identifying
+			// and/or selecting resources.
+			// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+			group?: string
+
+			// Kind of the API Group to select resources from. Together with
+			// Group and Version it is capable of unambiguously identifying
+			// and/or selecting resources.
+			// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+			kind?: string
+
+			// LabelSelector is a string that follows the label selection
+			// expression
+			// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+			// It matches with the resource labels.
+			labelSelector?: string
+
+			// Name to match resources with.
+			name?: string
+
+			// Namespace to select resources from.
+			namespace?: string
+
+			// Version of the API Group to select resources from. Together
+			// with Group and Kind it is capable of unambiguously identifying
+			// and/or selecting resources.
+			// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+			version?: string
+		}
+	}]
+
+	// Path to the directory containing the kustomization.yaml file,
+	// or the set of plain YAMLs a kustomization.yaml should be
+	// generated for. Defaults to 'None', which translates to the
+	// root path of the SourceRef.
+	path?: string
+
+	// PostBuild describes which actions to perform on the YAML
+	// manifest generated by building the kustomize overlay.
+	postBuild?: {
+		// Substitute holds a map of key/value pairs. The variables
+		// defined in your YAML manifests that match any of the keys
+		// defined in the map will be substituted with the set value.
+		// Includes support for bash string replacement functions e.g.
+		// ${var:=default}, ${var:position} and
+		// ${var/substring/replacement}.
+		substitute?: {
+			[string]: string
+		}
+
+		// SubstituteFrom holds references to ConfigMaps and Secrets
+		// containing the variables and their values to be substituted in
+		// the YAML manifests. The ConfigMap and the Secret data keys
+		// represent the var names, and they must match the vars declared
+		// in the manifests for the substitution to happen.
+		substituteFrom?: [...{
+			// Kind of the values referent, valid values are ('Secret',
+			// 'ConfigMap').
+			kind: "Secret" | "ConfigMap"
+
+			// Name of the values referent. Should reside in the same
+			// namespace as the referring resource.
+			name: strings.MaxRunes(253) & strings.MinRunes(1)
+
+			// Optional indicates whether the referenced resource must exist,
+			// or whether to tolerate its absence. If true and the referenced
+			// resource is absent, proceed as if the resource was present but
+			// empty, without any variables defined.
+			optional?: bool | *false
+		}]
+	}
+
+	// Prune enables garbage collection.
+	prune: bool
+
+	// The interval at which to retry a previously failed
+	// reconciliation. When not specified, the controller uses the
+	// KustomizationSpec.Interval value to retry failures.
+	retryInterval?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+
+	// The name of the Kubernetes service account to impersonate when
+	// reconciling this Kustomization.
+	serviceAccountName?: string
+
+	// Reference of the source where the kustomization file is.
+	sourceRef: {
+		// API version of the referent.
+		apiVersion?: string
+
+		// Kind of the referent.
+		kind: "OCIRepository" | "GitRepository" | "Bucket"
+
+		// Name of the referent.
+		name: string
+
+		// Namespace of the referent, defaults to the namespace of the
+		// Kubernetes resource object that contains the reference.
+		namespace?: string
+	}
+
+	// This flag tells the controller to suspend subsequent kustomize
+	// executions, it does not apply to already started executions.
+	// Defaults to false.
+	suspend?: bool
+
+	// TargetNamespace sets or overrides the namespace in the
+	// kustomization.yaml file.
+	targetNamespace?: strings.MaxRunes(63) & strings.MinRunes(1)
+
+	// Timeout for validation, apply and health checking operations.
+	// Defaults to 'Interval' duration.
+	timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+
+	// Wait instructs the controller to check the health of all the
+	// reconciled resources. When enabled, the HealthChecks are
+	// ignored. Defaults to false.
+	wait?: bool
+}

docs/examples/cue.mod/gen/kustomize.toolkit.fluxcd.io/kustomization/v1beta1/types_gen.cue

@@ -0,0 +1,319 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta1
+
+import "strings"
+
+// Kustomization is the Schema for the kustomizations API.
+#Kustomization: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "kustomize.toolkit.fluxcd.io/v1beta1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Kustomization"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// KustomizationSpec defines the desired state of a kustomization.
+	spec!: #KustomizationSpec
+}
+
+// KustomizationSpec defines the desired state of a kustomization.
+#KustomizationSpec: {
+	// Decrypt Kubernetes secrets before applying them on the cluster.
+	decryption?: {
+		// Provider is the name of the decryption engine.
+		provider: "sops"
+		secretRef?: {
+			// Name of the referent.
+			name: string
+		}
+	}
+
+	// DependsOn may contain a meta.NamespacedObjectReference slice
+	// with references to Kustomization resources that must be ready
+	// before this Kustomization can be reconciled.
+	dependsOn?: [...{
+		// Name of the referent.
+		name: string
+
+		// Namespace of the referent, when not specified it acts as
+		// LocalObjectReference.
+		namespace?: string
+	}]
+
+	// Force instructs the controller to recreate resources when
+	// patching fails due to an immutable field change.
+	force?: bool | *false
+
+	// A list of resources to be included in the health assessment.
+	healthChecks?: [...{
+		// API version of the referent, if not specified the Kubernetes
+		// preferred version will be used.
+		apiVersion?: string
+
+		// Kind of the referent.
+		kind: string
+
+		// Name of the referent.
+		name: string
+
+		// Namespace of the referent, when not specified it acts as
+		// LocalObjectReference.
+		namespace?: string
+	}]
+
+	// Images is a list of (image name, new name, new tag or digest)
+	// for changing image names, tags or digests. This can also be
+	// achieved with a patch, but this operator is simpler to
+	// specify.
+	images?: [...{
+		// Digest is the value used to replace the original image tag. If
+		// digest is present NewTag value is ignored.
+		digest?: string
+
+		// Name is a tag-less image name.
+		name: string
+
+		// NewName is the value used to replace the original name.
+		newName?: string
+
+		// NewTag is the value used to replace the original tag.
+		newTag?: string
+	}]
+
+	// The interval at which to reconcile the Kustomization.
+	interval: string
+	kubeConfig?: {
+		secretRef?: {
+			// Name of the referent.
+			name: string
+		}
+	}
+
+	// Strategic merge and JSON patches, defined as inline YAML
+	// objects, capable of targeting objects based on kind, label and
+	// annotation selectors.
+	patches?: [...{
+		// Patch contains an inline StrategicMerge patch or an inline
+		// JSON6902 patch with an array of operation objects.
+		patch: string
+
+		// Target points to the resources that the patch document should
+		// be applied to.
+		target?: {
+			// AnnotationSelector is a string that follows the label selection
+			// expression
+			// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+			// It matches with the resource annotations.
+			annotationSelector?: string
+
+			// Group is the API group to select resources from. Together with
+			// Version and Kind it is capable of unambiguously identifying
+			// and/or selecting resources.
+			// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+			group?: string
+
+			// Kind of the API Group to select resources from. Together with
+			// Group and Version it is capable of unambiguously identifying
+			// and/or selecting resources.
+			// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+			kind?: string
+
+			// LabelSelector is a string that follows the label selection
+			// expression
+			// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+			// It matches with the resource labels.
+			labelSelector?: string
+
+			// Name to match resources with.
+			name?: string
+
+			// Namespace to select resources from.
+			namespace?: string
+
+			// Version of the API Group to select resources from. Together
+			// with Group and Kind it is capable of unambiguously identifying
+			// and/or selecting resources.
+			// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+			version?: string
+		}
+	}]
+
+	// JSON 6902 patches, defined as inline YAML objects.
+	patchesJson6902?: [...{
+		// Patch contains the JSON6902 patch document with an array of
+		// operation objects.
+		patch: [...{
+			// From contains a JSON-pointer value that references a location
+			// within the target document where the operation is performed.
+			// The meaning of the value depends on the value of Op, and is
+			// NOT taken into account by all operations.
+			from?: string
+
+			// Op indicates the operation to perform. Its value MUST be one of
+			// "add", "remove", "replace", "move", "copy", or "test".
+			// https://datatracker.ietf.org/doc/html/rfc6902#section-4
+			op: "test" | "remove" | "add" | "replace" | "move" | "copy"
+
+			// Path contains the JSON-pointer value that references a location
+			// within the target document where the operation is performed.
+			// The meaning of the value depends on the value of Op.
+			path: string
+
+			// Value contains a valid JSON structure. The meaning of the value
+			// depends on the value of Op, and is NOT taken into account by
+			// all operations.
+			value?: _
+		}]
+
+		// Target points to the resources that the patch document should
+		// be applied to.
+		target: {
+			// AnnotationSelector is a string that follows the label selection
+			// expression
+			// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+			// It matches with the resource annotations.
+			annotationSelector?: string
+
+			// Group is the API group to select resources from. Together with
+			// Version and Kind it is capable of unambiguously identifying
+			// and/or selecting resources.
+			// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+			group?: string
+
+			// Kind of the API Group to select resources from. Together with
+			// Group and Version it is capable of unambiguously identifying
+			// and/or selecting resources.
+			// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+			kind?: string
+
+			// LabelSelector is a string that follows the label selection
+			// expression
+			// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+			// It matches with the resource labels.
+			labelSelector?: string
+
+			// Name to match resources with.
+			name?: string
+
+			// Namespace to select resources from.
+			namespace?: string
+
+			// Version of the API Group to select resources from. Together
+			// with Group and Kind it is capable of unambiguously identifying
+			// and/or selecting resources.
+			// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+			version?: string
+		}
+	}]
+
+	// Strategic merge patches, defined as inline YAML objects.
+	patchesStrategicMerge?: [...]
+
+	// Path to the directory containing the kustomization.yaml file,
+	// or the set of plain YAMLs a kustomization.yaml should be
+	// generated for. Defaults to 'None', which translates to the
+	// root path of the SourceRef.
+	path?: string
+
+	// PostBuild describes which actions to perform on the YAML
+	// manifest generated by building the kustomize overlay.
+	postBuild?: {
+		// Substitute holds a map of key/value pairs. The variables
+		// defined in your YAML manifests that match any of the keys
+		// defined in the map will be substituted with the set value.
+		// Includes support for bash string replacement functions e.g.
+		// ${var:=default}, ${var:position} and
+		// ${var/substring/replacement}.
+		substitute?: {
+			[string]: string
+		}
+
+		// SubstituteFrom holds references to ConfigMaps and Secrets
+		// containing the variables and their values to be substituted in
+		// the YAML manifests. The ConfigMap and the Secret data keys
+		// represent the var names and they must match the vars declared
+		// in the manifests for the substitution to happen.
+		substituteFrom?: [...{
+			// Kind of the values referent, valid values are ('Secret',
+			// 'ConfigMap').
+			kind: "Secret" | "ConfigMap"
+
+			// Name of the values referent. Should reside in the same
+			// namespace as the referring resource.
+			name: strings.MaxRunes(253) & strings.MinRunes(1)
+		}]
+	}
+
+	// Prune enables garbage collection.
+	prune: bool
+
+	// The interval at which to retry a previously failed
+	// reconciliation. When not specified, the controller uses the
+	// KustomizationSpec.Interval value to retry failures.
+	retryInterval?: string
+
+	// The name of the Kubernetes service account to impersonate when
+	// reconciling this Kustomization.
+	serviceAccountName?: string
+
+	// Reference of the source where the kustomization file is.
+	sourceRef: {
+		// API version of the referent
+		apiVersion?: string
+
+		// Kind of the referent
+		kind: "GitRepository" | "Bucket"
+
+		// Name of the referent
+		name: string
+
+		// Namespace of the referent, defaults to the Kustomization
+		// namespace
+		namespace?: string
+	}
+
+	// This flag tells the controller to suspend subsequent kustomize
+	// executions, it does not apply to already started executions.
+	// Defaults to false.
+	suspend?: bool
+
+	// TargetNamespace sets or overrides the namespace in the
+	// kustomization.yaml file.
+	targetNamespace?: strings.MaxRunes(63) & strings.MinRunes(1)
+
+	// Timeout for validation, apply and health checking operations.
+	// Defaults to 'Interval' duration.
+	timeout?: string
+
+	// Validate the Kubernetes objects before applying them on the
+	// cluster. The validation strategy can be 'client' (local
+	// dry-run), 'server' (APIServer dry-run) or 'none'. When 'Force'
+	// is 'true', validation will fallback to 'client' if set to
+	// 'server' because server-side validation is not supported in
+	// this scenario.
+	validation?: "none" | "client" | "server"
+}

docs/examples/cue.mod/gen/kustomize.toolkit.fluxcd.io/kustomization/v1beta2/types_gen.cue

@@ -0,0 +1,360 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta2
+
+import "strings"
+
+// Kustomization is the Schema for the kustomizations API.
+#Kustomization: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "kustomize.toolkit.fluxcd.io/v1beta2"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Kustomization"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// KustomizationSpec defines the configuration to calculate the
+	// desired state from a Source using Kustomize.
+	spec!: #KustomizationSpec
+}
+
+// KustomizationSpec defines the configuration to calculate the
+// desired state from a Source using Kustomize.
+#KustomizationSpec: {
+	// CommonMetadata specifies the common labels and annotations that
+	// are applied to all resources. Any existing label or annotation
+	// will be overridden if its key matches a common one.
+	commonMetadata?: {
+		// Annotations to be added to the object's metadata.
+		annotations?: {
+			[string]: string
+		}
+
+		// Labels to be added to the object's metadata.
+		labels?: {
+			[string]: string
+		}
+	}
+
+	// Components specifies relative paths to specifications of other
+	// Components.
+	components?: [...string]
+
+	// Decrypt Kubernetes secrets before applying them on the cluster.
+	decryption?: {
+		// Provider is the name of the decryption engine.
+		provider: "sops"
+		secretRef?: {
+			// Name of the referent.
+			name: string
+		}
+	}
+
+	// DependsOn may contain a meta.NamespacedObjectReference slice
+	// with references to Kustomization resources that must be ready
+	// before this Kustomization can be reconciled.
+	dependsOn?: [...{
+		// Name of the referent.
+		name: string
+
+		// Namespace of the referent, when not specified it acts as
+		// LocalObjectReference.
+		namespace?: string
+	}]
+
+	// Force instructs the controller to recreate resources when
+	// patching fails due to an immutable field change.
+	force?: bool | *false
+
+	// A list of resources to be included in the health assessment.
+	healthChecks?: [...{
+		// API version of the referent, if not specified the Kubernetes
+		// preferred version will be used.
+		apiVersion?: string
+
+		// Kind of the referent.
+		kind: string
+
+		// Name of the referent.
+		name: string
+
+		// Namespace of the referent, when not specified it acts as
+		// LocalObjectReference.
+		namespace?: string
+	}]
+
+	// Images is a list of (image name, new name, new tag or digest)
+	// for changing image names, tags or digests. This can also be
+	// achieved with a patch, but this operator is simpler to
+	// specify.
+	images?: [...{
+		// Digest is the value used to replace the original image tag. If
+		// digest is present NewTag value is ignored.
+		digest?: string
+
+		// Name is a tag-less image name.
+		name: string
+
+		// NewName is the value used to replace the original name.
+		newName?: string
+
+		// NewTag is the value used to replace the original tag.
+		newTag?: string
+	}]
+
+	// The interval at which to reconcile the Kustomization.
+	interval: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	kubeConfig?: {
+		// SecretRef holds the name of a secret that contains a key with
+		// the kubeconfig file as the value. If no key is set, the key
+		// will default to 'value'. It is recommended that the kubeconfig
+		// is self-contained, and the secret is regularly updated if
+		// credentials such as a cloud-access-token expire. Cloud
+		// specific `cmd-path` auth helpers will not function without
+		// adding binaries and credentials to the Pod that is responsible
+		// for reconciling Kubernetes resources.
+		secretRef: {
+			// Key in the Secret, when not specified an
+			// implementation-specific default key is used.
+			key?: string
+
+			// Name of the Secret.
+			name: string
+		}
+	}
+
+	// Strategic merge and JSON patches, defined as inline YAML
+	// objects, capable of targeting objects based on kind, label and
+	// annotation selectors.
+	patches?: [...{
+		// Patch contains an inline StrategicMerge patch or an inline
+		// JSON6902 patch with an array of operation objects.
+		patch: string
+
+		// Target points to the resources that the patch document should
+		// be applied to.
+		target?: {
+			// AnnotationSelector is a string that follows the label selection
+			// expression
+			// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+			// It matches with the resource annotations.
+			annotationSelector?: string
+
+			// Group is the API group to select resources from. Together with
+			// Version and Kind it is capable of unambiguously identifying
+			// and/or selecting resources.
+			// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+			group?: string
+
+			// Kind of the API Group to select resources from. Together with
+			// Group and Version it is capable of unambiguously identifying
+			// and/or selecting resources.
+			// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+			kind?: string
+
+			// LabelSelector is a string that follows the label selection
+			// expression
+			// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+			// It matches with the resource labels.
+			labelSelector?: string
+
+			// Name to match resources with.
+			name?: string
+
+			// Namespace to select resources from.
+			namespace?: string
+
+			// Version of the API Group to select resources from. Together
+			// with Group and Kind it is capable of unambiguously identifying
+			// and/or selecting resources.
+			// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+			version?: string
+		}
+	}]
+
+	// JSON 6902 patches, defined as inline YAML objects. Deprecated:
+	// Use Patches instead.
+	patchesJson6902?: [...{
+		// Patch contains the JSON6902 patch document with an array of
+		// operation objects.
+		patch: [...{
+			// From contains a JSON-pointer value that references a location
+			// within the target document where the operation is performed.
+			// The meaning of the value depends on the value of Op, and is
+			// NOT taken into account by all operations.
+			from?: string
+
+			// Op indicates the operation to perform. Its value MUST be one of
+			// "add", "remove", "replace", "move", "copy", or "test".
+			// https://datatracker.ietf.org/doc/html/rfc6902#section-4
+			op: "test" | "remove" | "add" | "replace" | "move" | "copy"
+
+			// Path contains the JSON-pointer value that references a location
+			// within the target document where the operation is performed.
+			// The meaning of the value depends on the value of Op.
+			path: string
+
+			// Value contains a valid JSON structure. The meaning of the value
+			// depends on the value of Op, and is NOT taken into account by
+			// all operations.
+			value?: _
+		}]
+
+		// Target points to the resources that the patch document should
+		// be applied to.
+		target: {
+			// AnnotationSelector is a string that follows the label selection
+			// expression
+			// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+			// It matches with the resource annotations.
+			annotationSelector?: string
+
+			// Group is the API group to select resources from. Together with
+			// Version and Kind it is capable of unambiguously identifying
+			// and/or selecting resources.
+			// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+			group?: string
+
+			// Kind of the API Group to select resources from. Together with
+			// Group and Version it is capable of unambiguously identifying
+			// and/or selecting resources.
+			// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+			kind?: string
+
+			// LabelSelector is a string that follows the label selection
+			// expression
+			// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+			// It matches with the resource labels.
+			labelSelector?: string
+
+			// Name to match resources with.
+			name?: string
+
+			// Namespace to select resources from.
+			namespace?: string
+
+			// Version of the API Group to select resources from. Together
+			// with Group and Kind it is capable of unambiguously identifying
+			// and/or selecting resources.
+			// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+			version?: string
+		}
+	}]
+
+	// Strategic merge patches, defined as inline YAML objects.
+	// Deprecated: Use Patches instead.
+	patchesStrategicMerge?: [...]
+
+	// Path to the directory containing the kustomization.yaml file,
+	// or the set of plain YAMLs a kustomization.yaml should be
+	// generated for. Defaults to 'None', which translates to the
+	// root path of the SourceRef.
+	path?: string
+
+	// PostBuild describes which actions to perform on the YAML
+	// manifest generated by building the kustomize overlay.
+	postBuild?: {
+		// Substitute holds a map of key/value pairs. The variables
+		// defined in your YAML manifests that match any of the keys
+		// defined in the map will be substituted with the set value.
+		// Includes support for bash string replacement functions e.g.
+		// ${var:=default}, ${var:position} and
+		// ${var/substring/replacement}.
+		substitute?: {
+			[string]: string
+		}
+
+		// SubstituteFrom holds references to ConfigMaps and Secrets
+		// containing the variables and their values to be substituted in
+		// the YAML manifests. The ConfigMap and the Secret data keys
+		// represent the var names and they must match the vars declared
+		// in the manifests for the substitution to happen.
+		substituteFrom?: [...{
+			// Kind of the values referent, valid values are ('Secret',
+			// 'ConfigMap').
+			kind: "Secret" | "ConfigMap"
+
+			// Name of the values referent. Should reside in the same
+			// namespace as the referring resource.
+			name: strings.MaxRunes(253) & strings.MinRunes(1)
+
+			// Optional indicates whether the referenced resource must exist,
+			// or whether to tolerate its absence. If true and the referenced
+			// resource is absent, proceed as if the resource was present but
+			// empty, without any variables defined.
+			optional?: bool | *false
+		}]
+	}
+
+	// Prune enables garbage collection.
+	prune: bool
+
+	// The interval at which to retry a previously failed
+	// reconciliation. When not specified, the controller uses the
+	// KustomizationSpec.Interval value to retry failures.
+	retryInterval?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+
+	// The name of the Kubernetes service account to impersonate when
+	// reconciling this Kustomization.
+	serviceAccountName?: string
+
+	// Reference of the source where the kustomization file is.
+	sourceRef: {
+		// API version of the referent.
+		apiVersion?: string
+
+		// Kind of the referent.
+		kind: "OCIRepository" | "GitRepository" | "Bucket"
+
+		// Name of the referent.
+		name: string
+
+		// Namespace of the referent, defaults to the namespace of the
+		// Kubernetes resource object that contains the reference.
+		namespace?: string
+	}
+
+	// This flag tells the controller to suspend subsequent kustomize
+	// executions, it does not apply to already started executions.
+	// Defaults to false.
+	suspend?: bool
+
+	// TargetNamespace sets or overrides the namespace in the
+	// kustomization.yaml file.
+	targetNamespace?: strings.MaxRunes(63) & strings.MinRunes(1)
+
+	// Timeout for validation, apply and health checking operations.
+	// Defaults to 'Interval' duration.
+	timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+
+	// Deprecated: Not used in v1beta2.
+	validation?: "none" | "client" | "server"
+
+	// Wait instructs the controller to check the health of all the
+	// reconciled resources. When enabled, the HealthChecks are
+	// ignored. Defaults to false.
+	wait?: bool
+}

docs/examples/cue.mod/gen/notification.toolkit.fluxcd.io/alert/v1beta1/types_gen.cue

@@ -0,0 +1,89 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta1
+
+import "strings"
+
+// Alert is the Schema for the alerts API
+#Alert: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "notification.toolkit.fluxcd.io/v1beta1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Alert"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// AlertSpec defines an alerting rule for events involving a list
+	// of objects
+	spec!: #AlertSpec
+}
+
+// AlertSpec defines an alerting rule for events involving a list
+// of objects
+#AlertSpec: {
+	// Filter events based on severity, defaults to ('info'). If set
+	// to 'info' no events will be filtered.
+	eventSeverity?: "info" | "error" | *"info"
+
+	// Filter events based on the involved objects.
+	eventSources: [...{
+		// API version of the referent
+		apiVersion?: string
+
+		// Kind of the referent
+		kind?: "Bucket" | "GitRepository" | "Kustomization" | "HelmRelease" | "HelmChart" | "HelmRepository" | "ImageRepository" | "ImagePolicy" | "ImageUpdateAutomation" | "OCIRepository"
+
+		// MatchLabels is a map of {key,value} pairs. A single {key,value}
+		// in the matchLabels map is equivalent to an element of
+		// matchExpressions, whose key field is "key", the operator is
+		// "In", and the values array contains only "value". The
+		// requirements are ANDed.
+		matchLabels?: {
+			[string]: string
+		}
+
+		// Name of the referent
+		name: strings.MaxRunes(53) & strings.MinRunes(1)
+
+		// Namespace of the referent
+		namespace?: strings.MaxRunes(53) & strings.MinRunes(1)
+	}]
+
+	// A list of Golang regular expressions to be used for excluding
+	// messages.
+	exclusionList?: [...string]
+	providerRef: {
+		// Name of the referent.
+		name: string
+	}
+
+	// Short description of the impact and affected cluster.
+	summary?: string
+
+	// This flag tells the controller to suspend subsequent events
+	// dispatching. Defaults to false.
+	suspend?: bool
+}

docs/examples/cue.mod/gen/notification.toolkit.fluxcd.io/alert/v1beta2/types_gen.cue

@@ -0,0 +1,107 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta2
+
+import "strings"
+
+// Alert is the Schema for the alerts API
+#Alert: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "notification.toolkit.fluxcd.io/v1beta2"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Alert"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// AlertSpec defines an alerting rule for events involving a list
+	// of objects.
+	spec!: #AlertSpec
+}
+
+// AlertSpec defines an alerting rule for events involving a list
+// of objects.
+#AlertSpec: {
+	// EventMetadata is an optional field for adding metadata to
+	// events dispatched by the controller. This can be used for
+	// enhancing the context of the event. If a field would override
+	// one already present on the original event as generated by the
+	// emitter, then the override doesn't happen, i.e. the original
+	// value is preserved, and an info log is printed.
+	eventMetadata?: {
+		[string]: string
+	}
+
+	// EventSeverity specifies how to filter events based on severity.
+	// If set to 'info' no events will be filtered.
+	eventSeverity?: "info" | "error" | *"info"
+
+	// EventSources specifies how to filter events based on the
+	// involved object kind, name and namespace.
+	eventSources: [...{
+		// API version of the referent
+		apiVersion?: string
+
+		// Kind of the referent
+		kind: "Bucket" | "GitRepository" | "Kustomization" | "HelmRelease" | "HelmChart" | "HelmRepository" | "ImageRepository" | "ImagePolicy" | "ImageUpdateAutomation" | "OCIRepository"
+
+		// MatchLabels is a map of {key,value} pairs. A single {key,value}
+		// in the matchLabels map is equivalent to an element of
+		// matchExpressions, whose key field is "key", the operator is
+		// "In", and the values array contains only "value". The
+		// requirements are ANDed. MatchLabels requires the name to be
+		// set to `*`.
+		matchLabels?: {
+			[string]: string
+		}
+
+		// Name of the referent If multiple resources are targeted `*` may
+		// be set.
+		name: strings.MaxRunes(53) & strings.MinRunes(1)
+
+		// Namespace of the referent
+		namespace?: strings.MaxRunes(53) & strings.MinRunes(1)
+	}]
+
+	// ExclusionList specifies a list of Golang regular expressions to
+	// be used for excluding messages.
+	exclusionList?: [...string]
+
+	// InclusionList specifies a list of Golang regular expressions to
+	// be used for including messages.
+	inclusionList?: [...string]
+	providerRef: {
+		// Name of the referent.
+		name: string
+	}
+
+	// Summary holds a short description of the impact and affected
+	// cluster.
+	summary?: strings.MaxRunes(255)
+
+	// Suspend tells the controller to suspend subsequent events
+	// handling for this Alert.
+	suspend?: bool
+}

docs/examples/cue.mod/gen/notification.toolkit.fluxcd.io/alert/v1beta3/types_gen.cue

@@ -0,0 +1,107 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta3
+
+import "strings"
+
+// Alert is the Schema for the alerts API
+#Alert: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "notification.toolkit.fluxcd.io/v1beta3"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Alert"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// AlertSpec defines an alerting rule for events involving a list
+	// of objects.
+	spec!: #AlertSpec
+}
+
+// AlertSpec defines an alerting rule for events involving a list
+// of objects.
+#AlertSpec: {
+	// EventMetadata is an optional field for adding metadata to
+	// events dispatched by the controller. This can be used for
+	// enhancing the context of the event. If a field would override
+	// one already present on the original event as generated by the
+	// emitter, then the override doesn't happen, i.e. the original
+	// value is preserved, and an info log is printed.
+	eventMetadata?: {
+		[string]: string
+	}
+
+	// EventSeverity specifies how to filter events based on severity.
+	// If set to 'info' no events will be filtered.
+	eventSeverity?: "info" | "error" | *"info"
+
+	// EventSources specifies how to filter events based on the
+	// involved object kind, name and namespace.
+	eventSources: [...{
+		// API version of the referent
+		apiVersion?: string
+
+		// Kind of the referent
+		kind: "Bucket" | "GitRepository" | "Kustomization" | "HelmRelease" | "HelmChart" | "HelmRepository" | "ImageRepository" | "ImagePolicy" | "ImageUpdateAutomation" | "OCIRepository"
+
+		// MatchLabels is a map of {key,value} pairs. A single {key,value}
+		// in the matchLabels map is equivalent to an element of
+		// matchExpressions, whose key field is "key", the operator is
+		// "In", and the values array contains only "value". The
+		// requirements are ANDed. MatchLabels requires the name to be
+		// set to `*`.
+		matchLabels?: {
+			[string]: string
+		}
+
+		// Name of the referent If multiple resources are targeted `*` may
+		// be set.
+		name: strings.MaxRunes(53) & strings.MinRunes(1)
+
+		// Namespace of the referent
+		namespace?: strings.MaxRunes(53) & strings.MinRunes(1)
+	}]
+
+	// ExclusionList specifies a list of Golang regular expressions to
+	// be used for excluding messages.
+	exclusionList?: [...string]
+
+	// InclusionList specifies a list of Golang regular expressions to
+	// be used for including messages.
+	inclusionList?: [...string]
+	providerRef: {
+		// Name of the referent.
+		name: string
+	}
+
+	// Summary holds a short description of the impact and affected
+	// cluster.
+	summary?: strings.MaxRunes(255)
+
+	// Suspend tells the controller to suspend subsequent events
+	// handling for this Alert.
+	suspend?: bool
+}

docs/examples/cue.mod/gen/notification.toolkit.fluxcd.io/provider/v1beta1/types_gen.cue

@@ -0,0 +1,74 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta1
+
+import "strings"
+
+// Provider is the Schema for the providers API
+#Provider: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "notification.toolkit.fluxcd.io/v1beta1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Provider"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// ProviderSpec defines the desired state of Provider
+	spec!: #ProviderSpec
+}
+
+// ProviderSpec defines the desired state of Provider
+#ProviderSpec: {
+	// HTTP/S webhook address of this provider
+	address?: =~"^(http|https)://"
+	certSecretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// Alert channel for this provider
+	channel?: string
+
+	// HTTP/S address of the proxy
+	proxy?: =~"^(http|https)://"
+	secretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// This flag tells the controller to suspend subsequent events
+	// handling. Defaults to false.
+	suspend?: bool
+
+	// Timeout for sending alerts to the provider.
+	timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m))+$"
+
+	// Type of provider
+	type: "slack" | "discord" | "msteams" | "rocket" | "generic" | "generic-hmac" | "github" | "gitlab" | "bitbucket" | "azuredevops" | "googlechat" | "webex" | "sentry" | "azureeventhub" | "telegram" | "lark" | "matrix" | "opsgenie" | "alertmanager" | "grafana" | "githubdispatch"
+
+	// Bot username for this provider
+	username?: string
+}

docs/examples/cue.mod/gen/notification.toolkit.fluxcd.io/provider/v1beta2/types_gen.cue

@@ -0,0 +1,85 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta2
+
+import "strings"
+
+// Provider is the Schema for the providers API.
+#Provider: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "notification.toolkit.fluxcd.io/v1beta2"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Provider"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// ProviderSpec defines the desired state of the Provider.
+	spec!: #ProviderSpec
+}
+
+// ProviderSpec defines the desired state of the Provider.
+#ProviderSpec: {
+	// Address specifies the endpoint, in a generic sense, to where
+	// alerts are sent. What kind of endpoint depends on the specific
+	// Provider type being used. For the generic Provider, for
+	// example, this is an HTTP/S address. For other Provider types
+	// this could be a project ID or a namespace.
+	address?: strings.MaxRunes(2048)
+	certSecretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// Channel specifies the destination channel where events should
+	// be posted.
+	channel?: strings.MaxRunes(2048)
+
+	// Interval at which to reconcile the Provider with its Secret
+	// references.
+	interval?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+
+	// Proxy the HTTP/S address of the proxy server.
+	proxy?: strings.MaxRunes(2048) & {
+		=~"^(http|https)://.*$"
+	}
+	secretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// Suspend tells the controller to suspend subsequent events
+	// handling for this Provider.
+	suspend?: bool
+
+	// Timeout for sending alerts to the Provider.
+	timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m))+$"
+
+	// Type specifies which Provider implementation to use.
+	type: "slack" | "discord" | "msteams" | "rocket" | "generic" | "generic-hmac" | "github" | "gitlab" | "gitea" | "bitbucketserver" | "bitbucket" | "azuredevops" | "googlechat" | "googlepubsub" | "webex" | "sentry" | "azureeventhub" | "telegram" | "lark" | "matrix" | "opsgenie" | "alertmanager" | "grafana" | "githubdispatch" | "pagerduty" | "datadog"
+
+	// Username specifies the name under which events are posted.
+	username?: strings.MaxRunes(2048)
+}

docs/examples/cue.mod/gen/notification.toolkit.fluxcd.io/provider/v1beta3/types_gen.cue

@@ -0,0 +1,85 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta3
+
+import "strings"
+
+// Provider is the Schema for the providers API
+#Provider: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "notification.toolkit.fluxcd.io/v1beta3"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Provider"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// ProviderSpec defines the desired state of the Provider.
+	spec!: #ProviderSpec
+}
+
+// ProviderSpec defines the desired state of the Provider.
+#ProviderSpec: {
+	// Address specifies the endpoint, in a generic sense, to where
+	// alerts are sent. What kind of endpoint depends on the specific
+	// Provider type being used. For the generic Provider, for
+	// example, this is an HTTP/S address. For other Provider types
+	// this could be a project ID or a namespace.
+	address?: strings.MaxRunes(2048)
+	certSecretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// Channel specifies the destination channel where events should
+	// be posted.
+	channel?: strings.MaxRunes(2048)
+
+	// Interval at which to reconcile the Provider with its Secret
+	// references. Deprecated and not used in v1beta3.
+	interval?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+
+	// Proxy the HTTP/S address of the proxy server.
+	proxy?: strings.MaxRunes(2048) & {
+		=~"^(http|https)://.*$"
+	}
+	secretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// Suspend tells the controller to suspend subsequent events
+	// handling for this Provider.
+	suspend?: bool
+
+	// Timeout for sending alerts to the Provider.
+	timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m))+$"
+
+	// Type specifies which Provider implementation to use.
+	type: "slack" | "discord" | "msteams" | "rocket" | "generic" | "generic-hmac" | "github" | "gitlab" | "gitea" | "bitbucketserver" | "bitbucket" | "azuredevops" | "googlechat" | "googlepubsub" | "webex" | "sentry" | "azureeventhub" | "telegram" | "lark" | "matrix" | "opsgenie" | "alertmanager" | "grafana" | "githubdispatch" | "pagerduty" | "datadog" | "nats"
+
+	// Username specifies the name under which events are posted.
+	username?: strings.MaxRunes(2048)
+}

docs/examples/cue.mod/gen/notification.toolkit.fluxcd.io/receiver/v1/types_gen.cue

@@ -0,0 +1,90 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1
+
+import "strings"
+
+// Receiver is the Schema for the receivers API.
+#Receiver: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "notification.toolkit.fluxcd.io/v1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Receiver"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// ReceiverSpec defines the desired state of the Receiver.
+	spec!: #ReceiverSpec
+}
+
+// ReceiverSpec defines the desired state of the Receiver.
+#ReceiverSpec: {
+	// Events specifies the list of event types to handle, e.g. 'push'
+	// for GitHub or 'Push Hook' for GitLab.
+	events?: [...string]
+
+	// Interval at which to reconcile the Receiver with its Secret
+	// references.
+	interval?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$" | *"10m"
+
+	// A list of resources to be notified about changes.
+	resources: [...{
+		// API version of the referent
+		apiVersion?: string
+
+		// Kind of the referent
+		kind: "Bucket" | "GitRepository" | "Kustomization" | "HelmRelease" | "HelmChart" | "HelmRepository" | "ImageRepository" | "ImagePolicy" | "ImageUpdateAutomation" | "OCIRepository"
+
+		// MatchLabels is a map of {key,value} pairs. A single {key,value}
+		// in the matchLabels map is equivalent to an element of
+		// matchExpressions, whose key field is "key", the operator is
+		// "In", and the values array contains only "value". The
+		// requirements are ANDed. MatchLabels requires the name to be
+		// set to `*`.
+		matchLabels?: {
+			[string]: string
+		}
+
+		// Name of the referent If multiple resources are targeted `*` may
+		// be set.
+		name: strings.MaxRunes(53) & strings.MinRunes(1)
+
+		// Namespace of the referent
+		namespace?: strings.MaxRunes(53) & strings.MinRunes(1)
+	}]
+	secretRef: {
+		// Name of the referent.
+		name: string
+	}
+
+	// Suspend tells the controller to suspend subsequent events
+	// handling for this receiver.
+	suspend?: bool
+
+	// Type of webhook sender, used to determine the validation
+	// procedure and payload deserialization.
+	type: "generic" | "generic-hmac" | "github" | "gitlab" | "bitbucket" | "harbor" | "dockerhub" | "quay" | "gcr" | "nexus" | "acr"
+}

docs/examples/cue.mod/gen/notification.toolkit.fluxcd.io/receiver/v1beta1/types_gen.cue

@@ -0,0 +1,84 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta1
+
+import "strings"
+
+// Receiver is the Schema for the receivers API
+#Receiver: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "notification.toolkit.fluxcd.io/v1beta1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Receiver"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// ReceiverSpec defines the desired state of Receiver
+	spec!: #ReceiverSpec
+}
+
+// ReceiverSpec defines the desired state of Receiver
+#ReceiverSpec: {
+	// A list of events to handle, e.g. 'push' for GitHub or 'Push
+	// Hook' for GitLab.
+	events?: [...string]
+
+	// A list of resources to be notified about changes.
+	resources: [...{
+		// API version of the referent
+		apiVersion?: string
+
+		// Kind of the referent
+		kind?: "Bucket" | "GitRepository" | "Kustomization" | "HelmRelease" | "HelmChart" | "HelmRepository" | "ImageRepository" | "ImagePolicy" | "ImageUpdateAutomation" | "OCIRepository"
+
+		// MatchLabels is a map of {key,value} pairs. A single {key,value}
+		// in the matchLabels map is equivalent to an element of
+		// matchExpressions, whose key field is "key", the operator is
+		// "In", and the values array contains only "value". The
+		// requirements are ANDed.
+		matchLabels?: {
+			[string]: string
+		}
+
+		// Name of the referent
+		name: strings.MaxRunes(53) & strings.MinRunes(1)
+
+		// Namespace of the referent
+		namespace?: strings.MaxRunes(53) & strings.MinRunes(1)
+	}]
+	secretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// This flag tells the controller to suspend subsequent events
+	// handling. Defaults to false.
+	suspend?: bool
+
+	// Type of webhook sender, used to determine the validation
+	// procedure and payload deserialization.
+	type: "generic" | "generic-hmac" | "github" | "gitlab" | "bitbucket" | "harbor" | "dockerhub" | "quay" | "gcr" | "nexus" | "acr"
+}

docs/examples/cue.mod/gen/notification.toolkit.fluxcd.io/receiver/v1beta2/types_gen.cue

@@ -0,0 +1,90 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta2
+
+import "strings"
+
+// Receiver is the Schema for the receivers API.
+#Receiver: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "notification.toolkit.fluxcd.io/v1beta2"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Receiver"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// ReceiverSpec defines the desired state of the Receiver.
+	spec!: #ReceiverSpec
+}
+
+// ReceiverSpec defines the desired state of the Receiver.
+#ReceiverSpec: {
+	// Events specifies the list of event types to handle, e.g. 'push'
+	// for GitHub or 'Push Hook' for GitLab.
+	events?: [...string]
+
+	// Interval at which to reconcile the Receiver with its Secret
+	// references.
+	interval?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+
+	// A list of resources to be notified about changes.
+	resources: [...{
+		// API version of the referent
+		apiVersion?: string
+
+		// Kind of the referent
+		kind: "Bucket" | "GitRepository" | "Kustomization" | "HelmRelease" | "HelmChart" | "HelmRepository" | "ImageRepository" | "ImagePolicy" | "ImageUpdateAutomation" | "OCIRepository"
+
+		// MatchLabels is a map of {key,value} pairs. A single {key,value}
+		// in the matchLabels map is equivalent to an element of
+		// matchExpressions, whose key field is "key", the operator is
+		// "In", and the values array contains only "value". The
+		// requirements are ANDed. MatchLabels requires the name to be
+		// set to `*`.
+		matchLabels?: {
+			[string]: string
+		}
+
+		// Name of the referent If multiple resources are targeted `*` may
+		// be set.
+		name: strings.MaxRunes(53) & strings.MinRunes(1)
+
+		// Namespace of the referent
+		namespace?: strings.MaxRunes(53) & strings.MinRunes(1)
+	}]
+	secretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// Suspend tells the controller to suspend subsequent events
+	// handling for this receiver.
+	suspend?: bool
+
+	// Type of webhook sender, used to determine the validation
+	// procedure and payload deserialization.
+	type: "generic" | "generic-hmac" | "github" | "gitlab" | "bitbucket" | "harbor" | "dockerhub" | "quay" | "gcr" | "nexus" | "acr"
+}

docs/examples/cue.mod/gen/source.toolkit.fluxcd.io/bucket/v1beta1/types_gen.cue

@@ -0,0 +1,95 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta1
+
+import "strings"
+
+// Bucket is the Schema for the buckets API
+#Bucket: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "source.toolkit.fluxcd.io/v1beta1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Bucket"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// BucketSpec defines the desired state of an S3 compatible bucket
+	spec!: #BucketSpec
+}
+
+// BucketSpec defines the desired state of an S3 compatible bucket
+#BucketSpec: {
+	accessFrom?: {
+		// NamespaceSelectors is the list of namespace selectors to which
+		// this ACL applies. Items in this list are evaluated using a
+		// logical OR operation.
+		namespaceSelectors: [...{
+			// MatchLabels is a map of {key,value} pairs. A single {key,value}
+			// in the matchLabels map is equivalent to an element of
+			// matchExpressions, whose key field is "key", the operator is
+			// "In", and the values array contains only "value". The
+			// requirements are ANDed.
+			matchLabels?: {
+				[string]: string
+			}
+		}]
+	}
+
+	// The bucket name.
+	bucketName: string
+
+	// The bucket endpoint address.
+	endpoint: string
+
+	// Ignore overrides the set of excluded patterns in the
+	// .sourceignore format (which is the same as .gitignore). If not
+	// provided, a default will be used, consult the documentation
+	// for your version to find out what those are.
+	ignore?: string
+
+	// Insecure allows connecting to a non-TLS S3 HTTP endpoint.
+	insecure?: bool
+
+	// The interval at which to check for bucket updates.
+	interval: string
+
+	// The S3 compatible storage provider name, default ('generic').
+	provider?: "generic" | "aws" | "gcp" | *"generic"
+
+	// The bucket region.
+	region?: string
+	secretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// This flag tells the controller to suspend the reconciliation of
+	// this source.
+	suspend?: bool
+
+	// The timeout for download operations, defaults to 60s.
+	timeout?: string | *"60s"
+}

docs/examples/cue.mod/gen/source.toolkit.fluxcd.io/bucket/v1beta2/types_gen.cue

@@ -0,0 +1,104 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta2
+
+import "strings"
+
+// Bucket is the Schema for the buckets API.
+#Bucket: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "source.toolkit.fluxcd.io/v1beta2"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Bucket"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// BucketSpec specifies the required configuration to produce an
+	// Artifact for an object storage bucket.
+	spec!: #BucketSpec
+}
+
+// BucketSpec specifies the required configuration to produce an
+// Artifact for an object storage bucket.
+#BucketSpec: {
+	accessFrom?: {
+		// NamespaceSelectors is the list of namespace selectors to which
+		// this ACL applies. Items in this list are evaluated using a
+		// logical OR operation.
+		namespaceSelectors: [...{
+			// MatchLabels is a map of {key,value} pairs. A single {key,value}
+			// in the matchLabels map is equivalent to an element of
+			// matchExpressions, whose key field is "key", the operator is
+			// "In", and the values array contains only "value". The
+			// requirements are ANDed.
+			matchLabels?: {
+				[string]: string
+			}
+		}]
+	}
+
+	// BucketName is the name of the object storage bucket.
+	bucketName: string
+
+	// Endpoint is the object storage address the BucketName is
+	// located at.
+	endpoint: string
+
+	// Ignore overrides the set of excluded patterns in the
+	// .sourceignore format (which is the same as .gitignore). If not
+	// provided, a default will be used, consult the documentation
+	// for your version to find out what those are.
+	ignore?: string
+
+	// Insecure allows connecting to a non-TLS HTTP Endpoint.
+	insecure?: bool
+
+	// Interval at which the Bucket Endpoint is checked for updates.
+	// This interval is approximate and may be subject to jitter to
+	// ensure efficient use of resources.
+	interval: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+
+	// Prefix to use for server-side filtering of files in the Bucket.
+	prefix?: string
+
+	// Provider of the object storage bucket. Defaults to 'generic',
+	// which expects an S3 (API) compatible object storage.
+	provider?: "generic" | "aws" | "gcp" | "azure" | *"generic"
+
+	// Region of the Endpoint where the BucketName is located in.
+	region?: string
+	secretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// Suspend tells the controller to suspend the reconciliation of
+	// this Bucket.
+	suspend?: bool
+
+	// Timeout for fetch operations, defaults to 60s.
+	timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m))+$" | *"60s"
+}

docs/examples/cue.mod/gen/source.toolkit.fluxcd.io/gitrepository/v1/types_gen.cue

@@ -0,0 +1,141 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1
+
+import "strings"
+
+// GitRepository is the Schema for the gitrepositories API.
+#GitRepository: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "source.toolkit.fluxcd.io/v1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "GitRepository"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// GitRepositorySpec specifies the required configuration to
+	// produce an Artifact for a Git repository.
+	spec!: #GitRepositorySpec
+}
+
+// GitRepositorySpec specifies the required configuration to
+// produce an Artifact for a Git repository.
+#GitRepositorySpec: {
+	// Ignore overrides the set of excluded patterns in the
+	// .sourceignore format (which is the same as .gitignore). If not
+	// provided, a default will be used, consult the documentation
+	// for your version to find out what those are.
+	ignore?: string
+
+	// Include specifies a list of GitRepository resources which
+	// Artifacts should be included in the Artifact produced for this
+	// GitRepository.
+	include?: [...{
+		// FromPath specifies the path to copy contents from, defaults to
+		// the root of the Artifact.
+		fromPath?: string
+		repository: {
+			// Name of the referent.
+			name: string
+		}
+
+		// ToPath specifies the path to copy contents to, defaults to the
+		// name of the GitRepositoryRef.
+		toPath?: string
+	}]
+
+	// Interval at which the GitRepository URL is checked for updates.
+	// This interval is approximate and may be subject to jitter to
+	// ensure efficient use of resources.
+	interval: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	proxySecretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// RecurseSubmodules enables the initialization of all submodules
+	// within the GitRepository as cloned from the URL, using their
+	// default settings.
+	recurseSubmodules?: bool
+
+	// Reference specifies the Git reference to resolve and monitor
+	// for changes, defaults to the 'master' branch.
+	ref?: {
+		// Branch to check out, defaults to 'master' if no other field is
+		// defined.
+		branch?: string
+
+		// Commit SHA to check out, takes precedence over all reference
+		// fields.
+		// This can be combined with Branch to shallow clone the branch,
+		// in which the commit is expected to exist.
+		commit?: string
+
+		// Name of the reference to check out; takes precedence over
+		// Branch, Tag and SemVer.
+		// It must be a valid Git reference:
+		// https://git-scm.com/docs/git-check-ref-format#_description
+		// Examples: "refs/heads/main", "refs/tags/v0.1.0",
+		// "refs/pull/420/head", "refs/merge-requests/1/head"
+		name?: string
+
+		// SemVer tag expression to check out, takes precedence over Tag.
+		semver?: string
+
+		// Tag to check out, takes precedence over Branch.
+		tag?: string
+	}
+	secretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// Suspend tells the controller to suspend the reconciliation of
+	// this GitRepository.
+	suspend?: bool
+
+	// Timeout for Git operations like cloning, defaults to 60s.
+	timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m))+$" | *"60s"
+
+	// URL specifies the Git repository URL, it can be an HTTP/S or
+	// SSH address.
+	url: =~"^(http|https|ssh)://.*$"
+
+	// Verification specifies the configuration to verify the Git
+	// commit signature(s).
+	verify?: {
+		// Mode specifies which Git object(s) should be verified.
+		// The variants "head" and "HEAD" both imply the same thing, i.e.
+		// verify the commit that the HEAD of the Git repository points
+		// to. The variant "head" solely exists to ensure backwards
+		// compatibility.
+		mode?: "head" | "HEAD" | "Tag" | "TagAndHEAD" | *"HEAD"
+		secretRef: {
+			// Name of the referent.
+			name: string
+		}
+	}
+}

docs/examples/cue.mod/gen/source.toolkit.fluxcd.io/gitrepository/v1beta1/types_gen.cue

@@ -0,0 +1,137 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta1
+
+import "strings"
+
+// GitRepository is the Schema for the gitrepositories API
+#GitRepository: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "source.toolkit.fluxcd.io/v1beta1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "GitRepository"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// GitRepositorySpec defines the desired state of a Git
+	// repository.
+	spec!: #GitRepositorySpec
+}
+
+// GitRepositorySpec defines the desired state of a Git
+// repository.
+#GitRepositorySpec: {
+	accessFrom?: {
+		// NamespaceSelectors is the list of namespace selectors to which
+		// this ACL applies. Items in this list are evaluated using a
+		// logical OR operation.
+		namespaceSelectors: [...{
+			// MatchLabels is a map of {key,value} pairs. A single {key,value}
+			// in the matchLabels map is equivalent to an element of
+			// matchExpressions, whose key field is "key", the operator is
+			// "In", and the values array contains only "value". The
+			// requirements are ANDed.
+			matchLabels?: {
+				[string]: string
+			}
+		}]
+	}
+
+	// Determines which git client library to use. Defaults to go-git,
+	// valid values are ('go-git', 'libgit2').
+	gitImplementation?: "go-git" | "libgit2" | *"go-git"
+
+	// Ignore overrides the set of excluded patterns in the
+	// .sourceignore format (which is the same as .gitignore). If not
+	// provided, a default will be used, consult the documentation
+	// for your version to find out what those are.
+	ignore?: string
+
+	// Extra git repositories to map into the repository
+	include?: [...{
+		// The path to copy contents from, defaults to the root directory.
+		fromPath?: string
+		repository: {
+			// Name of the referent.
+			name: string
+		}
+
+		// The path to copy contents to, defaults to the name of the
+		// source ref.
+		toPath?: string
+	}]
+
+	// The interval at which to check for repository updates.
+	interval: string
+
+	// When enabled, after the clone is created, initializes all
+	// submodules within, using their default settings. This option
+	// is available only when using the 'go-git' GitImplementation.
+	recurseSubmodules?: bool
+
+	// The Git reference to checkout and monitor for changes, defaults
+	// to master branch.
+	ref?: {
+		// The Git branch to checkout, defaults to master.
+		branch?: string
+
+		// The Git commit SHA to checkout, if specified Tag filters will
+		// be ignored.
+		commit?: string
+
+		// The Git tag semver expression, takes precedence over Tag.
+		semver?: string
+
+		// The Git tag to checkout, takes precedence over Branch.
+		tag?: string
+	}
+	secretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// This flag tells the controller to suspend the reconciliation of
+	// this source.
+	suspend?: bool
+
+	// The timeout for remote Git operations like cloning, defaults to
+	// 60s.
+	timeout?: string | *"60s"
+
+	// The repository URL, can be a HTTP/S or SSH address.
+	url: =~"^(http|https|ssh)://.*$"
+
+	// Verify OpenPGP signature for the Git commit HEAD points to.
+	verify?: {
+		// Mode describes what git object should be verified, currently
+		// ('head').
+		mode: "head"
+		secretRef?: {
+			// Name of the referent.
+			name: string
+		}
+	}
+}

docs/examples/cue.mod/gen/source.toolkit.fluxcd.io/gitrepository/v1beta2/types_gen.cue

@@ -0,0 +1,155 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta2
+
+import "strings"
+
+// GitRepository is the Schema for the gitrepositories API.
+#GitRepository: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "source.toolkit.fluxcd.io/v1beta2"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "GitRepository"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// GitRepositorySpec specifies the required configuration to
+	// produce an Artifact for a Git repository.
+	spec!: #GitRepositorySpec
+}
+
+// GitRepositorySpec specifies the required configuration to
+// produce an Artifact for a Git repository.
+#GitRepositorySpec: {
+	accessFrom?: {
+		// NamespaceSelectors is the list of namespace selectors to which
+		// this ACL applies. Items in this list are evaluated using a
+		// logical OR operation.
+		namespaceSelectors: [...{
+			// MatchLabels is a map of {key,value} pairs. A single {key,value}
+			// in the matchLabels map is equivalent to an element of
+			// matchExpressions, whose key field is "key", the operator is
+			// "In", and the values array contains only "value". The
+			// requirements are ANDed.
+			matchLabels?: {
+				[string]: string
+			}
+		}]
+	}
+
+	// GitImplementation specifies which Git client library
+	// implementation to use. Defaults to 'go-git', valid values are
+	// ('go-git', 'libgit2'). Deprecated: gitImplementation is
+	// deprecated now that 'go-git' is the only supported
+	// implementation.
+	gitImplementation?: "go-git" | "libgit2" | *"go-git"
+
+	// Ignore overrides the set of excluded patterns in the
+	// .sourceignore format (which is the same as .gitignore). If not
+	// provided, a default will be used, consult the documentation
+	// for your version to find out what those are.
+	ignore?: string
+
+	// Include specifies a list of GitRepository resources which
+	// Artifacts should be included in the Artifact produced for this
+	// GitRepository.
+	include?: [...{
+		// FromPath specifies the path to copy contents from, defaults to
+		// the root of the Artifact.
+		fromPath?: string
+		repository: {
+			// Name of the referent.
+			name: string
+		}
+
+		// ToPath specifies the path to copy contents to, defaults to the
+		// name of the GitRepositoryRef.
+		toPath?: string
+	}]
+
+	// Interval at which to check the GitRepository for updates.
+	interval: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+
+	// RecurseSubmodules enables the initialization of all submodules
+	// within the GitRepository as cloned from the URL, using their
+	// default settings.
+	recurseSubmodules?: bool
+
+	// Reference specifies the Git reference to resolve and monitor
+	// for changes, defaults to the 'master' branch.
+	ref?: {
+		// Branch to check out, defaults to 'master' if no other field is
+		// defined.
+		branch?: string
+
+		// Commit SHA to check out, takes precedence over all reference
+		// fields.
+		// This can be combined with Branch to shallow clone the branch,
+		// in which the commit is expected to exist.
+		commit?: string
+
+		// Name of the reference to check out; takes precedence over
+		// Branch, Tag and SemVer.
+		// It must be a valid Git reference:
+		// https://git-scm.com/docs/git-check-ref-format#_description
+		// Examples: "refs/heads/main", "refs/tags/v0.1.0",
+		// "refs/pull/420/head", "refs/merge-requests/1/head"
+		name?: string
+
+		// SemVer tag expression to check out, takes precedence over Tag.
+		semver?: string
+
+		// Tag to check out, takes precedence over Branch.
+		tag?: string
+	}
+	secretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// Suspend tells the controller to suspend the reconciliation of
+	// this GitRepository.
+	suspend?: bool
+
+	// Timeout for Git operations like cloning, defaults to 60s.
+	timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m))+$" | *"60s"
+
+	// URL specifies the Git repository URL, it can be an HTTP/S or
+	// SSH address.
+	url: =~"^(http|https|ssh)://.*$"
+
+	// Verification specifies the configuration to verify the Git
+	// commit signature(s).
+	verify?: {
+		// Mode specifies what Git object should be verified, currently
+		// ('head').
+		mode: "head"
+		secretRef: {
+			// Name of the referent.
+			name: string
+		}
+	}
+}

docs/examples/cue.mod/gen/source.toolkit.fluxcd.io/helmchart/v1beta1/types_gen.cue

@@ -0,0 +1,109 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta1
+
+import "strings"
+
+// HelmChart is the Schema for the helmcharts API
+#HelmChart: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "source.toolkit.fluxcd.io/v1beta1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "HelmChart"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// HelmChartSpec defines the desired state of a Helm chart.
+	spec!: #HelmChartSpec
+}
+
+// HelmChartSpec defines the desired state of a Helm chart.
+#HelmChartSpec: {
+	accessFrom?: {
+		// NamespaceSelectors is the list of namespace selectors to which
+		// this ACL applies. Items in this list are evaluated using a
+		// logical OR operation.
+		namespaceSelectors: [...{
+			// MatchLabels is a map of {key,value} pairs. A single {key,value}
+			// in the matchLabels map is equivalent to an element of
+			// matchExpressions, whose key field is "key", the operator is
+			// "In", and the values array contains only "value". The
+			// requirements are ANDed.
+			matchLabels?: {
+				[string]: string
+			}
+		}]
+	}
+
+	// The name or path the Helm chart is available at in the
+	// SourceRef.
+	chart: string
+
+	// The interval at which to check the Source for updates.
+	interval: string
+
+	// Determines what enables the creation of a new artifact. Valid
+	// values are ('ChartVersion', 'Revision'). See the documentation
+	// of the values for an explanation on their behavior. Defaults
+	// to ChartVersion when omitted.
+	reconcileStrategy?: "ChartVersion" | "Revision" | *"ChartVersion"
+
+	// The reference to the Source the chart is available at.
+	sourceRef: {
+		// APIVersion of the referent.
+		apiVersion?: string
+
+		// Kind of the referent, valid values are ('HelmRepository',
+		// 'GitRepository', 'Bucket').
+		kind: "HelmRepository" | "GitRepository" | "Bucket"
+
+		// Name of the referent.
+		name: string
+	}
+
+	// This flag tells the controller to suspend the reconciliation of
+	// this source.
+	suspend?: bool
+
+	// Alternative values file to use as the default chart values,
+	// expected to be a relative path in the SourceRef. Deprecated in
+	// favor of ValuesFiles, for backwards compatibility the file
+	// defined here is merged before the ValuesFiles items. Ignored
+	// when omitted.
+	valuesFile?: string
+
+	// Alternative list of values files to use as the chart values
+	// (values.yaml is not included by default), expected to be a
+	// relative path in the SourceRef. Values files are merged in the
+	// order of this list with the last file overriding the first.
+	// Ignored when omitted.
+	valuesFiles?: [...string]
+
+	// The chart version semver expression, ignored for charts from
+	// GitRepository and Bucket sources. Defaults to latest when
+	// omitted.
+	version?: string | *"*"
+}

docs/examples/cue.mod/gen/source.toolkit.fluxcd.io/helmchart/v1beta2/types_gen.cue

@@ -0,0 +1,145 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta2
+
+import "strings"
+
+// HelmChart is the Schema for the helmcharts API.
+#HelmChart: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "source.toolkit.fluxcd.io/v1beta2"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "HelmChart"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// HelmChartSpec specifies the desired state of a Helm chart.
+	spec!: #HelmChartSpec
+}
+
+// HelmChartSpec specifies the desired state of a Helm chart.
+#HelmChartSpec: {
+	accessFrom?: {
+		// NamespaceSelectors is the list of namespace selectors to which
+		// this ACL applies. Items in this list are evaluated using a
+		// logical OR operation.
+		namespaceSelectors: [...{
+			// MatchLabels is a map of {key,value} pairs. A single {key,value}
+			// in the matchLabels map is equivalent to an element of
+			// matchExpressions, whose key field is "key", the operator is
+			// "In", and the values array contains only "value". The
+			// requirements are ANDed.
+			matchLabels?: {
+				[string]: string
+			}
+		}]
+	}
+
+	// Chart is the name or path the Helm chart is available at in the
+	// SourceRef.
+	chart: string
+
+	// Interval at which the HelmChart SourceRef is checked for
+	// updates. This interval is approximate and may be subject to
+	// jitter to ensure efficient use of resources.
+	interval: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+
+	// ReconcileStrategy determines what enables the creation of a new
+	// artifact. Valid values are ('ChartVersion', 'Revision'). See
+	// the documentation of the values for an explanation on their
+	// behavior. Defaults to ChartVersion when omitted.
+	reconcileStrategy?: "ChartVersion" | "Revision" | *"ChartVersion"
+
+	// SourceRef is the reference to the Source the chart is available
+	// at.
+	sourceRef: {
+		// APIVersion of the referent.
+		apiVersion?: string
+
+		// Kind of the referent, valid values are ('HelmRepository',
+		// 'GitRepository', 'Bucket').
+		kind: "HelmRepository" | "GitRepository" | "Bucket"
+
+		// Name of the referent.
+		name: string
+	}
+
+	// Suspend tells the controller to suspend the reconciliation of
+	// this source.
+	suspend?: bool
+
+	// ValuesFile is an alternative values file to use as the default
+	// chart values, expected to be a relative path in the SourceRef.
+	// Deprecated in favor of ValuesFiles, for backwards
+	// compatibility the file specified here is merged before the
+	// ValuesFiles items. Ignored when omitted.
+	valuesFile?: string
+
+	// ValuesFiles is an alternative list of values files to use as
+	// the chart values (values.yaml is not included by default),
+	// expected to be a relative path in the SourceRef. Values files
+	// are merged in the order of this list with the last file
+	// overriding the first. Ignored when omitted.
+	valuesFiles?: [...string]
+
+	// Verify contains the secret name containing the trusted public
+	// keys used to verify the signature and specifies which provider
+	// to use to check whether OCI image is authentic. This field is
+	// only supported when using HelmRepository source with spec.type
+	// 'oci'. Chart dependencies, which are not bundled in the
+	// umbrella chart artifact, are not verified.
+	verify?: {
+		// MatchOIDCIdentity specifies the identity matching criteria to
+		// use while verifying an OCI artifact which was signed using
+		// Cosign keyless signing. The artifact's identity is deemed to
+		// be verified if any of the specified matchers match against the
+		// identity.
+		matchOIDCIdentity?: [...{
+			// Issuer specifies the regex pattern to match against to verify
+			// the OIDC issuer in the Fulcio certificate. The pattern must be
+			// a valid Go regular expression.
+			issuer: string
+
+			// Subject specifies the regex pattern to match against to verify
+			// the identity subject in the Fulcio certificate. The pattern
+			// must be a valid Go regular expression.
+			subject: string
+		}]
+
+		// Provider specifies the technology used to sign the OCI
+		// Artifact.
+		provider: "cosign" | *"cosign"
+		secretRef?: {
+			// Name of the referent.
+			name: string
+		}
+	}
+
+	// Version is the chart version semver expression, ignored for
+	// charts from GitRepository and Bucket sources. Defaults to
+	// latest when omitted.
+	version?: string | *"*"
+}

docs/examples/cue.mod/gen/source.toolkit.fluxcd.io/helmrepository/v1beta1/types_gen.cue

@@ -0,0 +1,86 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta1
+
+import "strings"
+
+// HelmRepository is the Schema for the helmrepositories API
+#HelmRepository: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "source.toolkit.fluxcd.io/v1beta1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "HelmRepository"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// HelmRepositorySpec defines the reference to a Helm repository.
+	spec!: #HelmRepositorySpec
+}
+
+// HelmRepositorySpec defines the reference to a Helm repository.
+#HelmRepositorySpec: {
+	accessFrom?: {
+		// NamespaceSelectors is the list of namespace selectors to which
+		// this ACL applies. Items in this list are evaluated using a
+		// logical OR operation.
+		namespaceSelectors: [...{
+			// MatchLabels is a map of {key,value} pairs. A single {key,value}
+			// in the matchLabels map is equivalent to an element of
+			// matchExpressions, whose key field is "key", the operator is
+			// "In", and the values array contains only "value". The
+			// requirements are ANDed.
+			matchLabels?: {
+				[string]: string
+			}
+		}]
+	}
+
+	// The interval at which to check the upstream for updates.
+	interval: string
+
+	// PassCredentials allows the credentials from the SecretRef to be
+	// passed on to a host that does not match the host as defined in
+	// URL. This may be required if the host of the advertised chart
+	// URLs in the index differ from the defined URL. Enabling this
+	// should be done with caution, as it can potentially result in
+	// credentials getting stolen in a MITM-attack.
+	passCredentials?: bool
+	secretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// This flag tells the controller to suspend the reconciliation of
+	// this source.
+	suspend?: bool
+
+	// The timeout of index downloading, defaults to 60s.
+	timeout?: string | *"60s"
+
+	// The Helm repository URL, a valid URL contains at least a
+	// protocol and host.
+	url: string
+}

docs/examples/cue.mod/gen/source.toolkit.fluxcd.io/helmrepository/v1beta2/types_gen.cue

@@ -0,0 +1,112 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta2
+
+import "strings"
+
+// HelmRepository is the Schema for the helmrepositories API.
+#HelmRepository: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "source.toolkit.fluxcd.io/v1beta2"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "HelmRepository"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// HelmRepositorySpec specifies the required configuration to
+	// produce an Artifact for a Helm repository index YAML.
+	spec!: #HelmRepositorySpec
+}
+
+// HelmRepositorySpec specifies the required configuration to
+// produce an Artifact for a Helm repository index YAML.
+#HelmRepositorySpec: {
+	accessFrom?: {
+		// NamespaceSelectors is the list of namespace selectors to which
+		// this ACL applies. Items in this list are evaluated using a
+		// logical OR operation.
+		namespaceSelectors: [...{
+			// MatchLabels is a map of {key,value} pairs. A single {key,value}
+			// in the matchLabels map is equivalent to an element of
+			// matchExpressions, whose key field is "key", the operator is
+			// "In", and the values array contains only "value". The
+			// requirements are ANDed.
+			matchLabels?: {
+				[string]: string
+			}
+		}]
+	}
+	certSecretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// Insecure allows connecting to a non-TLS HTTP container
+	// registry. This field is only taken into account if the
+	// .spec.type field is set to 'oci'.
+	insecure?: bool
+
+	// Interval at which the HelmRepository URL is checked for
+	// updates. This interval is approximate and may be subject to
+	// jitter to ensure efficient use of resources.
+	interval?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+
+	// PassCredentials allows the credentials from the SecretRef to be
+	// passed on to a host that does not match the host as defined in
+	// URL. This may be required if the host of the advertised chart
+	// URLs in the index differ from the defined URL. Enabling this
+	// should be done with caution, as it can potentially result in
+	// credentials getting stolen in a MITM-attack.
+	passCredentials?: bool
+
+	// Provider used for authentication, can be 'aws', 'azure', 'gcp'
+	// or 'generic'. This field is optional, and only taken into
+	// account if the .spec.type field is set to 'oci'. When not
+	// specified, defaults to 'generic'.
+	provider?: "generic" | "aws" | "azure" | "gcp" | *"generic"
+	secretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// Suspend tells the controller to suspend the reconciliation of
+	// this HelmRepository.
+	suspend?: bool
+
+	// Timeout is used for the index fetch operation for an HTTPS helm
+	// repository, and for remote OCI Repository operations like
+	// pulling for an OCI helm chart by the associated HelmChart. Its
+	// default value is 60s.
+	timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m))+$"
+
+	// Type of the HelmRepository. When this field is set to "oci",
+	// the URL field value must be prefixed with "oci://".
+	type?: "default" | "oci"
+
+	// URL of the Helm repository, a valid URL contains at least a
+	// protocol and host.
+	url: =~"^(http|https|oci)://.*$"
+}

docs/examples/cue.mod/gen/source.toolkit.fluxcd.io/ocirepository/v1beta2/types_gen.cue

@@ -0,0 +1,151 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta2
+
+import "strings"
+
+// OCIRepository is the Schema for the ocirepositories API
+#OCIRepository: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "source.toolkit.fluxcd.io/v1beta2"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "OCIRepository"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// OCIRepositorySpec defines the desired state of OCIRepository
+	spec!: #OCIRepositorySpec
+}
+
+// OCIRepositorySpec defines the desired state of OCIRepository
+#OCIRepositorySpec: {
+	certSecretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// Ignore overrides the set of excluded patterns in the
+	// .sourceignore format (which is the same as .gitignore). If not
+	// provided, a default will be used, consult the documentation
+	// for your version to find out what those are.
+	ignore?: string
+
+	// Insecure allows connecting to a non-TLS HTTP container
+	// registry.
+	insecure?: bool
+
+	// Interval at which the OCIRepository URL is checked for updates.
+	// This interval is approximate and may be subject to jitter to
+	// ensure efficient use of resources.
+	interval: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+
+	// LayerSelector specifies which layer should be extracted from
+	// the OCI artifact. When not specified, the first layer found in
+	// the artifact is selected.
+	layerSelector?: {
+		// MediaType specifies the OCI media type of the layer which
+		// should be extracted from the OCI Artifact. The first layer
+		// matching this type is selected.
+		mediaType?: string
+
+		// Operation specifies how the selected layer should be processed.
+		// By default, the layer compressed content is extracted to
+		// storage. When the operation is set to 'copy', the layer
+		// compressed content is persisted to storage as it is.
+		operation?: "extract" | "copy"
+	}
+
+	// The provider used for authentication, can be 'aws', 'azure',
+	// 'gcp' or 'generic'. When not specified, defaults to 'generic'.
+	provider?: "generic" | "aws" | "azure" | "gcp" | *"generic"
+
+	// The OCI reference to pull and monitor for changes, defaults to
+	// the latest tag.
+	ref?: {
+		// Digest is the image digest to pull, takes precedence over
+		// SemVer. The value should be in the format 'sha256:<HASH>'.
+		digest?: string
+
+		// SemVer is the range of tags to pull selecting the latest within
+		// the range, takes precedence over Tag.
+		semver?: string
+
+		// Tag is the image tag to pull, defaults to latest.
+		tag?: string
+	}
+	secretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// ServiceAccountName is the name of the Kubernetes ServiceAccount
+	// used to authenticate the image pull if the service account has
+	// attached pull secrets. For more information:
+	// https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account
+	serviceAccountName?: string
+
+	// This flag tells the controller to suspend the reconciliation of
+	// this source.
+	suspend?: bool
+
+	// The timeout for remote OCI Repository operations like pulling,
+	// defaults to 60s.
+	timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m))+$" | *"60s"
+
+	// URL is a reference to an OCI artifact repository hosted on a
+	// remote container registry.
+	url: =~"^oci://.*$"
+
+	// Verify contains the secret name containing the trusted public
+	// keys used to verify the signature and specifies which provider
+	// to use to check whether OCI image is authentic.
+	verify?: {
+		// MatchOIDCIdentity specifies the identity matching criteria to
+		// use while verifying an OCI artifact which was signed using
+		// Cosign keyless signing. The artifact's identity is deemed to
+		// be verified if any of the specified matchers match against the
+		// identity.
+		matchOIDCIdentity?: [...{
+			// Issuer specifies the regex pattern to match against to verify
+			// the OIDC issuer in the Fulcio certificate. The pattern must be
+			// a valid Go regular expression.
+			issuer: string
+
+			// Subject specifies the regex pattern to match against to verify
+			// the identity subject in the Fulcio certificate. The pattern
+			// must be a valid Go regular expression.
+			subject: string
+		}]
+
+		// Provider specifies the technology used to sign the OCI
+		// Artifact.
+		provider: "cosign" | *"cosign"
+		secretRef?: {
+			// Name of the referent.
+			name: string
+		}
+	}
+}

docs/examples/platforms/reference/projects/secrets/components/eso/eso.cue

@@ -0,0 +1,3 @@
+package holos
+
+#InputKeys: component: "eso"

docs/examples/platforms/reference/projects/secrets/components/eso/output.cue

@@ -0,0 +1,14 @@
+package holos
+
+#HelmChart & {
+	values: installCrds: true
+	namespace: #TargetNamespace
+	chart: {
+		name: "external-secrets"
+		version: "0.9.12"
+		repository: {
+			name: "external-secrets"
+		  url: "https://charts.external-secrets.io"
+		}
+	}
+}

docs/examples/platforms/reference/projects/secrets/components/namespaces/namespaces.cue

@@ -1,9 +1,10 @@
 package holos
 
-// e.g. prod-secrets-namespaces
-metadata: name: "\(#InputKeys.stage)-\(#InputKeys.project)-namespaces"
+#InputKeys: component: "namespaces"
+
+metadata: name: #InstanceName
 objects: [
 	#Namespace & {
-		metadata: name: "external-secrets"
+		metadata: name: #TargetNamespace
 	}
 ]

docs/examples/platforms/reference/projects/secrets/components/namespaces/output.cue

@@ -0,0 +1,6 @@
+package holos
+
+// Output schema
+{} & #KubernetesObjects & {
+	ksObjects: [#Kustomization]
+}

docs/examples/platforms/reference/projects/secrets/inputkeys.cue

@@ -0,0 +1,11 @@
+package holos
+
+#TargetNamespace: "external-secrets"
+
+#InputKeys: {
+	project: "secrets"
+	service: "eso"
+}
+
+// Holos component name
+metadata: name: #InstanceName

docs/examples/platforms/reference/projects/secrets/output.cue

@@ -1,9 +0,0 @@
-package holos
-
-// Output schema
-{} & #KubernetesObjects
-
-#InputKeys: {
-	project: "secrets"
-	service: "eso"
-}

docs/examples/schema.cue

@@ -2,6 +2,7 @@ package holos
 
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	ksv1 "kustomize.toolkit.fluxcd.io/kustomization/v1"
 	corev1 "k8s.io/api/core/v1"
 	"encoding/yaml"
 )
@@ -11,6 +12,9 @@ _apiVersion: "holos.run/v1alpha1"
 // #Name defines the name: string key value pair used all over the place.
 #Name: name: string
 
+// #InstanceName is the name of the holos component instance being managed varying by stage, project, and component names.
+#InstanceName: "\(#InputKeys.stage)-\(#InputKeys.project)-\(#InputKeys.component)"
+
 // #NamespaceMeta defines standard metadata for namespaces.
 // Refer to https://kubernetes.io/docs/reference/labels-annotations-taints/#kubernetes-io-metadata-name
 #NamespaceMeta: {
@@ -21,9 +25,31 @@ _apiVersion: "holos.run/v1alpha1"
 	...
 }
 
+// #TargetNamespace is the target namespace for a holos component.
+#TargetNamespace: string
+
 // Kubernetes API Objects
 #Namespace: corev1.#Namespace & #NamespaceMeta
 #ConfigMap: corev1.#ConfigMap
+#Kustomization: ksv1.#Kustomization & {
+	metadata: {
+		name: #InstanceName,
+		namespace: string | *"flux-system",
+	}
+	spec: ksv1.#KustomizationSpec & {
+		interval: string | *"30m0s"
+		path: string | *"deploy/clusters/\(#InputKeys.cluster)/components/\(#InstanceName)"
+		prune: bool | *true
+		retryInterval: string | *"2m0s"
+		sourceRef: {
+			kind: string | *"GitRepository"
+			name: string | *"flux-system"
+		}
+		timeout: string | *"3m0s"
+		wait: bool | *true
+	}
+}
+
 
 // #InputKeys defines the set of cue tags required to build a cue holos component. The values are used as lookup keys into the _Platform data.
 #InputKeys: {
@@ -35,6 +61,8 @@ _apiVersion: "holos.run/v1alpha1"
 	project: string @tag(project, type=string)
 	// service is usually set by the component.
 	service: string @tag(service, type=string)
+	// component is the name of the component
+	component: string @tag(component, type=string)
 }
 
 // #Platform defines the primary lookup table for the platform.  Lookup keys should be limited to those defined in #KeyTags.
@@ -67,7 +95,7 @@ _Platform: #Platform
 	// apiVersion is the output api version
 	apiVersion: _apiVersion
 	// kind is a discriminator of the type of output
-	kind: #PlatformSpec.kind | #KubernetesObjects.kind | #ChartValues.kind
+	kind: #PlatformSpec.kind | #KubernetesObjects.kind | #HelmChart.kind
 	// name holds a unique name suitable for a filename
 	metadata: name: string
 	// contentType is the standard MIME type indicating the content type of the content field
@@ -87,14 +115,44 @@ _Platform: #Platform
 	objects: [...metav1.#TypeMeta] | *[]
 	// out holds the rendered yaml text stream of kubernetes api objects.
 	content: yaml.MarshalStream(objects)
+	// ksObjects holds the flux Kustomization objects for gitops
+	ksObjects: [...#Kustomization] | *[]
+	// ksContent is the yaml representation of kustomization
+	ksContent: yaml.MarshalStream(ksObjects)
 	// platform returns the platform data structure for visibility / troubleshooting.
 	platform: _Platform
 }
 
-// #ChartValues is the output schema of a holos component which produces values for a helm chart.
-#ChartValues: {
+// #Chart defines an upstream helm chart
+#Chart: {
+	name: string
+	version: string
+	repository: {
+		name: string
+		url: string
+	}
+}
+
+// #HelmChart is a holos component which produces kubernetes api objects from cue values provided to the helm template command.
+#HelmChart: {
 	#OutputTypeMeta
-	kind: "ChartValues"
+	kind: "HelmChart"
+	// ksObjects holds the flux Kustomization objects for gitops.
+	ksObjects: [...#Kustomization] | *[#Kustomization]
+	// ksContent is the yaml representation of kustomization.
+	ksContent: yaml.MarshalStream(ksObjects)
+	// namespace defines the value passed to the helm --namespace flag
+	namespace: #TargetNamespace
+	// chart defines the upstream helm chart to process.
+	chart: #Chart
+	// values represents the helm values to provide to the chart.
+	values: {...}
+	// valuesContent holds the values yaml
+	valuesContent: yaml.Marshal(values)
+	// platform returns the platform data structure for visibility / troubleshooting.
+	platform: _Platform
+	// instance returns the key values of the holos component instance.
+	instance: #InputKeys
 }
 
 // #PlatformSpec is the output schema of a platform specification.
@@ -103,4 +161,4 @@ _Platform: #Platform
 	kind: "PlatformSpec"
 }
 
-#Output: #PlatformSpec | #KubernetesObjects | #ChartValues
+#Output: #PlatformSpec | #KubernetesObjects | #HelmChart

go.mod

@@ -4,7 +4,6 @@ go 1.21.5
 
 require (
 	cuelang.org/go v0.7.0
-	github.com/lmittmann/tint v1.0.4
 	github.com/mattn/go-isatty v0.0.20
 	github.com/spf13/cobra v1.7.0
 )

go.sum

@@ -26,8 +26,6 @@ github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/lib/pq v1.10.7 h1:p7ZhMD+KsSRozJr34udlUrhboJwWAgCg34+/ZZNvZZw=
 github.com/lib/pq v1.10.7/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
-github.com/lmittmann/tint v1.0.4 h1:LeYihpJ9hyGvE0w+K2okPTGUdVLfng1+nDNVR4vWISc=
-github.com/lmittmann/tint v1.0.4/go.mod h1:HIS3gSy7qNwGCj+5oRjAutErFBl4BzdQP6cJZ0NfMwE=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0=

holos.go

@@ -0,0 +1,6 @@
+// Package holos defines types for the rest of the system.
+package holos
+
+// A PathCueMod is a string representing the filesystem path of a cue module.
+// It is given a unique type so the API is clear.
+type PathCueMod string

pkg/cli/render.go

@@ -17,17 +17,26 @@ func makeRenderRunFunc(cfg *config.Config) runFunc {
 
 		ctx := cmd.Context()
 		log := logger.FromContext(ctx)
-		build := builder.New(builder.Entrypoints(args))
+		build := builder.New(builder.Entrypoints(args), builder.Cluster(cfg.ClusterName()))
 		results, err := build.Run(cmd.Context())
 		if err != nil {
 			return wrapper.Wrap(err)
 		}
+		// TODO: Avoid accidental over-writes if to holos component instances result in
+		// the same file path. Write files into a blank temporary directory, error if a
+		// file exists, then move the directory into place.
 		for _, result := range results {
+			// API Objects
 			path := result.Filename(cfg.WriteTo(), cfg.ClusterName())
-			if err := result.Save(ctx, path); err != nil {
+			if err := result.Save(ctx, path, result.Content); err != nil {
 				return wrapper.Wrap(err)
 			}
-			log.InfoContext(ctx, "rendered "+result.Name(), "status", "ok", "action", "save", "path", path, "name", result.Name())
+			// Kustomization
+			path = result.KustomizationFilename(cfg.WriteTo(), cfg.ClusterName())
+			if err := result.Save(ctx, path, result.KsContent); err != nil {
+				return wrapper.Wrap(err)
+			}
+			log.InfoContext(ctx, "rendered "+result.Name(), "status", "ok", "action", "rendered", "name", result.Name())
 		}
 		return nil
 	}

pkg/config/config.go

@@ -9,7 +9,8 @@ import (
 	"os"
 )
 
-// An Option configures a Config
+// An Option configures a Config using [functional
+// options](https://commandcenter.blogspot.com/2014/01/self-referential-functions-and-design.html).
 type Option func(o *options)
 
 type options struct {
@@ -17,12 +18,12 @@ type options struct {
 	stderr io.Writer
 }
 
-// Stdout redirects standard output to w
+// Stdout redirects standard output to w, useful for test capture.
 func Stdout(w io.Writer) Option {
 	return func(o *options) { o.stdout = w }
 }
 
-// Stderr redirects standard error to w
+// Stderr redirects standard error to w, useful for test capture.
 func Stderr(w io.Writer) Option {
 	return func(o *options) { o.stderr = w }
 }
@@ -51,7 +52,9 @@ func New(opts ...Option) *Config {
 	return cfg
 }
 
-// Config holds configuration for the whole program, used by main()
+// Config holds configuration for the whole program, used by main(). The config
+// should be initialized early at a well known location in the program lifecycle
+// then remain immutable.
 type Config struct {
 	logConfig      *logger.Config
 	writeTo        string
@@ -63,7 +66,7 @@ type Config struct {
 	clusterFlagSet *flag.FlagSet
 }
 
-// LogFlagSet returns the logging *flag.FlagSet
+// LogFlagSet returns the logging *flag.FlagSet for use by the command handler.
 func (c *Config) LogFlagSet() *flag.FlagSet {
 	return c.logConfig.FlagSet()
 }
@@ -93,12 +96,12 @@ func (c *Config) Finalize() error {
 	return nil
 }
 
-// Vet validates the config
+// Vet validates the config.
 func (c *Config) Vet() error {
 	return c.logConfig.Vet()
 }
 
-// Logger returns a *slog.Logger configured by the user
+// Logger returns a *slog.Logger configured by the user.
 func (c *Config) Logger() *slog.Logger {
 	if c.logger != nil {
 		return c.logger
@@ -127,12 +130,12 @@ func (c *Config) WriteTo() string {
 	return c.writeTo
 }
 
-// ClusterName returns the configured cluster name
+// ClusterName returns the cluster name configured by flags.
 func (c *Config) ClusterName() string {
 	return c.clusterName
 }
 
-// getenv is equivalent to os.Getenv() with a default value
+// getenv is equivalent to os.LookupEnv with a default value.
 func getenv(key, defaultValue string) string {
 	if value, exists := os.LookupEnv(key); exists {
 		return value

pkg/internal/builder/builder.go

@@ -4,22 +4,36 @@
 package builder
 
 import (
+	"bytes"
 	"context"
+	"cuelang.org/go/cue/build"
 	"fmt"
+	"github.com/holos-run/holos"
 	"github.com/holos-run/holos/pkg/logger"
 	"github.com/holos-run/holos/pkg/wrapper"
 	"os"
+	"os/exec"
 	"path/filepath"
 
 	"cuelang.org/go/cue/cuecontext"
 	"cuelang.org/go/cue/load"
 )
 
+const (
+	// Kube is the value of the kind field of holos build output indicating
+	// kubernetes api objects.
+	Kube = "KubernetesObjects"
+	// Helm is the value of the kind field of holos build output indicating helm
+	// values and helm command information.
+	Helm = "HelmChart"
+)
+
 // An Option configures a Builder
 type Option func(*config)
 
 type config struct {
-	args []string
+	args    []string
+	cluster string
 }
 
 type Builder struct {
@@ -41,6 +55,11 @@ func Entrypoints(args []string) Option {
 	return func(cfg *config) { cfg.args = args }
 }
 
+// Cluster configures the cluster name for the holos component instance.
+func Cluster(name string) Option {
+	return func(cfg *config) { cfg.cluster = name }
+}
+
 type buildInfo struct {
 	APIVersion string `json:"apiVersion,omitempty"`
 	Kind       string `json:"kind,omitempty"`
@@ -53,8 +72,31 @@ type Metadata struct {
 
 // Result is the build result for display or writing.
 type Result struct {
-	Metadata Metadata `json:"metadata,omitempty"`
-	Content  string   `json:"content,omitempty"`
+	Metadata  Metadata `json:"metadata,omitempty"`
+	Content   string   `json:"content,omitempty"`
+	KsContent string   `json:"ksContent,omitempty"`
+}
+
+type Repository struct {
+	Name string `json:"name"`
+	URL  string `json:"url"`
+}
+
+type Chart struct {
+	Name       string     `json:"name"`
+	Version    string     `json:"version"`
+	Repository Repository `json:"repository"`
+}
+
+// A HelmChart represents a helm command to provide chart values in order to render kubernetes api objects.
+type HelmChart struct {
+	APIVersion    string   `json:"apiVersion"`
+	Kind          string   `json:"kind"`
+	Metadata      Metadata `json:"metadata"`
+	KsContent     string   `json:"ksContent"`
+	Namespace     string   `json:"namespace"`
+	Chart         Chart    `json:"chart"`
+	ValuesContent string   `json:"valuesContent"`
 }
 
 // Name returns the metadata name of the result. Equivalent to the
@@ -67,34 +109,41 @@ func (r *Result) Filename(writeTo string, cluster string) string {
 	return filepath.Join(writeTo, "clusters", cluster, "components", r.Name(), r.Name()+".gen.yaml")
 }
 
+func (r *Result) KustomizationFilename(writeTo string, cluster string) string {
+	return filepath.Join(writeTo, "clusters", cluster, "holos", "components", r.Name()+"-kustomization.gen.yaml")
+}
+
 // Save writes the content to the filesystem for git ops.
-func (r *Result) Save(ctx context.Context, path string) error {
-	if r.Name() == "" {
-		return wrapper.Wrap(fmt.Errorf("missing name from cue result"))
-	}
+func (r *Result) Save(ctx context.Context, path string, content string) error {
 	log := logger.FromContext(ctx)
 	dir := filepath.Dir(path)
 	if err := os.MkdirAll(dir, os.FileMode(0775)); err != nil {
 		log.WarnContext(ctx, "could not mkdir", "path", dir, "err", err)
 		return wrapper.Wrap(err)
 	}
-	if err := os.WriteFile(path, []byte(r.Content), os.FileMode(0644)); err != nil {
+	// Write the kube api objects
+	if err := os.WriteFile(path, []byte(content), os.FileMode(0644)); err != nil {
 		log.WarnContext(ctx, "could not write", "path", path, "err", err)
 		return wrapper.Wrap(err)
 	}
-	log.DebugContext(ctx, "wrote "+path, "action", "mkdir", "path", path, "status", "ok")
+	log.DebugContext(ctx, "wrote "+path, "action", "write", "path", path, "status", "ok")
 	return nil
 }
 
-func (b *Builder) Run(ctx context.Context) ([]*Result, error) {
-	log := logger.FromContext(ctx)
-	cueCtx := cuecontext.New()
-	results := make([]*Result, 0, len(b.cfg.args))
+// Cluster returns the cluster name of the component instance being built.
+func (b *Builder) Cluster() string {
+	return b.cfg.cluster
+}
 
-	dir, err := b.findCueMod()
+// Instances returns the cue build instances being built.
+func (b *Builder) Instances(ctx context.Context) ([]*build.Instance, error) {
+	log := logger.FromContext(ctx)
+
+	mod, err := b.findCueMod()
 	if err != nil {
 		return nil, wrapper.Wrap(err)
 	}
+	dir := string(mod)
 
 	cfg := load.Config{Dir: dir}
 
@@ -111,36 +160,69 @@ func (b *Builder) Run(ctx context.Context) ([]*Result, error) {
 		}
 		relPath = "./" + relPath
 		args[idx] = relPath
-		equiv := fmt.Sprintf("cue export --out yaml %v", relPath)
-		log.Debug(equiv)
+		equiv := fmt.Sprintf("cue export --out yaml -t cluster=%v %v", b.Cluster(), relPath)
+		log.Debug("cue: equivalent command: " + equiv)
 	}
 
-	instances := load.Instances(args, &cfg)
+	// Refer to https://github.com/cue-lang/cue/blob/v0.7.0/cmd/cue/cmd/common.go#L429
+	cfg.Tags = append(cfg.Tags, "cluster="+b.Cluster())
+	log.DebugContext(ctx, fmt.Sprintf("cue: tags %v", cfg.Tags))
+
+	return load.Instances(args, &cfg), nil
+}
+
+func (b *Builder) Run(ctx context.Context) (results []*Result, err error) {
+	results = make([]*Result, 0, len(b.cfg.args))
+	cueCtx := cuecontext.New()
+	logger.FromContext(ctx).DebugContext(ctx, "cue: building instances")
+	instances, err := b.Instances(ctx)
+	if err != nil {
+		return results, err
+	}
 
 	for _, instance := range instances {
 		var info buildInfo
 		var result Result
+		log := logger.FromContext(ctx).With("dir", instance.Dir)
 		results = append(results, &result)
 		if err := instance.Err; err != nil {
 			return nil, wrapper.Wrap(fmt.Errorf("could not load: %w", err))
 		}
+		log.DebugContext(ctx, "cue: building instance")
 		value := cueCtx.BuildInstance(instance)
 		if err := value.Err(); err != nil {
 			return nil, wrapper.Wrap(fmt.Errorf("could not build: %w", err))
 		}
+		log.DebugContext(ctx, "cue: validating instance")
 		if err := value.Validate(); err != nil {
 			return nil, wrapper.Wrap(fmt.Errorf("could not validate: %w", err))
 		}
-
+		log.DebugContext(ctx, "cue: decoding holos component build info")
 		if err := value.Decode(&info); err != nil {
 			return nil, wrapper.Wrap(fmt.Errorf("could not decode: %w", err))
 		}
 
+		log.DebugContext(ctx, "cue: processing holos component kind "+info.Kind)
 		switch kind := info.Kind; kind {
-		case "KubernetesObjects":
+		case Kube:
+			// CUE directly provides the kubernetes api objects in result.Content
 			if err := value.Decode(&result); err != nil {
 				return nil, wrapper.Wrap(fmt.Errorf("could not decode: %w", err))
 			}
+		case Helm:
+			var helmChart HelmChart
+			// First decode into the result.  Helm will populate the api objects later.
+			if err := value.Decode(&result); err != nil {
+				return nil, wrapper.Wrap(fmt.Errorf("could not decode: %w", err))
+			}
+			// Decode again into the helm chart struct to get the values content to provide to helm.
+			if err := value.Decode(&helmChart); err != nil {
+				return nil, wrapper.Wrap(fmt.Errorf("could not decode: %w", err))
+			}
+			// runHelm populates result.Content from helm template output.
+			if err := runHelm(ctx, &helmChart, &result); err != nil {
+				return nil, err
+			}
 		default:
 			return nil, wrapper.Wrap(fmt.Errorf("build kind not implemented: %v", kind))
 		}
@@ -152,14 +234,15 @@ func (b *Builder) Run(ctx context.Context) ([]*Result, error) {
 // findCueMod returns the root module location containing the cue.mod file or
 // directory or an error if the builder arguments do not share a common root
 // module.
-func (b *Builder) findCueMod() (dir string, err error) {
+func (b *Builder) findCueMod() (dir holos.PathCueMod, err error) {
 	for _, origPath := range b.cfg.args {
-		var path string
-		if path, err = filepath.Abs(origPath); err != nil {
-			return
+		absPath, err := filepath.Abs(origPath)
+		if err != nil {
+			return "", err
 		}
+		path := holos.PathCueMod(absPath)
 		for {
-			if _, err := os.Stat(filepath.Join(path, "cue.mod")); err == nil {
+			if _, err := os.Stat(filepath.Join(string(path), "cue.mod")); err == nil {
 				if dir != "" && dir != path {
 					return "", fmt.Errorf("multiple modules not supported: %v is not %v", dir, path)
 				}
@@ -168,7 +251,7 @@ func (b *Builder) findCueMod() (dir string, err error) {
 			} else if !os.IsNotExist(err) {
 				return "", err
 			}
-			parentPath := filepath.Dir(path)
+			parentPath := holos.PathCueMod(filepath.Dir(string(path)))
 			if parentPath == path {
 				return "", fmt.Errorf("no cue.mod from root to leaf: %v", origPath)
 			}
@@ -177,3 +260,78 @@ func (b *Builder) findCueMod() (dir string, err error) {
 	}
 	return dir, nil
 }
+
+type runResult struct {
+	stdout *bytes.Buffer
+	stderr *bytes.Buffer
+}
+
+func runCmd(ctx context.Context, name string, args ...string) (result runResult, err error) {
+	result = runResult{
+		stdout: new(bytes.Buffer),
+		stderr: new(bytes.Buffer),
+	}
+	cmd := exec.CommandContext(ctx, name, args...)
+	cmd.Stdout = result.stdout
+	cmd.Stderr = result.stderr
+	log := logger.FromContext(ctx)
+	log.DebugContext(ctx, "running: "+name, "name", name, "args", args)
+	err = cmd.Run()
+	return
+}
+
+// runHelm provides the values produced by CUE to helm template and returns
+// the rendered kubernetes api objects in the result.
+func runHelm(ctx context.Context, hc *HelmChart, r *Result) error {
+	log := logger.FromContext(ctx).With("chart", hc.Chart.Name)
+	// Add repositories
+	repo := hc.Chart.Repository
+	out, err := runCmd(ctx, "helm", "repo", "add", repo.Name, repo.URL)
+	if err != nil {
+		log.ErrorContext(ctx, "could not run helm", "stderr", out.stderr.String(), "stdout", out.stdout.String())
+		return wrapper.Wrap(fmt.Errorf("could not run helm repo add: %w", err))
+	}
+	out, err = runCmd(ctx, "helm", "repo", "update", repo.Name)
+	if err != nil {
+		log.ErrorContext(ctx, "could not run helm", "stderr", out.stderr.String(), "stdout", out.stdout.String())
+		return wrapper.Wrap(fmt.Errorf("could not run helm repo update: %w", err))
+	}
+
+	// Write values file
+	tempDir, err := os.MkdirTemp("", "holos")
+	if err != nil {
+		return wrapper.Wrap(fmt.Errorf("could not make temp dir: %w", err))
+	}
+	defer remove(ctx, tempDir)
+
+	// Write values file
+	valuesPath := filepath.Join(tempDir, "values.yaml")
+	if err := os.WriteFile(valuesPath, []byte(hc.ValuesContent), 0644); err != nil {
+		return wrapper.Wrap(fmt.Errorf("could not write values: %w", err))
+	}
+	log.DebugContext(ctx, "wrote values", "path", valuesPath)
+
+	// TODO: Cache the chart
+
+	// Run charts
+	chart := hc.Chart
+	chartPath := fmt.Sprintf("%s/%s", chart.Repository.Name, chart.Name)
+	helmOut, err := runCmd(ctx, "helm", "template", "--values", valuesPath, "--namespace", hc.Namespace, "--kubeconfig", "/dev/null", "--version", chart.Version, chart.Name, chartPath)
+	if err != nil {
+		return wrapper.Wrap(fmt.Errorf("could not run helm template: %w", err))
+	}
+
+	r.Content = helmOut.stdout.String()
+
+	return nil
+}
+
+// remove cleans up path, useful for temporary directories.
+func remove(ctx context.Context, path string) {
+	log := logger.FromContext(ctx)
+	if err := os.RemoveAll(path); err != nil {
+		log.WarnContext(ctx, "could not remove", "err", err, "path", path)
+	} else {
+		log.DebugContext(ctx, "removed", "path", path)
+	}
+}

pkg/logger/logger.go

@@ -5,9 +5,9 @@ import (
 	"context"
 	"flag"
 	"fmt"
+	"github.com/holos-run/holos/pkg/tint"
 	"github.com/holos-run/holos/pkg/version"
 	"github.com/holos-run/holos/pkg/wrapper"
-	"github.com/lmittmann/tint"
 	"github.com/mattn/go-isatty"
 	"io"
 	"log/slog"

pkg/tint/buffer.go

@@ -0,0 +1,46 @@
+package tint
+
+import "sync"
+
+type buffer []byte
+
+var bufPool = sync.Pool{
+	New: func() any {
+		b := make(buffer, 0, 1024)
+		return (*buffer)(&b)
+	},
+}
+
+func newBuffer() *buffer {
+	return bufPool.Get().(*buffer)
+}
+
+func (b *buffer) Free() {
+	// To reduce peak allocation, return only smaller buffers to the pool.
+	const maxBufferSize = 16 << 10
+	if cap(*b) <= maxBufferSize {
+		*b = (*b)[:0]
+		bufPool.Put(b)
+	}
+}
+func (b *buffer) Write(bytes []byte) (int, error) {
+	*b = append(*b, bytes...)
+	return len(bytes), nil
+}
+
+func (b *buffer) WriteByte(char byte) error {
+	*b = append(*b, char)
+	return nil
+}
+
+func (b *buffer) WriteString(str string) (int, error) {
+	*b = append(*b, str...)
+	return len(str), nil
+}
+
+func (b *buffer) WriteStringIf(ok bool, str string) (int, error) {
+	if !ok {
+		return 0, nil
+	}
+	return b.WriteString(str)
+}

pkg/tint/doc.go

@@ -0,0 +1,2 @@
+// Package tint copied from https://github.com/lmittmann/tint/tree/v1.0.4 to adjust the colors
+package tint

pkg/tint/handler.go

@@ -0,0 +1,452 @@
+/*
+Package tint implements a zero-dependency [slog.Handler] that writes tinted
+(colorized) logs. The output format is inspired by the [zerolog.ConsoleWriter]
+and [slog.TextHandler].
+
+The output format can be customized using [Options], which is a drop-in
+replacement for [slog.HandlerOptions].
+
+# Customize Attributes
+
+Options.ReplaceAttr can be used to alter or drop attributes. If set, it is
+called on each non-group attribute before it is logged.
+See [slog.HandlerOptions] for details.
+
+	w := os.Stderr
+	logger := slog.New(
+		tint.NewHandler(w, &tint.Options{
+			ReplaceAttr: func(groups []string, a slog.Attr) slog.Attr {
+				if a.Key == slog.TimeKey && len(groups) == 0 {
+					return slog.Attr{}
+				}
+				return a
+			},
+		}),
+	)
+
+# Automatically Enable Colors
+
+Colors are enabled by default and can be disabled using the Options.NoColor
+attribute. To automatically enable colors based on the terminal capabilities,
+use e.g. the [go-isatty] package.
+
+	w := os.Stderr
+	logger := slog.New(
+		tint.NewHandler(w, &tint.Options{
+			NoColor: !isatty.IsTerminal(w.Fd()),
+		}),
+	)
+
+# Windows Support
+
+Color support on Windows can be added by using e.g. the [go-colorable] package.
+
+	w := os.Stderr
+	logger := slog.New(
+		tint.NewHandler(colorable.NewColorable(w), nil),
+	)
+
+[zerolog.ConsoleWriter]: https://pkg.go.dev/github.com/rs/zerolog#ConsoleWriter
+[go-isatty]: https://pkg.go.dev/github.com/mattn/go-isatty
+[go-colorable]: https://pkg.go.dev/github.com/mattn/go-colorable
+*/
+package tint
+
+import (
+	"context"
+	"encoding"
+	"fmt"
+	"io"
+	"log/slog"
+	"path/filepath"
+	"runtime"
+	"strconv"
+	"sync"
+	"time"
+	"unicode"
+)
+
+// ANSI modes
+const (
+	ansiReset          = "\033[0m"
+	ansiFaint          = "\033[2m"
+	ansiResetFaint     = "\033[22m"
+	ansiBrightRed      = "\033[91m"
+	ansiBrightGreen    = "\033[92m"
+	ansiBrightYellow   = "\033[93m"
+	ansiBrightRedFaint = "\033[91;2m"
+	// Following colors look good with solarized dark
+	ansiRed          = "\033[31m"
+	ansiGreen        = "\033[32m"
+	ansiYellow       = "\033[33m"
+	ansiBlue         = "\033[34m"
+	ansiMagenta      = "\033[35m"
+	ansiCyan         = "\033[36m"
+	ansiLightGray    = "\033[37m"
+	ansiLightRed     = "\033[91m"
+	ansiLightMagenta = "\033[95m"
+)
+
+const errKey = "err"
+
+var (
+	defaultLevel      = slog.LevelInfo
+	defaultTimeFormat = time.StampMilli
+)
+
+// Options for a slog.Handler that writes tinted logs. A zero Options consists
+// entirely of default values.
+//
+// Options can be used as a drop-in replacement for [slog.HandlerOptions].
+type Options struct {
+	// Enable source code location (Default: false)
+	AddSource bool
+
+	// Minimum level to log (Default: slog.LevelInfo)
+	Level slog.Leveler
+
+	// ReplaceAttr is called to rewrite each non-group attribute before it is logged.
+	// See https://pkg.go.dev/log/slog#HandlerOptions for details.
+	ReplaceAttr func(groups []string, attr slog.Attr) slog.Attr
+
+	// Time format (Default: time.StampMilli)
+	TimeFormat string
+
+	// Disable color (Default: false)
+	NoColor bool
+}
+
+// NewHandler creates a [slog.Handler] that writes tinted logs to Writer w,
+// using the default options. If opts is nil, the default options are used.
+func NewHandler(w io.Writer, opts *Options) slog.Handler {
+	h := &handler{
+		w:          w,
+		level:      defaultLevel,
+		timeFormat: defaultTimeFormat,
+	}
+	if opts == nil {
+		return h
+	}
+
+	h.addSource = opts.AddSource
+	if opts.Level != nil {
+		h.level = opts.Level
+	}
+	h.replaceAttr = opts.ReplaceAttr
+	if opts.TimeFormat != "" {
+		h.timeFormat = opts.TimeFormat
+	}
+	h.noColor = opts.NoColor
+	return h
+}
+
+// handler implements a [slog.Handler].
+type handler struct {
+	attrsPrefix string
+	groupPrefix string
+	groups      []string
+
+	mu sync.Mutex
+	w  io.Writer
+
+	addSource   bool
+	level       slog.Leveler
+	replaceAttr func([]string, slog.Attr) slog.Attr
+	timeFormat  string
+	noColor     bool
+}
+
+func (h *handler) clone() *handler {
+	return &handler{
+		attrsPrefix: h.attrsPrefix,
+		groupPrefix: h.groupPrefix,
+		groups:      h.groups,
+		w:           h.w,
+		addSource:   h.addSource,
+		level:       h.level,
+		replaceAttr: h.replaceAttr,
+		timeFormat:  h.timeFormat,
+		noColor:     h.noColor,
+	}
+}
+
+func (h *handler) Enabled(_ context.Context, level slog.Level) bool {
+	return level >= h.level.Level()
+}
+
+func (h *handler) Handle(_ context.Context, r slog.Record) error {
+	// get a buffer from the sync pool
+	buf := newBuffer()
+	defer buf.Free()
+
+	rep := h.replaceAttr
+
+	// write time
+	if !r.Time.IsZero() {
+		val := r.Time.Round(0) // strip monotonic to match Attr behavior
+		if rep == nil {
+			h.appendTime(buf, r.Time)
+			_ = buf.WriteByte(' ')
+		} else if a := rep(nil /* groups */, slog.Time(slog.TimeKey, val)); a.Key != "" {
+			if a.Value.Kind() == slog.KindTime {
+				h.appendTime(buf, a.Value.Time())
+			} else {
+				h.appendValue(buf, a.Value, false)
+			}
+			_ = buf.WriteByte(' ')
+		}
+	}
+
+	// write level
+	if rep == nil {
+		h.appendLevel(buf, r.Level)
+		_ = buf.WriteByte(' ')
+	} else if a := rep(nil /* groups */, slog.Any(slog.LevelKey, r.Level)); a.Key != "" {
+		h.appendValue(buf, a.Value, false)
+		_ = buf.WriteByte(' ')
+	}
+
+	// write source
+	if h.addSource {
+		fs := runtime.CallersFrames([]uintptr{r.PC})
+		f, _ := fs.Next()
+		if f.File != "" {
+			src := &slog.Source{
+				Function: f.Function,
+				File:     f.File,
+				Line:     f.Line,
+			}
+
+			if rep == nil {
+				h.appendSource(buf, src)
+				_ = buf.WriteByte(' ')
+			} else if a := rep(nil /* groups */, slog.Any(slog.SourceKey, src)); a.Key != "" {
+				h.appendValue(buf, a.Value, false)
+				_ = buf.WriteByte(' ')
+			}
+		}
+	}
+
+	// write message
+	if rep == nil {
+		_, _ = buf.WriteStringIf(!h.noColor, ansiLightGray)
+		_, _ = buf.WriteString(r.Message)
+		_, _ = buf.WriteStringIf(!h.noColor, ansiReset)
+		_ = buf.WriteByte(' ')
+	} else if a := rep(nil /* groups */, slog.String(slog.MessageKey, r.Message)); a.Key != "" {
+		_, _ = buf.WriteStringIf(!h.noColor, ansiLightGray)
+		h.appendValue(buf, a.Value, false)
+		_, _ = buf.WriteStringIf(!h.noColor, ansiReset)
+		_ = buf.WriteByte(' ')
+	}
+
+	// write handler attributes
+	if len(h.attrsPrefix) > 0 {
+		_, _ = buf.WriteString(h.attrsPrefix)
+	}
+
+	// write attributes
+	r.Attrs(func(attr slog.Attr) bool {
+		h.appendAttr(buf, attr, h.groupPrefix, h.groups)
+		return true
+	})
+
+	if len(*buf) == 0 {
+		return nil
+	}
+	(*buf)[len(*buf)-1] = '\n' // replace last space with newline
+
+	h.mu.Lock()
+	defer h.mu.Unlock()
+
+	_, err := h.w.Write(*buf)
+	return err
+}
+
+func (h *handler) WithAttrs(attrs []slog.Attr) slog.Handler {
+	if len(attrs) == 0 {
+		return h
+	}
+	h2 := h.clone()
+
+	buf := newBuffer()
+	defer buf.Free()
+
+	// write attributes to buffer
+	for _, attr := range attrs {
+		h.appendAttr(buf, attr, h.groupPrefix, h.groups)
+	}
+	h2.attrsPrefix = h.attrsPrefix + string(*buf)
+	return h2
+}
+
+func (h *handler) WithGroup(name string) slog.Handler {
+	if name == "" {
+		return h
+	}
+	h2 := h.clone()
+	h2.groupPrefix += name + "."
+	h2.groups = append(h2.groups, name)
+	return h2
+}
+
+func (h *handler) appendTime(buf *buffer, t time.Time) {
+	_, _ = buf.WriteStringIf(!h.noColor, ansiFaint)
+	*buf = t.AppendFormat(*buf, h.timeFormat)
+	_, _ = buf.WriteStringIf(!h.noColor, ansiReset)
+}
+
+func (h *handler) appendLevel(buf *buffer, level slog.Level) {
+	switch {
+	case level < slog.LevelInfo:
+		_, _ = buf.WriteString("DBG")
+		appendLevelDelta(buf, level-slog.LevelDebug)
+	case level < slog.LevelWarn:
+		_, _ = buf.WriteStringIf(!h.noColor, ansiBlue)
+		_, _ = buf.WriteString("INF")
+		appendLevelDelta(buf, level-slog.LevelInfo)
+		_, _ = buf.WriteStringIf(!h.noColor, ansiReset)
+	case level < slog.LevelError:
+		_, _ = buf.WriteStringIf(!h.noColor, ansiYellow)
+		_, _ = buf.WriteString("WRN")
+		appendLevelDelta(buf, level-slog.LevelWarn)
+		_, _ = buf.WriteStringIf(!h.noColor, ansiReset)
+	default:
+		_, _ = buf.WriteStringIf(!h.noColor, ansiRed)
+		_, _ = buf.WriteString("ERR")
+		appendLevelDelta(buf, level-slog.LevelError)
+		_, _ = buf.WriteStringIf(!h.noColor, ansiReset)
+	}
+}
+
+func appendLevelDelta(buf *buffer, delta slog.Level) {
+	if delta == 0 {
+		return
+	} else if delta > 0 {
+		_ = buf.WriteByte('+')
+	}
+	*buf = strconv.AppendInt(*buf, int64(delta), 10)
+}
+
+func (h *handler) appendSource(buf *buffer, src *slog.Source) {
+	dir, file := filepath.Split(src.File)
+
+	_, _ = buf.WriteStringIf(!h.noColor, ansiLightMagenta)
+	_, _ = buf.WriteString(filepath.Join(filepath.Base(dir), file))
+	_ = buf.WriteByte(':')
+	_, _ = buf.WriteString(strconv.Itoa(src.Line))
+	_, _ = buf.WriteStringIf(!h.noColor, ansiReset)
+}
+
+func (h *handler) appendAttr(buf *buffer, attr slog.Attr, groupsPrefix string, groups []string) {
+	attr.Value = attr.Value.Resolve()
+	if rep := h.replaceAttr; rep != nil && attr.Value.Kind() != slog.KindGroup {
+		attr = rep(groups, attr)
+		attr.Value = attr.Value.Resolve()
+	}
+
+	if attr.Equal(slog.Attr{}) {
+		return
+	}
+
+	if attr.Value.Kind() == slog.KindGroup {
+		if attr.Key != "" {
+			groupsPrefix += attr.Key + "."
+			groups = append(groups, attr.Key)
+		}
+		for _, groupAttr := range attr.Value.Group() {
+			h.appendAttr(buf, groupAttr, groupsPrefix, groups)
+		}
+	} else if err, ok := attr.Value.Any().(tintError); ok {
+		// append tintError
+		h.appendTintError(buf, err, groupsPrefix)
+		_ = buf.WriteByte(' ')
+	} else {
+		h.appendKey(buf, attr.Key, groupsPrefix)
+		h.appendValue(buf, attr.Value, true)
+		_ = buf.WriteByte(' ')
+	}
+}
+
+func (h *handler) appendKey(buf *buffer, key, groups string) {
+	_, _ = buf.WriteStringIf(!h.noColor, ansiFaint)
+	appendString(buf, groups+key, true)
+	_ = buf.WriteByte('=')
+	_, _ = buf.WriteStringIf(!h.noColor, ansiReset)
+}
+
+func (h *handler) appendValue(buf *buffer, v slog.Value, quote bool) {
+	switch v.Kind() {
+	case slog.KindString:
+		appendString(buf, v.String(), quote)
+	case slog.KindInt64:
+		*buf = strconv.AppendInt(*buf, v.Int64(), 10)
+	case slog.KindUint64:
+		*buf = strconv.AppendUint(*buf, v.Uint64(), 10)
+	case slog.KindFloat64:
+		*buf = strconv.AppendFloat(*buf, v.Float64(), 'g', -1, 64)
+	case slog.KindBool:
+		*buf = strconv.AppendBool(*buf, v.Bool())
+	case slog.KindDuration:
+		appendString(buf, v.Duration().String(), quote)
+	case slog.KindTime:
+		appendString(buf, v.Time().String(), quote)
+	case slog.KindAny:
+		switch cv := v.Any().(type) {
+		case slog.Level:
+			h.appendLevel(buf, cv)
+		case encoding.TextMarshaler:
+			data, err := cv.MarshalText()
+			if err != nil {
+				break
+			}
+			appendString(buf, string(data), quote)
+		case *slog.Source:
+			h.appendSource(buf, cv)
+		default:
+			appendString(buf, fmt.Sprintf("%+v", v.Any()), quote)
+		}
+	}
+}
+
+func (h *handler) appendTintError(buf *buffer, err error, groupsPrefix string) {
+	_, _ = buf.WriteStringIf(!h.noColor, ansiLightRed)
+	appendString(buf, groupsPrefix+errKey, true)
+	_ = buf.WriteByte('=')
+	_, _ = buf.WriteStringIf(!h.noColor, ansiRed)
+	appendString(buf, err.Error(), true)
+	_, _ = buf.WriteStringIf(!h.noColor, ansiReset)
+}
+
+func appendString(buf *buffer, s string, quote bool) {
+	if quote && needsQuoting(s) {
+		*buf = strconv.AppendQuote(*buf, s)
+	} else {
+		_, _ = buf.WriteString(s)
+	}
+}
+
+func needsQuoting(s string) bool {
+	if len(s) == 0 {
+		return true
+	}
+	for _, r := range s {
+		if unicode.IsSpace(r) || r == '"' || r == '=' || !unicode.IsPrint(r) {
+			return true
+		}
+	}
+	return false
+}
+
+type tintError struct{ error }
+
+// Err returns a tinted (colorized) [slog.Attr] that will be written in red color
+// by the [tint.Handler]. When used with any other [slog.Handler], it behaves as
+//
+//	slog.Any("err", err)
+func Err(err error) slog.Attr {
+	if err != nil {
+		err = tintError{err}
+	}
+	return slog.Any(errKey, err)
+}

pkg/version/embedded/minor

@@ -1 +1 @@
-40
+41

pkg/version/embedded/patch

@@ -1 +1 @@
-2
+0