Render flux Kustomization along with api objects

This patch writes a Flux Kustomization to apply the api objects rendered
by a component instance.

    ❯ holos render --log-format=json --log-level=debug --cluster-name core2 ./docs/examples/platforms/reference/projects/secrets/components/namespaces/ 2> >(./scripts/msgs)
    config.go:91    finalized config from flags
    builder.go:129  cue export --out yaml -t cluster=core2 ./platforms/reference/projects/secrets/components/namespaces
    builder.go:134  configured cue tags: [cluster=core2]
    builder.go:94   wrote deploy/clusters/core2/components/prod-secrets-namespaces/prod-secrets-namespaces.gen.yaml
    builder.go:94   wrote deploy/clusters/core2/holos/components/prod-secrets-namespaces-kustomization.gen.yaml
    render.go:39    rendered prod-secrets-namespaces

```yaml
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: prod-secrets-namespaces
  namespace: flux-system
spec:
  interval: 30m0s
  path: deploy/clusters/core2/components/prod-secrets-namespaces
  prune: true
  retryInterval: 2m0s
  sourceRef:
    kind: GitRepository
    name: flux-system
  timeout: 3m0s
  wait: true
```

docs/examples/cue.mod/gen/helm.toolkit.fluxcd.io/helmrelease/v2beta1/types_gen.cue

@@ -0,0 +1,692 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v2beta1
+
+import "strings"
+
+// HelmRelease is the Schema for the helmreleases API
+#HelmRelease: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "helm.toolkit.fluxcd.io/v2beta1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "HelmRelease"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// HelmReleaseSpec defines the desired state of a Helm release.
+	spec!: #HelmReleaseSpec
+}
+
+// HelmReleaseSpec defines the desired state of a Helm release.
+#HelmReleaseSpec: {
+	// Chart defines the template of the v1beta2.HelmChart that should
+	// be created for this HelmRelease.
+	chart: {
+		// ObjectMeta holds the template for metadata like labels and
+		// annotations.
+		metadata?: {
+			// Annotations is an unstructured key value map stored with a
+			// resource that may be set by external tools to store and
+			// retrieve arbitrary metadata. They are not queryable and should
+			// be preserved when modifying objects. More info:
+			// https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+			annotations?: {
+				[string]: string
+			}
+
+			// Map of string keys and values that can be used to organize and
+			// categorize (scope and select) objects. More info:
+			// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+			labels?: {
+				[string]: string
+			}
+		}
+
+		// Spec holds the template for the v1beta2.HelmChartSpec for this
+		// HelmRelease.
+		spec: {
+			// The name or path the Helm chart is available at in the
+			// SourceRef.
+			chart: string
+
+			// Interval at which to check the v1beta2.Source for updates.
+			// Defaults to 'HelmReleaseSpec.Interval'.
+			interval?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+
+			// Determines what enables the creation of a new artifact. Valid
+			// values are ('ChartVersion', 'Revision'). See the documentation
+			// of the values for an explanation on their behavior. Defaults
+			// to ChartVersion when omitted.
+			reconcileStrategy?: "ChartVersion" | "Revision" | *"ChartVersion"
+
+			// The name and namespace of the v1beta2.Source the chart is
+			// available at.
+			sourceRef: {
+				// APIVersion of the referent.
+				apiVersion?: string
+
+				// Kind of the referent.
+				kind?: "HelmRepository" | "GitRepository" | "Bucket"
+
+				// Name of the referent.
+				name: strings.MaxRunes(253) & strings.MinRunes(1)
+
+				// Namespace of the referent.
+				namespace?: strings.MaxRunes(63) & strings.MinRunes(1)
+			}
+
+			// Alternative values file to use as the default chart values,
+			// expected to be a relative path in the SourceRef. Deprecated in
+			// favor of ValuesFiles, for backwards compatibility the file
+			// defined here is merged before the ValuesFiles items. Ignored
+			// when omitted.
+			valuesFile?: string
+
+			// Alternative list of values files to use as the chart values
+			// (values.yaml is not included by default), expected to be a
+			// relative path in the SourceRef. Values files are merged in the
+			// order of this list with the last file overriding the first.
+			// Ignored when omitted.
+			valuesFiles?: [...string]
+
+			// Verify contains the secret name containing the trusted public
+			// keys used to verify the signature and specifies which provider
+			// to use to check whether OCI image is authentic. This field is
+			// only supported for OCI sources. Chart dependencies, which are
+			// not bundled in the umbrella chart artifact, are not verified.
+			verify?: {
+				// Provider specifies the technology used to sign the OCI Helm
+				// chart.
+				provider: "cosign" | *"cosign"
+				secretRef?: {
+					// Name of the referent.
+					name: string
+				}
+			}
+
+			// Version semver expression, ignored for charts from
+			// v1beta2.GitRepository and v1beta2.Bucket sources. Defaults to
+			// latest when omitted.
+			version?: string | *"*"
+		}
+	}
+
+	// DependsOn may contain a meta.NamespacedObjectReference slice
+	// with references to HelmRelease resources that must be ready
+	// before this HelmRelease can be reconciled.
+	dependsOn?: [...{
+		// Name of the referent.
+		name: string
+
+		// Namespace of the referent, when not specified it acts as
+		// LocalObjectReference.
+		namespace?: string
+	}]
+
+	// DriftDetection holds the configuration for detecting and
+	// handling differences between the manifest in the Helm storage
+	// and the resources currently existing in the cluster.
+	// Note: this field is provisional to the v2beta2 API, and not
+	// actively used by v2beta1 HelmReleases.
+	driftDetection?: {
+		// Ignore contains a list of rules for specifying which changes to
+		// ignore during diffing.
+		ignore?: [...{
+			// Paths is a list of JSON Pointer (RFC 6901) paths to be excluded
+			// from consideration in a Kubernetes object.
+			paths: [...string]
+
+			// Target is a selector for specifying Kubernetes objects to which
+			// this rule applies. If Target is not set, the Paths will be
+			// ignored for all Kubernetes objects within the manifest of the
+			// Helm release.
+			target?: {
+				// AnnotationSelector is a string that follows the label selection
+				// expression
+				// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+				// It matches with the resource annotations.
+				annotationSelector?: string
+
+				// Group is the API group to select resources from. Together with
+				// Version and Kind it is capable of unambiguously identifying
+				// and/or selecting resources.
+				// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+				group?: string
+
+				// Kind of the API Group to select resources from. Together with
+				// Group and Version it is capable of unambiguously identifying
+				// and/or selecting resources.
+				// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+				kind?: string
+
+				// LabelSelector is a string that follows the label selection
+				// expression
+				// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+				// It matches with the resource labels.
+				labelSelector?: string
+
+				// Name to match resources with.
+				name?: string
+
+				// Namespace to select resources from.
+				namespace?: string
+
+				// Version of the API Group to select resources from. Together
+				// with Group and Kind it is capable of unambiguously identifying
+				// and/or selecting resources.
+				// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+				version?: string
+			}
+		}]
+
+		// Mode defines how differences should be handled between the Helm
+		// manifest and the manifest currently applied to the cluster. If
+		// not explicitly set, it defaults to DiffModeDisabled.
+		mode?: "enabled" | "warn" | "disabled"
+	}
+
+	// Install holds the configuration for Helm install actions for
+	// this HelmRelease.
+	install?: {
+		// CRDs upgrade CRDs from the Helm Chart's crds directory
+		// according to the CRD upgrade policy provided here. Valid
+		// values are `Skip`, `Create` or `CreateReplace`. Default is
+		// `Create` and if omitted CRDs are installed but not updated.
+		// Skip: do neither install nor replace (update) any CRDs.
+		// Create: new CRDs are created, existing CRDs are neither updated
+		// nor deleted.
+		// CreateReplace: new CRDs are created, existing CRDs are updated
+		// (replaced) but not deleted.
+		// By default, CRDs are applied (installed) during Helm install
+		// action. With this option users can opt-in to CRD replace
+		// existing CRDs on Helm install actions, which is not (yet)
+		// natively supported by Helm.
+		// https://helm.sh/docs/chart_best_practices/custom_resource_definitions.
+		crds?: "Skip" | "Create" | "CreateReplace"
+
+		// CreateNamespace tells the Helm install action to create the
+		// HelmReleaseSpec.TargetNamespace if it does not exist yet. On
+		// uninstall, the namespace will not be garbage collected.
+		createNamespace?: bool
+
+		// DisableHooks prevents hooks from running during the Helm
+		// install action.
+		disableHooks?: bool
+
+		// DisableOpenAPIValidation prevents the Helm install action from
+		// validating rendered templates against the Kubernetes OpenAPI
+		// Schema.
+		disableOpenAPIValidation?: bool
+
+		// DisableWait disables the waiting for resources to be ready
+		// after a Helm install has been performed.
+		disableWait?: bool
+
+		// DisableWaitForJobs disables waiting for jobs to complete after
+		// a Helm install has been performed.
+		disableWaitForJobs?: bool
+
+		// Remediation holds the remediation configuration for when the
+		// Helm install action for the HelmRelease fails. The default is
+		// to not perform any action.
+		remediation?: {
+			// IgnoreTestFailures tells the controller to skip remediation
+			// when the Helm tests are run after an install action but fail.
+			// Defaults to 'Test.IgnoreFailures'.
+			ignoreTestFailures?: bool
+
+			// RemediateLastFailure tells the controller to remediate the last
+			// failure, when no retries remain. Defaults to 'false'.
+			remediateLastFailure?: bool
+
+			// Retries is the number of retries that should be attempted on
+			// failures before bailing. Remediation, using an uninstall, is
+			// performed between each attempt. Defaults to '0', a negative
+			// integer equals to unlimited retries.
+			retries?: int
+		}
+
+		// Replace tells the Helm install action to re-use the
+		// 'ReleaseName', but only if that name is a deleted release
+		// which remains in the history.
+		replace?: bool
+
+		// SkipCRDs tells the Helm install action to not install any CRDs.
+		// By default, CRDs are installed if not already present.
+		// Deprecated use CRD policy (`crds`) attribute with value `Skip`
+		// instead.
+		skipCRDs?: bool
+
+		// Timeout is the time to wait for any individual Kubernetes
+		// operation (like Jobs for hooks) during the performance of a
+		// Helm install action. Defaults to 'HelmReleaseSpec.Timeout'.
+		timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	}
+
+	// Interval at which to reconcile the Helm release. This interval
+	// is approximate and may be subject to jitter to ensure
+	// efficient use of resources.
+	interval: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	kubeConfig?: {
+		// SecretRef holds the name of a secret that contains a key with
+		// the kubeconfig file as the value. If no key is set, the key
+		// will default to 'value'. It is recommended that the kubeconfig
+		// is self-contained, and the secret is regularly updated if
+		// credentials such as a cloud-access-token expire. Cloud
+		// specific `cmd-path` auth helpers will not function without
+		// adding binaries and credentials to the Pod that is responsible
+		// for reconciling Kubernetes resources.
+		secretRef: {
+			// Key in the Secret, when not specified an
+			// implementation-specific default key is used.
+			key?: string
+
+			// Name of the Secret.
+			name: string
+		}
+	}
+
+	// MaxHistory is the number of revisions saved by Helm for this
+	// HelmRelease. Use '0' for an unlimited number of revisions;
+	// defaults to '10'.
+	maxHistory?: int
+
+	// PersistentClient tells the controller to use a persistent
+	// Kubernetes client for this release. When enabled, the client
+	// will be reused for the duration of the reconciliation, instead
+	// of being created and destroyed for each (step of a) Helm
+	// action.
+	// This can improve performance, but may cause issues with some
+	// Helm charts that for example do create Custom Resource
+	// Definitions during installation outside Helm's CRD lifecycle
+	// hooks, which are then not observed to be available by e.g.
+	// post-install hooks.
+	// If not set, it defaults to true.
+	persistentClient?: bool
+
+	// PostRenderers holds an array of Helm PostRenderers, which will
+	// be applied in order of their definition.
+	postRenderers?: [...{
+		// Kustomization to apply as PostRenderer.
+		kustomize?: {
+			// Images is a list of (image name, new name, new tag or digest)
+			// for changing image names, tags or digests. This can also be
+			// achieved with a patch, but this operator is simpler to
+			// specify.
+			images?: [...{
+				// Digest is the value used to replace the original image tag. If
+				// digest is present NewTag value is ignored.
+				digest?: string
+
+				// Name is a tag-less image name.
+				name: string
+
+				// NewName is the value used to replace the original name.
+				newName?: string
+
+				// NewTag is the value used to replace the original tag.
+				newTag?: string
+			}]
+
+			// Strategic merge and JSON patches, defined as inline YAML
+			// objects, capable of targeting objects based on kind, label and
+			// annotation selectors.
+			patches?: [...{
+				// Patch contains an inline StrategicMerge patch or an inline
+				// JSON6902 patch with an array of operation objects.
+				patch: string
+
+				// Target points to the resources that the patch document should
+				// be applied to.
+				target?: {
+					// AnnotationSelector is a string that follows the label selection
+					// expression
+					// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+					// It matches with the resource annotations.
+					annotationSelector?: string
+
+					// Group is the API group to select resources from. Together with
+					// Version and Kind it is capable of unambiguously identifying
+					// and/or selecting resources.
+					// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+					group?: string
+
+					// Kind of the API Group to select resources from. Together with
+					// Group and Version it is capable of unambiguously identifying
+					// and/or selecting resources.
+					// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+					kind?: string
+
+					// LabelSelector is a string that follows the label selection
+					// expression
+					// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+					// It matches with the resource labels.
+					labelSelector?: string
+
+					// Name to match resources with.
+					name?: string
+
+					// Namespace to select resources from.
+					namespace?: string
+
+					// Version of the API Group to select resources from. Together
+					// with Group and Kind it is capable of unambiguously identifying
+					// and/or selecting resources.
+					// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+					version?: string
+				}
+			}]
+
+			// JSON 6902 patches, defined as inline YAML objects.
+			patchesJson6902?: [...{
+				// Patch contains the JSON6902 patch document with an array of
+				// operation objects.
+				patch: [...{
+					// From contains a JSON-pointer value that references a location
+					// within the target document where the operation is performed.
+					// The meaning of the value depends on the value of Op, and is
+					// NOT taken into account by all operations.
+					from?: string
+
+					// Op indicates the operation to perform. Its value MUST be one of
+					// "add", "remove", "replace", "move", "copy", or "test".
+					// https://datatracker.ietf.org/doc/html/rfc6902#section-4
+					op: "test" | "remove" | "add" | "replace" | "move" | "copy"
+
+					// Path contains the JSON-pointer value that references a location
+					// within the target document where the operation is performed.
+					// The meaning of the value depends on the value of Op.
+					path: string
+
+					// Value contains a valid JSON structure. The meaning of the value
+					// depends on the value of Op, and is NOT taken into account by
+					// all operations.
+					value?: _
+				}]
+
+				// Target points to the resources that the patch document should
+				// be applied to.
+				target: {
+					// AnnotationSelector is a string that follows the label selection
+					// expression
+					// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+					// It matches with the resource annotations.
+					annotationSelector?: string
+
+					// Group is the API group to select resources from. Together with
+					// Version and Kind it is capable of unambiguously identifying
+					// and/or selecting resources.
+					// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+					group?: string
+
+					// Kind of the API Group to select resources from. Together with
+					// Group and Version it is capable of unambiguously identifying
+					// and/or selecting resources.
+					// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+					kind?: string
+
+					// LabelSelector is a string that follows the label selection
+					// expression
+					// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+					// It matches with the resource labels.
+					labelSelector?: string
+
+					// Name to match resources with.
+					name?: string
+
+					// Namespace to select resources from.
+					namespace?: string
+
+					// Version of the API Group to select resources from. Together
+					// with Group and Kind it is capable of unambiguously identifying
+					// and/or selecting resources.
+					// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+					version?: string
+				}
+			}]
+
+			// Strategic merge patches, defined as inline YAML objects.
+			patchesStrategicMerge?: [...]
+		}
+	}]
+
+	// ReleaseName used for the Helm release. Defaults to a
+	// composition of '[TargetNamespace-]Name'.
+	releaseName?: strings.MaxRunes(53) & strings.MinRunes(1)
+
+	// Rollback holds the configuration for Helm rollback actions for
+	// this HelmRelease.
+	rollback?: {
+		// CleanupOnFail allows deletion of new resources created during
+		// the Helm rollback action when it fails.
+		cleanupOnFail?: bool
+
+		// DisableHooks prevents hooks from running during the Helm
+		// rollback action.
+		disableHooks?: bool
+
+		// DisableWait disables the waiting for resources to be ready
+		// after a Helm rollback has been performed.
+		disableWait?: bool
+
+		// DisableWaitForJobs disables waiting for jobs to complete after
+		// a Helm rollback has been performed.
+		disableWaitForJobs?: bool
+
+		// Force forces resource updates through a replacement strategy.
+		force?: bool
+
+		// Recreate performs pod restarts for the resource if applicable.
+		recreate?: bool
+
+		// Timeout is the time to wait for any individual Kubernetes
+		// operation (like Jobs for hooks) during the performance of a
+		// Helm rollback action. Defaults to 'HelmReleaseSpec.Timeout'.
+		timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	}
+
+	// The name of the Kubernetes service account to impersonate when
+	// reconciling this HelmRelease.
+	serviceAccountName?: string
+
+	// StorageNamespace used for the Helm storage. Defaults to the
+	// namespace of the HelmRelease.
+	storageNamespace?: strings.MaxRunes(63) & strings.MinRunes(1)
+
+	// Suspend tells the controller to suspend reconciliation for this
+	// HelmRelease, it does not apply to already started
+	// reconciliations. Defaults to false.
+	suspend?: bool
+
+	// TargetNamespace to target when performing operations for the
+	// HelmRelease. Defaults to the namespace of the HelmRelease.
+	targetNamespace?: strings.MaxRunes(63) & strings.MinRunes(1)
+
+	// Test holds the configuration for Helm test actions for this
+	// HelmRelease.
+	test?: {
+		// Enable enables Helm test actions for this HelmRelease after an
+		// Helm install or upgrade action has been performed.
+		enable?: bool
+
+		// IgnoreFailures tells the controller to skip remediation when
+		// the Helm tests are run but fail. Can be overwritten for tests
+		// run after install or upgrade actions in
+		// 'Install.IgnoreTestFailures' and 'Upgrade.IgnoreTestFailures'.
+		ignoreFailures?: bool
+
+		// Timeout is the time to wait for any individual Kubernetes
+		// operation during the performance of a Helm test action.
+		// Defaults to 'HelmReleaseSpec.Timeout'.
+		timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	}
+
+	// Timeout is the time to wait for any individual Kubernetes
+	// operation (like Jobs for hooks) during the performance of a
+	// Helm action. Defaults to '5m0s'.
+	timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+
+	// Uninstall holds the configuration for Helm uninstall actions
+	// for this HelmRelease.
+	uninstall?: {
+		// DeletionPropagation specifies the deletion propagation policy
+		// when a Helm uninstall is performed.
+		deletionPropagation?: "background" | "foreground" | "orphan" | *"background"
+
+		// DisableHooks prevents hooks from running during the Helm
+		// rollback action.
+		disableHooks?: bool
+
+		// DisableWait disables waiting for all the resources to be
+		// deleted after a Helm uninstall is performed.
+		disableWait?: bool
+
+		// KeepHistory tells Helm to remove all associated resources and
+		// mark the release as deleted, but retain the release history.
+		keepHistory?: bool
+
+		// Timeout is the time to wait for any individual Kubernetes
+		// operation (like Jobs for hooks) during the performance of a
+		// Helm uninstall action. Defaults to 'HelmReleaseSpec.Timeout'.
+		timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	}
+
+	// Upgrade holds the configuration for Helm upgrade actions for
+	// this HelmRelease.
+	upgrade?: {
+		// CleanupOnFail allows deletion of new resources created during
+		// the Helm upgrade action when it fails.
+		cleanupOnFail?: bool
+
+		// CRDs upgrade CRDs from the Helm Chart's crds directory
+		// according to the CRD upgrade policy provided here. Valid
+		// values are `Skip`, `Create` or `CreateReplace`. Default is
+		// `Skip` and if omitted CRDs are neither installed nor upgraded.
+		// Skip: do neither install nor replace (update) any CRDs.
+		// Create: new CRDs are created, existing CRDs are neither updated
+		// nor deleted.
+		// CreateReplace: new CRDs are created, existing CRDs are updated
+		// (replaced) but not deleted.
+		// By default, CRDs are not applied during Helm upgrade action.
+		// With this option users can opt-in to CRD upgrade, which is not
+		// (yet) natively supported by Helm.
+		// https://helm.sh/docs/chart_best_practices/custom_resource_definitions.
+		crds?: "Skip" | "Create" | "CreateReplace"
+
+		// DisableHooks prevents hooks from running during the Helm
+		// upgrade action.
+		disableHooks?: bool
+
+		// DisableOpenAPIValidation prevents the Helm upgrade action from
+		// validating rendered templates against the Kubernetes OpenAPI
+		// Schema.
+		disableOpenAPIValidation?: bool
+
+		// DisableWait disables the waiting for resources to be ready
+		// after a Helm upgrade has been performed.
+		disableWait?: bool
+
+		// DisableWaitForJobs disables waiting for jobs to complete after
+		// a Helm upgrade has been performed.
+		disableWaitForJobs?: bool
+
+		// Force forces resource updates through a replacement strategy.
+		force?: bool
+
+		// PreserveValues will make Helm reuse the last release's values
+		// and merge in overrides from 'Values'. Setting this flag makes
+		// the HelmRelease non-declarative.
+		preserveValues?: bool
+
+		// Remediation holds the remediation configuration for when the
+		// Helm upgrade action for the HelmRelease fails. The default is
+		// to not perform any action.
+		remediation?: {
+			// IgnoreTestFailures tells the controller to skip remediation
+			// when the Helm tests are run after an upgrade action but fail.
+			// Defaults to 'Test.IgnoreFailures'.
+			ignoreTestFailures?: bool
+
+			// RemediateLastFailure tells the controller to remediate the last
+			// failure, when no retries remain. Defaults to 'false' unless
+			// 'Retries' is greater than 0.
+			remediateLastFailure?: bool
+
+			// Retries is the number of retries that should be attempted on
+			// failures before bailing. Remediation, using 'Strategy', is
+			// performed between each attempt. Defaults to '0', a negative
+			// integer equals to unlimited retries.
+			retries?: int
+
+			// Strategy to use for failure remediation. Defaults to
+			// 'rollback'.
+			strategy?: "rollback" | "uninstall"
+		}
+
+		// Timeout is the time to wait for any individual Kubernetes
+		// operation (like Jobs for hooks) during the performance of a
+		// Helm upgrade action. Defaults to 'HelmReleaseSpec.Timeout'.
+		timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	}
+
+	// Values holds the values for this Helm release.
+	values?: _
+
+	// ValuesFrom holds references to resources containing Helm values
+	// for this HelmRelease, and information about how they should be
+	// merged.
+	valuesFrom?: [...{
+		// Kind of the values referent, valid values are ('Secret',
+		// 'ConfigMap').
+		kind: "Secret" | "ConfigMap"
+
+		// Name of the values referent. Should reside in the same
+		// namespace as the referring resource.
+		name: strings.MaxRunes(253) & strings.MinRunes(1)
+
+		// Optional marks this ValuesReference as optional. When set, a
+		// not found error for the values reference is ignored, but any
+		// ValuesKey, TargetPath or transient error will still result in
+		// a reconciliation failure.
+		optional?: bool
+
+		// TargetPath is the YAML dot notation path the value should be
+		// merged at. When set, the ValuesKey is expected to be a single
+		// flat value. Defaults to 'None', which results in the values
+		// getting merged at the root.
+		targetPath?: strings.MaxRunes(250) & {
+			=~"^([a-zA-Z0-9_\\-.\\\\\\/]|\\[[0-9]{1,5}\\])+$"
+		}
+
+		// ValuesKey is the data key where the values.yaml or a specific
+		// value can be found at. Defaults to 'values.yaml'. When set,
+		// must be a valid Data Key, consisting of alphanumeric
+		// characters, '-', '_' or '.'.
+		valuesKey?: strings.MaxRunes(253) & {
+			=~"^[\\-._a-zA-Z0-9]+$"
+		}
+	}]
+}

docs/examples/cue.mod/gen/helm.toolkit.fluxcd.io/helmrelease/v2beta2/types_gen.cue

@@ -0,0 +1,697 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v2beta2
+
+import "strings"
+
+// HelmRelease is the Schema for the helmreleases API
+#HelmRelease: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "helm.toolkit.fluxcd.io/v2beta2"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "HelmRelease"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// HelmReleaseSpec defines the desired state of a Helm release.
+	spec!: #HelmReleaseSpec
+}
+
+// HelmReleaseSpec defines the desired state of a Helm release.
+#HelmReleaseSpec: {
+	// Chart defines the template of the v1beta2.HelmChart that should
+	// be created for this HelmRelease.
+	chart: {
+		// ObjectMeta holds the template for metadata like labels and
+		// annotations.
+		metadata?: {
+			// Annotations is an unstructured key value map stored with a
+			// resource that may be set by external tools to store and
+			// retrieve arbitrary metadata. They are not queryable and should
+			// be preserved when modifying objects. More info:
+			// https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+			annotations?: {
+				[string]: string
+			}
+
+			// Map of string keys and values that can be used to organize and
+			// categorize (scope and select) objects. More info:
+			// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+			labels?: {
+				[string]: string
+			}
+		}
+
+		// Spec holds the template for the v1beta2.HelmChartSpec for this
+		// HelmRelease.
+		spec: {
+			// The name or path the Helm chart is available at in the
+			// SourceRef.
+			chart: strings.MaxRunes(2048) & strings.MinRunes(1)
+
+			// Interval at which to check the v1.Source for updates. Defaults
+			// to 'HelmReleaseSpec.Interval'.
+			interval?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+
+			// Determines what enables the creation of a new artifact. Valid
+			// values are ('ChartVersion', 'Revision'). See the documentation
+			// of the values for an explanation on their behavior. Defaults
+			// to ChartVersion when omitted.
+			reconcileStrategy?: "ChartVersion" | "Revision" | *"ChartVersion"
+
+			// The name and namespace of the v1.Source the chart is available
+			// at.
+			sourceRef: {
+				// APIVersion of the referent.
+				apiVersion?: string
+
+				// Kind of the referent.
+				kind?: "HelmRepository" | "GitRepository" | "Bucket"
+
+				// Name of the referent.
+				name: strings.MaxRunes(253) & strings.MinRunes(1)
+
+				// Namespace of the referent.
+				namespace?: strings.MaxRunes(63) & strings.MinRunes(1)
+			}
+
+			// Alternative values file to use as the default chart values,
+			// expected to be a relative path in the SourceRef. Deprecated in
+			// favor of ValuesFiles, for backwards compatibility the file
+			// defined here is merged before the ValuesFiles items. Ignored
+			// when omitted.
+			valuesFile?: string
+
+			// Alternative list of values files to use as the chart values
+			// (values.yaml is not included by default), expected to be a
+			// relative path in the SourceRef. Values files are merged in the
+			// order of this list with the last file overriding the first.
+			// Ignored when omitted.
+			valuesFiles?: [...string]
+
+			// Verify contains the secret name containing the trusted public
+			// keys used to verify the signature and specifies which provider
+			// to use to check whether OCI image is authentic. This field is
+			// only supported for OCI sources. Chart dependencies, which are
+			// not bundled in the umbrella chart artifact, are not verified.
+			verify?: {
+				// Provider specifies the technology used to sign the OCI Helm
+				// chart.
+				provider: "cosign" | *"cosign"
+				secretRef?: {
+					// Name of the referent.
+					name: string
+				}
+			}
+
+			// Version semver expression, ignored for charts from
+			// v1beta2.GitRepository and v1beta2.Bucket sources. Defaults to
+			// latest when omitted.
+			version?: string | *"*"
+		}
+	}
+
+	// DependsOn may contain a meta.NamespacedObjectReference slice
+	// with references to HelmRelease resources that must be ready
+	// before this HelmRelease can be reconciled.
+	dependsOn?: [...{
+		// Name of the referent.
+		name: string
+
+		// Namespace of the referent, when not specified it acts as
+		// LocalObjectReference.
+		namespace?: string
+	}]
+
+	// DriftDetection holds the configuration for detecting and
+	// handling differences between the manifest in the Helm storage
+	// and the resources currently existing in the cluster.
+	driftDetection?: {
+		// Ignore contains a list of rules for specifying which changes to
+		// ignore during diffing.
+		ignore?: [...{
+			// Paths is a list of JSON Pointer (RFC 6901) paths to be excluded
+			// from consideration in a Kubernetes object.
+			paths: [...string]
+
+			// Target is a selector for specifying Kubernetes objects to which
+			// this rule applies. If Target is not set, the Paths will be
+			// ignored for all Kubernetes objects within the manifest of the
+			// Helm release.
+			target?: {
+				// AnnotationSelector is a string that follows the label selection
+				// expression
+				// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+				// It matches with the resource annotations.
+				annotationSelector?: string
+
+				// Group is the API group to select resources from. Together with
+				// Version and Kind it is capable of unambiguously identifying
+				// and/or selecting resources.
+				// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+				group?: string
+
+				// Kind of the API Group to select resources from. Together with
+				// Group and Version it is capable of unambiguously identifying
+				// and/or selecting resources.
+				// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+				kind?: string
+
+				// LabelSelector is a string that follows the label selection
+				// expression
+				// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+				// It matches with the resource labels.
+				labelSelector?: string
+
+				// Name to match resources with.
+				name?: string
+
+				// Namespace to select resources from.
+				namespace?: string
+
+				// Version of the API Group to select resources from. Together
+				// with Group and Kind it is capable of unambiguously identifying
+				// and/or selecting resources.
+				// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+				version?: string
+			}
+		}]
+
+		// Mode defines how differences should be handled between the Helm
+		// manifest and the manifest currently applied to the cluster. If
+		// not explicitly set, it defaults to DiffModeDisabled.
+		mode?: "enabled" | "warn" | "disabled"
+	}
+
+	// Install holds the configuration for Helm install actions for
+	// this HelmRelease.
+	install?: {
+		// CRDs upgrade CRDs from the Helm Chart's crds directory
+		// according to the CRD upgrade policy provided here. Valid
+		// values are `Skip`, `Create` or `CreateReplace`. Default is
+		// `Create` and if omitted CRDs are installed but not updated.
+		// Skip: do neither install nor replace (update) any CRDs.
+		// Create: new CRDs are created, existing CRDs are neither updated
+		// nor deleted.
+		// CreateReplace: new CRDs are created, existing CRDs are updated
+		// (replaced) but not deleted.
+		// By default, CRDs are applied (installed) during Helm install
+		// action. With this option users can opt in to CRD replace
+		// existing CRDs on Helm install actions, which is not (yet)
+		// natively supported by Helm.
+		// https://helm.sh/docs/chart_best_practices/custom_resource_definitions.
+		crds?: "Skip" | "Create" | "CreateReplace"
+
+		// CreateNamespace tells the Helm install action to create the
+		// HelmReleaseSpec.TargetNamespace if it does not exist yet. On
+		// uninstall, the namespace will not be garbage collected.
+		createNamespace?: bool
+
+		// DisableHooks prevents hooks from running during the Helm
+		// install action.
+		disableHooks?: bool
+
+		// DisableOpenAPIValidation prevents the Helm install action from
+		// validating rendered templates against the Kubernetes OpenAPI
+		// Schema.
+		disableOpenAPIValidation?: bool
+
+		// DisableWait disables the waiting for resources to be ready
+		// after a Helm install has been performed.
+		disableWait?: bool
+
+		// DisableWaitForJobs disables waiting for jobs to complete after
+		// a Helm install has been performed.
+		disableWaitForJobs?: bool
+
+		// Remediation holds the remediation configuration for when the
+		// Helm install action for the HelmRelease fails. The default is
+		// to not perform any action.
+		remediation?: {
+			// IgnoreTestFailures tells the controller to skip remediation
+			// when the Helm tests are run after an install action but fail.
+			// Defaults to 'Test.IgnoreFailures'.
+			ignoreTestFailures?: bool
+
+			// RemediateLastFailure tells the controller to remediate the last
+			// failure, when no retries remain. Defaults to 'false'.
+			remediateLastFailure?: bool
+
+			// Retries is the number of retries that should be attempted on
+			// failures before bailing. Remediation, using an uninstall, is
+			// performed between each attempt. Defaults to '0', a negative
+			// integer equals to unlimited retries.
+			retries?: int
+		}
+
+		// Replace tells the Helm install action to re-use the
+		// 'ReleaseName', but only if that name is a deleted release
+		// which remains in the history.
+		replace?: bool
+
+		// SkipCRDs tells the Helm install action to not install any CRDs.
+		// By default, CRDs are installed if not already present.
+		// Deprecated use CRD policy (`crds`) attribute with value `Skip`
+		// instead.
+		skipCRDs?: bool
+
+		// Timeout is the time to wait for any individual Kubernetes
+		// operation (like Jobs for hooks) during the performance of a
+		// Helm install action. Defaults to 'HelmReleaseSpec.Timeout'.
+		timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	}
+
+	// Interval at which to reconcile the Helm release.
+	interval: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	kubeConfig?: {
+		// SecretRef holds the name of a secret that contains a key with
+		// the kubeconfig file as the value. If no key is set, the key
+		// will default to 'value'. It is recommended that the kubeconfig
+		// is self-contained, and the secret is regularly updated if
+		// credentials such as a cloud-access-token expire. Cloud
+		// specific `cmd-path` auth helpers will not function without
+		// adding binaries and credentials to the Pod that is responsible
+		// for reconciling Kubernetes resources.
+		secretRef: {
+			// Key in the Secret, when not specified an
+			// implementation-specific default key is used.
+			key?: string
+
+			// Name of the Secret.
+			name: string
+		}
+	}
+
+	// MaxHistory is the number of revisions saved by Helm for this
+	// HelmRelease. Use '0' for an unlimited number of revisions;
+	// defaults to '5'.
+	maxHistory?: int
+
+	// PersistentClient tells the controller to use a persistent
+	// Kubernetes client for this release. When enabled, the client
+	// will be reused for the duration of the reconciliation, instead
+	// of being created and destroyed for each (step of a) Helm
+	// action.
+	// This can improve performance, but may cause issues with some
+	// Helm charts that for example do create Custom Resource
+	// Definitions during installation outside Helm's CRD lifecycle
+	// hooks, which are then not observed to be available by e.g.
+	// post-install hooks.
+	// If not set, it defaults to true.
+	persistentClient?: bool
+
+	// PostRenderers holds an array of Helm PostRenderers, which will
+	// be applied in order of their definition.
+	postRenderers?: [...{
+		// Kustomization to apply as PostRenderer.
+		kustomize?: {
+			// Images is a list of (image name, new name, new tag or digest)
+			// for changing image names, tags or digests. This can also be
+			// achieved with a patch, but this operator is simpler to
+			// specify.
+			images?: [...{
+				// Digest is the value used to replace the original image tag. If
+				// digest is present NewTag value is ignored.
+				digest?: string
+
+				// Name is a tag-less image name.
+				name: string
+
+				// NewName is the value used to replace the original name.
+				newName?: string
+
+				// NewTag is the value used to replace the original tag.
+				newTag?: string
+			}]
+
+			// Strategic merge and JSON patches, defined as inline YAML
+			// objects, capable of targeting objects based on kind, label and
+			// annotation selectors.
+			patches?: [...{
+				// Patch contains an inline StrategicMerge patch or an inline
+				// JSON6902 patch with an array of operation objects.
+				patch: string
+
+				// Target points to the resources that the patch document should
+				// be applied to.
+				target?: {
+					// AnnotationSelector is a string that follows the label selection
+					// expression
+					// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+					// It matches with the resource annotations.
+					annotationSelector?: string
+
+					// Group is the API group to select resources from. Together with
+					// Version and Kind it is capable of unambiguously identifying
+					// and/or selecting resources.
+					// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+					group?: string
+
+					// Kind of the API Group to select resources from. Together with
+					// Group and Version it is capable of unambiguously identifying
+					// and/or selecting resources.
+					// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+					kind?: string
+
+					// LabelSelector is a string that follows the label selection
+					// expression
+					// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+					// It matches with the resource labels.
+					labelSelector?: string
+
+					// Name to match resources with.
+					name?: string
+
+					// Namespace to select resources from.
+					namespace?: string
+
+					// Version of the API Group to select resources from. Together
+					// with Group and Kind it is capable of unambiguously identifying
+					// and/or selecting resources.
+					// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+					version?: string
+				}
+			}]
+
+			// JSON 6902 patches, defined as inline YAML objects. Deprecated:
+			// use Patches instead.
+			patchesJson6902?: [...{
+				// Patch contains the JSON6902 patch document with an array of
+				// operation objects.
+				patch: [...{
+					// From contains a JSON-pointer value that references a location
+					// within the target document where the operation is performed.
+					// The meaning of the value depends on the value of Op, and is
+					// NOT taken into account by all operations.
+					from?: string
+
+					// Op indicates the operation to perform. Its value MUST be one of
+					// "add", "remove", "replace", "move", "copy", or "test".
+					// https://datatracker.ietf.org/doc/html/rfc6902#section-4
+					op: "test" | "remove" | "add" | "replace" | "move" | "copy"
+
+					// Path contains the JSON-pointer value that references a location
+					// within the target document where the operation is performed.
+					// The meaning of the value depends on the value of Op.
+					path: string
+
+					// Value contains a valid JSON structure. The meaning of the value
+					// depends on the value of Op, and is NOT taken into account by
+					// all operations.
+					value?: _
+				}]
+
+				// Target points to the resources that the patch document should
+				// be applied to.
+				target: {
+					// AnnotationSelector is a string that follows the label selection
+					// expression
+					// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+					// It matches with the resource annotations.
+					annotationSelector?: string
+
+					// Group is the API group to select resources from. Together with
+					// Version and Kind it is capable of unambiguously identifying
+					// and/or selecting resources.
+					// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+					group?: string
+
+					// Kind of the API Group to select resources from. Together with
+					// Group and Version it is capable of unambiguously identifying
+					// and/or selecting resources.
+					// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+					kind?: string
+
+					// LabelSelector is a string that follows the label selection
+					// expression
+					// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+					// It matches with the resource labels.
+					labelSelector?: string
+
+					// Name to match resources with.
+					name?: string
+
+					// Namespace to select resources from.
+					namespace?: string
+
+					// Version of the API Group to select resources from. Together
+					// with Group and Kind it is capable of unambiguously identifying
+					// and/or selecting resources.
+					// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+					version?: string
+				}
+			}]
+
+			// Strategic merge patches, defined as inline YAML objects.
+			// Deprecated: use Patches instead.
+			patchesStrategicMerge?: [...]
+		}
+	}]
+
+	// ReleaseName used for the Helm release. Defaults to a
+	// composition of '[TargetNamespace-]Name'.
+	releaseName?: strings.MaxRunes(53) & strings.MinRunes(1)
+
+	// Rollback holds the configuration for Helm rollback actions for
+	// this HelmRelease.
+	rollback?: {
+		// CleanupOnFail allows deletion of new resources created during
+		// the Helm rollback action when it fails.
+		cleanupOnFail?: bool
+
+		// DisableHooks prevents hooks from running during the Helm
+		// rollback action.
+		disableHooks?: bool
+
+		// DisableWait disables the waiting for resources to be ready
+		// after a Helm rollback has been performed.
+		disableWait?: bool
+
+		// DisableWaitForJobs disables waiting for jobs to complete after
+		// a Helm rollback has been performed.
+		disableWaitForJobs?: bool
+
+		// Force forces resource updates through a replacement strategy.
+		force?: bool
+
+		// Recreate performs pod restarts for the resource if applicable.
+		recreate?: bool
+
+		// Timeout is the time to wait for any individual Kubernetes
+		// operation (like Jobs for hooks) during the performance of a
+		// Helm rollback action. Defaults to 'HelmReleaseSpec.Timeout'.
+		timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	}
+
+	// The name of the Kubernetes service account to impersonate when
+	// reconciling this HelmRelease.
+	serviceAccountName?: strings.MaxRunes(253) & strings.MinRunes(1)
+
+	// StorageNamespace used for the Helm storage. Defaults to the
+	// namespace of the HelmRelease.
+	storageNamespace?: strings.MaxRunes(63) & strings.MinRunes(1)
+
+	// Suspend tells the controller to suspend reconciliation for this
+	// HelmRelease, it does not apply to already started
+	// reconciliations. Defaults to false.
+	suspend?: bool
+
+	// TargetNamespace to target when performing operations for the
+	// HelmRelease. Defaults to the namespace of the HelmRelease.
+	targetNamespace?: strings.MaxRunes(63) & strings.MinRunes(1)
+
+	// Test holds the configuration for Helm test actions for this
+	// HelmRelease.
+	test?: {
+		// Enable enables Helm test actions for this HelmRelease after an
+		// Helm install or upgrade action has been performed.
+		enable?: bool
+
+		// Filters is a list of tests to run or exclude from running.
+		filters?: [...{
+			// Exclude specifies whether the named test should be excluded.
+			exclude?: bool
+
+			// Name is the name of the test.
+			name: strings.MaxRunes(253) & strings.MinRunes(1)
+		}]
+
+		// IgnoreFailures tells the controller to skip remediation when
+		// the Helm tests are run but fail. Can be overwritten for tests
+		// run after install or upgrade actions in
+		// 'Install.IgnoreTestFailures' and 'Upgrade.IgnoreTestFailures'.
+		ignoreFailures?: bool
+
+		// Timeout is the time to wait for any individual Kubernetes
+		// operation during the performance of a Helm test action.
+		// Defaults to 'HelmReleaseSpec.Timeout'.
+		timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	}
+
+	// Timeout is the time to wait for any individual Kubernetes
+	// operation (like Jobs for hooks) during the performance of a
+	// Helm action. Defaults to '5m0s'.
+	timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+
+	// Uninstall holds the configuration for Helm uninstall actions
+	// for this HelmRelease.
+	uninstall?: {
+		// DeletionPropagation specifies the deletion propagation policy
+		// when a Helm uninstall is performed.
+		deletionPropagation?: "background" | "foreground" | "orphan" | *"background"
+
+		// DisableHooks prevents hooks from running during the Helm
+		// rollback action.
+		disableHooks?: bool
+
+		// DisableWait disables waiting for all the resources to be
+		// deleted after a Helm uninstall is performed.
+		disableWait?: bool
+
+		// KeepHistory tells Helm to remove all associated resources and
+		// mark the release as deleted, but retain the release history.
+		keepHistory?: bool
+
+		// Timeout is the time to wait for any individual Kubernetes
+		// operation (like Jobs for hooks) during the performance of a
+		// Helm uninstall action. Defaults to 'HelmReleaseSpec.Timeout'.
+		timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	}
+
+	// Upgrade holds the configuration for Helm upgrade actions for
+	// this HelmRelease.
+	upgrade?: {
+		// CleanupOnFail allows deletion of new resources created during
+		// the Helm upgrade action when it fails.
+		cleanupOnFail?: bool
+
+		// CRDs upgrade CRDs from the Helm Chart's crds directory
+		// according to the CRD upgrade policy provided here. Valid
+		// values are `Skip`, `Create` or `CreateReplace`. Default is
+		// `Skip` and if omitted CRDs are neither installed nor upgraded.
+		// Skip: do neither install nor replace (update) any CRDs.
+		// Create: new CRDs are created, existing CRDs are neither updated
+		// nor deleted.
+		// CreateReplace: new CRDs are created, existing CRDs are updated
+		// (replaced) but not deleted.
+		// By default, CRDs are not applied during Helm upgrade action.
+		// With this option users can opt-in to CRD upgrade, which is not
+		// (yet) natively supported by Helm.
+		// https://helm.sh/docs/chart_best_practices/custom_resource_definitions.
+		crds?: "Skip" | "Create" | "CreateReplace"
+
+		// DisableHooks prevents hooks from running during the Helm
+		// upgrade action.
+		disableHooks?: bool
+
+		// DisableOpenAPIValidation prevents the Helm upgrade action from
+		// validating rendered templates against the Kubernetes OpenAPI
+		// Schema.
+		disableOpenAPIValidation?: bool
+
+		// DisableWait disables the waiting for resources to be ready
+		// after a Helm upgrade has been performed.
+		disableWait?: bool
+
+		// DisableWaitForJobs disables waiting for jobs to complete after
+		// a Helm upgrade has been performed.
+		disableWaitForJobs?: bool
+
+		// Force forces resource updates through a replacement strategy.
+		force?: bool
+
+		// PreserveValues will make Helm reuse the last release's values
+		// and merge in overrides from 'Values'. Setting this flag makes
+		// the HelmRelease non-declarative.
+		preserveValues?: bool
+
+		// Remediation holds the remediation configuration for when the
+		// Helm upgrade action for the HelmRelease fails. The default is
+		// to not perform any action.
+		remediation?: {
+			// IgnoreTestFailures tells the controller to skip remediation
+			// when the Helm tests are run after an upgrade action but fail.
+			// Defaults to 'Test.IgnoreFailures'.
+			ignoreTestFailures?: bool
+
+			// RemediateLastFailure tells the controller to remediate the last
+			// failure, when no retries remain. Defaults to 'false' unless
+			// 'Retries' is greater than 0.
+			remediateLastFailure?: bool
+
+			// Retries is the number of retries that should be attempted on
+			// failures before bailing. Remediation, using 'Strategy', is
+			// performed between each attempt. Defaults to '0', a negative
+			// integer equals to unlimited retries.
+			retries?: int
+
+			// Strategy to use for failure remediation. Defaults to
+			// 'rollback'.
+			strategy?: "rollback" | "uninstall"
+		}
+
+		// Timeout is the time to wait for any individual Kubernetes
+		// operation (like Jobs for hooks) during the performance of a
+		// Helm upgrade action. Defaults to 'HelmReleaseSpec.Timeout'.
+		timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	}
+
+	// Values holds the values for this Helm release.
+	values?: _
+
+	// ValuesFrom holds references to resources containing Helm values
+	// for this HelmRelease, and information about how they should be
+	// merged.
+	valuesFrom?: [...{
+		// Kind of the values referent, valid values are ('Secret',
+		// 'ConfigMap').
+		kind: "Secret" | "ConfigMap"
+
+		// Name of the values referent. Should reside in the same
+		// namespace as the referring resource.
+		name: strings.MaxRunes(253) & strings.MinRunes(1)
+
+		// Optional marks this ValuesReference as optional. When set, a
+		// not found error for the values reference is ignored, but any
+		// ValuesKey, TargetPath or transient error will still result in
+		// a reconciliation failure.
+		optional?: bool
+
+		// TargetPath is the YAML dot notation path the value should be
+		// merged at. When set, the ValuesKey is expected to be a single
+		// flat value. Defaults to 'None', which results in the values
+		// getting merged at the root.
+		targetPath?: strings.MaxRunes(250) & {
+			=~"^([a-zA-Z0-9_\\-.\\\\\\/]|\\[[0-9]{1,5}\\])+$"
+		}
+
+		// ValuesKey is the data key where the values.yaml or a specific
+		// value can be found at. Defaults to 'values.yaml'.
+		valuesKey?: strings.MaxRunes(253) & {
+			=~"^[\\-._a-zA-Z0-9]+$"
+		}
+	}]
+}

docs/examples/cue.mod/gen/image.toolkit.fluxcd.io/imagepolicy/v1beta1/types_gen.cue

@@ -0,0 +1,93 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta1
+
+import "strings"
+
+// ImagePolicy is the Schema for the imagepolicies API
+#ImagePolicy: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "image.toolkit.fluxcd.io/v1beta1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "ImagePolicy"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// ImagePolicySpec defines the parameters for calculating the
+	// ImagePolicy
+	spec!: #ImagePolicySpec
+}
+
+// ImagePolicySpec defines the parameters for calculating the
+// ImagePolicy
+#ImagePolicySpec: {
+	// FilterTags enables filtering for only a subset of tags based on
+	// a set of rules. If no rules are provided, all the tags from
+	// the repository will be ordered and compared.
+	filterTags?: {
+		// Extract allows a capture group to be extracted from the
+		// specified regular expression pattern, useful before tag
+		// evaluation.
+		extract?: string
+
+		// Pattern specifies a regular expression pattern used to filter
+		// for image tags.
+		pattern?: string
+	}
+
+	// ImageRepositoryRef points at the object specifying the image
+	// being scanned
+	imageRepositoryRef: {
+		// Name of the referent.
+		name: string
+
+		// Namespace of the referent, when not specified it acts as
+		// LocalObjectReference.
+		namespace?: string
+	}
+
+	// Policy gives the particulars of the policy to be followed in
+	// selecting the most recent image
+	policy: {
+		alphabetical?: {
+			// Order specifies the sorting order of the tags. Given the
+			// letters of the alphabet as tags, ascending order would select
+			// Z, and descending order would select A.
+			order?: "asc" | "desc" | *"asc"
+		}
+		numerical?: {
+			// Order specifies the sorting order of the tags. Given the
+			// integer values from 0 to 9 as tags, ascending order would
+			// select 9, and descending order would select 0.
+			order?: "asc" | "desc" | *"asc"
+		}
+		semver?: {
+			// Range gives a semver range for the image tag; the highest
+			// version within the range that's a tag yields the latest image.
+			range: string
+		}
+	}
+}

docs/examples/cue.mod/gen/image.toolkit.fluxcd.io/imagepolicy/v1beta2/types_gen.cue

@@ -0,0 +1,93 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta2
+
+import "strings"
+
+// ImagePolicy is the Schema for the imagepolicies API
+#ImagePolicy: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "image.toolkit.fluxcd.io/v1beta2"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "ImagePolicy"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// ImagePolicySpec defines the parameters for calculating the
+	// ImagePolicy.
+	spec!: #ImagePolicySpec
+}
+
+// ImagePolicySpec defines the parameters for calculating the
+// ImagePolicy.
+#ImagePolicySpec: {
+	// FilterTags enables filtering for only a subset of tags based on
+	// a set of rules. If no rules are provided, all the tags from
+	// the repository will be ordered and compared.
+	filterTags?: {
+		// Extract allows a capture group to be extracted from the
+		// specified regular expression pattern, useful before tag
+		// evaluation.
+		extract?: string
+
+		// Pattern specifies a regular expression pattern used to filter
+		// for image tags.
+		pattern?: string
+	}
+
+	// ImageRepositoryRef points at the object specifying the image
+	// being scanned
+	imageRepositoryRef: {
+		// Name of the referent.
+		name: string
+
+		// Namespace of the referent, when not specified it acts as
+		// LocalObjectReference.
+		namespace?: string
+	}
+
+	// Policy gives the particulars of the policy to be followed in
+	// selecting the most recent image
+	policy: {
+		alphabetical?: {
+			// Order specifies the sorting order of the tags. Given the
+			// letters of the alphabet as tags, ascending order would select
+			// Z, and descending order would select A.
+			order?: "asc" | "desc" | *"asc"
+		}
+		numerical?: {
+			// Order specifies the sorting order of the tags. Given the
+			// integer values from 0 to 9 as tags, ascending order would
+			// select 9, and descending order would select 0.
+			order?: "asc" | "desc" | *"asc"
+		}
+		semver?: {
+			// Range gives a semver range for the image tag; the highest
+			// version within the range that's a tag yields the latest image.
+			range: string
+		}
+	}
+}

docs/examples/cue.mod/gen/image.toolkit.fluxcd.io/imagerepository/v1beta1/types_gen.cue

@@ -0,0 +1,94 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta1
+
+import "strings"
+
+// ImageRepository is the Schema for the imagerepositories API
+#ImageRepository: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "image.toolkit.fluxcd.io/v1beta1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "ImageRepository"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// ImageRepositorySpec defines the parameters for scanning an
+	// image repository, e.g., `fluxcd/flux`.
+	spec!: #ImageRepositorySpec
+}
+
+// ImageRepositorySpec defines the parameters for scanning an
+// image repository, e.g., `fluxcd/flux`.
+#ImageRepositorySpec: {
+	accessFrom?: {
+		// NamespaceSelectors is the list of namespace selectors to which
+		// this ACL applies. Items in this list are evaluated using a
+		// logical OR operation.
+		namespaceSelectors: [...{
+			// MatchLabels is a map of {key,value} pairs. A single {key,value}
+			// in the matchLabels map is equivalent to an element of
+			// matchExpressions, whose key field is "key", the operator is
+			// "In", and the values array contains only "value". The
+			// requirements are ANDed.
+			matchLabels?: {
+				[string]: string
+			}
+		}]
+	}
+	certSecretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// ExclusionList is a list of regex strings used to exclude
+	// certain tags from being stored in the database.
+	exclusionList?: [...string]
+
+	// Image is the name of the image repository
+	image?: string
+
+	// Interval is the length of time to wait between scans of the
+	// image repository.
+	interval?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	secretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// ServiceAccountName is the name of the Kubernetes ServiceAccount
+	// used to authenticate the image pull if the service account has
+	// attached pull secrets.
+	serviceAccountName?: strings.MaxRunes(253)
+
+	// This flag tells the controller to suspend subsequent image
+	// scans. It does not apply to already started scans. Defaults to
+	// false.
+	suspend?: bool
+
+	// Timeout for image scanning. Defaults to 'Interval' duration.
+	timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m))+$"
+}

docs/examples/cue.mod/gen/image.toolkit.fluxcd.io/imagerepository/v1beta2/types_gen.cue

@@ -0,0 +1,105 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta2
+
+import (
+	"strings"
+	"list"
+)
+
+// ImageRepository is the Schema for the imagerepositories API
+#ImageRepository: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "image.toolkit.fluxcd.io/v1beta2"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "ImageRepository"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// ImageRepositorySpec defines the parameters for scanning an
+	// image repository, e.g., `fluxcd/flux`.
+	spec!: #ImageRepositorySpec
+}
+
+// ImageRepositorySpec defines the parameters for scanning an
+// image repository, e.g., `fluxcd/flux`.
+#ImageRepositorySpec: {
+	accessFrom?: {
+		// NamespaceSelectors is the list of namespace selectors to which
+		// this ACL applies. Items in this list are evaluated using a
+		// logical OR operation.
+		namespaceSelectors: [...{
+			// MatchLabels is a map of {key,value} pairs. A single {key,value}
+			// in the matchLabels map is equivalent to an element of
+			// matchExpressions, whose key field is "key", the operator is
+			// "In", and the values array contains only "value". The
+			// requirements are ANDed.
+			matchLabels?: {
+				[string]: string
+			}
+		}]
+	}
+	certSecretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// ExclusionList is a list of regex strings used to exclude
+	// certain tags from being stored in the database.
+	exclusionList?: list.MaxItems(25) & [...string] | *["^.*\\.sig$"]
+
+	// Image is the name of the image repository
+	image?: string
+
+	// Insecure allows connecting to a non-TLS HTTP container
+	// registry.
+	insecure?: bool
+
+	// Interval is the length of time to wait between scans of the
+	// image repository.
+	interval?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+
+	// The provider used for authentication, can be 'aws', 'azure',
+	// 'gcp' or 'generic'. When not specified, defaults to 'generic'.
+	provider?: "generic" | "aws" | "azure" | "gcp" | *"generic"
+	secretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// ServiceAccountName is the name of the Kubernetes ServiceAccount
+	// used to authenticate the image pull if the service account has
+	// attached pull secrets.
+	serviceAccountName?: strings.MaxRunes(253)
+
+	// This flag tells the controller to suspend subsequent image
+	// scans. It does not apply to already started scans. Defaults to
+	// false.
+	suspend?: bool
+
+	// Timeout for image scanning. Defaults to 'Interval' duration.
+	timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m))+$"
+}

docs/examples/cue.mod/gen/image.toolkit.fluxcd.io/imageupdateautomation/v1beta1/types_gen.cue

@@ -0,0 +1,170 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta1
+
+import "strings"
+
+// ImageUpdateAutomation is the Schema for the
+// imageupdateautomations API
+#ImageUpdateAutomation: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "image.toolkit.fluxcd.io/v1beta1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "ImageUpdateAutomation"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// ImageUpdateAutomationSpec defines the desired state of
+	// ImageUpdateAutomation
+	spec!: #ImageUpdateAutomationSpec
+}
+
+// ImageUpdateAutomationSpec defines the desired state of
+// ImageUpdateAutomation
+#ImageUpdateAutomationSpec: {
+	// GitSpec contains all the git-specific definitions. This is
+	// technically optional, but in practice mandatory until there
+	// are other kinds of source allowed.
+	git?: {
+		checkout?: {
+			// Reference gives a branch, tag or commit to clone from the Git
+			// repository.
+			ref: {
+				// Branch to check out, defaults to 'master' if no other field is
+				// defined.
+				branch?: string
+
+				// Commit SHA to check out, takes precedence over all reference
+				// fields.
+				// This can be combined with Branch to shallow clone the branch,
+				// in which the commit is expected to exist.
+				commit?: string
+
+				// Name of the reference to check out; takes precedence over
+				// Branch, Tag and SemVer.
+				// It must be a valid Git reference:
+				// https://git-scm.com/docs/git-check-ref-format#_description
+				// Examples: "refs/heads/main", "refs/tags/v0.1.0",
+				// "refs/pull/420/head", "refs/merge-requests/1/head"
+				name?: string
+
+				// SemVer tag expression to check out, takes precedence over Tag.
+				semver?: string
+
+				// Tag to check out, takes precedence over Branch.
+				tag?: string
+			}
+		}
+
+		// Commit specifies how to commit to the git repository.
+		commit: {
+			// Author gives the email and optionally the name to use as the
+			// author of commits.
+			author: {
+				// Email gives the email to provide when making a commit.
+				email: string
+
+				// Name gives the name to provide when making a commit.
+				name?: string
+			}
+
+			// MessageTemplate provides a template for the commit message,
+			// into which will be interpolated the details of the change
+			// made.
+			messageTemplate?: string
+			signingKey?: {
+				secretRef?: {
+					// Name of the referent.
+					name: string
+				}
+			}
+		}
+
+		// Push specifies how and where to push commits made by the
+		// automation. If missing, commits are pushed (back) to
+		// `.spec.checkout.branch` or its default.
+		push?: {
+			// Branch specifies that commits should be pushed to the branch
+			// named. The branch is created using `.spec.checkout.branch` as
+			// the starting point, if it doesn't already exist.
+			branch?: string
+
+			// Options specifies the push options that are sent to the Git
+			// server when performing a push operation. For details, see:
+			// https://git-scm.com/docs/git-push#Documentation/git-push.txt---push-optionltoptiongt
+			options?: {
+				[string]: string
+			}
+
+			// Refspec specifies the Git Refspec to use for a push operation.
+			// If both Branch and Refspec are provided, then the commit is
+			// pushed to the branch and also using the specified refspec. For
+			// more details about Git Refspecs, see:
+			// https://git-scm.com/book/en/v2/Git-Internals-The-Refspec
+			refspec?: string
+		}
+	}
+
+	// Interval gives an lower bound for how often the automation run
+	// should be attempted.
+	interval: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+
+	// SourceRef refers to the resource giving access details to a git
+	// repository.
+	sourceRef: {
+		// API version of the referent.
+		apiVersion?: string
+
+		// Kind of the referent.
+		kind: "GitRepository" | *"GitRepository"
+
+		// Name of the referent.
+		name: string
+
+		// Namespace of the referent, defaults to the namespace of the
+		// Kubernetes resource object that contains the reference.
+		namespace?: string
+	}
+
+	// Suspend tells the controller to not run this automation, until
+	// it is unset (or set to false). Defaults to false.
+	suspend?: bool
+
+	// Update gives the specification for how to update the files in
+	// the repository. This can be left empty, to use the default
+	// value.
+	update?: {
+		// Path to the directory containing the manifests to be updated.
+		// Defaults to 'None', which translates to the root path of the
+		// GitRepositoryRef.
+		path?: string
+
+		// Strategy names the strategy to be used.
+		strategy: "Setters" | *"Setters"
+	} | *{
+		strategy: "Setters"
+	}
+}

docs/examples/cue.mod/gen/kustomize.toolkit.fluxcd.io/kustomization/v1/types_gen.cue

@@ -0,0 +1,286 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1
+
+import "strings"
+
+// Kustomization is the Schema for the kustomizations API.
+#Kustomization: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "kustomize.toolkit.fluxcd.io/v1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Kustomization"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// KustomizationSpec defines the configuration to calculate the
+	// desired state from a Source using Kustomize.
+	spec!: #KustomizationSpec
+}
+
+// KustomizationSpec defines the configuration to calculate the
+// desired state from a Source using Kustomize.
+#KustomizationSpec: {
+	// CommonMetadata specifies the common labels and annotations that
+	// are applied to all resources. Any existing label or annotation
+	// will be overridden if its key matches a common one.
+	commonMetadata?: {
+		// Annotations to be added to the object's metadata.
+		annotations?: {
+			[string]: string
+		}
+
+		// Labels to be added to the object's metadata.
+		labels?: {
+			[string]: string
+		}
+	}
+
+	// Components specifies relative paths to specifications of other
+	// Components.
+	components?: [...string]
+
+	// Decrypt Kubernetes secrets before applying them on the cluster.
+	decryption?: {
+		// Provider is the name of the decryption engine.
+		provider: "sops"
+		secretRef?: {
+			// Name of the referent.
+			name: string
+		}
+	}
+
+	// DependsOn may contain a meta.NamespacedObjectReference slice
+	// with references to Kustomization resources that must be ready
+	// before this Kustomization can be reconciled.
+	dependsOn?: [...{
+		// Name of the referent.
+		name: string
+
+		// Namespace of the referent, when not specified it acts as
+		// LocalObjectReference.
+		namespace?: string
+	}]
+
+	// Force instructs the controller to recreate resources when
+	// patching fails due to an immutable field change.
+	force?: bool | *false
+
+	// A list of resources to be included in the health assessment.
+	healthChecks?: [...{
+		// API version of the referent, if not specified the Kubernetes
+		// preferred version will be used.
+		apiVersion?: string
+
+		// Kind of the referent.
+		kind: string
+
+		// Name of the referent.
+		name: string
+
+		// Namespace of the referent, when not specified it acts as
+		// LocalObjectReference.
+		namespace?: string
+	}]
+
+	// Images is a list of (image name, new name, new tag or digest)
+	// for changing image names, tags or digests. This can also be
+	// achieved with a patch, but this operator is simpler to
+	// specify.
+	images?: [...{
+		// Digest is the value used to replace the original image tag. If
+		// digest is present NewTag value is ignored.
+		digest?: string
+
+		// Name is a tag-less image name.
+		name: string
+
+		// NewName is the value used to replace the original name.
+		newName?: string
+
+		// NewTag is the value used to replace the original tag.
+		newTag?: string
+	}]
+
+	// The interval at which to reconcile the Kustomization. This
+	// interval is approximate and may be subject to jitter to ensure
+	// efficient use of resources.
+	interval: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	kubeConfig?: {
+		// SecretRef holds the name of a secret that contains a key with
+		// the kubeconfig file as the value. If no key is set, the key
+		// will default to 'value'. It is recommended that the kubeconfig
+		// is self-contained, and the secret is regularly updated if
+		// credentials such as a cloud-access-token expire. Cloud
+		// specific `cmd-path` auth helpers will not function without
+		// adding binaries and credentials to the Pod that is responsible
+		// for reconciling Kubernetes resources.
+		secretRef: {
+			// Key in the Secret, when not specified an
+			// implementation-specific default key is used.
+			key?: string
+
+			// Name of the Secret.
+			name: string
+		}
+	}
+
+	// Strategic merge and JSON patches, defined as inline YAML
+	// objects, capable of targeting objects based on kind, label and
+	// annotation selectors.
+	patches?: [...{
+		// Patch contains an inline StrategicMerge patch or an inline
+		// JSON6902 patch with an array of operation objects.
+		patch: string
+
+		// Target points to the resources that the patch document should
+		// be applied to.
+		target?: {
+			// AnnotationSelector is a string that follows the label selection
+			// expression
+			// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+			// It matches with the resource annotations.
+			annotationSelector?: string
+
+			// Group is the API group to select resources from. Together with
+			// Version and Kind it is capable of unambiguously identifying
+			// and/or selecting resources.
+			// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+			group?: string
+
+			// Kind of the API Group to select resources from. Together with
+			// Group and Version it is capable of unambiguously identifying
+			// and/or selecting resources.
+			// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+			kind?: string
+
+			// LabelSelector is a string that follows the label selection
+			// expression
+			// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+			// It matches with the resource labels.
+			labelSelector?: string
+
+			// Name to match resources with.
+			name?: string
+
+			// Namespace to select resources from.
+			namespace?: string
+
+			// Version of the API Group to select resources from. Together
+			// with Group and Kind it is capable of unambiguously identifying
+			// and/or selecting resources.
+			// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+			version?: string
+		}
+	}]
+
+	// Path to the directory containing the kustomization.yaml file,
+	// or the set of plain YAMLs a kustomization.yaml should be
+	// generated for. Defaults to 'None', which translates to the
+	// root path of the SourceRef.
+	path?: string
+
+	// PostBuild describes which actions to perform on the YAML
+	// manifest generated by building the kustomize overlay.
+	postBuild?: {
+		// Substitute holds a map of key/value pairs. The variables
+		// defined in your YAML manifests that match any of the keys
+		// defined in the map will be substituted with the set value.
+		// Includes support for bash string replacement functions e.g.
+		// ${var:=default}, ${var:position} and
+		// ${var/substring/replacement}.
+		substitute?: {
+			[string]: string
+		}
+
+		// SubstituteFrom holds references to ConfigMaps and Secrets
+		// containing the variables and their values to be substituted in
+		// the YAML manifests. The ConfigMap and the Secret data keys
+		// represent the var names, and they must match the vars declared
+		// in the manifests for the substitution to happen.
+		substituteFrom?: [...{
+			// Kind of the values referent, valid values are ('Secret',
+			// 'ConfigMap').
+			kind: "Secret" | "ConfigMap"
+
+			// Name of the values referent. Should reside in the same
+			// namespace as the referring resource.
+			name: strings.MaxRunes(253) & strings.MinRunes(1)
+
+			// Optional indicates whether the referenced resource must exist,
+			// or whether to tolerate its absence. If true and the referenced
+			// resource is absent, proceed as if the resource was present but
+			// empty, without any variables defined.
+			optional?: bool | *false
+		}]
+	}
+
+	// Prune enables garbage collection.
+	prune: bool
+
+	// The interval at which to retry a previously failed
+	// reconciliation. When not specified, the controller uses the
+	// KustomizationSpec.Interval value to retry failures.
+	retryInterval?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+
+	// The name of the Kubernetes service account to impersonate when
+	// reconciling this Kustomization.
+	serviceAccountName?: string
+
+	// Reference of the source where the kustomization file is.
+	sourceRef: {
+		// API version of the referent.
+		apiVersion?: string
+
+		// Kind of the referent.
+		kind: "OCIRepository" | "GitRepository" | "Bucket"
+
+		// Name of the referent.
+		name: string
+
+		// Namespace of the referent, defaults to the namespace of the
+		// Kubernetes resource object that contains the reference.
+		namespace?: string
+	}
+
+	// This flag tells the controller to suspend subsequent kustomize
+	// executions, it does not apply to already started executions.
+	// Defaults to false.
+	suspend?: bool
+
+	// TargetNamespace sets or overrides the namespace in the
+	// kustomization.yaml file.
+	targetNamespace?: strings.MaxRunes(63) & strings.MinRunes(1)
+
+	// Timeout for validation, apply and health checking operations.
+	// Defaults to 'Interval' duration.
+	timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+
+	// Wait instructs the controller to check the health of all the
+	// reconciled resources. When enabled, the HealthChecks are
+	// ignored. Defaults to false.
+	wait?: bool
+}

docs/examples/cue.mod/gen/kustomize.toolkit.fluxcd.io/kustomization/v1beta1/types_gen.cue

@@ -0,0 +1,319 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta1
+
+import "strings"
+
+// Kustomization is the Schema for the kustomizations API.
+#Kustomization: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "kustomize.toolkit.fluxcd.io/v1beta1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Kustomization"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// KustomizationSpec defines the desired state of a kustomization.
+	spec!: #KustomizationSpec
+}
+
+// KustomizationSpec defines the desired state of a kustomization.
+#KustomizationSpec: {
+	// Decrypt Kubernetes secrets before applying them on the cluster.
+	decryption?: {
+		// Provider is the name of the decryption engine.
+		provider: "sops"
+		secretRef?: {
+			// Name of the referent.
+			name: string
+		}
+	}
+
+	// DependsOn may contain a meta.NamespacedObjectReference slice
+	// with references to Kustomization resources that must be ready
+	// before this Kustomization can be reconciled.
+	dependsOn?: [...{
+		// Name of the referent.
+		name: string
+
+		// Namespace of the referent, when not specified it acts as
+		// LocalObjectReference.
+		namespace?: string
+	}]
+
+	// Force instructs the controller to recreate resources when
+	// patching fails due to an immutable field change.
+	force?: bool | *false
+
+	// A list of resources to be included in the health assessment.
+	healthChecks?: [...{
+		// API version of the referent, if not specified the Kubernetes
+		// preferred version will be used.
+		apiVersion?: string
+
+		// Kind of the referent.
+		kind: string
+
+		// Name of the referent.
+		name: string
+
+		// Namespace of the referent, when not specified it acts as
+		// LocalObjectReference.
+		namespace?: string
+	}]
+
+	// Images is a list of (image name, new name, new tag or digest)
+	// for changing image names, tags or digests. This can also be
+	// achieved with a patch, but this operator is simpler to
+	// specify.
+	images?: [...{
+		// Digest is the value used to replace the original image tag. If
+		// digest is present NewTag value is ignored.
+		digest?: string
+
+		// Name is a tag-less image name.
+		name: string
+
+		// NewName is the value used to replace the original name.
+		newName?: string
+
+		// NewTag is the value used to replace the original tag.
+		newTag?: string
+	}]
+
+	// The interval at which to reconcile the Kustomization.
+	interval: string
+	kubeConfig?: {
+		secretRef?: {
+			// Name of the referent.
+			name: string
+		}
+	}
+
+	// Strategic merge and JSON patches, defined as inline YAML
+	// objects, capable of targeting objects based on kind, label and
+	// annotation selectors.
+	patches?: [...{
+		// Patch contains an inline StrategicMerge patch or an inline
+		// JSON6902 patch with an array of operation objects.
+		patch: string
+
+		// Target points to the resources that the patch document should
+		// be applied to.
+		target?: {
+			// AnnotationSelector is a string that follows the label selection
+			// expression
+			// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+			// It matches with the resource annotations.
+			annotationSelector?: string
+
+			// Group is the API group to select resources from. Together with
+			// Version and Kind it is capable of unambiguously identifying
+			// and/or selecting resources.
+			// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+			group?: string
+
+			// Kind of the API Group to select resources from. Together with
+			// Group and Version it is capable of unambiguously identifying
+			// and/or selecting resources.
+			// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+			kind?: string
+
+			// LabelSelector is a string that follows the label selection
+			// expression
+			// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+			// It matches with the resource labels.
+			labelSelector?: string
+
+			// Name to match resources with.
+			name?: string
+
+			// Namespace to select resources from.
+			namespace?: string
+
+			// Version of the API Group to select resources from. Together
+			// with Group and Kind it is capable of unambiguously identifying
+			// and/or selecting resources.
+			// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+			version?: string
+		}
+	}]
+
+	// JSON 6902 patches, defined as inline YAML objects.
+	patchesJson6902?: [...{
+		// Patch contains the JSON6902 patch document with an array of
+		// operation objects.
+		patch: [...{
+			// From contains a JSON-pointer value that references a location
+			// within the target document where the operation is performed.
+			// The meaning of the value depends on the value of Op, and is
+			// NOT taken into account by all operations.
+			from?: string
+
+			// Op indicates the operation to perform. Its value MUST be one of
+			// "add", "remove", "replace", "move", "copy", or "test".
+			// https://datatracker.ietf.org/doc/html/rfc6902#section-4
+			op: "test" | "remove" | "add" | "replace" | "move" | "copy"
+
+			// Path contains the JSON-pointer value that references a location
+			// within the target document where the operation is performed.
+			// The meaning of the value depends on the value of Op.
+			path: string
+
+			// Value contains a valid JSON structure. The meaning of the value
+			// depends on the value of Op, and is NOT taken into account by
+			// all operations.
+			value?: _
+		}]
+
+		// Target points to the resources that the patch document should
+		// be applied to.
+		target: {
+			// AnnotationSelector is a string that follows the label selection
+			// expression
+			// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+			// It matches with the resource annotations.
+			annotationSelector?: string
+
+			// Group is the API group to select resources from. Together with
+			// Version and Kind it is capable of unambiguously identifying
+			// and/or selecting resources.
+			// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+			group?: string
+
+			// Kind of the API Group to select resources from. Together with
+			// Group and Version it is capable of unambiguously identifying
+			// and/or selecting resources.
+			// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+			kind?: string
+
+			// LabelSelector is a string that follows the label selection
+			// expression
+			// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+			// It matches with the resource labels.
+			labelSelector?: string
+
+			// Name to match resources with.
+			name?: string
+
+			// Namespace to select resources from.
+			namespace?: string
+
+			// Version of the API Group to select resources from. Together
+			// with Group and Kind it is capable of unambiguously identifying
+			// and/or selecting resources.
+			// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+			version?: string
+		}
+	}]
+
+	// Strategic merge patches, defined as inline YAML objects.
+	patchesStrategicMerge?: [...]
+
+	// Path to the directory containing the kustomization.yaml file,
+	// or the set of plain YAMLs a kustomization.yaml should be
+	// generated for. Defaults to 'None', which translates to the
+	// root path of the SourceRef.
+	path?: string
+
+	// PostBuild describes which actions to perform on the YAML
+	// manifest generated by building the kustomize overlay.
+	postBuild?: {
+		// Substitute holds a map of key/value pairs. The variables
+		// defined in your YAML manifests that match any of the keys
+		// defined in the map will be substituted with the set value.
+		// Includes support for bash string replacement functions e.g.
+		// ${var:=default}, ${var:position} and
+		// ${var/substring/replacement}.
+		substitute?: {
+			[string]: string
+		}
+
+		// SubstituteFrom holds references to ConfigMaps and Secrets
+		// containing the variables and their values to be substituted in
+		// the YAML manifests. The ConfigMap and the Secret data keys
+		// represent the var names and they must match the vars declared
+		// in the manifests for the substitution to happen.
+		substituteFrom?: [...{
+			// Kind of the values referent, valid values are ('Secret',
+			// 'ConfigMap').
+			kind: "Secret" | "ConfigMap"
+
+			// Name of the values referent. Should reside in the same
+			// namespace as the referring resource.
+			name: strings.MaxRunes(253) & strings.MinRunes(1)
+		}]
+	}
+
+	// Prune enables garbage collection.
+	prune: bool
+
+	// The interval at which to retry a previously failed
+	// reconciliation. When not specified, the controller uses the
+	// KustomizationSpec.Interval value to retry failures.
+	retryInterval?: string
+
+	// The name of the Kubernetes service account to impersonate when
+	// reconciling this Kustomization.
+	serviceAccountName?: string
+
+	// Reference of the source where the kustomization file is.
+	sourceRef: {
+		// API version of the referent
+		apiVersion?: string
+
+		// Kind of the referent
+		kind: "GitRepository" | "Bucket"
+
+		// Name of the referent
+		name: string
+
+		// Namespace of the referent, defaults to the Kustomization
+		// namespace
+		namespace?: string
+	}
+
+	// This flag tells the controller to suspend subsequent kustomize
+	// executions, it does not apply to already started executions.
+	// Defaults to false.
+	suspend?: bool
+
+	// TargetNamespace sets or overrides the namespace in the
+	// kustomization.yaml file.
+	targetNamespace?: strings.MaxRunes(63) & strings.MinRunes(1)
+
+	// Timeout for validation, apply and health checking operations.
+	// Defaults to 'Interval' duration.
+	timeout?: string
+
+	// Validate the Kubernetes objects before applying them on the
+	// cluster. The validation strategy can be 'client' (local
+	// dry-run), 'server' (APIServer dry-run) or 'none'. When 'Force'
+	// is 'true', validation will fallback to 'client' if set to
+	// 'server' because server-side validation is not supported in
+	// this scenario.
+	validation?: "none" | "client" | "server"
+}

docs/examples/cue.mod/gen/kustomize.toolkit.fluxcd.io/kustomization/v1beta2/types_gen.cue

@@ -0,0 +1,360 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta2
+
+import "strings"
+
+// Kustomization is the Schema for the kustomizations API.
+#Kustomization: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "kustomize.toolkit.fluxcd.io/v1beta2"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Kustomization"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// KustomizationSpec defines the configuration to calculate the
+	// desired state from a Source using Kustomize.
+	spec!: #KustomizationSpec
+}
+
+// KustomizationSpec defines the configuration to calculate the
+// desired state from a Source using Kustomize.
+#KustomizationSpec: {
+	// CommonMetadata specifies the common labels and annotations that
+	// are applied to all resources. Any existing label or annotation
+	// will be overridden if its key matches a common one.
+	commonMetadata?: {
+		// Annotations to be added to the object's metadata.
+		annotations?: {
+			[string]: string
+		}
+
+		// Labels to be added to the object's metadata.
+		labels?: {
+			[string]: string
+		}
+	}
+
+	// Components specifies relative paths to specifications of other
+	// Components.
+	components?: [...string]
+
+	// Decrypt Kubernetes secrets before applying them on the cluster.
+	decryption?: {
+		// Provider is the name of the decryption engine.
+		provider: "sops"
+		secretRef?: {
+			// Name of the referent.
+			name: string
+		}
+	}
+
+	// DependsOn may contain a meta.NamespacedObjectReference slice
+	// with references to Kustomization resources that must be ready
+	// before this Kustomization can be reconciled.
+	dependsOn?: [...{
+		// Name of the referent.
+		name: string
+
+		// Namespace of the referent, when not specified it acts as
+		// LocalObjectReference.
+		namespace?: string
+	}]
+
+	// Force instructs the controller to recreate resources when
+	// patching fails due to an immutable field change.
+	force?: bool | *false
+
+	// A list of resources to be included in the health assessment.
+	healthChecks?: [...{
+		// API version of the referent, if not specified the Kubernetes
+		// preferred version will be used.
+		apiVersion?: string
+
+		// Kind of the referent.
+		kind: string
+
+		// Name of the referent.
+		name: string
+
+		// Namespace of the referent, when not specified it acts as
+		// LocalObjectReference.
+		namespace?: string
+	}]
+
+	// Images is a list of (image name, new name, new tag or digest)
+	// for changing image names, tags or digests. This can also be
+	// achieved with a patch, but this operator is simpler to
+	// specify.
+	images?: [...{
+		// Digest is the value used to replace the original image tag. If
+		// digest is present NewTag value is ignored.
+		digest?: string
+
+		// Name is a tag-less image name.
+		name: string
+
+		// NewName is the value used to replace the original name.
+		newName?: string
+
+		// NewTag is the value used to replace the original tag.
+		newTag?: string
+	}]
+
+	// The interval at which to reconcile the Kustomization.
+	interval: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	kubeConfig?: {
+		// SecretRef holds the name of a secret that contains a key with
+		// the kubeconfig file as the value. If no key is set, the key
+		// will default to 'value'. It is recommended that the kubeconfig
+		// is self-contained, and the secret is regularly updated if
+		// credentials such as a cloud-access-token expire. Cloud
+		// specific `cmd-path` auth helpers will not function without
+		// adding binaries and credentials to the Pod that is responsible
+		// for reconciling Kubernetes resources.
+		secretRef: {
+			// Key in the Secret, when not specified an
+			// implementation-specific default key is used.
+			key?: string
+
+			// Name of the Secret.
+			name: string
+		}
+	}
+
+	// Strategic merge and JSON patches, defined as inline YAML
+	// objects, capable of targeting objects based on kind, label and
+	// annotation selectors.
+	patches?: [...{
+		// Patch contains an inline StrategicMerge patch or an inline
+		// JSON6902 patch with an array of operation objects.
+		patch: string
+
+		// Target points to the resources that the patch document should
+		// be applied to.
+		target?: {
+			// AnnotationSelector is a string that follows the label selection
+			// expression
+			// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+			// It matches with the resource annotations.
+			annotationSelector?: string
+
+			// Group is the API group to select resources from. Together with
+			// Version and Kind it is capable of unambiguously identifying
+			// and/or selecting resources.
+			// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+			group?: string
+
+			// Kind of the API Group to select resources from. Together with
+			// Group and Version it is capable of unambiguously identifying
+			// and/or selecting resources.
+			// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+			kind?: string
+
+			// LabelSelector is a string that follows the label selection
+			// expression
+			// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+			// It matches with the resource labels.
+			labelSelector?: string
+
+			// Name to match resources with.
+			name?: string
+
+			// Namespace to select resources from.
+			namespace?: string
+
+			// Version of the API Group to select resources from. Together
+			// with Group and Kind it is capable of unambiguously identifying
+			// and/or selecting resources.
+			// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+			version?: string
+		}
+	}]
+
+	// JSON 6902 patches, defined as inline YAML objects. Deprecated:
+	// Use Patches instead.
+	patchesJson6902?: [...{
+		// Patch contains the JSON6902 patch document with an array of
+		// operation objects.
+		patch: [...{
+			// From contains a JSON-pointer value that references a location
+			// within the target document where the operation is performed.
+			// The meaning of the value depends on the value of Op, and is
+			// NOT taken into account by all operations.
+			from?: string
+
+			// Op indicates the operation to perform. Its value MUST be one of
+			// "add", "remove", "replace", "move", "copy", or "test".
+			// https://datatracker.ietf.org/doc/html/rfc6902#section-4
+			op: "test" | "remove" | "add" | "replace" | "move" | "copy"
+
+			// Path contains the JSON-pointer value that references a location
+			// within the target document where the operation is performed.
+			// The meaning of the value depends on the value of Op.
+			path: string
+
+			// Value contains a valid JSON structure. The meaning of the value
+			// depends on the value of Op, and is NOT taken into account by
+			// all operations.
+			value?: _
+		}]
+
+		// Target points to the resources that the patch document should
+		// be applied to.
+		target: {
+			// AnnotationSelector is a string that follows the label selection
+			// expression
+			// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+			// It matches with the resource annotations.
+			annotationSelector?: string
+
+			// Group is the API group to select resources from. Together with
+			// Version and Kind it is capable of unambiguously identifying
+			// and/or selecting resources.
+			// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+			group?: string
+
+			// Kind of the API Group to select resources from. Together with
+			// Group and Version it is capable of unambiguously identifying
+			// and/or selecting resources.
+			// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+			kind?: string
+
+			// LabelSelector is a string that follows the label selection
+			// expression
+			// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+			// It matches with the resource labels.
+			labelSelector?: string
+
+			// Name to match resources with.
+			name?: string
+
+			// Namespace to select resources from.
+			namespace?: string
+
+			// Version of the API Group to select resources from. Together
+			// with Group and Kind it is capable of unambiguously identifying
+			// and/or selecting resources.
+			// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
+			version?: string
+		}
+	}]
+
+	// Strategic merge patches, defined as inline YAML objects.
+	// Deprecated: Use Patches instead.
+	patchesStrategicMerge?: [...]
+
+	// Path to the directory containing the kustomization.yaml file,
+	// or the set of plain YAMLs a kustomization.yaml should be
+	// generated for. Defaults to 'None', which translates to the
+	// root path of the SourceRef.
+	path?: string
+
+	// PostBuild describes which actions to perform on the YAML
+	// manifest generated by building the kustomize overlay.
+	postBuild?: {
+		// Substitute holds a map of key/value pairs. The variables
+		// defined in your YAML manifests that match any of the keys
+		// defined in the map will be substituted with the set value.
+		// Includes support for bash string replacement functions e.g.
+		// ${var:=default}, ${var:position} and
+		// ${var/substring/replacement}.
+		substitute?: {
+			[string]: string
+		}
+
+		// SubstituteFrom holds references to ConfigMaps and Secrets
+		// containing the variables and their values to be substituted in
+		// the YAML manifests. The ConfigMap and the Secret data keys
+		// represent the var names and they must match the vars declared
+		// in the manifests for the substitution to happen.
+		substituteFrom?: [...{
+			// Kind of the values referent, valid values are ('Secret',
+			// 'ConfigMap').
+			kind: "Secret" | "ConfigMap"
+
+			// Name of the values referent. Should reside in the same
+			// namespace as the referring resource.
+			name: strings.MaxRunes(253) & strings.MinRunes(1)
+
+			// Optional indicates whether the referenced resource must exist,
+			// or whether to tolerate its absence. If true and the referenced
+			// resource is absent, proceed as if the resource was present but
+			// empty, without any variables defined.
+			optional?: bool | *false
+		}]
+	}
+
+	// Prune enables garbage collection.
+	prune: bool
+
+	// The interval at which to retry a previously failed
+	// reconciliation. When not specified, the controller uses the
+	// KustomizationSpec.Interval value to retry failures.
+	retryInterval?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+
+	// The name of the Kubernetes service account to impersonate when
+	// reconciling this Kustomization.
+	serviceAccountName?: string
+
+	// Reference of the source where the kustomization file is.
+	sourceRef: {
+		// API version of the referent.
+		apiVersion?: string
+
+		// Kind of the referent.
+		kind: "OCIRepository" | "GitRepository" | "Bucket"
+
+		// Name of the referent.
+		name: string
+
+		// Namespace of the referent, defaults to the namespace of the
+		// Kubernetes resource object that contains the reference.
+		namespace?: string
+	}
+
+	// This flag tells the controller to suspend subsequent kustomize
+	// executions, it does not apply to already started executions.
+	// Defaults to false.
+	suspend?: bool
+
+	// TargetNamespace sets or overrides the namespace in the
+	// kustomization.yaml file.
+	targetNamespace?: strings.MaxRunes(63) & strings.MinRunes(1)
+
+	// Timeout for validation, apply and health checking operations.
+	// Defaults to 'Interval' duration.
+	timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+
+	// Deprecated: Not used in v1beta2.
+	validation?: "none" | "client" | "server"
+
+	// Wait instructs the controller to check the health of all the
+	// reconciled resources. When enabled, the HealthChecks are
+	// ignored. Defaults to false.
+	wait?: bool
+}

docs/examples/cue.mod/gen/notification.toolkit.fluxcd.io/alert/v1beta1/types_gen.cue

@@ -0,0 +1,89 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta1
+
+import "strings"
+
+// Alert is the Schema for the alerts API
+#Alert: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "notification.toolkit.fluxcd.io/v1beta1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Alert"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// AlertSpec defines an alerting rule for events involving a list
+	// of objects
+	spec!: #AlertSpec
+}
+
+// AlertSpec defines an alerting rule for events involving a list
+// of objects
+#AlertSpec: {
+	// Filter events based on severity, defaults to ('info'). If set
+	// to 'info' no events will be filtered.
+	eventSeverity?: "info" | "error" | *"info"
+
+	// Filter events based on the involved objects.
+	eventSources: [...{
+		// API version of the referent
+		apiVersion?: string
+
+		// Kind of the referent
+		kind?: "Bucket" | "GitRepository" | "Kustomization" | "HelmRelease" | "HelmChart" | "HelmRepository" | "ImageRepository" | "ImagePolicy" | "ImageUpdateAutomation" | "OCIRepository"
+
+		// MatchLabels is a map of {key,value} pairs. A single {key,value}
+		// in the matchLabels map is equivalent to an element of
+		// matchExpressions, whose key field is "key", the operator is
+		// "In", and the values array contains only "value". The
+		// requirements are ANDed.
+		matchLabels?: {
+			[string]: string
+		}
+
+		// Name of the referent
+		name: strings.MaxRunes(53) & strings.MinRunes(1)
+
+		// Namespace of the referent
+		namespace?: strings.MaxRunes(53) & strings.MinRunes(1)
+	}]
+
+	// A list of Golang regular expressions to be used for excluding
+	// messages.
+	exclusionList?: [...string]
+	providerRef: {
+		// Name of the referent.
+		name: string
+	}
+
+	// Short description of the impact and affected cluster.
+	summary?: string
+
+	// This flag tells the controller to suspend subsequent events
+	// dispatching. Defaults to false.
+	suspend?: bool
+}

docs/examples/cue.mod/gen/notification.toolkit.fluxcd.io/alert/v1beta2/types_gen.cue

@@ -0,0 +1,107 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta2
+
+import "strings"
+
+// Alert is the Schema for the alerts API
+#Alert: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "notification.toolkit.fluxcd.io/v1beta2"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Alert"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// AlertSpec defines an alerting rule for events involving a list
+	// of objects.
+	spec!: #AlertSpec
+}
+
+// AlertSpec defines an alerting rule for events involving a list
+// of objects.
+#AlertSpec: {
+	// EventMetadata is an optional field for adding metadata to
+	// events dispatched by the controller. This can be used for
+	// enhancing the context of the event. If a field would override
+	// one already present on the original event as generated by the
+	// emitter, then the override doesn't happen, i.e. the original
+	// value is preserved, and an info log is printed.
+	eventMetadata?: {
+		[string]: string
+	}
+
+	// EventSeverity specifies how to filter events based on severity.
+	// If set to 'info' no events will be filtered.
+	eventSeverity?: "info" | "error" | *"info"
+
+	// EventSources specifies how to filter events based on the
+	// involved object kind, name and namespace.
+	eventSources: [...{
+		// API version of the referent
+		apiVersion?: string
+
+		// Kind of the referent
+		kind: "Bucket" | "GitRepository" | "Kustomization" | "HelmRelease" | "HelmChart" | "HelmRepository" | "ImageRepository" | "ImagePolicy" | "ImageUpdateAutomation" | "OCIRepository"
+
+		// MatchLabels is a map of {key,value} pairs. A single {key,value}
+		// in the matchLabels map is equivalent to an element of
+		// matchExpressions, whose key field is "key", the operator is
+		// "In", and the values array contains only "value". The
+		// requirements are ANDed. MatchLabels requires the name to be
+		// set to `*`.
+		matchLabels?: {
+			[string]: string
+		}
+
+		// Name of the referent If multiple resources are targeted `*` may
+		// be set.
+		name: strings.MaxRunes(53) & strings.MinRunes(1)
+
+		// Namespace of the referent
+		namespace?: strings.MaxRunes(53) & strings.MinRunes(1)
+	}]
+
+	// ExclusionList specifies a list of Golang regular expressions to
+	// be used for excluding messages.
+	exclusionList?: [...string]
+
+	// InclusionList specifies a list of Golang regular expressions to
+	// be used for including messages.
+	inclusionList?: [...string]
+	providerRef: {
+		// Name of the referent.
+		name: string
+	}
+
+	// Summary holds a short description of the impact and affected
+	// cluster.
+	summary?: strings.MaxRunes(255)
+
+	// Suspend tells the controller to suspend subsequent events
+	// handling for this Alert.
+	suspend?: bool
+}

docs/examples/cue.mod/gen/notification.toolkit.fluxcd.io/alert/v1beta3/types_gen.cue

@@ -0,0 +1,107 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta3
+
+import "strings"
+
+// Alert is the Schema for the alerts API
+#Alert: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "notification.toolkit.fluxcd.io/v1beta3"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Alert"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// AlertSpec defines an alerting rule for events involving a list
+	// of objects.
+	spec!: #AlertSpec
+}
+
+// AlertSpec defines an alerting rule for events involving a list
+// of objects.
+#AlertSpec: {
+	// EventMetadata is an optional field for adding metadata to
+	// events dispatched by the controller. This can be used for
+	// enhancing the context of the event. If a field would override
+	// one already present on the original event as generated by the
+	// emitter, then the override doesn't happen, i.e. the original
+	// value is preserved, and an info log is printed.
+	eventMetadata?: {
+		[string]: string
+	}
+
+	// EventSeverity specifies how to filter events based on severity.
+	// If set to 'info' no events will be filtered.
+	eventSeverity?: "info" | "error" | *"info"
+
+	// EventSources specifies how to filter events based on the
+	// involved object kind, name and namespace.
+	eventSources: [...{
+		// API version of the referent
+		apiVersion?: string
+
+		// Kind of the referent
+		kind: "Bucket" | "GitRepository" | "Kustomization" | "HelmRelease" | "HelmChart" | "HelmRepository" | "ImageRepository" | "ImagePolicy" | "ImageUpdateAutomation" | "OCIRepository"
+
+		// MatchLabels is a map of {key,value} pairs. A single {key,value}
+		// in the matchLabels map is equivalent to an element of
+		// matchExpressions, whose key field is "key", the operator is
+		// "In", and the values array contains only "value". The
+		// requirements are ANDed. MatchLabels requires the name to be
+		// set to `*`.
+		matchLabels?: {
+			[string]: string
+		}
+
+		// Name of the referent If multiple resources are targeted `*` may
+		// be set.
+		name: strings.MaxRunes(53) & strings.MinRunes(1)
+
+		// Namespace of the referent
+		namespace?: strings.MaxRunes(53) & strings.MinRunes(1)
+	}]
+
+	// ExclusionList specifies a list of Golang regular expressions to
+	// be used for excluding messages.
+	exclusionList?: [...string]
+
+	// InclusionList specifies a list of Golang regular expressions to
+	// be used for including messages.
+	inclusionList?: [...string]
+	providerRef: {
+		// Name of the referent.
+		name: string
+	}
+
+	// Summary holds a short description of the impact and affected
+	// cluster.
+	summary?: strings.MaxRunes(255)
+
+	// Suspend tells the controller to suspend subsequent events
+	// handling for this Alert.
+	suspend?: bool
+}

docs/examples/cue.mod/gen/notification.toolkit.fluxcd.io/provider/v1beta1/types_gen.cue

@@ -0,0 +1,74 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta1
+
+import "strings"
+
+// Provider is the Schema for the providers API
+#Provider: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "notification.toolkit.fluxcd.io/v1beta1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Provider"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// ProviderSpec defines the desired state of Provider
+	spec!: #ProviderSpec
+}
+
+// ProviderSpec defines the desired state of Provider
+#ProviderSpec: {
+	// HTTP/S webhook address of this provider
+	address?: =~"^(http|https)://"
+	certSecretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// Alert channel for this provider
+	channel?: string
+
+	// HTTP/S address of the proxy
+	proxy?: =~"^(http|https)://"
+	secretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// This flag tells the controller to suspend subsequent events
+	// handling. Defaults to false.
+	suspend?: bool
+
+	// Timeout for sending alerts to the provider.
+	timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m))+$"
+
+	// Type of provider
+	type: "slack" | "discord" | "msteams" | "rocket" | "generic" | "generic-hmac" | "github" | "gitlab" | "bitbucket" | "azuredevops" | "googlechat" | "webex" | "sentry" | "azureeventhub" | "telegram" | "lark" | "matrix" | "opsgenie" | "alertmanager" | "grafana" | "githubdispatch"
+
+	// Bot username for this provider
+	username?: string
+}

docs/examples/cue.mod/gen/notification.toolkit.fluxcd.io/provider/v1beta2/types_gen.cue

@@ -0,0 +1,85 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta2
+
+import "strings"
+
+// Provider is the Schema for the providers API.
+#Provider: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "notification.toolkit.fluxcd.io/v1beta2"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Provider"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// ProviderSpec defines the desired state of the Provider.
+	spec!: #ProviderSpec
+}
+
+// ProviderSpec defines the desired state of the Provider.
+#ProviderSpec: {
+	// Address specifies the endpoint, in a generic sense, to where
+	// alerts are sent. What kind of endpoint depends on the specific
+	// Provider type being used. For the generic Provider, for
+	// example, this is an HTTP/S address. For other Provider types
+	// this could be a project ID or a namespace.
+	address?: strings.MaxRunes(2048)
+	certSecretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// Channel specifies the destination channel where events should
+	// be posted.
+	channel?: strings.MaxRunes(2048)
+
+	// Interval at which to reconcile the Provider with its Secret
+	// references.
+	interval?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+
+	// Proxy the HTTP/S address of the proxy server.
+	proxy?: strings.MaxRunes(2048) & {
+		=~"^(http|https)://.*$"
+	}
+	secretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// Suspend tells the controller to suspend subsequent events
+	// handling for this Provider.
+	suspend?: bool
+
+	// Timeout for sending alerts to the Provider.
+	timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m))+$"
+
+	// Type specifies which Provider implementation to use.
+	type: "slack" | "discord" | "msteams" | "rocket" | "generic" | "generic-hmac" | "github" | "gitlab" | "gitea" | "bitbucketserver" | "bitbucket" | "azuredevops" | "googlechat" | "googlepubsub" | "webex" | "sentry" | "azureeventhub" | "telegram" | "lark" | "matrix" | "opsgenie" | "alertmanager" | "grafana" | "githubdispatch" | "pagerduty" | "datadog"
+
+	// Username specifies the name under which events are posted.
+	username?: strings.MaxRunes(2048)
+}

docs/examples/cue.mod/gen/notification.toolkit.fluxcd.io/provider/v1beta3/types_gen.cue

@@ -0,0 +1,85 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta3
+
+import "strings"
+
+// Provider is the Schema for the providers API
+#Provider: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "notification.toolkit.fluxcd.io/v1beta3"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Provider"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// ProviderSpec defines the desired state of the Provider.
+	spec!: #ProviderSpec
+}
+
+// ProviderSpec defines the desired state of the Provider.
+#ProviderSpec: {
+	// Address specifies the endpoint, in a generic sense, to where
+	// alerts are sent. What kind of endpoint depends on the specific
+	// Provider type being used. For the generic Provider, for
+	// example, this is an HTTP/S address. For other Provider types
+	// this could be a project ID or a namespace.
+	address?: strings.MaxRunes(2048)
+	certSecretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// Channel specifies the destination channel where events should
+	// be posted.
+	channel?: strings.MaxRunes(2048)
+
+	// Interval at which to reconcile the Provider with its Secret
+	// references. Deprecated and not used in v1beta3.
+	interval?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+
+	// Proxy the HTTP/S address of the proxy server.
+	proxy?: strings.MaxRunes(2048) & {
+		=~"^(http|https)://.*$"
+	}
+	secretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// Suspend tells the controller to suspend subsequent events
+	// handling for this Provider.
+	suspend?: bool
+
+	// Timeout for sending alerts to the Provider.
+	timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m))+$"
+
+	// Type specifies which Provider implementation to use.
+	type: "slack" | "discord" | "msteams" | "rocket" | "generic" | "generic-hmac" | "github" | "gitlab" | "gitea" | "bitbucketserver" | "bitbucket" | "azuredevops" | "googlechat" | "googlepubsub" | "webex" | "sentry" | "azureeventhub" | "telegram" | "lark" | "matrix" | "opsgenie" | "alertmanager" | "grafana" | "githubdispatch" | "pagerduty" | "datadog" | "nats"
+
+	// Username specifies the name under which events are posted.
+	username?: strings.MaxRunes(2048)
+}

docs/examples/cue.mod/gen/notification.toolkit.fluxcd.io/receiver/v1/types_gen.cue

@@ -0,0 +1,90 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1
+
+import "strings"
+
+// Receiver is the Schema for the receivers API.
+#Receiver: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "notification.toolkit.fluxcd.io/v1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Receiver"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// ReceiverSpec defines the desired state of the Receiver.
+	spec!: #ReceiverSpec
+}
+
+// ReceiverSpec defines the desired state of the Receiver.
+#ReceiverSpec: {
+	// Events specifies the list of event types to handle, e.g. 'push'
+	// for GitHub or 'Push Hook' for GitLab.
+	events?: [...string]
+
+	// Interval at which to reconcile the Receiver with its Secret
+	// references.
+	interval?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$" | *"10m"
+
+	// A list of resources to be notified about changes.
+	resources: [...{
+		// API version of the referent
+		apiVersion?: string
+
+		// Kind of the referent
+		kind: "Bucket" | "GitRepository" | "Kustomization" | "HelmRelease" | "HelmChart" | "HelmRepository" | "ImageRepository" | "ImagePolicy" | "ImageUpdateAutomation" | "OCIRepository"
+
+		// MatchLabels is a map of {key,value} pairs. A single {key,value}
+		// in the matchLabels map is equivalent to an element of
+		// matchExpressions, whose key field is "key", the operator is
+		// "In", and the values array contains only "value". The
+		// requirements are ANDed. MatchLabels requires the name to be
+		// set to `*`.
+		matchLabels?: {
+			[string]: string
+		}
+
+		// Name of the referent If multiple resources are targeted `*` may
+		// be set.
+		name: strings.MaxRunes(53) & strings.MinRunes(1)
+
+		// Namespace of the referent
+		namespace?: strings.MaxRunes(53) & strings.MinRunes(1)
+	}]
+	secretRef: {
+		// Name of the referent.
+		name: string
+	}
+
+	// Suspend tells the controller to suspend subsequent events
+	// handling for this receiver.
+	suspend?: bool
+
+	// Type of webhook sender, used to determine the validation
+	// procedure and payload deserialization.
+	type: "generic" | "generic-hmac" | "github" | "gitlab" | "bitbucket" | "harbor" | "dockerhub" | "quay" | "gcr" | "nexus" | "acr"
+}

docs/examples/cue.mod/gen/notification.toolkit.fluxcd.io/receiver/v1beta1/types_gen.cue

@@ -0,0 +1,84 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta1
+
+import "strings"
+
+// Receiver is the Schema for the receivers API
+#Receiver: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "notification.toolkit.fluxcd.io/v1beta1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Receiver"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// ReceiverSpec defines the desired state of Receiver
+	spec!: #ReceiverSpec
+}
+
+// ReceiverSpec defines the desired state of Receiver
+#ReceiverSpec: {
+	// A list of events to handle, e.g. 'push' for GitHub or 'Push
+	// Hook' for GitLab.
+	events?: [...string]
+
+	// A list of resources to be notified about changes.
+	resources: [...{
+		// API version of the referent
+		apiVersion?: string
+
+		// Kind of the referent
+		kind?: "Bucket" | "GitRepository" | "Kustomization" | "HelmRelease" | "HelmChart" | "HelmRepository" | "ImageRepository" | "ImagePolicy" | "ImageUpdateAutomation" | "OCIRepository"
+
+		// MatchLabels is a map of {key,value} pairs. A single {key,value}
+		// in the matchLabels map is equivalent to an element of
+		// matchExpressions, whose key field is "key", the operator is
+		// "In", and the values array contains only "value". The
+		// requirements are ANDed.
+		matchLabels?: {
+			[string]: string
+		}
+
+		// Name of the referent
+		name: strings.MaxRunes(53) & strings.MinRunes(1)
+
+		// Namespace of the referent
+		namespace?: strings.MaxRunes(53) & strings.MinRunes(1)
+	}]
+	secretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// This flag tells the controller to suspend subsequent events
+	// handling. Defaults to false.
+	suspend?: bool
+
+	// Type of webhook sender, used to determine the validation
+	// procedure and payload deserialization.
+	type: "generic" | "generic-hmac" | "github" | "gitlab" | "bitbucket" | "harbor" | "dockerhub" | "quay" | "gcr" | "nexus" | "acr"
+}

docs/examples/cue.mod/gen/notification.toolkit.fluxcd.io/receiver/v1beta2/types_gen.cue

@@ -0,0 +1,90 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta2
+
+import "strings"
+
+// Receiver is the Schema for the receivers API.
+#Receiver: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "notification.toolkit.fluxcd.io/v1beta2"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Receiver"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// ReceiverSpec defines the desired state of the Receiver.
+	spec!: #ReceiverSpec
+}
+
+// ReceiverSpec defines the desired state of the Receiver.
+#ReceiverSpec: {
+	// Events specifies the list of event types to handle, e.g. 'push'
+	// for GitHub or 'Push Hook' for GitLab.
+	events?: [...string]
+
+	// Interval at which to reconcile the Receiver with its Secret
+	// references.
+	interval?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+
+	// A list of resources to be notified about changes.
+	resources: [...{
+		// API version of the referent
+		apiVersion?: string
+
+		// Kind of the referent
+		kind: "Bucket" | "GitRepository" | "Kustomization" | "HelmRelease" | "HelmChart" | "HelmRepository" | "ImageRepository" | "ImagePolicy" | "ImageUpdateAutomation" | "OCIRepository"
+
+		// MatchLabels is a map of {key,value} pairs. A single {key,value}
+		// in the matchLabels map is equivalent to an element of
+		// matchExpressions, whose key field is "key", the operator is
+		// "In", and the values array contains only "value". The
+		// requirements are ANDed. MatchLabels requires the name to be
+		// set to `*`.
+		matchLabels?: {
+			[string]: string
+		}
+
+		// Name of the referent If multiple resources are targeted `*` may
+		// be set.
+		name: strings.MaxRunes(53) & strings.MinRunes(1)
+
+		// Namespace of the referent
+		namespace?: strings.MaxRunes(53) & strings.MinRunes(1)
+	}]
+	secretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// Suspend tells the controller to suspend subsequent events
+	// handling for this receiver.
+	suspend?: bool
+
+	// Type of webhook sender, used to determine the validation
+	// procedure and payload deserialization.
+	type: "generic" | "generic-hmac" | "github" | "gitlab" | "bitbucket" | "harbor" | "dockerhub" | "quay" | "gcr" | "nexus" | "acr"
+}

docs/examples/cue.mod/gen/source.toolkit.fluxcd.io/bucket/v1beta1/types_gen.cue

@@ -0,0 +1,95 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta1
+
+import "strings"
+
+// Bucket is the Schema for the buckets API
+#Bucket: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "source.toolkit.fluxcd.io/v1beta1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Bucket"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// BucketSpec defines the desired state of an S3 compatible bucket
+	spec!: #BucketSpec
+}
+
+// BucketSpec defines the desired state of an S3 compatible bucket
+#BucketSpec: {
+	accessFrom?: {
+		// NamespaceSelectors is the list of namespace selectors to which
+		// this ACL applies. Items in this list are evaluated using a
+		// logical OR operation.
+		namespaceSelectors: [...{
+			// MatchLabels is a map of {key,value} pairs. A single {key,value}
+			// in the matchLabels map is equivalent to an element of
+			// matchExpressions, whose key field is "key", the operator is
+			// "In", and the values array contains only "value". The
+			// requirements are ANDed.
+			matchLabels?: {
+				[string]: string
+			}
+		}]
+	}
+
+	// The bucket name.
+	bucketName: string
+
+	// The bucket endpoint address.
+	endpoint: string
+
+	// Ignore overrides the set of excluded patterns in the
+	// .sourceignore format (which is the same as .gitignore). If not
+	// provided, a default will be used, consult the documentation
+	// for your version to find out what those are.
+	ignore?: string
+
+	// Insecure allows connecting to a non-TLS S3 HTTP endpoint.
+	insecure?: bool
+
+	// The interval at which to check for bucket updates.
+	interval: string
+
+	// The S3 compatible storage provider name, default ('generic').
+	provider?: "generic" | "aws" | "gcp" | *"generic"
+
+	// The bucket region.
+	region?: string
+	secretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// This flag tells the controller to suspend the reconciliation of
+	// this source.
+	suspend?: bool
+
+	// The timeout for download operations, defaults to 60s.
+	timeout?: string | *"60s"
+}

docs/examples/cue.mod/gen/source.toolkit.fluxcd.io/bucket/v1beta2/types_gen.cue

@@ -0,0 +1,104 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta2
+
+import "strings"
+
+// Bucket is the Schema for the buckets API.
+#Bucket: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "source.toolkit.fluxcd.io/v1beta2"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Bucket"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// BucketSpec specifies the required configuration to produce an
+	// Artifact for an object storage bucket.
+	spec!: #BucketSpec
+}
+
+// BucketSpec specifies the required configuration to produce an
+// Artifact for an object storage bucket.
+#BucketSpec: {
+	accessFrom?: {
+		// NamespaceSelectors is the list of namespace selectors to which
+		// this ACL applies. Items in this list are evaluated using a
+		// logical OR operation.
+		namespaceSelectors: [...{
+			// MatchLabels is a map of {key,value} pairs. A single {key,value}
+			// in the matchLabels map is equivalent to an element of
+			// matchExpressions, whose key field is "key", the operator is
+			// "In", and the values array contains only "value". The
+			// requirements are ANDed.
+			matchLabels?: {
+				[string]: string
+			}
+		}]
+	}
+
+	// BucketName is the name of the object storage bucket.
+	bucketName: string
+
+	// Endpoint is the object storage address the BucketName is
+	// located at.
+	endpoint: string
+
+	// Ignore overrides the set of excluded patterns in the
+	// .sourceignore format (which is the same as .gitignore). If not
+	// provided, a default will be used, consult the documentation
+	// for your version to find out what those are.
+	ignore?: string
+
+	// Insecure allows connecting to a non-TLS HTTP Endpoint.
+	insecure?: bool
+
+	// Interval at which the Bucket Endpoint is checked for updates.
+	// This interval is approximate and may be subject to jitter to
+	// ensure efficient use of resources.
+	interval: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+
+	// Prefix to use for server-side filtering of files in the Bucket.
+	prefix?: string
+
+	// Provider of the object storage bucket. Defaults to 'generic',
+	// which expects an S3 (API) compatible object storage.
+	provider?: "generic" | "aws" | "gcp" | "azure" | *"generic"
+
+	// Region of the Endpoint where the BucketName is located in.
+	region?: string
+	secretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// Suspend tells the controller to suspend the reconciliation of
+	// this Bucket.
+	suspend?: bool
+
+	// Timeout for fetch operations, defaults to 60s.
+	timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m))+$" | *"60s"
+}

docs/examples/cue.mod/gen/source.toolkit.fluxcd.io/gitrepository/v1/types_gen.cue

@@ -0,0 +1,141 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1
+
+import "strings"
+
+// GitRepository is the Schema for the gitrepositories API.
+#GitRepository: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "source.toolkit.fluxcd.io/v1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "GitRepository"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// GitRepositorySpec specifies the required configuration to
+	// produce an Artifact for a Git repository.
+	spec!: #GitRepositorySpec
+}
+
+// GitRepositorySpec specifies the required configuration to
+// produce an Artifact for a Git repository.
+#GitRepositorySpec: {
+	// Ignore overrides the set of excluded patterns in the
+	// .sourceignore format (which is the same as .gitignore). If not
+	// provided, a default will be used, consult the documentation
+	// for your version to find out what those are.
+	ignore?: string
+
+	// Include specifies a list of GitRepository resources which
+	// Artifacts should be included in the Artifact produced for this
+	// GitRepository.
+	include?: [...{
+		// FromPath specifies the path to copy contents from, defaults to
+		// the root of the Artifact.
+		fromPath?: string
+		repository: {
+			// Name of the referent.
+			name: string
+		}
+
+		// ToPath specifies the path to copy contents to, defaults to the
+		// name of the GitRepositoryRef.
+		toPath?: string
+	}]
+
+	// Interval at which the GitRepository URL is checked for updates.
+	// This interval is approximate and may be subject to jitter to
+	// ensure efficient use of resources.
+	interval: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+	proxySecretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// RecurseSubmodules enables the initialization of all submodules
+	// within the GitRepository as cloned from the URL, using their
+	// default settings.
+	recurseSubmodules?: bool
+
+	// Reference specifies the Git reference to resolve and monitor
+	// for changes, defaults to the 'master' branch.
+	ref?: {
+		// Branch to check out, defaults to 'master' if no other field is
+		// defined.
+		branch?: string
+
+		// Commit SHA to check out, takes precedence over all reference
+		// fields.
+		// This can be combined with Branch to shallow clone the branch,
+		// in which the commit is expected to exist.
+		commit?: string
+
+		// Name of the reference to check out; takes precedence over
+		// Branch, Tag and SemVer.
+		// It must be a valid Git reference:
+		// https://git-scm.com/docs/git-check-ref-format#_description
+		// Examples: "refs/heads/main", "refs/tags/v0.1.0",
+		// "refs/pull/420/head", "refs/merge-requests/1/head"
+		name?: string
+
+		// SemVer tag expression to check out, takes precedence over Tag.
+		semver?: string
+
+		// Tag to check out, takes precedence over Branch.
+		tag?: string
+	}
+	secretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// Suspend tells the controller to suspend the reconciliation of
+	// this GitRepository.
+	suspend?: bool
+
+	// Timeout for Git operations like cloning, defaults to 60s.
+	timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m))+$" | *"60s"
+
+	// URL specifies the Git repository URL, it can be an HTTP/S or
+	// SSH address.
+	url: =~"^(http|https|ssh)://.*$"
+
+	// Verification specifies the configuration to verify the Git
+	// commit signature(s).
+	verify?: {
+		// Mode specifies which Git object(s) should be verified.
+		// The variants "head" and "HEAD" both imply the same thing, i.e.
+		// verify the commit that the HEAD of the Git repository points
+		// to. The variant "head" solely exists to ensure backwards
+		// compatibility.
+		mode?: "head" | "HEAD" | "Tag" | "TagAndHEAD" | *"HEAD"
+		secretRef: {
+			// Name of the referent.
+			name: string
+		}
+	}
+}

docs/examples/cue.mod/gen/source.toolkit.fluxcd.io/gitrepository/v1beta1/types_gen.cue

@@ -0,0 +1,137 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta1
+
+import "strings"
+
+// GitRepository is the Schema for the gitrepositories API
+#GitRepository: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "source.toolkit.fluxcd.io/v1beta1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "GitRepository"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// GitRepositorySpec defines the desired state of a Git
+	// repository.
+	spec!: #GitRepositorySpec
+}
+
+// GitRepositorySpec defines the desired state of a Git
+// repository.
+#GitRepositorySpec: {
+	accessFrom?: {
+		// NamespaceSelectors is the list of namespace selectors to which
+		// this ACL applies. Items in this list are evaluated using a
+		// logical OR operation.
+		namespaceSelectors: [...{
+			// MatchLabels is a map of {key,value} pairs. A single {key,value}
+			// in the matchLabels map is equivalent to an element of
+			// matchExpressions, whose key field is "key", the operator is
+			// "In", and the values array contains only "value". The
+			// requirements are ANDed.
+			matchLabels?: {
+				[string]: string
+			}
+		}]
+	}
+
+	// Determines which git client library to use. Defaults to go-git,
+	// valid values are ('go-git', 'libgit2').
+	gitImplementation?: "go-git" | "libgit2" | *"go-git"
+
+	// Ignore overrides the set of excluded patterns in the
+	// .sourceignore format (which is the same as .gitignore). If not
+	// provided, a default will be used, consult the documentation
+	// for your version to find out what those are.
+	ignore?: string
+
+	// Extra git repositories to map into the repository
+	include?: [...{
+		// The path to copy contents from, defaults to the root directory.
+		fromPath?: string
+		repository: {
+			// Name of the referent.
+			name: string
+		}
+
+		// The path to copy contents to, defaults to the name of the
+		// source ref.
+		toPath?: string
+	}]
+
+	// The interval at which to check for repository updates.
+	interval: string
+
+	// When enabled, after the clone is created, initializes all
+	// submodules within, using their default settings. This option
+	// is available only when using the 'go-git' GitImplementation.
+	recurseSubmodules?: bool
+
+	// The Git reference to checkout and monitor for changes, defaults
+	// to master branch.
+	ref?: {
+		// The Git branch to checkout, defaults to master.
+		branch?: string
+
+		// The Git commit SHA to checkout, if specified Tag filters will
+		// be ignored.
+		commit?: string
+
+		// The Git tag semver expression, takes precedence over Tag.
+		semver?: string
+
+		// The Git tag to checkout, takes precedence over Branch.
+		tag?: string
+	}
+	secretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// This flag tells the controller to suspend the reconciliation of
+	// this source.
+	suspend?: bool
+
+	// The timeout for remote Git operations like cloning, defaults to
+	// 60s.
+	timeout?: string | *"60s"
+
+	// The repository URL, can be a HTTP/S or SSH address.
+	url: =~"^(http|https|ssh)://.*$"
+
+	// Verify OpenPGP signature for the Git commit HEAD points to.
+	verify?: {
+		// Mode describes what git object should be verified, currently
+		// ('head').
+		mode: "head"
+		secretRef?: {
+			// Name of the referent.
+			name: string
+		}
+	}
+}

docs/examples/cue.mod/gen/source.toolkit.fluxcd.io/gitrepository/v1beta2/types_gen.cue

@@ -0,0 +1,155 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta2
+
+import "strings"
+
+// GitRepository is the Schema for the gitrepositories API.
+#GitRepository: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "source.toolkit.fluxcd.io/v1beta2"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "GitRepository"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// GitRepositorySpec specifies the required configuration to
+	// produce an Artifact for a Git repository.
+	spec!: #GitRepositorySpec
+}
+
+// GitRepositorySpec specifies the required configuration to
+// produce an Artifact for a Git repository.
+#GitRepositorySpec: {
+	accessFrom?: {
+		// NamespaceSelectors is the list of namespace selectors to which
+		// this ACL applies. Items in this list are evaluated using a
+		// logical OR operation.
+		namespaceSelectors: [...{
+			// MatchLabels is a map of {key,value} pairs. A single {key,value}
+			// in the matchLabels map is equivalent to an element of
+			// matchExpressions, whose key field is "key", the operator is
+			// "In", and the values array contains only "value". The
+			// requirements are ANDed.
+			matchLabels?: {
+				[string]: string
+			}
+		}]
+	}
+
+	// GitImplementation specifies which Git client library
+	// implementation to use. Defaults to 'go-git', valid values are
+	// ('go-git', 'libgit2'). Deprecated: gitImplementation is
+	// deprecated now that 'go-git' is the only supported
+	// implementation.
+	gitImplementation?: "go-git" | "libgit2" | *"go-git"
+
+	// Ignore overrides the set of excluded patterns in the
+	// .sourceignore format (which is the same as .gitignore). If not
+	// provided, a default will be used, consult the documentation
+	// for your version to find out what those are.
+	ignore?: string
+
+	// Include specifies a list of GitRepository resources which
+	// Artifacts should be included in the Artifact produced for this
+	// GitRepository.
+	include?: [...{
+		// FromPath specifies the path to copy contents from, defaults to
+		// the root of the Artifact.
+		fromPath?: string
+		repository: {
+			// Name of the referent.
+			name: string
+		}
+
+		// ToPath specifies the path to copy contents to, defaults to the
+		// name of the GitRepositoryRef.
+		toPath?: string
+	}]
+
+	// Interval at which to check the GitRepository for updates.
+	interval: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+
+	// RecurseSubmodules enables the initialization of all submodules
+	// within the GitRepository as cloned from the URL, using their
+	// default settings.
+	recurseSubmodules?: bool
+
+	// Reference specifies the Git reference to resolve and monitor
+	// for changes, defaults to the 'master' branch.
+	ref?: {
+		// Branch to check out, defaults to 'master' if no other field is
+		// defined.
+		branch?: string
+
+		// Commit SHA to check out, takes precedence over all reference
+		// fields.
+		// This can be combined with Branch to shallow clone the branch,
+		// in which the commit is expected to exist.
+		commit?: string
+
+		// Name of the reference to check out; takes precedence over
+		// Branch, Tag and SemVer.
+		// It must be a valid Git reference:
+		// https://git-scm.com/docs/git-check-ref-format#_description
+		// Examples: "refs/heads/main", "refs/tags/v0.1.0",
+		// "refs/pull/420/head", "refs/merge-requests/1/head"
+		name?: string
+
+		// SemVer tag expression to check out, takes precedence over Tag.
+		semver?: string
+
+		// Tag to check out, takes precedence over Branch.
+		tag?: string
+	}
+	secretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// Suspend tells the controller to suspend the reconciliation of
+	// this GitRepository.
+	suspend?: bool
+
+	// Timeout for Git operations like cloning, defaults to 60s.
+	timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m))+$" | *"60s"
+
+	// URL specifies the Git repository URL, it can be an HTTP/S or
+	// SSH address.
+	url: =~"^(http|https|ssh)://.*$"
+
+	// Verification specifies the configuration to verify the Git
+	// commit signature(s).
+	verify?: {
+		// Mode specifies what Git object should be verified, currently
+		// ('head').
+		mode: "head"
+		secretRef: {
+			// Name of the referent.
+			name: string
+		}
+	}
+}

docs/examples/cue.mod/gen/source.toolkit.fluxcd.io/helmchart/v1beta1/types_gen.cue

@@ -0,0 +1,109 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta1
+
+import "strings"
+
+// HelmChart is the Schema for the helmcharts API
+#HelmChart: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "source.toolkit.fluxcd.io/v1beta1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "HelmChart"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// HelmChartSpec defines the desired state of a Helm chart.
+	spec!: #HelmChartSpec
+}
+
+// HelmChartSpec defines the desired state of a Helm chart.
+#HelmChartSpec: {
+	accessFrom?: {
+		// NamespaceSelectors is the list of namespace selectors to which
+		// this ACL applies. Items in this list are evaluated using a
+		// logical OR operation.
+		namespaceSelectors: [...{
+			// MatchLabels is a map of {key,value} pairs. A single {key,value}
+			// in the matchLabels map is equivalent to an element of
+			// matchExpressions, whose key field is "key", the operator is
+			// "In", and the values array contains only "value". The
+			// requirements are ANDed.
+			matchLabels?: {
+				[string]: string
+			}
+		}]
+	}
+
+	// The name or path the Helm chart is available at in the
+	// SourceRef.
+	chart: string
+
+	// The interval at which to check the Source for updates.
+	interval: string
+
+	// Determines what enables the creation of a new artifact. Valid
+	// values are ('ChartVersion', 'Revision'). See the documentation
+	// of the values for an explanation on their behavior. Defaults
+	// to ChartVersion when omitted.
+	reconcileStrategy?: "ChartVersion" | "Revision" | *"ChartVersion"
+
+	// The reference to the Source the chart is available at.
+	sourceRef: {
+		// APIVersion of the referent.
+		apiVersion?: string
+
+		// Kind of the referent, valid values are ('HelmRepository',
+		// 'GitRepository', 'Bucket').
+		kind: "HelmRepository" | "GitRepository" | "Bucket"
+
+		// Name of the referent.
+		name: string
+	}
+
+	// This flag tells the controller to suspend the reconciliation of
+	// this source.
+	suspend?: bool
+
+	// Alternative values file to use as the default chart values,
+	// expected to be a relative path in the SourceRef. Deprecated in
+	// favor of ValuesFiles, for backwards compatibility the file
+	// defined here is merged before the ValuesFiles items. Ignored
+	// when omitted.
+	valuesFile?: string
+
+	// Alternative list of values files to use as the chart values
+	// (values.yaml is not included by default), expected to be a
+	// relative path in the SourceRef. Values files are merged in the
+	// order of this list with the last file overriding the first.
+	// Ignored when omitted.
+	valuesFiles?: [...string]
+
+	// The chart version semver expression, ignored for charts from
+	// GitRepository and Bucket sources. Defaults to latest when
+	// omitted.
+	version?: string | *"*"
+}

docs/examples/cue.mod/gen/source.toolkit.fluxcd.io/helmchart/v1beta2/types_gen.cue

@@ -0,0 +1,145 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta2
+
+import "strings"
+
+// HelmChart is the Schema for the helmcharts API.
+#HelmChart: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "source.toolkit.fluxcd.io/v1beta2"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "HelmChart"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// HelmChartSpec specifies the desired state of a Helm chart.
+	spec!: #HelmChartSpec
+}
+
+// HelmChartSpec specifies the desired state of a Helm chart.
+#HelmChartSpec: {
+	accessFrom?: {
+		// NamespaceSelectors is the list of namespace selectors to which
+		// this ACL applies. Items in this list are evaluated using a
+		// logical OR operation.
+		namespaceSelectors: [...{
+			// MatchLabels is a map of {key,value} pairs. A single {key,value}
+			// in the matchLabels map is equivalent to an element of
+			// matchExpressions, whose key field is "key", the operator is
+			// "In", and the values array contains only "value". The
+			// requirements are ANDed.
+			matchLabels?: {
+				[string]: string
+			}
+		}]
+	}
+
+	// Chart is the name or path the Helm chart is available at in the
+	// SourceRef.
+	chart: string
+
+	// Interval at which the HelmChart SourceRef is checked for
+	// updates. This interval is approximate and may be subject to
+	// jitter to ensure efficient use of resources.
+	interval: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+
+	// ReconcileStrategy determines what enables the creation of a new
+	// artifact. Valid values are ('ChartVersion', 'Revision'). See
+	// the documentation of the values for an explanation on their
+	// behavior. Defaults to ChartVersion when omitted.
+	reconcileStrategy?: "ChartVersion" | "Revision" | *"ChartVersion"
+
+	// SourceRef is the reference to the Source the chart is available
+	// at.
+	sourceRef: {
+		// APIVersion of the referent.
+		apiVersion?: string
+
+		// Kind of the referent, valid values are ('HelmRepository',
+		// 'GitRepository', 'Bucket').
+		kind: "HelmRepository" | "GitRepository" | "Bucket"
+
+		// Name of the referent.
+		name: string
+	}
+
+	// Suspend tells the controller to suspend the reconciliation of
+	// this source.
+	suspend?: bool
+
+	// ValuesFile is an alternative values file to use as the default
+	// chart values, expected to be a relative path in the SourceRef.
+	// Deprecated in favor of ValuesFiles, for backwards
+	// compatibility the file specified here is merged before the
+	// ValuesFiles items. Ignored when omitted.
+	valuesFile?: string
+
+	// ValuesFiles is an alternative list of values files to use as
+	// the chart values (values.yaml is not included by default),
+	// expected to be a relative path in the SourceRef. Values files
+	// are merged in the order of this list with the last file
+	// overriding the first. Ignored when omitted.
+	valuesFiles?: [...string]
+
+	// Verify contains the secret name containing the trusted public
+	// keys used to verify the signature and specifies which provider
+	// to use to check whether OCI image is authentic. This field is
+	// only supported when using HelmRepository source with spec.type
+	// 'oci'. Chart dependencies, which are not bundled in the
+	// umbrella chart artifact, are not verified.
+	verify?: {
+		// MatchOIDCIdentity specifies the identity matching criteria to
+		// use while verifying an OCI artifact which was signed using
+		// Cosign keyless signing. The artifact's identity is deemed to
+		// be verified if any of the specified matchers match against the
+		// identity.
+		matchOIDCIdentity?: [...{
+			// Issuer specifies the regex pattern to match against to verify
+			// the OIDC issuer in the Fulcio certificate. The pattern must be
+			// a valid Go regular expression.
+			issuer: string
+
+			// Subject specifies the regex pattern to match against to verify
+			// the identity subject in the Fulcio certificate. The pattern
+			// must be a valid Go regular expression.
+			subject: string
+		}]
+
+		// Provider specifies the technology used to sign the OCI
+		// Artifact.
+		provider: "cosign" | *"cosign"
+		secretRef?: {
+			// Name of the referent.
+			name: string
+		}
+	}
+
+	// Version is the chart version semver expression, ignored for
+	// charts from GitRepository and Bucket sources. Defaults to
+	// latest when omitted.
+	version?: string | *"*"
+}

docs/examples/cue.mod/gen/source.toolkit.fluxcd.io/helmrepository/v1beta1/types_gen.cue

@@ -0,0 +1,86 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta1
+
+import "strings"
+
+// HelmRepository is the Schema for the helmrepositories API
+#HelmRepository: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "source.toolkit.fluxcd.io/v1beta1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "HelmRepository"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// HelmRepositorySpec defines the reference to a Helm repository.
+	spec!: #HelmRepositorySpec
+}
+
+// HelmRepositorySpec defines the reference to a Helm repository.
+#HelmRepositorySpec: {
+	accessFrom?: {
+		// NamespaceSelectors is the list of namespace selectors to which
+		// this ACL applies. Items in this list are evaluated using a
+		// logical OR operation.
+		namespaceSelectors: [...{
+			// MatchLabels is a map of {key,value} pairs. A single {key,value}
+			// in the matchLabels map is equivalent to an element of
+			// matchExpressions, whose key field is "key", the operator is
+			// "In", and the values array contains only "value". The
+			// requirements are ANDed.
+			matchLabels?: {
+				[string]: string
+			}
+		}]
+	}
+
+	// The interval at which to check the upstream for updates.
+	interval: string
+
+	// PassCredentials allows the credentials from the SecretRef to be
+	// passed on to a host that does not match the host as defined in
+	// URL. This may be required if the host of the advertised chart
+	// URLs in the index differ from the defined URL. Enabling this
+	// should be done with caution, as it can potentially result in
+	// credentials getting stolen in a MITM-attack.
+	passCredentials?: bool
+	secretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// This flag tells the controller to suspend the reconciliation of
+	// this source.
+	suspend?: bool
+
+	// The timeout of index downloading, defaults to 60s.
+	timeout?: string | *"60s"
+
+	// The Helm repository URL, a valid URL contains at least a
+	// protocol and host.
+	url: string
+}

docs/examples/cue.mod/gen/source.toolkit.fluxcd.io/helmrepository/v1beta2/types_gen.cue

@@ -0,0 +1,112 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta2
+
+import "strings"
+
+// HelmRepository is the Schema for the helmrepositories API.
+#HelmRepository: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "source.toolkit.fluxcd.io/v1beta2"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "HelmRepository"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// HelmRepositorySpec specifies the required configuration to
+	// produce an Artifact for a Helm repository index YAML.
+	spec!: #HelmRepositorySpec
+}
+
+// HelmRepositorySpec specifies the required configuration to
+// produce an Artifact for a Helm repository index YAML.
+#HelmRepositorySpec: {
+	accessFrom?: {
+		// NamespaceSelectors is the list of namespace selectors to which
+		// this ACL applies. Items in this list are evaluated using a
+		// logical OR operation.
+		namespaceSelectors: [...{
+			// MatchLabels is a map of {key,value} pairs. A single {key,value}
+			// in the matchLabels map is equivalent to an element of
+			// matchExpressions, whose key field is "key", the operator is
+			// "In", and the values array contains only "value". The
+			// requirements are ANDed.
+			matchLabels?: {
+				[string]: string
+			}
+		}]
+	}
+	certSecretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// Insecure allows connecting to a non-TLS HTTP container
+	// registry. This field is only taken into account if the
+	// .spec.type field is set to 'oci'.
+	insecure?: bool
+
+	// Interval at which the HelmRepository URL is checked for
+	// updates. This interval is approximate and may be subject to
+	// jitter to ensure efficient use of resources.
+	interval?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+
+	// PassCredentials allows the credentials from the SecretRef to be
+	// passed on to a host that does not match the host as defined in
+	// URL. This may be required if the host of the advertised chart
+	// URLs in the index differ from the defined URL. Enabling this
+	// should be done with caution, as it can potentially result in
+	// credentials getting stolen in a MITM-attack.
+	passCredentials?: bool
+
+	// Provider used for authentication, can be 'aws', 'azure', 'gcp'
+	// or 'generic'. This field is optional, and only taken into
+	// account if the .spec.type field is set to 'oci'. When not
+	// specified, defaults to 'generic'.
+	provider?: "generic" | "aws" | "azure" | "gcp" | *"generic"
+	secretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// Suspend tells the controller to suspend the reconciliation of
+	// this HelmRepository.
+	suspend?: bool
+
+	// Timeout is used for the index fetch operation for an HTTPS helm
+	// repository, and for remote OCI Repository operations like
+	// pulling for an OCI helm chart by the associated HelmChart. Its
+	// default value is 60s.
+	timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m))+$"
+
+	// Type of the HelmRepository. When this field is set to "oci",
+	// the URL field value must be prefixed with "oci://".
+	type?: "default" | "oci"
+
+	// URL of the Helm repository, a valid URL contains at least a
+	// protocol and host.
+	url: =~"^(http|https|oci)://.*$"
+}

docs/examples/cue.mod/gen/source.toolkit.fluxcd.io/ocirepository/v1beta2/types_gen.cue

@@ -0,0 +1,151 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
+
+package v1beta2
+
+import "strings"
+
+// OCIRepository is the Schema for the ocirepositories API
+#OCIRepository: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "source.toolkit.fluxcd.io/v1beta2"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "OCIRepository"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// OCIRepositorySpec defines the desired state of OCIRepository
+	spec!: #OCIRepositorySpec
+}
+
+// OCIRepositorySpec defines the desired state of OCIRepository
+#OCIRepositorySpec: {
+	certSecretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// Ignore overrides the set of excluded patterns in the
+	// .sourceignore format (which is the same as .gitignore). If not
+	// provided, a default will be used, consult the documentation
+	// for your version to find out what those are.
+	ignore?: string
+
+	// Insecure allows connecting to a non-TLS HTTP container
+	// registry.
+	insecure?: bool
+
+	// Interval at which the OCIRepository URL is checked for updates.
+	// This interval is approximate and may be subject to jitter to
+	// ensure efficient use of resources.
+	interval: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
+
+	// LayerSelector specifies which layer should be extracted from
+	// the OCI artifact. When not specified, the first layer found in
+	// the artifact is selected.
+	layerSelector?: {
+		// MediaType specifies the OCI media type of the layer which
+		// should be extracted from the OCI Artifact. The first layer
+		// matching this type is selected.
+		mediaType?: string
+
+		// Operation specifies how the selected layer should be processed.
+		// By default, the layer compressed content is extracted to
+		// storage. When the operation is set to 'copy', the layer
+		// compressed content is persisted to storage as it is.
+		operation?: "extract" | "copy"
+	}
+
+	// The provider used for authentication, can be 'aws', 'azure',
+	// 'gcp' or 'generic'. When not specified, defaults to 'generic'.
+	provider?: "generic" | "aws" | "azure" | "gcp" | *"generic"
+
+	// The OCI reference to pull and monitor for changes, defaults to
+	// the latest tag.
+	ref?: {
+		// Digest is the image digest to pull, takes precedence over
+		// SemVer. The value should be in the format 'sha256:<HASH>'.
+		digest?: string
+
+		// SemVer is the range of tags to pull selecting the latest within
+		// the range, takes precedence over Tag.
+		semver?: string
+
+		// Tag is the image tag to pull, defaults to latest.
+		tag?: string
+	}
+	secretRef?: {
+		// Name of the referent.
+		name: string
+	}
+
+	// ServiceAccountName is the name of the Kubernetes ServiceAccount
+	// used to authenticate the image pull if the service account has
+	// attached pull secrets. For more information:
+	// https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account
+	serviceAccountName?: string
+
+	// This flag tells the controller to suspend the reconciliation of
+	// this source.
+	suspend?: bool
+
+	// The timeout for remote OCI Repository operations like pulling,
+	// defaults to 60s.
+	timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m))+$" | *"60s"
+
+	// URL is a reference to an OCI artifact repository hosted on a
+	// remote container registry.
+	url: =~"^oci://.*$"
+
+	// Verify contains the secret name containing the trusted public
+	// keys used to verify the signature and specifies which provider
+	// to use to check whether OCI image is authentic.
+	verify?: {
+		// MatchOIDCIdentity specifies the identity matching criteria to
+		// use while verifying an OCI artifact which was signed using
+		// Cosign keyless signing. The artifact's identity is deemed to
+		// be verified if any of the specified matchers match against the
+		// identity.
+		matchOIDCIdentity?: [...{
+			// Issuer specifies the regex pattern to match against to verify
+			// the OIDC issuer in the Fulcio certificate. The pattern must be
+			// a valid Go regular expression.
+			issuer: string
+
+			// Subject specifies the regex pattern to match against to verify
+			// the identity subject in the Fulcio certificate. The pattern
+			// must be a valid Go regular expression.
+			subject: string
+		}]
+
+		// Provider specifies the technology used to sign the OCI
+		// Artifact.
+		provider: "cosign" | *"cosign"
+		secretRef?: {
+			// Name of the referent.
+			name: string
+		}
+	}
+}

docs/examples/platforms/reference/projects/secrets/components/namespaces/namespaces.cue

@@ -1,7 +1,8 @@
 package holos
 
-// e.g. prod-secrets-namespaces
-metadata: name: "\(#InputKeys.stage)-\(#InputKeys.project)-namespaces"
+#InputKeys: component: "namespaces"
+
+metadata: name: #InstanceName
 objects: [
 	#Namespace & {
 		metadata: name: "external-secrets"

docs/examples/platforms/reference/projects/secrets/output.cue

@@ -1,7 +1,9 @@
 package holos
 
 // Output schema
-{} & #KubernetesObjects
+{} & #KubernetesObjects & {
+	ksObjects: [#Kustomization]
+}
 
 #InputKeys: {
 	project: "secrets"

docs/examples/schema.cue

@@ -2,6 +2,7 @@ package holos
 
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	ksv1 "kustomize.toolkit.fluxcd.io/kustomization/v1"
 	corev1 "k8s.io/api/core/v1"
 	"encoding/yaml"
 )
@@ -11,6 +12,9 @@ _apiVersion: "holos.run/v1alpha1"
 // #Name defines the name: string key value pair used all over the place.
 #Name: name: string
 
+// #InstanceName is the name of the holos component instance being managed varying by stage, project, and component names.
+#InstanceName: "\(#InputKeys.stage)-\(#InputKeys.project)-\(#InputKeys.component)"
+
 // #NamespaceMeta defines standard metadata for namespaces.
 // Refer to https://kubernetes.io/docs/reference/labels-annotations-taints/#kubernetes-io-metadata-name
 #NamespaceMeta: {
@@ -24,6 +28,25 @@ _apiVersion: "holos.run/v1alpha1"
 // Kubernetes API Objects
 #Namespace: corev1.#Namespace & #NamespaceMeta
 #ConfigMap: corev1.#ConfigMap
+#Kustomization: ksv1.#Kustomization & {
+	metadata: {
+		name: #InstanceName,
+		namespace: string | *"flux-system",
+	}
+	spec: ksv1.#KustomizationSpec & {
+		interval: string | *"30m0s"
+		path: string | *"deploy/clusters/\(#InputKeys.cluster)/components/\(#InstanceName)"
+		prune: bool | *true
+		retryInterval: string | *"2m0s"
+		sourceRef: {
+			kind: string | *"GitRepository"
+			name: string | *"flux-system"
+		}
+		timeout: string | *"3m0s"
+		wait: bool | *true
+	}
+}
+
 
 // #InputKeys defines the set of cue tags required to build a cue holos component. The values are used as lookup keys into the _Platform data.
 #InputKeys: {
@@ -35,6 +58,8 @@ _apiVersion: "holos.run/v1alpha1"
 	project: string @tag(project, type=string)
 	// service is usually set by the component.
 	service: string @tag(service, type=string)
+	// component is the name of the component
+	component: string @tag(component, type=string)
 }
 
 // #Platform defines the primary lookup table for the platform.  Lookup keys should be limited to those defined in #KeyTags.
@@ -87,6 +112,10 @@ _Platform: #Platform
 	objects: [...metav1.#TypeMeta] | *[]
 	// out holds the rendered yaml text stream of kubernetes api objects.
 	content: yaml.MarshalStream(objects)
+	// ksObjects holds the flux Kustomization objects for gitops
+	ksObjects: [...#Kustomization] | *[]
+	// ksContent is the yaml representation of kustomization
+	ksContent: yaml.MarshalStream(ksObjects)
 	// platform returns the platform data structure for visibility / troubleshooting.
 	platform: _Platform
 }

pkg/cli/render.go

@@ -17,14 +17,23 @@ func makeRenderRunFunc(cfg *config.Config) runFunc {
 
 		ctx := cmd.Context()
 		log := logger.FromContext(ctx)
-		build := builder.New(builder.Entrypoints(args))
+		build := builder.New(builder.Entrypoints(args), builder.Cluster(cfg.ClusterName()))
 		results, err := build.Run(cmd.Context())
 		if err != nil {
 			return wrapper.Wrap(err)
 		}
+		// TODO: Avoid accidental over-writes if to holos component instances result in
+		// the same file path. Write files into a blank temporary directory, error if a
+		// file exists, then move the directory into place.
 		for _, result := range results {
+			// API Objects
 			path := result.Filename(cfg.WriteTo(), cfg.ClusterName())
-			if err := result.Save(ctx, path); err != nil {
+			if err := result.Save(ctx, path, result.Content); err != nil {
+				return wrapper.Wrap(err)
+			}
+			// Kustomization
+			path = result.KustomizationFilename(cfg.WriteTo(), cfg.ClusterName())
+			if err := result.Save(ctx, path, result.KsContent); err != nil {
 				return wrapper.Wrap(err)
 			}
 			log.InfoContext(ctx, "rendered "+result.Name(), "status", "ok", "action", "save", "path", path, "name", result.Name())

pkg/internal/builder/builder.go

@@ -19,7 +19,8 @@ import (
 type Option func(*config)
 
 type config struct {
-	args []string
+	args    []string
+	cluster string
 }
 
 type Builder struct {
@@ -41,6 +42,11 @@ func Entrypoints(args []string) Option {
 	return func(cfg *config) { cfg.args = args }
 }
 
+// Cluster configures the cluster name for the holos component instance.
+func Cluster(name string) Option {
+	return func(cfg *config) { cfg.cluster = name }
+}
+
 type buildInfo struct {
 	APIVersion string `json:"apiVersion,omitempty"`
 	Kind       string `json:"kind,omitempty"`
@@ -53,8 +59,9 @@ type Metadata struct {
 
 // Result is the build result for display or writing.
 type Result struct {
-	Metadata Metadata `json:"metadata,omitempty"`
-	Content  string   `json:"content,omitempty"`
+	Metadata  Metadata `json:"metadata,omitempty"`
+	Content   string   `json:"content,omitempty"`
+	KsContent string   `json:"ksContent,omitempty"`
 }
 
 // Name returns the metadata name of the result. Equivalent to the
@@ -67,25 +74,32 @@ func (r *Result) Filename(writeTo string, cluster string) string {
 	return filepath.Join(writeTo, "clusters", cluster, "components", r.Name(), r.Name()+".gen.yaml")
 }
 
+func (r *Result) KustomizationFilename(writeTo string, cluster string) string {
+	return filepath.Join(writeTo, "clusters", cluster, "holos", "components", r.Name()+"-kustomization.gen.yaml")
+}
+
 // Save writes the content to the filesystem for git ops.
-func (r *Result) Save(ctx context.Context, path string) error {
-	if r.Name() == "" {
-		return wrapper.Wrap(fmt.Errorf("missing name from cue result"))
-	}
+func (r *Result) Save(ctx context.Context, path string, content string) error {
 	log := logger.FromContext(ctx)
 	dir := filepath.Dir(path)
 	if err := os.MkdirAll(dir, os.FileMode(0775)); err != nil {
 		log.WarnContext(ctx, "could not mkdir", "path", dir, "err", err)
 		return wrapper.Wrap(err)
 	}
-	if err := os.WriteFile(path, []byte(r.Content), os.FileMode(0644)); err != nil {
+	// Write the kube api objects
+	if err := os.WriteFile(path, []byte(content), os.FileMode(0644)); err != nil {
 		log.WarnContext(ctx, "could not write", "path", path, "err", err)
 		return wrapper.Wrap(err)
 	}
-	log.DebugContext(ctx, "wrote "+path, "action", "mkdir", "path", path, "status", "ok")
+	log.DebugContext(ctx, "wrote "+path, "action", "write", "path", path, "status", "ok")
 	return nil
 }
 
+// Cluster returns the cluster name of the component instance being built.
+func (b *Builder) Cluster() string {
+	return b.cfg.cluster
+}
+
 func (b *Builder) Run(ctx context.Context) ([]*Result, error) {
 	log := logger.FromContext(ctx)
 	cueCtx := cuecontext.New()
@@ -111,10 +125,14 @@ func (b *Builder) Run(ctx context.Context) ([]*Result, error) {
 		}
 		relPath = "./" + relPath
 		args[idx] = relPath
-		equiv := fmt.Sprintf("cue export --out yaml %v", relPath)
+		equiv := fmt.Sprintf("cue export --out yaml -t cluster=%v %v", b.Cluster(), relPath)
 		log.Debug(equiv)
 	}
 
+	// Refer to https://github.com/cue-lang/cue/blob/v0.7.0/cmd/cue/cmd/common.go#L429
+	cfg.Tags = append(cfg.Tags, "cluster="+b.Cluster())
+	log.DebugContext(ctx, fmt.Sprintf("configured cue tags: %v", cfg.Tags))
+
 	instances := load.Instances(args, &cfg)
 
 	for _, instance := range instances {

pkg/version/embedded/patch

@@ -1 +1 @@
-3
+4