Add holos build --cluster-name flag

Without this patch the build command doesn't fill in the cue cluster
name tag, resulting in incorrect output compared to the render command.

With this patch the correct output is generated.  Note the `mountPath`
field is correct:

```
❯ holos build ~/workspace/holos-run/holos/docs/examples/platforms/reference/projects/secrets/components/validate
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: default
  namespace: default
spec:
  provider:
    vault:
      auth:
        kubernetes:
          mountPath: k2
          role: default
          serviceAccountRef:
            name: default
      path: kv/k8s
      server: https://vault.core.ois.run
      version: v2
```

docs/examples/cue.mod/gen/external-secrets.io/clusterexternalsecret/v1beta1/types_gen.cue

@@ -0,0 +1,378 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-secrets-eso/prod-secrets-eso.gen.yaml
+
+package v1beta1
+
+import (
+	"strings"
+	"struct"
+)
+
+// ClusterExternalSecret is the Schema for the
+// clusterexternalsecrets API.
+#ClusterExternalSecret: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object.
+	// Servers should convert recognized schemas to the latest
+	// internal value, and
+	// may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "external-secrets.io/v1beta1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents.
+	// Servers may infer this from the endpoint the client submits
+	// requests to.
+	// Cannot be updated.
+	// In CamelCase.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "ClusterExternalSecret"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// ClusterExternalSecretSpec defines the desired state of
+	// ClusterExternalSecret.
+	spec!: #ClusterExternalSecretSpec
+}
+
+// ClusterExternalSecretSpec defines the desired state of
+// ClusterExternalSecret.
+#ClusterExternalSecretSpec: {
+	// The metadata of the external secrets to be created
+	externalSecretMetadata?: {
+		annotations?: {
+			[string]: string
+		}
+		labels?: {
+			[string]: string
+		}
+	}
+
+	// The name of the external secrets to be created defaults to the
+	// name of the ClusterExternalSecret
+	externalSecretName?: string
+
+	// The spec for the ExternalSecrets to be created
+	externalSecretSpec: {
+		// Data defines the connection between the Kubernetes Secret keys
+		// and the Provider data
+		data?: [...{
+			// RemoteRef points to the remote secret and defines
+			// which secret (version/property/..) to fetch.
+			remoteRef: {
+				// Used to define a conversion Strategy
+				conversionStrategy?: "Default" | "Unicode" | *"Default"
+
+				// Used to define a decoding Strategy
+				decodingStrategy?: "Auto" | "Base64" | "Base64URL" | "None" | *"None"
+
+				// Key is the key used in the Provider, mandatory
+				key: string
+
+				// Policy for fetching tags/labels from provider secrets, possible
+				// options are Fetch, None. Defaults to None
+				metadataPolicy?: "None" | "Fetch" | *"None"
+
+				// Used to select a specific property of the Provider value (if a
+				// map), if supported
+				property?: string
+
+				// Used to select a specific version of the Provider value, if
+				// supported
+				version?: string
+			}
+
+			// SecretKey defines the key in which the controller stores
+			// the value. This is the key in the Kind=Secret
+			secretKey: string
+
+			// SourceRef allows you to override the source
+			// from which the value will pulled from.
+			sourceRef?: struct.MaxFields(1) & {
+				// GeneratorRef points to a generator custom resource.
+				//
+				//
+				// Deprecated: The generatorRef is not implemented in .data[].
+				// this will be removed with v1.
+				generatorRef?: {
+					// Specify the apiVersion of the generator resource
+					apiVersion?: string | *"generators.external-secrets.io/v1alpha1"
+
+					// Specify the Kind of the resource, e.g. Password, ACRAccessToken
+					// etc.
+					kind: string
+
+					// Specify the name of the generator resource
+					name: string
+				}
+
+				// SecretStoreRef defines which SecretStore to fetch the
+				// ExternalSecret data.
+				storeRef?: {
+					// Kind of the SecretStore resource (SecretStore or
+					// ClusterSecretStore)
+					// Defaults to `SecretStore`
+					kind?: string
+
+					// Name of the SecretStore resource
+					name: string
+				}
+			}
+		}]
+
+		// DataFrom is used to fetch all properties from a specific
+		// Provider data
+		// If multiple entries are specified, the Secret keys are merged
+		// in the specified order
+		dataFrom?: [...{
+			// Used to extract multiple key/value pairs from one secret
+			// Note: Extract does not support sourceRef.Generator or
+			// sourceRef.GeneratorRef.
+			extract?: {
+				// Used to define a conversion Strategy
+				conversionStrategy?: "Default" | "Unicode" | *"Default"
+
+				// Used to define a decoding Strategy
+				decodingStrategy?: "Auto" | "Base64" | "Base64URL" | "None" | *"None"
+
+				// Key is the key used in the Provider, mandatory
+				key: string
+
+				// Policy for fetching tags/labels from provider secrets, possible
+				// options are Fetch, None. Defaults to None
+				metadataPolicy?: "None" | "Fetch" | *"None"
+
+				// Used to select a specific property of the Provider value (if a
+				// map), if supported
+				property?: string
+
+				// Used to select a specific version of the Provider value, if
+				// supported
+				version?: string
+			}
+
+			// Used to find secrets based on tags or regular expressions
+			// Note: Find does not support sourceRef.Generator or
+			// sourceRef.GeneratorRef.
+			find?: {
+				// Used to define a conversion Strategy
+				conversionStrategy?: "Default" | "Unicode" | *"Default"
+
+				// Used to define a decoding Strategy
+				decodingStrategy?: "Auto" | "Base64" | "Base64URL" | "None" | *"None"
+				name?: {
+					// Finds secrets base
+					regexp?: string
+				}
+
+				// A root path to start the find operations.
+				path?: string
+
+				// Find secrets based on tags.
+				tags?: {
+					[string]: string
+				}
+			}
+
+			// Used to rewrite secret Keys after getting them from the secret
+			// Provider
+			// Multiple Rewrite operations can be provided. They are applied
+			// in a layered order (first to last)
+			rewrite?: [...{
+				// Used to rewrite with regular expressions.
+				// The resulting key will be the output of a regexp.ReplaceAll
+				// operation.
+				regexp?: {
+					// Used to define the regular expression of a re.Compiler.
+					source: string
+
+					// Used to define the target pattern of a ReplaceAll operation.
+					target: string
+				}
+				transform?: {
+					// Used to define the template to apply on the secret name.
+					// `.value ` will specify the secret name in the template.
+					template: string
+				}
+			}]
+
+			// SourceRef points to a store or generator
+			// which contains secret values ready to use.
+			// Use this in combination with Extract or Find pull values out of
+			// a specific SecretStore.
+			// When sourceRef points to a generator Extract or Find is not
+			// supported.
+			// The generator returns a static map of values
+			sourceRef?: struct.MaxFields(1) & {
+				// GeneratorRef points to a generator custom resource.
+				generatorRef?: {
+					// Specify the apiVersion of the generator resource
+					apiVersion?: string | *"generators.external-secrets.io/v1alpha1"
+
+					// Specify the Kind of the resource, e.g. Password, ACRAccessToken
+					// etc.
+					kind: string
+
+					// Specify the name of the generator resource
+					name: string
+				}
+
+				// SecretStoreRef defines which SecretStore to fetch the
+				// ExternalSecret data.
+				storeRef?: {
+					// Kind of the SecretStore resource (SecretStore or
+					// ClusterSecretStore)
+					// Defaults to `SecretStore`
+					kind?: string
+
+					// Name of the SecretStore resource
+					name: string
+				}
+			}
+		}]
+
+		// RefreshInterval is the amount of time before the values are
+		// read again from the SecretStore provider
+		// Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
+		// May be set to zero to fetch and create it once. Defaults to 1h.
+		refreshInterval?: string | *"1h"
+
+		// SecretStoreRef defines which SecretStore to fetch the
+		// ExternalSecret data.
+		secretStoreRef?: {
+			// Kind of the SecretStore resource (SecretStore or
+			// ClusterSecretStore)
+			// Defaults to `SecretStore`
+			kind?: string
+
+			// Name of the SecretStore resource
+			name: string
+		}
+
+		// ExternalSecretTarget defines the Kubernetes Secret to be
+		// created
+		// There can be only one target per ExternalSecret.
+		target?: {
+			// CreationPolicy defines rules on how to create the resulting
+			// Secret
+			// Defaults to 'Owner'
+			creationPolicy?: "Owner" | "Orphan" | "Merge" | "None" | *"Owner"
+
+			// DeletionPolicy defines rules on how to delete the resulting
+			// Secret
+			// Defaults to 'Retain'
+			deletionPolicy?: "Delete" | "Merge" | "Retain" | *"Retain"
+
+			// Immutable defines if the final secret will be immutable
+			immutable?: bool
+
+			// Name defines the name of the Secret resource to be managed
+			// This field is immutable
+			// Defaults to the .metadata.name of the ExternalSecret resource
+			name?: string
+
+			// Template defines a blueprint for the created Secret resource.
+			template?: {
+				data?: {
+					[string]: string
+				}
+
+				// EngineVersion specifies the template engine version
+				// that should be used to compile/execute the
+				// template specified in .data and .templateFrom[].
+				engineVersion?: "v1" | "v2" | *"v2"
+				mergePolicy?:   "Replace" | "Merge" | *"Replace"
+
+				// ExternalSecretTemplateMetadata defines metadata fields for the
+				// Secret blueprint.
+				metadata?: {
+					annotations?: {
+						[string]: string
+					}
+					labels?: {
+						[string]: string
+					}
+				}
+				templateFrom?: [...{
+					configMap?: {
+						items: [...{
+							key:         string
+							templateAs?: "Values" | "KeysAndValues" | *"Values"
+						}]
+						name: string
+					}
+					literal?: string
+					secret?: {
+						items: [...{
+							key:         string
+							templateAs?: "Values" | "KeysAndValues" | *"Values"
+						}]
+						name: string
+					}
+					target?: "Data" | "Annotations" | "Labels" | *"Data"
+				}]
+				type?: string
+			}
+		} | *{
+			creationPolicy: "Owner"
+			deletionPolicy: "Retain"
+		}
+	}
+
+	// The labels to select by to find the Namespaces to create the
+	// ExternalSecrets in.
+	namespaceSelector?: {
+		// matchExpressions is a list of label selector requirements. The
+		// requirements are ANDed.
+		matchExpressions?: [...{
+			// key is the label key that the selector applies to.
+			key: string
+
+			// operator represents a key's relationship to a set of values.
+			// Valid operators are In, NotIn, Exists and DoesNotExist.
+			operator: string
+
+			// values is an array of string values. If the operator is In or
+			// NotIn,
+			// the values array must be non-empty. If the operator is Exists
+			// or DoesNotExist,
+			// the values array must be empty. This array is replaced during a
+			// strategic
+			// merge patch.
+			values?: [...string]
+		}]
+
+		// matchLabels is a map of {key,value} pairs. A single {key,value}
+		// in the matchLabels
+		// map is equivalent to an element of matchExpressions, whose key
+		// field is "key", the
+		// operator is "In", and the values array contains only "value".
+		// The requirements are ANDed.
+		matchLabels?: {
+			[string]: string
+		}
+	}
+
+	// Choose namespaces by name. This field is ORed with anything
+	// that NamespaceSelector ends up choosing.
+	namespaces?: [...string]
+
+	// The time in which the controller should reconcile its objects
+	// and recheck namespaces for labels.
+	refreshTime?: string
+}

docs/examples/cue.mod/gen/external-secrets.io/externalsecret/v1alpha1/types_gen.cue

@@ -0,0 +1,168 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-secrets-eso/prod-secrets-eso.gen.yaml
+
+package v1alpha1
+
+import (
+	"strings"
+	"struct"
+)
+
+// ExternalSecret is the Schema for the external-secrets API.
+#ExternalSecret: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object.
+	// Servers should convert recognized schemas to the latest
+	// internal value, and
+	// may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "external-secrets.io/v1alpha1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents.
+	// Servers may infer this from the endpoint the client submits
+	// requests to.
+	// Cannot be updated.
+	// In CamelCase.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "ExternalSecret"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// ExternalSecretSpec defines the desired state of ExternalSecret.
+	spec!: #ExternalSecretSpec
+}
+
+// ExternalSecretSpec defines the desired state of ExternalSecret.
+#ExternalSecretSpec: {
+	// Data defines the connection between the Kubernetes Secret keys
+	// and the Provider data
+	data?: [...{
+		// ExternalSecretDataRemoteRef defines Provider data location.
+		remoteRef: {
+			// Used to define a conversion Strategy
+			conversionStrategy?: "Default" | "Unicode" | *"Default"
+
+			// Key is the key used in the Provider, mandatory
+			key: string
+
+			// Used to select a specific property of the Provider value (if a
+			// map), if supported
+			property?: string
+
+			// Used to select a specific version of the Provider value, if
+			// supported
+			version?: string
+		}
+		secretKey: string
+	}]
+
+	// DataFrom is used to fetch all properties from a specific
+	// Provider data
+	// If multiple entries are specified, the Secret keys are merged
+	// in the specified order
+	dataFrom?: [...{
+		// Used to define a conversion Strategy
+		conversionStrategy?: "Default" | "Unicode" | *"Default"
+
+		// Key is the key used in the Provider, mandatory
+		key: string
+
+		// Used to select a specific property of the Provider value (if a
+		// map), if supported
+		property?: string
+
+		// Used to select a specific version of the Provider value, if
+		// supported
+		version?: string
+	}]
+
+	// RefreshInterval is the amount of time before the values are
+	// read again from the SecretStore provider
+	// Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
+	// May be set to zero to fetch and create it once. Defaults to 1h.
+	refreshInterval?: string | *"1h"
+
+	// SecretStoreRef defines which SecretStore to fetch the
+	// ExternalSecret data.
+	secretStoreRef: {
+		// Kind of the SecretStore resource (SecretStore or
+		// ClusterSecretStore)
+		// Defaults to `SecretStore`
+		kind?: string
+
+		// Name of the SecretStore resource
+		name: string
+	}
+
+	// ExternalSecretTarget defines the Kubernetes Secret to be
+	// created
+	// There can be only one target per ExternalSecret.
+	target: {
+		// CreationPolicy defines rules on how to create the resulting
+		// Secret
+		// Defaults to 'Owner'
+		creationPolicy?: "Owner" | "Merge" | "None" | *"Owner"
+
+		// Immutable defines if the final secret will be immutable
+		immutable?: bool
+
+		// Name defines the name of the Secret resource to be managed
+		// This field is immutable
+		// Defaults to the .metadata.name of the ExternalSecret resource
+		name?: string
+
+		// Template defines a blueprint for the created Secret resource.
+		template?: {
+			data?: {
+				[string]: string
+			}
+
+			// EngineVersion specifies the template engine version
+			// that should be used to compile/execute the
+			// template specified in .data and .templateFrom[].
+			engineVersion?: "v1" | "v2" | *"v1"
+
+			// ExternalSecretTemplateMetadata defines metadata fields for the
+			// Secret blueprint.
+			metadata?: {
+				annotations?: {
+					[string]: string
+				}
+				labels?: {
+					[string]: string
+				}
+			}
+			templateFrom?: [...struct.MaxFields(1) & {
+				configMap?: {
+					items: [...{
+						key: string
+					}]
+					name: string
+				}
+				secret?: {
+					items: [...{
+						key: string
+					}]
+					name: string
+				}
+			}]
+			type?: string
+		}
+	}
+}

docs/examples/cue.mod/gen/external-secrets.io/externalsecret/v1beta1/types_gen.cue

@@ -0,0 +1,316 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-secrets-eso/prod-secrets-eso.gen.yaml
+
+package v1beta1
+
+import (
+	"strings"
+	"struct"
+)
+
+// ExternalSecret is the Schema for the external-secrets API.
+#ExternalSecret: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object.
+	// Servers should convert recognized schemas to the latest
+	// internal value, and
+	// may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "external-secrets.io/v1beta1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents.
+	// Servers may infer this from the endpoint the client submits
+	// requests to.
+	// Cannot be updated.
+	// In CamelCase.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "ExternalSecret"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// ExternalSecretSpec defines the desired state of ExternalSecret.
+	spec!: #ExternalSecretSpec
+}
+
+// ExternalSecretSpec defines the desired state of ExternalSecret.
+#ExternalSecretSpec: {
+	// Data defines the connection between the Kubernetes Secret keys
+	// and the Provider data
+	data?: [...{
+		// RemoteRef points to the remote secret and defines
+		// which secret (version/property/..) to fetch.
+		remoteRef: {
+			// Used to define a conversion Strategy
+			conversionStrategy?: "Default" | "Unicode" | *"Default"
+
+			// Used to define a decoding Strategy
+			decodingStrategy?: "Auto" | "Base64" | "Base64URL" | "None" | *"None"
+
+			// Key is the key used in the Provider, mandatory
+			key: string
+
+			// Policy for fetching tags/labels from provider secrets, possible
+			// options are Fetch, None. Defaults to None
+			metadataPolicy?: "None" | "Fetch" | *"None"
+
+			// Used to select a specific property of the Provider value (if a
+			// map), if supported
+			property?: string
+
+			// Used to select a specific version of the Provider value, if
+			// supported
+			version?: string
+		}
+
+		// SecretKey defines the key in which the controller stores
+		// the value. This is the key in the Kind=Secret
+		secretKey: string
+
+		// SourceRef allows you to override the source
+		// from which the value will pulled from.
+		sourceRef?: struct.MaxFields(1) & {
+			// GeneratorRef points to a generator custom resource.
+			//
+			//
+			// Deprecated: The generatorRef is not implemented in .data[].
+			// this will be removed with v1.
+			generatorRef?: {
+				// Specify the apiVersion of the generator resource
+				apiVersion?: string | *"generators.external-secrets.io/v1alpha1"
+
+				// Specify the Kind of the resource, e.g. Password, ACRAccessToken
+				// etc.
+				kind: string
+
+				// Specify the name of the generator resource
+				name: string
+			}
+
+			// SecretStoreRef defines which SecretStore to fetch the
+			// ExternalSecret data.
+			storeRef?: {
+				// Kind of the SecretStore resource (SecretStore or
+				// ClusterSecretStore)
+				// Defaults to `SecretStore`
+				kind?: string
+
+				// Name of the SecretStore resource
+				name: string
+			}
+		}
+	}]
+
+	// DataFrom is used to fetch all properties from a specific
+	// Provider data
+	// If multiple entries are specified, the Secret keys are merged
+	// in the specified order
+	dataFrom?: [...{
+		// Used to extract multiple key/value pairs from one secret
+		// Note: Extract does not support sourceRef.Generator or
+		// sourceRef.GeneratorRef.
+		extract?: {
+			// Used to define a conversion Strategy
+			conversionStrategy?: "Default" | "Unicode" | *"Default"
+
+			// Used to define a decoding Strategy
+			decodingStrategy?: "Auto" | "Base64" | "Base64URL" | "None" | *"None"
+
+			// Key is the key used in the Provider, mandatory
+			key: string
+
+			// Policy for fetching tags/labels from provider secrets, possible
+			// options are Fetch, None. Defaults to None
+			metadataPolicy?: "None" | "Fetch" | *"None"
+
+			// Used to select a specific property of the Provider value (if a
+			// map), if supported
+			property?: string
+
+			// Used to select a specific version of the Provider value, if
+			// supported
+			version?: string
+		}
+
+		// Used to find secrets based on tags or regular expressions
+		// Note: Find does not support sourceRef.Generator or
+		// sourceRef.GeneratorRef.
+		find?: {
+			// Used to define a conversion Strategy
+			conversionStrategy?: "Default" | "Unicode" | *"Default"
+
+			// Used to define a decoding Strategy
+			decodingStrategy?: "Auto" | "Base64" | "Base64URL" | "None" | *"None"
+			name?: {
+				// Finds secrets base
+				regexp?: string
+			}
+
+			// A root path to start the find operations.
+			path?: string
+
+			// Find secrets based on tags.
+			tags?: {
+				[string]: string
+			}
+		}
+
+		// Used to rewrite secret Keys after getting them from the secret
+		// Provider
+		// Multiple Rewrite operations can be provided. They are applied
+		// in a layered order (first to last)
+		rewrite?: [...{
+			// Used to rewrite with regular expressions.
+			// The resulting key will be the output of a regexp.ReplaceAll
+			// operation.
+			regexp?: {
+				// Used to define the regular expression of a re.Compiler.
+				source: string
+
+				// Used to define the target pattern of a ReplaceAll operation.
+				target: string
+			}
+			transform?: {
+				// Used to define the template to apply on the secret name.
+				// `.value ` will specify the secret name in the template.
+				template: string
+			}
+		}]
+
+		// SourceRef points to a store or generator
+		// which contains secret values ready to use.
+		// Use this in combination with Extract or Find pull values out of
+		// a specific SecretStore.
+		// When sourceRef points to a generator Extract or Find is not
+		// supported.
+		// The generator returns a static map of values
+		sourceRef?: struct.MaxFields(1) & {
+			// GeneratorRef points to a generator custom resource.
+			generatorRef?: {
+				// Specify the apiVersion of the generator resource
+				apiVersion?: string | *"generators.external-secrets.io/v1alpha1"
+
+				// Specify the Kind of the resource, e.g. Password, ACRAccessToken
+				// etc.
+				kind: string
+
+				// Specify the name of the generator resource
+				name: string
+			}
+
+			// SecretStoreRef defines which SecretStore to fetch the
+			// ExternalSecret data.
+			storeRef?: {
+				// Kind of the SecretStore resource (SecretStore or
+				// ClusterSecretStore)
+				// Defaults to `SecretStore`
+				kind?: string
+
+				// Name of the SecretStore resource
+				name: string
+			}
+		}
+	}]
+
+	// RefreshInterval is the amount of time before the values are
+	// read again from the SecretStore provider
+	// Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
+	// May be set to zero to fetch and create it once. Defaults to 1h.
+	refreshInterval?: string | *"1h"
+
+	// SecretStoreRef defines which SecretStore to fetch the
+	// ExternalSecret data.
+	secretStoreRef?: {
+		// Kind of the SecretStore resource (SecretStore or
+		// ClusterSecretStore)
+		// Defaults to `SecretStore`
+		kind?: string
+
+		// Name of the SecretStore resource
+		name: string
+	}
+
+	// ExternalSecretTarget defines the Kubernetes Secret to be
+	// created
+	// There can be only one target per ExternalSecret.
+	target?: {
+		// CreationPolicy defines rules on how to create the resulting
+		// Secret
+		// Defaults to 'Owner'
+		creationPolicy?: "Owner" | "Orphan" | "Merge" | "None" | *"Owner"
+
+		// DeletionPolicy defines rules on how to delete the resulting
+		// Secret
+		// Defaults to 'Retain'
+		deletionPolicy?: "Delete" | "Merge" | "Retain" | *"Retain"
+
+		// Immutable defines if the final secret will be immutable
+		immutable?: bool
+
+		// Name defines the name of the Secret resource to be managed
+		// This field is immutable
+		// Defaults to the .metadata.name of the ExternalSecret resource
+		name?: string
+
+		// Template defines a blueprint for the created Secret resource.
+		template?: {
+			data?: {
+				[string]: string
+			}
+
+			// EngineVersion specifies the template engine version
+			// that should be used to compile/execute the
+			// template specified in .data and .templateFrom[].
+			engineVersion?: "v1" | "v2" | *"v2"
+			mergePolicy?:   "Replace" | "Merge" | *"Replace"
+
+			// ExternalSecretTemplateMetadata defines metadata fields for the
+			// Secret blueprint.
+			metadata?: {
+				annotations?: {
+					[string]: string
+				}
+				labels?: {
+					[string]: string
+				}
+			}
+			templateFrom?: [...{
+				configMap?: {
+					items: [...{
+						key:         string
+						templateAs?: "Values" | "KeysAndValues" | *"Values"
+					}]
+					name: string
+				}
+				literal?: string
+				secret?: {
+					items: [...{
+						key:         string
+						templateAs?: "Values" | "KeysAndValues" | *"Values"
+					}]
+					name: string
+				}
+				target?: "Data" | "Annotations" | "Labels" | *"Data"
+			}]
+			type?: string
+		}
+	} | *{
+		creationPolicy: "Owner"
+		deletionPolicy: "Retain"
+	}
+}

docs/examples/cue.mod/gen/external-secrets.io/pushsecret/v1alpha1/types_gen.cue

@@ -0,0 +1,171 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-secrets-eso/prod-secrets-eso.gen.yaml
+
+package v1alpha1
+
+import "strings"
+
+#PushSecret: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object.
+	// Servers should convert recognized schemas to the latest
+	// internal value, and
+	// may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "external-secrets.io/v1alpha1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents.
+	// Servers may infer this from the endpoint the client submits
+	// requests to.
+	// Cannot be updated.
+	// In CamelCase.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "PushSecret"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// PushSecretSpec configures the behavior of the PushSecret.
+	spec!: #PushSecretSpec
+}
+
+// PushSecretSpec configures the behavior of the PushSecret.
+#PushSecretSpec: {
+	// Secret Data that should be pushed to providers
+	data?: [...{
+		// Match a given Secret Key to be pushed to the provider.
+		match: {
+			// Remote Refs to push to providers.
+			remoteRef: {
+				// Name of the property in the resulting secret
+				property?: string
+
+				// Name of the resulting provider secret.
+				remoteKey: string
+			}
+
+			// Secret Key to be pushed
+			secretKey?: string
+		}
+
+		// Metadata is metadata attached to the secret.
+		// The structure of metadata is provider specific, please look it
+		// up in the provider documentation.
+		metadata?: _
+	}]
+
+	// Deletion Policy to handle Secrets in the provider. Possible
+	// Values: "Delete/None". Defaults to "None".
+	deletionPolicy?: "Delete" | "None" | *"None"
+
+	// The Interval to which External Secrets will try to push a
+	// secret definition
+	refreshInterval?: string
+	secretStoreRefs: [...{
+		// Kind of the SecretStore resource (SecretStore or
+		// ClusterSecretStore)
+		// Defaults to `SecretStore`
+		kind?: string | *"SecretStore"
+
+		// Optionally, sync to secret stores with label selector
+		labelSelector?: {
+			// matchExpressions is a list of label selector requirements. The
+			// requirements are ANDed.
+			matchExpressions?: [...{
+				// key is the label key that the selector applies to.
+				key: string
+
+				// operator represents a key's relationship to a set of values.
+				// Valid operators are In, NotIn, Exists and DoesNotExist.
+				operator: string
+
+				// values is an array of string values. If the operator is In or
+				// NotIn,
+				// the values array must be non-empty. If the operator is Exists
+				// or DoesNotExist,
+				// the values array must be empty. This array is replaced during a
+				// strategic
+				// merge patch.
+				values?: [...string]
+			}]
+
+			// matchLabels is a map of {key,value} pairs. A single {key,value}
+			// in the matchLabels
+			// map is equivalent to an element of matchExpressions, whose key
+			// field is "key", the
+			// operator is "In", and the values array contains only "value".
+			// The requirements are ANDed.
+			matchLabels?: {
+				[string]: string
+			}
+		}
+
+		// Optionally, sync to the SecretStore of the given name
+		name?: string
+	}]
+	selector: {
+		secret: {
+			// Name of the Secret. The Secret must exist in the same namespace
+			// as the PushSecret manifest.
+			name: string
+		}
+	}
+
+	// Template defines a blueprint for the created Secret resource.
+	template?: {
+		data?: {
+			[string]: string
+		}
+
+		// EngineVersion specifies the template engine version
+		// that should be used to compile/execute the
+		// template specified in .data and .templateFrom[].
+		engineVersion?: "v1" | "v2" | *"v2"
+		mergePolicy?:   "Replace" | "Merge" | *"Replace"
+
+		// ExternalSecretTemplateMetadata defines metadata fields for the
+		// Secret blueprint.
+		metadata?: {
+			annotations?: {
+				[string]: string
+			}
+			labels?: {
+				[string]: string
+			}
+		}
+		templateFrom?: [...{
+			configMap?: {
+				items: [...{
+					key:         string
+					templateAs?: "Values" | "KeysAndValues" | *"Values"
+				}]
+				name: string
+			}
+			literal?: string
+			secret?: {
+				items: [...{
+					key:         string
+					templateAs?: "Values" | "KeysAndValues" | *"Values"
+				}]
+				name: string
+			}
+			target?: "Data" | "Annotations" | "Labels" | *"Data"
+		}]
+		type?: string
+	}
+}

docs/examples/cue.mod/gen/generators.external-secrets.io/acraccesstoken/v1alpha1/types_gen.cue

@@ -0,0 +1,167 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-secrets-eso/prod-secrets-eso.gen.yaml
+
+package v1alpha1
+
+import "strings"
+
+// ACRAccessToken returns a Azure Container Registry token
+// that can be used for pushing/pulling images.
+// Note: by default it will return an ACR Refresh Token with full
+// access
+// (depending on the identity).
+// This can be scoped down to the repository level using
+// .spec.scope.
+// In case scope is defined it will return an ACR Access Token.
+//
+//
+// See docs:
+// https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md
+#ACRAccessToken: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object.
+	// Servers should convert recognized schemas to the latest
+	// internal value, and
+	// may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "generators.external-secrets.io/v1alpha1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents.
+	// Servers may infer this from the endpoint the client submits
+	// requests to.
+	// Cannot be updated.
+	// In CamelCase.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "ACRAccessToken"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// ACRAccessTokenSpec defines how to generate the access token
+	// e.g. how to authenticate and which registry to use.
+	// see:
+	// https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview
+	spec!: #ACRAccessTokenSpec
+}
+
+// ACRAccessTokenSpec defines how to generate the access token
+// e.g. how to authenticate and which registry to use.
+// see:
+// https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview
+#ACRAccessTokenSpec: {
+	auth: {
+		managedIdentity?: {
+			// If multiple Managed Identity is assigned to the pod, you can
+			// select the one to be used
+			identityId?: string
+		}
+		servicePrincipal?: {
+			// Configuration used to authenticate with Azure using static
+			// credentials stored in a Kind=Secret.
+			secretRef: {
+				// The Azure clientId of the service principle used for
+				// authentication.
+				clientId?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+
+				// The Azure ClientSecret of the service principle used for
+				// authentication.
+				clientSecret?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+			}
+		}
+		workloadIdentity?: {
+			// ServiceAccountRef specified the service account
+			// that should be used when authenticating with WorkloadIdentity.
+			serviceAccountRef?: {
+				// Audience specifies the `aud` claim for the service account
+				// token
+				// If the service account uses a well-known annotation for e.g.
+				// IRSA or GCP Workload Identity
+				// then this audiences will be appended to the list
+				audiences?: [...string]
+
+				// The name of the ServiceAccount resource being referred to.
+				name: string
+
+				// Namespace of the resource being referred to. Ignored if
+				// referent is not cluster-scoped. cluster-scoped defaults
+				// to the namespace of the referent.
+				namespace?: string
+			}
+		}
+	}
+
+	// EnvironmentType specifies the Azure cloud environment endpoints
+	// to use for
+	// connecting and authenticating with Azure. By default it points
+	// to the public cloud AAD endpoint.
+	// The following endpoints are available, also see here:
+	// https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
+	// PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
+	environmentType?: "PublicCloud" | "USGovernmentCloud" | "ChinaCloud" | "GermanCloud" | *"PublicCloud"
+
+	// the domain name of the ACR registry
+	// e.g. foobarexample.azurecr.io
+	registry: string
+
+	// Define the scope for the access token, e.g. pull/push access
+	// for a repository.
+	// if not provided it will return a refresh token that has full
+	// scope.
+	// Note: you need to pin it down to the repository level, there is
+	// no wildcard available.
+	//
+	//
+	// examples:
+	// repository:my-repository:pull,push
+	// repository:my-repository:pull
+	//
+	//
+	// see docs for details:
+	// https://docs.docker.com/registry/spec/auth/scope/
+	scope?: string
+
+	// TenantID configures the Azure Tenant to send requests to.
+	// Required for ServicePrincipal auth type.
+	tenantId?: string
+}

docs/examples/cue.mod/gen/generators.external-secrets.io/ecrauthorizationtoken/v1alpha1/types_gen.cue

@@ -0,0 +1,142 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-secrets-eso/prod-secrets-eso.gen.yaml
+
+package v1alpha1
+
+import "strings"
+
+// ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to
+// retrieve an
+// authorization token.
+// The authorization token is valid for 12 hours.
+// The authorizationToken returned is a base64 encoded string that
+// can be decoded
+// and used in a docker login command to authenticate to a
+// registry.
+// For more information, see Registry authentication
+// (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth)
+// in the Amazon Elastic Container Registry User Guide.
+#ECRAuthorizationToken: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object.
+	// Servers should convert recognized schemas to the latest
+	// internal value, and
+	// may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "generators.external-secrets.io/v1alpha1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents.
+	// Servers may infer this from the endpoint the client submits
+	// requests to.
+	// Cannot be updated.
+	// In CamelCase.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "ECRAuthorizationToken"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+	spec!: #ECRAuthorizationTokenSpec
+}
+#ECRAuthorizationTokenSpec: {
+	// Auth defines how to authenticate with AWS
+	auth?: {
+		jwt?: {
+			// A reference to a ServiceAccount resource.
+			serviceAccountRef?: {
+				// Audience specifies the `aud` claim for the service account
+				// token
+				// If the service account uses a well-known annotation for e.g.
+				// IRSA or GCP Workload Identity
+				// then this audiences will be appended to the list
+				audiences?: [...string]
+
+				// The name of the ServiceAccount resource being referred to.
+				name: string
+
+				// Namespace of the resource being referred to. Ignored if
+				// referent is not cluster-scoped. cluster-scoped defaults
+				// to the namespace of the referent.
+				namespace?: string
+			}
+		}
+
+		// AWSAuthSecretRef holds secret references for AWS credentials
+		// both AccessKeyID and SecretAccessKey must be defined in order
+		// to properly authenticate.
+		secretRef?: {
+			// The AccessKeyID is used for authentication
+			accessKeyIDSecretRef?: {
+				// The key of the entry in the Secret resource's `data` field to
+				// be used. Some instances of this field may be
+				// defaulted, in others it may be required.
+				key?: string
+
+				// The name of the Secret resource being referred to.
+				name?: string
+
+				// Namespace of the resource being referred to. Ignored if
+				// referent is not cluster-scoped. cluster-scoped defaults
+				// to the namespace of the referent.
+				namespace?: string
+			}
+
+			// The SecretAccessKey is used for authentication
+			secretAccessKeySecretRef?: {
+				// The key of the entry in the Secret resource's `data` field to
+				// be used. Some instances of this field may be
+				// defaulted, in others it may be required.
+				key?: string
+
+				// The name of the Secret resource being referred to.
+				name?: string
+
+				// Namespace of the resource being referred to. Ignored if
+				// referent is not cluster-scoped. cluster-scoped defaults
+				// to the namespace of the referent.
+				namespace?: string
+			}
+
+			// The SessionToken used for authentication
+			// This must be defined if AccessKeyID and SecretAccessKey are
+			// temporary credentials
+			// see:
+			// https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
+			sessionTokenSecretRef?: {
+				// The key of the entry in the Secret resource's `data` field to
+				// be used. Some instances of this field may be
+				// defaulted, in others it may be required.
+				key?: string
+
+				// The name of the Secret resource being referred to.
+				name?: string
+
+				// Namespace of the resource being referred to. Ignored if
+				// referent is not cluster-scoped. cluster-scoped defaults
+				// to the namespace of the referent.
+				namespace?: string
+			}
+		}
+	}
+
+	// Region specifies the region to operate in.
+	region: string
+
+	// You can assume a role before making calls to the
+	// desired AWS service.
+	role?: string
+}

docs/examples/cue.mod/gen/generators.external-secrets.io/fake/v1alpha1/types_gen.cue

@@ -0,0 +1,62 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-secrets-eso/prod-secrets-eso.gen.yaml
+
+package v1alpha1
+
+import "strings"
+
+// Fake generator is used for testing. It lets you define
+// a static set of credentials that is always returned.
+#Fake: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object.
+	// Servers should convert recognized schemas to the latest
+	// internal value, and
+	// may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "generators.external-secrets.io/v1alpha1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents.
+	// Servers may infer this from the endpoint the client submits
+	// requests to.
+	// Cannot be updated.
+	// In CamelCase.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Fake"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// FakeSpec contains the static data.
+	spec!: #FakeSpec
+}
+
+// FakeSpec contains the static data.
+#FakeSpec: {
+	// Used to select the correct ESO controller (think:
+	// ingress.ingressClassName)
+	// The ESO controller is instantiated with a specific controller
+	// name and filters VDS based on this property
+	controller?: string
+
+	// Data defines the static data returned
+	// by this generator.
+	data?: {
+		[string]: string
+	}
+}

docs/examples/cue.mod/gen/generators.external-secrets.io/gcraccesstoken/v1alpha1/types_gen.cue

@@ -0,0 +1,93 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-secrets-eso/prod-secrets-eso.gen.yaml
+
+package v1alpha1
+
+import "strings"
+
+// GCRAccessToken generates an GCP access token
+// that can be used to authenticate with GCR.
+#GCRAccessToken: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object.
+	// Servers should convert recognized schemas to the latest
+	// internal value, and
+	// may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "generators.external-secrets.io/v1alpha1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents.
+	// Servers may infer this from the endpoint the client submits
+	// requests to.
+	// Cannot be updated.
+	// In CamelCase.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "GCRAccessToken"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+	spec!: #GCRAccessTokenSpec
+}
+#GCRAccessTokenSpec: {
+	// Auth defines the means for authenticating with GCP
+	auth: {
+		secretRef?: {
+			// The SecretAccessKey is used for authentication
+			secretAccessKeySecretRef?: {
+				// The key of the entry in the Secret resource's `data` field to
+				// be used. Some instances of this field may be
+				// defaulted, in others it may be required.
+				key?: string
+
+				// The name of the Secret resource being referred to.
+				name?: string
+
+				// Namespace of the resource being referred to. Ignored if
+				// referent is not cluster-scoped. cluster-scoped defaults
+				// to the namespace of the referent.
+				namespace?: string
+			}
+		}
+		workloadIdentity?: {
+			clusterLocation:   string
+			clusterName:       string
+			clusterProjectID?: string
+
+			// A reference to a ServiceAccount resource.
+			serviceAccountRef: {
+				// Audience specifies the `aud` claim for the service account
+				// token
+				// If the service account uses a well-known annotation for e.g.
+				// IRSA or GCP Workload Identity
+				// then this audiences will be appended to the list
+				audiences?: [...string]
+
+				// The name of the ServiceAccount resource being referred to.
+				name: string
+
+				// Namespace of the resource being referred to. Ignored if
+				// referent is not cluster-scoped. cluster-scoped defaults
+				// to the namespace of the referent.
+				namespace?: string
+			}
+		}
+	}
+
+	// ProjectID defines which project to use to authenticate with
+	projectID: string
+}

docs/examples/cue.mod/gen/generators.external-secrets.io/password/v1alpha1/types_gen.cue

@@ -0,0 +1,77 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-secrets-eso/prod-secrets-eso.gen.yaml
+
+package v1alpha1
+
+import "strings"
+
+// Password generates a random password based on the
+// configuration parameters in spec.
+// You can specify the length, characterset and other attributes.
+#Password: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object.
+	// Servers should convert recognized schemas to the latest
+	// internal value, and
+	// may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "generators.external-secrets.io/v1alpha1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents.
+	// Servers may infer this from the endpoint the client submits
+	// requests to.
+	// Cannot be updated.
+	// In CamelCase.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Password"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// PasswordSpec controls the behavior of the password generator.
+	spec!: #PasswordSpec
+}
+
+// PasswordSpec controls the behavior of the password generator.
+#PasswordSpec: {
+	// set AllowRepeat to true to allow repeating characters.
+	allowRepeat: bool | *false
+
+	// Digits specifies the number of digits in the generated
+	// password. If omitted it defaults to 25% of the length of the
+	// password
+	digits?: int
+
+	// Length of the password to be generated.
+	// Defaults to 24
+	length: int | *24
+
+	// Set NoUpper to disable uppercase characters
+	noUpper: bool | *false
+
+	// SymbolCharacters specifies the special characters that should
+	// be used
+	// in the generated password.
+	symbolCharacters?: string
+
+	// Symbols specifies the number of symbol characters in the
+	// generated
+	// password. If omitted it defaults to 25% of the length of the
+	// password
+	symbols?: int
+}

docs/examples/cue.mod/gen/generators.external-secrets.io/vaultdynamicsecret/v1alpha1/types_gen.cue

@@ -0,0 +1,609 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-secrets-eso/prod-secrets-eso.gen.yaml
+
+package v1alpha1
+
+import "strings"
+
+#VaultDynamicSecret: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object.
+	// Servers should convert recognized schemas to the latest
+	// internal value, and
+	// may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "generators.external-secrets.io/v1alpha1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents.
+	// Servers may infer this from the endpoint the client submits
+	// requests to.
+	// Cannot be updated.
+	// In CamelCase.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "VaultDynamicSecret"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+	spec!: #VaultDynamicSecretSpec
+}
+#VaultDynamicSecretSpec: {
+	// Used to select the correct ESO controller (think:
+	// ingress.ingressClassName)
+	// The ESO controller is instantiated with a specific controller
+	// name and filters VDS based on this property
+	controller?: string
+
+	// Vault API method to use (GET/POST/other)
+	method?: string
+
+	// Parameters to pass to Vault write (for non-GET methods)
+	parameters?: _
+
+	// Vault path to obtain the dynamic secret from
+	path: string
+
+	// Vault provider common spec
+	provider: {
+		// Auth configures how secret-manager authenticates with the Vault
+		// server.
+		auth: {
+			// AppRole authenticates with Vault using the App Role auth
+			// mechanism,
+			// with the role and secret stored in a Kubernetes Secret
+			// resource.
+			appRole?: {
+				// Path where the App Role authentication backend is mounted
+				// in Vault, e.g: "approle"
+				path: string | *"approle"
+
+				// RoleID configured in the App Role authentication backend when
+				// setting
+				// up the authentication backend in Vault.
+				roleId?: string
+
+				// Reference to a key in a Secret that contains the App Role ID
+				// used
+				// to authenticate with Vault.
+				// The `key` field must be specified and denotes which entry
+				// within the Secret
+				// resource is used as the app role id.
+				roleRef?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+
+				// Reference to a key in a Secret that contains the App Role
+				// secret used
+				// to authenticate with Vault.
+				// The `key` field must be specified and denotes which entry
+				// within the Secret
+				// resource is used as the app role secret.
+				secretRef: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+			}
+
+			// Cert authenticates with TLS Certificates by passing client
+			// certificate, private key and ca certificate
+			// Cert authentication method
+			cert?: {
+				// ClientCert is a certificate to authenticate using the Cert
+				// Vault
+				// authentication method
+				clientCert?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+
+				// SecretRef to a key in a Secret resource containing client
+				// private key to
+				// authenticate with Vault using the Cert authentication method
+				secretRef?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+			}
+
+			// Iam authenticates with vault by passing a special AWS request
+			// signed with AWS IAM credentials
+			// AWS IAM authentication method
+			iam?: {
+				// AWS External ID set on assumed IAM roles
+				externalID?: string
+				jwt?: {
+					// A reference to a ServiceAccount resource.
+					serviceAccountRef?: {
+						// Audience specifies the `aud` claim for the service account
+						// token
+						// If the service account uses a well-known annotation for e.g.
+						// IRSA or GCP Workload Identity
+						// then this audiences will be appended to the list
+						audiences?: [...string]
+
+						// The name of the ServiceAccount resource being referred to.
+						name: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+				}
+
+				// Path where the AWS auth method is enabled in Vault, e.g: "aws"
+				path?: string
+
+				// AWS region
+				region?: string
+
+				// This is the AWS role to be assumed before talking to vault
+				role?: string
+
+				// Specify credentials in a Secret object
+				secretRef?: {
+					// The AccessKeyID is used for authentication
+					accessKeyIDSecretRef?: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+
+					// The SecretAccessKey is used for authentication
+					secretAccessKeySecretRef?: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+
+					// The SessionToken used for authentication
+					// This must be defined if AccessKeyID and SecretAccessKey are
+					// temporary credentials
+					// see:
+					// https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
+					sessionTokenSecretRef?: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+				}
+
+				// X-Vault-AWS-IAM-Server-ID is an additional header used by Vault
+				// IAM auth method to mitigate against different types of replay
+				// attacks. More details here:
+				// https://developer.hashicorp.com/vault/docs/auth/aws
+				vaultAwsIamServerID?: string
+
+				// Vault Role. In vault, a role describes an identity with a set
+				// of permissions, groups, or policies you want to attach a user
+				// of the secrets engine
+				vaultRole: string
+			}
+
+			// Jwt authenticates with Vault by passing role and JWT token
+			// using the
+			// JWT/OIDC authentication method
+			jwt?: {
+				// Optional ServiceAccountToken specifies the Kubernetes service
+				// account for which to request
+				// a token for with the `TokenRequest` API.
+				kubernetesServiceAccountToken?: {
+					// Optional audiences field that will be used to request a
+					// temporary Kubernetes service
+					// account token for the service account referenced by
+					// `serviceAccountRef`.
+					// Defaults to a single audience `vault` it not specified.
+					// Deprecated: use serviceAccountRef.Audiences instead
+					audiences?: [...string]
+
+					// Optional expiration time in seconds that will be used to
+					// request a temporary
+					// Kubernetes service account token for the service account
+					// referenced by
+					// `serviceAccountRef`.
+					// Deprecated: this will be removed in the future.
+					// Defaults to 10 minutes.
+					expirationSeconds?: int
+
+					// Service account field containing the name of a kubernetes
+					// ServiceAccount.
+					serviceAccountRef: {
+						// Audience specifies the `aud` claim for the service account
+						// token
+						// If the service account uses a well-known annotation for e.g.
+						// IRSA or GCP Workload Identity
+						// then this audiences will be appended to the list
+						audiences?: [...string]
+
+						// The name of the ServiceAccount resource being referred to.
+						name: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+				}
+
+				// Path where the JWT authentication backend is mounted
+				// in Vault, e.g: "jwt"
+				path: string | *"jwt"
+
+				// Role is a JWT role to authenticate using the JWT/OIDC Vault
+				// authentication method
+				role?: string
+
+				// Optional SecretRef that refers to a key in a Secret resource
+				// containing JWT token to
+				// authenticate with Vault using the JWT/OIDC authentication
+				// method.
+				secretRef?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+			}
+
+			// Kubernetes authenticates with Vault by passing the
+			// ServiceAccount
+			// token stored in the named Secret resource to the Vault server.
+			kubernetes?: {
+				// Path where the Kubernetes authentication backend is mounted in
+				// Vault, e.g:
+				// "kubernetes"
+				mountPath: string | *"kubernetes"
+
+				// A required field containing the Vault Role to assume. A Role
+				// binds a
+				// Kubernetes ServiceAccount with a set of Vault policies.
+				role: string
+
+				// Optional secret field containing a Kubernetes ServiceAccount
+				// JWT used
+				// for authenticating with Vault. If a name is specified without a
+				// key,
+				// `token` is the default. If one is not specified, the one bound
+				// to
+				// the controller will be used.
+				secretRef?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+
+				// Optional service account field containing the name of a
+				// kubernetes ServiceAccount.
+				// If the service account is specified, the service account secret
+				// token JWT will be used
+				// for authenticating with Vault. If the service account selector
+				// is not supplied,
+				// the secretRef will be used instead.
+				serviceAccountRef?: {
+					// Audience specifies the `aud` claim for the service account
+					// token
+					// If the service account uses a well-known annotation for e.g.
+					// IRSA or GCP Workload Identity
+					// then this audiences will be appended to the list
+					audiences?: [...string]
+
+					// The name of the ServiceAccount resource being referred to.
+					name: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+			}
+
+			// Ldap authenticates with Vault by passing username/password pair
+			// using
+			// the LDAP authentication method
+			ldap?: {
+				// Path where the LDAP authentication backend is mounted
+				// in Vault, e.g: "ldap"
+				path: string | *"ldap"
+
+				// SecretRef to a key in a Secret resource containing password for
+				// the LDAP
+				// user used to authenticate with Vault using the LDAP
+				// authentication
+				// method
+				secretRef?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+
+				// Username is a LDAP user name used to authenticate using the
+				// LDAP Vault
+				// authentication method
+				username: string
+			}
+
+			// TokenSecretRef authenticates with Vault by presenting a token.
+			tokenSecretRef?: {
+				// The key of the entry in the Secret resource's `data` field to
+				// be used. Some instances of this field may be
+				// defaulted, in others it may be required.
+				key?: string
+
+				// The name of the Secret resource being referred to.
+				name?: string
+
+				// Namespace of the resource being referred to. Ignored if
+				// referent is not cluster-scoped. cluster-scoped defaults
+				// to the namespace of the referent.
+				namespace?: string
+			}
+
+			// UserPass authenticates with Vault by passing username/password
+			// pair
+			userPass?: {
+				// Path where the UserPassword authentication backend is mounted
+				// in Vault, e.g: "user"
+				path: string | *"user"
+
+				// SecretRef to a key in a Secret resource containing password for
+				// the
+				// user used to authenticate with Vault using the UserPass
+				// authentication
+				// method
+				secretRef?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+
+				// Username is a user name used to authenticate using the UserPass
+				// Vault
+				// authentication method
+				username: string
+			}
+		}
+
+		// PEM encoded CA bundle used to validate Vault server
+		// certificate. Only used
+		// if the Server URL is using HTTPS protocol. This parameter is
+		// ignored for
+		// plain HTTP protocol connection. If not set the system root
+		// certificates
+		// are used to validate the TLS connection.
+		caBundle?: string
+
+		// The provider for the CA bundle to use to validate Vault server
+		// certificate.
+		caProvider?: {
+			// The key where the CA certificate can be found in the Secret or
+			// ConfigMap.
+			key?: string
+
+			// The name of the object located at the provider type.
+			name: string
+
+			// The namespace the Provider type is in.
+			// Can only be defined when used in a ClusterSecretStore.
+			namespace?: string
+
+			// The type of provider to use such as "Secret", or "ConfigMap".
+			type: "Secret" | "ConfigMap"
+		}
+
+		// ForwardInconsistent tells Vault to forward read-after-write
+		// requests to the Vault
+		// leader instead of simply retrying within a loop. This can
+		// increase performance if
+		// the option is enabled serverside.
+		// https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
+		forwardInconsistent?: bool
+
+		// Name of the vault namespace. Namespaces is a set of features
+		// within Vault Enterprise that allows
+		// Vault environments to support Secure Multi-tenancy. e.g: "ns1".
+		// More about namespaces can be found here
+		// https://www.vaultproject.io/docs/enterprise/namespaces
+		namespace?: string
+
+		// Path is the mount path of the Vault KV backend endpoint, e.g:
+		// "secret". The v2 KV secret engine version specific "/data" path
+		// suffix
+		// for fetching secrets from Vault is optional and will be
+		// appended
+		// if not present in specified path.
+		path?: string
+
+		// ReadYourWrites ensures isolated read-after-write semantics by
+		// providing discovered cluster replication states in each
+		// request.
+		// More information about eventual consistency in Vault can be
+		// found here
+		// https://www.vaultproject.io/docs/enterprise/consistency
+		readYourWrites?: bool
+
+		// Server is the connection address for the Vault server, e.g:
+		// "https://vault.example.com:8200".
+		server: string
+
+		// The configuration used for client side related TLS
+		// communication, when the Vault server
+		// requires mutual authentication. Only used if the Server URL is
+		// using HTTPS protocol.
+		// This parameter is ignored for plain HTTP protocol connection.
+		// It's worth noting this configuration is different from the "TLS
+		// certificates auth method",
+		// which is available under the `auth.cert` section.
+		tls?: {
+			// CertSecretRef is a certificate added to the transport layer
+			// when communicating with the Vault server.
+			// If no key for the Secret is specified, external-secret will
+			// default to 'tls.crt'.
+			certSecretRef?: {
+				// The key of the entry in the Secret resource's `data` field to
+				// be used. Some instances of this field may be
+				// defaulted, in others it may be required.
+				key?: string
+
+				// The name of the Secret resource being referred to.
+				name?: string
+
+				// Namespace of the resource being referred to. Ignored if
+				// referent is not cluster-scoped. cluster-scoped defaults
+				// to the namespace of the referent.
+				namespace?: string
+			}
+
+			// KeySecretRef to a key in a Secret resource containing client
+			// private key
+			// added to the transport layer when communicating with the Vault
+			// server.
+			// If no key for the Secret is specified, external-secret will
+			// default to 'tls.key'.
+			keySecretRef?: {
+				// The key of the entry in the Secret resource's `data` field to
+				// be used. Some instances of this field may be
+				// defaulted, in others it may be required.
+				key?: string
+
+				// The name of the Secret resource being referred to.
+				name?: string
+
+				// Namespace of the resource being referred to. Ignored if
+				// referent is not cluster-scoped. cluster-scoped defaults
+				// to the namespace of the referent.
+				namespace?: string
+			}
+		}
+
+		// Version is the Vault KV secret engine version. This can be
+		// either "v1" or
+		// "v2". Version defaults to "v2".
+		version?: "v1" | "v2" | *"v2"
+	}
+
+	// Result type defines which data is returned from the generator.
+	// By default it is the "data" section of the Vault API response.
+	// When using e.g. /auth/token/create the "data" section is empty
+	// but
+	// the "auth" section contains the generated token.
+	// Please refer to the vault docs regarding the result data
+	// structure.
+	resultType?: "Data" | "Auth" | *"Data"
+}

docs/examples/platforms/constraints.cue

@@ -1,4 +1 @@
 package holos
-
-// Constrain the output to one of the defined kinds.
-{} & #Output

docs/examples/platforms/platform.example.cue

@@ -1,7 +1,7 @@
 package holos
 
 // Copy this file to platform.site.cue and specify concrete values for your local site.
-_Platform: org: {
-	name: string | *"example"
+#Platform: org: {
+	name:   string | *"example"
 	domain: string | *"example.com"
 }

docs/examples/platforms/reference/projects/secrets/components/eso/inputkeys.cue

@@ -6,6 +6,3 @@ package holos
 	project: "secrets"
 	service: "eso"
 }
-
-// Holos component name
-metadata: name: #InstanceName

docs/examples/platforms/reference/projects/secrets/components/eso/output.cue

@@ -1,16 +1,16 @@
 package holos
 
-#Kustomization: spec: dependsOn: [{name: #InstancePrefix+"-namespaces"}]
+#Kustomization: spec: dependsOn: [{name: #InstancePrefix + "-namespaces"}]
 
 #HelmChart & {
 	values: installCrds: true
 	namespace: #TargetNamespace
 	chart: {
-		name: "external-secrets"
+		name:    "external-secrets"
 		version: "0.9.12"
 		repository: {
 			name: "external-secrets"
-		  url: "https://charts.external-secrets.io"
+			url:  "https://charts.external-secrets.io"
 		}
 	}
 }

docs/examples/platforms/reference/projects/secrets/components/namespaces/inputkeys.cue

@@ -0,0 +1,8 @@
+package holos
+
+#TargetNamespace: "external-secrets"
+
+#InputKeys: {
+	project: "secrets"
+	service: "eso"
+}

docs/examples/platforms/reference/projects/secrets/components/namespaces/namespaces.cue

@@ -6,5 +6,5 @@ metadata: name: #InstanceName
 objects: [
 	#Namespace & {
 		metadata: name: #TargetNamespace
-	}
+	},
 ]

docs/examples/platforms/reference/projects/secrets/components/validate/component.cue

@@ -0,0 +1,8 @@
+package holos
+
+objects: [
+	#SecretStore,
+	#ExternalSecret & {_name: "validate"},
+]
+
+{} & #KubernetesObjects

docs/examples/platforms/reference/projects/secrets/components/validate/inputkeys.cue

@@ -0,0 +1,8 @@
+package holos
+
+#TargetNamespace: "default"
+
+#InputKeys: {
+	project:   "secrets"
+	component: "validate"
+}

docs/examples/schema.cue

@@ -4,6 +4,8 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	ksv1 "kustomize.toolkit.fluxcd.io/kustomization/v1"
 	corev1 "k8s.io/api/core/v1"
+	es "external-secrets.io/externalsecret/v1beta1"
+	ss "external-secrets.io/secretstore/v1beta1"
 	"encoding/yaml"
 )
 
@@ -14,6 +16,7 @@ _apiVersion: "holos.run/v1alpha1"
 
 // #InstanceName is the name of the holos component instance being managed varying by stage, project, and component names.
 #InstanceName: "\(#InputKeys.stage)-\(#InputKeys.project)-\(#InputKeys.component)"
+
 // #InstancePrefix is the stage and project without the component name.  Useful for dependency management among multiple components for a project stage.
 #InstancePrefix: "\(#InputKeys.stage)-\(#InputKeys.project)"
 
@@ -33,27 +36,67 @@ _apiVersion: "holos.run/v1alpha1"
 // Kubernetes API Objects
 #Namespace: corev1.#Namespace & #NamespaceMeta
 #ConfigMap: corev1.#ConfigMap
+
+// Flux Kustomization CRDs
 #Kustomization: ksv1.#Kustomization & {
 	metadata: {
-		name: #InstanceName,
-		namespace: string | *"flux-system",
+		name:      #InstanceName
+		namespace: string | *"flux-system"
 	}
 	spec: ksv1.#KustomizationSpec & {
-		interval: string | *"30m0s"
-		path: string | *"deploy/clusters/\(#InputKeys.cluster)/components/\(#InstanceName)"
-		prune: bool | *true
+		interval:      string | *"30m0s"
+		path:          string | *"deploy/clusters/\(#InputKeys.cluster)/components/\(#InstanceName)"
+		prune:         bool | *true
 		retryInterval: string | *"2m0s"
 		sourceRef: {
 			kind: string | *"GitRepository"
 			name: string | *"flux-system"
 		}
 		timeout: string | *"3m0s"
-		wait: bool | *true
+		wait:    bool | *true
 	}
 }
 
+// External Secrets CRDs
+#ExternalSecret: es.#ExternalSecret & {
+	_name: string
+	metadata: {
+		namespace: string | *"default"
+		name:      _name
+	}
+	spec: {
+		dataFrom: [{extract: key: "ns/" + metadata.namespace + "/" + _name}]
+		refreshInterval: string | *"1h"
+		secretStoreRef: {
+			kind: string | *"SecretStore"
+			name: string | *"default"
+		}
+		target: {
+			creationPolicy: string | *"Owner"
+		}
+	}
+}
 
-// #InputKeys defines the set of cue tags required to build a cue holos component. The values are used as lookup keys into the _Platform data.
+#SecretStore: ss.#SecretStore & {
+	metadata: {
+		name:      string | *"default"
+		namespace: string | *#TargetNamespace
+	}
+	spec: provider: {
+		vault: {
+			auth: kubernetes: {
+				mountPath: #InputKeys.cluster
+				role:      string | *"default"
+				serviceAccountRef: name: string | *"default"
+			}
+			path:    string | *"kv/k8s"
+			server:  "https://vault.core." + #Platform.org.domain
+			version: string | *"v2"
+		}
+	}
+}
+
+// #InputKeys defines the set of cue tags required to build a cue holos component. The values are used as lookup keys into the #Platform data.
 #InputKeys: {
 	// cluster is usually the only key necessary when working with a component on the command line.
 	cluster: string @tag(cluster, type=string)
@@ -71,11 +114,11 @@ _apiVersion: "holos.run/v1alpha1"
 #Platform: {
 	// org holds user defined values scoped organization wide.  A platform has one and only one organization.
 	org: {
-		name: string
+		name:   string
 		domain: string
 	}
 	clusters: [ID=_]: {
-		name: string & ID
+		name:    string & ID
 		region?: string
 	}
 	stages: [ID=_]: {
@@ -89,8 +132,6 @@ _apiVersion: "holos.run/v1alpha1"
 		name: string & ID
 	}
 }
-// _PlatformData stores the values of the primary lookup table.
-_Platform: #Platform
 
 // #OutputTypeMeta is shared among all output types
 #OutputTypeMeta: {
@@ -111,6 +152,7 @@ _Platform: #Platform
 // #KubernetesObjectOutput is the output schema of a single component.
 #KubernetesObjects: {
 	#OutputTypeMeta
+
 	// kind KubernetesObjects provides a yaml text stream of kubernetes api objects in the out field.
 	kind: "KubernetesObjects"
 	// objects holds a list of the kubernetes api objects to configure.
@@ -122,16 +164,16 @@ _Platform: #Platform
 	// ksContent is the yaml representation of kustomization
 	ksContent: yaml.MarshalStream(ksObjects)
 	// platform returns the platform data structure for visibility / troubleshooting.
-	platform: _Platform
+	platform: #Platform
 }
 
 // #Chart defines an upstream helm chart
 #Chart: {
-	name: string
+	name:    string
 	version: string
 	repository: {
 		name: string
-		url: string
+		url:  string
 	}
 }
 
@@ -152,7 +194,7 @@ _Platform: #Platform
 	// valuesContent holds the values yaml
 	valuesContent: yaml.Marshal(values)
 	// platform returns the platform data structure for visibility / troubleshooting.
-	platform: _Platform
+	platform: #Platform
 	// instance returns the key values of the holos component instance.
 	instance: #InputKeys
 }
@@ -164,3 +206,6 @@ _Platform: #Platform
 }
 
 #Output: #PlatformSpec | #KubernetesObjects | #HelmChart
+
+// Holos component name
+metadata: name: #InstanceName

pkg/cli/build.go

@@ -9,22 +9,24 @@ import (
 	"strings"
 )
 
-// build is the internal implementation of the build cli command
-func build(cmd *cobra.Command, args []string) error {
-	build := builder.New(builder.Entrypoints(args))
-	results, err := build.Run(cmd.Context())
-	if err != nil {
-		return err
+// makeBuildRunFunc returns the internal implementation of the build cli command
+func makeBuildRunFunc(cfg *config.Config) runFunc {
+	return func(cmd *cobra.Command, args []string) error {
+		build := builder.New(builder.Entrypoints(args), builder.Cluster(cfg.ClusterName()))
+		results, err := build.Run(cmd.Context())
+		if err != nil {
+			return err
+		}
+		outs := make([]string, 0, len(results))
+		for _, result := range results {
+			outs = append(outs, result.Content)
+		}
+		out := strings.Join(outs, "---\n")
+		if _, err := fmt.Fprintln(cmd.OutOrStdout(), out); err != nil {
+			return wrapper.Wrap(err)
+		}
+		return nil
 	}
-	outs := make([]string, 0, len(results))
-	for _, result := range results {
-		outs = append(outs, result.Content)
-	}
-	out := strings.Join(outs, "---\n")
-	if _, err := fmt.Fprintln(cmd.OutOrStdout(), out); err != nil {
-		return wrapper.Wrap(err)
-	}
-	return nil
 }
 
 // newBuildCmd returns the build subcommand for the root command
@@ -32,6 +34,7 @@ func newBuildCmd(cfg *config.Config) *cobra.Command {
 	cmd := newCmd("build [directory...]")
 	cmd.Args = cobra.MinimumNArgs(1)
 	cmd.Short = "build kubernetes api objects from a directory"
-	cmd.RunE = build
+	cmd.RunE = makeBuildRunFunc(cfg)
+	cmd.Flags().AddGoFlagSet(cfg.ClusterFlagSet())
 	return cmd
 }

pkg/version/embedded/patch

@@ -1 +1 @@
-0
+1