(#30) Add https redirect overlay resources

This patch migrates the https redirect and the
istio-ingressgateway-loopback Service from
`holos-infra/components/core/istio/ingress/templates/deployment`

.golangci.yaml

@@ -0,0 +1,2 @@
+run:
+  timeout: 5m

cmd/holos/main.go

@@ -1,28 +1,10 @@
 package main
 
 import (
-	"context"
-	"errors"
 	"github.com/holos-run/holos/pkg/cli"
-	"github.com/holos-run/holos/pkg/config"
-	"github.com/holos-run/holos/pkg/wrapper"
-	"log/slog"
 	"os"
 )
 
 func main() {
-	cfg := config.New()
-	slog.SetDefault(cfg.Logger())
-	ctx := context.Background()
-	if err := cli.New(cfg).ExecuteContext(ctx); err != nil {
-		log := cfg.NewTopLevelLogger()
-		var errAt *wrapper.ErrorAt
-		const msg = "could not execute"
-		if ok := errors.As(err, &errAt); ok {
-			log.ErrorContext(ctx, msg, "err", errAt.Unwrap(), "loc", errAt.Source.Loc())
-		} else {
-			log.ErrorContext(ctx, msg, "err", err)
-		}
-		os.Exit(1)
-	}
+	os.Exit(cli.MakeMain()())
 }

cmd/holos/main_test.go

@@ -0,0 +1,20 @@
+package main
+
+import (
+	"github.com/holos-run/holos/pkg/cli"
+	"github.com/rogpeppe/go-internal/testscript"
+	"os"
+	"testing"
+)
+
+func TestMain(m *testing.M) {
+	os.Exit(testscript.RunMain(m, map[string]func() int{
+		"holos": cli.MakeMain(),
+	}))
+}
+
+func TestGetSecrets(t *testing.T) {
+	testscript.Run(t, testscript.Params{
+		Dir: "testdata",
+	})
+}

cmd/holos/testdata/constraints.txt

@@ -0,0 +1,42 @@
+# Want support for intermediary constraints
+exec holos build ./foo/... --log-level debug
+stdout '^bf2bc7f9-9ba0-4f9e-9bd2-9a205627eb0b$'
+stderr 'processing holos component kind Skip'
+
+-- cue.mod --
+package holos
+-- foo/constraints.cue --
+package holos
+
+metadata: name: "jeff"
+-- foo/bar/bar.cue --
+package holos
+
+#KubernetesObjects & {
+  apiObjectMap: foo: bar: "bf2bc7f9-9ba0-4f9e-9bd2-9a205627eb0b"
+}
+-- schema.cue --
+package holos
+
+cluster: string @tag(cluster, string)
+
+// #OutputTypeMeta is shared among all output types
+#OutputTypeMeta: {
+	apiVersion: "holos.run/v1alpha1"
+	kind: #KubernetesObjects.kind | #NoOutput.kind
+	metadata: name: string
+}
+
+#KubernetesObjects: {
+	#OutputTypeMeta
+	kind: "KubernetesObjects"
+	apiObjectMap: {...}
+}
+
+#NoOutput: {
+	#OutputTypeMeta
+	kind: string | *"Skip"
+	metadata: name: string | *"skipped"
+}
+
+#NoOutput & {}

cmd/holos/testdata/issue15_cue_errors.txt

@@ -0,0 +1,16 @@
+# Want cue errors to show files and lines
+! exec holos build .
+stderr '^apiObjectMap.foo.bar: cannot convert non-concrete value string'
+stderr '/component.cue:7:20$'
+
+-- cue.mod --
+package holos
+-- component.cue --
+package holos
+
+apiVersion: "holos.run/v1alpha1"
+kind: "KubernetesObjects"
+cluster: string @tag(cluster, string)
+
+apiObjectMap: foo: bar: baz
+baz: string

cmd/holos/testdata/issue25_apiobjects_cue.txt

@@ -0,0 +1,57 @@
+# Want kube api objects in the apiObjects output.
+exec holos build .
+stdout '^kind: SecretStore$'
+stdout '# Source: CUE apiObjects.SecretStore.default'
+
+-- cue.mod --
+package holos
+-- component.cue --
+package holos
+
+apiVersion: "holos.run/v1alpha1"
+kind: "KubernetesObjects"
+cluster: string @tag(cluster, string)
+
+#SecretStore: {
+    kind: string
+    metadata: name: string
+}
+
+#APIObjects & {
+  apiObjects: {
+    SecretStore: {
+      default: #SecretStore & { metadata: name: "default" }
+    }
+  }
+}
+
+
+-- schema.cue --
+package holos
+
+// #APIObjects is the output type for api objects produced by cue.  A map is used to aid debugging and clarity.
+import "encoding/yaml"
+
+#APIObjects: {
+	// apiObjects holds each the api objects produced by cue.
+	apiObjects: {
+		[Kind=_]: {
+			[Name=_]: {
+				kind: Kind
+				metadata: name: Name
+			}
+		}
+	}
+
+	// apiObjectsContent holds the marshalled representation of apiObjects
+	apiObjectMap: {
+		for kind, v in apiObjects {
+			"\(kind)": {
+				for name, obj in v {
+				  "\(name)": yaml.Marshal(obj)
+			  }
+			}
+		}
+	}
+}
+

cmd/holos/testdata/issue25_apiobjects_helm.txt

@@ -0,0 +1,58 @@
+# Want kube api objects in the apiObjects output.
+exec holos build .
+stdout '^kind: SecretStore$'
+stdout '# Source: CUE apiObjects.SecretStore.default'
+stderr 'skipping helm: no chart name specified'
+
+-- cue.mod --
+package holos
+-- component.cue --
+package holos
+
+apiVersion: "holos.run/v1alpha1"
+kind: "HelmChart"
+cluster: string @tag(cluster, string)
+
+#SecretStore: {
+    kind: string
+    metadata: name: string
+}
+
+#APIObjects & {
+  apiObjects: {
+    SecretStore: {
+      default: #SecretStore & { metadata: name: "default" }
+    }
+  }
+}
+
+
+-- schema.cue --
+package holos
+
+// #APIObjects is the output type for api objects produced by cue.  A map is used to aid debugging and clarity.
+import "encoding/yaml"
+
+#APIObjects: {
+	// apiObjects holds each the api objects produced by cue.
+	apiObjects: {
+		[Kind=_]: {
+			[Name=_]: {
+				kind: Kind
+				metadata: name: Name
+			}
+		}
+	}
+
+	// apiObjectsContent holds the marshalled representation of apiObjects
+	apiObjectMap: {
+		for kind, v in apiObjects {
+			"\(kind)": {
+				for name, obj in v {
+				  "\(name)": yaml.Marshal(obj)
+			  }
+			}
+		}
+	}
+}
+

cmd/holos/testdata/issue25_show_object_names.txt

@@ -0,0 +1,22 @@
+# Want api object kind and name in errors
+! exec holos build .
+stderr 'apiObjects.secretstore.default.foo: field not allowed'
+
+-- cue.mod --
+package holos
+-- component.cue --
+package holos
+
+apiVersion: "holos.run/v1alpha1"
+kind: "KubernetesObjects"
+cluster: string @tag(cluster, string)
+
+#SecretStore: {
+    metadata: name: string
+}
+
+apiObjects: {
+  secretstore: {
+    default: #SecretStore & { foo: "not allowed" }
+  }
+}

cmd/holos/testdata/version.txt

@@ -0,0 +1,5 @@
+exec holos --version
+# want version with no v on stdout
+stdout -count=1 '^\d+\.\d+\.\d+$'
+# want nothing on stderr
+! stderr .

docs/examples/cue.mod/gen/acme.cert-manager.io/order/v1/types_gen.cue

@@ -0,0 +1,82 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-certmanager/prod-mesh-certmanager.gen.yaml
+
+package v1
+
+import "strings"
+
+// Order is a type to represent an Order with an ACME server
+#Order: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "acme.cert-manager.io/v1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Order"
+	metadata: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+	spec!: #OrderSpec
+}
+#OrderSpec: {
+	// CommonName is the common name as specified on the DER encoded
+	// CSR. If specified, this value must also be present in
+	// `dnsNames` or `ipAddresses`. This field must match the
+	// corresponding field on the DER encoded CSR.
+	commonName?: string
+
+	// DNSNames is a list of DNS names that should be included as part
+	// of the Order validation process. This field must match the
+	// corresponding field on the DER encoded CSR.
+	dnsNames?: [...string]
+
+	// Duration is the duration for the not after date for the
+	// requested certificate. this is set on order creation as pe the
+	// ACME spec.
+	duration?: string
+
+	// IPAddresses is a list of IP addresses that should be included
+	// as part of the Order validation process. This field must match
+	// the corresponding field on the DER encoded CSR.
+	ipAddresses?: [...string]
+
+	// IssuerRef references a properly configured ACME-type Issuer
+	// which should be used to create this Order. If the Issuer does
+	// not exist, processing will be retried. If the Issuer is not an
+	// 'ACME' Issuer, an error will be returned and the Order will be
+	// marked as failed.
+	issuerRef: {
+		// Group of the resource being referred to.
+		group?: string
+
+		// Kind of the resource being referred to.
+		kind?: string
+
+		// Name of the resource being referred to.
+		name: string
+	}
+
+	// Certificate signing request bytes in DER encoding. This will be
+	// used when finalizing the order. This field must be set on the
+	// order.
+	request: string
+}

docs/examples/cue.mod/gen/cert-manager.io/certificate/v1/types_gen.cue

@@ -0,0 +1,422 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-certmanager/prod-mesh-certmanager.gen.yaml
+
+package v1
+
+import "strings"
+
+// A Certificate resource should be created to ensure an up to
+// date and signed X.509 certificate is stored in the Kubernetes
+// Secret resource named in `spec.secretName`.
+// The stored certificate will be renewed before it expires (as
+// configured by `spec.renewBefore`).
+#Certificate: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "cert-manager.io/v1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Certificate"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// Specification of the desired state of the Certificate resource.
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	spec!: #CertificateSpec
+}
+
+// Specification of the desired state of the Certificate resource.
+// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+#CertificateSpec: {
+	// Defines extra output formats of the private key and signed
+	// certificate chain to be written to this Certificate's target
+	// Secret.
+	// This is an Alpha Feature and is only enabled with the
+	// `--feature-gates=AdditionalCertificateOutputFormats=true`
+	// option set on both the controller and webhook components.
+	additionalOutputFormats?: [...{
+		// Type is the name of the format type that should be written to
+		// the Certificate's target Secret.
+		type: "DER" | "CombinedPEM"
+	}]
+
+	// Requested common name X509 certificate subject attribute. More
+	// info:
+	// https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
+	// NOTE: TLS clients will ignore this value when any subject
+	// alternative name is set (see
+	// https://tools.ietf.org/html/rfc6125#section-6.4.4).
+	// Should have a length of 64 characters or fewer to avoid
+	// generating invalid CSRs. Cannot be set if the `literalSubject`
+	// field is set.
+	commonName?: string
+
+	// Requested DNS subject alternative names.
+	dnsNames?: [...string]
+
+	// Requested 'duration' (i.e. lifetime) of the Certificate. Note
+	// that the issuer may choose to ignore the requested duration,
+	// just like any other requested attribute.
+	// If unset, this defaults to 90 days. Minimum accepted duration
+	// is 1 hour. Value must be in units accepted by Go
+	// time.ParseDuration https://golang.org/pkg/time/#ParseDuration.
+	duration?: string
+
+	// Requested email subject alternative names.
+	emailAddresses?: [...string]
+
+	// Whether the KeyUsage and ExtKeyUsage extensions should be set
+	// in the encoded CSR.
+	// This option defaults to true, and should only be disabled if
+	// the target issuer does not support CSRs with these X509
+	// KeyUsage/ ExtKeyUsage extensions.
+	encodeUsagesInRequest?: bool
+
+	// Requested IP address subject alternative names.
+	ipAddresses?: [...string]
+
+	// Requested basic constraints isCA value. The isCA value is used
+	// to set the `isCA` field on the created CertificateRequest
+	// resources. Note that the issuer may choose to ignore the
+	// requested isCA value, just like any other requested attribute.
+	// If true, this will automatically add the `cert sign` usage to
+	// the list of requested `usages`.
+	isCA?: bool
+
+	// Reference to the issuer responsible for issuing the
+	// certificate. If the issuer is namespace-scoped, it must be in
+	// the same namespace as the Certificate. If the issuer is
+	// cluster-scoped, it can be used from any namespace.
+	// The `name` field of the reference must always be specified.
+	issuerRef: {
+		// Group of the resource being referred to.
+		group?: string
+
+		// Kind of the resource being referred to.
+		kind?: string
+
+		// Name of the resource being referred to.
+		name: string
+	}
+
+	// Additional keystore output formats to be stored in the
+	// Certificate's Secret.
+	keystores?: {
+		// JKS configures options for storing a JKS keystore in the
+		// `spec.secretName` Secret resource.
+		jks?: {
+			// Create enables JKS keystore creation for the Certificate. If
+			// true, a file named `keystore.jks` will be created in the
+			// target Secret resource, encrypted using the password stored in
+			// `passwordSecretRef`. The keystore file will be updated
+			// immediately. If the issuer provided a CA certificate, a file
+			// named `truststore.jks` will also be created in the target
+			// Secret resource, encrypted using the password stored in
+			// `passwordSecretRef` containing the issuing Certificate
+			// Authority
+			create: bool
+
+			// PasswordSecretRef is a reference to a key in a Secret resource
+			// containing the password used to encrypt the JKS keystore.
+			passwordSecretRef: {
+				// The key of the entry in the Secret resource's `data` field to
+				// be used. Some instances of this field may be defaulted, in
+				// others it may be required.
+				key?: string
+
+				// Name of the resource being referred to. More info:
+				// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+				name: string
+			}
+		}
+
+		// PKCS12 configures options for storing a PKCS12 keystore in the
+		// `spec.secretName` Secret resource.
+		pkcs12?: {
+			// Create enables PKCS12 keystore creation for the Certificate. If
+			// true, a file named `keystore.p12` will be created in the
+			// target Secret resource, encrypted using the password stored in
+			// `passwordSecretRef`. The keystore file will be updated
+			// immediately. If the issuer provided a CA certificate, a file
+			// named `truststore.p12` will also be created in the target
+			// Secret resource, encrypted using the password stored in
+			// `passwordSecretRef` containing the issuing Certificate
+			// Authority
+			create: bool
+
+			// PasswordSecretRef is a reference to a key in a Secret resource
+			// containing the password used to encrypt the PKCS12 keystore.
+			passwordSecretRef: {
+				// The key of the entry in the Secret resource's `data` field to
+				// be used. Some instances of this field may be defaulted, in
+				// others it may be required.
+				key?: string
+
+				// Name of the resource being referred to. More info:
+				// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+				name: string
+			}
+
+			// Profile specifies the key and certificate encryption algorithms
+			// and the HMAC algorithm used to create the PKCS12 keystore.
+			// Default value is `LegacyRC2` for backward compatibility.
+			// If provided, allowed values are: `LegacyRC2`: Deprecated. Not
+			// supported by default in OpenSSL 3 or Java 20. `LegacyDES`:
+			// Less secure algorithm. Use this option for maximal
+			// compatibility. `Modern2023`: Secure algorithm. Use this option
+			// in case you have to always use secure algorithms (eg. because
+			// of company policy). Please note that the security of the
+			// algorithm is not that important in reality, because the
+			// unencrypted certificate and private key are also stored in the
+			// Secret.
+			profile?: "LegacyRC2" | "LegacyDES" | "Modern2023"
+		}
+	}
+
+	// Requested X.509 certificate subject, represented using the LDAP
+	// "String Representation of a Distinguished Name" [1].
+	// Important: the LDAP string format also specifies the order of
+	// the attributes in the subject, this is important when issuing
+	// certs for LDAP authentication. Example:
+	// `CN=foo,DC=corp,DC=example,DC=com` More info [1]:
+	// https://datatracker.ietf.org/doc/html/rfc4514 More info:
+	// https://github.com/cert-manager/cert-manager/issues/3203 More
+	// info: https://github.com/cert-manager/cert-manager/issues/4424
+	// Cannot be set if the `subject` or `commonName` field is set.
+	// This is an Alpha Feature and is only enabled with the
+	// `--feature-gates=LiteralCertificateSubject=true` option set on
+	// both the controller and webhook components.
+	literalSubject?: string
+
+	// x.509 certificate NameConstraint extension which MUST NOT be
+	// used in a non-CA certificate. More Info:
+	// https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10
+	// This is an Alpha Feature and is only enabled with the
+	// `--feature-gates=NameConstraints=true` option set on both the
+	// controller and webhook components.
+	nameConstraints?: {
+		// if true then the name constraints are marked critical.
+		critical?: bool
+
+		// Excluded contains the constraints which must be disallowed. Any
+		// name matching a restriction in the excluded field is invalid
+		// regardless of information appearing in the permitted
+		excluded?: {
+			// DNSDomains is a list of DNS domains that are permitted or
+			// excluded.
+			dnsDomains?: [...string]
+
+			// EmailAddresses is a list of Email Addresses that are permitted
+			// or excluded.
+			emailAddresses?: [...string]
+
+			// IPRanges is a list of IP Ranges that are permitted or excluded.
+			// This should be a valid CIDR notation.
+			ipRanges?: [...string]
+
+			// URIDomains is a list of URI domains that are permitted or
+			// excluded.
+			uriDomains?: [...string]
+		}
+
+		// Permitted contains the constraints in which the names must be
+		// located.
+		permitted?: {
+			// DNSDomains is a list of DNS domains that are permitted or
+			// excluded.
+			dnsDomains?: [...string]
+
+			// EmailAddresses is a list of Email Addresses that are permitted
+			// or excluded.
+			emailAddresses?: [...string]
+
+			// IPRanges is a list of IP Ranges that are permitted or excluded.
+			// This should be a valid CIDR notation.
+			ipRanges?: [...string]
+
+			// URIDomains is a list of URI domains that are permitted or
+			// excluded.
+			uriDomains?: [...string]
+		}
+	}
+
+	// `otherNames` is an escape hatch for SAN that allows any type.
+	// We currently restrict the support to string like otherNames,
+	// cf RFC 5280 p 37 Any UTF8 String valued otherName can be
+	// passed with by setting the keys oid: x.x.x.x and UTF8Value:
+	// somevalue for `otherName`. Most commonly this would be UPN set
+	// with oid: 1.3.6.1.4.1.311.20.2.3 You should ensure that any
+	// OID passed is valid for the UTF8String type as we do not
+	// explicitly validate this.
+	otherNames?: [...{
+		// OID is the object identifier for the otherName SAN. The object
+		// identifier must be expressed as a dotted string, for example,
+		// "1.2.840.113556.1.4.221".
+		oid?: string
+
+		// utf8Value is the string value of the otherName SAN. The
+		// utf8Value accepts any valid UTF8 string to set as value for
+		// the otherName SAN.
+		utf8Value?: string
+	}]
+
+	// Private key options. These include the key algorithm and size,
+	// the used encoding and the rotation policy.
+	privateKey?: {
+		// Algorithm is the private key algorithm of the corresponding
+		// private key for this certificate.
+		// If provided, allowed values are either `RSA`, `ECDSA` or
+		// `Ed25519`. If `algorithm` is specified and `size` is not
+		// provided, key size of 2048 will be used for `RSA` key
+		// algorithm and key size of 256 will be used for `ECDSA` key
+		// algorithm. key size is ignored when using the `Ed25519` key
+		// algorithm.
+		algorithm?: "RSA" | "ECDSA" | "Ed25519"
+
+		// The private key cryptography standards (PKCS) encoding for this
+		// certificate's private key to be encoded in.
+		// If provided, allowed values are `PKCS1` and `PKCS8` standing
+		// for PKCS#1 and PKCS#8, respectively. Defaults to `PKCS1` if
+		// not specified.
+		encoding?: "PKCS1" | "PKCS8"
+
+		// RotationPolicy controls how private keys should be regenerated
+		// when a re-issuance is being processed.
+		// If set to `Never`, a private key will only be generated if one
+		// does not already exist in the target `spec.secretName`. If one
+		// does exists but it does not have the correct algorithm or
+		// size, a warning will be raised to await user intervention. If
+		// set to `Always`, a private key matching the specified
+		// requirements will be generated whenever a re-issuance occurs.
+		// Default is `Never` for backward compatibility.
+		rotationPolicy?: "Never" | "Always"
+
+		// Size is the key bit size of the corresponding private key for
+		// this certificate.
+		// If `algorithm` is set to `RSA`, valid values are `2048`, `4096`
+		// or `8192`, and will default to `2048` if not specified. If
+		// `algorithm` is set to `ECDSA`, valid values are `256`, `384`
+		// or `521`, and will default to `256` if not specified. If
+		// `algorithm` is set to `Ed25519`, Size is ignored. No other
+		// values are allowed.
+		size?: int
+	}
+
+	// How long before the currently issued certificate's expiry
+	// cert-manager should renew the certificate. For example, if a
+	// certificate is valid for 60 minutes, and `renewBefore=10m`,
+	// cert-manager will begin to attempt to renew the certificate 50
+	// minutes after it was issued (i.e. when there are 10 minutes
+	// remaining until the certificate is no longer valid).
+	// NOTE: The actual lifetime of the issued certificate is used to
+	// determine the renewal time. If an issuer returns a certificate
+	// with a different lifetime than the one requested, cert-manager
+	// will use the lifetime of the issued certificate.
+	// If unset, this defaults to 1/3 of the issued certificate's
+	// lifetime. Minimum accepted value is 5 minutes. Value must be
+	// in units accepted by Go time.ParseDuration
+	// https://golang.org/pkg/time/#ParseDuration.
+	renewBefore?: string
+
+	// The maximum number of CertificateRequest revisions that are
+	// maintained in the Certificate's history. Each revision
+	// represents a single `CertificateRequest` created by this
+	// Certificate, either when it was created, renewed, or Spec was
+	// changed. Revisions will be removed by oldest first if the
+	// number of revisions exceeds this number.
+	// If set, revisionHistoryLimit must be a value of `1` or greater.
+	// If unset (`nil`), revisions will not be garbage collected.
+	// Default value is `nil`.
+	revisionHistoryLimit?: int
+
+	// Name of the Secret resource that will be automatically created
+	// and managed by this Certificate resource. It will be populated
+	// with a private key and certificate, signed by the denoted
+	// issuer. The Secret resource lives in the same namespace as the
+	// Certificate resource.
+	secretName: string
+
+	// Defines annotations and labels to be copied to the
+	// Certificate's Secret. Labels and annotations on the Secret
+	// will be changed as they appear on the SecretTemplate when
+	// added or removed. SecretTemplate annotations are added in
+	// conjunction with, and cannot overwrite, the base set of
+	// annotations cert-manager sets on the Certificate's Secret.
+	secretTemplate?: {
+		// Annotations is a key value map to be copied to the target
+		// Kubernetes Secret.
+		annotations?: {
+			[string]: string
+		}
+
+		// Labels is a key value map to be copied to the target Kubernetes
+		// Secret.
+		labels?: {
+			[string]: string
+		}
+	}
+
+	// Requested set of X509 certificate subject attributes. More
+	// info:
+	// https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
+	// The common name attribute is specified separately in the
+	// `commonName` field. Cannot be set if the `literalSubject`
+	// field is set.
+	subject?: {
+		// Countries to be used on the Certificate.
+		countries?: [...string]
+
+		// Cities to be used on the Certificate.
+		localities?: [...string]
+
+		// Organizational Units to be used on the Certificate.
+		organizationalUnits?: [...string]
+
+		// Organizations to be used on the Certificate.
+		organizations?: [...string]
+
+		// Postal codes to be used on the Certificate.
+		postalCodes?: [...string]
+
+		// State/Provinces to be used on the Certificate.
+		provinces?: [...string]
+
+		// Serial number to be used on the Certificate.
+		serialNumber?: string
+
+		// Street addresses to be used on the Certificate.
+		streetAddresses?: [...string]
+	}
+
+	// Requested URI subject alternative names.
+	uris?: [...string]
+
+	// Requested key usages and extended key usages. These usages are
+	// used to set the `usages` field on the created
+	// CertificateRequest resources. If `encodeUsagesInRequest` is
+	// unset or set to `true`, the usages will additionally be
+	// encoded in the `request` field which contains the CSR blob.
+	// If unset, defaults to `digital signature` and `key
+	// encipherment`.
+	usages?: [..."signing" | "digital signature" | "content commitment" | "key encipherment" | "key agreement" | "data encipherment" | "cert sign" | "crl sign" | "encipher only" | "decipher only" | "any" | "server auth" | "client auth" | "code signing" | "email protection" | "s/mime" | "ipsec end system" | "ipsec tunnel" | "ipsec user" | "timestamping" | "ocsp signing" | "microsoft sgc" | "netscape sgc"]
+}

docs/examples/cue.mod/gen/cert-manager.io/certificaterequest/v1/types_gen.cue

@@ -0,0 +1,127 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-certmanager/prod-mesh-certmanager.gen.yaml
+
+package v1
+
+import "strings"
+
+// A CertificateRequest is used to request a signed certificate
+// from one of the configured issuers.
+// All fields within the CertificateRequest's `spec` are immutable
+// after creation. A CertificateRequest will either succeed or
+// fail, as denoted by its `Ready` status condition and its
+// `status.failureTime` field.
+// A CertificateRequest is a one-shot resource, meaning it
+// represents a single point in time request for a certificate
+// and cannot be re-used.
+#CertificateRequest: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "cert-manager.io/v1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "CertificateRequest"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// Specification of the desired state of the CertificateRequest
+	// resource.
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	spec!: #CertificateRequestSpec
+}
+
+// Specification of the desired state of the CertificateRequest
+// resource.
+// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+#CertificateRequestSpec: {
+	// Requested 'duration' (i.e. lifetime) of the Certificate. Note
+	// that the issuer may choose to ignore the requested duration,
+	// just like any other requested attribute.
+	duration?: string
+
+	// Extra contains extra attributes of the user that created the
+	// CertificateRequest. Populated by the cert-manager webhook on
+	// creation and immutable.
+	extra?: {
+		[string]: [...string]
+	}
+
+	// Groups contains group membership of the user that created the
+	// CertificateRequest. Populated by the cert-manager webhook on
+	// creation and immutable.
+	groups?: [...string]
+
+	// Requested basic constraints isCA value. Note that the issuer
+	// may choose to ignore the requested isCA value, just like any
+	// other requested attribute.
+	// NOTE: If the CSR in the `Request` field has a BasicConstraints
+	// extension, it must have the same isCA value as specified here.
+	// If true, this will automatically add the `cert sign` usage to
+	// the list of requested `usages`.
+	isCA?: bool
+
+	// Reference to the issuer responsible for issuing the
+	// certificate. If the issuer is namespace-scoped, it must be in
+	// the same namespace as the Certificate. If the issuer is
+	// cluster-scoped, it can be used from any namespace.
+	// The `name` field of the reference must always be specified.
+	issuerRef: {
+		// Group of the resource being referred to.
+		group?: string
+
+		// Kind of the resource being referred to.
+		kind?: string
+
+		// Name of the resource being referred to.
+		name: string
+	}
+
+	// The PEM-encoded X.509 certificate signing request to be
+	// submitted to the issuer for signing.
+	// If the CSR has a BasicConstraints extension, its isCA attribute
+	// must match the `isCA` value of this CertificateRequest. If the
+	// CSR has a KeyUsage extension, its key usages must match the
+	// key usages in the `usages` field of this CertificateRequest.
+	// If the CSR has a ExtKeyUsage extension, its extended key
+	// usages must match the extended key usages in the `usages`
+	// field of this CertificateRequest.
+	request: string
+
+	// UID contains the uid of the user that created the
+	// CertificateRequest. Populated by the cert-manager webhook on
+	// creation and immutable.
+	uid?: string
+
+	// Requested key usages and extended key usages.
+	// NOTE: If the CSR in the `Request` field has uses the KeyUsage
+	// or ExtKeyUsage extension, these extensions must have the same
+	// values as specified here without any additional values.
+	// If unset, defaults to `digital signature` and `key
+	// encipherment`.
+	usages?: [..."signing" | "digital signature" | "content commitment" | "key encipherment" | "key agreement" | "data encipherment" | "cert sign" | "crl sign" | "encipher only" | "decipher only" | "any" | "server auth" | "client auth" | "code signing" | "email protection" | "s/mime" | "ipsec end system" | "ipsec tunnel" | "ipsec user" | "timestamping" | "ocsp signing" | "microsoft sgc" | "netscape sgc"]
+
+	// Username contains the name of the user that created the
+	// CertificateRequest. Populated by the cert-manager webhook on
+	// creation and immutable.
+	username?: string
+}

docs/examples/cue.mod/gen/extensions.istio.io/wasmplugin/v1alpha1/types_gen.cue

@@ -0,0 +1,123 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1alpha1
+
+import (
+	"strings"
+	"list"
+)
+
+#WasmPlugin: {
+	// Extend the functionality provided by the Istio proxy through
+	// WebAssembly filters. See more details at:
+	// https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html
+	spec!:      #WasmPluginSpec
+	apiVersion: "extensions.istio.io/v1alpha1"
+	kind:       "WasmPlugin"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Extend the functionality provided by the Istio proxy through
+// WebAssembly filters. See more details at:
+// https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html
+#WasmPluginSpec: {
+	// Specifies the failure behavior for the plugin due to fatal
+	// errors.
+	failStrategy?: "FAIL_CLOSE" | "FAIL_OPEN"
+
+	// The pull behaviour to be applied when fetching Wasm module by
+	// either OCI image or http/https.
+	imagePullPolicy?: "UNSPECIFIED_POLICY" | "IfNotPresent" | "Always"
+
+	// Credentials to use for OCI image pulling.
+	imagePullSecret?: strings.MaxRunes(253) & strings.MinRunes(1)
+
+	// Specifies the criteria to determine which traffic is passed to
+	// WasmPlugin.
+	match?: [...{
+		// Criteria for selecting traffic by their direction.
+		mode?: "UNDEFINED" | "CLIENT" | "SERVER" | "CLIENT_AND_SERVER"
+
+		// Criteria for selecting traffic by their destination port.
+		ports?: [...{
+			number: uint16 & >=1
+		}]
+	}]
+
+	// Determines where in the filter chain this `WasmPlugin` is to be
+	// injected.
+	phase?: "UNSPECIFIED_PHASE" | "AUTHN" | "AUTHZ" | "STATS"
+
+	// The configuration that will be passed on to the plugin.
+	pluginConfig?: {
+		...
+	}
+
+	// The plugin name to be used in the Envoy configuration (used to
+	// be called `rootID`).
+	pluginName?: strings.MaxRunes(256) & strings.MinRunes(1)
+
+	// Determines ordering of `WasmPlugins` in the same `phase`.
+	priority?: null | int
+	selector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which a policy should be applied.
+		matchLabels?: {
+			[string]: string
+		}
+	}
+
+	// SHA256 checksum that will be used to verify Wasm module or OCI
+	// container.
+	sha256?: =~"(^$|^[a-f0-9]{64}$)"
+
+	// Optional.
+	targetRef?: {
+		// group is the group of the target resource.
+		group?: string
+
+		// kind is kind of the target resource.
+		kind?: string
+
+		// name is the name of the target resource.
+		name?: string
+
+		// namespace is the namespace of the referent.
+		namespace?: string
+	}
+
+	// Specifies the type of Wasm Extension to be used.
+	type?: "UNSPECIFIED_PLUGIN_TYPE" | "HTTP" | "NETWORK"
+
+	// URL of a Wasm module or OCI container.
+	url:              strings.MinRunes(1)
+	verificationKey?: string
+	vmConfig?: {
+		// Specifies environment variables to be injected to this VM.
+		env?: list.MaxItems(256) & [...{
+			// Name of the environment variable.
+			name: strings.MaxRunes(256) & strings.MinRunes(1)
+
+			// Value for the environment variable.
+			value?: strings.MaxRunes(2048)
+
+			// Source for the environment variable's value.
+			valueFrom?: "INLINE" | "HOST"
+		}]
+	}
+}

docs/examples/cue.mod/gen/external-secrets.io/secretstore/v1beta1/types_gen.cue

@@ -922,7 +922,7 @@ import (
 		kubernetes?: {
 			// Auth configures how secret-manager authenticates with a
 			// Kubernetes instance.
-			auth: struct.MaxFields(1) & {
+			auth: {
 				// has both clientCert and clientKey as secretKeySelector
 				cert?: {
 					// A reference to a specific 'key' within a Secret resource,

docs/examples/cue.mod/gen/install.istio.io/istiooperator/v1alpha1/types_gen.cue

@@ -0,0 +1,27 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1alpha1
+
+import "strings"
+
+#IstioOperator: {
+	apiVersion: "install.istio.io/v1alpha1"
+	kind:       "IstioOperator"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+	...
+}

docs/examples/cue.mod/gen/k8s.io/api/core/v1/types_go_gen.cue

@@ -3066,7 +3066,7 @@ import (
 	// If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext.
 	// More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
 	// +optional
-	securityContext?: null | #SecurityContext @go(SecurityContext,*SecurityContext) @protobuf(15,bytes,opt)
+	securityContext?: #SecurityContext @go(SecurityContext,*SecurityContext) @protobuf(15,bytes,opt)
 
 	// Whether this container should allocate a buffer for stdin in the container runtime. If this
 	// is not set, reads from stdin in the container will always result in EOF.
@@ -3982,7 +3982,7 @@ import (
 	// SecurityContext holds pod-level security attributes and common container settings.
 	// Optional: Defaults to empty.  See type description for default values of each field.
 	// +optional
-	securityContext?: null | #PodSecurityContext @go(SecurityContext,*PodSecurityContext) @protobuf(14,bytes,opt)
+	securityContext?: #PodSecurityContext @go(SecurityContext,*PodSecurityContext) @protobuf(14,bytes,opt)
 
 	// ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec.
 	// If specified, these secrets will be passed to individual puller implementations for them to use.

docs/examples/cue.mod/gen/networking.istio.io/destinationrule/v1alpha3/types_gen.cue

@@ -0,0 +1,967 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1alpha3
+
+import "strings"
+
+#DestinationRule: {
+	// Configuration affecting load balancing, outlier detection, etc.
+	// See more details at:
+	// https://istio.io/docs/reference/config/networking/destination-rule.html
+	spec!:      #DestinationRuleSpec
+	apiVersion: "networking.istio.io/v1alpha3"
+	kind:       "DestinationRule"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting load balancing, outlier detection, etc.
+// See more details at:
+// https://istio.io/docs/reference/config/networking/destination-rule.html
+#DestinationRuleSpec: {
+	// A list of namespaces to which this destination rule is
+	// exported.
+	exportTo?: [...string]
+
+	// The name of a service from the service registry.
+	host: string
+
+	// One or more named sets that represent individual versions of a
+	// service.
+	subsets?: [...{
+		// Labels apply a filter over the endpoints of a service in the
+		// service registry.
+		labels?: {
+			[string]: string
+		}
+
+		// Name of the subset.
+		name: string
+
+		// Traffic policies that apply to this subset.
+		trafficPolicy?: {
+			connectionPool?: {
+				// HTTP connection pool settings.
+				http?: {
+					// Specify if http1.1 connection should be upgraded to http2 for
+					// the associated destination.
+					h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
+
+					// Maximum number of requests that will be queued while waiting
+					// for a ready connection pool connection.
+					http1MaxPendingRequests?: int
+
+					// Maximum number of active requests to a destination.
+					http2MaxRequests?: int
+
+					// The idle timeout for upstream connection pool connections.
+					idleTimeout?: string
+
+					// Maximum number of requests per connection to a backend.
+					maxRequestsPerConnection?: int
+
+					// Maximum number of retries that can be outstanding to all hosts
+					// in a cluster at a given time.
+					maxRetries?: int
+
+					// If set to true, client protocol will be preserved while
+					// initiating connection to backend.
+					useClientProtocol?: bool
+				}
+
+				// Settings common to both HTTP and TCP upstream connections.
+				tcp?: {
+					// TCP connection timeout.
+					connectTimeout?: string
+
+					// The maximum duration of a connection.
+					maxConnectionDuration?: string
+
+					// Maximum number of HTTP1 /TCP connections to a destination host.
+					maxConnections?: int
+
+					// If set then set SO_KEEPALIVE on the socket to enable TCP
+					// Keepalives.
+					tcpKeepalive?: {
+						// The time duration between keep-alive probes.
+						interval?: string
+
+						// Maximum number of keepalive probes to send without response
+						// before deciding the connection is dead.
+						probes?: int
+
+						// The time duration a connection needs to be idle before
+						// keep-alive probes start being sent.
+						time?: string
+					}
+				}
+			}
+
+			// Settings controlling the load balancer algorithms.
+			loadBalancer?: ({} | {
+				simple: _
+			} | {
+				consistentHash: _
+			}) & {
+				consistentHash?: ({} | {
+					httpHeaderName: _
+				} | {
+					httpCookie: _
+				} | {
+					useSourceIp: _
+				} | {
+					httpQueryParameterName: _
+				}) & ({} | {
+					ringHash: _
+				} | {
+					maglev: _
+				}) & {
+					// Hash based on HTTP cookie.
+					httpCookie?: {
+						// Name of the cookie.
+						name: string
+
+						// Path to set for the cookie.
+						path?: string
+
+						// Lifetime of the cookie.
+						ttl?: string
+					}
+
+					// Hash based on a specific HTTP header.
+					httpHeaderName?: string
+
+					// Hash based on a specific HTTP query parameter.
+					httpQueryParameterName?: string
+					maglev?: {
+						// The table size for Maglev hashing.
+						tableSize?: int
+					}
+
+					// Deprecated.
+					minimumRingSize?: int
+					ringHash?: {
+						// The minimum number of virtual nodes to use for the hash ring.
+						minimumRingSize?: int
+					}
+
+					// Hash based on the source IP address.
+					useSourceIp?: bool
+				}
+				localityLbSetting?: {
+					// Optional: only one of distribute, failover or failoverPriority
+					// can be set.
+					distribute?: [...{
+						// Originating locality, '/' separated, e.g.
+						from?: string
+
+						// Map of upstream localities to traffic distribution weights.
+						to?: {
+							[string]: int
+						}
+					}]
+
+					// enable locality load balancing, this is DestinationRule-level
+					// and will override mesh wide settings in entirety.
+					enabled?: null | bool
+
+					// Optional: only one of distribute, failover or failoverPriority
+					// can be set.
+					failover?: [...{
+						// Originating region.
+						from?: string
+
+						// Destination region the traffic will fail over to when endpoints
+						// in the 'from' region becomes unhealthy.
+						to?: string
+					}]
+
+					// failoverPriority is an ordered list of labels used to sort
+					// endpoints to do priority based load balancing.
+					failoverPriority?: [...string]
+				}
+				simple?: "UNSPECIFIED" | "LEAST_CONN" | "RANDOM" | "PASSTHROUGH" | "ROUND_ROBIN" | "LEAST_REQUEST"
+
+				// Represents the warmup duration of Service.
+				warmupDurationSecs?: string
+			}
+			outlierDetection?: {
+				// Minimum ejection duration.
+				baseEjectionTime?: string
+
+				// Number of 5xx errors before a host is ejected from the
+				// connection pool.
+				consecutive5xxErrors?: null | int
+				consecutiveErrors?:    int
+
+				// Number of gateway errors before a host is ejected from the
+				// connection pool.
+				consecutiveGatewayErrors?: null | int
+
+				// The number of consecutive locally originated failures before
+				// ejection occurs.
+				consecutiveLocalOriginFailures?: null | int
+
+				// Time interval between ejection sweep analysis.
+				interval?: string
+
+				// Maximum % of hosts in the load balancing pool for the upstream
+				// service that can be ejected.
+				maxEjectionPercent?: int
+
+				// Outlier detection will be enabled as long as the associated
+				// load balancing pool has at least min_health_percent hosts in
+				// healthy mode.
+				minHealthPercent?: int
+
+				// Determines whether to distinguish local origin failures from
+				// external errors.
+				splitExternalLocalOriginErrors?: bool
+			}
+
+			// Traffic policies specific to individual ports.
+			portLevelSettings?: [...{
+				connectionPool?: {
+					// HTTP connection pool settings.
+					http?: {
+						// Specify if http1.1 connection should be upgraded to http2 for
+						// the associated destination.
+						h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
+
+						// Maximum number of requests that will be queued while waiting
+						// for a ready connection pool connection.
+						http1MaxPendingRequests?: int
+
+						// Maximum number of active requests to a destination.
+						http2MaxRequests?: int
+
+						// The idle timeout for upstream connection pool connections.
+						idleTimeout?: string
+
+						// Maximum number of requests per connection to a backend.
+						maxRequestsPerConnection?: int
+
+						// Maximum number of retries that can be outstanding to all hosts
+						// in a cluster at a given time.
+						maxRetries?: int
+
+						// If set to true, client protocol will be preserved while
+						// initiating connection to backend.
+						useClientProtocol?: bool
+					}
+
+					// Settings common to both HTTP and TCP upstream connections.
+					tcp?: {
+						// TCP connection timeout.
+						connectTimeout?: string
+
+						// The maximum duration of a connection.
+						maxConnectionDuration?: string
+
+						// Maximum number of HTTP1 /TCP connections to a destination host.
+						maxConnections?: int
+
+						// If set then set SO_KEEPALIVE on the socket to enable TCP
+						// Keepalives.
+						tcpKeepalive?: {
+							// The time duration between keep-alive probes.
+							interval?: string
+
+							// Maximum number of keepalive probes to send without response
+							// before deciding the connection is dead.
+							probes?: int
+
+							// The time duration a connection needs to be idle before
+							// keep-alive probes start being sent.
+							time?: string
+						}
+					}
+				}
+
+				// Settings controlling the load balancer algorithms.
+				loadBalancer?: ({} | {
+					simple: _
+				} | {
+					consistentHash: _
+				}) & {
+					consistentHash?: ({} | {
+						httpHeaderName: _
+					} | {
+						httpCookie: _
+					} | {
+						useSourceIp: _
+					} | {
+						httpQueryParameterName: _
+					}) & ({} | {
+						ringHash: _
+					} | {
+						maglev: _
+					}) & {
+						// Hash based on HTTP cookie.
+						httpCookie?: {
+							// Name of the cookie.
+							name: string
+
+							// Path to set for the cookie.
+							path?: string
+
+							// Lifetime of the cookie.
+							ttl?: string
+						}
+
+						// Hash based on a specific HTTP header.
+						httpHeaderName?: string
+
+						// Hash based on a specific HTTP query parameter.
+						httpQueryParameterName?: string
+						maglev?: {
+							// The table size for Maglev hashing.
+							tableSize?: int
+						}
+
+						// Deprecated.
+						minimumRingSize?: int
+						ringHash?: {
+							// The minimum number of virtual nodes to use for the hash ring.
+							minimumRingSize?: int
+						}
+
+						// Hash based on the source IP address.
+						useSourceIp?: bool
+					}
+					localityLbSetting?: {
+						// Optional: only one of distribute, failover or failoverPriority
+						// can be set.
+						distribute?: [...{
+							// Originating locality, '/' separated, e.g.
+							from?: string
+
+							// Map of upstream localities to traffic distribution weights.
+							to?: {
+								[string]: int
+							}
+						}]
+
+						// enable locality load balancing, this is DestinationRule-level
+						// and will override mesh wide settings in entirety.
+						enabled?: null | bool
+
+						// Optional: only one of distribute, failover or failoverPriority
+						// can be set.
+						failover?: [...{
+							// Originating region.
+							from?: string
+
+							// Destination region the traffic will fail over to when endpoints
+							// in the 'from' region becomes unhealthy.
+							to?: string
+						}]
+
+						// failoverPriority is an ordered list of labels used to sort
+						// endpoints to do priority based load balancing.
+						failoverPriority?: [...string]
+					}
+					simple?: "UNSPECIFIED" | "LEAST_CONN" | "RANDOM" | "PASSTHROUGH" | "ROUND_ROBIN" | "LEAST_REQUEST"
+
+					// Represents the warmup duration of Service.
+					warmupDurationSecs?: string
+				}
+				outlierDetection?: {
+					// Minimum ejection duration.
+					baseEjectionTime?: string
+
+					// Number of 5xx errors before a host is ejected from the
+					// connection pool.
+					consecutive5xxErrors?: null | int
+					consecutiveErrors?:    int
+
+					// Number of gateway errors before a host is ejected from the
+					// connection pool.
+					consecutiveGatewayErrors?: null | int
+
+					// The number of consecutive locally originated failures before
+					// ejection occurs.
+					consecutiveLocalOriginFailures?: null | int
+
+					// Time interval between ejection sweep analysis.
+					interval?: string
+
+					// Maximum % of hosts in the load balancing pool for the upstream
+					// service that can be ejected.
+					maxEjectionPercent?: int
+
+					// Outlier detection will be enabled as long as the associated
+					// load balancing pool has at least min_health_percent hosts in
+					// healthy mode.
+					minHealthPercent?: int
+
+					// Determines whether to distinguish local origin failures from
+					// external errors.
+					splitExternalLocalOriginErrors?: bool
+				}
+				port?: {
+					number?: int
+				}
+
+				// TLS related settings for connections to the upstream service.
+				tls?: {
+					// OPTIONAL: The path to the file containing certificate authority
+					// certificates to use in verifying a presented server
+					// certificate.
+					caCertificates?: string
+
+					// REQUIRED if mode is `MUTUAL`.
+					clientCertificate?: string
+
+					// The name of the secret that holds the TLS certs for the client
+					// including the CA certificates.
+					credentialName?: string
+
+					// `insecureSkipVerify` specifies whether the proxy should skip
+					// verifying the CA signature and SAN for the server certificate
+					// corresponding to the host.
+					insecureSkipVerify?: null | bool
+
+					// Indicates whether connections to this port should be secured
+					// using TLS.
+					mode?: "DISABLE" | "SIMPLE" | "MUTUAL" | "ISTIO_MUTUAL"
+
+					// REQUIRED if mode is `MUTUAL`.
+					privateKey?: string
+
+					// SNI string to present to the server during TLS handshake.
+					sni?: string
+
+					// A list of alternate names to verify the subject identity in the
+					// certificate.
+					subjectAltNames?: [...string]
+				}
+			}]
+
+			// TLS related settings for connections to the upstream service.
+			tls?: {
+				// OPTIONAL: The path to the file containing certificate authority
+				// certificates to use in verifying a presented server
+				// certificate.
+				caCertificates?: string
+
+				// REQUIRED if mode is `MUTUAL`.
+				clientCertificate?: string
+
+				// The name of the secret that holds the TLS certs for the client
+				// including the CA certificates.
+				credentialName?: string
+
+				// `insecureSkipVerify` specifies whether the proxy should skip
+				// verifying the CA signature and SAN for the server certificate
+				// corresponding to the host.
+				insecureSkipVerify?: null | bool
+
+				// Indicates whether connections to this port should be secured
+				// using TLS.
+				mode?: "DISABLE" | "SIMPLE" | "MUTUAL" | "ISTIO_MUTUAL"
+
+				// REQUIRED if mode is `MUTUAL`.
+				privateKey?: string
+
+				// SNI string to present to the server during TLS handshake.
+				sni?: string
+
+				// A list of alternate names to verify the subject identity in the
+				// certificate.
+				subjectAltNames?: [...string]
+			}
+
+			// Configuration of tunneling TCP over other transport or
+			// application layers for the host configured in the
+			// DestinationRule.
+			tunnel?: {
+				// Specifies which protocol to use for tunneling the downstream
+				// connection.
+				protocol?: string
+
+				// Specifies a host to which the downstream connection is
+				// tunneled.
+				targetHost: string
+
+				// Specifies a port to which the downstream connection is
+				// tunneled.
+				targetPort: int
+			}
+		}
+	}]
+
+	// Traffic policies to apply (load balancing policy, connection
+	// pool sizes, outlier detection).
+	trafficPolicy?: {
+		connectionPool?: {
+			// HTTP connection pool settings.
+			http?: {
+				// Specify if http1.1 connection should be upgraded to http2 for
+				// the associated destination.
+				h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
+
+				// Maximum number of requests that will be queued while waiting
+				// for a ready connection pool connection.
+				http1MaxPendingRequests?: int
+
+				// Maximum number of active requests to a destination.
+				http2MaxRequests?: int
+
+				// The idle timeout for upstream connection pool connections.
+				idleTimeout?: string
+
+				// Maximum number of requests per connection to a backend.
+				maxRequestsPerConnection?: int
+
+				// Maximum number of retries that can be outstanding to all hosts
+				// in a cluster at a given time.
+				maxRetries?: int
+
+				// If set to true, client protocol will be preserved while
+				// initiating connection to backend.
+				useClientProtocol?: bool
+			}
+
+			// Settings common to both HTTP and TCP upstream connections.
+			tcp?: {
+				// TCP connection timeout.
+				connectTimeout?: string
+
+				// The maximum duration of a connection.
+				maxConnectionDuration?: string
+
+				// Maximum number of HTTP1 /TCP connections to a destination host.
+				maxConnections?: int
+
+				// If set then set SO_KEEPALIVE on the socket to enable TCP
+				// Keepalives.
+				tcpKeepalive?: {
+					// The time duration between keep-alive probes.
+					interval?: string
+
+					// Maximum number of keepalive probes to send without response
+					// before deciding the connection is dead.
+					probes?: int
+
+					// The time duration a connection needs to be idle before
+					// keep-alive probes start being sent.
+					time?: string
+				}
+			}
+		}
+
+		// Settings controlling the load balancer algorithms.
+		loadBalancer?: ({} | {
+			simple: _
+		} | {
+			consistentHash: _
+		}) & {
+			consistentHash?: ({} | {
+				httpHeaderName: _
+			} | {
+				httpCookie: _
+			} | {
+				useSourceIp: _
+			} | {
+				httpQueryParameterName: _
+			}) & ({} | {
+				ringHash: _
+			} | {
+				maglev: _
+			}) & {
+				// Hash based on HTTP cookie.
+				httpCookie?: {
+					// Name of the cookie.
+					name: string
+
+					// Path to set for the cookie.
+					path?: string
+
+					// Lifetime of the cookie.
+					ttl?: string
+				}
+
+				// Hash based on a specific HTTP header.
+				httpHeaderName?: string
+
+				// Hash based on a specific HTTP query parameter.
+				httpQueryParameterName?: string
+				maglev?: {
+					// The table size for Maglev hashing.
+					tableSize?: int
+				}
+
+				// Deprecated.
+				minimumRingSize?: int
+				ringHash?: {
+					// The minimum number of virtual nodes to use for the hash ring.
+					minimumRingSize?: int
+				}
+
+				// Hash based on the source IP address.
+				useSourceIp?: bool
+			}
+			localityLbSetting?: {
+				// Optional: only one of distribute, failover or failoverPriority
+				// can be set.
+				distribute?: [...{
+					// Originating locality, '/' separated, e.g.
+					from?: string
+
+					// Map of upstream localities to traffic distribution weights.
+					to?: {
+						[string]: int
+					}
+				}]
+
+				// enable locality load balancing, this is DestinationRule-level
+				// and will override mesh wide settings in entirety.
+				enabled?: null | bool
+
+				// Optional: only one of distribute, failover or failoverPriority
+				// can be set.
+				failover?: [...{
+					// Originating region.
+					from?: string
+
+					// Destination region the traffic will fail over to when endpoints
+					// in the 'from' region becomes unhealthy.
+					to?: string
+				}]
+
+				// failoverPriority is an ordered list of labels used to sort
+				// endpoints to do priority based load balancing.
+				failoverPriority?: [...string]
+			}
+			simple?: "UNSPECIFIED" | "LEAST_CONN" | "RANDOM" | "PASSTHROUGH" | "ROUND_ROBIN" | "LEAST_REQUEST"
+
+			// Represents the warmup duration of Service.
+			warmupDurationSecs?: string
+		}
+		outlierDetection?: {
+			// Minimum ejection duration.
+			baseEjectionTime?: string
+
+			// Number of 5xx errors before a host is ejected from the
+			// connection pool.
+			consecutive5xxErrors?: null | int
+			consecutiveErrors?:    int
+
+			// Number of gateway errors before a host is ejected from the
+			// connection pool.
+			consecutiveGatewayErrors?: null | int
+
+			// The number of consecutive locally originated failures before
+			// ejection occurs.
+			consecutiveLocalOriginFailures?: null | int
+
+			// Time interval between ejection sweep analysis.
+			interval?: string
+
+			// Maximum % of hosts in the load balancing pool for the upstream
+			// service that can be ejected.
+			maxEjectionPercent?: int
+
+			// Outlier detection will be enabled as long as the associated
+			// load balancing pool has at least min_health_percent hosts in
+			// healthy mode.
+			minHealthPercent?: int
+
+			// Determines whether to distinguish local origin failures from
+			// external errors.
+			splitExternalLocalOriginErrors?: bool
+		}
+
+		// Traffic policies specific to individual ports.
+		portLevelSettings?: [...{
+			connectionPool?: {
+				// HTTP connection pool settings.
+				http?: {
+					// Specify if http1.1 connection should be upgraded to http2 for
+					// the associated destination.
+					h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
+
+					// Maximum number of requests that will be queued while waiting
+					// for a ready connection pool connection.
+					http1MaxPendingRequests?: int
+
+					// Maximum number of active requests to a destination.
+					http2MaxRequests?: int
+
+					// The idle timeout for upstream connection pool connections.
+					idleTimeout?: string
+
+					// Maximum number of requests per connection to a backend.
+					maxRequestsPerConnection?: int
+
+					// Maximum number of retries that can be outstanding to all hosts
+					// in a cluster at a given time.
+					maxRetries?: int
+
+					// If set to true, client protocol will be preserved while
+					// initiating connection to backend.
+					useClientProtocol?: bool
+				}
+
+				// Settings common to both HTTP and TCP upstream connections.
+				tcp?: {
+					// TCP connection timeout.
+					connectTimeout?: string
+
+					// The maximum duration of a connection.
+					maxConnectionDuration?: string
+
+					// Maximum number of HTTP1 /TCP connections to a destination host.
+					maxConnections?: int
+
+					// If set then set SO_KEEPALIVE on the socket to enable TCP
+					// Keepalives.
+					tcpKeepalive?: {
+						// The time duration between keep-alive probes.
+						interval?: string
+
+						// Maximum number of keepalive probes to send without response
+						// before deciding the connection is dead.
+						probes?: int
+
+						// The time duration a connection needs to be idle before
+						// keep-alive probes start being sent.
+						time?: string
+					}
+				}
+			}
+
+			// Settings controlling the load balancer algorithms.
+			loadBalancer?: ({} | {
+				simple: _
+			} | {
+				consistentHash: _
+			}) & {
+				consistentHash?: ({} | {
+					httpHeaderName: _
+				} | {
+					httpCookie: _
+				} | {
+					useSourceIp: _
+				} | {
+					httpQueryParameterName: _
+				}) & ({} | {
+					ringHash: _
+				} | {
+					maglev: _
+				}) & {
+					// Hash based on HTTP cookie.
+					httpCookie?: {
+						// Name of the cookie.
+						name: string
+
+						// Path to set for the cookie.
+						path?: string
+
+						// Lifetime of the cookie.
+						ttl?: string
+					}
+
+					// Hash based on a specific HTTP header.
+					httpHeaderName?: string
+
+					// Hash based on a specific HTTP query parameter.
+					httpQueryParameterName?: string
+					maglev?: {
+						// The table size for Maglev hashing.
+						tableSize?: int
+					}
+
+					// Deprecated.
+					minimumRingSize?: int
+					ringHash?: {
+						// The minimum number of virtual nodes to use for the hash ring.
+						minimumRingSize?: int
+					}
+
+					// Hash based on the source IP address.
+					useSourceIp?: bool
+				}
+				localityLbSetting?: {
+					// Optional: only one of distribute, failover or failoverPriority
+					// can be set.
+					distribute?: [...{
+						// Originating locality, '/' separated, e.g.
+						from?: string
+
+						// Map of upstream localities to traffic distribution weights.
+						to?: {
+							[string]: int
+						}
+					}]
+
+					// enable locality load balancing, this is DestinationRule-level
+					// and will override mesh wide settings in entirety.
+					enabled?: null | bool
+
+					// Optional: only one of distribute, failover or failoverPriority
+					// can be set.
+					failover?: [...{
+						// Originating region.
+						from?: string
+
+						// Destination region the traffic will fail over to when endpoints
+						// in the 'from' region becomes unhealthy.
+						to?: string
+					}]
+
+					// failoverPriority is an ordered list of labels used to sort
+					// endpoints to do priority based load balancing.
+					failoverPriority?: [...string]
+				}
+				simple?: "UNSPECIFIED" | "LEAST_CONN" | "RANDOM" | "PASSTHROUGH" | "ROUND_ROBIN" | "LEAST_REQUEST"
+
+				// Represents the warmup duration of Service.
+				warmupDurationSecs?: string
+			}
+			outlierDetection?: {
+				// Minimum ejection duration.
+				baseEjectionTime?: string
+
+				// Number of 5xx errors before a host is ejected from the
+				// connection pool.
+				consecutive5xxErrors?: null | int
+				consecutiveErrors?:    int
+
+				// Number of gateway errors before a host is ejected from the
+				// connection pool.
+				consecutiveGatewayErrors?: null | int
+
+				// The number of consecutive locally originated failures before
+				// ejection occurs.
+				consecutiveLocalOriginFailures?: null | int
+
+				// Time interval between ejection sweep analysis.
+				interval?: string
+
+				// Maximum % of hosts in the load balancing pool for the upstream
+				// service that can be ejected.
+				maxEjectionPercent?: int
+
+				// Outlier detection will be enabled as long as the associated
+				// load balancing pool has at least min_health_percent hosts in
+				// healthy mode.
+				minHealthPercent?: int
+
+				// Determines whether to distinguish local origin failures from
+				// external errors.
+				splitExternalLocalOriginErrors?: bool
+			}
+			port?: {
+				number?: int
+			}
+
+			// TLS related settings for connections to the upstream service.
+			tls?: {
+				// OPTIONAL: The path to the file containing certificate authority
+				// certificates to use in verifying a presented server
+				// certificate.
+				caCertificates?: string
+
+				// REQUIRED if mode is `MUTUAL`.
+				clientCertificate?: string
+
+				// The name of the secret that holds the TLS certs for the client
+				// including the CA certificates.
+				credentialName?: string
+
+				// `insecureSkipVerify` specifies whether the proxy should skip
+				// verifying the CA signature and SAN for the server certificate
+				// corresponding to the host.
+				insecureSkipVerify?: null | bool
+
+				// Indicates whether connections to this port should be secured
+				// using TLS.
+				mode?: "DISABLE" | "SIMPLE" | "MUTUAL" | "ISTIO_MUTUAL"
+
+				// REQUIRED if mode is `MUTUAL`.
+				privateKey?: string
+
+				// SNI string to present to the server during TLS handshake.
+				sni?: string
+
+				// A list of alternate names to verify the subject identity in the
+				// certificate.
+				subjectAltNames?: [...string]
+			}
+		}]
+
+		// TLS related settings for connections to the upstream service.
+		tls?: {
+			// OPTIONAL: The path to the file containing certificate authority
+			// certificates to use in verifying a presented server
+			// certificate.
+			caCertificates?: string
+
+			// REQUIRED if mode is `MUTUAL`.
+			clientCertificate?: string
+
+			// The name of the secret that holds the TLS certs for the client
+			// including the CA certificates.
+			credentialName?: string
+
+			// `insecureSkipVerify` specifies whether the proxy should skip
+			// verifying the CA signature and SAN for the server certificate
+			// corresponding to the host.
+			insecureSkipVerify?: null | bool
+
+			// Indicates whether connections to this port should be secured
+			// using TLS.
+			mode?: "DISABLE" | "SIMPLE" | "MUTUAL" | "ISTIO_MUTUAL"
+
+			// REQUIRED if mode is `MUTUAL`.
+			privateKey?: string
+
+			// SNI string to present to the server during TLS handshake.
+			sni?: string
+
+			// A list of alternate names to verify the subject identity in the
+			// certificate.
+			subjectAltNames?: [...string]
+		}
+
+		// Configuration of tunneling TCP over other transport or
+		// application layers for the host configured in the
+		// DestinationRule.
+		tunnel?: {
+			// Specifies which protocol to use for tunneling the downstream
+			// connection.
+			protocol?: string
+
+			// Specifies a host to which the downstream connection is
+			// tunneled.
+			targetHost: string
+
+			// Specifies a port to which the downstream connection is
+			// tunneled.
+			targetPort: int
+		}
+	}
+	workloadSelector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which a policy should be applied.
+		matchLabels?: {
+			[string]: string
+		}
+	}
+}

docs/examples/cue.mod/gen/networking.istio.io/destinationrule/v1beta1/types_gen.cue

@@ -0,0 +1,967 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1beta1
+
+import "strings"
+
+#DestinationRule: {
+	// Configuration affecting load balancing, outlier detection, etc.
+	// See more details at:
+	// https://istio.io/docs/reference/config/networking/destination-rule.html
+	spec!:      #DestinationRuleSpec
+	apiVersion: "networking.istio.io/v1beta1"
+	kind:       "DestinationRule"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting load balancing, outlier detection, etc.
+// See more details at:
+// https://istio.io/docs/reference/config/networking/destination-rule.html
+#DestinationRuleSpec: {
+	// A list of namespaces to which this destination rule is
+	// exported.
+	exportTo?: [...string]
+
+	// The name of a service from the service registry.
+	host: string
+
+	// One or more named sets that represent individual versions of a
+	// service.
+	subsets?: [...{
+		// Labels apply a filter over the endpoints of a service in the
+		// service registry.
+		labels?: {
+			[string]: string
+		}
+
+		// Name of the subset.
+		name: string
+
+		// Traffic policies that apply to this subset.
+		trafficPolicy?: {
+			connectionPool?: {
+				// HTTP connection pool settings.
+				http?: {
+					// Specify if http1.1 connection should be upgraded to http2 for
+					// the associated destination.
+					h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
+
+					// Maximum number of requests that will be queued while waiting
+					// for a ready connection pool connection.
+					http1MaxPendingRequests?: int
+
+					// Maximum number of active requests to a destination.
+					http2MaxRequests?: int
+
+					// The idle timeout for upstream connection pool connections.
+					idleTimeout?: string
+
+					// Maximum number of requests per connection to a backend.
+					maxRequestsPerConnection?: int
+
+					// Maximum number of retries that can be outstanding to all hosts
+					// in a cluster at a given time.
+					maxRetries?: int
+
+					// If set to true, client protocol will be preserved while
+					// initiating connection to backend.
+					useClientProtocol?: bool
+				}
+
+				// Settings common to both HTTP and TCP upstream connections.
+				tcp?: {
+					// TCP connection timeout.
+					connectTimeout?: string
+
+					// The maximum duration of a connection.
+					maxConnectionDuration?: string
+
+					// Maximum number of HTTP1 /TCP connections to a destination host.
+					maxConnections?: int
+
+					// If set then set SO_KEEPALIVE on the socket to enable TCP
+					// Keepalives.
+					tcpKeepalive?: {
+						// The time duration between keep-alive probes.
+						interval?: string
+
+						// Maximum number of keepalive probes to send without response
+						// before deciding the connection is dead.
+						probes?: int
+
+						// The time duration a connection needs to be idle before
+						// keep-alive probes start being sent.
+						time?: string
+					}
+				}
+			}
+
+			// Settings controlling the load balancer algorithms.
+			loadBalancer?: ({} | {
+				simple: _
+			} | {
+				consistentHash: _
+			}) & {
+				consistentHash?: ({} | {
+					httpHeaderName: _
+				} | {
+					httpCookie: _
+				} | {
+					useSourceIp: _
+				} | {
+					httpQueryParameterName: _
+				}) & ({} | {
+					ringHash: _
+				} | {
+					maglev: _
+				}) & {
+					// Hash based on HTTP cookie.
+					httpCookie?: {
+						// Name of the cookie.
+						name: string
+
+						// Path to set for the cookie.
+						path?: string
+
+						// Lifetime of the cookie.
+						ttl?: string
+					}
+
+					// Hash based on a specific HTTP header.
+					httpHeaderName?: string
+
+					// Hash based on a specific HTTP query parameter.
+					httpQueryParameterName?: string
+					maglev?: {
+						// The table size for Maglev hashing.
+						tableSize?: int
+					}
+
+					// Deprecated.
+					minimumRingSize?: int
+					ringHash?: {
+						// The minimum number of virtual nodes to use for the hash ring.
+						minimumRingSize?: int
+					}
+
+					// Hash based on the source IP address.
+					useSourceIp?: bool
+				}
+				localityLbSetting?: {
+					// Optional: only one of distribute, failover or failoverPriority
+					// can be set.
+					distribute?: [...{
+						// Originating locality, '/' separated, e.g.
+						from?: string
+
+						// Map of upstream localities to traffic distribution weights.
+						to?: {
+							[string]: int
+						}
+					}]
+
+					// enable locality load balancing, this is DestinationRule-level
+					// and will override mesh wide settings in entirety.
+					enabled?: null | bool
+
+					// Optional: only one of distribute, failover or failoverPriority
+					// can be set.
+					failover?: [...{
+						// Originating region.
+						from?: string
+
+						// Destination region the traffic will fail over to when endpoints
+						// in the 'from' region becomes unhealthy.
+						to?: string
+					}]
+
+					// failoverPriority is an ordered list of labels used to sort
+					// endpoints to do priority based load balancing.
+					failoverPriority?: [...string]
+				}
+				simple?: "UNSPECIFIED" | "LEAST_CONN" | "RANDOM" | "PASSTHROUGH" | "ROUND_ROBIN" | "LEAST_REQUEST"
+
+				// Represents the warmup duration of Service.
+				warmupDurationSecs?: string
+			}
+			outlierDetection?: {
+				// Minimum ejection duration.
+				baseEjectionTime?: string
+
+				// Number of 5xx errors before a host is ejected from the
+				// connection pool.
+				consecutive5xxErrors?: null | int
+				consecutiveErrors?:    int
+
+				// Number of gateway errors before a host is ejected from the
+				// connection pool.
+				consecutiveGatewayErrors?: null | int
+
+				// The number of consecutive locally originated failures before
+				// ejection occurs.
+				consecutiveLocalOriginFailures?: null | int
+
+				// Time interval between ejection sweep analysis.
+				interval?: string
+
+				// Maximum % of hosts in the load balancing pool for the upstream
+				// service that can be ejected.
+				maxEjectionPercent?: int
+
+				// Outlier detection will be enabled as long as the associated
+				// load balancing pool has at least min_health_percent hosts in
+				// healthy mode.
+				minHealthPercent?: int
+
+				// Determines whether to distinguish local origin failures from
+				// external errors.
+				splitExternalLocalOriginErrors?: bool
+			}
+
+			// Traffic policies specific to individual ports.
+			portLevelSettings?: [...{
+				connectionPool?: {
+					// HTTP connection pool settings.
+					http?: {
+						// Specify if http1.1 connection should be upgraded to http2 for
+						// the associated destination.
+						h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
+
+						// Maximum number of requests that will be queued while waiting
+						// for a ready connection pool connection.
+						http1MaxPendingRequests?: int
+
+						// Maximum number of active requests to a destination.
+						http2MaxRequests?: int
+
+						// The idle timeout for upstream connection pool connections.
+						idleTimeout?: string
+
+						// Maximum number of requests per connection to a backend.
+						maxRequestsPerConnection?: int
+
+						// Maximum number of retries that can be outstanding to all hosts
+						// in a cluster at a given time.
+						maxRetries?: int
+
+						// If set to true, client protocol will be preserved while
+						// initiating connection to backend.
+						useClientProtocol?: bool
+					}
+
+					// Settings common to both HTTP and TCP upstream connections.
+					tcp?: {
+						// TCP connection timeout.
+						connectTimeout?: string
+
+						// The maximum duration of a connection.
+						maxConnectionDuration?: string
+
+						// Maximum number of HTTP1 /TCP connections to a destination host.
+						maxConnections?: int
+
+						// If set then set SO_KEEPALIVE on the socket to enable TCP
+						// Keepalives.
+						tcpKeepalive?: {
+							// The time duration between keep-alive probes.
+							interval?: string
+
+							// Maximum number of keepalive probes to send without response
+							// before deciding the connection is dead.
+							probes?: int
+
+							// The time duration a connection needs to be idle before
+							// keep-alive probes start being sent.
+							time?: string
+						}
+					}
+				}
+
+				// Settings controlling the load balancer algorithms.
+				loadBalancer?: ({} | {
+					simple: _
+				} | {
+					consistentHash: _
+				}) & {
+					consistentHash?: ({} | {
+						httpHeaderName: _
+					} | {
+						httpCookie: _
+					} | {
+						useSourceIp: _
+					} | {
+						httpQueryParameterName: _
+					}) & ({} | {
+						ringHash: _
+					} | {
+						maglev: _
+					}) & {
+						// Hash based on HTTP cookie.
+						httpCookie?: {
+							// Name of the cookie.
+							name: string
+
+							// Path to set for the cookie.
+							path?: string
+
+							// Lifetime of the cookie.
+							ttl?: string
+						}
+
+						// Hash based on a specific HTTP header.
+						httpHeaderName?: string
+
+						// Hash based on a specific HTTP query parameter.
+						httpQueryParameterName?: string
+						maglev?: {
+							// The table size for Maglev hashing.
+							tableSize?: int
+						}
+
+						// Deprecated.
+						minimumRingSize?: int
+						ringHash?: {
+							// The minimum number of virtual nodes to use for the hash ring.
+							minimumRingSize?: int
+						}
+
+						// Hash based on the source IP address.
+						useSourceIp?: bool
+					}
+					localityLbSetting?: {
+						// Optional: only one of distribute, failover or failoverPriority
+						// can be set.
+						distribute?: [...{
+							// Originating locality, '/' separated, e.g.
+							from?: string
+
+							// Map of upstream localities to traffic distribution weights.
+							to?: {
+								[string]: int
+							}
+						}]
+
+						// enable locality load balancing, this is DestinationRule-level
+						// and will override mesh wide settings in entirety.
+						enabled?: null | bool
+
+						// Optional: only one of distribute, failover or failoverPriority
+						// can be set.
+						failover?: [...{
+							// Originating region.
+							from?: string
+
+							// Destination region the traffic will fail over to when endpoints
+							// in the 'from' region becomes unhealthy.
+							to?: string
+						}]
+
+						// failoverPriority is an ordered list of labels used to sort
+						// endpoints to do priority based load balancing.
+						failoverPriority?: [...string]
+					}
+					simple?: "UNSPECIFIED" | "LEAST_CONN" | "RANDOM" | "PASSTHROUGH" | "ROUND_ROBIN" | "LEAST_REQUEST"
+
+					// Represents the warmup duration of Service.
+					warmupDurationSecs?: string
+				}
+				outlierDetection?: {
+					// Minimum ejection duration.
+					baseEjectionTime?: string
+
+					// Number of 5xx errors before a host is ejected from the
+					// connection pool.
+					consecutive5xxErrors?: null | int
+					consecutiveErrors?:    int
+
+					// Number of gateway errors before a host is ejected from the
+					// connection pool.
+					consecutiveGatewayErrors?: null | int
+
+					// The number of consecutive locally originated failures before
+					// ejection occurs.
+					consecutiveLocalOriginFailures?: null | int
+
+					// Time interval between ejection sweep analysis.
+					interval?: string
+
+					// Maximum % of hosts in the load balancing pool for the upstream
+					// service that can be ejected.
+					maxEjectionPercent?: int
+
+					// Outlier detection will be enabled as long as the associated
+					// load balancing pool has at least min_health_percent hosts in
+					// healthy mode.
+					minHealthPercent?: int
+
+					// Determines whether to distinguish local origin failures from
+					// external errors.
+					splitExternalLocalOriginErrors?: bool
+				}
+				port?: {
+					number?: int
+				}
+
+				// TLS related settings for connections to the upstream service.
+				tls?: {
+					// OPTIONAL: The path to the file containing certificate authority
+					// certificates to use in verifying a presented server
+					// certificate.
+					caCertificates?: string
+
+					// REQUIRED if mode is `MUTUAL`.
+					clientCertificate?: string
+
+					// The name of the secret that holds the TLS certs for the client
+					// including the CA certificates.
+					credentialName?: string
+
+					// `insecureSkipVerify` specifies whether the proxy should skip
+					// verifying the CA signature and SAN for the server certificate
+					// corresponding to the host.
+					insecureSkipVerify?: null | bool
+
+					// Indicates whether connections to this port should be secured
+					// using TLS.
+					mode?: "DISABLE" | "SIMPLE" | "MUTUAL" | "ISTIO_MUTUAL"
+
+					// REQUIRED if mode is `MUTUAL`.
+					privateKey?: string
+
+					// SNI string to present to the server during TLS handshake.
+					sni?: string
+
+					// A list of alternate names to verify the subject identity in the
+					// certificate.
+					subjectAltNames?: [...string]
+				}
+			}]
+
+			// TLS related settings for connections to the upstream service.
+			tls?: {
+				// OPTIONAL: The path to the file containing certificate authority
+				// certificates to use in verifying a presented server
+				// certificate.
+				caCertificates?: string
+
+				// REQUIRED if mode is `MUTUAL`.
+				clientCertificate?: string
+
+				// The name of the secret that holds the TLS certs for the client
+				// including the CA certificates.
+				credentialName?: string
+
+				// `insecureSkipVerify` specifies whether the proxy should skip
+				// verifying the CA signature and SAN for the server certificate
+				// corresponding to the host.
+				insecureSkipVerify?: null | bool
+
+				// Indicates whether connections to this port should be secured
+				// using TLS.
+				mode?: "DISABLE" | "SIMPLE" | "MUTUAL" | "ISTIO_MUTUAL"
+
+				// REQUIRED if mode is `MUTUAL`.
+				privateKey?: string
+
+				// SNI string to present to the server during TLS handshake.
+				sni?: string
+
+				// A list of alternate names to verify the subject identity in the
+				// certificate.
+				subjectAltNames?: [...string]
+			}
+
+			// Configuration of tunneling TCP over other transport or
+			// application layers for the host configured in the
+			// DestinationRule.
+			tunnel?: {
+				// Specifies which protocol to use for tunneling the downstream
+				// connection.
+				protocol?: string
+
+				// Specifies a host to which the downstream connection is
+				// tunneled.
+				targetHost: string
+
+				// Specifies a port to which the downstream connection is
+				// tunneled.
+				targetPort: int
+			}
+		}
+	}]
+
+	// Traffic policies to apply (load balancing policy, connection
+	// pool sizes, outlier detection).
+	trafficPolicy?: {
+		connectionPool?: {
+			// HTTP connection pool settings.
+			http?: {
+				// Specify if http1.1 connection should be upgraded to http2 for
+				// the associated destination.
+				h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
+
+				// Maximum number of requests that will be queued while waiting
+				// for a ready connection pool connection.
+				http1MaxPendingRequests?: int
+
+				// Maximum number of active requests to a destination.
+				http2MaxRequests?: int
+
+				// The idle timeout for upstream connection pool connections.
+				idleTimeout?: string
+
+				// Maximum number of requests per connection to a backend.
+				maxRequestsPerConnection?: int
+
+				// Maximum number of retries that can be outstanding to all hosts
+				// in a cluster at a given time.
+				maxRetries?: int
+
+				// If set to true, client protocol will be preserved while
+				// initiating connection to backend.
+				useClientProtocol?: bool
+			}
+
+			// Settings common to both HTTP and TCP upstream connections.
+			tcp?: {
+				// TCP connection timeout.
+				connectTimeout?: string
+
+				// The maximum duration of a connection.
+				maxConnectionDuration?: string
+
+				// Maximum number of HTTP1 /TCP connections to a destination host.
+				maxConnections?: int
+
+				// If set then set SO_KEEPALIVE on the socket to enable TCP
+				// Keepalives.
+				tcpKeepalive?: {
+					// The time duration between keep-alive probes.
+					interval?: string
+
+					// Maximum number of keepalive probes to send without response
+					// before deciding the connection is dead.
+					probes?: int
+
+					// The time duration a connection needs to be idle before
+					// keep-alive probes start being sent.
+					time?: string
+				}
+			}
+		}
+
+		// Settings controlling the load balancer algorithms.
+		loadBalancer?: ({} | {
+			simple: _
+		} | {
+			consistentHash: _
+		}) & {
+			consistentHash?: ({} | {
+				httpHeaderName: _
+			} | {
+				httpCookie: _
+			} | {
+				useSourceIp: _
+			} | {
+				httpQueryParameterName: _
+			}) & ({} | {
+				ringHash: _
+			} | {
+				maglev: _
+			}) & {
+				// Hash based on HTTP cookie.
+				httpCookie?: {
+					// Name of the cookie.
+					name: string
+
+					// Path to set for the cookie.
+					path?: string
+
+					// Lifetime of the cookie.
+					ttl?: string
+				}
+
+				// Hash based on a specific HTTP header.
+				httpHeaderName?: string
+
+				// Hash based on a specific HTTP query parameter.
+				httpQueryParameterName?: string
+				maglev?: {
+					// The table size for Maglev hashing.
+					tableSize?: int
+				}
+
+				// Deprecated.
+				minimumRingSize?: int
+				ringHash?: {
+					// The minimum number of virtual nodes to use for the hash ring.
+					minimumRingSize?: int
+				}
+
+				// Hash based on the source IP address.
+				useSourceIp?: bool
+			}
+			localityLbSetting?: {
+				// Optional: only one of distribute, failover or failoverPriority
+				// can be set.
+				distribute?: [...{
+					// Originating locality, '/' separated, e.g.
+					from?: string
+
+					// Map of upstream localities to traffic distribution weights.
+					to?: {
+						[string]: int
+					}
+				}]
+
+				// enable locality load balancing, this is DestinationRule-level
+				// and will override mesh wide settings in entirety.
+				enabled?: null | bool
+
+				// Optional: only one of distribute, failover or failoverPriority
+				// can be set.
+				failover?: [...{
+					// Originating region.
+					from?: string
+
+					// Destination region the traffic will fail over to when endpoints
+					// in the 'from' region becomes unhealthy.
+					to?: string
+				}]
+
+				// failoverPriority is an ordered list of labels used to sort
+				// endpoints to do priority based load balancing.
+				failoverPriority?: [...string]
+			}
+			simple?: "UNSPECIFIED" | "LEAST_CONN" | "RANDOM" | "PASSTHROUGH" | "ROUND_ROBIN" | "LEAST_REQUEST"
+
+			// Represents the warmup duration of Service.
+			warmupDurationSecs?: string
+		}
+		outlierDetection?: {
+			// Minimum ejection duration.
+			baseEjectionTime?: string
+
+			// Number of 5xx errors before a host is ejected from the
+			// connection pool.
+			consecutive5xxErrors?: null | int
+			consecutiveErrors?:    int
+
+			// Number of gateway errors before a host is ejected from the
+			// connection pool.
+			consecutiveGatewayErrors?: null | int
+
+			// The number of consecutive locally originated failures before
+			// ejection occurs.
+			consecutiveLocalOriginFailures?: null | int
+
+			// Time interval between ejection sweep analysis.
+			interval?: string
+
+			// Maximum % of hosts in the load balancing pool for the upstream
+			// service that can be ejected.
+			maxEjectionPercent?: int
+
+			// Outlier detection will be enabled as long as the associated
+			// load balancing pool has at least min_health_percent hosts in
+			// healthy mode.
+			minHealthPercent?: int
+
+			// Determines whether to distinguish local origin failures from
+			// external errors.
+			splitExternalLocalOriginErrors?: bool
+		}
+
+		// Traffic policies specific to individual ports.
+		portLevelSettings?: [...{
+			connectionPool?: {
+				// HTTP connection pool settings.
+				http?: {
+					// Specify if http1.1 connection should be upgraded to http2 for
+					// the associated destination.
+					h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
+
+					// Maximum number of requests that will be queued while waiting
+					// for a ready connection pool connection.
+					http1MaxPendingRequests?: int
+
+					// Maximum number of active requests to a destination.
+					http2MaxRequests?: int
+
+					// The idle timeout for upstream connection pool connections.
+					idleTimeout?: string
+
+					// Maximum number of requests per connection to a backend.
+					maxRequestsPerConnection?: int
+
+					// Maximum number of retries that can be outstanding to all hosts
+					// in a cluster at a given time.
+					maxRetries?: int
+
+					// If set to true, client protocol will be preserved while
+					// initiating connection to backend.
+					useClientProtocol?: bool
+				}
+
+				// Settings common to both HTTP and TCP upstream connections.
+				tcp?: {
+					// TCP connection timeout.
+					connectTimeout?: string
+
+					// The maximum duration of a connection.
+					maxConnectionDuration?: string
+
+					// Maximum number of HTTP1 /TCP connections to a destination host.
+					maxConnections?: int
+
+					// If set then set SO_KEEPALIVE on the socket to enable TCP
+					// Keepalives.
+					tcpKeepalive?: {
+						// The time duration between keep-alive probes.
+						interval?: string
+
+						// Maximum number of keepalive probes to send without response
+						// before deciding the connection is dead.
+						probes?: int
+
+						// The time duration a connection needs to be idle before
+						// keep-alive probes start being sent.
+						time?: string
+					}
+				}
+			}
+
+			// Settings controlling the load balancer algorithms.
+			loadBalancer?: ({} | {
+				simple: _
+			} | {
+				consistentHash: _
+			}) & {
+				consistentHash?: ({} | {
+					httpHeaderName: _
+				} | {
+					httpCookie: _
+				} | {
+					useSourceIp: _
+				} | {
+					httpQueryParameterName: _
+				}) & ({} | {
+					ringHash: _
+				} | {
+					maglev: _
+				}) & {
+					// Hash based on HTTP cookie.
+					httpCookie?: {
+						// Name of the cookie.
+						name: string
+
+						// Path to set for the cookie.
+						path?: string
+
+						// Lifetime of the cookie.
+						ttl?: string
+					}
+
+					// Hash based on a specific HTTP header.
+					httpHeaderName?: string
+
+					// Hash based on a specific HTTP query parameter.
+					httpQueryParameterName?: string
+					maglev?: {
+						// The table size for Maglev hashing.
+						tableSize?: int
+					}
+
+					// Deprecated.
+					minimumRingSize?: int
+					ringHash?: {
+						// The minimum number of virtual nodes to use for the hash ring.
+						minimumRingSize?: int
+					}
+
+					// Hash based on the source IP address.
+					useSourceIp?: bool
+				}
+				localityLbSetting?: {
+					// Optional: only one of distribute, failover or failoverPriority
+					// can be set.
+					distribute?: [...{
+						// Originating locality, '/' separated, e.g.
+						from?: string
+
+						// Map of upstream localities to traffic distribution weights.
+						to?: {
+							[string]: int
+						}
+					}]
+
+					// enable locality load balancing, this is DestinationRule-level
+					// and will override mesh wide settings in entirety.
+					enabled?: null | bool
+
+					// Optional: only one of distribute, failover or failoverPriority
+					// can be set.
+					failover?: [...{
+						// Originating region.
+						from?: string
+
+						// Destination region the traffic will fail over to when endpoints
+						// in the 'from' region becomes unhealthy.
+						to?: string
+					}]
+
+					// failoverPriority is an ordered list of labels used to sort
+					// endpoints to do priority based load balancing.
+					failoverPriority?: [...string]
+				}
+				simple?: "UNSPECIFIED" | "LEAST_CONN" | "RANDOM" | "PASSTHROUGH" | "ROUND_ROBIN" | "LEAST_REQUEST"
+
+				// Represents the warmup duration of Service.
+				warmupDurationSecs?: string
+			}
+			outlierDetection?: {
+				// Minimum ejection duration.
+				baseEjectionTime?: string
+
+				// Number of 5xx errors before a host is ejected from the
+				// connection pool.
+				consecutive5xxErrors?: null | int
+				consecutiveErrors?:    int
+
+				// Number of gateway errors before a host is ejected from the
+				// connection pool.
+				consecutiveGatewayErrors?: null | int
+
+				// The number of consecutive locally originated failures before
+				// ejection occurs.
+				consecutiveLocalOriginFailures?: null | int
+
+				// Time interval between ejection sweep analysis.
+				interval?: string
+
+				// Maximum % of hosts in the load balancing pool for the upstream
+				// service that can be ejected.
+				maxEjectionPercent?: int
+
+				// Outlier detection will be enabled as long as the associated
+				// load balancing pool has at least min_health_percent hosts in
+				// healthy mode.
+				minHealthPercent?: int
+
+				// Determines whether to distinguish local origin failures from
+				// external errors.
+				splitExternalLocalOriginErrors?: bool
+			}
+			port?: {
+				number?: int
+			}
+
+			// TLS related settings for connections to the upstream service.
+			tls?: {
+				// OPTIONAL: The path to the file containing certificate authority
+				// certificates to use in verifying a presented server
+				// certificate.
+				caCertificates?: string
+
+				// REQUIRED if mode is `MUTUAL`.
+				clientCertificate?: string
+
+				// The name of the secret that holds the TLS certs for the client
+				// including the CA certificates.
+				credentialName?: string
+
+				// `insecureSkipVerify` specifies whether the proxy should skip
+				// verifying the CA signature and SAN for the server certificate
+				// corresponding to the host.
+				insecureSkipVerify?: null | bool
+
+				// Indicates whether connections to this port should be secured
+				// using TLS.
+				mode?: "DISABLE" | "SIMPLE" | "MUTUAL" | "ISTIO_MUTUAL"
+
+				// REQUIRED if mode is `MUTUAL`.
+				privateKey?: string
+
+				// SNI string to present to the server during TLS handshake.
+				sni?: string
+
+				// A list of alternate names to verify the subject identity in the
+				// certificate.
+				subjectAltNames?: [...string]
+			}
+		}]
+
+		// TLS related settings for connections to the upstream service.
+		tls?: {
+			// OPTIONAL: The path to the file containing certificate authority
+			// certificates to use in verifying a presented server
+			// certificate.
+			caCertificates?: string
+
+			// REQUIRED if mode is `MUTUAL`.
+			clientCertificate?: string
+
+			// The name of the secret that holds the TLS certs for the client
+			// including the CA certificates.
+			credentialName?: string
+
+			// `insecureSkipVerify` specifies whether the proxy should skip
+			// verifying the CA signature and SAN for the server certificate
+			// corresponding to the host.
+			insecureSkipVerify?: null | bool
+
+			// Indicates whether connections to this port should be secured
+			// using TLS.
+			mode?: "DISABLE" | "SIMPLE" | "MUTUAL" | "ISTIO_MUTUAL"
+
+			// REQUIRED if mode is `MUTUAL`.
+			privateKey?: string
+
+			// SNI string to present to the server during TLS handshake.
+			sni?: string
+
+			// A list of alternate names to verify the subject identity in the
+			// certificate.
+			subjectAltNames?: [...string]
+		}
+
+		// Configuration of tunneling TCP over other transport or
+		// application layers for the host configured in the
+		// DestinationRule.
+		tunnel?: {
+			// Specifies which protocol to use for tunneling the downstream
+			// connection.
+			protocol?: string
+
+			// Specifies a host to which the downstream connection is
+			// tunneled.
+			targetHost: string
+
+			// Specifies a port to which the downstream connection is
+			// tunneled.
+			targetPort: int
+		}
+	}
+	workloadSelector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which a policy should be applied.
+		matchLabels?: {
+			[string]: string
+		}
+	}
+}

docs/examples/cue.mod/gen/networking.istio.io/envoyfilter/v1alpha3/types_gen.cue

@@ -0,0 +1,185 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1alpha3
+
+import "strings"
+
+#EnvoyFilter: {
+	// Customizing Envoy configuration generated by Istio. See more
+	// details at:
+	// https://istio.io/docs/reference/config/networking/envoy-filter.html
+	spec!:      #EnvoyFilterSpec
+	apiVersion: "networking.istio.io/v1alpha3"
+	kind:       "EnvoyFilter"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Customizing Envoy configuration generated by Istio. See more
+// details at:
+// https://istio.io/docs/reference/config/networking/envoy-filter.html
+#EnvoyFilterSpec: {
+	// One or more patches with match conditions.
+	configPatches?: [...{
+		// Specifies where in the Envoy configuration, the patch should be
+		// applied.
+		applyTo?: "INVALID" | "LISTENER" | "FILTER_CHAIN" | "NETWORK_FILTER" | "HTTP_FILTER" | "ROUTE_CONFIGURATION" | "VIRTUAL_HOST" | "HTTP_ROUTE" | "CLUSTER" | "EXTENSION_CONFIG" | "BOOTSTRAP" | "LISTENER_FILTER"
+
+		// Match on listener/route configuration/cluster.
+		match?: ({} | {
+			listener: _
+		} | {
+			routeConfiguration: _
+		} | {
+			cluster: _
+		}) & {
+			// Match on envoy cluster attributes.
+			cluster?: {
+				// The exact name of the cluster to match.
+				name?: string
+
+				// The service port for which this cluster was generated.
+				portNumber?: int
+
+				// The fully qualified service name for this cluster.
+				service?: string
+
+				// The subset associated with the service.
+				subset?: string
+			}
+
+			// The specific config generation context to match on.
+			context?: "ANY" | "SIDECAR_INBOUND" | "SIDECAR_OUTBOUND" | "GATEWAY"
+
+			// Match on envoy listener attributes.
+			listener?: {
+				// Match a specific filter chain in a listener.
+				filterChain?: {
+					// Applies only to sidecars.
+					applicationProtocols?: string
+
+					// The destination_port value used by a filter chain's match
+					// condition.
+					destinationPort?: int
+
+					// The name of a specific filter to apply the patch to.
+					filter?: {
+						// The filter name to match on.
+						name?: string
+						subFilter?: {
+							// The filter name to match on.
+							name?: string
+						}
+					}
+
+					// The name assigned to the filter chain.
+					name?: string
+
+					// The SNI value used by a filter chain's match condition.
+					sni?: string
+
+					// Applies only to `SIDECAR_INBOUND` context.
+					transportProtocol?: string
+				}
+
+				// Match a specific listener filter.
+				listenerFilter?: string
+
+				// Match a specific listener by its name.
+				name?:     string
+				portName?: string
+
+				// The service port/gateway port to which traffic is being
+				// sent/received.
+				portNumber?: int
+			}
+
+			// Match on properties associated with a proxy.
+			proxy?: {
+				// Match on the node metadata supplied by a proxy when connecting
+				// to Istio Pilot.
+				metadata?: {
+					[string]: string
+				}
+
+				// A regular expression in golang regex format (RE2) that can be
+				// used to select proxies using a specific version of istio
+				// proxy.
+				proxyVersion?: string
+			}
+
+			// Match on envoy HTTP route configuration attributes.
+			routeConfiguration?: {
+				// The Istio gateway config's namespace/name for which this route
+				// configuration was generated.
+				gateway?: string
+
+				// Route configuration name to match on.
+				name?: string
+
+				// Applicable only for GATEWAY context.
+				portName?: string
+
+				// The service port number or gateway server port number for which
+				// this route configuration was generated.
+				portNumber?: int
+
+				// Match a specific virtual host in a route configuration and
+				// apply the patch to the virtual host.
+				vhost?: {
+					// The VirtualHosts objects generated by Istio are named as
+					// host:port, where the host typically corresponds to the
+					// VirtualService's host field or the hostname of a service in
+					// the registry.
+					name?: string
+
+					// Match a specific route within the virtual host.
+					route?: {
+						// Match a route with specific action type.
+						action?: "ANY" | "ROUTE" | "REDIRECT" | "DIRECT_RESPONSE"
+
+						// The Route objects generated by default are named as default.
+						name?: string
+					}
+				}
+			}
+		}
+
+		// The patch to apply along with the operation.
+		patch?: {
+			// Determines the filter insertion order.
+			filterClass?: "UNSPECIFIED" | "AUTHN" | "AUTHZ" | "STATS"
+
+			// Determines how the patch should be applied.
+			operation?: "INVALID" | "MERGE" | "ADD" | "REMOVE" | "INSERT_BEFORE" | "INSERT_AFTER" | "INSERT_FIRST" | "REPLACE"
+
+			// The JSON config of the object being patched.
+			value?: {}
+		}
+	}]
+
+	// Priority defines the order in which patch sets are applied
+	// within a context.
+	priority?: int
+	workloadSelector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which the configuration should be applied.
+		labels?: {
+			[string]: string
+		}
+	}
+}

docs/examples/cue.mod/gen/networking.istio.io/gateway/v1alpha3/types_gen.cue

@@ -0,0 +1,115 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1alpha3
+
+import "strings"
+
+#Gateway: {
+	// Configuration affecting edge load balancer. See more details
+	// at:
+	// https://istio.io/docs/reference/config/networking/gateway.html
+	spec!:      #GatewaySpec
+	apiVersion: "networking.istio.io/v1alpha3"
+	kind:       "Gateway"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting edge load balancer. See more details
+// at:
+// https://istio.io/docs/reference/config/networking/gateway.html
+#GatewaySpec: {
+	// One or more labels that indicate a specific set of pods/VMs on
+	// which this gateway configuration should be applied.
+	selector?: {
+		[string]: string
+	}
+
+	// A list of server specifications.
+	servers?: [...{
+		// The ip or the Unix domain socket to which the listener should
+		// be bound to.
+		bind?:            string
+		defaultEndpoint?: string
+
+		// One or more hosts exposed by this gateway.
+		hosts: [...string]
+
+		// An optional name of the server, when set must be unique across
+		// all servers.
+		name?: string
+
+		// The Port on which the proxy should listen for incoming
+		// connections.
+		port: {
+			// Label assigned to the port.
+			name: string
+
+			// A valid non-negative integer port number.
+			number: int
+
+			// The protocol exposed on the port.
+			protocol:    string
+			targetPort?: int
+		}
+
+		// Set of TLS related options that govern the server's behavior.
+		tls?: {
+			// REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
+			caCertificates?: string
+
+			// Optional: If specified, only support the specified cipher list.
+			cipherSuites?: [...string]
+
+			// For gateways running on Kubernetes, the name of the secret that
+			// holds the TLS certs including the CA certificates.
+			credentialName?: string
+
+			// If set to true, the load balancer will send a 301 redirect for
+			// all http connections, asking the clients to use HTTPS.
+			httpsRedirect?: bool
+
+			// Optional: Maximum TLS protocol version.
+			maxProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
+
+			// Optional: Minimum TLS protocol version.
+			minProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
+
+			// Optional: Indicates whether connections to this port should be
+			// secured using TLS.
+			mode?: "PASSTHROUGH" | "SIMPLE" | "MUTUAL" | "AUTO_PASSTHROUGH" | "ISTIO_MUTUAL" | "OPTIONAL_MUTUAL"
+
+			// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+			privateKey?: string
+
+			// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+			serverCertificate?: string
+
+			// A list of alternate names to verify the subject identity in the
+			// certificate presented by the client.
+			subjectAltNames?: [...string]
+
+			// An optional list of hex-encoded SHA-256 hashes of the
+			// authorized client certificates.
+			verifyCertificateHash?: [...string]
+
+			// An optional list of base64-encoded SHA-256 hashes of the SPKIs
+			// of authorized client certificates.
+			verifyCertificateSpki?: [...string]
+		}
+	}]
+}

docs/examples/cue.mod/gen/networking.istio.io/gateway/v1beta1/types_gen.cue

@@ -0,0 +1,115 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1beta1
+
+import "strings"
+
+#Gateway: {
+	// Configuration affecting edge load balancer. See more details
+	// at:
+	// https://istio.io/docs/reference/config/networking/gateway.html
+	spec!:      #GatewaySpec
+	apiVersion: "networking.istio.io/v1beta1"
+	kind:       "Gateway"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting edge load balancer. See more details
+// at:
+// https://istio.io/docs/reference/config/networking/gateway.html
+#GatewaySpec: {
+	// One or more labels that indicate a specific set of pods/VMs on
+	// which this gateway configuration should be applied.
+	selector?: {
+		[string]: string
+	}
+
+	// A list of server specifications.
+	servers?: [...{
+		// The ip or the Unix domain socket to which the listener should
+		// be bound to.
+		bind?:            string
+		defaultEndpoint?: string
+
+		// One or more hosts exposed by this gateway.
+		hosts: [...string]
+
+		// An optional name of the server, when set must be unique across
+		// all servers.
+		name?: string
+
+		// The Port on which the proxy should listen for incoming
+		// connections.
+		port: {
+			// Label assigned to the port.
+			name: string
+
+			// A valid non-negative integer port number.
+			number: int
+
+			// The protocol exposed on the port.
+			protocol:    string
+			targetPort?: int
+		}
+
+		// Set of TLS related options that govern the server's behavior.
+		tls?: {
+			// REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
+			caCertificates?: string
+
+			// Optional: If specified, only support the specified cipher list.
+			cipherSuites?: [...string]
+
+			// For gateways running on Kubernetes, the name of the secret that
+			// holds the TLS certs including the CA certificates.
+			credentialName?: string
+
+			// If set to true, the load balancer will send a 301 redirect for
+			// all http connections, asking the clients to use HTTPS.
+			httpsRedirect?: bool
+
+			// Optional: Maximum TLS protocol version.
+			maxProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
+
+			// Optional: Minimum TLS protocol version.
+			minProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
+
+			// Optional: Indicates whether connections to this port should be
+			// secured using TLS.
+			mode?: "PASSTHROUGH" | "SIMPLE" | "MUTUAL" | "AUTO_PASSTHROUGH" | "ISTIO_MUTUAL" | "OPTIONAL_MUTUAL"
+
+			// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+			privateKey?: string
+
+			// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+			serverCertificate?: string
+
+			// A list of alternate names to verify the subject identity in the
+			// certificate presented by the client.
+			subjectAltNames?: [...string]
+
+			// An optional list of hex-encoded SHA-256 hashes of the
+			// authorized client certificates.
+			verifyCertificateHash?: [...string]
+
+			// An optional list of base64-encoded SHA-256 hashes of the SPKIs
+			// of authorized client certificates.
+			verifyCertificateSpki?: [...string]
+		}
+	}]
+}

docs/examples/cue.mod/gen/networking.istio.io/proxyconfig/v1beta1/types_gen.cue

@@ -0,0 +1,54 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1beta1
+
+import "strings"
+
+#ProxyConfig: {
+	// Provides configuration for individual workloads. See more
+	// details at:
+	// https://istio.io/docs/reference/config/networking/proxy-config.html
+	spec!:      #ProxyConfigSpec
+	apiVersion: "networking.istio.io/v1beta1"
+	kind:       "ProxyConfig"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Provides configuration for individual workloads. See more
+// details at:
+// https://istio.io/docs/reference/config/networking/proxy-config.html
+#ProxyConfigSpec: {
+	// The number of worker threads to run.
+	concurrency?: null | int
+
+	// Additional environment variables for the proxy.
+	environmentVariables?: {
+		[string]: string
+	}
+	image?: {
+		// The image type of the image.
+		imageType?: string
+	}
+	selector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which a policy should be applied.
+		matchLabels?: {
+			[string]: string
+		}
+	}
+}

docs/examples/cue.mod/gen/networking.istio.io/serviceentry/v1alpha3/types_gen.cue

@@ -0,0 +1,107 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1alpha3
+
+import "strings"
+
+#ServiceEntry: {
+	// Configuration affecting service registry. See more details at:
+	// https://istio.io/docs/reference/config/networking/service-entry.html
+	spec!:      #ServiceEntrySpec
+	apiVersion: "networking.istio.io/v1alpha3"
+	kind:       "ServiceEntry"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting service registry. See more details at:
+// https://istio.io/docs/reference/config/networking/service-entry.html
+#ServiceEntrySpec: {
+	// The virtual IP addresses associated with the service.
+	addresses?: [...string]
+
+	// One or more endpoints associated with the service.
+	endpoints?: [...{
+		// Address associated with the network endpoint without the port.
+		address?: string
+
+		// One or more labels associated with the endpoint.
+		labels?: {
+			[string]: string
+		}
+
+		// The locality associated with the endpoint.
+		locality?: string
+
+		// Network enables Istio to group endpoints resident in the same
+		// L3 domain/network.
+		network?: string
+
+		// Set of ports associated with the endpoint.
+		ports?: {
+			[string]: int
+		}
+
+		// The service account associated with the workload if a sidecar
+		// is present in the workload.
+		serviceAccount?: string
+
+		// The load balancing weight associated with the endpoint.
+		weight?: int
+	}]
+
+	// A list of namespaces to which this service is exported.
+	exportTo?: [...string]
+
+	// The hosts associated with the ServiceEntry.
+	hosts: [...string]
+
+	// Specify whether the service should be considered external to
+	// the mesh or part of the mesh.
+	location?: "MESH_EXTERNAL" | "MESH_INTERNAL"
+
+	// The ports associated with the external service.
+	ports?: [...{
+		// Label assigned to the port.
+		name: string
+
+		// A valid non-negative integer port number.
+		number: int
+
+		// The protocol exposed on the port.
+		protocol?: string
+
+		// The port number on the endpoint where the traffic will be
+		// received.
+		targetPort?: int
+	}]
+
+	// Service resolution mode for the hosts.
+	resolution?: "NONE" | "STATIC" | "DNS" | "DNS_ROUND_ROBIN"
+
+	// If specified, the proxy will verify that the server
+	// certificate's subject alternate name matches one of the
+	// specified values.
+	subjectAltNames?: [...string]
+	workloadSelector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which the configuration should be applied.
+		labels?: {
+			[string]: string
+		}
+	}
+}

docs/examples/cue.mod/gen/networking.istio.io/serviceentry/v1beta1/types_gen.cue

@@ -0,0 +1,107 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1beta1
+
+import "strings"
+
+#ServiceEntry: {
+	// Configuration affecting service registry. See more details at:
+	// https://istio.io/docs/reference/config/networking/service-entry.html
+	spec!:      #ServiceEntrySpec
+	apiVersion: "networking.istio.io/v1beta1"
+	kind:       "ServiceEntry"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting service registry. See more details at:
+// https://istio.io/docs/reference/config/networking/service-entry.html
+#ServiceEntrySpec: {
+	// The virtual IP addresses associated with the service.
+	addresses?: [...string]
+
+	// One or more endpoints associated with the service.
+	endpoints?: [...{
+		// Address associated with the network endpoint without the port.
+		address?: string
+
+		// One or more labels associated with the endpoint.
+		labels?: {
+			[string]: string
+		}
+
+		// The locality associated with the endpoint.
+		locality?: string
+
+		// Network enables Istio to group endpoints resident in the same
+		// L3 domain/network.
+		network?: string
+
+		// Set of ports associated with the endpoint.
+		ports?: {
+			[string]: int
+		}
+
+		// The service account associated with the workload if a sidecar
+		// is present in the workload.
+		serviceAccount?: string
+
+		// The load balancing weight associated with the endpoint.
+		weight?: int
+	}]
+
+	// A list of namespaces to which this service is exported.
+	exportTo?: [...string]
+
+	// The hosts associated with the ServiceEntry.
+	hosts: [...string]
+
+	// Specify whether the service should be considered external to
+	// the mesh or part of the mesh.
+	location?: "MESH_EXTERNAL" | "MESH_INTERNAL"
+
+	// The ports associated with the external service.
+	ports?: [...{
+		// Label assigned to the port.
+		name: string
+
+		// A valid non-negative integer port number.
+		number: int
+
+		// The protocol exposed on the port.
+		protocol?: string
+
+		// The port number on the endpoint where the traffic will be
+		// received.
+		targetPort?: int
+	}]
+
+	// Service resolution mode for the hosts.
+	resolution?: "NONE" | "STATIC" | "DNS" | "DNS_ROUND_ROBIN"
+
+	// If specified, the proxy will verify that the server
+	// certificate's subject alternate name matches one of the
+	// specified values.
+	subjectAltNames?: [...string]
+	workloadSelector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which the configuration should be applied.
+		labels?: {
+			[string]: string
+		}
+	}
+}

docs/examples/cue.mod/gen/networking.istio.io/sidecar/v1alpha3/types_gen.cue

@@ -0,0 +1,280 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1alpha3
+
+import "strings"
+
+#Sidecar: {
+	// Configuration affecting network reachability of a sidecar. See
+	// more details at:
+	// https://istio.io/docs/reference/config/networking/sidecar.html
+	spec!:      #SidecarSpec
+	apiVersion: "networking.istio.io/v1alpha3"
+	kind:       "Sidecar"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting network reachability of a sidecar. See
+// more details at:
+// https://istio.io/docs/reference/config/networking/sidecar.html
+#SidecarSpec: {
+	// Egress specifies the configuration of the sidecar for
+	// processing outbound traffic from the attached workload
+	// instance to other services in the mesh.
+	egress?: [...{
+		// The IP(IPv4 or IPv6) or the Unix domain socket to which the
+		// listener should be bound to.
+		bind?: string
+
+		// When the bind address is an IP, the captureMode option dictates
+		// how traffic to the listener is expected to be captured (or
+		// not).
+		captureMode?: "DEFAULT" | "IPTABLES" | "NONE"
+
+		// One or more service hosts exposed by the listener in
+		// `namespace/dnsName` format.
+		hosts: [...string]
+
+		// The port associated with the listener.
+		port?: {
+			// Label assigned to the port.
+			name?: string
+
+			// A valid non-negative integer port number.
+			number?: int
+
+			// The protocol exposed on the port.
+			protocol?:   string
+			targetPort?: int
+		}
+	}]
+
+	// Settings controlling the volume of connections Envoy will
+	// accept from the network.
+	inboundConnectionPool?: {
+		// HTTP connection pool settings.
+		http?: {
+			// Specify if http1.1 connection should be upgraded to http2 for
+			// the associated destination.
+			h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
+
+			// Maximum number of requests that will be queued while waiting
+			// for a ready connection pool connection.
+			http1MaxPendingRequests?: int
+
+			// Maximum number of active requests to a destination.
+			http2MaxRequests?: int
+
+			// The idle timeout for upstream connection pool connections.
+			idleTimeout?: string
+
+			// Maximum number of requests per connection to a backend.
+			maxRequestsPerConnection?: int
+
+			// Maximum number of retries that can be outstanding to all hosts
+			// in a cluster at a given time.
+			maxRetries?: int
+
+			// If set to true, client protocol will be preserved while
+			// initiating connection to backend.
+			useClientProtocol?: bool
+		}
+
+		// Settings common to both HTTP and TCP upstream connections.
+		tcp?: {
+			// TCP connection timeout.
+			connectTimeout?: string
+
+			// The maximum duration of a connection.
+			maxConnectionDuration?: string
+
+			// Maximum number of HTTP1 /TCP connections to a destination host.
+			maxConnections?: int
+
+			// If set then set SO_KEEPALIVE on the socket to enable TCP
+			// Keepalives.
+			tcpKeepalive?: {
+				// The time duration between keep-alive probes.
+				interval?: string
+
+				// Maximum number of keepalive probes to send without response
+				// before deciding the connection is dead.
+				probes?: int
+
+				// The time duration a connection needs to be idle before
+				// keep-alive probes start being sent.
+				time?: string
+			}
+		}
+	}
+
+	// Ingress specifies the configuration of the sidecar for
+	// processing inbound traffic to the attached workload instance.
+	ingress?: [...{
+		// The IP(IPv4 or IPv6) to which the listener should be bound.
+		bind?: string
+
+		// The captureMode option dictates how traffic to the listener is
+		// expected to be captured (or not).
+		captureMode?: "DEFAULT" | "IPTABLES" | "NONE"
+
+		// Settings controlling the volume of connections Envoy will
+		// accept from the network.
+		connectionPool?: {
+			// HTTP connection pool settings.
+			http?: {
+				// Specify if http1.1 connection should be upgraded to http2 for
+				// the associated destination.
+				h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
+
+				// Maximum number of requests that will be queued while waiting
+				// for a ready connection pool connection.
+				http1MaxPendingRequests?: int
+
+				// Maximum number of active requests to a destination.
+				http2MaxRequests?: int
+
+				// The idle timeout for upstream connection pool connections.
+				idleTimeout?: string
+
+				// Maximum number of requests per connection to a backend.
+				maxRequestsPerConnection?: int
+
+				// Maximum number of retries that can be outstanding to all hosts
+				// in a cluster at a given time.
+				maxRetries?: int
+
+				// If set to true, client protocol will be preserved while
+				// initiating connection to backend.
+				useClientProtocol?: bool
+			}
+
+			// Settings common to both HTTP and TCP upstream connections.
+			tcp?: {
+				// TCP connection timeout.
+				connectTimeout?: string
+
+				// The maximum duration of a connection.
+				maxConnectionDuration?: string
+
+				// Maximum number of HTTP1 /TCP connections to a destination host.
+				maxConnections?: int
+
+				// If set then set SO_KEEPALIVE on the socket to enable TCP
+				// Keepalives.
+				tcpKeepalive?: {
+					// The time duration between keep-alive probes.
+					interval?: string
+
+					// Maximum number of keepalive probes to send without response
+					// before deciding the connection is dead.
+					probes?: int
+
+					// The time duration a connection needs to be idle before
+					// keep-alive probes start being sent.
+					time?: string
+				}
+			}
+		}
+
+		// The IP endpoint or Unix domain socket to which traffic should
+		// be forwarded to.
+		defaultEndpoint?: string
+
+		// The port associated with the listener.
+		port: {
+			// Label assigned to the port.
+			name?: string
+
+			// A valid non-negative integer port number.
+			number?: int
+
+			// The protocol exposed on the port.
+			protocol?:   string
+			targetPort?: int
+		}
+
+		// Set of TLS related options that will enable TLS termination on
+		// the sidecar for requests originating from outside the mesh.
+		tls?: {
+			// REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
+			caCertificates?: string
+
+			// Optional: If specified, only support the specified cipher list.
+			cipherSuites?: [...string]
+
+			// For gateways running on Kubernetes, the name of the secret that
+			// holds the TLS certs including the CA certificates.
+			credentialName?: string
+
+			// If set to true, the load balancer will send a 301 redirect for
+			// all http connections, asking the clients to use HTTPS.
+			httpsRedirect?: bool
+
+			// Optional: Maximum TLS protocol version.
+			maxProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
+
+			// Optional: Minimum TLS protocol version.
+			minProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
+
+			// Optional: Indicates whether connections to this port should be
+			// secured using TLS.
+			mode?: "PASSTHROUGH" | "SIMPLE" | "MUTUAL" | "AUTO_PASSTHROUGH" | "ISTIO_MUTUAL" | "OPTIONAL_MUTUAL"
+
+			// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+			privateKey?: string
+
+			// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+			serverCertificate?: string
+
+			// A list of alternate names to verify the subject identity in the
+			// certificate presented by the client.
+			subjectAltNames?: [...string]
+
+			// An optional list of hex-encoded SHA-256 hashes of the
+			// authorized client certificates.
+			verifyCertificateHash?: [...string]
+
+			// An optional list of base64-encoded SHA-256 hashes of the SPKIs
+			// of authorized client certificates.
+			verifyCertificateSpki?: [...string]
+		}
+	}]
+
+	// Configuration for the outbound traffic policy.
+	outboundTrafficPolicy?: {
+		egressProxy?: {
+			// The name of a service from the service registry.
+			host: string
+			port?: {
+				number?: int
+			}
+
+			// The name of a subset within the service.
+			subset?: string
+		}
+		mode?: "REGISTRY_ONLY" | "ALLOW_ANY"
+	}
+	workloadSelector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which the configuration should be applied.
+		labels?: {
+			[string]: string
+		}
+	}
+}

docs/examples/cue.mod/gen/networking.istio.io/sidecar/v1beta1/types_gen.cue

@@ -0,0 +1,280 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1beta1
+
+import "strings"
+
+#Sidecar: {
+	// Configuration affecting network reachability of a sidecar. See
+	// more details at:
+	// https://istio.io/docs/reference/config/networking/sidecar.html
+	spec!:      #SidecarSpec
+	apiVersion: "networking.istio.io/v1beta1"
+	kind:       "Sidecar"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting network reachability of a sidecar. See
+// more details at:
+// https://istio.io/docs/reference/config/networking/sidecar.html
+#SidecarSpec: {
+	// Egress specifies the configuration of the sidecar for
+	// processing outbound traffic from the attached workload
+	// instance to other services in the mesh.
+	egress?: [...{
+		// The IP(IPv4 or IPv6) or the Unix domain socket to which the
+		// listener should be bound to.
+		bind?: string
+
+		// When the bind address is an IP, the captureMode option dictates
+		// how traffic to the listener is expected to be captured (or
+		// not).
+		captureMode?: "DEFAULT" | "IPTABLES" | "NONE"
+
+		// One or more service hosts exposed by the listener in
+		// `namespace/dnsName` format.
+		hosts: [...string]
+
+		// The port associated with the listener.
+		port?: {
+			// Label assigned to the port.
+			name?: string
+
+			// A valid non-negative integer port number.
+			number?: int
+
+			// The protocol exposed on the port.
+			protocol?:   string
+			targetPort?: int
+		}
+	}]
+
+	// Settings controlling the volume of connections Envoy will
+	// accept from the network.
+	inboundConnectionPool?: {
+		// HTTP connection pool settings.
+		http?: {
+			// Specify if http1.1 connection should be upgraded to http2 for
+			// the associated destination.
+			h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
+
+			// Maximum number of requests that will be queued while waiting
+			// for a ready connection pool connection.
+			http1MaxPendingRequests?: int
+
+			// Maximum number of active requests to a destination.
+			http2MaxRequests?: int
+
+			// The idle timeout for upstream connection pool connections.
+			idleTimeout?: string
+
+			// Maximum number of requests per connection to a backend.
+			maxRequestsPerConnection?: int
+
+			// Maximum number of retries that can be outstanding to all hosts
+			// in a cluster at a given time.
+			maxRetries?: int
+
+			// If set to true, client protocol will be preserved while
+			// initiating connection to backend.
+			useClientProtocol?: bool
+		}
+
+		// Settings common to both HTTP and TCP upstream connections.
+		tcp?: {
+			// TCP connection timeout.
+			connectTimeout?: string
+
+			// The maximum duration of a connection.
+			maxConnectionDuration?: string
+
+			// Maximum number of HTTP1 /TCP connections to a destination host.
+			maxConnections?: int
+
+			// If set then set SO_KEEPALIVE on the socket to enable TCP
+			// Keepalives.
+			tcpKeepalive?: {
+				// The time duration between keep-alive probes.
+				interval?: string
+
+				// Maximum number of keepalive probes to send without response
+				// before deciding the connection is dead.
+				probes?: int
+
+				// The time duration a connection needs to be idle before
+				// keep-alive probes start being sent.
+				time?: string
+			}
+		}
+	}
+
+	// Ingress specifies the configuration of the sidecar for
+	// processing inbound traffic to the attached workload instance.
+	ingress?: [...{
+		// The IP(IPv4 or IPv6) to which the listener should be bound.
+		bind?: string
+
+		// The captureMode option dictates how traffic to the listener is
+		// expected to be captured (or not).
+		captureMode?: "DEFAULT" | "IPTABLES" | "NONE"
+
+		// Settings controlling the volume of connections Envoy will
+		// accept from the network.
+		connectionPool?: {
+			// HTTP connection pool settings.
+			http?: {
+				// Specify if http1.1 connection should be upgraded to http2 for
+				// the associated destination.
+				h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
+
+				// Maximum number of requests that will be queued while waiting
+				// for a ready connection pool connection.
+				http1MaxPendingRequests?: int
+
+				// Maximum number of active requests to a destination.
+				http2MaxRequests?: int
+
+				// The idle timeout for upstream connection pool connections.
+				idleTimeout?: string
+
+				// Maximum number of requests per connection to a backend.
+				maxRequestsPerConnection?: int
+
+				// Maximum number of retries that can be outstanding to all hosts
+				// in a cluster at a given time.
+				maxRetries?: int
+
+				// If set to true, client protocol will be preserved while
+				// initiating connection to backend.
+				useClientProtocol?: bool
+			}
+
+			// Settings common to both HTTP and TCP upstream connections.
+			tcp?: {
+				// TCP connection timeout.
+				connectTimeout?: string
+
+				// The maximum duration of a connection.
+				maxConnectionDuration?: string
+
+				// Maximum number of HTTP1 /TCP connections to a destination host.
+				maxConnections?: int
+
+				// If set then set SO_KEEPALIVE on the socket to enable TCP
+				// Keepalives.
+				tcpKeepalive?: {
+					// The time duration between keep-alive probes.
+					interval?: string
+
+					// Maximum number of keepalive probes to send without response
+					// before deciding the connection is dead.
+					probes?: int
+
+					// The time duration a connection needs to be idle before
+					// keep-alive probes start being sent.
+					time?: string
+				}
+			}
+		}
+
+		// The IP endpoint or Unix domain socket to which traffic should
+		// be forwarded to.
+		defaultEndpoint?: string
+
+		// The port associated with the listener.
+		port: {
+			// Label assigned to the port.
+			name?: string
+
+			// A valid non-negative integer port number.
+			number?: int
+
+			// The protocol exposed on the port.
+			protocol?:   string
+			targetPort?: int
+		}
+
+		// Set of TLS related options that will enable TLS termination on
+		// the sidecar for requests originating from outside the mesh.
+		tls?: {
+			// REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
+			caCertificates?: string
+
+			// Optional: If specified, only support the specified cipher list.
+			cipherSuites?: [...string]
+
+			// For gateways running on Kubernetes, the name of the secret that
+			// holds the TLS certs including the CA certificates.
+			credentialName?: string
+
+			// If set to true, the load balancer will send a 301 redirect for
+			// all http connections, asking the clients to use HTTPS.
+			httpsRedirect?: bool
+
+			// Optional: Maximum TLS protocol version.
+			maxProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
+
+			// Optional: Minimum TLS protocol version.
+			minProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
+
+			// Optional: Indicates whether connections to this port should be
+			// secured using TLS.
+			mode?: "PASSTHROUGH" | "SIMPLE" | "MUTUAL" | "AUTO_PASSTHROUGH" | "ISTIO_MUTUAL" | "OPTIONAL_MUTUAL"
+
+			// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+			privateKey?: string
+
+			// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+			serverCertificate?: string
+
+			// A list of alternate names to verify the subject identity in the
+			// certificate presented by the client.
+			subjectAltNames?: [...string]
+
+			// An optional list of hex-encoded SHA-256 hashes of the
+			// authorized client certificates.
+			verifyCertificateHash?: [...string]
+
+			// An optional list of base64-encoded SHA-256 hashes of the SPKIs
+			// of authorized client certificates.
+			verifyCertificateSpki?: [...string]
+		}
+	}]
+
+	// Configuration for the outbound traffic policy.
+	outboundTrafficPolicy?: {
+		egressProxy?: {
+			// The name of a service from the service registry.
+			host: string
+			port?: {
+				number?: int
+			}
+
+			// The name of a subset within the service.
+			subset?: string
+		}
+		mode?: "REGISTRY_ONLY" | "ALLOW_ANY"
+	}
+	workloadSelector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which the configuration should be applied.
+		labels?: {
+			[string]: string
+		}
+	}
+}

docs/examples/cue.mod/gen/networking.istio.io/virtualservice/v1alpha3/types_gen.cue

@@ -0,0 +1,594 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1alpha3
+
+import "strings"
+
+#VirtualService: {
+	// Configuration affecting label/content routing, sni routing,
+	// etc. See more details at:
+	// https://istio.io/docs/reference/config/networking/virtual-service.html
+	spec!:      #VirtualServiceSpec
+	apiVersion: "networking.istio.io/v1alpha3"
+	kind:       "VirtualService"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting label/content routing, sni routing,
+// etc. See more details at:
+// https://istio.io/docs/reference/config/networking/virtual-service.html
+#VirtualServiceSpec: {
+	// A list of namespaces to which this virtual service is exported.
+	exportTo?: [...string]
+
+	// The names of gateways and sidecars that should apply these
+	// routes.
+	gateways?: [...string]
+
+	// The destination hosts to which traffic is being sent.
+	hosts?: [...string]
+
+	// An ordered list of route rules for HTTP traffic.
+	http?: [...{
+		// Cross-Origin Resource Sharing policy (CORS).
+		corsPolicy?: {
+			// Indicates whether the caller is allowed to send the actual
+			// request (not the preflight) using credentials.
+			allowCredentials?: null | bool
+
+			// List of HTTP headers that can be used when requesting the
+			// resource.
+			allowHeaders?: [...string]
+
+			// List of HTTP methods allowed to access the resource.
+			allowMethods?: [...string]
+			allowOrigin?: [...string]
+
+			// String patterns that match allowed origins.
+			allowOrigins?: [...({} | {
+				exact: _
+			} | {
+				prefix: _
+			} | {
+				regex: _
+			}) & {
+				exact?:  string
+				prefix?: string
+
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				regex?: string
+			}]
+
+			// A list of HTTP headers that the browsers are allowed to access.
+			exposeHeaders?: [...string]
+
+			// Specifies how long the results of a preflight request can be
+			// cached.
+			maxAge?: string
+		}
+
+		// Delegate is used to specify the particular VirtualService which
+		// can be used to define delegate HTTPRoute.
+		delegate?: {
+			// Name specifies the name of the delegate VirtualService.
+			name?: string
+
+			// Namespace specifies the namespace where the delegate
+			// VirtualService resides.
+			namespace?: string
+		}
+
+		// A HTTP rule can either return a direct_response, redirect or
+		// forward (default) traffic.
+		directResponse?: {
+			// Specifies the content of the response body.
+			body?: ({} | {
+				string: _
+			} | {
+				bytes: _
+			}) & {
+				// response body as base64 encoded bytes.
+				bytes?:  string
+				string?: string
+			}
+
+			// Specifies the HTTP response status to be returned.
+			status: int
+		}
+
+		// Fault injection policy to apply on HTTP traffic at the client
+		// side.
+		fault?: {
+			// Abort Http request attempts and return error codes back to
+			// downstream service, giving the impression that the upstream
+			// service is faulty.
+			abort?: ({} | {
+				httpStatus: _
+			} | {
+				grpcStatus: _
+			} | {
+				http2Error: _
+			}) & {
+				// GRPC status code to use to abort the request.
+				grpcStatus?: string
+				http2Error?: string
+
+				// HTTP status code to use to abort the Http request.
+				httpStatus?: int
+				percentage?: {
+					value?: number
+				}
+			}
+
+			// Delay requests before forwarding, emulating various failures
+			// such as network issues, overloaded upstream service, etc.
+			delay?: ({} | {
+				fixedDelay: _
+			} | {
+				exponentialDelay: _
+			}) & {
+				exponentialDelay?: string
+
+				// Add a fixed delay before forwarding the request.
+				fixedDelay?: string
+
+				// Percentage of requests on which the delay will be injected
+				// (0-100).
+				percent?: int
+				percentage?: {
+					value?: number
+				}
+			}
+		}
+		headers?: {
+			request?: {
+				add?: {
+					[string]: string
+				}
+				remove?: [...string]
+				set?: {
+					[string]: string
+				}
+			}
+			response?: {
+				add?: {
+					[string]: string
+				}
+				remove?: [...string]
+				set?: {
+					[string]: string
+				}
+			}
+		}
+
+		// Match conditions to be satisfied for the rule to be activated.
+		match?: [...{
+			// HTTP Authority values are case-sensitive and formatted as
+			// follows: - `exact: "value"` for exact string match - `prefix:
+			// "value"` for prefix-based match - `regex: "value"` for RE2
+			// style regex-based match
+			// (https://github.com/google/re2/wiki/Syntax).
+			authority?: ({} | {
+				exact: _
+			} | {
+				prefix: _
+			} | {
+				regex: _
+			}) & {
+				exact?:  string
+				prefix?: string
+
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				regex?: string
+			}
+
+			// Names of gateways where the rule should be applied.
+			gateways?: [...string]
+
+			// The header keys must be lowercase and use hyphen as the
+			// separator, e.g.
+			headers?: {
+				[string]: ({} | {
+					exact: _
+				} | {
+					prefix: _
+				} | {
+					regex: _
+				}) & {
+					exact?:  string
+					prefix?: string
+
+					// RE2 style regex-based match
+					// (https://github.com/google/re2/wiki/Syntax).
+					regex?: string
+				}
+			}
+
+			// Flag to specify whether the URI matching should be
+			// case-insensitive.
+			ignoreUriCase?: bool
+
+			// HTTP Method values are case-sensitive and formatted as follows:
+			// - `exact: "value"` for exact string match - `prefix: "value"`
+			// for prefix-based match - `regex: "value"` for RE2 style
+			// regex-based match (https://github.com/google/re2/wiki/Syntax).
+			method?: ({} | {
+				exact: _
+			} | {
+				prefix: _
+			} | {
+				regex: _
+			}) & {
+				exact?:  string
+				prefix?: string
+
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				regex?: string
+			}
+
+			// The name assigned to a match.
+			name?: string
+
+			// Specifies the ports on the host that is being addressed.
+			port?: int
+
+			// Query parameters for matching.
+			queryParams?: {
+				[string]: ({} | {
+					exact: _
+				} | {
+					prefix: _
+				} | {
+					regex: _
+				}) & {
+					exact?:  string
+					prefix?: string
+
+					// RE2 style regex-based match
+					// (https://github.com/google/re2/wiki/Syntax).
+					regex?: string
+				}
+			}
+
+			// URI Scheme values are case-sensitive and formatted as follows:
+			// - `exact: "value"` for exact string match - `prefix: "value"`
+			// for prefix-based match - `regex: "value"` for RE2 style
+			// regex-based match (https://github.com/google/re2/wiki/Syntax).
+			scheme?: ({} | {
+				exact: _
+			} | {
+				prefix: _
+			} | {
+				regex: _
+			}) & {
+				exact?:  string
+				prefix?: string
+
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				regex?: string
+			}
+
+			// One or more labels that constrain the applicability of a rule
+			// to source (client) workloads with the given labels.
+			sourceLabels?: {
+				[string]: string
+			}
+
+			// Source namespace constraining the applicability of a rule to
+			// workloads in that namespace.
+			sourceNamespace?: string
+
+			// The human readable prefix to use when emitting statistics for
+			// this route.
+			statPrefix?: string
+
+			// URI to match values are case-sensitive and formatted as
+			// follows: - `exact: "value"` for exact string match - `prefix:
+			// "value"` for prefix-based match - `regex: "value"` for RE2
+			// style regex-based match
+			// (https://github.com/google/re2/wiki/Syntax).
+			uri?: ({} | {
+				exact: _
+			} | {
+				prefix: _
+			} | {
+				regex: _
+			}) & {
+				exact?:  string
+				prefix?: string
+
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				regex?: string
+			}
+
+			// withoutHeader has the same syntax with the header, but has
+			// opposite meaning.
+			withoutHeaders?: {
+				[string]: ({} | {
+					exact: _
+				} | {
+					prefix: _
+				} | {
+					regex: _
+				}) & {
+					exact?:  string
+					prefix?: string
+
+					// RE2 style regex-based match
+					// (https://github.com/google/re2/wiki/Syntax).
+					regex?: string
+				}
+			}
+		}]
+
+		// Mirror HTTP traffic to a another destination in addition to
+		// forwarding the requests to the intended destination.
+		mirror?: {
+			// The name of a service from the service registry.
+			host: string
+			port?: {
+				number?: int
+			}
+
+			// The name of a subset within the service.
+			subset?: string
+		}
+		mirror_percent?: null | int
+		mirrorPercent?:  null | int
+		mirrorPercentage?: {
+			value?: number
+		}
+
+		// Specifies the destinations to mirror HTTP traffic in addition
+		// to the original destination.
+		mirrors?: [...{
+			// Destination specifies the target of the mirror operation.
+			destination: {
+				// The name of a service from the service registry.
+				host: string
+				port?: {
+					number?: int
+				}
+
+				// The name of a subset within the service.
+				subset?: string
+			}
+			percentage?: {
+				value?: number
+			}
+		}]
+
+		// The name assigned to the route for debugging purposes.
+		name?: string
+
+		// A HTTP rule can either return a direct_response, redirect or
+		// forward (default) traffic.
+		redirect?: ({} | {
+			port: _
+		} | {
+			derivePort: _
+		}) & {
+			// On a redirect, overwrite the Authority/Host portion of the URL
+			// with this value.
+			authority?: string
+
+			// On a redirect, dynamically set the port: *
+			// FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and
+			// 443 for HTTPS.
+			derivePort?: "FROM_PROTOCOL_DEFAULT" | "FROM_REQUEST_PORT"
+
+			// On a redirect, overwrite the port portion of the URL with this
+			// value.
+			port?: int
+
+			// On a redirect, Specifies the HTTP status code to use in the
+			// redirect response.
+			redirectCode?: int
+
+			// On a redirect, overwrite the scheme portion of the URL with
+			// this value.
+			scheme?: string
+
+			// On a redirect, overwrite the Path portion of the URL with this
+			// value.
+			uri?: string
+		}
+
+		// Retry policy for HTTP requests.
+		retries?: {
+			// Number of retries to be allowed for a given request.
+			attempts?: int
+
+			// Timeout per attempt for a given request, including the initial
+			// call and any retries.
+			perTryTimeout?: string
+
+			// Specifies the conditions under which retry takes place.
+			retryOn?: string
+
+			// Flag to specify whether the retries should retry to other
+			// localities.
+			retryRemoteLocalities?: null | bool
+		}
+
+		// Rewrite HTTP URIs and Authority headers.
+		rewrite?: {
+			// rewrite the Authority/Host header with this value.
+			authority?: string
+
+			// rewrite the path (or the prefix) portion of the URI with this
+			// value.
+			uri?: string
+
+			// rewrite the path portion of the URI with the specified regex.
+			uriRegexRewrite?: {
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				match?: string
+
+				// The string that should replace into matching portions of
+				// original URI.
+				rewrite?: string
+			}
+		}
+
+		// A HTTP rule can either return a direct_response, redirect or
+		// forward (default) traffic.
+		route?: [...{
+			// Destination uniquely identifies the instances of a service to
+			// which the request/connection should be forwarded to.
+			destination: {
+				// The name of a service from the service registry.
+				host: string
+				port?: {
+					number?: int
+				}
+
+				// The name of a subset within the service.
+				subset?: string
+			}
+			headers?: {
+				request?: {
+					add?: {
+						[string]: string
+					}
+					remove?: [...string]
+					set?: {
+						[string]: string
+					}
+				}
+				response?: {
+					add?: {
+						[string]: string
+					}
+					remove?: [...string]
+					set?: {
+						[string]: string
+					}
+				}
+			}
+
+			// Weight specifies the relative proportion of traffic to be
+			// forwarded to the destination.
+			weight?: int
+		}]
+
+		// Timeout for HTTP requests, default is disabled.
+		timeout?: string
+	}]
+
+	// An ordered list of route rules for opaque TCP traffic.
+	tcp?: [...{
+		// Match conditions to be satisfied for the rule to be activated.
+		match?: [...{
+			// IPv4 or IPv6 ip addresses of destination with optional subnet.
+			destinationSubnets?: [...string]
+
+			// Names of gateways where the rule should be applied.
+			gateways?: [...string]
+
+			// Specifies the port on the host that is being addressed.
+			port?: int
+
+			// One or more labels that constrain the applicability of a rule
+			// to workloads with the given labels.
+			sourceLabels?: {
+				[string]: string
+			}
+
+			// Source namespace constraining the applicability of a rule to
+			// workloads in that namespace.
+			sourceNamespace?: string
+			sourceSubnet?:    string
+		}]
+
+		// The destination to which the connection should be forwarded to.
+		route?: [...{
+			// Destination uniquely identifies the instances of a service to
+			// which the request/connection should be forwarded to.
+			destination: {
+				// The name of a service from the service registry.
+				host: string
+				port?: {
+					number?: int
+				}
+
+				// The name of a subset within the service.
+				subset?: string
+			}
+
+			// Weight specifies the relative proportion of traffic to be
+			// forwarded to the destination.
+			weight?: int
+		}]
+	}]
+
+	// An ordered list of route rule for non-terminated TLS & HTTPS
+	// traffic.
+	tls?: [...{
+		// Match conditions to be satisfied for the rule to be activated.
+		match: [...{
+			// IPv4 or IPv6 ip addresses of destination with optional subnet.
+			destinationSubnets?: [...string]
+
+			// Names of gateways where the rule should be applied.
+			gateways?: [...string]
+
+			// Specifies the port on the host that is being addressed.
+			port?: int
+
+			// SNI (server name indicator) to match on.
+			sniHosts: [...string]
+
+			// One or more labels that constrain the applicability of a rule
+			// to workloads with the given labels.
+			sourceLabels?: {
+				[string]: string
+			}
+
+			// Source namespace constraining the applicability of a rule to
+			// workloads in that namespace.
+			sourceNamespace?: string
+		}]
+
+		// The destination to which the connection should be forwarded to.
+		route?: [...{
+			// Destination uniquely identifies the instances of a service to
+			// which the request/connection should be forwarded to.
+			destination: {
+				// The name of a service from the service registry.
+				host: string
+				port?: {
+					number?: int
+				}
+
+				// The name of a subset within the service.
+				subset?: string
+			}
+
+			// Weight specifies the relative proportion of traffic to be
+			// forwarded to the destination.
+			weight?: int
+		}]
+	}]
+}

docs/examples/cue.mod/gen/networking.istio.io/virtualservice/v1beta1/types_gen.cue

@@ -0,0 +1,584 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1beta1
+
+import "strings"
+
+#VirtualService: {
+	// Configuration affecting label/content routing, sni routing,
+	// etc. See more details at:
+	// https://istio.io/docs/reference/config/networking/virtual-service.html
+	spec!:      #VirtualServiceSpec
+	apiVersion: "networking.istio.io/v1beta1"
+	kind:       "VirtualService"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting label/content routing, sni routing,
+// etc. See more details at:
+// https://istio.io/docs/reference/config/networking/virtual-service.html
+#VirtualServiceSpec: {
+	// A list of namespaces to which this virtual service is exported.
+	exportTo?: [...string]
+
+	// The names of gateways and sidecars that should apply these
+	// routes.
+	gateways?: [...string]
+
+	// The destination hosts to which traffic is being sent.
+	hosts?: [...string]
+
+	// An ordered list of route rules for HTTP traffic.
+	http?: [...{
+		// Cross-Origin Resource Sharing policy (CORS).
+		corsPolicy?: {
+			// Indicates whether the caller is allowed to send the actual
+			// request (not the preflight) using credentials.
+			allowCredentials?: null | bool
+
+			// List of HTTP headers that can be used when requesting the
+			// resource.
+			allowHeaders?: [...string]
+
+			// List of HTTP methods allowed to access the resource.
+			allowMethods?: [...string]
+			allowOrigin?: [...string]
+
+			// String patterns that match allowed origins.
+			allowOrigins?: [...({} | {
+				exact: _
+			} | {
+				prefix: _
+			} | {
+				regex: _
+			}) & {
+				exact?:  string
+				prefix?: string
+
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				regex?: string
+			}]
+
+			// A list of HTTP headers that the browsers are allowed to access.
+			exposeHeaders?: [...string]
+
+			// Specifies how long the results of a preflight request can be
+			// cached.
+			maxAge?: string
+		}
+
+		// Delegate is used to specify the particular VirtualService which
+		// can be used to define delegate HTTPRoute.
+		delegate?: {
+			// Name specifies the name of the delegate VirtualService.
+			name?: string
+
+			// Namespace specifies the namespace where the delegate
+			// VirtualService resides.
+			namespace?: string
+		}
+
+		// A HTTP rule can either return a direct_response, redirect or
+		// forward (default) traffic.
+		directResponse?: {
+			// Specifies the content of the response body.
+			body?: ({} | {
+				string: _
+			} | {
+				bytes: _
+			}) & {
+				// response body as base64 encoded bytes.
+				bytes?:  string
+				string?: string
+			}
+
+			// Specifies the HTTP response status to be returned.
+			status: int
+		}
+
+		// Fault injection policy to apply on HTTP traffic at the client
+		// side.
+		fault?: {
+			// Abort Http request attempts and return error codes back to
+			// downstream service, giving the impression that the upstream
+			// service is faulty.
+			abort?: ({} | {
+				httpStatus: _
+			} | {
+				grpcStatus: _
+			} | {
+				http2Error: _
+			}) & {
+				// GRPC status code to use to abort the request.
+				grpcStatus?: string
+				http2Error?: string
+
+				// HTTP status code to use to abort the Http request.
+				httpStatus?: int
+				percentage?: {
+					value?: number
+				}
+			}
+
+			// Delay requests before forwarding, emulating various failures
+			// such as network issues, overloaded upstream service, etc.
+			delay?: ({} | {
+				fixedDelay: _
+			} | {
+				exponentialDelay: _
+			}) & {
+				exponentialDelay?: string
+
+				// Add a fixed delay before forwarding the request.
+				fixedDelay?: string
+
+				// Percentage of requests on which the delay will be injected
+				// (0-100).
+				percent?: int
+				percentage?: {
+					value?: number
+				}
+			}
+		}
+		headers?: {
+			request?: {
+				add?: {
+					[string]: string
+				}
+				remove?: [...string]
+				set?: {
+					[string]: string
+				}
+			}
+			response?: {
+				add?: {
+					[string]: string
+				}
+				remove?: [...string]
+				set?: {
+					[string]: string
+				}
+			}
+		}
+
+		// Match conditions to be satisfied for the rule to be activated.
+		match?: [...{
+			// HTTP Authority values are case-sensitive and formatted as
+			// follows: - `exact: "value"` for exact string match - `prefix:
+			// "value"` for prefix-based match - `regex: "value"` for RE2
+			// style regex-based match
+			// (https://github.com/google/re2/wiki/Syntax).
+			authority?: ({} | {
+				exact: _
+			} | {
+				prefix: _
+			} | {
+				regex: _
+			}) & {
+				exact?:  string
+				prefix?: string
+
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				regex?: string
+			}
+
+			// Names of gateways where the rule should be applied.
+			gateways?: [...string]
+
+			// The header keys must be lowercase and use hyphen as the
+			// separator, e.g.
+			headers?: {
+				[string]: ({} | {
+					exact: _
+				} | {
+					prefix: _
+				} | {
+					regex: _
+				}) & {
+					exact?:  string
+					prefix?: string
+
+					// RE2 style regex-based match
+					// (https://github.com/google/re2/wiki/Syntax).
+					regex?: string
+				}
+			}
+
+			// Flag to specify whether the URI matching should be
+			// case-insensitive.
+			ignoreUriCase?: bool
+
+			// HTTP Method values are case-sensitive and formatted as follows:
+			// - `exact: "value"` for exact string match - `prefix: "value"`
+			// for prefix-based match - `regex: "value"` for RE2 style
+			// regex-based match (https://github.com/google/re2/wiki/Syntax).
+			method?: ({} | {
+				exact: _
+			} | {
+				prefix: _
+			} | {
+				regex: _
+			}) & {
+				exact?:  string
+				prefix?: string
+
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				regex?: string
+			}
+
+			// The name assigned to a match.
+			name?: string
+
+			// Specifies the ports on the host that is being addressed.
+			port?: int
+
+			// Query parameters for matching.
+			queryParams?: {
+				[string]: ({} | {
+					exact: _
+				} | {
+					prefix: _
+				} | {
+					regex: _
+				}) & {
+					exact?:  string
+					prefix?: string
+
+					// RE2 style regex-based match
+					// (https://github.com/google/re2/wiki/Syntax).
+					regex?: string
+				}
+			}
+
+			// URI Scheme values are case-sensitive and formatted as follows:
+			// - `exact: "value"` for exact string match - `prefix: "value"`
+			// for prefix-based match - `regex: "value"` for RE2 style
+			// regex-based match (https://github.com/google/re2/wiki/Syntax).
+			scheme?: ({} | {
+				exact: _
+			} | {
+				prefix: _
+			} | {
+				regex: _
+			}) & {
+				exact?:  string
+				prefix?: string
+
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				regex?: string
+			}
+
+			// One or more labels that constrain the applicability of a rule
+			// to source (client) workloads with the given labels.
+			sourceLabels?: {
+				[string]: string
+			}
+
+			// Source namespace constraining the applicability of a rule to
+			// workloads in that namespace.
+			sourceNamespace?: string
+
+			// The human readable prefix to use when emitting statistics for
+			// this route.
+			statPrefix?: string
+
+			// URI to match values are case-sensitive and formatted as
+			// follows: - `exact: "value"` for exact string match - `prefix:
+			// "value"` for prefix-based match - `regex: "value"` for RE2
+			// style regex-based match
+			// (https://github.com/google/re2/wiki/Syntax).
+			uri?: ({} | {
+				exact: _
+			} | {
+				prefix: _
+			} | {
+				regex: _
+			}) & {
+				exact?:  string
+				prefix?: string
+
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				regex?: string
+			}
+
+			// withoutHeader has the same syntax with the header, but has
+			// opposite meaning.
+			withoutHeaders?: {
+				[string]: {
+					exact?:  string
+					prefix?: string
+
+					// RE2 style regex-based match
+					// (https://github.com/google/re2/wiki/Syntax).
+					regex?: string
+				}
+			}
+		}]
+
+		// Mirror HTTP traffic to a another destination in addition to
+		// forwarding the requests to the intended destination.
+		mirror?: {
+			// The name of a service from the service registry.
+			host: string
+			port?: {
+				number?: int
+			}
+
+			// The name of a subset within the service.
+			subset?: string
+		}
+		mirror_percent?: null | int
+		mirrorPercent?:  null | int
+		mirrorPercentage?: {
+			value?: number
+		}
+
+		// Specifies the destinations to mirror HTTP traffic in addition
+		// to the original destination.
+		mirrors?: [...{
+			// Destination specifies the target of the mirror operation.
+			destination: {
+				// The name of a service from the service registry.
+				host: string
+				port?: {
+					number?: int
+				}
+
+				// The name of a subset within the service.
+				subset?: string
+			}
+			percentage?: {
+				value?: number
+			}
+		}]
+
+		// The name assigned to the route for debugging purposes.
+		name?: string
+
+		// A HTTP rule can either return a direct_response, redirect or
+		// forward (default) traffic.
+		redirect?: {
+			// On a redirect, overwrite the Authority/Host portion of the URL
+			// with this value.
+			authority?: string
+
+			// On a redirect, dynamically set the port: *
+			// FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and
+			// 443 for HTTPS.
+			derivePort?: "FROM_PROTOCOL_DEFAULT" | "FROM_REQUEST_PORT"
+
+			// On a redirect, overwrite the port portion of the URL with this
+			// value.
+			port?: int
+
+			// On a redirect, Specifies the HTTP status code to use in the
+			// redirect response.
+			redirectCode?: int
+
+			// On a redirect, overwrite the scheme portion of the URL with
+			// this value.
+			scheme?: string
+
+			// On a redirect, overwrite the Path portion of the URL with this
+			// value.
+			uri?: string
+		}
+
+		// Retry policy for HTTP requests.
+		retries?: {
+			// Number of retries to be allowed for a given request.
+			attempts?: int
+
+			// Timeout per attempt for a given request, including the initial
+			// call and any retries.
+			perTryTimeout?: string
+
+			// Specifies the conditions under which retry takes place.
+			retryOn?: string
+
+			// Flag to specify whether the retries should retry to other
+			// localities.
+			retryRemoteLocalities?: null | bool
+		}
+
+		// Rewrite HTTP URIs and Authority headers.
+		rewrite?: {
+			// rewrite the Authority/Host header with this value.
+			authority?: string
+
+			// rewrite the path (or the prefix) portion of the URI with this
+			// value.
+			uri?: string
+
+			// rewrite the path portion of the URI with the specified regex.
+			uriRegexRewrite?: {
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				match?: string
+
+				// The string that should replace into matching portions of
+				// original URI.
+				rewrite?: string
+			}
+		}
+
+		// A HTTP rule can either return a direct_response, redirect or
+		// forward (default) traffic.
+		route?: [...{
+			// Destination uniquely identifies the instances of a service to
+			// which the request/connection should be forwarded to.
+			destination: {
+				// The name of a service from the service registry.
+				host: string
+				port?: {
+					number?: int
+				}
+
+				// The name of a subset within the service.
+				subset?: string
+			}
+			headers?: {
+				request?: {
+					add?: {
+						[string]: string
+					}
+					remove?: [...string]
+					set?: {
+						[string]: string
+					}
+				}
+				response?: {
+					add?: {
+						[string]: string
+					}
+					remove?: [...string]
+					set?: {
+						[string]: string
+					}
+				}
+			}
+
+			// Weight specifies the relative proportion of traffic to be
+			// forwarded to the destination.
+			weight?: int
+		}]
+
+		// Timeout for HTTP requests, default is disabled.
+		timeout?: string
+	}]
+
+	// An ordered list of route rules for opaque TCP traffic.
+	tcp?: [...{
+		// Match conditions to be satisfied for the rule to be activated.
+		match?: [...{
+			// IPv4 or IPv6 ip addresses of destination with optional subnet.
+			destinationSubnets?: [...string]
+
+			// Names of gateways where the rule should be applied.
+			gateways?: [...string]
+
+			// Specifies the port on the host that is being addressed.
+			port?: int
+
+			// One or more labels that constrain the applicability of a rule
+			// to workloads with the given labels.
+			sourceLabels?: {
+				[string]: string
+			}
+
+			// Source namespace constraining the applicability of a rule to
+			// workloads in that namespace.
+			sourceNamespace?: string
+			sourceSubnet?:    string
+		}]
+
+		// The destination to which the connection should be forwarded to.
+		route?: [...{
+			// Destination uniquely identifies the instances of a service to
+			// which the request/connection should be forwarded to.
+			destination: {
+				// The name of a service from the service registry.
+				host: string
+				port?: {
+					number?: int
+				}
+
+				// The name of a subset within the service.
+				subset?: string
+			}
+
+			// Weight specifies the relative proportion of traffic to be
+			// forwarded to the destination.
+			weight?: int
+		}]
+	}]
+
+	// An ordered list of route rule for non-terminated TLS & HTTPS
+	// traffic.
+	tls?: [...{
+		// Match conditions to be satisfied for the rule to be activated.
+		match: [...{
+			// IPv4 or IPv6 ip addresses of destination with optional subnet.
+			destinationSubnets?: [...string]
+
+			// Names of gateways where the rule should be applied.
+			gateways?: [...string]
+
+			// Specifies the port on the host that is being addressed.
+			port?: int
+
+			// SNI (server name indicator) to match on.
+			sniHosts: [...string]
+
+			// One or more labels that constrain the applicability of a rule
+			// to workloads with the given labels.
+			sourceLabels?: {
+				[string]: string
+			}
+
+			// Source namespace constraining the applicability of a rule to
+			// workloads in that namespace.
+			sourceNamespace?: string
+		}]
+
+		// The destination to which the connection should be forwarded to.
+		route?: [...{
+			// Destination uniquely identifies the instances of a service to
+			// which the request/connection should be forwarded to.
+			destination: {
+				// The name of a service from the service registry.
+				host: string
+				port?: {
+					number?: int
+				}
+
+				// The name of a subset within the service.
+				subset?: string
+			}
+
+			// Weight specifies the relative proportion of traffic to be
+			// forwarded to the destination.
+			weight?: int
+		}]
+	}]
+}

docs/examples/cue.mod/gen/networking.istio.io/workloadentry/v1alpha3/types_gen.cue

@@ -0,0 +1,62 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1alpha3
+
+import "strings"
+
+#WorkloadEntry: {
+	// Configuration affecting VMs onboarded into the mesh. See more
+	// details at:
+	// https://istio.io/docs/reference/config/networking/workload-entry.html
+	spec!:      #WorkloadEntrySpec
+	apiVersion: "networking.istio.io/v1alpha3"
+	kind:       "WorkloadEntry"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting VMs onboarded into the mesh. See more
+// details at:
+// https://istio.io/docs/reference/config/networking/workload-entry.html
+#WorkloadEntrySpec: {
+	// Address associated with the network endpoint without the port.
+	address?: string
+
+	// One or more labels associated with the endpoint.
+	labels?: {
+		[string]: string
+	}
+
+	// The locality associated with the endpoint.
+	locality?: string
+
+	// Network enables Istio to group endpoints resident in the same
+	// L3 domain/network.
+	network?: string
+
+	// Set of ports associated with the endpoint.
+	ports?: {
+		[string]: int
+	}
+
+	// The service account associated with the workload if a sidecar
+	// is present in the workload.
+	serviceAccount?: string
+
+	// The load balancing weight associated with the endpoint.
+	weight?: int
+}

docs/examples/cue.mod/gen/networking.istio.io/workloadentry/v1beta1/types_gen.cue

@@ -0,0 +1,62 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1beta1
+
+import "strings"
+
+#WorkloadEntry: {
+	// Configuration affecting VMs onboarded into the mesh. See more
+	// details at:
+	// https://istio.io/docs/reference/config/networking/workload-entry.html
+	spec!:      #WorkloadEntrySpec
+	apiVersion: "networking.istio.io/v1beta1"
+	kind:       "WorkloadEntry"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting VMs onboarded into the mesh. See more
+// details at:
+// https://istio.io/docs/reference/config/networking/workload-entry.html
+#WorkloadEntrySpec: {
+	// Address associated with the network endpoint without the port.
+	address?: string
+
+	// One or more labels associated with the endpoint.
+	labels?: {
+		[string]: string
+	}
+
+	// The locality associated with the endpoint.
+	locality?: string
+
+	// Network enables Istio to group endpoints resident in the same
+	// L3 domain/network.
+	network?: string
+
+	// Set of ports associated with the endpoint.
+	ports?: {
+		[string]: int
+	}
+
+	// The service account associated with the workload if a sidecar
+	// is present in the workload.
+	serviceAccount?: string
+
+	// The load balancing weight associated with the endpoint.
+	weight?: int
+}

docs/examples/cue.mod/gen/networking.istio.io/workloadgroup/v1alpha3/types_gen.cue

@@ -0,0 +1,136 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1alpha3
+
+import "strings"
+
+#WorkloadGroup: {
+	// Describes a collection of workload instances. See more details
+	// at:
+	// https://istio.io/docs/reference/config/networking/workload-group.html
+	spec!:      #WorkloadGroupSpec
+	apiVersion: "networking.istio.io/v1alpha3"
+	kind:       "WorkloadGroup"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Describes a collection of workload instances. See more details
+// at:
+// https://istio.io/docs/reference/config/networking/workload-group.html
+#WorkloadGroupSpec: {
+	// Metadata that will be used for all corresponding
+	// `WorkloadEntries`.
+	metadata?: {
+		annotations?: {
+			[string]: string
+		}
+		labels?: {
+			[string]: string
+		}
+	}
+
+	// `ReadinessProbe` describes the configuration the user must
+	// provide for healthchecking on their workload.
+	probe?: ({} | {
+		httpGet: _
+	} | {
+		tcpSocket: _
+	} | {
+		exec: _
+	}) & {
+		exec?: {
+			// Command to run.
+			command?: [...string]
+		}
+
+		// Minimum consecutive failures for the probe to be considered
+		// failed after having succeeded.
+		failureThreshold?: int
+
+		// `httpGet` is performed to a given endpoint and the status/able
+		// to connect determines health.
+		httpGet?: {
+			// Host name to connect to, defaults to the pod IP.
+			host?: string
+
+			// Headers the proxy will pass on to make the request.
+			httpHeaders?: [...{
+				name?:  string
+				value?: string
+			}]
+
+			// Path to access on the HTTP server.
+			path?: string
+
+			// Port on which the endpoint lives.
+			port:    int
+			scheme?: string
+		}
+
+		// Number of seconds after the container has started before
+		// readiness probes are initiated.
+		initialDelaySeconds?: int
+
+		// How often (in seconds) to perform the probe.
+		periodSeconds?: int
+
+		// Minimum consecutive successes for the probe to be considered
+		// successful after having failed.
+		successThreshold?: int
+
+		// Health is determined by if the proxy is able to connect.
+		tcpSocket?: {
+			host?: string
+			port:  int
+		}
+
+		// Number of seconds after which the probe times out.
+		timeoutSeconds?: int
+	}
+
+	// Template to be used for the generation of `WorkloadEntry`
+	// resources that belong to this `WorkloadGroup`.
+	template: {
+		// Address associated with the network endpoint without the port.
+		address?: string
+
+		// One or more labels associated with the endpoint.
+		labels?: {
+			[string]: string
+		}
+
+		// The locality associated with the endpoint.
+		locality?: string
+
+		// Network enables Istio to group endpoints resident in the same
+		// L3 domain/network.
+		network?: string
+
+		// Set of ports associated with the endpoint.
+		ports?: {
+			[string]: int
+		}
+
+		// The service account associated with the workload if a sidecar
+		// is present in the workload.
+		serviceAccount?: string
+
+		// The load balancing weight associated with the endpoint.
+		weight?: int
+	}
+}

docs/examples/cue.mod/gen/networking.istio.io/workloadgroup/v1beta1/types_gen.cue

@@ -0,0 +1,138 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1beta1
+
+import "strings"
+
+#WorkloadGroup: {
+	// `WorkloadGroup` enables specifying the properties of a single
+	// workload for bootstrap and provides a template for
+	// `WorkloadEntry`, similar to how `Deployment` specifies
+	// properties of workloads via `Pod` templates.
+	spec!:      #WorkloadGroupSpec
+	apiVersion: "networking.istio.io/v1beta1"
+	kind:       "WorkloadGroup"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// `WorkloadGroup` enables specifying the properties of a single
+// workload for bootstrap and provides a template for
+// `WorkloadEntry`, similar to how `Deployment` specifies
+// properties of workloads via `Pod` templates.
+#WorkloadGroupSpec: {
+	// Metadata that will be used for all corresponding
+	// `WorkloadEntries`.
+	metadata?: {
+		annotations?: {
+			[string]: string
+		}
+		labels?: {
+			[string]: string
+		}
+	}
+
+	// `ReadinessProbe` describes the configuration the user must
+	// provide for healthchecking on their workload.
+	probe?: ({} | {
+		httpGet: _
+	} | {
+		tcpSocket: _
+	} | {
+		exec: _
+	}) & {
+		exec?: {
+			// Command to run.
+			command?: [...string]
+		}
+
+		// Minimum consecutive failures for the probe to be considered
+		// failed after having succeeded.
+		failureThreshold?: int
+
+		// `httpGet` is performed to a given endpoint and the status/able
+		// to connect determines health.
+		httpGet?: {
+			// Host name to connect to, defaults to the pod IP.
+			host?: string
+
+			// Headers the proxy will pass on to make the request.
+			httpHeaders?: [...{
+				name?:  string
+				value?: string
+			}]
+
+			// Path to access on the HTTP server.
+			path?: string
+
+			// Port on which the endpoint lives.
+			port:    int
+			scheme?: string
+		}
+
+		// Number of seconds after the container has started before
+		// readiness probes are initiated.
+		initialDelaySeconds?: int
+
+		// How often (in seconds) to perform the probe.
+		periodSeconds?: int
+
+		// Minimum consecutive successes for the probe to be considered
+		// successful after having failed.
+		successThreshold?: int
+
+		// Health is determined by if the proxy is able to connect.
+		tcpSocket?: {
+			host?: string
+			port:  int
+		}
+
+		// Number of seconds after which the probe times out.
+		timeoutSeconds?: int
+	}
+
+	// Template to be used for the generation of `WorkloadEntry`
+	// resources that belong to this `WorkloadGroup`.
+	template: {
+		// Address associated with the network endpoint without the port.
+		address?: string
+
+		// One or more labels associated with the endpoint.
+		labels?: {
+			[string]: string
+		}
+
+		// The locality associated with the endpoint.
+		locality?: string
+
+		// Network enables Istio to group endpoints resident in the same
+		// L3 domain/network.
+		network?: string
+
+		// Set of ports associated with the endpoint.
+		ports?: {
+			[string]: int
+		}
+
+		// The service account associated with the workload if a sidecar
+		// is present in the workload.
+		serviceAccount?: string
+
+		// The load balancing weight associated with the endpoint.
+		weight?: int
+	}
+}

docs/examples/cue.mod/gen/security.istio.io/authorizationpolicy/v1/types_gen.cue

@@ -0,0 +1,147 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1
+
+import "strings"
+
+#AuthorizationPolicy: {
+	// Configuration for access control on workloads. See more details
+	// at:
+	// https://istio.io/docs/reference/config/security/authorization-policy.html
+	spec!:      #AuthorizationPolicySpec
+	apiVersion: "security.istio.io/v1"
+	kind:       "AuthorizationPolicy"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration for access control on workloads. See more details
+// at:
+// https://istio.io/docs/reference/config/security/authorization-policy.html
+#AuthorizationPolicySpec: ({} | {
+	provider: _
+}) & {
+	// Optional.
+	action?: "ALLOW" | "DENY" | "AUDIT" | "CUSTOM"
+	provider?: {
+		// Specifies the name of the extension provider.
+		name?: string
+	}
+
+	// Optional.
+	rules?: [...{
+		// Optional.
+		from?: [...{
+			// Source specifies the source of a request.
+			source?: {
+				// Optional.
+				ipBlocks?: [...string]
+
+				// Optional.
+				namespaces?: [...string]
+
+				// Optional.
+				notIpBlocks?: [...string]
+
+				// Optional.
+				notNamespaces?: [...string]
+
+				// Optional.
+				notPrincipals?: [...string]
+
+				// Optional.
+				notRemoteIpBlocks?: [...string]
+
+				// Optional.
+				notRequestPrincipals?: [...string]
+
+				// Optional.
+				principals?: [...string]
+
+				// Optional.
+				remoteIpBlocks?: [...string]
+
+				// Optional.
+				requestPrincipals?: [...string]
+			}
+		}]
+
+		// Optional.
+		to?: [...{
+			// Operation specifies the operation of a request.
+			operation?: {
+				// Optional.
+				hosts?: [...string]
+
+				// Optional.
+				methods?: [...string]
+
+				// Optional.
+				notHosts?: [...string]
+
+				// Optional.
+				notMethods?: [...string]
+
+				// Optional.
+				notPaths?: [...string]
+
+				// Optional.
+				notPorts?: [...string]
+
+				// Optional.
+				paths?: [...string]
+
+				// Optional.
+				ports?: [...string]
+			}
+		}]
+
+		// Optional.
+		when?: [...{
+			// The name of an Istio attribute.
+			key: string
+
+			// Optional.
+			notValues?: [...string]
+
+			// Optional.
+			values?: [...string]
+		}]
+	}]
+	selector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which a policy should be applied.
+		matchLabels?: {
+			[string]: string
+		}
+	}
+
+	// Optional.
+	targetRef?: {
+		// group is the group of the target resource.
+		group?: string
+
+		// kind is kind of the target resource.
+		kind?: string
+
+		// name is the name of the target resource.
+		name?: string
+
+		// namespace is the namespace of the referent.
+		namespace?: string
+	}
+}

docs/examples/cue.mod/gen/security.istio.io/authorizationpolicy/v1beta1/types_gen.cue

@@ -0,0 +1,147 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1beta1
+
+import "strings"
+
+#AuthorizationPolicy: {
+	// Configuration for access control on workloads. See more details
+	// at:
+	// https://istio.io/docs/reference/config/security/authorization-policy.html
+	spec!:      #AuthorizationPolicySpec
+	apiVersion: "security.istio.io/v1beta1"
+	kind:       "AuthorizationPolicy"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration for access control on workloads. See more details
+// at:
+// https://istio.io/docs/reference/config/security/authorization-policy.html
+#AuthorizationPolicySpec: ({} | {
+	provider: _
+}) & {
+	// Optional.
+	action?: "ALLOW" | "DENY" | "AUDIT" | "CUSTOM"
+	provider?: {
+		// Specifies the name of the extension provider.
+		name?: string
+	}
+
+	// Optional.
+	rules?: [...{
+		// Optional.
+		from?: [...{
+			// Source specifies the source of a request.
+			source?: {
+				// Optional.
+				ipBlocks?: [...string]
+
+				// Optional.
+				namespaces?: [...string]
+
+				// Optional.
+				notIpBlocks?: [...string]
+
+				// Optional.
+				notNamespaces?: [...string]
+
+				// Optional.
+				notPrincipals?: [...string]
+
+				// Optional.
+				notRemoteIpBlocks?: [...string]
+
+				// Optional.
+				notRequestPrincipals?: [...string]
+
+				// Optional.
+				principals?: [...string]
+
+				// Optional.
+				remoteIpBlocks?: [...string]
+
+				// Optional.
+				requestPrincipals?: [...string]
+			}
+		}]
+
+		// Optional.
+		to?: [...{
+			// Operation specifies the operation of a request.
+			operation?: {
+				// Optional.
+				hosts?: [...string]
+
+				// Optional.
+				methods?: [...string]
+
+				// Optional.
+				notHosts?: [...string]
+
+				// Optional.
+				notMethods?: [...string]
+
+				// Optional.
+				notPaths?: [...string]
+
+				// Optional.
+				notPorts?: [...string]
+
+				// Optional.
+				paths?: [...string]
+
+				// Optional.
+				ports?: [...string]
+			}
+		}]
+
+		// Optional.
+		when?: [...{
+			// The name of an Istio attribute.
+			key: string
+
+			// Optional.
+			notValues?: [...string]
+
+			// Optional.
+			values?: [...string]
+		}]
+	}]
+	selector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which a policy should be applied.
+		matchLabels?: {
+			[string]: string
+		}
+	}
+
+	// Optional.
+	targetRef?: {
+		// group is the group of the target resource.
+		group?: string
+
+		// kind is kind of the target resource.
+		kind?: string
+
+		// name is the name of the target resource.
+		name?: string
+
+		// namespace is the namespace of the referent.
+		namespace?: string
+	}
+}

docs/examples/cue.mod/gen/security.istio.io/peerauthentication/v1beta1/types_gen.cue

@@ -0,0 +1,55 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1beta1
+
+import "strings"
+
+#PeerAuthentication: {
+	// Peer authentication configuration for workloads. See more
+	// details at:
+	// https://istio.io/docs/reference/config/security/peer_authentication.html
+	spec!:      #PeerAuthenticationSpec
+	apiVersion: "security.istio.io/v1beta1"
+	kind:       "PeerAuthentication"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Peer authentication configuration for workloads. See more
+// details at:
+// https://istio.io/docs/reference/config/security/peer_authentication.html
+#PeerAuthenticationSpec: {
+	mtls?: {
+		// Defines the mTLS mode used for peer authentication.
+		mode?: "UNSET" | "DISABLE" | "PERMISSIVE" | "STRICT"
+	}
+
+	// Port specific mutual TLS settings.
+	portLevelMtls?: {
+		[string]: {
+			// Defines the mTLS mode used for peer authentication.
+			mode?: "UNSET" | "DISABLE" | "PERMISSIVE" | "STRICT"
+		}
+	}
+	selector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which a policy should be applied.
+		matchLabels?: {
+			[string]: string
+		}
+	}
+}

docs/examples/cue.mod/gen/security.istio.io/requestauthentication/v1/types_gen.cue

@@ -0,0 +1,111 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1
+
+import "strings"
+
+#RequestAuthentication: {
+	// Request authentication configuration for workloads. See more
+	// details at:
+	// https://istio.io/docs/reference/config/security/request_authentication.html
+	spec!:      #RequestAuthenticationSpec
+	apiVersion: "security.istio.io/v1"
+	kind:       "RequestAuthentication"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Request authentication configuration for workloads. See more
+// details at:
+// https://istio.io/docs/reference/config/security/request_authentication.html
+#RequestAuthenticationSpec: {
+	// Define the list of JWTs that can be validated at the selected
+	// workloads' proxy.
+	jwtRules?: [...{
+		// The list of JWT
+		// [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3)
+		// that are allowed to access.
+		audiences?: [...string]
+
+		// If set to true, the original token will be kept for the
+		// upstream request.
+		forwardOriginalToken?: bool
+
+		// List of header locations from which JWT is expected.
+		fromHeaders?: [...{
+			// The HTTP header name.
+			name: string
+
+			// The prefix that should be stripped before decoding the token.
+			prefix?: string
+		}]
+
+		// List of query parameters from which JWT is expected.
+		fromParams?: [...string]
+
+		// Identifies the issuer that issued the JWT.
+		issuer: string
+
+		// JSON Web Key Set of public keys to validate signature of the
+		// JWT.
+		jwks?: string
+
+		// URL of the provider's public key set to validate signature of
+		// the JWT.
+		jwks_uri?: string
+
+		// URL of the provider's public key set to validate signature of
+		// the JWT.
+		jwksUri?: string
+
+		// This field specifies a list of operations to copy the claim to
+		// HTTP headers on a successfully verified token.
+		outputClaimToHeaders?: [...{
+			// The name of the claim to be copied from.
+			claim?: string
+
+			// The name of the header to be created.
+			header?: string
+		}]
+
+		// This field specifies the header name to output a successfully
+		// verified JWT payload to the backend.
+		outputPayloadToHeader?: string
+	}]
+	selector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which a policy should be applied.
+		matchLabels?: {
+			[string]: string
+		}
+	}
+
+	// Optional.
+	targetRef?: {
+		// group is the group of the target resource.
+		group?: string
+
+		// kind is kind of the target resource.
+		kind?: string
+
+		// name is the name of the target resource.
+		name?: string
+
+		// namespace is the namespace of the referent.
+		namespace?: string
+	}
+}

docs/examples/cue.mod/gen/security.istio.io/requestauthentication/v1beta1/types_gen.cue

@@ -0,0 +1,111 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1beta1
+
+import "strings"
+
+#RequestAuthentication: {
+	// Request authentication configuration for workloads. See more
+	// details at:
+	// https://istio.io/docs/reference/config/security/request_authentication.html
+	spec!:      #RequestAuthenticationSpec
+	apiVersion: "security.istio.io/v1beta1"
+	kind:       "RequestAuthentication"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Request authentication configuration for workloads. See more
+// details at:
+// https://istio.io/docs/reference/config/security/request_authentication.html
+#RequestAuthenticationSpec: {
+	// Define the list of JWTs that can be validated at the selected
+	// workloads' proxy.
+	jwtRules?: [...{
+		// The list of JWT
+		// [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3)
+		// that are allowed to access.
+		audiences?: [...string]
+
+		// If set to true, the original token will be kept for the
+		// upstream request.
+		forwardOriginalToken?: bool
+
+		// List of header locations from which JWT is expected.
+		fromHeaders?: [...{
+			// The HTTP header name.
+			name: string
+
+			// The prefix that should be stripped before decoding the token.
+			prefix?: string
+		}]
+
+		// List of query parameters from which JWT is expected.
+		fromParams?: [...string]
+
+		// Identifies the issuer that issued the JWT.
+		issuer: string
+
+		// JSON Web Key Set of public keys to validate signature of the
+		// JWT.
+		jwks?: string
+
+		// URL of the provider's public key set to validate signature of
+		// the JWT.
+		jwks_uri?: string
+
+		// URL of the provider's public key set to validate signature of
+		// the JWT.
+		jwksUri?: string
+
+		// This field specifies a list of operations to copy the claim to
+		// HTTP headers on a successfully verified token.
+		outputClaimToHeaders?: [...{
+			// The name of the claim to be copied from.
+			claim?: string
+
+			// The name of the header to be created.
+			header?: string
+		}]
+
+		// This field specifies the header name to output a successfully
+		// verified JWT payload to the backend.
+		outputPayloadToHeader?: string
+	}]
+	selector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which a policy should be applied.
+		matchLabels?: {
+			[string]: string
+		}
+	}
+
+	// Optional.
+	targetRef?: {
+		// group is the group of the target resource.
+		group?: string
+
+		// kind is kind of the target resource.
+		kind?: string
+
+		// name is the name of the target resource.
+		name?: string
+
+		// namespace is the namespace of the referent.
+		namespace?: string
+	}
+}

docs/examples/cue.mod/gen/telemetry.istio.io/telemetry/v1alpha1/types_gen.cue

@@ -0,0 +1,184 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1alpha1
+
+import "strings"
+
+#Telemetry: {
+	// Telemetry configuration for workloads. See more details at:
+	// https://istio.io/docs/reference/config/telemetry.html
+	spec!:      #TelemetrySpec
+	apiVersion: "telemetry.istio.io/v1alpha1"
+	kind:       "Telemetry"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Telemetry configuration for workloads. See more details at:
+// https://istio.io/docs/reference/config/telemetry.html
+#TelemetrySpec: {
+	// Optional.
+	accessLogging?: [...{
+		// Controls logging.
+		disabled?: null | bool
+		filter?: {
+			// CEL expression for selecting when requests/connections should
+			// be logged.
+			expression?: string
+		}
+		match?: {
+			// This determines whether or not to apply the access logging
+			// configuration based on the direction of traffic relative to
+			// the proxied workload.
+			mode?: "CLIENT_AND_SERVER" | "CLIENT" | "SERVER"
+		}
+
+		// Optional.
+		providers?: [...{
+			// Required.
+			name: string
+		}]
+	}]
+
+	// Optional.
+	metrics?: [...{
+		// Optional.
+		overrides?: [...{
+			// Optional.
+			disabled?: null | bool
+
+			// Match allows provides the scope of the override.
+			match?: ({} | {
+				metric: _
+			} | {
+				customMetric: _
+			}) & {
+				// Allows free-form specification of a metric.
+				customMetric?: string
+
+				// One of the well-known Istio Standard Metrics.
+				metric?: "ALL_METRICS" | "REQUEST_COUNT" | "REQUEST_DURATION" | "REQUEST_SIZE" | "RESPONSE_SIZE" | "TCP_OPENED_CONNECTIONS" | "TCP_CLOSED_CONNECTIONS" | "TCP_SENT_BYTES" | "TCP_RECEIVED_BYTES" | "GRPC_REQUEST_MESSAGES" | "GRPC_RESPONSE_MESSAGES"
+
+				// Controls which mode of metrics generation is selected: CLIENT
+				// and/or SERVER.
+				mode?: "CLIENT_AND_SERVER" | "CLIENT" | "SERVER"
+			}
+
+			// Optional.
+			tagOverrides?: {
+				[string]: {
+					// Operation controls whether or not to update/add a tag, or to
+					// remove it.
+					operation?: "UPSERT" | "REMOVE"
+
+					// Value is only considered if the operation is `UPSERT`.
+					value?: string
+				}
+			}
+		}]
+
+		// Optional.
+		providers?: [...{
+			// Required.
+			name: string
+		}]
+
+		// Optional.
+		reportingInterval?: string
+	}]
+	selector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which a policy should be applied.
+		matchLabels?: {
+			[string]: string
+		}
+	}
+
+	// Optional.
+	targetRef?: {
+		// group is the group of the target resource.
+		group?: string
+
+		// kind is kind of the target resource.
+		kind?: string
+
+		// name is the name of the target resource.
+		name?: string
+
+		// namespace is the namespace of the referent.
+		namespace?: string
+	}
+
+	// Optional.
+	tracing?: [...{
+		// Optional.
+		customTags?: {
+			[string]: ({} | {
+				literal: _
+			} | {
+				environment: _
+			} | {
+				header: _
+			}) & {
+				// Environment adds the value of an environment variable to each
+				// span.
+				environment?: {
+					// Optional.
+					defaultValue?: string
+
+					// Name of the environment variable from which to extract the tag
+					// value.
+					name?: string
+				}
+
+				// RequestHeader adds the value of an header from the request to
+				// each span.
+				header?: {
+					// Optional.
+					defaultValue?: string
+
+					// Name of the header from which to extract the tag value.
+					name?: string
+				}
+				literal?: {
+					// The tag value to use.
+					value?: string
+				}
+			}
+		}
+
+		// Controls span reporting.
+		disableSpanReporting?: null | bool
+		match?: {
+			// This determines whether or not to apply the tracing
+			// configuration based on the direction of traffic relative to
+			// the proxied workload.
+			mode?: "CLIENT_AND_SERVER" | "CLIENT" | "SERVER"
+		}
+
+		// Optional.
+		providers?: [...{
+			// Required.
+			name: string
+		}]
+
+		// Controls the rate at which traffic will be selected for tracing
+		// if no prior sampling decision has been made.
+		randomSamplingPercentage?:     null | number
+		useRequestIdForTraceSampling?: null | bool
+	}]
+}

docs/examples/cue.mod/usr/k8s.io/api/apps/v1/types.cue

@@ -0,0 +1,6 @@
+package v1
+
+#Deployment: {
+  apiVersion: "apps/v1"
+  kind: "Deployment"
+}

docs/examples/cue.mod/usr/k8s.io/api/core/v1/types.cue

@@ -19,3 +19,8 @@ package v1
   apiVersion: "v1"
   kind: "Pod"
 }
+
+#Service: {
+  apiVersion: "v1"
+  kind: "Service"
+}

docs/examples/namespaces.cue

@@ -3,6 +3,8 @@ package holos
 // PlatformNamespace is a namespace to manage for Secret provisioning, SecretStore, etc...
 #PlatformNamespace: {
 	name: string
+	labels?: {[string]: string}
+	annotations?: {[string]: string}
 }
 
 // #PlatformNamespaces is a list of namespaces to manage across the platform.

docs/examples/platforms/reference/clusters/provisioner/components/eso-creds-refresher/component.cue

@@ -8,21 +8,24 @@ package holos
 // - Namespace
 // - ServiceAccount eso-reader, eso-writer
 
-import "list"
-
-// objects are kubernetes api objects to apply.
-objects: list.FlattenN(_objects, 1)
-
-_objects: [
-	#CredsRefresherIAM.role,
-	#CredsRefresherIAM.binding,
-	for ns in #PlatformNamespaces {(#PlatformNamespaceObjects & {_ns: ns}).objects},
-]
-
 // No flux kustomization
 ksObjects: []
 
-{} & #KubernetesObjects
+#KubernetesObjects & {
+	apiObjects: {
+		let role = #CredsRefresherIAM.role
+		let binding = #CredsRefresherIAM.binding
+		ClusterRole: "\(role.metadata.name)":           role
+		ClusterRoleBinding: "\(binding.metadata.name)": binding
+		for ns in #PlatformNamespaces {
+			for obj in (#PlatformNamespaceObjects & {_ns: ns}).objects {
+				let Kind = obj.kind
+				let Name = obj.metadata.name
+				"\(Kind)": "\(ns.name)/\(Name)": obj
+			}
+		}
+	}
+}
 
 #InputKeys: {
 	cluster:   "provisioner"

docs/examples/platforms/reference/clusters/provisioner/components/namespaces/component.cue

@@ -1,7 +1,5 @@
 package holos
 
-import "list"
-
 #TargetNamespace: "default"
 
 #InputKeys: {
@@ -20,12 +18,14 @@ import "list"
 	]
 }
 
-objects: list.FlattenN(_objects, 1)
-
-_objects: [
-	for ns in #PlatformNamespaces {
-		(#PlatformNamespaceObjects & {_ns: ns}).objects
-	},
-]
-
-{} & #KubernetesObjects
+#KubernetesObjects & {
+	apiObjects: {
+		for ns in #PlatformNamespaces {
+			for obj in (#PlatformNamespaceObjects & {_ns: ns}).objects {
+				let Kind = obj.kind
+				let Name = obj.metadata.name
+				"\(Kind)": "\(Name)": obj
+			}
+		}
+	}
+}

docs/examples/platforms/reference/clusters/workload/cloud/mesh/certissuers/issuers.cue

@@ -0,0 +1,61 @@
+package holos
+
+// Lets Encrypt certificate issuers for public tls certs
+#InputKeys: component: "certissuers"
+#TargetNamespace: "cert-manager"
+
+let Name = "letsencrypt"
+
+// The cloudflare api token is platform scoped, not cluster scoped.
+#SecretName: "cloudflare-api-token-secret"
+
+// Depends on cert manager
+#DependsOn: _CertManager
+
+#KubernetesObjects & {
+	apiObjects: {
+		ClusterIssuer: {
+			letsencrypt: #ClusterIssuer & {
+				metadata: name: Name
+				spec: {
+					acme: {
+						email:  #Platform.org.contact.email
+						server: "https://acme-v02.api.letsencrypt.org/directory"
+						privateKeySecretRef: name: Name + "-istio"
+						solvers: [{http01: ingress: class: "istio"}]
+					}
+				}
+			}
+			letsencryptStaging: #ClusterIssuer & {
+				metadata: name: Name + "-staging"
+				spec: {
+					acme: {
+						email:  #Platform.org.contact.email
+						server: "https://acme-staging-v02.api.letsencrypt.org/directory"
+						privateKeySecretRef: name: Name + "-staging-istio"
+						solvers: [{http01: ingress: class: "istio"}]
+					}
+				}
+			}
+			letsencryptDns: #ClusterIssuer & {
+				metadata: name: Name + "-dns"
+				spec: {
+					acme: {
+						email:  #Platform.org.contact.email
+						server: "https://acme-v02.api.letsencrypt.org/directory"
+						privateKeySecretRef: name: Name + "-istio"
+						solvers: [{
+							dns01: cloudflare: {
+								email: #Platform.org.cloudflare.email
+								apiTokenSecretRef: name: #SecretName
+								apiTokenSecretRef: key:  "api_token"
+							}}]
+					}
+				}
+			}
+		}
+		ExternalSecret: "\(#SecretName)": #ExternalSecret & {
+			_name: #SecretName
+		}
+	}
+}

docs/examples/platforms/reference/clusters/workload/cloud/mesh/certmanager/certmanager.cue

@@ -0,0 +1,23 @@
+package holos
+
+// https://cert-manager.io/docs/
+
+#TargetNamespace: "cert-manager"
+
+#InputKeys: {
+	component: "certmanager"
+	service:   "cert-manager"
+}
+
+#HelmChart & {
+	values: installCRDs: true
+	namespace: #TargetNamespace
+	chart: {
+		name:    "cert-manager"
+		version: "1.14.3"
+		repository: {
+			name: "jetstack"
+			url:  "https://charts.jetstack.io"
+		}
+	}
+}

docs/examples/platforms/reference/clusters/workload/cloud/mesh/istio-base/istiobase.cue

@@ -0,0 +1,17 @@
+package holos
+
+#InputKeys: component: "istio-base"
+#TargetNamespace: "istio-system"
+
+#HelmChart & {
+	namespace: #TargetNamespace
+	chart: {
+		name:    "base"
+		version: "1.20.3"
+		repository: {
+			name: "istio"
+			url:  "https://istio-release.storage.googleapis.com/charts"
+		}
+	}
+	values: #IstioValues
+}

docs/examples/platforms/reference/clusters/workload/cloud/mesh/istio/cni/cni.cue

@@ -0,0 +1,10 @@
+package holos
+
+#InputKeys: component: "cni"
+#TargetNamespace: "kube-system"
+
+#HelmChart & {
+	namespace: #TargetNamespace
+	chart: name: "cni"
+	values: #IstioValues
+}

docs/examples/platforms/reference/clusters/workload/cloud/mesh/istio/ingress/ingress.cue

@@ -0,0 +1,155 @@
+package holos
+
+import "encoding/json"
+
+#InputKeys: component: "ingress"
+#TargetNamespace: "istio-ingress"
+#DependsOn:       _IstioD
+
+#HelmChart & {
+	chart: name: "gateway"
+	namespace: #TargetNamespace
+	values: #GatewayValues & {
+		// This component expects the load balancer to send the PROXY protocol header.
+		// Refer to: https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/guide/service/annotations/#proxy-protocol-v2
+		podAnnotations: "proxy.istio.io/config": json.Marshal(_ProxyProtocol)
+		// TODO This configuration is specific to the OIS Metal NLB, refactor it out to the metal collection.
+		service: {
+			type: "NodePort"
+			annotations: "service.beta.kubernetes.io/aws-load-balancer-proxy-protocol": "*"
+			externalTrafficPolicy: "Local"
+			// Add 30000 to the port to get the Nodeport
+			ports: [
+				{
+					name:       "status-port"
+					port:       15021
+					protocol:   "TCP"
+					targetPort: 15021
+					nodePort:   30021
+				},
+				{
+					name:       "http2"
+					port:       80
+					protocol:   "TCP"
+					targetPort: 80
+					nodePort:   30080
+				},
+				{
+					name:       "https"
+					port:       443
+					protocol:   "TCP"
+					targetPort: 443
+					nodePort:   30443
+				},
+			]
+		}
+	}
+	apiObjects: _APIObjects
+}
+
+_ProxyProtocol: gatewayTopology: proxyProtocol: {}
+
+// Additional holos specific API Objects
+let Name = #GatewayValues.name
+let GatewayLabels = {
+	app:   Name
+	istio: "ingressgateway"
+}
+let RedirectMetaName = {
+	name:      Name + "-https-redirect"
+	namespace: #TargetNamespace
+}
+
+// https-redirect
+_APIObjects: {
+	Gateway: {
+		httpsRedirect: #Gateway & {
+			metadata: RedirectMetaName
+			spec: selector: GatewayLabels
+			spec: servers: [{
+				port: {
+					number:   80
+					name:     "http2"
+					protocol: "HTTP2"
+				}
+				hosts: ["*"]
+				// handled by the VirtualService
+				tls: httpsRedirect: false
+			}]
+		}
+	}
+	VirtualService: {
+		httpsRedirect: #VirtualService & {
+			metadata: RedirectMetaName
+			spec: hosts: ["*"]
+			spec: gateways: [RedirectMetaName.name]
+			spec: http: [{
+				match: [{withoutHeaders: ":path": prefix: "/.well-known/acme-challenge/"}]
+				redirect: {
+					scheme:       "https"
+					redirectCode: 302
+				}
+			}]
+		}
+	}
+}
+
+let LoopbackName = Name + "-loopback"
+let LoopbackDescription = "Allows in-cluster traffic to stay in cluster via traffic routing"
+let LoopbackLabels = {
+	app:   LoopbackName
+	istio: "ingressgateway"
+}
+let LoopbackMetaName = {
+	name:      LoopbackName
+	namespace: #TargetNamespace
+}
+
+// istio-ingressgateway-loopback
+_APIObjects: {
+	Deployment: {
+		loopback: #Deployment & {
+			_description: LoopbackDescription
+			metadata:     LoopbackMetaName
+			spec: {
+				selector: matchLabels: LoopbackLabels
+				template: {
+					metadata: {
+						annotations: "inject.istio.io/templates": "gateway"
+						annotations: #Description & {
+							_Description: LoopbackDescription
+						}
+						labels: LoopbackLabels & {"sidecar.istio.io/inject": "true"}
+					}
+					spec: {
+						serviceAccountName: "istio-ingressgateway"
+						// Allow binding to all ports (such as 80 and 443)
+						securityContext: {
+							runAsNonRoot: true
+							seccompProfile: type: "RuntimeDefault"
+							sysctls: [{name: "net.ipv4.ip_unprivileged_port_start", value: "0"}]
+						}
+						containers: [{
+							name:  "istio-proxy"
+							image: "auto" // Managed by istiod
+							securityContext: {
+								allowPrivilegeEscalation: false
+								capabilities: drop: ["ALL"]
+								runAsUser:  1337
+								runAsGroup: 1337
+							}
+						}]
+					}
+				}
+			}
+		}
+	}
+	Service: {
+		loopback: #Service & {
+			_description: LoopbackDescription
+			metadata:     LoopbackMetaName
+			spec: selector:      LoopbackLabels
+			spec: ports: [{port: 80, name: "http"}, {port: 443, name: "https"}]
+		}
+	}
+}

docs/examples/platforms/reference/clusters/workload/cloud/mesh/istio/istio.cue

@@ -0,0 +1,13 @@
+package holos
+
+#DependsOn: _IstioBase
+
+#HelmChart: {
+	chart: {
+		version: "1.20.3"
+		repository: {
+			name: "istio"
+			url:  "https://istio-release.storage.googleapis.com/charts"
+		}
+	}
+}

docs/examples/platforms/reference/clusters/workload/cloud/mesh/istio/istiod/istiod.cue

@@ -0,0 +1,34 @@
+package holos
+
+import "encoding/yaml"
+
+#InputKeys: component: "istiod"
+#TargetNamespace: "istio-system"
+
+#HelmChart & {
+	namespace: #TargetNamespace
+	chart: {
+		name: "istiod"
+	}
+	values: #IstioValues & {
+		pilot: {
+			// The istio meshconfig ConfigMap is handled in the holos component instead of
+			// the upstream chart so extension providers can be collected from holos data.
+			configMap: false
+			// Set to `type: RuntimeDefault` to use the default profile if available.
+			seccompProfile: type: "RuntimeDefault"
+		}
+	}
+	apiObjects: ConfigMap: istio: #IstioConfigMap
+}
+
+#IstioConfigMap: #ConfigMap & {
+	metadata: {
+		name:      "istio"
+		namespace: #TargetNamespace
+	}
+	data: {
+		mesh:         yaml.Marshal(_MeshConfig)
+		meshNetworks: "networks: {}"
+	}
+}

docs/examples/platforms/reference/clusters/workload/cloud/mesh/istio/istiod/meshconfig.cue

@@ -0,0 +1,74 @@
+package holos
+
+// Istio meshconfig
+// TODO: Generate per-project extauthz providers.
+_MeshConfig: {
+	accessLogEncoding: "JSON"
+	accessLogFile:     "/dev/stdout"
+	defaultConfig: {
+		discoveryAddress: "istiod.istio-system.svc:15012"
+		tracing: zipkin: address: "zipkin.istio-system:9411"
+	}
+	defaultProviders: metrics: ["prometheus"]
+	enablePrometheusMerge: true
+	// For PROXY PROTOCOL at the ingress gateway.
+	gatewayTopology: {
+		numTrustedProxies: 2
+	}
+	rootNamespace: "istio-system"
+	trustDomain:   "cluster.local"
+	extensionProviders: [{
+		name: "cluster-trace"
+		zipkin: {
+			maxTagLength: 56
+			port:         9411
+			service:      "zipkin.istio-system.svc"
+		}
+	}, {
+		name: "cluster-gatekeeper"
+		envoyExtAuthzHttp: {
+			headersToDownstreamOnDeny: [
+				"content-type",
+				"set-cookie",
+			]
+			headersToUpstreamOnAllow: [
+				"authorization",
+				"path",
+				"x-auth-request-user",
+				"x-auth-request-email",
+				"x-auth-request-access-token",
+			]
+			includeAdditionalHeadersInCheck: "X-Auth-Request-Redirect": "%REQ(x-forwarded-proto)%://%REQ(:authority)%%REQ(:path)%%REQ(:query)%"
+			includeRequestHeadersInCheck: [
+				"authorization",
+				"cookie",
+				"x-forwarded-for",
+			]
+			port:    4180
+			service: "oauth2-proxy.istio-ingress.svc.cluster.local"
+		}
+	}, {
+		name: "core-authorizer"
+		envoyExtAuthzHttp: {
+			headersToDownstreamOnDeny: [
+				"content-type",
+				"set-cookie",
+			]
+			headersToUpstreamOnAllow: [
+				"authorization",
+				"path",
+				"x-auth-request-user",
+				"x-auth-request-email",
+				"x-auth-request-access-token",
+			]
+			includeAdditionalHeadersInCheck: "X-Auth-Request-Redirect": "%REQ(x-forwarded-proto)%://%REQ(:authority)%%REQ(:path)%%REQ(:query)%"
+			includeRequestHeadersInCheck: [
+				"authorization",
+				"cookie",
+				"x-forwarded-for",
+			]
+			port:    4180
+			service: "oauth2-proxy.prod-core-system.svc.cluster.local"
+		}
+	}]
+}

docs/examples/platforms/reference/clusters/workload/cloud/mesh/istio/values.cni.cue

@@ -0,0 +1,161 @@
+package holos
+
+// Default values.yaml imported from the cni chart
+
+#CNIValues: {
+	cni: {
+		hub:        ""
+		tag:        ""
+		variant:    ""
+		image:      "install-cni"
+		pullPolicy: ""
+
+		// Refer to https://istio.io/latest/docs/setup/additional-setup/cni/#installing-with-helm
+		enabled: #IstioValues.istio_cni.enabled
+
+		// Configuration log level of istio-cni binary
+		// by default istio-cni send all logs to UDS server
+		// if want to see them you need change global.logging.level with cni:debug
+		logLevel: "debug"
+
+		// Configuration file to insert istio-cni plugin configuration
+		// by default this will be the first file found in the cni-conf-dir
+		// Example
+		// cniConfFileName: 10-calico.conflist
+		// CNI bin and conf dir override settings
+		// defaults:
+		cniBinDir:       "" // Auto-detected based on version; defaults to /opt/cni/bin.
+		cniConfDir:      "/etc/cni/net.d"
+		cniConfFileName: ""
+		// This directory must exist on the node, if it does not, consult your container runtime
+		// documentation for the appropriate path.
+		cniNetnsDir: null // Defaults to '/var/run/netns', in minikube/docker/others can be '/var/run/docker/netns'.
+
+		excludeNamespaces: [
+			"istio-system",
+			"kube-system",
+		]
+
+		// Allows user to set custom affinity for the DaemonSet
+		affinity: {}
+
+		// Custom annotations on pod level, if you need them
+		podAnnotations: {}
+
+		// If this value is set a RoleBinding will be created
+		// in the same namespace as the istio-cni DaemonSet is created.
+		// This can be used to bind a preexisting ClusterRole to the istio/cni ServiceAccount
+		// e.g. if you use PodSecurityPolicies
+		psp_cluster_role: ""
+
+		// Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")?
+		// Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case
+		chained: #IstioValues.istio_cni.chained
+
+		// Allow the istio-cni container to run in privileged mode, needed for some platforms (e.g. OpenShift) or features (repairPods)
+		privileged: false
+
+		// Custom configuration happens based on the CNI provider.
+		// Possible values: "default", "multus"
+		provider: "default"
+
+		// Configure ambient settings
+		ambient: {
+			// If enabled, ambient redirection will be enabled
+			enabled: false
+			// Set ambient redirection mode: "iptables" or "ebpf"
+			redirectMode: "iptables"
+			// Set ambient config dir path: defaults to /etc/ambient-config
+			configDir: ""
+		}
+
+		repair: {
+			enabled: true
+			hub:     ""
+			tag:     ""
+
+			// Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used.
+			// This defines the action the controller will take when a pod is detected as broken.
+			// labelPods will label all pods with <brokenPodLabelKey>=<brokenPodLabelValue>.
+			// This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them).
+			labelPods: false
+			// deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready.
+			deletePods: true
+			// repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started.
+			// Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs.
+			// This requires no RBAC privilege, but does require `securityContext.privileged`.
+			repairPods: false
+
+			initContainerName: "istio-validation"
+
+			brokenPodLabelKey:   "cni.istio.io/uninitialized"
+			brokenPodLabelValue: "true"
+		}
+
+		// Set to `type: RuntimeDefault` to use the default profile if available.
+		seccompProfile: {}
+
+		resources: requests: {
+			cpu:    "100m"
+			memory: "100Mi"
+		}
+
+		resourceQuotas: {
+			enabled: false
+			pods:    5000
+		}
+
+		// The number of pods that can be unavailable during rolling update (see
+		// `updateStrategy.rollingUpdate.maxUnavailable` here:
+		// https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec).
+		// May be specified as a number of pods or as a percent of the total number
+		// of pods at the start of the update.
+		rollingMaxUnavailable: 1
+	}
+
+	// Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+	revision: ""
+
+	// For Helm compatibility.
+	ownerName: ""
+
+	global: {
+		// Default hub for Istio images.
+		// Releases are published to docker hub under 'istio' project.
+		// Dev builds from prow are on gcr.io
+		hub: "docker.io/istio"
+
+		// Default tag for Istio images.
+		tag: "1.20.3"
+
+		// Variant of the image to use.
+		// Currently supported are: [debug, distroless]
+		variant: ""
+
+		// Specify image pull policy if default behavior isn't desired.
+		// Default behavior: latest images will be Always else IfNotPresent.
+		imagePullPolicy: ""
+
+		// change cni scope level to control logging out of istio-cni-node DaemonSet
+		logging: {
+			level: "default:info,cni:info"
+		}
+
+		logAsJson: false
+
+		// ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+		// to use for pulling any images in pods that reference this ServiceAccount.
+		// For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+		// ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+		// Must be set for any cluster configured with private docker registry.
+		imagePullSecrets: []
+		// - private-registry-key
+		// Default resources allocated
+		defaultResources: {
+			requests: {
+				cpu:    "100m"
+				memory: "100Mi"
+			}
+		}
+	}
+}

docs/examples/platforms/reference/clusters/workload/cloud/mesh/istio/values.gateway.cue

@@ -0,0 +1,170 @@
+package holos
+
+// Gateway default values.yaml imported from the gateway chart.
+
+#GatewayValues: {
+
+	// Name allows overriding the release name. Generally this should not be set
+	name: "istio-ingressgateway"
+	// revision declares which revision this gateway is a part of
+	revision: ""
+
+	// Controls the spec.replicas setting for the Gateway deployment if set.
+	// Otherwise defaults to Kubernetes Deployment default (1).
+	replicaCount: null
+
+	kind: "Deployment"
+
+	rbac: {
+		// If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed
+		// when using http://gateway-api.org/.
+		enabled: true
+	}
+
+	serviceAccount: {
+		// If set, a service account will be created. Otherwise, the default is used
+		create: true
+		// Annotations to add to the service account
+		annotations: {}
+		// The name of the service account to use.
+		// If not set, the release name is used
+		name: ""
+	}
+
+	podAnnotations: {
+		"prometheus.io/port":        "15020"
+		"prometheus.io/scrape":      "true"
+		"prometheus.io/path":        "/stats/prometheus"
+		"inject.istio.io/templates": "gateway"
+		"sidecar.istio.io/inject":   "true"
+		...
+	}
+
+	// Define the security context for the pod.
+	// If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
+	// On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
+	securityContext: {
+		seccompProfile: type: "RuntimeDefault"
+		sysctls: [{name: "net.ipv4.ip_unprivileged_port_start", value: "0"}]
+	}
+	containerSecurityContext: null
+
+	service: {
+		// Type of service. Set to "None" to disable the service entirely
+		type: string | *"LoadBalancer"
+		ports: [...] | *[{
+			name:       "status-port"
+			port:       15021
+			protocol:   "TCP"
+			targetPort: 15021
+		}, {
+			name:       "http2"
+			port:       80
+			protocol:   "TCP"
+			targetPort: 80
+		}, {
+			name:       "https"
+			port:       443
+			protocol:   "TCP"
+			targetPort: 443
+		}]
+		annotations: {...}
+		loadBalancerIP: ""
+		loadBalancerSourceRanges: []
+		externalTrafficPolicy: string | *""
+		externalIPs: []
+		ipFamilyPolicy: ""
+		ipFamilies: []
+	}
+
+	resources: {
+		requests: {
+			cpu:    "100m"
+			memory: "128Mi"
+		}
+		limits: {
+			cpu:    "2000m"
+			memory: "1024Mi"
+		}
+	}
+
+	autoscaling: {
+		enabled:                        true
+		minReplicas:                    1
+		maxReplicas:                    5
+		targetCPUUtilizationPercentage: 80
+		autoscaleBehavior: {}
+	}
+
+	// Pod environment variables
+	env: {}
+
+	// Labels to apply to all resources
+	labels: {}
+
+	// Annotations to apply to all resources
+	annotations: {}
+
+	nodeSelector: {}
+
+	tolerations: []
+
+	topologySpreadConstraints: []
+
+	affinity: {}
+
+	// If specified, the gateway will act as a network gateway for the given network.
+	networkGateway: ""
+
+	// Specify image pull policy if default behavior isn't desired.
+	// Default behavior: latest images will be Always else IfNotPresent
+	imagePullPolicy: ""
+
+	imagePullSecrets: []
+
+	// This value is used to configure a Kubernetes PodDisruptionBudget for the gateway.
+	//
+	// By default, the `podDisruptionBudget` is disabled (set to `{}`),
+	// which means that no PodDisruptionBudget resource will be created.
+	//
+	// To enable the PodDisruptionBudget, configure it by specifying the
+	// `minAvailable` or `maxUnavailable`. For example, to set the
+	// minimum number of available replicas to 1, you can update this value as follows:
+	//
+	// podDisruptionBudget:
+	//   minAvailable: 1
+	//
+	// Or, to allow a maximum of 1 unavailable replica, you can set:
+	//
+	// podDisruptionBudget:
+	//   maxUnavailable: 1
+	//
+	// You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`.
+	// For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows:
+	//
+	// podDisruptionBudget:
+	//   minAvailable: 1
+	//   unhealthyPodEvictionPolicy: AlwaysAllow
+	//
+	// To disable the PodDisruptionBudget, you can leave it as an empty object `{}`:
+	//
+	// podDisruptionBudget: {}
+	//
+	podDisruptionBudget: {}
+
+	terminationGracePeriodSeconds: 30
+
+	// A list of `Volumes` added into the Gateway Pods. See
+	// https://kubernetes.io/docs/concepts/storage/volumes/.
+	volumes: []
+
+	// A list of `VolumeMounts` added into the Gateway Pods. See
+	// https://kubernetes.io/docs/concepts/storage/volumes/.
+	volumeMounts: []
+
+	// Configure this to a higher priority class in order to make sure your Istio gateway pods
+	// will not be killed because of low priority class.
+	// Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+	// for more detail.
+	priorityClassName: ""
+}

docs/examples/platforms/reference/clusters/workload/cloud/mesh/mesh.cue

@@ -0,0 +1,14 @@
+package holos
+
+// Components under this directory are part of this collection
+#InputKeys: project: "mesh"
+
+// Shared dependencies for all components in this collection.
+#Kustomization: spec: targetNamespace: #TargetNamespace
+#DependsOn: _Namespaces
+
+// Common Dependencies
+_CertManager: CertManager: name: "\(#InstancePrefix)-certmanager"
+_Namespaces: Namespaces: name:   "\(#StageName)-secrets-namespaces"
+_IstioBase: IstioBase: name:     "\(#InstancePrefix)-istio-base"
+_IstioD: IstioD: name:           "\(#InstancePrefix)-istiod"

docs/examples/platforms/reference/clusters/workload/cloud/mesh/values.cue

@@ -0,0 +1,547 @@
+package holos
+
+// Default istio values from the istiod chart using cue import values.yaml
+#IstioValues: {
+	// Discovery Settings
+	pilot: {
+		autoscaleEnabled: true
+		autoscaleMin:     1
+		autoscaleMax:     5
+		autoscaleBehavior: {}
+		replicaCount:          1
+		rollingMaxSurge:       "100%"
+		rollingMaxUnavailable: "25%"
+
+		hub:     string | *""
+		tag:     string | *""
+		variant: string | *""
+
+		// Can be a full hub/image:tag
+		image:         "pilot"
+		traceSampling: 1.0
+
+		// Resources for a small pilot install
+		resources: {
+			requests: {
+				cpu:    "500m"
+				memory: "2048Mi"
+			}
+		}
+
+		// Set to `type: RuntimeDefault` to use the default profile if available.
+		seccompProfile: {...}
+
+		// Additional container arguments
+		extraContainerArgs: []
+
+		env: {}
+
+		cpu: targetAverageUtilization: 80
+
+		// Additional volumeMounts to the istiod container
+		volumeMounts: []
+
+		// Additional volumes to the istiod pod
+		volumes: []
+
+		nodeSelector: {}
+		podAnnotations: {}
+		serviceAnnotations: {}
+
+		topologySpreadConstraints: []
+
+		// You can use jwksResolverExtraRootCA to provide a root certificate
+		// in PEM format. This will then be trusted by pilot when resolving
+		// JWKS URIs.
+		jwksResolverExtraRootCA: ""
+
+		// This is used to set the source of configuration for
+		// the associated address in configSource, if nothing is specified
+		// the default MCP is assumed.
+		configSource: {
+			subscribedResources: []
+		}
+
+		plugins: []
+
+		// The following is used to limit how long a sidecar can be connected
+		// to a pilot. It balances out load across pilot instances at the cost of
+		// increasing system churn.
+		keepaliveMaxServerConnectionAge: "30m"
+
+		// Additional labels to apply to the deployment.
+		deploymentLabels: {}
+
+		//# Mesh config settings
+		// Install the mesh config map, generated from values.yaml.
+		// If false, pilot wil use default values (by default) or user-supplied values.
+		configMap: *true | false
+
+		// Additional labels to apply on the pod level for monitoring and logging configuration.
+		podLabels: {}
+
+		// Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
+		ipFamilyPolicy: ""
+		ipFamilies: []
+	}
+
+	sidecarInjectorWebhook: {
+		// You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
+		// always skip the injection on pods that match that label selector, regardless of the global policy.
+		// See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
+		neverInjectSelector: []
+		alwaysInjectSelector: []
+
+		// injectedAnnotations are additional annotations that will be added to the pod spec after injection
+		// This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations:
+		//
+		// annotations:
+		//   apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
+		//   apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
+		//
+		// The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before
+		// the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify:
+		// injectedAnnotations:
+		//   container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default
+		//   container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default
+		injectedAnnotations: {}
+
+		// This enables injection of sidecar in all namespaces,
+		// with the exception of namespaces with "istio-injection:disabled" annotation
+		// Only one environment should have this enabled.
+		enableNamespacesByDefault: false
+
+		// Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run
+		// once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten.
+		// Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur.
+		reinvocationPolicy: "Never"
+
+		rewriteAppHTTPProbe: true
+
+		// Templates defines a set of custom injection templates that can be used. For example, defining:
+		//
+		// templates:
+		//   hello: |
+		//     metadata:
+		//       labels:
+		//         hello: world
+		//
+		// Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod
+		// being injected with the hello=world labels.
+		// This is intended for advanced configuration only; most users should use the built in template
+		templates: {}
+
+		// Default templates specifies a set of default templates that are used in sidecar injection.
+		// By default, a template `sidecar` is always provided, which contains the template of default sidecar.
+		// To inject other additional templates, define it using the `templates` option, and add it to
+		// the default templates list.
+		// For example:
+		//
+		// templates:
+		//   hello: |
+		//     metadata:
+		//       labels:
+		//         hello: world
+		//
+		// defaultTemplates: ["sidecar", "hello"]
+		defaultTemplates: []
+	}
+	istiodRemote: {
+		// Sidecar injector mutating webhook configuration clientConfig.url value.
+		// For example: https://$remotePilotAddress:15017/inject
+		// The host should not refer to a service running in the cluster; use a service reference by specifying
+		// the clientConfig.service field instead.
+		injectionURL: ""
+
+		// Sidecar injector mutating webhook configuration path value for the clientConfig.service field.
+		// Override to pass env variables, for example: /inject/cluster/remote/net/network2
+		injectionPath: "/inject"
+	}
+	telemetry: {
+		enabled: true
+		v2: {
+			// For Null VM case now.
+			// This also enables metadata exchange.
+			enabled: true
+			metadataExchange: {
+				// Indicates whether to enable WebAssembly runtime for metadata exchange filter.
+				wasmEnabled: false
+			}
+			// Indicate if prometheus stats filter is enabled or not
+			prometheus: {
+				enabled: true
+				// Indicates whether to enable WebAssembly runtime for stats filter.
+				wasmEnabled: false
+				// overrides stats EnvoyFilter configuration.
+				configOverride: {
+					gateway: {}
+					inboundSidecar: {}
+					outboundSidecar: {}
+				}
+			}
+			// stackdriver filter settings.
+			stackdriver: {
+				enabled:         false
+				logging:         false
+				monitoring:      false
+				topology:        false // deprecated. setting this to true will have no effect, as this option is no longer supported.
+				disableOutbound: false
+				//  configOverride parts give you the ability to override the low level configuration params passed to envoy filter.
+
+				configOverride: {}
+			}
+			//  e.g.
+			//  disable_server_access_logging: false
+			//  disable_host_header_fallback: true
+			// Access Log Policy Filter Settings. This enables filtering of access logs from stackdriver.
+			accessLogPolicy: {
+				enabled: false
+				// To reduce the number of successful logs, default log window duration is
+				// set to 12 hours.
+				logWindowDuration: "43200s"
+			}
+		}
+	}
+	// Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+	revision: ""
+
+	// Revision tags are aliases to Istio control plane revisions
+	revisionTags: []
+
+	// For Helm compatibility.
+	ownerName: ""
+
+	// meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
+	// See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
+	meshConfig: {
+		enablePrometheusMerge: true
+	}
+
+	global: {
+		// Used to locate istiod.
+		istioNamespace: "istio-system"
+		// List of cert-signers to allow "approve" action in the istio cluster role
+		//
+		// certSigners:
+		//   - clusterissuers.cert-manager.io/istio-ca
+		certSigners: []
+		// enable pod disruption budget for the control plane, which is used to
+		// ensure Istio control plane components are gradually upgraded or recovered.
+		defaultPodDisruptionBudget: {
+			enabled: true
+		}
+		// The values aren't mutable due to a current PodDisruptionBudget limitation
+		// minAvailable: 1
+		// A minimal set of requested resources to applied to all deployments so that
+		// Horizontal Pod Autoscaler will be able to function (if set).
+		// Each component can overwrite these default values by adding its own resources
+		// block in the relevant section below and setting the desired resources values.
+		defaultResources: {
+			requests: cpu: "10m"
+		}
+		//   memory: 128Mi
+		// limits:
+		//   cpu: 100m
+		//   memory: 128Mi
+		// Default hub for Istio images.
+		// Releases are published to docker hub under 'istio' project.
+		// Dev builds from prow are on gcr.io
+		hub: string | *"docker.io/istio"
+		// Default tag for Istio images.
+		tag: string | *"1.20.3"
+		// Variant of the image to use.
+		// Currently supported are: [debug, distroless]
+		variant: string | *""
+
+		// Specify image pull policy if default behavior isn't desired.
+		// Default behavior: latest images will be Always else IfNotPresent.
+		imagePullPolicy: string | *""
+
+		// ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+		// to use for pulling any images in pods that reference this ServiceAccount.
+		// For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+		// ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+		// Must be set for any cluster configured with private docker registry.
+		imagePullSecrets: []
+		// - private-registry-key
+		// Enabled by default in master for maximising testing.
+		istiod: {
+			enableAnalysis: false
+		}
+
+		// To output all istio components logs in json format by adding --log_as_json argument to each container argument
+		logAsJson: false
+
+		// Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
+		// The control plane has different scopes depending on component, but can configure default log level across all components
+		// If empty, default scope and level will be used as configured in code
+		logging: {
+			level: "default:info"
+		}
+
+		omitSidecarInjectorConfigMap: false
+
+		// Whether to restrict the applications namespace the controller manages;
+		// If not set, controller watches all namespaces
+		oneNamespace: false
+
+		// Configure whether Operator manages webhook configurations. The current behavior
+		// of Istiod is to manage its own webhook configurations.
+		// When this option is set as true, Istio Operator, instead of webhooks, manages the
+		// webhook configurations. When this option is set as false, webhooks manage their
+		// own webhook configurations.
+		operatorManageWebhooks: false
+
+		// Custom DNS config for the pod to resolve names of services in other
+		// clusters. Use this to add additional search domains, and other settings.
+		// see
+		// https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
+		// This does not apply to gateway pods as they typically need a different
+		// set of DNS settings than the normal application pods (e.g., in
+		// multicluster scenarios).
+		// NOTE: If using templates, follow the pattern in the commented example below.
+		//podDNSSearchNamespaces:
+		//- global
+		//- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"
+		// Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
+		// system-node-critical, it is better to configure this in order to make sure your Istio pods
+		// will not be killed because of low priority class.
+		// Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+		// for more detail.
+		priorityClassName: ""
+
+		proxy: {
+			image: "proxyv2"
+
+			// This controls the 'policy' in the sidecar injector.
+			autoInject: "enabled"
+
+			// CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
+			// cluster domain. Default value is "cluster.local".
+			clusterDomain: "cluster.local"
+
+			// Per Component log level for proxy, applies to gateways and sidecars. If a component level is
+			// not set, then the global "logLevel" will be used.
+			componentLogLevel: "misc:error"
+
+			// If set, newly injected sidecars will have core dumps enabled.
+			enableCoreDump: false
+
+			// istio ingress capture allowlist
+			// examples:
+			//     Redirect only selected ports:            --includeInboundPorts="80,8080"
+			excludeInboundPorts: ""
+			includeInboundPorts: "*"
+
+			// istio egress capture allowlist
+			// https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
+			// example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
+			// would only capture egress traffic on those two IP Ranges, all other outbound traffic would
+			// be allowed by the sidecar
+			includeIPRanges:      "*"
+			excludeIPRanges:      ""
+			includeOutboundPorts: ""
+			excludeOutboundPorts: ""
+
+			// Log level for proxy, applies to gateways and sidecars.
+			// Expected values are: trace|debug|info|warning|error|critical|off
+			logLevel: "warning"
+
+			//If set to true, istio-proxy container will have privileged securityContext
+			privileged: false
+
+			// The number of successive failed probes before indicating readiness failure.
+			readinessFailureThreshold: 4
+
+			// The initial delay for readiness probes in seconds.
+			readinessInitialDelaySeconds: 0
+
+			// The period between readiness probes.
+			readinessPeriodSeconds: 15
+
+			// Enables or disables a startup probe.
+			// For optimal startup times, changing this should be tied to the readiness probe values.
+			//
+			// If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4.
+			// This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval),
+			// and doesn't spam the readiness endpoint too much
+			//
+			// If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30.
+			// This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly.
+			startupProbe: {
+				enabled:          true
+				failureThreshold: 600
+			} // 10 minutes
+			// Resources for the sidecar.
+			resources: {
+				requests: {
+					cpu:    "100m"
+					memory: "128Mi"
+				}
+				limits: {
+					cpu:    "2000m"
+					memory: "1024Mi"
+				}
+			}
+
+			// Default port for Pilot agent health checks. A value of 0 will disable health checking.
+			statusPort: 15020
+
+			// Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver.
+			// If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
+			tracer: "zipkin"
+		}
+
+		proxy_init: {
+			// Base name for the proxy_init container, used to configure iptables.
+			image: "proxyv2"
+		}
+
+		// configure remote pilot and istiod service and endpoint
+		remotePilotAddress: ""
+
+		//#############################################################################################
+		// The following values are found in other charts. To effectively modify these values, make   #
+		// make sure they are consistent across your Istio helm charts                                #
+		//#############################################################################################
+		// The customized CA address to retrieve certificates for the pods in the cluster.
+		// CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
+		// If not set explicitly, default to the Istio discovery address.
+		caAddress: ""
+
+		// Configure a remote cluster data plane controlled by an external istiod.
+		// When set to true, istiod is not deployed locally and only a subset of the other
+		// discovery charts are enabled.
+		externalIstiod: false
+
+		// Configure a remote cluster as the config cluster for an external istiod.
+		configCluster: false
+
+		// Configure the policy for validating JWT.
+		// Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
+		jwtPolicy: "third-party-jwt"
+
+		// Mesh ID means Mesh Identifier. It should be unique within the scope where
+		// meshes will interact with each other, but it is not required to be
+		// globally/universally unique. For example, if any of the following are true,
+		// then two meshes must have different Mesh IDs:
+		// - Meshes will have their telemetry aggregated in one place
+		// - Meshes will be federated together
+		// - Policy will be written referencing one mesh from the other
+		//
+		// If an administrator expects that any of these conditions may become true in
+		// the future, they should ensure their meshes have different Mesh IDs
+		// assigned.
+		//
+		// Within a multicluster mesh, each cluster must be (manually or auto)
+		// configured to have the same Mesh ID value. If an existing cluster 'joins' a
+		// multicluster mesh, it will need to be migrated to the new mesh ID. Details
+		// of migration TBD, and it may be a disruptive operation to change the Mesh
+		// ID post-install.
+		//
+		// If the mesh admin does not specify a value, Istio will use the value of the
+		// mesh's Trust Domain. The best practice is to select a proper Trust Domain
+		// value.
+		meshID: ""
+
+		// Configure the mesh networks to be used by the Split Horizon EDS.
+		//
+		// The following example defines two networks with different endpoints association methods.
+		// For `network1` all endpoints that their IP belongs to the provided CIDR range will be
+		// mapped to network1. The gateway for this network example is specified by its public IP
+		// address and port.
+		// The second network, `network2`, in this example is defined differently with all endpoints
+		// retrieved through the specified Multi-Cluster registry being mapped to network2. The
+		// gateway is also defined differently with the name of the gateway service on the remote
+		// cluster. The public IP for the gateway will be determined from that remote service (only
+		// LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
+		// it still need to be configured manually).
+		//
+		// meshNetworks:
+		//   network1:
+		//     endpoints:
+		//     - fromCidr: "192.168.0.1/24"
+		//     gateways:
+		//     - address: 1.1.1.1
+		//       port: 80
+		//   network2:
+		//     endpoints:
+		//     - fromRegistry: reg1
+		//     gateways:
+		//     - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
+		//       port: 443
+		//
+		meshNetworks: {}
+
+		// Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
+		mountMtlsCerts: false
+
+		multiCluster: {
+			// Set to true to connect two kubernetes clusters via their respective
+			// ingressgateway services when pods in each cluster cannot directly
+			// talk to one another. All clusters should be using Istio mTLS and must
+			// have a shared root CA for this model to work.
+			enabled: false
+			// Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
+			// to properly label proxies
+			clusterName: ""
+		}
+
+		// Network defines the network this cluster belong to. This name
+		// corresponds to the networks in the map of mesh networks.
+		network: ""
+
+		// Configure the certificate provider for control plane communication.
+		// Currently, two providers are supported: "kubernetes" and "istiod".
+		// As some platforms may not have kubernetes signing APIs,
+		// Istiod is the default
+		pilotCertProvider: "istiod"
+
+		sds: {
+			// The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
+			// When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
+			// JWT is intended for the CA.
+			token: {
+				aud: "istio-ca"
+			}
+		}
+
+		sts: {
+			// The service port used by Security Token Service (STS) server to handle token exchange requests.
+			// Setting this port to a non-zero value enables STS server.
+			servicePort: 0
+		}
+
+		// The name of the CA for workload certificates.
+		// For example, when caName=GkeWorkloadCertificate, GKE workload certificates
+		// will be used as the certificates for workloads.
+		// The default value is "" and when caName="", the CA will be configured by other
+		// mechanisms (e.g., environmental variable CA_PROVIDER).
+		caName: ""
+
+		// whether to use autoscaling/v2 template for HPA settings
+		// for internal usage only, not to be configured by users.
+		autoscalingv2API: true
+	}
+
+	base: {
+		// For istioctl usage to disable istio config crds in base
+		enableIstioConfigCRDs: true
+
+		// If enabled, gateway-api types will be validated using the standard upstream validation logic.
+		// This is an alternative to deploying the standalone validation server the project provides.
+		// This is disabled by default, as the cluster may already have a validation server; while technically
+		// it works to have multiple redundant validations, this adds complexity and operational risks.
+		// Users should consider enabling this if they want full gateway-api validation but don't have other validation servers.
+		validateGateway: false
+	}
+
+	// keep in sync with settings used when installing the Istio CNI chart
+	istio_cni: {
+		// Refer to https://istio.io/latest/docs/setup/additional-setup/cni/#installing-with-helm
+		// values.istio_cni.enabled should be set to the same value as values.cni.enabled.
+		// values.istio_cni.chained should be set to the same value as values.cni.chained.
+		enabled: true
+		chained: true
+	}
+}

docs/examples/platforms/reference/clusters/workload/cloud/mesh/values.holos.cue

@@ -0,0 +1,28 @@
+package holos
+
+#IstioValues: {
+	global: {
+		// Used to locate istiod.
+		istioNamespace: "istio-system"
+		// Switch the hub away from the default docker.io to avoid rate limits
+		hub: "gcr.io/istio-release"
+		// ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace
+		// to use for pulling any images in pods that reference this ServiceAccount.
+		// Must be set for any cluster configured with private docker registry.
+		imagePullSecrets: []
+		istiod: enableAnalysis: false
+		configValidation:   true
+		externalIstiod:     false
+		remotePilotAddress: ""
+	}
+	base: {
+		// Include the CRDs in the helm template output
+		enableCRDTemplates: true
+		// Validation webhook configuration url
+		// For example: https://$remotePilotAddress:15017/validate
+		validationURL: ""
+		// For istioctl usage to disable istio config crds in base
+		enableIstioConfigCRDs: true
+	}
+	defaultRevision: "default"
+}

docs/examples/platforms/reference/clusters/workload/cloud/secrets/components/eso-creds-refresher/component.cue

@@ -2,11 +2,16 @@ package holos
 
 import "encoding/json"
 
-// objects are kubernetes api objects to apply
-objects: #CredsRefresherService.objects
-
 // output kubernetes api objects for holos
-{} & #KubernetesObjects
+#KubernetesObjects & {
+	apiObjects: {
+		for obj in #CredsRefresherService.objects {
+			let Kind = obj.kind
+			let Name = obj.metadata.name
+			"\(Kind)": "\(Name)": obj
+		}
+	}
+}
 
 #InputKeys: {
 	project:   "secrets"
@@ -15,6 +20,8 @@ objects: #CredsRefresherService.objects
 
 #TargetNamespace: #CredsRefresher.namespace
 
+#DependsOn: Namespaces: name: #InstancePrefix + "-namespaces"
+
 let NAME = #CredsRefresher.name
 let AUD = "//iam.googleapis.com/projects/\(#InputKeys.gcpProjectNumber)/locations/global/workloadIdentityPools/holos/providers/k8s-\(#InputKeys.cluster)"
 let MOUNT = "/var/run/service-account"

docs/examples/platforms/reference/clusters/workload/cloud/secrets/components/eso/eso.cue

@@ -0,0 +1,28 @@
+package holos
+
+// Manages the External Secrets Operator from the official upstream Helm chart.
+
+#TargetNamespace: "external-secrets"
+
+#InputKeys: component: "eso"
+
+#InputKeys: {
+	project: "secrets"
+	service: "eso"
+}
+
+#Kustomization: spec: targetNamespace: #TargetNamespace
+#DependsOn: Namespaces: name:          #InstancePrefix + "-namespaces"
+
+#HelmChart & {
+	values: installCrds: true
+	namespace: #TargetNamespace
+	chart: {
+		name:    "external-secrets"
+		version: "0.9.12"
+		repository: {
+			name: "external-secrets"
+			url:  "https://charts.external-secrets.io"
+		}
+	}
+}

docs/examples/platforms/reference/clusters/workload/cloud/secrets/components/namespaces/component.cue

@@ -1,7 +1,5 @@
 package holos
 
-import "list"
-
 #TargetNamespace: "default"
 
 #InputKeys: {
@@ -15,17 +13,23 @@ import "list"
 
 	objects: [
 		#Namespace & {
-			metadata: name: _ns.name
+			metadata: _ns
+		},
+		#SecretStore & {
+			_namespace: _ns.name
 		},
 	]
 }
 
-objects: list.FlattenN(_objects, 1)
-
-_objects: [
-	for ns in #PlatformNamespaces {
-		(#PlatformNamespaceObjects & {_ns: ns}).objects
-	},
-]
-
-{} & #KubernetesObjects
+#KubernetesObjects & {
+	apiObjects: {
+		for ns in #PlatformNamespaces {
+			for obj in (#PlatformNamespaceObjects & {_ns: ns}).objects {
+				let Kind = obj.kind
+				let NS = ns.name
+				let Name = obj.metadata.name
+				"\(Kind)": "\(NS)/\(Name)": obj
+			}
+		}
+	}
+}

docs/examples/platforms/reference/clusters/workload/cloud/secrets/components/validate/component.cue

@@ -0,0 +1,20 @@
+package holos
+
+// Validate ESO by syncing a secret with a SecretStore.
+
+#TargetNamespace: "holos-system"
+
+#InputKeys: {
+	project:   "secrets"
+	component: "validate"
+}
+
+#DependsOn: Namespaces: name: #InstancePrefix + "-eso"
+
+#KubernetesObjects & {
+	apiObjects: {
+		ExternalSecret: validate: #ExternalSecret & {
+			_name: "validate"
+		}
+	}
+}

docs/examples/platforms/reference/clusters/workload/metal/ceph/ceph.cue

@@ -0,0 +1,34 @@
+package holos
+
+// Manage Ceph CSI to provide PersistentVolumeClaims to a cluster.
+
+#TargetNamespace: "ceph-system"
+
+#SecretName: "\(#ClusterName)-ceph-csi-rbd"
+
+#InputKeys: {
+	project:   "metal"
+	service:   "ceph"
+	component: "ceph"
+}
+
+#Kustomization: spec: targetNamespace: #TargetNamespace
+#DependsOn: Namespaces: name:          "\(#StageName)-secrets-namespaces"
+
+#HelmChart & {
+	namespace: #TargetNamespace
+	chart: {
+		name:    "ceph-csi-rbd"
+		version: "3.10.2"
+		repository: {
+			name: "ceph-csi"
+			url:  "https://ceph.github.io/csi-charts"
+		}
+	}
+
+	apiObjects: {
+		ExternalSecret: "\(#SecretName)": #ExternalSecret & {
+			_name: #SecretName
+		}
+	}
+}

docs/examples/platforms/reference/clusters/workload/metal/ceph/values.holos.cue

@@ -0,0 +1,177 @@
+package holos
+
+#Input: {
+	config: {
+		// (required) String representing a Ceph cluster to provision storage from.
+		// Should be unique across all Ceph clusters in use for provisioning,
+		// cannot be greater than 36 bytes in length, and should remain immutable for
+		// the lifetime of the StorageClass in use.
+		clusterID: string
+		// (required) []String list of ceph monitor "address:port" values.
+		monitors: [...string]
+	}
+}
+
+// Imported from https://github.com/holos-run/holos-infra/blob/0ae58858f5583d25fa7543e47b5f5e9f0b2f3c83/components/core/metal/ceph-csi-rbd/values.holos.yaml
+
+#ChartValues: {
+	// Necessary for Talos see https://github.com/siderolabs/talos/discussions/8163
+	selinuxMount: false
+
+	csiConfig: [#Input.config]
+
+	storageClass: {
+		annotations: "storageclass.kubernetes.io/is-default-class": "true"
+
+		// Specifies whether the storageclass should be created
+		create: true
+		name:   "ceph-ssd"
+
+		// (optional) Prefix to use for naming RBD images.
+		// If omitted, defaults to "csi-vol-".
+		// NOTE: Set this to a cluster specific value, e.g. vol-k1-
+		volumeNamePrefix: "vol-\(#ClusterName)-"
+
+		// (required) String representing a Ceph cluster to provision storage from.
+		// Should be unique across all Ceph clusters in use for provisioning,
+		// cannot be greater than 36 bytes in length, and should remain immutable for
+		// the lifetime of the StorageClass in use.
+		clusterID: #Input.config.clusterID
+
+		// (optional) If you want to use erasure coded pool with RBD, you need to
+		// create two pools. one erasure coded and one replicated.
+		// You need to specify the replicated pool here in the `pool` parameter, it is
+		// used for the metadata of the images.
+		// The erasure coded pool must be set as the `dataPool` parameter below.
+		// dataPool: <ec-data-pool>
+		dataPool: ""
+
+		// (required) Ceph pool into which the RBD image shall be created
+		// eg: pool: replicapool
+		pool: "k8s-dev"
+
+		// (optional) RBD image features, CSI creates image with image-format 2 CSI
+		// RBD currently supports `layering`, `journaling`, `exclusive-lock`,
+		// `object-map`, `fast-diff`, `deep-flatten` features.
+		// Refer https://docs.ceph.com/en/latest/rbd/rbd-config-ref/#image-features
+		// for image feature dependencies.
+		// imageFeatures: layering,journaling,exclusive-lock,object-map,fast-diff
+		imageFeatures: "layering"
+
+		// (optional) Specifies whether to try other mounters in case if the current
+		// mounter fails to mount the rbd image for any reason. True means fallback
+		// to next mounter, default is set to false.
+		// Note: tryOtherMounters is currently useful to fallback from krbd to rbd-nbd
+		// in case if any of the specified imageFeatures is not supported by krbd
+		// driver on node scheduled for application pod launch, but in the future this
+		// should work with any mounter type.
+		// tryOtherMounters: false
+		// (optional) uncomment the following to use rbd-nbd as mounter
+		// on supported nodes
+		// mounter: rbd-nbd
+		mounter: ""
+
+		// (optional) ceph client log location, eg: rbd-nbd
+		// By default host-path /var/log/ceph of node is bind-mounted into
+		// csi-rbdplugin pod at /var/log/ceph mount path. This is to configure
+		// target bindmount path used inside container for ceph clients logging.
+		// See docs/rbd-nbd.md for available configuration options.
+		// cephLogDir: /var/log/ceph
+		cephLogDir: ""
+
+		// (optional) ceph client log strategy
+		// By default, log file belonging to a particular volume will be deleted
+		// on unmap, but you can choose to just compress instead of deleting it
+		// or even preserve the log file in text format as it is.
+		// Available options `remove` or `compress` or `preserve`
+		// cephLogStrategy: remove
+		cephLogStrategy: ""
+
+		// (optional) Instruct the plugin it has to encrypt the volume
+		// By default it is disabled. Valid values are "true" or "false".
+		// A string is expected here, i.e. "true", not true.
+		// encrypted: "true"
+		encrypted: ""
+
+		// (optional) Use external key management system for encryption passphrases by
+		// specifying a unique ID matching KMS ConfigMap. The ID is only used for
+		// correlation to configmap entry.
+		encryptionKMSID: ""
+
+		// Add topology constrained pools configuration, if topology based pools
+		// are setup, and topology constrained provisioning is required.
+		// For further information read TODO<doc>
+		// topologyConstrainedPools: |
+		//   [{"poolName":"pool0",
+		//     "dataPool":"ec-pool0" # optional, erasure-coded pool for data
+		//     "domainSegments":[
+		//       {"domainLabel":"region","value":"east"},
+		//       {"domainLabel":"zone","value":"zone1"}]},
+		//    {"poolName":"pool1",
+		//     "dataPool":"ec-pool1" # optional, erasure-coded pool for data
+		//     "domainSegments":[
+		//       {"domainLabel":"region","value":"east"},
+		//       {"domainLabel":"zone","value":"zone2"}]},
+		//    {"poolName":"pool2",
+		//     "dataPool":"ec-pool2" # optional, erasure-coded pool for data
+		//     "domainSegments":[
+		//       {"domainLabel":"region","value":"west"},
+		//       {"domainLabel":"zone","value":"zone1"}]}
+		//   ]
+		topologyConstrainedPools: []
+
+		// (optional) mapOptions is a comma-separated list of map options.
+		// For krbd options refer
+		// https://docs.ceph.com/docs/master/man/8/rbd/#kernel-rbd-krbd-options
+		// For nbd options refer
+		// https://docs.ceph.com/docs/master/man/8/rbd-nbd/#options
+		// Format:
+		// mapOptions: "<mounter>:op1,op2;<mounter>:op1,op2"
+		// An empty mounter field is treated as krbd type for compatibility.
+		// eg:
+		// mapOptions: "krbd:lock_on_read,queue_depth=1024;nbd:try-netlink"
+		mapOptions: ""
+
+		// (optional) unmapOptions is a comma-separated list of unmap options.
+		// For krbd options refer
+		// https://docs.ceph.com/docs/master/man/8/rbd/#kernel-rbd-krbd-options
+		// For nbd options refer
+		// https://docs.ceph.com/docs/master/man/8/rbd-nbd/#options
+		// Format:
+		// unmapOptions: "<mounter>:op1,op2;<mounter>:op1,op2"
+		// An empty mounter field is treated as krbd type for compatibility.
+		// eg:
+		// unmapOptions: "krbd:force;nbd:force"
+		unmapOptions: ""
+
+		// The secrets have to contain Ceph credentials with required access
+		// to the 'pool'.
+		provisionerSecret: #SecretName
+		// If Namespaces are left empty, the secrets are assumed to be in the
+		// Release namespace.
+		provisionerSecretNamespace:      ""
+		controllerExpandSecret:          #SecretName
+		controllerExpandSecretNamespace: ""
+		nodeStageSecret:                 #SecretName
+		nodeStageSecretNamespace:        ""
+		// Specify the filesystem type of the volume. If not specified,
+		// csi-provisioner will set default as `ext4`.
+		fstype:               "ext4"
+		reclaimPolicy:        "Delete"
+		allowVolumeExpansion: true
+		mountOptions: []
+	}
+
+	secret: {
+		// Specifies whether the secret should be created
+		create: false
+		name:   #SecretName
+		// Key values correspond to a user name and its key, as defined in the
+		// ceph cluster. User ID should have required access to the 'pool'
+		// specified in the storage class
+		userID:  "admin"
+		userKey: "$(ceph auth get-key client.admin)"
+		// Encryption passphrase
+		encryptionPassphrase: "$(python -c 'import secrets; print(secrets.token_hex(32));')"
+	}
+}

docs/examples/platforms/reference/clusters/workload/metal/ceph/values.input.cue

@@ -0,0 +1,8 @@
+package holos
+
+#Input: {
+	config: {
+		clusterID: "a6de32ab-c84f-49a6-b97e-e31dc2a70931"
+		monitors: ["10.64.1.21:6789", "10.64.1.31:6789", "10.64.1.41:6789"]
+	}
+}

docs/examples/platforms/reference/clusters/workload/metal/readme.md

@@ -0,0 +1,23 @@
+# Metal Clusters
+
+This cluster type is overlaid onto other cluster types to add services necessary outside of a cloud like GKE or EKS.  Ceph for PersistenVolumeClaim support on a Talos Proxmox cluster is the primary use case.
+
+## Test Script
+
+Test ceph is working with:
+
+```bash
+apply -n default -f-<<EOF
+heredoc> apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: test
+spec:
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 1Gi
+EOF
+```

docs/examples/platforms/reference/clusters/workload/projects/secrets/components/eso/eso.cue

@@ -1,3 +0,0 @@
-package holos
-
-#InputKeys: component: "eso"

docs/examples/platforms/reference/clusters/workload/projects/secrets/components/eso/inputkeys.cue

@@ -1,8 +0,0 @@
-package holos
-
-#TargetNamespace: "external-secrets"
-
-#InputKeys: {
-	project: "secrets"
-	service: "eso"
-}

docs/examples/platforms/reference/clusters/workload/projects/secrets/components/eso/output.cue

@@ -1,16 +0,0 @@
-package holos
-
-#Kustomization: spec: dependsOn: [{name: #InstancePrefix + "-namespaces"}]
-
-#HelmChart & {
-	values: installCrds: true
-	namespace: #TargetNamespace
-	chart: {
-		name:    "external-secrets"
-		version: "0.9.12"
-		repository: {
-			name: "external-secrets"
-			url:  "https://charts.external-secrets.io"
-		}
-	}
-}

docs/examples/platforms/reference/namespaces.cue

@@ -1,11 +1,24 @@
 package holos
 
+// Refer to https://kubernetes.io/docs/concepts/security/pod-security-standards/
+let Restricted = {
+	labels: "pod-security.kubernetes.io/enforce":         "restricted"
+	labels: "pod-security.kubernetes.io/enforce-version": "latest"
+}
+let Privileged = {
+	labels: "pod-security.kubernetes.io/enforce":         "privileged"
+	labels: "pod-security.kubernetes.io/enforce-version": "latest"
+}
+
+// #PlatformNamespaces is the union of all namespaces across all cluster types.  Namespaces are created in all clusters regardless of if they're
+// used within the cluster or not.  The is important for security and consistency with IAM, RBAC, and Secrets sync between clusters.
 #PlatformNamespaces: [
+	{name: "external-secrets"},
 	{name: "holos-system"},
 	{name: "flux-system"},
-	{name: "ceph-system"},
-	{name: "istio-system"},
-	{name: "istio-ingress"},
+	{name: "ceph-system"} & Privileged,
+	{name: "istio-system"} & Privileged,
+	{name: "istio-ingress"} & Restricted,
 	{name: "cert-manager"},
 	{name: "argocd"},
 ]

docs/examples/platforms/reference/projects/secrets/components/validate/component.cue

@@ -1,13 +0,0 @@
-package holos
-
-#Kustomization: spec: dependsOn: [{name: #InstancePrefix + "-eso"}]
-
-objects: [
-	#SecretStore,
-	#ExternalSecret & {
-		_name: "validate"
-		spec: dataFrom: [{extract: key: "ns/" + #TargetNamespace + "/test"}]
-	},
-]
-
-{} & #KubernetesObjects

docs/examples/platforms/reference/projects/secrets/components/validate/inputkeys.cue

@@ -1,8 +0,0 @@
-package holos
-
-#TargetNamespace: "default"
-
-#InputKeys: {
-	project:   "secrets"
-	component: "validate"
-}

docs/examples/schema.cue

@@ -3,46 +3,72 @@ package holos
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	ksv1 "kustomize.toolkit.fluxcd.io/kustomization/v1"
+	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	batchv1 "k8s.io/api/batch/v1"
 	es "external-secrets.io/externalsecret/v1beta1"
 	ss "external-secrets.io/secretstore/v1beta1"
+	ci "cert-manager.io/clusterissuer/v1"
+	gw "networking.istio.io/gateway/v1beta1"
+	vs "networking.istio.io/virtualservice/v1beta1"
 	"encoding/yaml"
 )
 
+// _apiVersion is the version of this schema.  Defines the interface between CUE output and the holos cli.
 _apiVersion: "holos.run/v1alpha1"
 
-// #Name defines the name: string key value pair used all over the place.
-#Name: name: string
+// #ClusterName is the cluster name for cluster scoped resources.
+#ClusterName: #InputKeys.cluster
+
+// #StageName is prod, dev, stage, etc...  Usually prod for platform components.
+#StageName: #InputKeys.stage
+
+// #CollectionName is the preferred handle to the collection element of the instance name.  A collection name mapes to an "application name" as described in the kubernetes recommended labels documentation.  Refer to https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/
+#CollectionName: #InputKeys.project
+
+// #ComponentName is the name of the holos component.
+#ComponentName: #InputKeys.component
+
+// #InstanceName is the name of the holos component instance being managed varying by stage, project, and component names.
+#InstanceName: "\(#StageName)-\(#CollectionName)-\(#ComponentName)"
+
+// #InstancePrefix is the stage and project without the component name.  Useful for dependency management among multiple components for a project stage.
+#InstancePrefix: "\(#StageName)-\(#CollectionName)"
 
 // #TargetNamespace is the target namespace for a holos component.
 #TargetNamespace: string
 
-// #InstanceName is the name of the holos component instance being managed varying by stage, project, and component names.
-#InstanceName: "\(#InputKeys.stage)-\(#InputKeys.project)-\(#InputKeys.component)"
-
-// #InstancePrefix is the stage and project without the component name.  Useful for dependency management among multiple components for a project stage.
-#InstancePrefix: "\(#InputKeys.stage)-\(#InputKeys.project)"
-
-// TypeMeta indicates a kubernetes api object
-#TypeMeta: metav1.#TypeMeta
-
 // #CommonLabels are mixed into every kubernetes api object.
 #CommonLabels: {
-	"holos.run/stage.name":     #InputKeys.stage
-	"holos.run/project.name":   #InputKeys.project
-	"holos.run/component.name": #InputKeys.component
+	"holos.run/stage.name":        #StageName
+	"holos.run/project.name":      #CollectionName
+	"holos.run/component.name":    #ComponentName
+	"app.kubernetes.io/part-of":   #StageName
+	"app.kubernetes.io/name":      #CollectionName
+	"app.kubernetes.io/component": #ComponentName
+	"app.kubernetes.io/instance":  #InstanceName
 	...
 }
 
 #ClusterObject: {
+	_description: string | *""
 	metadata: metav1.#ObjectMeta & {
 		labels: #CommonLabels
+		annotations: #Description & {
+			_Description: _description
+			...
+		}
 	}
 	...
 }
 
+#Description: {
+	_Description:            string | *""
+	"holos.run/description": _Description
+	...
+}
+
 #NamespaceObject: #ClusterObject & {
 	metadata: namespace: string
 }
@@ -56,13 +82,18 @@ _apiVersion: "holos.run/v1alpha1"
 }
 #ClusterRole:        #ClusterObject & rbacv1.#ClusterRole
 #ClusterRoleBinding: #ClusterObject & rbacv1.#ClusterRoleBinding
-#Role:               #NamespaceObject & rbacv1.#Role
-#RoleBinding:        #NamespaceObject & rbacv1.#RoleBinding
-#ConfigMap:          #NamespaceObject & corev1.#ConfigMap
-#ServiceAccount:     #NamespaceObject & corev1.#ServiceAccount
-#Pod:                #NamespaceObject & corev1.#Pod
-#Job:                #NamespaceObject & batchv1.#Job
-#CronJob:            #NamespaceObject & batchv1.#CronJob
+#ClusterIssuer: #ClusterObject & ci.#ClusterIssuer & {...}
+#Role:           #NamespaceObject & rbacv1.#Role
+#RoleBinding:    #NamespaceObject & rbacv1.#RoleBinding
+#ConfigMap:      #NamespaceObject & corev1.#ConfigMap
+#ServiceAccount: #NamespaceObject & corev1.#ServiceAccount
+#Pod:            #NamespaceObject & corev1.#Pod
+#Service:        #NamespaceObject & corev1.#Service
+#Job:            #NamespaceObject & batchv1.#Job
+#CronJob:        #NamespaceObject & batchv1.#CronJob
+#Deployment:     #NamespaceObject & appsv1.#Deployment
+#Gateway:        #NamespaceObject & gw.#Gateway
+#VirtualService: #NamespaceObject & vs.#VirtualService
 
 // Flux Kustomization CRDs
 #Kustomization: #NamespaceObject & ksv1.#Kustomization & {
@@ -79,17 +110,28 @@ _apiVersion: "holos.run/v1alpha1"
 			kind: string | *"GitRepository"
 			name: string | *"flux-system"
 		}
-		timeout: string | *"3m0s"
-		wait:    bool | *true
+		suspend?:         bool
+		targetNamespace?: string
+		timeout:          string | *"3m0s"
+		wait:             bool | *true
+		dependsOn: [for k, v in #DependsOn {v}]
 	}
 }
 
+// #DependsOn stores all of the dependencies between components.  It's a struct to support merging across levels in the tree.
+#DependsOn: {
+	[NAME=_]: {
+		name: string
+	}
+	...
+}
+
 // External Secrets CRDs
 #ExternalSecret: #NamespaceObject & es.#ExternalSecret & {
 	_name: string
 	metadata: {
-		namespace: string | *"default"
 		name:      _name
+		namespace: #TargetNamespace
 	}
 	spec: {
 		refreshInterval: string | *"1h"
@@ -98,26 +140,32 @@ _apiVersion: "holos.run/v1alpha1"
 			name: string | *"default"
 		}
 		target: {
+			name:           _name
 			creationPolicy: string | *"Owner"
+			deletionPolicy: string | *"Retain"
 		}
+		// Copy fields 1:1 from external Secret to target Secret.
+		dataFrom: [{extract: key: _name}]
 	}
 }
 
 #SecretStore: #NamespaceObject & ss.#SecretStore & {
+	_namespace: string
 	metadata: {
 		name:      string | *"default"
-		namespace: string | *#TargetNamespace
+		namespace: _namespace
 	}
 	spec: provider: {
-		vault: {
-			auth: kubernetes: {
-				mountPath: #InputKeys.cluster
-				role:      string | *"default"
-				serviceAccountRef: name: string | *"default"
+		kubernetes: {
+			remoteNamespace: _namespace
+			auth: token: bearerToken: {
+				name: string | *"eso-reader"
+				key:  string | *"token"
+			}
+			server: {
+				caBundle: #InputKeys.provisionerCABundle
+				url:      #InputKeys.provisionerURL
 			}
-			path:    string | *"kv/k8s"
-			server:  "https://vault.core." + #Platform.org.domain
-			version: string | *"v2"
 		}
 	}
 }
@@ -128,16 +176,19 @@ _apiVersion: "holos.run/v1alpha1"
 	cluster: string @tag(cluster, type=string)
 	// stage is usually set by the platform or project.
 	stage: *"prod" | string @tag(stage, type=string)
-	// project is usually set by the platform or project.
-	project: string @tag(project, type=string)
 	// service is usually set by the component.
-	service: string @tag(service, type=string)
+	service: *component | string @tag(service, type=string)
 	// component is the name of the component
 	component: string @tag(component, type=string)
 
 	// GCP Project Info used for the Provisioner Cluster
 	gcpProjectID:     string @tag(gcpProjectID, type=string)
 	gcpProjectNumber: int    @tag(gcpProjectNumber, type=int)
+
+	// Same as cluster certificate-authority-data field in ~/.holos/kubeconfig.provisioner
+	provisionerCABundle: string @tag(provisionerCABundle, type=string)
+	// Same as the cluster server field in ~/.holos/kubeconfig.provisioner
+	provisionerURL: string @tag(provisionerURL, type=string)
 }
 
 // #Platform defines the primary lookup table for the platform.  Lookup keys should be limited to those defined in #KeyTags.
@@ -146,6 +197,8 @@ _apiVersion: "holos.run/v1alpha1"
 	org: {
 		name:   string
 		domain: string
+		contact: email:    string
+		cloudflare: email: string
 	}
 	clusters: [ID=_]: {
 		name:    string & ID
@@ -153,7 +206,7 @@ _apiVersion: "holos.run/v1alpha1"
 	}
 	stages: [ID=_]: {
 		name: string & ID
-		environments: [...#Name]
+		environments: [...{name: string}]
 	}
 	projects: [ID=_]: {
 		name: string & ID
@@ -163,36 +216,58 @@ _apiVersion: "holos.run/v1alpha1"
 	}
 }
 
+// #APIObjects is the output type for api objects produced by cue.  A map is used to aid debugging and clarity.
+#APIObjects: {
+	// apiObjects holds each the api objects produced by cue.
+	apiObjects: {
+		[Kind=_]: {
+			[Name=_]: metav1.#TypeMeta & {
+				kind: Kind
+			}
+		}
+	}
+
+	// apiObjectsContent holds the marshalled representation of apiObjects
+	apiObjectMap: {
+		for kind, v in apiObjects {
+			"\(kind)": {
+				for name, obj in v {
+					"\(name)": yaml.Marshal(obj)
+				}
+			}
+		}
+		...
+	}
+}
+
 // #OutputTypeMeta is shared among all output types
 #OutputTypeMeta: {
 	// apiVersion is the output api version
 	apiVersion: _apiVersion
 	// kind is a discriminator of the type of output
-	kind: #PlatformSpec.kind | #KubernetesObjects.kind | #HelmChart.kind
+	kind: #PlatformSpec.kind | #KubernetesObjects.kind | #HelmChart.kind | #NoOutput.kind
 	// name holds a unique name suitable for a filename
 	metadata: name: string
-	// contentType is the standard MIME type indicating the content type of the content field
-	contentType: *"application/yaml" | "application/json"
-	// content holds the content text output
-	content: string | *""
 	// debug returns arbitrary debug output.
 	debug?: _
 }
 
+#NoOutput: {
+	#OutputTypeMeta
+	kind: string | *"Skip"
+	metadata: name: string | *"skipped"
+}
+
 // #KubernetesObjectOutput is the output schema of a single component.
 #KubernetesObjects: {
 	#OutputTypeMeta
-
-	// kind KubernetesObjects provides a yaml text stream of kubernetes api objects in the out field.
+	#APIObjects
 	kind: "KubernetesObjects"
-	// objects holds a list of the kubernetes api objects to configure.
-	objects: [...metav1.#TypeMeta] | *[]
-	// out holds the rendered yaml text stream of kubernetes api objects.
-	content: yaml.MarshalStream(objects)
+	metadata: name: #InstanceName
 	// ksObjects holds the flux Kustomization objects for gitops
 	ksObjects: [...#Kustomization] | *[#Kustomization]
 	// ksContent is the yaml representation of kustomization
-	ksContent: yaml.MarshalStream(ksObjects)
+	ksContent: yaml.Marshal(#Kustomization)
 	// platform returns the platform data structure for visibility / troubleshooting.
 	platform: #Platform
 }
@@ -207,10 +282,15 @@ _apiVersion: "holos.run/v1alpha1"
 	}
 }
 
+// #ChartValues represent the values provided to a helm chart.  Existing values may be imorted using cue import values.yaml -p holos then wrapping the values.cue content in #Values: {}
+#ChartValues: {...}
+
 // #HelmChart is a holos component which produces kubernetes api objects from cue values provided to the helm template command.
 #HelmChart: {
 	#OutputTypeMeta
+	#APIObjects
 	kind: "HelmChart"
+	metadata: name: #InstanceName
 	// ksObjects holds the flux Kustomization objects for gitops.
 	ksObjects: [...#Kustomization] | *[#Kustomization]
 	// ksContent is the yaml representation of kustomization.
@@ -220,7 +300,7 @@ _apiVersion: "holos.run/v1alpha1"
 	// chart defines the upstream helm chart to process.
 	chart: #Chart
 	// values represents the helm values to provide to the chart.
-	values: {...}
+	values: #ChartValues
 	// valuesContent holds the values yaml
 	valuesContent: yaml.Marshal(values)
 	// platform returns the platform data structure for visibility / troubleshooting.
@@ -235,7 +315,10 @@ _apiVersion: "holos.run/v1alpha1"
 	kind: "PlatformSpec"
 }
 
-#Output: #PlatformSpec | #KubernetesObjects | #HelmChart
+// #SecretName is the name of a Secret, ususally coupling a Deployment to an ExternalSecret
+#SecretName: string
 
-// Holos component name
-metadata: name: #InstanceName
+// By default, render kind: Skipped so holos knows to skip over intermediate cue files.
+// This enables the use of holos render ./foo/bar/baz/... when bar contains intermediary constraints which are not complete components.
+// Holos skips over these intermediary cue instances.
+{} & #NoOutput

docs/provisioner/readme.md

@@ -49,7 +49,7 @@ PROJECT_NUMBER="$(gcloud projects describe $PROJECT_ID --format='value(projectNu
 ORG_DOMAIN="example.com"
 ```
 
-## Seed Cluster
+## Provisioner Cluster
 
 ```shell
 gcloud container clusters create-auto provisioner \

go.mod

@@ -6,6 +6,9 @@ require (
 	cuelang.org/go v0.7.0
 	github.com/mattn/go-isatty v0.0.20
 	github.com/spf13/cobra v1.7.0
+	golang.org/x/tools v0.18.0
+	k8s.io/apimachinery v0.29.2
+	k8s.io/client-go v0.29.2
 )
 
 require (
@@ -14,6 +17,7 @@ require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
 	github.com/emicklei/proto v1.10.0 // indirect
+	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
 	github.com/go-logr/logr v1.3.0 // indirect
 	github.com/go-openapi/jsonpointer v0.19.6 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
@@ -21,7 +25,6 @@ require (
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect
-	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/uuid v1.3.0 // indirect
 	github.com/imdario/mergo v0.3.6 // indirect
@@ -36,27 +39,25 @@ require (
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.0-rc4 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
 	github.com/protocolbuffers/txtpbfmt v0.0.0-20230328191034-3462fbc510c0 // indirect
+	github.com/rogpeppe/go-internal v1.12.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	golang.org/x/mod v0.14.0 // indirect
-	golang.org/x/net v0.19.0 // indirect
+	golang.org/x/net v0.21.0 // indirect
 	golang.org/x/oauth2 v0.10.0 // indirect
-	golang.org/x/sys v0.15.0 // indirect
-	golang.org/x/term v0.15.0 // indirect
+	golang.org/x/sys v0.17.0 // indirect
+	golang.org/x/term v0.17.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
-	golang.org/x/tools v0.16.1 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/protobuf v1.31.0 // indirect
-	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/api v0.29.2 // indirect
-	k8s.io/apimachinery v0.29.2 // indirect
-	k8s.io/client-go v0.29.2 // indirect
 	k8s.io/klog/v2 v2.110.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect
+	k8s.io/kubectl v0.29.2 // indirect
 	k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect

go.sum

@@ -13,6 +13,8 @@ github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxER
 github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
 github.com/emicklei/proto v1.10.0 h1:pDGyFRVV5RvV+nkBK9iy3q67FBy9Xa7vwrOTE+g5aGw=
 github.com/emicklei/proto v1.10.0/go.mod h1:rn1FgRS/FANiZdD2djyH7TMA9jdRDcYQ9IEN9yvjX0A=
+github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH5pOlLGNtQ5lPWQu84=
+github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY=
 github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE=
@@ -23,6 +25,8 @@ github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/
 github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14=
 github.com/go-quicktest/qt v1.101.0 h1:O1K29Txy5P2OK0dGo59b7b0LR6wKfIhttaAhHUyn7eI=
 github.com/go-quicktest/qt v1.101.0/go.mod h1:14Bz/f7NwaXPtdYEgzsx46kqSxVwTbzVZsDC26tQJow=
+github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
+github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
@@ -38,6 +42,8 @@ github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeN
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
 github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec=
+github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
 github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/imdario/mergo v0.3.6 h1:xTNEAn+kxVO7dTZGu0CegyqKZmoWFI0rF8UxjlB2d28=
@@ -76,15 +82,24 @@ github.com/mpvl/unique v0.0.0-20150818121801-cbe035fff7de h1:D5x39vF5KCwKQaw+OC9
 github.com/mpvl/unique v0.0.0-20150818121801-cbe035fff7de/go.mod h1:kJun4WP5gFuHZgRjZUWWuH1DTxCtxbHDOIJsudS8jzY=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
+github.com/onsi/ginkgo/v2 v2.13.0 h1:0jY9lJquiL8fcf3M4LAXN5aMlS/b2BV86HFFPCPMgE4=
+github.com/onsi/ginkgo/v2 v2.13.0/go.mod h1:TE309ZR8s5FsKKpuB1YAQYBzCaAfUgatB/xlT/ETL/o=
+github.com/onsi/gomega v1.29.0 h1:KIA/t2t5UBzoirT4H9tsML45GEbo3ouUnBHsCfD2tVg=
+github.com/onsi/gomega v1.29.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0-rc4 h1:oOxKUJWnFC4YGHCCMNql1x4YaDfYBTS5Y4x/Cgeo1E0=
 github.com/opencontainers/image-spec v1.1.0-rc4/go.mod h1:X4pATf0uXsnn3g5aiGIsVnJBR4mxhKzfwmvK/B2NTm8=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/protocolbuffers/txtpbfmt v0.0.0-20230328191034-3462fbc510c0 h1:sadMIsgmHpEOGbUs6VtHBXRR1OHevnj7hLx9ZcdNGW4=
 github.com/protocolbuffers/txtpbfmt v0.0.0-20230328191034-3462fbc510c0/go.mod h1:jgxiZysxFPM+iWKwQwPR+y+Jvo54ARd4EisXxKYpB5c=
 github.com/rogpeppe/go-internal v1.11.1-0.20231026093722-fa6a31e0812c h1:fPpdjePK1atuOg28PXfNSqgwf9I/qD1Hlo39JFwKBXk=
 github.com/rogpeppe/go-internal v1.11.1-0.20231026093722-fa6a31e0812c/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
+github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
+github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I=
 github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0=
@@ -97,6 +112,8 @@ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UV
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
@@ -106,15 +123,15 @@ golang.org/x/exp v0.0.0-20231006140011-7918f672742d h1:jtJma62tbqLibJ5sFQz8bKtEM
 golang.org/x/exp v0.0.0-20231006140011-7918f672742d/go.mod h1:ldy0pHrwJyGW56pPQzzkH36rKxoZW1tw7ZJpeKx+hdo=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=
-golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.15.0 h1:SernR4v+D55NyBH2QiEQrlBAnj1ECL6AGrA5+dPaMY8=
+golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c=
-golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U=
+golang.org/x/net v0.21.0 h1:AQyQV4dYCvJ7vGmJyKki9+PBdyvhkSd8EIx/qb0AYv4=
+golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/oauth2 v0.10.0 h1:zHCpF2Khkwy4mMB4bv0U37YtJdTGW8jI0glAApi0Kh8=
 golang.org/x/oauth2 v0.10.0/go.mod h1:kTpgurOux7LqtuxjuyZa4Gj2gdezIt/jQtGnNFfypQI=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -124,10 +141,10 @@ golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5h
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
-golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4=
-golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
+golang.org/x/sys v0.17.0 h1:25cE3gD+tdBA7lp7QfhuV+rJiE9YXTcS3VG1SqssI/Y=
+golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/term v0.17.0 h1:mkTF7LCd6WGJNL3K1Ad7kwxNfYAW6a8a8QqtMblp/4U=
+golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -139,8 +156,8 @@ golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGm
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.16.1 h1:TLyB3WofjdOEepBHAU20JdNC1Zbg87elYofWYAY5oZA=
-golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0=
+golang.org/x/tools v0.18.0 h1:k8NLag8AGHnn+PHbl7g43CtqZAwG60vZkLqgyZgIHgQ=
+golang.org/x/tools v0.18.0/go.mod h1:GL7B4CwcLLeo59yx/9UWWuNOW1n3VZ4f5axWfML7Lcg=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -172,6 +189,8 @@ k8s.io/klog/v2 v2.110.1 h1:U/Af64HJf7FcwMcXyKm2RPM22WZzyR7OSpYj5tg3cL0=
 k8s.io/klog/v2 v2.110.1/go.mod h1:YGtd1984u+GgbuZ7e08/yBuAfKLSO0+uR1Fhi6ExXjo=
 k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/AuzbMm96cd3YHRTU83I780=
 k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA=
+k8s.io/kubectl v0.29.2 h1:uaDYaBhumvkwz0S2XHt36fK0v5IdNgL7HyUniwb2IUo=
+k8s.io/kubectl v0.29.2/go.mod h1:BhizuYBGcKaHWyq+G7txGw2fXg576QbPrrnQdQDZgqI=
 k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI=
 k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=

pkg/cli/build/build.go

@@ -1,8 +1,9 @@
-package cli
+package build
 
 import (
 	"fmt"
-	"github.com/holos-run/holos/pkg/config"
+	"github.com/holos-run/holos/pkg/cli/command"
+	"github.com/holos-run/holos/pkg/holos"
 	"github.com/holos-run/holos/pkg/internal/builder"
 	"github.com/holos-run/holos/pkg/wrapper"
 	"github.com/spf13/cobra"
@@ -10,7 +11,7 @@ import (
 )
 
 // makeBuildRunFunc returns the internal implementation of the build cli command
-func makeBuildRunFunc(cfg *config.Config) runFunc {
+func makeBuildRunFunc(cfg *holos.Config) command.RunFunc {
 	return func(cmd *cobra.Command, args []string) error {
 		build := builder.New(builder.Entrypoints(args), builder.Cluster(cfg.ClusterName()))
 		results, err := build.Run(cmd.Context())
@@ -19,7 +20,10 @@ func makeBuildRunFunc(cfg *config.Config) runFunc {
 		}
 		outs := make([]string, 0, len(results))
 		for _, result := range results {
-			outs = append(outs, result.Content)
+			if result.Skip {
+				continue
+			}
+			outs = append(outs, result.FinalOutput())
 		}
 		out := strings.Join(outs, "---\n")
 		if _, err := fmt.Fprintln(cmd.OutOrStdout(), out); err != nil {
@@ -29,9 +33,9 @@ func makeBuildRunFunc(cfg *config.Config) runFunc {
 	}
 }
 
-// newBuildCmd returns the build subcommand for the root command
-func newBuildCmd(cfg *config.Config) *cobra.Command {
-	cmd := newCmd("build [directory...]")
+// New returns the build subcommand for the root command
+func New(cfg *holos.Config) *cobra.Command {
+	cmd := command.New("build [directory...]")
 	cmd.Args = cobra.MinimumNArgs(1)
 	cmd.Short = "build kubernetes api objects from a directory"
 	cmd.RunE = makeBuildRunFunc(cfg)

pkg/cli/command/cmd.go

@@ -0,0 +1,29 @@
+package command
+
+import (
+	"fmt"
+	"github.com/holos-run/holos/pkg/version"
+	"github.com/holos-run/holos/pkg/wrapper"
+	"github.com/spf13/cobra"
+)
+
+// RunFunc is a cobra.Command RunE function.
+type RunFunc func(c *cobra.Command, args []string) error
+
+// New returns a new subcommand
+func New(name string) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:     name,
+		Version: version.Version,
+		Args:    cobra.NoArgs,
+		CompletionOptions: cobra.CompletionOptions{
+			HiddenDefaultCmd: true,
+		},
+		RunE: func(c *cobra.Command, args []string) error {
+			return wrapper.Wrap(fmt.Errorf("could not run %v: not implemented", c.Name()))
+		},
+		SilenceUsage:  true,
+		SilenceErrors: true,
+	}
+	return cmd
+}

pkg/cli/create/create.go

@@ -0,0 +1,23 @@
+package create
+
+import (
+	"github.com/holos-run/holos/pkg/cli/command"
+	"github.com/holos-run/holos/pkg/cli/secret"
+	"github.com/holos-run/holos/pkg/holos"
+	"github.com/spf13/cobra"
+)
+
+// New returns the create command for the cli
+func New(hc *holos.Config) *cobra.Command {
+	cmd := command.New("create")
+	cmd.Short = "create resources"
+	cmd.Flags().SortFlags = false
+	cmd.RunE = func(c *cobra.Command, args []string) error {
+		return c.Usage()
+	}
+	// flags
+	cmd.PersistentFlags().SortFlags = false
+	// commands
+	cmd.AddCommand(secret.NewCreateCmd(hc))
+	return cmd
+}

pkg/cli/get/get.go

@@ -0,0 +1,23 @@
+package get
+
+import (
+	"github.com/holos-run/holos/pkg/cli/command"
+	"github.com/holos-run/holos/pkg/cli/secret"
+	"github.com/holos-run/holos/pkg/holos"
+	"github.com/spf13/cobra"
+)
+
+// New returns the get command for the cli.
+func New(hc *holos.Config) *cobra.Command {
+	cmd := command.New("get")
+	cmd.Short = "get resources"
+	cmd.Flags().SortFlags = false
+	cmd.RunE = func(c *cobra.Command, args []string) error {
+		return c.Usage()
+	}
+	// flags
+	cmd.PersistentFlags().SortFlags = false
+	// commands
+	cmd.AddCommand(secret.NewGetCmd(hc))
+	return cmd
+}

pkg/cli/kv.go

@@ -1,97 +0,0 @@
-package cli
-
-import (
-	"github.com/holos-run/holos/pkg/config"
-	"github.com/holos-run/holos/pkg/logger"
-	"github.com/holos-run/holos/pkg/wrapper"
-	"github.com/spf13/cobra"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/client-go/kubernetes"
-	"k8s.io/client-go/tools/clientcmd"
-	"sort"
-)
-
-const NameLabel = "holos.run/secret.name"
-
-// newKVRootCmd returns the kv root command for the cli
-func newKVRootCmd(cfg *config.Config) *cobra.Command {
-	cmd := newCmd("kv")
-	cmd.Short = "work with secrets in the provisioner cluster"
-	cmd.Flags().SortFlags = false
-	cmd.RunE = func(c *cobra.Command, args []string) error {
-		return c.Usage()
-	}
-	// flags
-	cmd.PersistentFlags().SortFlags = false
-	cmd.PersistentFlags().AddGoFlagSet(cfg.KVFlagSet())
-	// subcommands
-	cmd.AddCommand(newKVGetCmd(cfg))
-	return cmd
-}
-
-func newKVGetCmd(cfg *config.Config) *cobra.Command {
-	cmd := newCmd("get")
-	cmd.Args = cobra.MinimumNArgs(1)
-	cmd.Short = "print secret data in txtar format"
-	cmd.Flags().SortFlags = false
-	cmd.RunE = makeKVGetRunFunc(cfg)
-
-	return cmd
-}
-
-func makeKVGetRunFunc(cfg *config.Config) runFunc {
-	return func(cmd *cobra.Command, args []string) error {
-		ctx := cmd.Context()
-		log := logger.FromContext(ctx)
-		kcfg, err := clientcmd.BuildConfigFromFlags("", cfg.KVKubeconfig())
-		if err != nil {
-			return wrapper.Wrap(err)
-		}
-		clientset, err := kubernetes.NewForConfig(kcfg)
-		if err != nil {
-			return wrapper.Wrap(err)
-		}
-
-		for _, name := range args {
-			nlog := log.With(NameLabel, name)
-			opts := metav1.ListOptions{
-				LabelSelector: NameLabel + "=" + name,
-			}
-			list, err := clientset.CoreV1().Secrets("secrets").List(ctx, opts)
-			if err != nil {
-				return wrapper.Wrap(err)
-			}
-			nlog.DebugContext(ctx, "results", "len", len(list.Items))
-			if len(list.Items) < 1 {
-				continue
-			}
-
-			sort.Slice(list.Items, func(i, j int) bool {
-				return list.Items[i].CreationTimestamp.Before(&list.Items[j].CreationTimestamp)
-			})
-
-			// most recent secret is the one we want.
-			secret := list.Items[len(list.Items)-1]
-
-			for k, v := range secret.Data {
-				nlog.DebugContext(ctx, "data", "name", secret.Name, "key", k, "len", len(v))
-			}
-
-			if len(secret.Data) > 0 {
-				cfg.Println(secret.Name)
-			}
-			for k, v := range secret.Data {
-				cfg.Printf("-- %s --\n", k)
-				cfg.Write(ensureNewline(v))
-			}
-		}
-		return nil
-	}
-}
-
-func ensureNewline(b []byte) []byte {
-	if len(b) > 0 && b[len(b)-1] != '\n' {
-		b = append(b, '\n')
-	}
-	return b
-}

pkg/cli/kv/get.go

@@ -0,0 +1,98 @@
+package kv
+
+import (
+	"flag"
+	"fmt"
+	"github.com/holos-run/holos/pkg/cli/command"
+	"github.com/holos-run/holos/pkg/cli/secret"
+	"github.com/holos-run/holos/pkg/holos"
+	"github.com/holos-run/holos/pkg/logger"
+	"github.com/holos-run/holos/pkg/util"
+	"github.com/holos-run/holos/pkg/wrapper"
+	"github.com/spf13/cobra"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sort"
+)
+
+type getConfig struct {
+	file *string
+}
+
+func newGetCmd(cfg *holos.Config) *cobra.Command {
+	cmd := command.New("get")
+	cmd.Args = cobra.MinimumNArgs(1)
+	cmd.Short = "print secret data in txtar format"
+
+	cf := getConfig{}
+	flagSet := flag.NewFlagSet("", flag.ContinueOnError)
+	cf.file = flagSet.String("file", "", "file to print to stdout")
+
+	cmd.Flags().SortFlags = false
+	cmd.Flags().AddGoFlagSet(cfg.ClusterFlagSet())
+	cmd.Flags().AddGoFlagSet(flagSet)
+	cmd.RunE = makeGetRunFunc(cfg, cf)
+
+	return cmd
+}
+
+func makeGetRunFunc(cfg *holos.Config, cf getConfig) command.RunFunc {
+	return func(cmd *cobra.Command, args []string) error {
+		ctx := cmd.Context()
+		log := logger.FromContext(ctx)
+
+		cs, err := newClientSet(cfg)
+		if err != nil {
+			return err
+		}
+
+		for _, name := range args {
+			nlog := log.With(secret.NameLabel, name)
+			opts := metav1.ListOptions{
+				LabelSelector: secret.NameLabel + "=" + name,
+			}
+			if name := cfg.ClusterName(); name != "" {
+				opts.LabelSelector += fmt.Sprintf(",%s=%s", secret.ClusterLabel, name)
+			}
+			list, err := cs.CoreV1().Secrets(cfg.KVNamespace()).List(ctx, opts)
+			if err != nil {
+				return wrapper.Wrap(err)
+			}
+			nlog.DebugContext(ctx, "results", "len", len(list.Items))
+			if len(list.Items) < 1 {
+				continue
+			}
+
+			sort.Slice(list.Items, func(i, j int) bool {
+				return list.Items[i].CreationTimestamp.Before(&list.Items[j].CreationTimestamp)
+			})
+
+			// most recent secret is the one we want.
+			secret := list.Items[len(list.Items)-1]
+
+			keys := make([]string, 0, len(secret.Data))
+			for k, v := range secret.Data {
+				keys = append(keys, k)
+				nlog.DebugContext(ctx, "data", "name", secret.Name, "key", k, "len", len(v))
+			}
+
+			//  Print one file to stdout
+			if key := *cf.file; key != "" {
+				if data, found := secret.Data[key]; found {
+					cfg.Write(util.EnsureNewline(data))
+					return nil
+				}
+				return wrapper.Wrap(fmt.Errorf("not found: %s have %#v", key, keys))
+			}
+
+			if len(secret.Data) > 0 {
+				cfg.Println(secret.Name)
+			}
+
+			for k, v := range secret.Data {
+				cfg.Printf("-- %s --\n", k)
+				cfg.Write(util.EnsureNewline(v))
+			}
+		}
+		return nil
+	}
+}

pkg/cli/kv/kv.go

@@ -0,0 +1,40 @@
+package kv
+
+import (
+	"github.com/holos-run/holos/pkg/cli/command"
+	"github.com/holos-run/holos/pkg/holos"
+	"github.com/holos-run/holos/pkg/wrapper"
+	"github.com/spf13/cobra"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/tools/clientcmd"
+)
+
+// New returns the kv root command for the cli
+func New(cfg *holos.Config) *cobra.Command {
+	cmd := command.New("kv")
+	cmd.Short = "work with secrets in the provisioner cluster"
+	cmd.Flags().SortFlags = false
+	cmd.RunE = func(c *cobra.Command, args []string) error {
+		return c.Usage()
+	}
+	// flags
+	cmd.PersistentFlags().SortFlags = false
+	cmd.PersistentFlags().AddGoFlagSet(cfg.KVFlagSet())
+	// subcommands
+	cmd.AddCommand(newGetCmd(cfg))
+	cmd.AddCommand(newListCmd(cfg))
+	cmd.AddCommand(newPutCmd(cfg))
+	return cmd
+}
+
+func newClientSet(cfg *holos.Config) (*kubernetes.Clientset, error) {
+	kcfg, err := clientcmd.BuildConfigFromFlags("", cfg.KVKubeconfig())
+	if err != nil {
+		return nil, wrapper.Wrap(err)
+	}
+	clientset, err := kubernetes.NewForConfig(kcfg)
+	if err != nil {
+		return nil, wrapper.Wrap(err)
+	}
+	return clientset, nil
+}

pkg/cli/kv/list.go

@@ -0,0 +1,46 @@
+package kv
+
+import (
+	"github.com/holos-run/holos/pkg/cli/command"
+	"github.com/holos-run/holos/pkg/cli/secret"
+	"github.com/holos-run/holos/pkg/holos"
+	"github.com/holos-run/holos/pkg/wrapper"
+	"github.com/spf13/cobra"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func newListCmd(cfg *holos.Config) *cobra.Command {
+	cmd := command.New("list")
+	cmd.Args = cobra.NoArgs
+	cmd.Short = "list secrets"
+	cmd.Flags().SortFlags = false
+	cmd.Flags().AddGoFlagSet(cfg.ClusterFlagSet())
+	cmd.RunE = makeListRunFunc(cfg)
+
+	return cmd
+}
+
+func makeListRunFunc(cfg *holos.Config) command.RunFunc {
+	return func(cmd *cobra.Command, _ []string) error {
+		ctx := cmd.Context()
+		cs, err := newClientSet(cfg)
+		if err != nil {
+			return err
+		}
+		selector := metav1.ListOptions{LabelSelector: secret.NameLabel}
+		secrets, err := cs.CoreV1().Secrets(cfg.KVNamespace()).List(ctx, selector)
+		if err != nil {
+			return wrapper.Wrap(err)
+		}
+		labels := make(map[string]bool)
+		for _, s := range secrets.Items {
+			if value, ok := s.Labels[secret.NameLabel]; ok {
+				labels[value] = true
+			}
+		}
+		for label := range labels {
+			cfg.Println(label)
+		}
+		return nil
+	}
+}

pkg/cli/kv/put.go

@@ -0,0 +1,200 @@
+package kv
+
+import (
+	"bytes"
+	"context"
+	"flag"
+	"fmt"
+	"github.com/holos-run/holos/pkg/cli/command"
+	"github.com/holos-run/holos/pkg/cli/secret"
+	"github.com/holos-run/holos/pkg/holos"
+	"github.com/holos-run/holos/pkg/logger"
+	"github.com/holos-run/holos/pkg/wrapper"
+	"github.com/spf13/cobra"
+	"golang.org/x/tools/txtar"
+	"io"
+	"io/fs"
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/kubectl/pkg/util/hash"
+	"os"
+	"path/filepath"
+	"sigs.k8s.io/yaml"
+	"strings"
+)
+
+type putConfig struct {
+	secretName *string
+	file       *string
+	dryRun     *bool
+}
+
+func newPutCmd(cfg *holos.Config) *cobra.Command {
+	cmd := command.New("put")
+	cmd.Args = cobra.MinimumNArgs(0)
+	cmd.Short = "put a secret from stdin or file args"
+	cmd.Flags().SortFlags = false
+
+	pcfg := putConfig{}
+	flagSet := flag.NewFlagSet("", flag.ContinueOnError)
+	pcfg.secretName = flagSet.String("name", "", "secret name to use instead of txtar comment")
+	pcfg.file = flagSet.String("file", "", "file name to use instead of txtar path")
+	pcfg.dryRun = flagSet.Bool("dry-run", false, "print to standard output instead of creating")
+
+	cmd.Flags().AddGoFlagSet(flagSet)
+	cmd.Flags().AddGoFlagSet(cfg.ClusterFlagSet())
+	cmd.RunE = makePutRunFunc(cfg, pcfg)
+
+	return cmd
+}
+
+func makePutRunFunc(cfg *holos.Config, pcfg putConfig) command.RunFunc {
+	return func(cmd *cobra.Command, args []string) error {
+		a := &txtar.Archive{}
+
+		// Add stdin to the archive.
+		if len(args) == 0 {
+			data, err := io.ReadAll(cfg.Stdin())
+			if err != nil {
+				return wrapper.Wrap(err)
+			}
+
+			if *pcfg.file != "" {
+				file := txtar.File{
+					Name: *pcfg.file,
+					Data: data,
+				}
+				a.Files = append(a.Files, file)
+			} else {
+				a = txtar.Parse(data)
+			}
+		}
+
+		// Do we have a secret name?
+		if *pcfg.secretName != "" {
+			a.Comment = []byte(*pcfg.secretName)
+		}
+		if len(a.Comment) == 0 {
+			// Use the first argument if not
+			if len(args) > 0 {
+				a.Comment = []byte(filepath.Base(args[0]))
+			} else {
+				err := fmt.Errorf("missing secret name from name, args, or txtar comment")
+				return wrapper.Wrap(err)
+			}
+		}
+
+		head, _, _ := bytes.Cut(a.Comment, []byte("\n"))
+		secretName := string(head)
+
+		// Add files from the filesystem to the archive
+		for _, name := range args {
+			if err := filepath.WalkDir(name, makeWalkFunc(a, name)); err != nil {
+				return wrapper.Wrap(err)
+			}
+		}
+
+		log := logger.FromContext(cmd.Context())
+		ctx := cmd.Context()
+
+		// Nothing to do?
+		if len(a.Files) == 0 {
+			log.WarnContext(ctx, "nothing to do")
+			return nil
+		}
+
+		// Create the secret.
+		secret, err := createSecret(ctx, cfg, pcfg, a, secretName)
+		if err != nil {
+			return wrapper.Wrap(err)
+		}
+
+		if *pcfg.dryRun {
+			data, err := yaml.Marshal(secret)
+			if err != nil {
+				return wrapper.Wrap(err)
+			}
+			cfg.Println(string(data))
+			return nil
+		}
+
+		// Make the API call
+		cs, err := newClientSet(cfg)
+		if err != nil {
+			return wrapper.Wrap(err)
+		}
+
+		secret, err = cs.CoreV1().Secrets(cfg.KVNamespace()).Create(ctx, secret, metav1.CreateOptions{})
+		if err != nil {
+			return wrapper.Wrap(err)
+		}
+
+		log.InfoContext(ctx, "created: "+secret.Name, "secret", secret.Name, "name", secretName, "namespace", secret.Namespace)
+		return nil
+	}
+}
+
+func createSecret(ctx context.Context, cfg *holos.Config, pcfg putConfig, a *txtar.Archive, secretName string) (*v1.Secret, error) {
+	secretData := make(map[string][]byte)
+	for _, file := range a.Files {
+		secretData[file.Name] = file.Data
+	}
+
+	labels := map[string]string{secret.NameLabel: secretName}
+	if owner := os.Getenv("USER"); owner != "" {
+		labels[secret.OwnerLabel] = owner
+	}
+	if cluster := cfg.ClusterName(); cluster != "" {
+		labels[secret.ClusterLabel] = cluster
+	}
+
+	secret := &v1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:   secretName,
+			Labels: labels,
+		},
+		Data: secretData,
+	}
+
+	secretHash, err := hash.SecretHash(secret)
+	if err != nil {
+		return nil, wrapper.Wrap(err)
+	}
+	secret.Name = fmt.Sprintf("%s-%s", secret.Name, secretHash)
+
+	return secret, nil
+}
+
+func makeWalkFunc(a *txtar.Archive, rootDir string) fs.WalkDirFunc {
+	return func(path string, d os.DirEntry, err error) error {
+		if err != nil {
+			return err
+		}
+
+		// Depth is the count of path separators from the root
+		depth := strings.Count(path[len(rootDir):], string(filepath.Separator))
+
+		if depth > 1 {
+			if d.IsDir() {
+				return filepath.SkipDir
+			}
+		}
+
+		if !d.IsDir() {
+			if file, err := file(path); err != nil {
+				return wrapper.Wrap(err)
+			} else {
+				file.Name = filepath.Base(path)
+				a.Files = append(a.Files, file)
+			}
+		}
+
+		return nil
+	}
+}
+
+func file(path string) (file txtar.File, err error) {
+	file.Name = path
+	file.Data, err = os.ReadFile(path)
+	return
+}

pkg/cli/main.go

@@ -0,0 +1,42 @@
+package cli
+
+import (
+	"context"
+	"cuelang.org/go/cue/errors"
+	"fmt"
+	"github.com/holos-run/holos/pkg/holos"
+	"github.com/holos-run/holos/pkg/wrapper"
+	"log/slog"
+)
+
+// MakeMain makes a main function for the cli or tests.
+func MakeMain(options ...holos.Option) func() int {
+	return func() (exitCode int) {
+		cfg := holos.New(options...)
+		slog.SetDefault(cfg.Logger())
+		ctx := context.Background()
+		if err := New(cfg).ExecuteContext(ctx); err != nil {
+			return HandleError(ctx, err, cfg)
+		}
+		return 0
+	}
+}
+
+// HandleError is the top level error handler that unwraps and logs errors.
+func HandleError(ctx context.Context, err error, hc *holos.Config) (exitCode int) {
+	log := hc.NewTopLevelLogger()
+	var cueErr errors.Error
+	var errAt *wrapper.ErrorAt
+	const msg = "could not execute"
+	if errors.As(err, &errAt) {
+		log.ErrorContext(ctx, msg, "err", errAt.Unwrap(), "loc", errAt.Source.Loc())
+	} else {
+		log.ErrorContext(ctx, msg, "err", err)
+	}
+	// cue errors are bundled up as a list and refer to multiple files / lines.
+	if errors.As(err, &cueErr) {
+		msg := errors.Details(cueErr, nil)
+		_, _ = fmt.Fprint(hc.Stderr(), msg)
+	}
+	return 1
+}

pkg/cli/render/render.go

@@ -1,15 +1,16 @@
-package cli
+package render
 
 import (
 	"fmt"
-	"github.com/holos-run/holos/pkg/config"
+	"github.com/holos-run/holos/pkg/cli/command"
+	"github.com/holos-run/holos/pkg/holos"
 	"github.com/holos-run/holos/pkg/internal/builder"
 	"github.com/holos-run/holos/pkg/logger"
 	"github.com/holos-run/holos/pkg/wrapper"
 	"github.com/spf13/cobra"
 )
 
-func makeRenderRunFunc(cfg *config.Config) runFunc {
+func makeRenderRunFunc(cfg *holos.Config) command.RunFunc {
 	return func(cmd *cobra.Command, args []string) error {
 		if cfg.ClusterName() == "" {
 			return wrapper.Wrap(fmt.Errorf("missing cluster name"))
@@ -26,9 +27,12 @@ func makeRenderRunFunc(cfg *config.Config) runFunc {
 		// the same file path. Write files into a blank temporary directory, error if a
 		// file exists, then move the directory into place.
 		for _, result := range results {
+			if result.Skip {
+				continue
+			}
 			// API Objects
 			path := result.Filename(cfg.WriteTo(), cfg.ClusterName())
-			if err := result.Save(ctx, path, result.Content); err != nil {
+			if err := result.Save(ctx, path, result.FinalOutput()); err != nil {
 				return wrapper.Wrap(err)
 			}
 			// Kustomization
@@ -42,9 +46,9 @@ func makeRenderRunFunc(cfg *config.Config) runFunc {
 	}
 }
 
-// newRenderCmd returns the render subcommand for the root command
-func newRenderCmd(cfg *config.Config) *cobra.Command {
-	cmd := newCmd("render [directory...]")
+// New returns the render subcommand for the root command
+func New(cfg *holos.Config) *cobra.Command {
+	cmd := command.New("render [directory...]")
 	cmd.Args = cobra.MinimumNArgs(1)
 	cmd.Short = "write kubernetes api objects to the filesystem"
 	cmd.Flags().SortFlags = false

pkg/cli/root.go

@@ -1,19 +1,21 @@
 package cli
 
 import (
-	"fmt"
-	"github.com/holos-run/holos/pkg/config"
+	"github.com/holos-run/holos/pkg/cli/build"
+	"github.com/holos-run/holos/pkg/cli/create"
+	"github.com/holos-run/holos/pkg/cli/get"
+	"github.com/holos-run/holos/pkg/cli/kv"
+	"github.com/holos-run/holos/pkg/cli/render"
+	"github.com/holos-run/holos/pkg/cli/txtar"
+	"github.com/holos-run/holos/pkg/holos"
 	"github.com/holos-run/holos/pkg/logger"
 	"github.com/holos-run/holos/pkg/version"
-	"github.com/holos-run/holos/pkg/wrapper"
 	"github.com/spf13/cobra"
 	"log/slog"
 )
 
-type runFunc func(c *cobra.Command, args []string) error
-
 // New returns a new root *cobra.Command for command line execution.
-func New(cfg *config.Config) *cobra.Command {
+func New(cfg *holos.Config) *cobra.Command {
 	rootCmd := &cobra.Command{
 		Use:     "holos",
 		Short:   "holos manages a holistic integrated software development platform",
@@ -45,27 +47,16 @@ func New(cfg *config.Config) *cobra.Command {
 	rootCmd.PersistentFlags().AddGoFlagSet(cfg.LogFlagSet())
 
 	// subcommands
-	rootCmd.AddCommand(newBuildCmd(cfg))
-	rootCmd.AddCommand(newRenderCmd(cfg))
-	rootCmd.AddCommand(newKVRootCmd(cfg))
+	rootCmd.AddCommand(build.New(cfg))
+	rootCmd.AddCommand(render.New(cfg))
+	rootCmd.AddCommand(get.New(cfg))
+	rootCmd.AddCommand(create.New(cfg))
+
+	// Maybe not needed?
+	rootCmd.AddCommand(txtar.New(cfg))
+
+	// Deprecated, remove?
+	rootCmd.AddCommand(kv.New(cfg))
 
 	return rootCmd
 }
-
-// newCmd returns a new subcommand
-func newCmd(name string) *cobra.Command {
-	cmd := &cobra.Command{
-		Use:     name,
-		Version: version.Version,
-		Args:    cobra.NoArgs,
-		CompletionOptions: cobra.CompletionOptions{
-			HiddenDefaultCmd: true,
-		},
-		RunE: func(c *cobra.Command, args []string) error {
-			return wrapper.Wrap(fmt.Errorf("could not run %v: not implemented", c.Name()))
-		},
-		SilenceUsage:  true,
-		SilenceErrors: true,
-	}
-	return cmd
-}

pkg/cli/root_test.go

@@ -2,7 +2,7 @@ package cli
 
 import (
 	"bytes"
-	"github.com/holos-run/holos/pkg/config"
+	"github.com/holos-run/holos/pkg/holos"
 	"github.com/holos-run/holos/pkg/logger"
 	"github.com/holos-run/holos/pkg/version"
 	"github.com/spf13/cobra"
@@ -13,7 +13,7 @@ import (
 func newCommand() (*cobra.Command, *bytes.Buffer) {
 	var b1, b2 bytes.Buffer
 	// discard stdout for now, it's a bunch of usage messages.
-	cmd := New(config.New(config.Stdout(&b1), config.Stderr(&b2)))
+	cmd := New(holos.New(holos.Stdout(&b1), holos.Stderr(&b2)))
 	return cmd, &b2
 }
 
@@ -89,7 +89,7 @@ func TestInvalidArgs(t *testing.T) {
 	}
 	for _, args := range invalidArgs {
 		var b bytes.Buffer
-		cmd := New(config.New(config.Stdout(&b)))
+		cmd := New(holos.New(holos.Stdout(&b)))
 		cmd.SetArgs(args)
 		err := cmd.Execute()
 		if err == nil {
@@ -114,7 +114,7 @@ func TestLoggerFromContext(t *testing.T) {
 
 func TestVersion(t *testing.T) {
 	var b bytes.Buffer
-	cmd := New(config.New(config.Stdout(&b)))
+	cmd := New(holos.New(holos.Stdout(&b)))
 	cmd.SetOut(&b)
 	cmd.SetArgs([]string{"--version"})
 	if err := cmd.Execute(); err != nil {

pkg/cli/secret/create.go

@@ -0,0 +1,150 @@
+package secret
+
+import (
+	"fmt"
+	"github.com/holos-run/holos/pkg/cli/command"
+	"github.com/holos-run/holos/pkg/holos"
+	"github.com/holos-run/holos/pkg/logger"
+	"github.com/holos-run/holos/pkg/wrapper"
+	"github.com/spf13/cobra"
+	"io"
+	"io/fs"
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/kubectl/pkg/util/hash"
+	"os"
+	"path/filepath"
+	"sigs.k8s.io/yaml"
+	"strings"
+)
+
+func NewCreateCmd(hc *holos.Config) *cobra.Command {
+	cmd := command.New("secret NAME [--from-file=source]")
+	cmd.Aliases = []string{"secrets", "sec"}
+	cmd.Args = cobra.ExactArgs(1)
+	cmd.Short = "Create a holos secret from files or directories"
+
+	cfg, flagSet := newConfig()
+	flagSet.Var(&cfg.files, "from-file", "store files as keys in the secret")
+	cfg.dryRun = flagSet.Bool("dry-run", false, "dry run")
+	cfg.appendHash = flagSet.Bool("append-hash", true, "append hash to kubernetes secret name")
+	cfg.dataStdin = flagSet.Bool("data-stdin", false, "read data field as json from stdin if")
+
+	cmd.Flags().SortFlags = false
+	cmd.Flags().AddGoFlagSet(flagSet)
+	cmd.RunE = makeCreateRunFunc(hc, cfg)
+	return cmd
+
+}
+
+func makeCreateRunFunc(hc *holos.Config, cfg *config) command.RunFunc {
+	return func(cmd *cobra.Command, args []string) error {
+		ctx := cmd.Context()
+		log := logger.FromContext(ctx)
+		secretName := args[0]
+		secret := &v1.Secret{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       "Secret",
+				APIVersion: "v1",
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      secretName,
+				Namespace: *cfg.namespace,
+				Labels:    map[string]string{NameLabel: secretName},
+			},
+			Data: make(secretData),
+		}
+
+		if *cfg.cluster != "" {
+			clusterPrefix := fmt.Sprintf("%s-", *cfg.cluster)
+			if !strings.HasPrefix(secretName, clusterPrefix) {
+				const msg = "missing cluster name prefix"
+				log.WarnContext(ctx, msg, "have", secretName, "want", clusterPrefix)
+			}
+		}
+
+		if *cfg.dataStdin {
+			log.InfoContext(ctx, "reading data keys from stdin...")
+			var obj map[string]string
+			data, err := io.ReadAll(hc.Stdin())
+			if err != nil {
+				return wrapper.Wrap(err)
+			}
+			err = yaml.Unmarshal(data, &obj)
+			if err != nil {
+				return wrapper.Wrap(err)
+			}
+			for k, v := range obj {
+				secret.Data[k] = []byte(v)
+			}
+		}
+
+		for _, file := range cfg.files {
+			if err := filepath.WalkDir(file, makeWalkFunc(secret.Data, file)); err != nil {
+				return wrapper.Wrap(err)
+			}
+		}
+
+		if owner := os.Getenv("USER"); owner != "" {
+			secret.Labels[OwnerLabel] = owner
+		}
+		if *cfg.cluster != "" {
+			secret.Labels[ClusterLabel] = *cfg.cluster
+		}
+
+		if *cfg.appendHash {
+			if secretHash, err := hash.SecretHash(secret); err != nil {
+				return wrapper.Wrap(err)
+			} else {
+				secret.Name = fmt.Sprintf("%s-%s", secret.Name, secretHash)
+			}
+		}
+
+		if *cfg.dryRun {
+			out, err := yaml.Marshal(secret)
+			if err != nil {
+				return wrapper.Wrap(err)
+			}
+			hc.Write(out)
+			return nil
+		}
+
+		cs, err := hc.ProvisionerClientset()
+		if err != nil {
+			return wrapper.Wrap(err)
+		}
+		secret, err = cs.CoreV1().
+			Secrets(*cfg.namespace).
+			Create(ctx, secret, metav1.CreateOptions{})
+		if err != nil {
+			return wrapper.Wrap(err)
+		}
+
+		log.InfoContext(ctx, "created: "+secret.Name, "secret", secret.Name, "name", secretName, "namespace", secret.Namespace)
+		return nil
+	}
+}
+
+func makeWalkFunc(data secretData, root string) fs.WalkDirFunc {
+	return func(path string, d os.DirEntry, err error) error {
+		if err != nil {
+			return err
+		}
+
+		// Depth is the count of path separators from the root
+		depth := strings.Count(path[len(root):], string(filepath.Separator))
+
+		if depth > 1 {
+			return filepath.SkipDir
+		}
+
+		if !d.IsDir() {
+			key := filepath.Base(path)
+			if data[key], err = os.ReadFile(path); err != nil {
+				return wrapper.Wrap(err)
+			}
+		}
+
+		return nil
+	}
+}

pkg/cli/secret/get.go

@@ -0,0 +1,147 @@
+package secret
+
+import (
+	"context"
+	"fmt"
+	"github.com/holos-run/holos/pkg/cli/command"
+	"github.com/holos-run/holos/pkg/holos"
+	"github.com/holos-run/holos/pkg/logger"
+	"github.com/holos-run/holos/pkg/wrapper"
+	"github.com/spf13/cobra"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"os"
+	"path/filepath"
+	"sort"
+)
+
+const printFlagName = "print-key"
+
+func NewGetCmd(hc *holos.Config) *cobra.Command {
+	cmd := command.New("secrets NAME [--to-file=destination]")
+	cmd.Aliases = []string{"secret"}
+	cmd.Args = cobra.MinimumNArgs(0)
+	cmd.Short = "Get holos secrets from the provisioner cluster"
+
+	cfg, flagSet := newConfig()
+	flagSet.Var(&cfg.files, "to-file", "extract files from the secret")
+	cfg.printFile = flagSet.String(printFlagName, "", "print one key from the secret")
+	cfg.extract = flagSet.Bool("extract-all", false, "extract all files from the secret")
+	cfg.extractTo = flagSet.String("extract-to", ".", "extract to directory")
+
+	cmd.Flags().SortFlags = false
+	cmd.Flags().AddGoFlagSet(flagSet)
+	cmd.RunE = makeGetRunFunc(hc, cfg)
+	return cmd
+}
+
+func makeGetRunFunc(hc *holos.Config, cfg *config) command.RunFunc {
+	return func(cmd *cobra.Command, args []string) error {
+		namespace := *cfg.namespace
+		ctx := cmd.Context()
+		log := logger.FromContext(ctx).With("namespace", namespace)
+
+		cs, err := hc.ProvisionerClientset()
+		if err != nil {
+			return err
+		}
+
+		// List secrets if no arguments.
+		if len(args) == 0 {
+			return listSecrets(cmd.Context(), hc, namespace)
+		}
+
+		// Get each secret.
+		for _, secretName := range args {
+			log := log.With(NameLabel, secretName)
+			opts := metav1.ListOptions{
+				LabelSelector: fmt.Sprintf("%s=%s", NameLabel, secretName),
+			}
+			list, err := cs.CoreV1().Secrets(namespace).List(ctx, opts)
+			if err != nil {
+				return wrapper.Wrap(err)
+			}
+
+			log.DebugContext(ctx, "results", "len", len(list.Items))
+			if len(list.Items) < 1 {
+				return wrapper.Wrap(fmt.Errorf("not found: %v", secretName))
+			}
+
+			// Sort oldest first.
+			sort.Slice(list.Items, func(i, j int) bool {
+				return list.Items[i].CreationTimestamp.Before(&list.Items[j].CreationTimestamp)
+			})
+
+			// Get the most recent.
+			secret := list.Items[len(list.Items)-1]
+			log = log.With("secret", secret.Name)
+
+			// Extract the data keys (file names).
+			keys := make([]string, 0, len(secret.Data))
+			for k, v := range secret.Data {
+				keys = append(keys, k)
+				log.DebugContext(ctx, "data", "name", secret.Name, "key", k, "len", len(v))
+			}
+
+			// Extract specified files or all files.
+			toExtract := cfg.files
+			if *cfg.extract {
+				toExtract = keys
+			}
+
+			printFile := *cfg.printFile
+			if len(toExtract) == 0 {
+				if printFile == "" {
+					printFile = secretName
+				}
+			}
+
+			if printFile != "" {
+				if data, found := secret.Data[printFile]; found {
+					hc.Write(data)
+				} else {
+					err := fmt.Errorf("cannot print: want %s have %v: did you mean --extract-all or --%s=name", printFile, keys, printFlagName)
+					return wrapper.Wrap(err)
+				}
+			}
+
+			// Iterate over --to-file values.
+			for _, name := range toExtract {
+				data, found := secret.Data[name]
+				if !found {
+					err := fmt.Errorf("%s not found in %v", name, keys)
+					return wrapper.Wrap(err)
+				}
+				path := filepath.Join(*cfg.extractTo, name)
+				if err := os.WriteFile(path, data, 0666); err != nil {
+					return wrapper.Wrap(fmt.Errorf("could not write %s: %w", path, err))
+				}
+				log.InfoContext(ctx, "wrote: "+path, "name", name, "bytes", len(data))
+			}
+		}
+
+		return nil
+	}
+}
+
+// listSecrets lists holos secrets in the provisioner cluster
+func listSecrets(ctx context.Context, hc *holos.Config, namespace string) error {
+	cs, err := hc.ProvisionerClientset()
+	if err != nil {
+		return err
+	}
+	selector := metav1.ListOptions{LabelSelector: NameLabel}
+	secrets, err := cs.CoreV1().Secrets(namespace).List(ctx, selector)
+	if err != nil {
+		return wrapper.Wrap(err)
+	}
+	secretNames := make(map[string]bool)
+	for _, secret := range secrets.Items {
+		if labelValue, ok := secret.Labels[NameLabel]; ok {
+			secretNames[labelValue] = true
+		}
+	}
+	for secretName := range secretNames {
+		hc.Println(secretName)
+	}
+	return nil
+}

pkg/cli/secret/secret.go

@@ -0,0 +1,32 @@
+package secret
+
+import (
+	"flag"
+	"github.com/holos-run/holos/pkg/holos"
+)
+
+const NameLabel = "holos.run/secret.name"
+const OwnerLabel = "holos.run/owner.name"
+const ClusterLabel = "holos.run/cluster.name"
+
+type secretData map[string][]byte
+
+type config struct {
+	files      holos.StringSlice
+	printFile  *string
+	extract    *bool
+	dryRun     *bool
+	appendHash *bool
+	dataStdin  *bool
+	cluster    *string
+	namespace  *string
+	extractTo  *string
+}
+
+func newConfig() (*config, *flag.FlagSet) {
+	cfg := &config{}
+	flagSet := flag.NewFlagSet("", flag.ContinueOnError)
+	cfg.namespace = flagSet.String("namespace", holos.DefaultProvisionerNamespace, "namespace in the provisioner cluster")
+	cfg.cluster = flagSet.String("cluster-name", "", "cluster name selector")
+	return cfg, flagSet
+}

pkg/cli/secret/secret_test.go

@@ -0,0 +1,82 @@
+package secret_test
+
+import (
+	"github.com/holos-run/holos/pkg/cli"
+	"github.com/holos-run/holos/pkg/holos"
+	"github.com/rogpeppe/go-internal/testscript"
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/kubernetes/fake"
+	"testing"
+	"time"
+)
+
+const clientsetKey = "clientset"
+
+var secret = v1.Secret{
+	TypeMeta: metav1.TypeMeta{
+		Kind:       "Secret",
+		APIVersion: "v1",
+	},
+	ObjectMeta: metav1.ObjectMeta{
+		Name:      "k2-talos",
+		Namespace: "secrets",
+		Labels: map[string]string{
+			"holos.run/owner.name":  "jeff",
+			"holos.run/secret.name": "k2-talos",
+		},
+		CreationTimestamp: metav1.Time{
+			Time: time.Date(2020, time.January, 1, 0, 0, 0, 0, time.UTC),
+		},
+	},
+	Data: map[string][]byte{
+		"secrets.yaml": []byte("content: secret\n"),
+	},
+	Type: "Opaque",
+}
+
+// cmdHolos executes the holos root command with a kubernetes.Interface that
+// persists for the duration of the testscript. holos is NOT executed in a
+// subprocess, the current working directory is not and should not be changed.
+// Take care to read and write to $WORK in the test scripts using flags.
+func cmdHolos(ts *testscript.TestScript, neg bool, args []string) {
+	clientset, ok := ts.Value(clientsetKey).(kubernetes.Interface)
+	if clientset == nil || !ok {
+		ts.Fatalf("missing kubernetes.Interface")
+	}
+
+	cfg := holos.New(
+		holos.ProvisionerClientset(clientset),
+		holos.Stdout(ts.Stdout()),
+		holos.Stderr(ts.Stderr()),
+	)
+
+	cmd := cli.New(cfg)
+	cmd.SetArgs(args)
+	err := cmd.Execute()
+
+	if neg {
+		if err == nil {
+			ts.Fatalf("\nwant: error\nhave: %v", err)
+		} else {
+			cli.HandleError(cmd.Context(), err, cfg)
+		}
+	} else {
+		ts.Check(err)
+	}
+}
+
+func TestSecrets(t *testing.T) {
+	// Add TestWork: true to the Params to keep the $WORK directory around.
+	testscript.Run(t, testscript.Params{
+		Dir: "testdata",
+		Setup: func(env *testscript.Env) error {
+			env.Values[clientsetKey] = fake.NewSimpleClientset(&secret)
+			return nil
+		},
+		Cmds: map[string]func(ts *testscript.TestScript, neg bool, args []string){
+			"holos": cmdHolos,
+		},
+	})
+}

pkg/cli/secret/testdata/create_secret_dry_run.txt

@@ -0,0 +1,21 @@
+# Create the secret
+holos create secret directory --from-file=$WORK/fixture --dry-run
+
+# Want no warnings.
+! stderr 'WRN'
+
+# Want the data keys
+stdout 'one.yaml: Y29udGVudDogb25lCg=='
+stdout 'two.yaml: Y29udGVudDogdHdvCg=='
+
+# Want the secret name label.
+stdout 'holos.run/secret.name: directory'
+
+# Want the TypeMeta
+stdout 'kind: Secret'
+stdout 'apiVersion: v1'
+
+-- fixture/one.yaml --
+content: one
+-- fixture/two.yaml --
+content: two

pkg/cli/secret/testdata/create_secret_from_dir.txt

@@ -0,0 +1,22 @@
+# Create the secret
+holos create secret directory --from-file=$WORK/want
+stderr 'created: directory-..........'
+stderr 'secret=directory-..........'
+stderr 'name=directory'
+stderr 'namespace=secrets'
+! stderr 'WRN'
+
+# Get the secret back
+mkdir have
+holos get secret directory --extract-all --extract-to=$WORK/have
+stderr 'wrote: .*/have/one.yaml'
+stderr 'wrote: .*/have/two.yaml'
+
+# Compare the secrets
+cmp want/one.yaml have/one.yaml
+cmp want/two.yaml have/two.yaml
+
+-- want/one.yaml --
+content: one
+-- want/two.yaml --
+content: two

pkg/cli/secret/testdata/create_secret_from_file.txt

@@ -0,0 +1,14 @@
+# Create the secret.
+holos create secret k3-talos --from-file $WORK/secrets.yaml
+
+# Want info log attributes.
+stderr 'created: k3-talos-..........'
+stderr 'secret=k3-talos-..........'
+stderr 'name=k3-talos'
+stderr 'namespace=secrets'
+
+# Want no warnings.
+! stderr 'WRN'
+
+-- secrets.yaml --
+content: hello

pkg/cli/secret/testdata/create_secret_namespace.txt

@@ -0,0 +1,14 @@
+# Create the secret.
+holos create secret k3-talos --namespace=jeff --from-file $WORK/secrets.yaml
+stderr 'created: k3-talos-..........'
+stderr 'secret=k3-talos-..........'
+stderr 'name=k3-talos'
+
+# Want specified namespace.
+stderr 'namespace=jeff'
+
+# Want no warnings.
+! stderr 'WRN'
+
+-- secrets.yaml --
+content: hello