starred/holos
1
0
Fork 0
mirror of https://github.com/holos-run/holos.git synced 2026-03-12 15:59:01 +00:00
Code Issues Packages Projects Releases 10 Wiki Activity

Compare commits

base: starred:v0.43.2
Branches Tags
starred:main starred:dependabot/go_modules/go_modules-a258281abc starred:dependabot/npm_and_yarn/doc/website/npm_and_yarn-495cad6dbb starred:dependabot/npm_and_yarn/doc/website/npm_and_yarn-31e1e7acf6 starred:jeff/v1alpha6-executor starred:jeff/435-examples starred:jeff/gemini-compare starred:jeff/compile-backup starred:jeff/xcue starred:jeff/command starred:kubeslice starred:jeff/406-unify-values starred:gl/embed-timoni-for-tests starred:jeff/378-kargo-topic starred:gl/helm-values-test-fixes starred:test starred:jeff/370-private-helm-repositories starred:jeff/371-helm-sdk starred:jeff/readme starred:jeff/327-brew-install starred:release starred:gl/311-setup-and-hello-holos starred:301-docs-structure-refactor starred:jeff/225-ko-release starred:jeff/try-holos
starred:v0.106.0 starred:v0.105.1 starred:v0.105.0 starred:v0.104.3 starred:v0.104.2 starred:v0.104.1 starred:v0.104.0 starred:v0.103.0 starred:v0.102.5 starred:v0.102.4 starred:v0.102.3 starred:v0.102.2 starred:v0.102.1 starred:v0.102.0 starred:v0.1.1 starred:v0.1.0 starred:v0.101.8 starred:v0.101.7 starred:v0.101.6 starred:v0.101.5 starred:v0.101.4 starred:v0.101.3 starred:v0.101.2 starred:v0.101.1 starred:v0.101.0 starred:v0.100.1 starred:v0.100.0 starred:v0.99.3 starred:v0.99.2 starred:v0.99.1 starred:v0.99.0 starred:v0.98.2 starred:v0.98.1 starred:v0.98.0 starred:v0.97.3 starred:v0.97.2 starred:v0.97.1 starred:v0.97.0 starred:v0.96.0 starred:v0.95.3 starred:v0.95.2 starred:v0.95.1 starred:v0.95.0 starred:v0.94.0 starred:v0.93.4 starred:v0.93.3 starred:v0.93.2 starred:v0.93.1 starred:v0.93.0 starred:v0.92.0 starred:v0.91.1 starred:v0.91.0 starred:v0.90.0 starred:v0.89.1 starred:v0.89.0 starred:v0.87.2 starred:v0.87.1 starred:v0.87.0 starred:v0.86.0 starred:v0.85.1 starred:v0.85.0 starred:v0.84.1 starred:v0.84.0 starred:v0.83.1 starred:v0.83.0 starred:v0.82.2 starred:v0.82.1 starred:v0.81.2 starred:v0.81.0 starred:v0.80.2 starred:v0.80.1 starred:v0.80.0 starred:v0.79.0 starred:v0.78.0 starred:v0.77.0 starred:v0.76.1 starred:v0.76.0 starred:v0.75.1 starred:v0.75.0 starred:v0.74.0 starred:v0.73.3 starred:v0.73.1 starred:v0.73.0 starred:v0.72.1 starred:v0.70.4 starred:v0.70.1 starred:v0.70.0 starred:v0.69.0 starred:v0.68.1 starred:v0.68.0 starred:v0.67.0 starred:v0.66.0 starred:v0.65.2 starred:v0.65.1 starred:v0.65.0 starred:v0.64.5 starred:v0.64.4 starred:v0.64.3 starred:v0.64.2 starred:v0.64.1 starred:v0.64.0 starred:v0.63.5 starred:v0.63.4 starred:v0.63.3 starred:v0.63.2 starred:v0.63.1 starred:v0.63.0 starred:v0.62.1 starred:v0.62.0 starred:v0.61.7 starred:v0.61.6 starred:v0.61.5 starred:v0.61.4 starred:v0.61.3 starred:v0.61.1 starred:v0.61.0 starred:v0.60.4 starred:v0.60.3 starred:v0.60.2 starred:v0.60.1 starred:v0.60.0 starred:v0.59.0 starred:v0.58.3 starred:v0.58.2 starred:v0.58.1 starred:v0.58.0 starred:v0.57.0 starred:v0.56.0 starred:v0.55.4 starred:v0.55.3 starred:v0.55.2 starred:v0.55.1 starred:v0.55.0 starred:v0.54.1 starred:v0.53.4 starred:v0.53.3 starred:v0.53.2 starred:v0.53.1 starred:v0.52.0 starred:v0.51.2 starred:v0.51.1 starred:v0.51.0 starred:v0.50.2 starred:v0.50.1 starred:v0.50.0 starred:v0.49.7 starred:v0.49.6 starred:v0.49.5 starred:v0.49.4 starred:v0.49.3 starred:v0.49.2 starred:v0.49.1 starred:v0.49.0 starred:v0.48.3 starred:v0.48.2 starred:v0.48.1 starred:v0.48.0 starred:v0.47.2 starred:v0.47.1 starred:v0.47.0 starred:v0.46.3 starred:v0.46.2 starred:v0.46.1 starred:v0.46.0 starred:v0.45.3 starred:v0.45.2 starred:v0.45.1 starred:v0.45.0 starred:v0.44.0 starred:v0.43.2 starred:v0.43.1 starred:v0.43.0 starred:v0.42.1 starred:v0.42.0 starred:v0.41.0 starred:v0.40.4 starred:v0.40.3 starred:v0.40.2 starred:v0.40.1 starred:v0.40.0
...
compare: starred:v0.53.3
Branches Tags
starred:dependabot/go_modules/go_modules-a258281abc starred:dependabot/npm_and_yarn/doc/website/npm_and_yarn-495cad6dbb starred:main starred:dependabot/npm_and_yarn/doc/website/npm_and_yarn-31e1e7acf6 starred:jeff/v1alpha6-executor starred:jeff/435-examples starred:jeff/gemini-compare starred:jeff/compile-backup starred:jeff/xcue starred:jeff/command starred:kubeslice starred:jeff/406-unify-values starred:gl/embed-timoni-for-tests starred:jeff/378-kargo-topic starred:gl/helm-values-test-fixes starred:test starred:jeff/370-private-helm-repositories starred:jeff/371-helm-sdk starred:jeff/readme starred:jeff/327-brew-install starred:release starred:gl/311-setup-and-hello-holos starred:301-docs-structure-refactor starred:jeff/225-ko-release starred:jeff/try-holos
starred:v0.106.0 starred:v0.105.1 starred:v0.105.0 starred:v0.104.3 starred:v0.104.2 starred:v0.104.1 starred:v0.104.0 starred:v0.103.0 starred:v0.102.5 starred:v0.102.4 starred:v0.102.3 starred:v0.102.2 starred:v0.102.1 starred:v0.102.0 starred:v0.1.1 starred:v0.1.0 starred:v0.101.8 starred:v0.101.7 starred:v0.101.6 starred:v0.101.5 starred:v0.101.4 starred:v0.101.3 starred:v0.101.2 starred:v0.101.1 starred:v0.101.0 starred:v0.100.1 starred:v0.100.0 starred:v0.99.3 starred:v0.99.2 starred:v0.99.1 starred:v0.99.0 starred:v0.98.2 starred:v0.98.1 starred:v0.98.0 starred:v0.97.3 starred:v0.97.2 starred:v0.97.1 starred:v0.97.0 starred:v0.96.0 starred:v0.95.3 starred:v0.95.2 starred:v0.95.1 starred:v0.95.0 starred:v0.94.0 starred:v0.93.4 starred:v0.93.3 starred:v0.93.2 starred:v0.93.1 starred:v0.93.0 starred:v0.92.0 starred:v0.91.1 starred:v0.91.0 starred:v0.90.0 starred:v0.89.1 starred:v0.89.0 starred:v0.87.2 starred:v0.87.1 starred:v0.87.0 starred:v0.86.0 starred:v0.85.1 starred:v0.85.0 starred:v0.84.1 starred:v0.84.0 starred:v0.83.1 starred:v0.83.0 starred:v0.82.2 starred:v0.82.1 starred:v0.81.2 starred:v0.81.0 starred:v0.80.2 starred:v0.80.1 starred:v0.80.0 starred:v0.79.0 starred:v0.78.0 starred:v0.77.0 starred:v0.76.1 starred:v0.76.0 starred:v0.75.1 starred:v0.75.0 starred:v0.74.0 starred:v0.73.3 starred:v0.73.1 starred:v0.73.0 starred:v0.72.1 starred:v0.70.4 starred:v0.70.1 starred:v0.70.0 starred:v0.69.0 starred:v0.68.1 starred:v0.68.0 starred:v0.67.0 starred:v0.66.0 starred:v0.65.2 starred:v0.65.1 starred:v0.65.0 starred:v0.64.5 starred:v0.64.4 starred:v0.64.3 starred:v0.64.2 starred:v0.64.1 starred:v0.64.0 starred:v0.63.5 starred:v0.63.4 starred:v0.63.3 starred:v0.63.2 starred:v0.63.1 starred:v0.63.0 starred:v0.62.1 starred:v0.62.0 starred:v0.61.7 starred:v0.61.6 starred:v0.61.5 starred:v0.61.4 starred:v0.61.3 starred:v0.61.1 starred:v0.61.0 starred:v0.60.4 starred:v0.60.3 starred:v0.60.2 starred:v0.60.1 starred:v0.60.0 starred:v0.59.0 starred:v0.58.3 starred:v0.58.2 starred:v0.58.1 starred:v0.58.0 starred:v0.57.0 starred:v0.56.0 starred:v0.55.4 starred:v0.55.3 starred:v0.55.2 starred:v0.55.1 starred:v0.55.0 starred:v0.54.1 starred:v0.53.4 starred:v0.53.3 starred:v0.53.2 starred:v0.53.1 starred:v0.52.0 starred:v0.51.2 starred:v0.51.1 starred:v0.51.0 starred:v0.50.2 starred:v0.50.1 starred:v0.50.0 starred:v0.49.7 starred:v0.49.6 starred:v0.49.5 starred:v0.49.4 starred:v0.49.3 starred:v0.49.2 starred:v0.49.1 starred:v0.49.0 starred:v0.48.3 starred:v0.48.2 starred:v0.48.1 starred:v0.48.0 starred:v0.47.2 starred:v0.47.1 starred:v0.47.0 starred:v0.46.3 starred:v0.46.2 starred:v0.46.1 starred:v0.46.0 starred:v0.45.3 starred:v0.45.2 starred:v0.45.1 starred:v0.45.0 starred:v0.44.0 starred:v0.43.2 starred:v0.43.1 starred:v0.43.0 starred:v0.42.1 starred:v0.42.0 starred:v0.41.0 starred:v0.40.4 starred:v0.40.3 starred:v0.40.2 starred:v0.40.1 starred:v0.40.0

62 Commits
v0.43.2 ... v0.53.3

Author SHA1 Message Date
Jeff McCune
d831070f53 Trim trailing newlines from files when creating secrets 
Without this patch, the pattern of echoing data (without -n) or editing
files in a directory to represent the keys of a secret results in a
trailing newline in the kubernetes Secret.

This patch trims off the trailing newline by default, with the option to
preserve it with the --trim-trailing-newlines=false flag.
 2024-03-06 11:21:32 -08:00
Jeff McCune
340715f76c (#36) Provide certs to Cockroach DB and Zitadel with ExternalSecrets 
This patch switches CockroachDB to use certs provided by ExternalSecrets
instead of managing Certificate resources in-cluster from the upstream
helm chart.

This paves the way for multi-cluster replication by moving certificates
outside of the lifecycle of the workload cluster cockroach db operates
within.

Closes: #36
 2024-03-06 10:38:47 -08:00
Jeff McCune
64ffacfc7a (#36) Add Cockroach Issuer for Zitadel to provisioner cluster 
Issuing mtls certs for cockroach db moves to the provisioner cluster so
we can more easily support cross cluster replication in the future.
crdb certs will be synced same as public tls certs, using ExternalSecret
resources.
 2024-03-06 09:36:20 -08:00
Nate McCurdy
54acea42cb Merge pull request #37 from holos-run/nate/preflight 
Add 'holos preflight' command, check for GitHub CLI
 2024-03-06 09:32:54 -08:00
Nate McCurdy
5ef8e75194 Fix Actions warning during Lint by updating golangci-lint-action 
Warning:
> Node.js 16 actions are deprecated. Please update the following actions to use Node.js 20: golangci/golangci-lint-action@v3. For more information see: https://github.blog/changelog/2023-09-22-github-actions-transitioning-from-node-16-to-node-20/.
 2024-03-05 17:42:30 -08:00
Nate McCurdy
cb2b5c0f49 Add the 'preflight' subcommand; check for GitHub access 
This adds a new holos subcommand: preflight

Initially, this just checks that the GitHub CLI is installed and
authenticated.

The preflight command will be used to validate that the user has the
neccessary CLI tools, access, and authorization to start using Holos and
setup a Holos cluster.
 2024-03-05 17:40:08 -08:00
Jeff McCune
fd5a2fdbc1 (#36) Sync certs as ExternalSecrets from workload clusters 
This patch replaces the httpbin and login cert on the workload clusters
with an ExternalSecret to sync the tls cert from the provisioner
cluster.
 2024-03-05 17:05:10 -08:00
Jeff McCune
eb3e272612 (#36) Dynamically generate cluster certs from Platform spec 
Each cluster should be more or less identical, configure certs from the
dynamic list of platform clusters.
 2024-03-05 16:44:35 -08:00
Nate McCurdy
9f2a51bde8 Move the RunCmd function to the util package 
More than one Holos package needs to execute commands, so pull out the
runCmd from builder and move it to the util package.

This commits adds the following to the util package:
* util.RunCmd func
* util.runResult struct
 2024-03-05 15:12:14 -08:00
Jeff McCune
2b3b5a4887 (#36) Issue login and httpbin certs 
This patch uses cert manager in the provisioner cluster to provision tls
certs for https://login.example.com and https://httpbin.k2.example.com

The certs are not yet synced to the clusters.  Next step is to replace
the Certificate resources with ExternalSecret resources, then remove
cert manager from the workload clusters.
 2024-03-05 14:27:37 -08:00
Jeff McCune
7426e8f867 (#36) Move cert-manager to the provisioner cluster 
This patch moves certificate management to the provisioner cluster to
centralize all secrets into the highly secured cluster.  This change
also simplifies the architecture in a number of ways:

1. Certificate lives are now completely independent of cluster
   lifecycle.
2. Remove the need for bi-directional sync to save cert secrets.
3. Workload clusters no longer need access to DNS.
 2024-03-05 12:51:58 -08:00
Jeff McCune
cf0c455aa2 (#34) Add test for print secret data 2024-03-05 11:14:37 -08:00
Jeff McCune
752a3f912d (#34) Remove debug info logs 2024-03-05 11:05:51 -08:00
Jeff McCune
7d5852d675 (#34) Print secret data as json 
Closes: #34
 2024-03-05 11:03:47 -08:00
Jeff McCune
66b4ca0e6c (#31) Fix helm missing in actions workflow 
Causing test failures that should pass.
 2024-03-05 10:11:43 -08:00
Jeff McCune
b3f682453d (#31) Inject istio sidecar into Deployment zitadel using Kustomize 
Multiple holos components rely on kustomize to modify the output of the
upstream helm chart, for example patching a Deployment to inject the
istio sidecar.

The new holos cue based component system did not support running
kustomize after helm template.  This patch adds the kustomize execution
if two fields are defined in the helm chart kind of cue output.

The API spec is pretty loose in this patch but I'm proceeding for
expedience and to inform the final API with more use cases as more
components are migrated to cue.
 2024-03-05 09:56:39 -08:00
Jeff McCune
0c3181ae05 (#31) Add VirtualService for Zitadel 
Also import the Kustomize types using:

    cue get go sigs.k8s.io/kustomize/api/types/...
 2024-03-04 17:18:46 -08:00
Jeff McCune
18cbff0c13 (#31) Add tls cert for zitadel to connect to cockroach db 
Cockroach DB uses tls certs for client authentication.  Issue one for
Zitadel.

With this patch Zitadel starts up bit is not yet exposted with a
VirtualService.

Refer to https://zitadel.com/docs/self-hosting/manage/configure
 2024-03-04 14:46:49 -08:00
Jeff McCune
b4fca0929c (#31) ExternalSecret for zitadel-masterkey 2024-03-04 14:31:27 -08:00
Jeff McCune
911d65bdc6 (#31) Setup login.ois.run with basic istio default Gateway 
The istio default Gateway is the basis for what will become a dynamic
set of server entries specified from cue project data integrated with
extauthz.

For now we simply need to get the identity provider up and running as
the first step toward identity and access management.
 2024-03-04 13:59:17 -08:00
Jeff McCune
2a5eccf0c1 (#33) Helm stderr logging 
Log error messages from helm when building and rendering holos
components.

Closes: #33
 2024-03-04 13:16:51 -08:00
Jeff McCune
9db4873205 (#31) Add Cockroach DB for Zitadel 
Following https://github.com/zitadel/zitadel-charts/blob/main/examples/4-cockroach-secure/README.md
 2024-03-04 10:31:39 -08:00
Jeff McCune
f90e83e142 (#30) Add httpbin Gateway and VirtualService 
There isn't a default Gateway yet, so use a specific `httpbin` gateway
to test istio instead.
 2024-03-02 21:12:03 -08:00
Jeff McCune
bdd2964edb (#30) Add httpbin Service for ns istio-ingress 2024-03-02 20:39:55 -08:00
Jeff McCune
56375b82d8 (#30) Fix httpbin Deployment selector match labels 
Without this patch the deployment fails with:

```
Deployment/istio-ingress/httpbin dry-run failed, reason: Invalid:
Deployment.apps "httpbin" is invalid: spec.template.metadata.labels:
Invalid value:
map[string]string{"app.kubernetes.io/component":"httpbin",
"app.kubernetes.io/instance":"prod-mesh-httpbin",
"app.kubernetes.io/name":"mesh", "app .kubernetes.io/part-of":"prod",
"holos.run/component.name":"httpbin", "holos.run/project.name":"mesh",
"holos.run/stage.name":"prod", "sidecar.istio.io/inject":"true"}:
`selector` does not match template `labels`
```
 2024-03-02 20:23:23 -08:00
Jeff McCune
dc27489249 (#30) Add httpbin Deployment in istio-ingress namespace 
This patch gets the Deployment running with a restricted seccomp
profile.
 2024-03-02 20:17:16 -08:00
Jeff McCune
7d8a618e25 (#30) Add httpbin Certificate to verify the mesh 
Also fix certmanager which was not installing role bindings correctly
because the flux kustomization was writing over the metadata namespace
field.
 2024-03-02 17:16:42 -08:00
Jeff McCune
646f6fcdb0 (#30) Add https redirect overlay resources 
This patch migrates the https redirect and the
istio-ingressgateway-loopback Service from
`holos-infra/components/core/istio/ingress/templates/deployment`
 2024-03-02 15:01:58 -08:00
Jeff McCune
4ce39db745 (#30) Enforce restricted pod security profile on istio-ingress namespace 
This patch enforces the restricted pod security profile on the istio
ingress namespace. The istio cni to move the traffic redirection from
the init container to a cni daemon set pod.

Refer to:

 - https://istio.io/latest/docs/setup/additional-setup/pod-security-admission/
 - https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
 2024-03-02 11:16:55 -08:00
Jeff McCune
eba58d1639 (#30) Add ingress component and istio-ingressgateway Deployment 
Migrated from holos-infra/components/core/istio/ingress
 2024-03-02 10:22:21 -08:00
Jeff McCune
765832d90d (#30) Trim istiod 2024-03-01 16:27:49 -08:00
Jeff McCune
d1163d689a (#30) Add istiod istio controller and meshconfig 
This patch adds the standard istiod controller, which depends on
istio-base.

The holos reference platform heavily customizes the meshconfig, so the
upstream istio ConfigMap is disabled in the helm chart values.  The mesh
config is generated from cue data defined in the controller holos
component.

Note: This patch adds a static configuration for the istio meshconfig in
the meshconfig.cue file.  The extauthz providers are a core piece of
functionality in the holos reference platform and a key motivation of
moving to CUE from Helm is the need to dynamically generate the
meshconfig from a platform scoped set of projects and services across
multiple clusters.

For expedience this dynamic generation is not part of this patch but is
expected to replace the static meshconfig once the cluster is more fully
configured with the new cue based holos command line interface.
 2024-03-01 16:13:19 -08:00
Jeff McCune
63009ba419 (#30) Fix cue formatting 2024-03-01 10:35:32 -08:00
Jeff McCune
9c42cf9109 (#30) Import istio crds into cue definitions 
❯ timoni mod vendor crds -f ~/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
10:30AM INF schemas vendored: extensions.istio.io/wasmplugin/v1alpha1
10:30AM INF schemas vendored: install.istio.io/istiooperator/v1alpha1
10:30AM INF schemas vendored: networking.istio.io/destinationrule/v1alpha3
10:30AM INF schemas vendored: networking.istio.io/destinationrule/v1beta1
10:30AM INF schemas vendored: networking.istio.io/envoyfilter/v1alpha3
10:30AM INF schemas vendored: networking.istio.io/gateway/v1alpha3
10:30AM INF schemas vendored: networking.istio.io/gateway/v1beta1
10:30AM INF schemas vendored: networking.istio.io/proxyconfig/v1beta1
10:30AM INF schemas vendored: networking.istio.io/serviceentry/v1alpha3
10:30AM INF schemas vendored: networking.istio.io/serviceentry/v1beta1
10:30AM INF schemas vendored: networking.istio.io/sidecar/v1alpha3
10:30AM INF schemas vendored: networking.istio.io/sidecar/v1beta1
10:30AM INF schemas vendored: networking.istio.io/virtualservice/v1alpha3
10:30AM INF schemas vendored: networking.istio.io/virtualservice/v1beta1
10:30AM INF schemas vendored: networking.istio.io/workloadentry/v1alpha3
10:30AM INF schemas vendored: networking.istio.io/workloadentry/v1beta1
10:30AM INF schemas vendored: networking.istio.io/workloadgroup/v1alpha3
10:30AM INF schemas vendored: networking.istio.io/workloadgroup/v1beta1
10:30AM INF schemas vendored: security.istio.io/authorizationpolicy/v1
10:30AM INF schemas vendored: security.istio.io/authorizationpolicy/v1beta1
10:30AM INF schemas vendored: security.istio.io/peerauthentication/v1beta1
10:30AM INF schemas vendored: security.istio.io/requestauthentication/v1
10:30AM INF schemas vendored: security.istio.io/requestauthentication/v1beta1
10:30AM INF schemas vendored: telemetry.istio.io/telemetry/v1alpha1
 2024-03-01 10:31:52 -08:00
Jeff McCune
3fce5188a2 (#30) Add holos cue instance prod-mesh-istio-base 
This patch installs the istio base helm chart from upstream which
includes the custom resource definitions.
 2024-03-01 10:28:54 -08:00
Jeff McCune
fde88ad5eb (#30) Add #DependsOn struct to unify dependencies 
Using a list to merge dependencies through the tree from root to leaf is
challenging.  This patch uses a #DependsOn struct instead then builds
the list of dependencies for flux from the struct field values.
 2024-03-01 10:13:55 -08:00
Jeff McCune
7a8d30f833 (#30) Mesh istio-system istio-ingress namespaces 
Need to be in place with privileged pod security policies.
 2024-03-01 09:35:57 -08:00
Jeff McCune
8987442b91 (#27) Add cert-manager ExternalSecret cloudflare-api-token-secret 
This enables the dns01 letsencrypt acme solver and is heavily used in
the reference platform.

Secret migrated from Vault using:

```bash
vault kv get -format=json -field data kv/k8s/ns/cert-manager/cloudflare-api-token-secret \
  | holos create secret --namespace cert-manager cloudflare-api-token-secret --data-stdin --append-hash=false
```
 2024-03-01 08:44:06 -08:00
Jeff McCune
a6af3a46cf (#27) Manage SecretStore with platform namespaces 
It makes sense to manage the SecretStore along with the Namespace in the
platform namespaces holos component.  Otherwise, the first component
that needs an ExternalSecret also needs to manage a SecretStore, which
creates an artificial dependency for subesequent components that also
need a SecretStore in the same namespace.

Best to just have all components depend on the namespaces component.
 2024-03-01 08:05:00 -08:00
Jeff McCune
71d545a883 (#27) Add cert-manager LetsEncrypt issuers 
This patch partially adds the Let's Encrypt issuers.  The platform data
expands to take a contact email and a cloudflare login email.

The external secret needs to be added next.
 2024-02-29 21:40:55 -08:00
Jeff McCune
044d3082d9 (#27) Add cert-manager custom resource definitions 
Without this patch the cert-manager component is missing the custom
resource definitions.

This patch adds them using the helm installCRDs value.
 2024-02-29 20:46:42 -08:00
Jeff McCune
c2d5c4ad36 (#27) Add cert-manager to the mesh collection 
Straight-forward helm install with no customization.

This patch also adds a "Skip" output kind which allows intermediate cue
files in the tree to signal holos to skip over the instance.  This
enables constraints to be added at intermediate layers without build
errors.
 2024-02-29 16:50:27 -08:00
Jeff McCune
ab03ef1052 (#27) Refactor top level schema 
Remove content and contentType top level keys, deprecated in favor of
apiObjects.

Clarify toward the use of #CollectionName instead of project name.
 2024-02-29 15:48:54 -08:00
Jeff McCune
8c76061b0d (#27) Add recommended labels and sort output 
Add the recommended labels mapping to holos stage, project, and
component names.  Project will eventually be renamed to "collection" or
something.

Example:

    app.kubernetes.io/part-of: prod
    app.kubernetes.io/name: secrets
    app.kubernetes.io/component: validate
    app.kubernetes.io/instance: prod-secrets-validate

Also sort the api objects produced from cue so the output of the `holos
render` command is stable for git commits.
 2024-02-29 15:12:19 -08:00
Jeff McCune
f60db8fa1f (#25) Show name of api object in errors 
This patch changes the interface between CUE and Holos to remove the
content field and replace it with an api object map.  The map is a
`map[string]map[string]string` with the rendered yaml as the value of a
kind/name nesting.

This structure enables better error messages, cue disjunction errors
indicate the type and the name of the resource instead of just the list
index number.
 2024-02-29 11:23:49 -08:00
Jeff McCune
eefc092ea9 (#22) Copy external secret data files one for one 
Without this patch the secret data was nested under a key with the same
name as the secret name.  This caused the ceph controller to not find
the values.

This patch changes the golden path for #ExternalSecret to copy all data
keys 1:1 from the external to the target in the cluster.
 2024-02-28 16:51:26 -08:00
Jeff McCune
0860ac3409 (#22) Rename ceph secret to include ClusterName 
Without this patch all clusters would use the same ceph secret from the
provisioner cluster.  This is a problem because ceph credentials are
unique per cluster.

This patch renames the ceph secret to have a cluster name prefix.

The secret is created with:

```bash
vault kv get -format=json -field data kv/k2/kube-namespace/ceph-csi-rbd/csi-rbd-secret \
  | holos create secret --namespace ceph-system k2-ceph-csi-rbd --cluster-name=k2 --data-stdin --append-hash=false
```
 2024-02-28 16:14:22 -08:00
Jeff McCune
6b156e9883 (#22) Label ns ceph-system with pod-security enforce: privileged 
This patch adds the `pod-security.kubernetes.io/enforce: privileged`
label to the ceph-system namespace.

The Namespace resources are managed all over the map, it would be a good
idea to consolidate the PlatformNamespaces data into one well known
place for the entire platform.  Eschewing for now.
 2024-02-28 15:57:01 -08:00
Jeff McCune
4de9f77fbf (#22) Add holos create secret --data-stdin flag 
This patch enables quickly copying secrets from vault to the provisioner
cluster.  For example:

    vault kv get -format=json -field data kv/k2/kube-namespace/ceph-csi-rbd/csi-rbd-secret \
      | holos create secret --namespace ceph-system csi-rbd-secret --data-stdin --append-hash=false
 2024-02-28 15:29:32 -08:00
Jeff McCune
4c5429b64a (#22) Ceph CSI for Metal clusters 
This patch adds the ceph-csi-rbd helm chart component to the metal
cluster type.  The purpose is to enable PersistentVolumeClaims on ois
metal clusters.

Cloud clusters like GKE and EKS are expected to skip rendering the metal
type.

Helm values are handled with CUE.  The ceph secret is managed as an
ExternalSecret resource, appended to the rendered output by cue and the
holos cli.

Use:

    ❯ holos render --cluster-name=k2 ~/workspace/holos-run/holos/docs/examples/platforms/reference/clusters/metal/...
    2:45PM INF render.go:40 rendered prod-metal-ceph version=0.47.0 status=ok action=rendered name=prod-metal-ceph
 2024-02-28 14:46:03 -08:00
Jeff McCune
ac5bff4b32 (#20) Error if secret is not found 
Without this patch scripts incorrectly proceeded without detecting a
secret was not fetched.

    holos get secret notfound

    8:34AM ERR could not execute version=0.46.3 err="not found: notfound" loc=get.go:66
 2024-02-28 08:33:55 -08:00
Jeff McCune
6090ab224e (#14) Validate secrets fetched from provisioner cluster 
This patch validates secrets are synced from the provisioner cluster to
a workload cluster.  This verifies the eso-creds-refresher job, external
secrets operator, etc...

Refer to
0ae58858f5
for the corresponding commit on the k2 cluster.
 2024-02-27 15:55:17 -08:00
Jeff McCune
10e140258d (#15) Report multiple cue errors 
This patch prints out the cue file and line numbers when a cue error
contains multiple go errors to unwrap.

For example:

```
❯ holos render --cluster-name=k2 ~/workspace/holos-run/holos/docs/examples/platforms/reference/clusters/workload/...
3:31PM ERR could not execute version=0.46.0 err="could not decode: content: error in call to encoding/yaml.MarshalStream: incomplete value string (and 1 more errors)" loc=builder.go:212
content: error in call to encoding/yaml.MarshalStream: incomplete value string:
    /home/jeff/workspace/holos-run/holos/docs/examples/schema.cue:199:11
    /home/jeff/workspace/holos-run/holos/docs/examples/cue.mod/gen/external-secrets.io/externalsecret/v1beta1/types_gen.cue:83:14
```
 2024-02-27 15:32:11 -08:00
Jeff McCune
40ac705f0d (#16) Add create secret --append-hash=false 
So we can easily create secrets for use with ExternalSecret resources.
 2024-02-27 12:04:00 -08:00
Jeff McCune
b4ad6425e5 (#14) Validate SecretStore works 
This patch validates a SecretStore in the holos-system namespace works
after provisioner credentials are refreshed.
 2024-02-27 11:25:00 -08:00
Jeff McCune
3343d226e5 (#14) Fix namespaces "external-secrets" not found 
Needed for the `prod-secrets-eso` component to reconcile with flux.

NAME                                    REVISION                SUSPENDED       READY   MESSAGE
flux-system                             main@sha1:28b9ab6b      False           True    Applied revision: main@sha1:28b9ab6b
prod-secrets-eso                        main@sha1:28b9ab6b      False           True    Applied revision: main@sha1:28b9ab6b
prod-secrets-eso-creds-refresher        main@sha1:28b9ab6b      False           True    Applied revision: main@sha1:28b9ab6b
prod-secrets-namespaces                 main@sha1:28b9ab6b      False           True    Applied revision: main@sha1:28b9ab6b
 2024-02-26 20:53:43 -08:00
Jeff McCune
f3a9b7cfbc (#10) Additional test coverage for secrets 
Also fix a bug, secrets were created with keys that have a sub-directory
which is not a valid kubernetes secret.
 2024-02-26 16:58:38 -08:00
Jeff McCune
53b7246d5e (#10) Add tests for holos get secrets command 
This patch adds basic test data to run integration level tests on the
holos cli command.  Tests are structured similar to how the go and cue
maintainers test their own cli tools using the testscripts package.

Fixture data is loaded into a fake kubernetes.Clientset.

The holos root command is executed without using a full sub-process so
the fake kubernetes interface persists across multiple holos commands in
the same test case.

The fake kubernetes interface is reset after the testcase script
concludes and a new one starts.

Take care to read and write absolute paths from the test scripts, the
current working directory of the test runner is not set to $WORK when
executing the custom holos command.
 2024-02-26 16:16:27 -08:00
Jeff McCune
c20872c92f v0.45.1 2024-02-24 11:37:03 -08:00
Jeff McCune
ecce1f797e (#8) Get secret subcommand 
This patch adds a get secret subcommand.  With no args, lists holos
secrets.  With args, gets each argument.

The use cases are:

 1. Extract specified keys to files with --to-file
 2. Extract all keys to files with --extract-all
 3. Print one key to stdout with --print-key

If no key is specified, the key is implicitly set to the holos secret
name.  This behavior should be preserved as part of the api.
 2024-02-24 11:32:48 -08:00
Jeff McCune
0d7033d063 (#8) Create secret subcommand 
This patch adds a holos create secret command that behaves like kubectl
create secret, but for the specific use case of provisioning holos
clusters.

```
❯ holos create secret k2-talos --cluster-name=k2 --from-file=secrets.yaml
4:48PM INF secret.go:104 created: k2-talos-49546d9fd7 version=0.45.0 secret=k2-talos-49546d9fd7 name=k2-talos namespace=secrets
```

Once the corresponding `holos get secret` subcommands are implemented
the kv subcommand may be removed.
 2024-02-23 16:49:13 -08:00
Jeff McCune
84bf0c8945 (#6) Holos kv put command to create secrets 
A "holos secret" is a Secret in the secrets namespace of the provisioner
cluster.  The put command creates a unique secret from files and
directories listed as arguments, or from a txtar archive provided on
standard input.

Secret data may come from any or all of the following sources:

1. Create a secret from raw data on standard input.  --name and --file
   must be specified.
2. Create a secret from txtar data on standard input.  The secret name
   is taken from the --name flag if provided, otherwise is taken from
   the first line of the txtar comment.
3. Create a secret from files and directories specified as arguments.
   The secret name is the base name of the first argument unless it is
   overridden by the --name flag.

This is likely doing too much, really all we care about is this use
case:

holos kv put talosconfig

holos kv get talosconfig | holos txtar

Additionally, I want to get get one command without writing a file:

DATA="$(holos kv get talosconfig --file talosconfig)
 2024-02-23 12:03:47 -08:00
178 changed files with 18391 additions and 326 deletions
Expand all files Collapse all files

5
.github/workflows/lint.yaml vendored
View File

@@ -1,6 +1,7 @@
---
# https://github.com/golangci/golangci-lint-action?tab=readme-ov-file#how-to-use
name: Lint
on:
"on":
push:
branches:
- main
@@ -22,6 +23,6 @@ jobs:
go-version: stable
cache: false
- name: golangci-lint
uses: golangci/golangci-lint-action@v3
uses: golangci/golangci-lint-action@v4
with:
version: latest

5
.github/workflows/test.yaml vendored
View File

@@ -23,5 +23,10 @@ jobs:
with:
go-version: stable
- name: Set up Helm
uses: azure/setup-helm@v4.1.0
with:
version: 'latest'
- name: Test
run: ./scripts/test

2
.golangci.yaml Normal file
View File

@@ -0,0 +1,2 @@
run:
timeout: 5m

20
cmd/holos/main.go
View File

@@ -1,28 +1,10 @@
package main
import (
"context"
"errors"
"github.com/holos-run/holos/pkg/cli"
"github.com/holos-run/holos/pkg/config"
"github.com/holos-run/holos/pkg/wrapper"
"log/slog"
"os"
)
func main() {
cfg := config.New()
slog.SetDefault(cfg.Logger())
ctx := context.Background()
if err := cli.New(cfg).ExecuteContext(ctx); err != nil {
log := cfg.NewTopLevelLogger()
var errAt *wrapper.ErrorAt
const msg = "could not execute"
if ok := errors.As(err, &errAt); ok {
log.ErrorContext(ctx, msg, "err", errAt.Unwrap(), "loc", errAt.Source.Loc())
} else {
log.ErrorContext(ctx, msg, "err", err)
}
os.Exit(1)
}
os.Exit(cli.MakeMain()())
}

20
cmd/holos/main_test.go Normal file
View File

@@ -0,0 +1,20 @@
package main
import (
"github.com/holos-run/holos/pkg/cli"
"github.com/rogpeppe/go-internal/testscript"
"os"
"testing"
)
func TestMain(m *testing.M) {
os.Exit(testscript.RunMain(m, map[string]func() int{
"holos": cli.MakeMain(),
}))
}
func TestGetSecrets(t *testing.T) {
testscript.Run(t, testscript.Params{
Dir: "testdata",
})
}

42
cmd/holos/testdata/constraints.txt vendored Normal file
View File

@@ -0,0 +1,42 @@
# Want support for intermediary constraints
exec holos build ./foo/... --log-level debug
stdout '^bf2bc7f9-9ba0-4f9e-9bd2-9a205627eb0b$'
stderr 'processing holos component kind Skip'
-- cue.mod --
package holos
-- foo/constraints.cue --
package holos
metadata: name: "jeff"
-- foo/bar/bar.cue --
package holos
#KubernetesObjects & {
apiObjectMap: foo: bar: "bf2bc7f9-9ba0-4f9e-9bd2-9a205627eb0b"
}
-- schema.cue --
package holos
cluster: string @tag(cluster, string)
// #OutputTypeMeta is shared among all output types
#OutputTypeMeta: {
apiVersion: "holos.run/v1alpha1"
kind: #KubernetesObjects.kind | #NoOutput.kind
metadata: name: string
}
#KubernetesObjects: {
#OutputTypeMeta
kind: "KubernetesObjects"
apiObjectMap: {...}
}
#NoOutput: {
#OutputTypeMeta
kind: string | *"Skip"
metadata: name: string | *"skipped"
}
#NoOutput & {}

16
cmd/holos/testdata/issue15_cue_errors.txt vendored Normal file
View File

@@ -0,0 +1,16 @@
# Want cue errors to show files and lines
! exec holos build .
stderr '^apiObjectMap.foo.bar: cannot convert non-concrete value string'
stderr '/component.cue:7:20$'
-- cue.mod --
package holos
-- component.cue --
package holos
apiVersion: "holos.run/v1alpha1"
kind: "KubernetesObjects"
cluster: string @tag(cluster, string)
apiObjectMap: foo: bar: baz
baz: string

57
cmd/holos/testdata/issue25_apiobjects_cue.txt vendored Normal file
View File

@@ -0,0 +1,57 @@
# Want kube api objects in the apiObjects output.
exec holos build .
stdout '^kind: SecretStore$'
stdout '# Source: CUE apiObjects.SecretStore.default'
-- cue.mod --
package holos
-- component.cue --
package holos
apiVersion: "holos.run/v1alpha1"
kind: "KubernetesObjects"
cluster: string @tag(cluster, string)
#SecretStore: {
kind: string
metadata: name: string
}
#APIObjects & {
apiObjects: {
SecretStore: {
default: #SecretStore & { metadata: name: "default" }
}
}
}
-- schema.cue --
package holos
// #APIObjects is the output type for api objects produced by cue. A map is used to aid debugging and clarity.
import "encoding/yaml"
#APIObjects: {
// apiObjects holds each the api objects produced by cue.
apiObjects: {
[Kind=_]: {
[Name=_]: {
kind: Kind
metadata: name: Name
}
}
}
// apiObjectsContent holds the marshalled representation of apiObjects
apiObjectMap: {
for kind, v in apiObjects {
"\(kind)": {
for name, obj in v {
"\(name)": yaml.Marshal(obj)
}
}
}
}
}

58
cmd/holos/testdata/issue25_apiobjects_helm.txt vendored Normal file
View File

@@ -0,0 +1,58 @@
# Want kube api objects in the apiObjects output.
exec holos build .
stdout '^kind: SecretStore$'
stdout '# Source: CUE apiObjects.SecretStore.default'
stderr 'skipping helm: no chart name specified'
-- cue.mod --
package holos
-- component.cue --
package holos
apiVersion: "holos.run/v1alpha1"
kind: "HelmChart"
cluster: string @tag(cluster, string)
#SecretStore: {
kind: string
metadata: name: string
}
#APIObjects & {
apiObjects: {
SecretStore: {
default: #SecretStore & { metadata: name: "default" }
}
}
}
-- schema.cue --
package holos
// #APIObjects is the output type for api objects produced by cue. A map is used to aid debugging and clarity.
import "encoding/yaml"
#APIObjects: {
// apiObjects holds each the api objects produced by cue.
apiObjects: {
[Kind=_]: {
[Name=_]: {
kind: Kind
metadata: name: Name
}
}
}
// apiObjectsContent holds the marshalled representation of apiObjects
apiObjectMap: {
for kind, v in apiObjects {
"\(kind)": {
for name, obj in v {
"\(name)": yaml.Marshal(obj)
}
}
}
}
}

22
cmd/holos/testdata/issue25_show_object_names.txt vendored Normal file
View File

@@ -0,0 +1,22 @@
# Want api object kind and name in errors
! exec holos build .
stderr 'apiObjects.secretstore.default.foo: field not allowed'
-- cue.mod --
package holos
-- component.cue --
package holos
apiVersion: "holos.run/v1alpha1"
kind: "KubernetesObjects"
cluster: string @tag(cluster, string)
#SecretStore: {
metadata: name: string
}
apiObjects: {
secretstore: {
default: #SecretStore & { foo: "not allowed" }
}
}

280
cmd/holos/testdata/issue33_helm_stderr.txt vendored Normal file
View File

@@ -0,0 +1,280 @@
# Want helm errors to show up
! exec holos build .
stderr 'Error: execution error at \(zitadel/templates/secret_zitadel-masterkey.yaml:2:4\): Either set .Values.zitadel.masterkey xor .Values.zitadel.masterkeySecretName'
-- cue.mod --
package holos
-- zitadel.cue --
package holos
cluster: string @tag(cluster, string)
apiVersion: "holos.run/v1alpha1"
kind: "HelmChart"
metadata: name: "zitadel"
namespace: "zitadel"
chart: {
name: "zitadel"
version: "7.9.0"
repository: {
name: "zitadel"
url: "https://charts.zitadel.com"
}
}
-- vendor/zitadel/templates/secret_zitadel-masterkey.yaml --
{{- if (or (and .Values.zitadel.masterkey .Values.zitadel.masterkeySecretName) (and (not .Values.zitadel.masterkey) (not .Values.zitadel.masterkeySecretName)) ) }}
{{- fail "Either set .Values.zitadel.masterkey xor .Values.zitadel.masterkeySecretName" }}
{{- end }}
{{- if .Values.zitadel.masterkey -}}
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: zitadel-masterkey
{{- with .Values.zitadel.masterkeyAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
{{- include "zitadel.labels" . | nindent 4 }}
stringData:
masterkey: {{ .Values.zitadel.masterkey }}
{{- end -}}
-- vendor/zitadel/Chart.yaml --
apiVersion: v2
appVersion: v2.46.0
description: A Helm chart for ZITADEL
icon: https://zitadel.com/zitadel-logo-dark.svg
kubeVersion: '>= 1.21.0-0'
maintainers:
- email: support@zitadel.com
name: zitadel
url: https://zitadel.com
name: zitadel
type: application
version: 7.9.0
-- vendor/zitadel/values.yaml --
# Default values for zitadel.
zitadel:
# The ZITADEL config under configmapConfig is written to a Kubernetes ConfigMap
# See all defaults here:
# https://github.com/zitadel/zitadel/blob/main/cmd/defaults.yaml
configmapConfig:
ExternalSecure: true
Machine:
Identification:
Hostname:
Enabled: true
Webhook:
Enabled: false
# The ZITADEL config under secretConfig is written to a Kubernetes Secret
# See all defaults here:
# https://github.com/zitadel/zitadel/blob/main/cmd/defaults.yaml
secretConfig:
# Annotations set on secretConfig secret
secretConfigAnnotations:
helm.sh/hook: pre-install,pre-upgrade
helm.sh/hook-delete-policy: before-hook-creation
helm.sh/hook-weight: "0"
# Reference the name of a secret that contains ZITADEL configuration.
configSecretName:
# The key under which the ZITADEL configuration is located in the secret.
configSecretKey: config-yaml
# ZITADEL uses the masterkey for symmetric encryption.
# You can generate it for example with tr -dc A-Za-z0-9 </dev/urandom | head -c 32
masterkey: ""
# Reference the name of the secret that contains the masterkey. The key should be named "masterkey".
# Note: Either zitadel.masterkey or zitadel.masterkeySecretName must be set
masterkeySecretName: ""
# Annotations set on masterkey secret
masterkeyAnnotations:
helm.sh/hook: pre-install,pre-upgrade
helm.sh/hook-delete-policy: before-hook-creation
helm.sh/hook-weight: "0"
# The CA Certificate needed for establishing secure database connections
dbSslCaCrt: ""
# The Secret containing the CA certificate at key ca.crt needed for establishing secure database connections
dbSslCaCrtSecret: ""
# The db admins secret containing the client certificate and key at tls.crt and tls.key needed for establishing secure database connections
dbSslAdminCrtSecret: ""
# The db users secret containing the client certificate and key at tls.crt and tls.key needed for establishing secure database connections
dbSslUserCrtSecret: ""
# Generate a self-signed certificate using an init container
# This will also mount the generated files to /etc/tls/ so that you can reference them in the pod.
# E.G. KeyPath: /etc/tls/tls.key CertPath: /etc/tls/tls.crt
# By default, the SAN DNS names include, localhost, the POD IP address and the POD name. You may include one more by using additionalDnsName like "my.zitadel.fqdn".
selfSignedCert:
enabled: false
additionalDnsName:
replicaCount: 3
image:
repository: ghcr.io/zitadel/zitadel
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
tag: ""
chownImage:
repository: alpine
pullPolicy: IfNotPresent
tag: "3.19"
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
# Annotations to add to the deployment
annotations: {}
# Annotations to add to the configMap
configMap:
annotations:
helm.sh/hook: pre-install,pre-upgrade
helm.sh/hook-delete-policy: before-hook-creation
helm.sh/hook-weight: "0"
serviceAccount:
# Specifies whether a service account should be created
create: true
# Annotations to add to the service account
annotations:
helm.sh/hook: pre-install,pre-upgrade
helm.sh/hook-delete-policy: before-hook-creation
helm.sh/hook-weight: "0"
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
podAnnotations: {}
podAdditionalLabels: {}
podSecurityContext:
runAsNonRoot: true
runAsUser: 1000
securityContext: {}
# Additional environment variables
env:
[]
# - name: ZITADEL_DATABASE_POSTGRES_HOST
# valueFrom:
# secretKeyRef:
# name: postgres-pguser-postgres
# key: host
service:
type: ClusterIP
# If service type is "ClusterIP", this can optionally be set to a fixed IP address.
clusterIP: ""
port: 8080
protocol: http2
annotations: {}
scheme: HTTP
ingress:
enabled: false
className: ""
annotations: {}
hosts:
- host: localhost
paths:
- path: /
pathType: Prefix
tls: []
resources: {}
nodeSelector: {}
tolerations: []
affinity: {}
topologySpreadConstraints: []
initJob:
# Once ZITADEL is installed, the initJob can be disabled.
enabled: true
annotations:
helm.sh/hook: pre-install,pre-upgrade
helm.sh/hook-delete-policy: before-hook-creation
helm.sh/hook-weight: "1"
resources: {}
backoffLimit: 5
activeDeadlineSeconds: 300
extraContainers: []
podAnnotations: {}
# Available init commands :
# "": initialize ZITADEL instance (without skip anything)
# database: initialize only the database
# grant: set ALL grant to user
# user: initialize only the database user
# zitadel: initialize ZITADEL internals (skip "create user" and "create database")
command: ""
setupJob:
annotations:
helm.sh/hook: pre-install,pre-upgrade
helm.sh/hook-delete-policy: before-hook-creation
helm.sh/hook-weight: "2"
resources: {}
activeDeadlineSeconds: 300
extraContainers: []
podAnnotations: {}
additionalArgs:
- "--init-projections=true"
machinekeyWriter:
image:
repository: bitnami/kubectl
tag: ""
resources: {}
readinessProbe:
enabled: true
initialDelaySeconds: 0
periodSeconds: 5
failureThreshold: 3
livenessProbe:
enabled: true
initialDelaySeconds: 0
periodSeconds: 5
failureThreshold: 3
startupProbe:
enabled: true
periodSeconds: 1
failureThreshold: 30
metrics:
enabled: false
serviceMonitor:
# If true, the chart creates a ServiceMonitor that is compatible with Prometheus Operator
# https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#monitoring.coreos.com/v1.ServiceMonitor.
# The Prometheus community Helm chart installs this operator
# https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack#kube-prometheus-stack
enabled: false
honorLabels: false
honorTimestamps: true
pdb:
enabled: false
# these values are used for the PDB and are mutally exclusive
minAvailable: 1
# maxUnavailable: 1
annotations: {}

5
cmd/holos/testdata/version.txt vendored Normal file
View File

@@ -0,0 +1,5 @@
exec holos --version
# want version with no v on stdout
stdout -count=1 '^\d+\.\d+\.\d+$'
# want nothing on stderr
! stderr .

1310
docs/examples/cue.mod/gen/acme.cert-manager.io/challenge/v1/types_gen.cue Normal file
View File

File diff suppressed because it is too large Load Diff

82
docs/examples/cue.mod/gen/acme.cert-manager.io/order/v1/types_gen.cue Normal file
View File

@@ -0,0 +1,82 @@
// Code generated by timoni. DO NOT EDIT.
//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-certmanager/prod-mesh-certmanager.gen.yaml
package v1
import "strings"
// Order is a type to represent an Order with an ACME server
#Order: {
// APIVersion defines the versioned schema of this representation
// of an object. Servers should convert recognized schemas to the
// latest internal value, and may reject unrecognized values.
// More info:
// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
apiVersion: "acme.cert-manager.io/v1"
// Kind is a string value representing the REST resource this
// object represents. Servers may infer this from the endpoint
// the client submits requests to. Cannot be updated. In
// CamelCase. More info:
// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
kind: "Order"
metadata: {
name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
string
}
namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
string
}
labels?: {
[string]: string
}
annotations?: {
[string]: string
}
}
spec!: #OrderSpec
}
#OrderSpec: {
// CommonName is the common name as specified on the DER encoded
// CSR. If specified, this value must also be present in
// `dnsNames` or `ipAddresses`. This field must match the
// corresponding field on the DER encoded CSR.
commonName?: string
// DNSNames is a list of DNS names that should be included as part
// of the Order validation process. This field must match the
// corresponding field on the DER encoded CSR.
dnsNames?: [...string]
// Duration is the duration for the not after date for the
// requested certificate. this is set on order creation as pe the
// ACME spec.
duration?: string
// IPAddresses is a list of IP addresses that should be included
// as part of the Order validation process. This field must match
// the corresponding field on the DER encoded CSR.
ipAddresses?: [...string]
// IssuerRef references a properly configured ACME-type Issuer
// which should be used to create this Order. If the Issuer does
// not exist, processing will be retried. If the Issuer is not an
// 'ACME' Issuer, an error will be returned and the Order will be
// marked as failed.
issuerRef: {
// Group of the resource being referred to.
group?: string
// Kind of the resource being referred to.
kind?: string
// Name of the resource being referred to.
name: string
}
// Certificate signing request bytes in DER encoding. This will be
// used when finalizing the order. This field must be set on the
// order.
request: string
}

422
docs/examples/cue.mod/gen/cert-manager.io/certificate/v1/types_gen.cue Normal file
View File

@@ -0,0 +1,422 @@
// Code generated by timoni. DO NOT EDIT.
//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-certmanager/prod-mesh-certmanager.gen.yaml
package v1
import "strings"
// A Certificate resource should be created to ensure an up to
// date and signed X.509 certificate is stored in the Kubernetes
// Secret resource named in `spec.secretName`.
// The stored certificate will be renewed before it expires (as
// configured by `spec.renewBefore`).
#Certificate: {
// APIVersion defines the versioned schema of this representation
// of an object. Servers should convert recognized schemas to the
// latest internal value, and may reject unrecognized values.
// More info:
// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
apiVersion: "cert-manager.io/v1"
// Kind is a string value representing the REST resource this
// object represents. Servers may infer this from the endpoint
// the client submits requests to. Cannot be updated. In
// CamelCase. More info:
// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
kind: "Certificate"
metadata!: {
name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
string
}
namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
string
}
labels?: {
[string]: string
}
annotations?: {
[string]: string
}
}
// Specification of the desired state of the Certificate resource.
// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
spec!: #CertificateSpec
}
// Specification of the desired state of the Certificate resource.
// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
#CertificateSpec: {
// Defines extra output formats of the private key and signed
// certificate chain to be written to this Certificate's target
// Secret.
// This is an Alpha Feature and is only enabled with the
// `--feature-gates=AdditionalCertificateOutputFormats=true`
// option set on both the controller and webhook components.
additionalOutputFormats?: [...{
// Type is the name of the format type that should be written to
// the Certificate's target Secret.
type: "DER" | "CombinedPEM"
}]
// Requested common name X509 certificate subject attribute. More
// info:
// https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
// NOTE: TLS clients will ignore this value when any subject
// alternative name is set (see
// https://tools.ietf.org/html/rfc6125#section-6.4.4).
// Should have a length of 64 characters or fewer to avoid
// generating invalid CSRs. Cannot be set if the `literalSubject`
// field is set.
commonName?: string
// Requested DNS subject alternative names.
dnsNames?: [...string]
// Requested 'duration' (i.e. lifetime) of the Certificate. Note
// that the issuer may choose to ignore the requested duration,
// just like any other requested attribute.
// If unset, this defaults to 90 days. Minimum accepted duration
// is 1 hour. Value must be in units accepted by Go
// time.ParseDuration https://golang.org/pkg/time/#ParseDuration.
duration?: string
// Requested email subject alternative names.
emailAddresses?: [...string]
// Whether the KeyUsage and ExtKeyUsage extensions should be set
// in the encoded CSR.
// This option defaults to true, and should only be disabled if
// the target issuer does not support CSRs with these X509
// KeyUsage/ ExtKeyUsage extensions.
encodeUsagesInRequest?: bool
// Requested IP address subject alternative names.
ipAddresses?: [...string]
// Requested basic constraints isCA value. The isCA value is used
// to set the `isCA` field on the created CertificateRequest
// resources. Note that the issuer may choose to ignore the
// requested isCA value, just like any other requested attribute.
// If true, this will automatically add the `cert sign` usage to
// the list of requested `usages`.
isCA?: bool
// Reference to the issuer responsible for issuing the
// certificate. If the issuer is namespace-scoped, it must be in
// the same namespace as the Certificate. If the issuer is
// cluster-scoped, it can be used from any namespace.
// The `name` field of the reference must always be specified.
issuerRef: {
// Group of the resource being referred to.
group?: string
// Kind of the resource being referred to.
kind?: string
// Name of the resource being referred to.
name: string
}
// Additional keystore output formats to be stored in the
// Certificate's Secret.
keystores?: {
// JKS configures options for storing a JKS keystore in the
// `spec.secretName` Secret resource.
jks?: {
// Create enables JKS keystore creation for the Certificate. If
// true, a file named `keystore.jks` will be created in the
// target Secret resource, encrypted using the password stored in
// `passwordSecretRef`. The keystore file will be updated
// immediately. If the issuer provided a CA certificate, a file
// named `truststore.jks` will also be created in the target
// Secret resource, encrypted using the password stored in
// `passwordSecretRef` containing the issuing Certificate
// Authority
create: bool
// PasswordSecretRef is a reference to a key in a Secret resource
// containing the password used to encrypt the JKS keystore.
passwordSecretRef: {
// The key of the entry in the Secret resource's `data` field to
// be used. Some instances of this field may be defaulted, in
// others it may be required.
key?: string
// Name of the resource being referred to. More info:
// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
name: string
}
}
// PKCS12 configures options for storing a PKCS12 keystore in the
// `spec.secretName` Secret resource.
pkcs12?: {
// Create enables PKCS12 keystore creation for the Certificate. If
// true, a file named `keystore.p12` will be created in the
// target Secret resource, encrypted using the password stored in
// `passwordSecretRef`. The keystore file will be updated
// immediately. If the issuer provided a CA certificate, a file
// named `truststore.p12` will also be created in the target
// Secret resource, encrypted using the password stored in
// `passwordSecretRef` containing the issuing Certificate
// Authority
create: bool
// PasswordSecretRef is a reference to a key in a Secret resource
// containing the password used to encrypt the PKCS12 keystore.
passwordSecretRef: {
// The key of the entry in the Secret resource's `data` field to
// be used. Some instances of this field may be defaulted, in
// others it may be required.
key?: string
// Name of the resource being referred to. More info:
// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
name: string
}
// Profile specifies the key and certificate encryption algorithms
// and the HMAC algorithm used to create the PKCS12 keystore.
// Default value is `LegacyRC2` for backward compatibility.
// If provided, allowed values are: `LegacyRC2`: Deprecated. Not
// supported by default in OpenSSL 3 or Java 20. `LegacyDES`:
// Less secure algorithm. Use this option for maximal
// compatibility. `Modern2023`: Secure algorithm. Use this option
// in case you have to always use secure algorithms (eg. because
// of company policy). Please note that the security of the
// algorithm is not that important in reality, because the
// unencrypted certificate and private key are also stored in the
// Secret.
profile?: "LegacyRC2" | "LegacyDES" | "Modern2023"
}
}
// Requested X.509 certificate subject, represented using the LDAP
// "String Representation of a Distinguished Name" [1].
// Important: the LDAP string format also specifies the order of
// the attributes in the subject, this is important when issuing
// certs for LDAP authentication. Example:
// `CN=foo,DC=corp,DC=example,DC=com` More info [1]:
// https://datatracker.ietf.org/doc/html/rfc4514 More info:
// https://github.com/cert-manager/cert-manager/issues/3203 More
// info: https://github.com/cert-manager/cert-manager/issues/4424
// Cannot be set if the `subject` or `commonName` field is set.
// This is an Alpha Feature and is only enabled with the
// `--feature-gates=LiteralCertificateSubject=true` option set on
// both the controller and webhook components.
literalSubject?: string
// x.509 certificate NameConstraint extension which MUST NOT be
// used in a non-CA certificate. More Info:
// https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10
// This is an Alpha Feature and is only enabled with the
// `--feature-gates=NameConstraints=true` option set on both the
// controller and webhook components.
nameConstraints?: {
// if true then the name constraints are marked critical.
critical?: bool
// Excluded contains the constraints which must be disallowed. Any
// name matching a restriction in the excluded field is invalid
// regardless of information appearing in the permitted
excluded?: {
// DNSDomains is a list of DNS domains that are permitted or
// excluded.
dnsDomains?: [...string]
// EmailAddresses is a list of Email Addresses that are permitted
// or excluded.
emailAddresses?: [...string]
// IPRanges is a list of IP Ranges that are permitted or excluded.
// This should be a valid CIDR notation.
ipRanges?: [...string]
// URIDomains is a list of URI domains that are permitted or
// excluded.
uriDomains?: [...string]
}
// Permitted contains the constraints in which the names must be
// located.
permitted?: {
// DNSDomains is a list of DNS domains that are permitted or
// excluded.
dnsDomains?: [...string]
// EmailAddresses is a list of Email Addresses that are permitted
// or excluded.
emailAddresses?: [...string]
// IPRanges is a list of IP Ranges that are permitted or excluded.
// This should be a valid CIDR notation.
ipRanges?: [...string]
// URIDomains is a list of URI domains that are permitted or
// excluded.
uriDomains?: [...string]
}
}
// `otherNames` is an escape hatch for SAN that allows any type.
// We currently restrict the support to string like otherNames,
// cf RFC 5280 p 37 Any UTF8 String valued otherName can be
// passed with by setting the keys oid: x.x.x.x and UTF8Value:
// somevalue for `otherName`. Most commonly this would be UPN set
// with oid: 1.3.6.1.4.1.311.20.2.3 You should ensure that any
// OID passed is valid for the UTF8String type as we do not
// explicitly validate this.
otherNames?: [...{
// OID is the object identifier for the otherName SAN. The object
// identifier must be expressed as a dotted string, for example,
// "1.2.840.113556.1.4.221".
oid?: string
// utf8Value is the string value of the otherName SAN. The
// utf8Value accepts any valid UTF8 string to set as value for
// the otherName SAN.
utf8Value?: string
}]
// Private key options. These include the key algorithm and size,
// the used encoding and the rotation policy.
privateKey?: {
// Algorithm is the private key algorithm of the corresponding
// private key for this certificate.
// If provided, allowed values are either `RSA`, `ECDSA` or
// `Ed25519`. If `algorithm` is specified and `size` is not
// provided, key size of 2048 will be used for `RSA` key
// algorithm and key size of 256 will be used for `ECDSA` key
// algorithm. key size is ignored when using the `Ed25519` key
// algorithm.
algorithm?: "RSA" | "ECDSA" | "Ed25519"
// The private key cryptography standards (PKCS) encoding for this
// certificate's private key to be encoded in.
// If provided, allowed values are `PKCS1` and `PKCS8` standing
// for PKCS#1 and PKCS#8, respectively. Defaults to `PKCS1` if
// not specified.
encoding?: "PKCS1" | "PKCS8"
// RotationPolicy controls how private keys should be regenerated
// when a re-issuance is being processed.
// If set to `Never`, a private key will only be generated if one
// does not already exist in the target `spec.secretName`. If one
// does exists but it does not have the correct algorithm or
// size, a warning will be raised to await user intervention. If
// set to `Always`, a private key matching the specified
// requirements will be generated whenever a re-issuance occurs.
// Default is `Never` for backward compatibility.
rotationPolicy?: "Never" | "Always"
// Size is the key bit size of the corresponding private key for
// this certificate.
// If `algorithm` is set to `RSA`, valid values are `2048`, `4096`
// or `8192`, and will default to `2048` if not specified. If
// `algorithm` is set to `ECDSA`, valid values are `256`, `384`
// or `521`, and will default to `256` if not specified. If
// `algorithm` is set to `Ed25519`, Size is ignored. No other
// values are allowed.
size?: int
}
// How long before the currently issued certificate's expiry
// cert-manager should renew the certificate. For example, if a
// certificate is valid for 60 minutes, and `renewBefore=10m`,
// cert-manager will begin to attempt to renew the certificate 50
// minutes after it was issued (i.e. when there are 10 minutes
// remaining until the certificate is no longer valid).
// NOTE: The actual lifetime of the issued certificate is used to
// determine the renewal time. If an issuer returns a certificate
// with a different lifetime than the one requested, cert-manager
// will use the lifetime of the issued certificate.
// If unset, this defaults to 1/3 of the issued certificate's
// lifetime. Minimum accepted value is 5 minutes. Value must be
// in units accepted by Go time.ParseDuration
// https://golang.org/pkg/time/#ParseDuration.
renewBefore?: string
// The maximum number of CertificateRequest revisions that are
// maintained in the Certificate's history. Each revision
// represents a single `CertificateRequest` created by this
// Certificate, either when it was created, renewed, or Spec was
// changed. Revisions will be removed by oldest first if the
// number of revisions exceeds this number.
// If set, revisionHistoryLimit must be a value of `1` or greater.
// If unset (`nil`), revisions will not be garbage collected.
// Default value is `nil`.
revisionHistoryLimit?: int
// Name of the Secret resource that will be automatically created
// and managed by this Certificate resource. It will be populated
// with a private key and certificate, signed by the denoted
// issuer. The Secret resource lives in the same namespace as the
// Certificate resource.
secretName: string
// Defines annotations and labels to be copied to the
// Certificate's Secret. Labels and annotations on the Secret
// will be changed as they appear on the SecretTemplate when
// added or removed. SecretTemplate annotations are added in
// conjunction with, and cannot overwrite, the base set of
// annotations cert-manager sets on the Certificate's Secret.
secretTemplate?: {
// Annotations is a key value map to be copied to the target
// Kubernetes Secret.
annotations?: {
[string]: string
}
// Labels is a key value map to be copied to the target Kubernetes
// Secret.
labels?: {
[string]: string
}
}
// Requested set of X509 certificate subject attributes. More
// info:
// https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
// The common name attribute is specified separately in the
// `commonName` field. Cannot be set if the `literalSubject`
// field is set.
subject?: {
// Countries to be used on the Certificate.
countries?: [...string]
// Cities to be used on the Certificate.
localities?: [...string]
// Organizational Units to be used on the Certificate.
organizationalUnits?: [...string]
// Organizations to be used on the Certificate.
organizations?: [...string]
// Postal codes to be used on the Certificate.
postalCodes?: [...string]
// State/Provinces to be used on the Certificate.
provinces?: [...string]
// Serial number to be used on the Certificate.
serialNumber?: string
// Street addresses to be used on the Certificate.
streetAddresses?: [...string]
}
// Requested URI subject alternative names.
uris?: [...string]
// Requested key usages and extended key usages. These usages are
// used to set the `usages` field on the created
// CertificateRequest resources. If `encodeUsagesInRequest` is
// unset or set to `true`, the usages will additionally be
// encoded in the `request` field which contains the CSR blob.
// If unset, defaults to `digital signature` and `key
// encipherment`.
usages?: [..."signing" | "digital signature" | "content commitment" | "key encipherment" | "key agreement" | "data encipherment" | "cert sign" | "crl sign" | "encipher only" | "decipher only" | "any" | "server auth" | "client auth" | "code signing" | "email protection" | "s/mime" | "ipsec end system" | "ipsec tunnel" | "ipsec user" | "timestamping" | "ocsp signing" | "microsoft sgc" | "netscape sgc"]
}

127
docs/examples/cue.mod/gen/cert-manager.io/certificaterequest/v1/types_gen.cue Normal file
View File

@@ -0,0 +1,127 @@
// Code generated by timoni. DO NOT EDIT.
//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-certmanager/prod-mesh-certmanager.gen.yaml
package v1
import "strings"
// A CertificateRequest is used to request a signed certificate
// from one of the configured issuers.
// All fields within the CertificateRequest's `spec` are immutable
// after creation. A CertificateRequest will either succeed or
// fail, as denoted by its `Ready` status condition and its
// `status.failureTime` field.
// A CertificateRequest is a one-shot resource, meaning it
// represents a single point in time request for a certificate
// and cannot be re-used.
#CertificateRequest: {
// APIVersion defines the versioned schema of this representation
// of an object. Servers should convert recognized schemas to the
// latest internal value, and may reject unrecognized values.
// More info:
// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
apiVersion: "cert-manager.io/v1"
// Kind is a string value representing the REST resource this
// object represents. Servers may infer this from the endpoint
// the client submits requests to. Cannot be updated. In
// CamelCase. More info:
// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
kind: "CertificateRequest"
metadata!: {
name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
string
}
namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
string
}
labels?: {
[string]: string
}
annotations?: {
[string]: string
}
}
// Specification of the desired state of the CertificateRequest
// resource.
// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
spec!: #CertificateRequestSpec
}
// Specification of the desired state of the CertificateRequest
// resource.
// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
#CertificateRequestSpec: {
// Requested 'duration' (i.e. lifetime) of the Certificate. Note
// that the issuer may choose to ignore the requested duration,
// just like any other requested attribute.
duration?: string
// Extra contains extra attributes of the user that created the
// CertificateRequest. Populated by the cert-manager webhook on
// creation and immutable.
extra?: {
[string]: [...string]
}
// Groups contains group membership of the user that created the
// CertificateRequest. Populated by the cert-manager webhook on
// creation and immutable.
groups?: [...string]
// Requested basic constraints isCA value. Note that the issuer
// may choose to ignore the requested isCA value, just like any
// other requested attribute.
// NOTE: If the CSR in the `Request` field has a BasicConstraints
// extension, it must have the same isCA value as specified here.
// If true, this will automatically add the `cert sign` usage to
// the list of requested `usages`.
isCA?: bool
// Reference to the issuer responsible for issuing the
// certificate. If the issuer is namespace-scoped, it must be in
// the same namespace as the Certificate. If the issuer is
// cluster-scoped, it can be used from any namespace.
// The `name` field of the reference must always be specified.
issuerRef: {
// Group of the resource being referred to.
group?: string
// Kind of the resource being referred to.
kind?: string
// Name of the resource being referred to.
name: string
}
// The PEM-encoded X.509 certificate signing request to be
// submitted to the issuer for signing.
// If the CSR has a BasicConstraints extension, its isCA attribute
// must match the `isCA` value of this CertificateRequest. If the
// CSR has a KeyUsage extension, its key usages must match the
// key usages in the `usages` field of this CertificateRequest.
// If the CSR has a ExtKeyUsage extension, its extended key
// usages must match the extended key usages in the `usages`
// field of this CertificateRequest.
request: string
// UID contains the uid of the user that created the
// CertificateRequest. Populated by the cert-manager webhook on
// creation and immutable.
uid?: string
// Requested key usages and extended key usages.
// NOTE: If the CSR in the `Request` field has uses the KeyUsage
// or ExtKeyUsage extension, these extensions must have the same
// values as specified here without any additional values.
// If unset, defaults to `digital signature` and `key
// encipherment`.
usages?: [..."signing" | "digital signature" | "content commitment" | "key encipherment" | "key agreement" | "data encipherment" | "cert sign" | "crl sign" | "encipher only" | "decipher only" | "any" | "server auth" | "client auth" | "code signing" | "email protection" | "s/mime" | "ipsec end system" | "ipsec tunnel" | "ipsec user" | "timestamping" | "ocsp signing" | "microsoft sgc" | "netscape sgc"]
// Username contains the name of the user that created the
// CertificateRequest. Populated by the cert-manager webhook on
// creation and immutable.
username?: string
}

1590
docs/examples/cue.mod/gen/cert-manager.io/clusterissuer/v1/types_gen.cue Normal file
View File

File diff suppressed because it is too large Load Diff

1589
docs/examples/cue.mod/gen/cert-manager.io/issuer/v1/types_gen.cue Normal file
View File

File diff suppressed because it is too large Load Diff

123
docs/examples/cue.mod/gen/extensions.istio.io/wasmplugin/v1alpha1/types_gen.cue Normal file
View File

@@ -0,0 +1,123 @@
// Code generated by timoni. DO NOT EDIT.
//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
package v1alpha1
import (
"strings"
"list"
)
#WasmPlugin: {
// Extend the functionality provided by the Istio proxy through
// WebAssembly filters. See more details at:
// https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html
spec!: #WasmPluginSpec
apiVersion: "extensions.istio.io/v1alpha1"
kind: "WasmPlugin"
metadata!: {
name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
string
}
namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
string
}
labels?: {
[string]: string
}
annotations?: {
[string]: string
}
}
}
// Extend the functionality provided by the Istio proxy through
// WebAssembly filters. See more details at:
// https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html
#WasmPluginSpec: {
// Specifies the failure behavior for the plugin due to fatal
// errors.
failStrategy?: "FAIL_CLOSE" | "FAIL_OPEN"
// The pull behaviour to be applied when fetching Wasm module by
// either OCI image or http/https.
imagePullPolicy?: "UNSPECIFIED_POLICY" | "IfNotPresent" | "Always"
// Credentials to use for OCI image pulling.
imagePullSecret?: strings.MaxRunes(253) & strings.MinRunes(1)
// Specifies the criteria to determine which traffic is passed to
// WasmPlugin.
match?: [...{
// Criteria for selecting traffic by their direction.
mode?: "UNDEFINED" | "CLIENT" | "SERVER" | "CLIENT_AND_SERVER"
// Criteria for selecting traffic by their destination port.
ports?: [...{
number: uint16 & >=1
}]
}]
// Determines where in the filter chain this `WasmPlugin` is to be
// injected.
phase?: "UNSPECIFIED_PHASE" | "AUTHN" | "AUTHZ" | "STATS"
// The configuration that will be passed on to the plugin.
pluginConfig?: {
...
}
// The plugin name to be used in the Envoy configuration (used to
// be called `rootID`).
pluginName?: strings.MaxRunes(256) & strings.MinRunes(1)
// Determines ordering of `WasmPlugins` in the same `phase`.
priority?: null | int
selector?: {
// One or more labels that indicate a specific set of pods/VMs on
// which a policy should be applied.
matchLabels?: {
[string]: string
}
}
// SHA256 checksum that will be used to verify Wasm module or OCI
// container.
sha256?: =~"(^$|^[a-f0-9]{64}$)"
// Optional.
targetRef?: {
// group is the group of the target resource.
group?: string
// kind is kind of the target resource.
kind?: string
// name is the name of the target resource.
name?: string
// namespace is the namespace of the referent.
namespace?: string
}
// Specifies the type of Wasm Extension to be used.
type?: "UNSPECIFIED_PLUGIN_TYPE" | "HTTP" | "NETWORK"
// URL of a Wasm module or OCI container.
url: strings.MinRunes(1)
verificationKey?: string
vmConfig?: {
// Specifies environment variables to be injected to this VM.
env?: list.MaxItems(256) & [...{
// Name of the environment variable.
name: strings.MaxRunes(256) & strings.MinRunes(1)
// Value for the environment variable.
value?: strings.MaxRunes(2048)
// Source for the environment variable's value.
valueFrom?: "INLINE" | "HOST"
}]
}
}

2
docs/examples/cue.mod/gen/external-secrets.io/secretstore/v1beta1/types_gen.cue
View File

@@ -922,7 +922,7 @@ import (
kubernetes?: {
// Auth configures how secret-manager authenticates with a
// Kubernetes instance.
auth: struct.MaxFields(1) & {
auth: {
// has both clientCert and clientKey as secretKeySelector
cert?: {
// A reference to a specific 'key' within a Secret resource,

27
docs/examples/cue.mod/gen/install.istio.io/istiooperator/v1alpha1/types_gen.cue Normal file
View File

@@ -0,0 +1,27 @@
// Code generated by timoni. DO NOT EDIT.
//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
package v1alpha1
import "strings"
#IstioOperator: {
apiVersion: "install.istio.io/v1alpha1"
kind: "IstioOperator"
metadata!: {
name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
string
}
namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
string
}
labels?: {
[string]: string
}
annotations?: {
[string]: string
}
}
...
}

4
docs/examples/cue.mod/gen/k8s.io/api/core/v1/types_go_gen.cue
View File

@@ -3066,7 +3066,7 @@ import (
// If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext.
// More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
// +optional
securityContext?: null | #SecurityContext @go(SecurityContext,*SecurityContext) @protobuf(15,bytes,opt)
securityContext?: #SecurityContext @go(SecurityContext,*SecurityContext) @protobuf(15,bytes,opt)
// Whether this container should allocate a buffer for stdin in the container runtime. If this
// is not set, reads from stdin in the container will always result in EOF.
@@ -3982,7 +3982,7 @@ import (
// SecurityContext holds pod-level security attributes and common container settings.
// Optional: Defaults to empty. See type description for default values of each field.
// +optional
securityContext?: null | #PodSecurityContext @go(SecurityContext,*PodSecurityContext) @protobuf(14,bytes,opt)
securityContext?: #PodSecurityContext @go(SecurityContext,*PodSecurityContext) @protobuf(14,bytes,opt)
// ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec.
// If specified, these secrets will be passed to individual puller implementations for them to use.

967
docs/examples/cue.mod/gen/networking.istio.io/destinationrule/v1alpha3/types_gen.cue Normal file
View File

@@ -0,0 +1,967 @@
// Code generated by timoni. DO NOT EDIT.
//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
package v1alpha3
import "strings"
#DestinationRule: {
// Configuration affecting load balancing, outlier detection, etc.
// See more details at:
// https://istio.io/docs/reference/config/networking/destination-rule.html
spec!: #DestinationRuleSpec
apiVersion: "networking.istio.io/v1alpha3"
kind: "DestinationRule"
metadata!: {
name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
string
}
namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
string
}
labels?: {
[string]: string
}
annotations?: {
[string]: string
}
}
}
// Configuration affecting load balancing, outlier detection, etc.
// See more details at:
// https://istio.io/docs/reference/config/networking/destination-rule.html
#DestinationRuleSpec: {
// A list of namespaces to which this destination rule is
// exported.
exportTo?: [...string]
// The name of a service from the service registry.
host: string
// One or more named sets that represent individual versions of a
// service.
subsets?: [...{
// Labels apply a filter over the endpoints of a service in the
// service registry.
labels?: {
[string]: string
}
// Name of the subset.
name: string
// Traffic policies that apply to this subset.
trafficPolicy?: {
connectionPool?: {
// HTTP connection pool settings.
http?: {
// Specify if http1.1 connection should be upgraded to http2 for
// the associated destination.
h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
// Maximum number of requests that will be queued while waiting
// for a ready connection pool connection.
http1MaxPendingRequests?: int
// Maximum number of active requests to a destination.
http2MaxRequests?: int
// The idle timeout for upstream connection pool connections.
idleTimeout?: string
// Maximum number of requests per connection to a backend.
maxRequestsPerConnection?: int
// Maximum number of retries that can be outstanding to all hosts
// in a cluster at a given time.
maxRetries?: int
// If set to true, client protocol will be preserved while
// initiating connection to backend.
useClientProtocol?: bool
}
// Settings common to both HTTP and TCP upstream connections.
tcp?: {
// TCP connection timeout.
connectTimeout?: string
// The maximum duration of a connection.
maxConnectionDuration?: string
// Maximum number of HTTP1 /TCP connections to a destination host.
maxConnections?: int
// If set then set SO_KEEPALIVE on the socket to enable TCP
// Keepalives.
tcpKeepalive?: {
// The time duration between keep-alive probes.
interval?: string
// Maximum number of keepalive probes to send without response
// before deciding the connection is dead.
probes?: int
// The time duration a connection needs to be idle before
// keep-alive probes start being sent.
time?: string
}
}
}
// Settings controlling the load balancer algorithms.
loadBalancer?: ({} | {
simple: _
} | {
consistentHash: _
}) & {
consistentHash?: ({} | {
httpHeaderName: _
} | {
httpCookie: _
} | {
useSourceIp: _
} | {
httpQueryParameterName: _
}) & ({} | {
ringHash: _
} | {
maglev: _
}) & {
// Hash based on HTTP cookie.
httpCookie?: {
// Name of the cookie.
name: string
// Path to set for the cookie.
path?: string
// Lifetime of the cookie.
ttl?: string
}
// Hash based on a specific HTTP header.
httpHeaderName?: string
// Hash based on a specific HTTP query parameter.
httpQueryParameterName?: string
maglev?: {
// The table size for Maglev hashing.
tableSize?: int
}
// Deprecated.
minimumRingSize?: int
ringHash?: {
// The minimum number of virtual nodes to use for the hash ring.
minimumRingSize?: int
}
// Hash based on the source IP address.
useSourceIp?: bool
}
localityLbSetting?: {
// Optional: only one of distribute, failover or failoverPriority
// can be set.
distribute?: [...{
// Originating locality, '/' separated, e.g.
from?: string
// Map of upstream localities to traffic distribution weights.
to?: {
[string]: int
}
}]
// enable locality load balancing, this is DestinationRule-level
// and will override mesh wide settings in entirety.
enabled?: null | bool
// Optional: only one of distribute, failover or failoverPriority
// can be set.
failover?: [...{
// Originating region.
from?: string
// Destination region the traffic will fail over to when endpoints
// in the 'from' region becomes unhealthy.
to?: string
}]
// failoverPriority is an ordered list of labels used to sort
// endpoints to do priority based load balancing.
failoverPriority?: [...string]
}
simple?: "UNSPECIFIED" | "LEAST_CONN" | "RANDOM" | "PASSTHROUGH" | "ROUND_ROBIN" | "LEAST_REQUEST"
// Represents the warmup duration of Service.
warmupDurationSecs?: string
}
outlierDetection?: {
// Minimum ejection duration.
baseEjectionTime?: string
// Number of 5xx errors before a host is ejected from the
// connection pool.
consecutive5xxErrors?: null | int
consecutiveErrors?: int
// Number of gateway errors before a host is ejected from the
// connection pool.
consecutiveGatewayErrors?: null | int
// The number of consecutive locally originated failures before
// ejection occurs.
consecutiveLocalOriginFailures?: null | int
// Time interval between ejection sweep analysis.
interval?: string
// Maximum % of hosts in the load balancing pool for the upstream
// service that can be ejected.
maxEjectionPercent?: int
// Outlier detection will be enabled as long as the associated
// load balancing pool has at least min_health_percent hosts in
// healthy mode.
minHealthPercent?: int
// Determines whether to distinguish local origin failures from
// external errors.
splitExternalLocalOriginErrors?: bool
}
// Traffic policies specific to individual ports.
portLevelSettings?: [...{
connectionPool?: {
// HTTP connection pool settings.
http?: {
// Specify if http1.1 connection should be upgraded to http2 for
// the associated destination.
h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
// Maximum number of requests that will be queued while waiting
// for a ready connection pool connection.
http1MaxPendingRequests?: int
// Maximum number of active requests to a destination.
http2MaxRequests?: int
// The idle timeout for upstream connection pool connections.
idleTimeout?: string
// Maximum number of requests per connection to a backend.
maxRequestsPerConnection?: int
// Maximum number of retries that can be outstanding to all hosts
// in a cluster at a given time.
maxRetries?: int
// If set to true, client protocol will be preserved while
// initiating connection to backend.
useClientProtocol?: bool
}
// Settings common to both HTTP and TCP upstream connections.
tcp?: {
// TCP connection timeout.
connectTimeout?: string
// The maximum duration of a connection.
maxConnectionDuration?: string
// Maximum number of HTTP1 /TCP connections to a destination host.
maxConnections?: int
// If set then set SO_KEEPALIVE on the socket to enable TCP
// Keepalives.
tcpKeepalive?: {
// The time duration between keep-alive probes.
interval?: string
// Maximum number of keepalive probes to send without response
// before deciding the connection is dead.
probes?: int
// The time duration a connection needs to be idle before
// keep-alive probes start being sent.
time?: string
}
}
}
// Settings controlling the load balancer algorithms.
loadBalancer?: ({} | {
simple: _
} | {
consistentHash: _
}) & {
consistentHash?: ({} | {
httpHeaderName: _
} | {
httpCookie: _
} | {
useSourceIp: _
} | {
httpQueryParameterName: _
}) & ({} | {
ringHash: _
} | {
maglev: _
}) & {
// Hash based on HTTP cookie.
httpCookie?: {
// Name of the cookie.
name: string
// Path to set for the cookie.
path?: string
// Lifetime of the cookie.
ttl?: string
}
// Hash based on a specific HTTP header.
httpHeaderName?: string
// Hash based on a specific HTTP query parameter.
httpQueryParameterName?: string
maglev?: {
// The table size for Maglev hashing.
tableSize?: int
}
// Deprecated.
minimumRingSize?: int
ringHash?: {
// The minimum number of virtual nodes to use for the hash ring.
minimumRingSize?: int
}
// Hash based on the source IP address.
useSourceIp?: bool
}
localityLbSetting?: {
// Optional: only one of distribute, failover or failoverPriority
// can be set.
distribute?: [...{
// Originating locality, '/' separated, e.g.
from?: string
// Map of upstream localities to traffic distribution weights.
to?: {
[string]: int
}
}]
// enable locality load balancing, this is DestinationRule-level
// and will override mesh wide settings in entirety.
enabled?: null | bool
// Optional: only one of distribute, failover or failoverPriority
// can be set.
failover?: [...{
// Originating region.
from?: string
// Destination region the traffic will fail over to when endpoints
// in the 'from' region becomes unhealthy.
to?: string
}]
// failoverPriority is an ordered list of labels used to sort
// endpoints to do priority based load balancing.
failoverPriority?: [...string]
}
simple?: "UNSPECIFIED" | "LEAST_CONN" | "RANDOM" | "PASSTHROUGH" | "ROUND_ROBIN" | "LEAST_REQUEST"
// Represents the warmup duration of Service.
warmupDurationSecs?: string
}
outlierDetection?: {
// Minimum ejection duration.
baseEjectionTime?: string
// Number of 5xx errors before a host is ejected from the
// connection pool.
consecutive5xxErrors?: null | int
consecutiveErrors?: int
// Number of gateway errors before a host is ejected from the
// connection pool.
consecutiveGatewayErrors?: null | int
// The number of consecutive locally originated failures before
// ejection occurs.
consecutiveLocalOriginFailures?: null | int
// Time interval between ejection sweep analysis.
interval?: string
// Maximum % of hosts in the load balancing pool for the upstream
// service that can be ejected.
maxEjectionPercent?: int
// Outlier detection will be enabled as long as the associated
// load balancing pool has at least min_health_percent hosts in
// healthy mode.
minHealthPercent?: int
// Determines whether to distinguish local origin failures from
// external errors.
splitExternalLocalOriginErrors?: bool
}
port?: {
number?: int
}
// TLS related settings for connections to the upstream service.
tls?: {
// OPTIONAL: The path to the file containing certificate authority
// certificates to use in verifying a presented server
// certificate.
caCertificates?: string
// REQUIRED if mode is `MUTUAL`.
clientCertificate?: string
// The name of the secret that holds the TLS certs for the client
// including the CA certificates.
credentialName?: string
// `insecureSkipVerify` specifies whether the proxy should skip
// verifying the CA signature and SAN for the server certificate
// corresponding to the host.
insecureSkipVerify?: null | bool
// Indicates whether connections to this port should be secured
// using TLS.
mode?: "DISABLE" | "SIMPLE" | "MUTUAL" | "ISTIO_MUTUAL"
// REQUIRED if mode is `MUTUAL`.
privateKey?: string
// SNI string to present to the server during TLS handshake.
sni?: string
// A list of alternate names to verify the subject identity in the
// certificate.
subjectAltNames?: [...string]
}
}]
// TLS related settings for connections to the upstream service.
tls?: {
// OPTIONAL: The path to the file containing certificate authority
// certificates to use in verifying a presented server
// certificate.
caCertificates?: string
// REQUIRED if mode is `MUTUAL`.
clientCertificate?: string
// The name of the secret that holds the TLS certs for the client
// including the CA certificates.
credentialName?: string
// `insecureSkipVerify` specifies whether the proxy should skip
// verifying the CA signature and SAN for the server certificate
// corresponding to the host.
insecureSkipVerify?: null | bool
// Indicates whether connections to this port should be secured
// using TLS.
mode?: "DISABLE" | "SIMPLE" | "MUTUAL" | "ISTIO_MUTUAL"
// REQUIRED if mode is `MUTUAL`.
privateKey?: string
// SNI string to present to the server during TLS handshake.
sni?: string
// A list of alternate names to verify the subject identity in the
// certificate.
subjectAltNames?: [...string]
}
// Configuration of tunneling TCP over other transport or
// application layers for the host configured in the
// DestinationRule.
tunnel?: {
// Specifies which protocol to use for tunneling the downstream
// connection.
protocol?: string
// Specifies a host to which the downstream connection is
// tunneled.
targetHost: string
// Specifies a port to which the downstream connection is
// tunneled.
targetPort: int
}
}
}]
// Traffic policies to apply (load balancing policy, connection
// pool sizes, outlier detection).
trafficPolicy?: {
connectionPool?: {
// HTTP connection pool settings.
http?: {
// Specify if http1.1 connection should be upgraded to http2 for
// the associated destination.
h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
// Maximum number of requests that will be queued while waiting
// for a ready connection pool connection.
http1MaxPendingRequests?: int
// Maximum number of active requests to a destination.
http2MaxRequests?: int
// The idle timeout for upstream connection pool connections.
idleTimeout?: string
// Maximum number of requests per connection to a backend.
maxRequestsPerConnection?: int
// Maximum number of retries that can be outstanding to all hosts
// in a cluster at a given time.
maxRetries?: int
// If set to true, client protocol will be preserved while
// initiating connection to backend.
useClientProtocol?: bool
}
// Settings common to both HTTP and TCP upstream connections.
tcp?: {
// TCP connection timeout.
connectTimeout?: string
// The maximum duration of a connection.
maxConnectionDuration?: string
// Maximum number of HTTP1 /TCP connections to a destination host.
maxConnections?: int
// If set then set SO_KEEPALIVE on the socket to enable TCP
// Keepalives.
tcpKeepalive?: {
// The time duration between keep-alive probes.
interval?: string
// Maximum number of keepalive probes to send without response
// before deciding the connection is dead.
probes?: int
// The time duration a connection needs to be idle before
// keep-alive probes start being sent.
time?: string
}
}
}
// Settings controlling the load balancer algorithms.
loadBalancer?: ({} | {
simple: _
} | {
consistentHash: _
}) & {
consistentHash?: ({} | {
httpHeaderName: _
} | {
httpCookie: _
} | {
useSourceIp: _
} | {
httpQueryParameterName: _
}) & ({} | {
ringHash: _
} | {
maglev: _
}) & {
// Hash based on HTTP cookie.
httpCookie?: {
// Name of the cookie.
name: string
// Path to set for the cookie.
path?: string
// Lifetime of the cookie.
ttl?: string
}
// Hash based on a specific HTTP header.
httpHeaderName?: string
// Hash based on a specific HTTP query parameter.
httpQueryParameterName?: string
maglev?: {
// The table size for Maglev hashing.
tableSize?: int
}
// Deprecated.
minimumRingSize?: int
ringHash?: {
// The minimum number of virtual nodes to use for the hash ring.
minimumRingSize?: int
}
// Hash based on the source IP address.
useSourceIp?: bool
}
localityLbSetting?: {
// Optional: only one of distribute, failover or failoverPriority
// can be set.
distribute?: [...{
// Originating locality, '/' separated, e.g.
from?: string
// Map of upstream localities to traffic distribution weights.
to?: {
[string]: int
}
}]
// enable locality load balancing, this is DestinationRule-level
// and will override mesh wide settings in entirety.
enabled?: null | bool
// Optional: only one of distribute, failover or failoverPriority
// can be set.
failover?: [...{
// Originating region.
from?: string
// Destination region the traffic will fail over to when endpoints
// in the 'from' region becomes unhealthy.
to?: string
}]
// failoverPriority is an ordered list of labels used to sort
// endpoints to do priority based load balancing.
failoverPriority?: [...string]
}
simple?: "UNSPECIFIED" | "LEAST_CONN" | "RANDOM" | "PASSTHROUGH" | "ROUND_ROBIN" | "LEAST_REQUEST"
// Represents the warmup duration of Service.
warmupDurationSecs?: string
}
outlierDetection?: {
// Minimum ejection duration.
baseEjectionTime?: string
// Number of 5xx errors before a host is ejected from the
// connection pool.
consecutive5xxErrors?: null | int
consecutiveErrors?: int
// Number of gateway errors before a host is ejected from the
// connection pool.
consecutiveGatewayErrors?: null | int
// The number of consecutive locally originated failures before
// ejection occurs.
consecutiveLocalOriginFailures?: null | int
// Time interval between ejection sweep analysis.
interval?: string
// Maximum % of hosts in the load balancing pool for the upstream
// service that can be ejected.
maxEjectionPercent?: int
// Outlier detection will be enabled as long as the associated
// load balancing pool has at least min_health_percent hosts in
// healthy mode.
minHealthPercent?: int
// Determines whether to distinguish local origin failures from
// external errors.
splitExternalLocalOriginErrors?: bool
}
// Traffic policies specific to individual ports.
portLevelSettings?: [...{
connectionPool?: {
// HTTP connection pool settings.
http?: {
// Specify if http1.1 connection should be upgraded to http2 for
// the associated destination.
h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
// Maximum number of requests that will be queued while waiting
// for a ready connection pool connection.
http1MaxPendingRequests?: int
// Maximum number of active requests to a destination.
http2MaxRequests?: int
// The idle timeout for upstream connection pool connections.
idleTimeout?: string
// Maximum number of requests per connection to a backend.
maxRequestsPerConnection?: int
// Maximum number of retries that can be outstanding to all hosts
// in a cluster at a given time.
maxRetries?: int
// If set to true, client protocol will be preserved while
// initiating connection to backend.
useClientProtocol?: bool
}
// Settings common to both HTTP and TCP upstream connections.
tcp?: {
// TCP connection timeout.
connectTimeout?: string
// The maximum duration of a connection.
maxConnectionDuration?: string
// Maximum number of HTTP1 /TCP connections to a destination host.
maxConnections?: int
// If set then set SO_KEEPALIVE on the socket to enable TCP
// Keepalives.
tcpKeepalive?: {
// The time duration between keep-alive probes.
interval?: string
// Maximum number of keepalive probes to send without response
// before deciding the connection is dead.
probes?: int
// The time duration a connection needs to be idle before
// keep-alive probes start being sent.
time?: string
}
}
}
// Settings controlling the load balancer algorithms.
loadBalancer?: ({} | {
simple: _
} | {
consistentHash: _
}) & {
consistentHash?: ({} | {
httpHeaderName: _
} | {
httpCookie: _
} | {
useSourceIp: _
} | {
httpQueryParameterName: _
}) & ({} | {
ringHash: _
} | {
maglev: _
}) & {
// Hash based on HTTP cookie.
httpCookie?: {
// Name of the cookie.
name: string
// Path to set for the cookie.
path?: string
// Lifetime of the cookie.
ttl?: string
}
// Hash based on a specific HTTP header.
httpHeaderName?: string
// Hash based on a specific HTTP query parameter.
httpQueryParameterName?: string
maglev?: {
// The table size for Maglev hashing.
tableSize?: int
}
// Deprecated.
minimumRingSize?: int
ringHash?: {
// The minimum number of virtual nodes to use for the hash ring.
minimumRingSize?: int
}
// Hash based on the source IP address.
useSourceIp?: bool
}
localityLbSetting?: {
// Optional: only one of distribute, failover or failoverPriority
// can be set.
distribute?: [...{
// Originating locality, '/' separated, e.g.
from?: string
// Map of upstream localities to traffic distribution weights.
to?: {
[string]: int
}
}]
// enable locality load balancing, this is DestinationRule-level
// and will override mesh wide settings in entirety.
enabled?: null | bool
// Optional: only one of distribute, failover or failoverPriority
// can be set.
failover?: [...{
// Originating region.
from?: string
// Destination region the traffic will fail over to when endpoints
// in the 'from' region becomes unhealthy.
to?: string
}]
// failoverPriority is an ordered list of labels used to sort
// endpoints to do priority based load balancing.
failoverPriority?: [...string]
}
simple?: "UNSPECIFIED" | "LEAST_CONN" | "RANDOM" | "PASSTHROUGH" | "ROUND_ROBIN" | "LEAST_REQUEST"
// Represents the warmup duration of Service.
warmupDurationSecs?: string
}
outlierDetection?: {
// Minimum ejection duration.
baseEjectionTime?: string
// Number of 5xx errors before a host is ejected from the
// connection pool.
consecutive5xxErrors?: null | int
consecutiveErrors?: int
// Number of gateway errors before a host is ejected from the
// connection pool.
consecutiveGatewayErrors?: null | int
// The number of consecutive locally originated failures before
// ejection occurs.
consecutiveLocalOriginFailures?: null | int
// Time interval between ejection sweep analysis.
interval?: string
// Maximum % of hosts in the load balancing pool for the upstream
// service that can be ejected.
maxEjectionPercent?: int
// Outlier detection will be enabled as long as the associated
// load balancing pool has at least min_health_percent hosts in
// healthy mode.
minHealthPercent?: int
// Determines whether to distinguish local origin failures from
// external errors.
splitExternalLocalOriginErrors?: bool
}
port?: {
number?: int
}
// TLS related settings for connections to the upstream service.
tls?: {
// OPTIONAL: The path to the file containing certificate authority
// certificates to use in verifying a presented server
// certificate.
caCertificates?: string
// REQUIRED if mode is `MUTUAL`.
clientCertificate?: string
// The name of the secret that holds the TLS certs for the client
// including the CA certificates.
credentialName?: string
// `insecureSkipVerify` specifies whether the proxy should skip
// verifying the CA signature and SAN for the server certificate
// corresponding to the host.
insecureSkipVerify?: null | bool
// Indicates whether connections to this port should be secured
// using TLS.
mode?: "DISABLE" | "SIMPLE" | "MUTUAL" | "ISTIO_MUTUAL"
// REQUIRED if mode is `MUTUAL`.
privateKey?: string
// SNI string to present to the server during TLS handshake.
sni?: string
// A list of alternate names to verify the subject identity in the
// certificate.
subjectAltNames?: [...string]
}
}]
// TLS related settings for connections to the upstream service.
tls?: {
// OPTIONAL: The path to the file containing certificate authority
// certificates to use in verifying a presented server
// certificate.
caCertificates?: string
// REQUIRED if mode is `MUTUAL`.
clientCertificate?: string
// The name of the secret that holds the TLS certs for the client
// including the CA certificates.
credentialName?: string
// `insecureSkipVerify` specifies whether the proxy should skip
// verifying the CA signature and SAN for the server certificate
// corresponding to the host.
insecureSkipVerify?: null | bool
// Indicates whether connections to this port should be secured
// using TLS.
mode?: "DISABLE" | "SIMPLE" | "MUTUAL" | "ISTIO_MUTUAL"
// REQUIRED if mode is `MUTUAL`.
privateKey?: string
// SNI string to present to the server during TLS handshake.
sni?: string
// A list of alternate names to verify the subject identity in the
// certificate.
subjectAltNames?: [...string]
}
// Configuration of tunneling TCP over other transport or
// application layers for the host configured in the
// DestinationRule.
tunnel?: {
// Specifies which protocol to use for tunneling the downstream
// connection.
protocol?: string
// Specifies a host to which the downstream connection is
// tunneled.
targetHost: string
// Specifies a port to which the downstream connection is
// tunneled.
targetPort: int
}
}
workloadSelector?: {
// One or more labels that indicate a specific set of pods/VMs on
// which a policy should be applied.
matchLabels?: {
[string]: string
}
}
}

967
docs/examples/cue.mod/gen/networking.istio.io/destinationrule/v1beta1/types_gen.cue Normal file
View File

@@ -0,0 +1,967 @@
// Code generated by timoni. DO NOT EDIT.
//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
package v1beta1
import "strings"
#DestinationRule: {
// Configuration affecting load balancing, outlier detection, etc.
// See more details at:
// https://istio.io/docs/reference/config/networking/destination-rule.html
spec!: #DestinationRuleSpec
apiVersion: "networking.istio.io/v1beta1"
kind: "DestinationRule"
metadata!: {
name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
string
}
namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
string
}
labels?: {
[string]: string
}
annotations?: {
[string]: string
}
}
}
// Configuration affecting load balancing, outlier detection, etc.
// See more details at:
// https://istio.io/docs/reference/config/networking/destination-rule.html
#DestinationRuleSpec: {
// A list of namespaces to which this destination rule is
// exported.
exportTo?: [...string]
// The name of a service from the service registry.
host: string
// One or more named sets that represent individual versions of a
// service.
subsets?: [...{
// Labels apply a filter over the endpoints of a service in the
// service registry.
labels?: {
[string]: string
}
// Name of the subset.
name: string
// Traffic policies that apply to this subset.
trafficPolicy?: {
connectionPool?: {
// HTTP connection pool settings.
http?: {
// Specify if http1.1 connection should be upgraded to http2 for
// the associated destination.
h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
// Maximum number of requests that will be queued while waiting
// for a ready connection pool connection.
http1MaxPendingRequests?: int
// Maximum number of active requests to a destination.
http2MaxRequests?: int
// The idle timeout for upstream connection pool connections.
idleTimeout?: string
// Maximum number of requests per connection to a backend.
maxRequestsPerConnection?: int
// Maximum number of retries that can be outstanding to all hosts
// in a cluster at a given time.
maxRetries?: int
// If set to true, client protocol will be preserved while
// initiating connection to backend.
useClientProtocol?: bool
}
// Settings common to both HTTP and TCP upstream connections.
tcp?: {
// TCP connection timeout.
connectTimeout?: string
// The maximum duration of a connection.
maxConnectionDuration?: string
// Maximum number of HTTP1 /TCP connections to a destination host.
maxConnections?: int
// If set then set SO_KEEPALIVE on the socket to enable TCP
// Keepalives.
tcpKeepalive?: {
// The time duration between keep-alive probes.
interval?: string
// Maximum number of keepalive probes to send without response
// before deciding the connection is dead.
probes?: int
// The time duration a connection needs to be idle before
// keep-alive probes start being sent.
time?: string
}
}
}
// Settings controlling the load balancer algorithms.
loadBalancer?: ({} | {
simple: _
} | {
consistentHash: _
}) & {
consistentHash?: ({} | {
httpHeaderName: _
} | {
httpCookie: _
} | {
useSourceIp: _
} | {
httpQueryParameterName: _
}) & ({} | {
ringHash: _
} | {
maglev: _
}) & {
// Hash based on HTTP cookie.
httpCookie?: {
// Name of the cookie.
name: string
// Path to set for the cookie.
path?: string
// Lifetime of the cookie.
ttl?: string
}
// Hash based on a specific HTTP header.
httpHeaderName?: string
// Hash based on a specific HTTP query parameter.
httpQueryParameterName?: string
maglev?: {
// The table size for Maglev hashing.
tableSize?: int
}
// Deprecated.
minimumRingSize?: int
ringHash?: {
// The minimum number of virtual nodes to use for the hash ring.
minimumRingSize?: int
}
// Hash based on the source IP address.
useSourceIp?: bool
}
localityLbSetting?: {
// Optional: only one of distribute, failover or failoverPriority
// can be set.
distribute?: [...{
// Originating locality, '/' separated, e.g.
from?: string
// Map of upstream localities to traffic distribution weights.
to?: {
[string]: int
}
}]
// enable locality load balancing, this is DestinationRule-level
// and will override mesh wide settings in entirety.
enabled?: null | bool
// Optional: only one of distribute, failover or failoverPriority
// can be set.
failover?: [...{
// Originating region.
from?: string
// Destination region the traffic will fail over to when endpoints
// in the 'from' region becomes unhealthy.
to?: string
}]
// failoverPriority is an ordered list of labels used to sort
// endpoints to do priority based load balancing.
failoverPriority?: [...string]
}
simple?: "UNSPECIFIED" | "LEAST_CONN" | "RANDOM" | "PASSTHROUGH" | "ROUND_ROBIN" | "LEAST_REQUEST"
// Represents the warmup duration of Service.
warmupDurationSecs?: string
}
outlierDetection?: {
// Minimum ejection duration.
baseEjectionTime?: string
// Number of 5xx errors before a host is ejected from the
// connection pool.
consecutive5xxErrors?: null | int
consecutiveErrors?: int
// Number of gateway errors before a host is ejected from the
// connection pool.
consecutiveGatewayErrors?: null | int
// The number of consecutive locally originated failures before
// ejection occurs.
consecutiveLocalOriginFailures?: null | int
// Time interval between ejection sweep analysis.
interval?: string
// Maximum % of hosts in the load balancing pool for the upstream
// service that can be ejected.
maxEjectionPercent?: int
// Outlier detection will be enabled as long as the associated
// load balancing pool has at least min_health_percent hosts in
// healthy mode.
minHealthPercent?: int
// Determines whether to distinguish local origin failures from
// external errors.
splitExternalLocalOriginErrors?: bool
}
// Traffic policies specific to individual ports.
portLevelSettings?: [...{
connectionPool?: {
// HTTP connection pool settings.
http?: {
// Specify if http1.1 connection should be upgraded to http2 for
// the associated destination.
h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
// Maximum number of requests that will be queued while waiting
// for a ready connection pool connection.
http1MaxPendingRequests?: int
// Maximum number of active requests to a destination.
http2MaxRequests?: int
// The idle timeout for upstream connection pool connections.
idleTimeout?: string
// Maximum number of requests per connection to a backend.
maxRequestsPerConnection?: int
// Maximum number of retries that can be outstanding to all hosts
// in a cluster at a given time.
maxRetries?: int
// If set to true, client protocol will be preserved while
// initiating connection to backend.
useClientProtocol?: bool
}
// Settings common to both HTTP and TCP upstream connections.
tcp?: {
// TCP connection timeout.
connectTimeout?: string
// The maximum duration of a connection.
maxConnectionDuration?: string
// Maximum number of HTTP1 /TCP connections to a destination host.
maxConnections?: int
// If set then set SO_KEEPALIVE on the socket to enable TCP
// Keepalives.
tcpKeepalive?: {
// The time duration between keep-alive probes.
interval?: string
// Maximum number of keepalive probes to send without response
// before deciding the connection is dead.
probes?: int
// The time duration a connection needs to be idle before
// keep-alive probes start being sent.
time?: string
}
}
}
// Settings controlling the load balancer algorithms.
loadBalancer?: ({} | {
simple: _
} | {
consistentHash: _
}) & {
consistentHash?: ({} | {
httpHeaderName: _
} | {
httpCookie: _
} | {
useSourceIp: _
} | {
httpQueryParameterName: _
}) & ({} | {
ringHash: _
} | {
maglev: _
}) & {
// Hash based on HTTP cookie.
httpCookie?: {
// Name of the cookie.
name: string
// Path to set for the cookie.
path?: string
// Lifetime of the cookie.
ttl?: string
}
// Hash based on a specific HTTP header.
httpHeaderName?: string
// Hash based on a specific HTTP query parameter.
httpQueryParameterName?: string
maglev?: {
// The table size for Maglev hashing.
tableSize?: int
}
// Deprecated.
minimumRingSize?: int
ringHash?: {
// The minimum number of virtual nodes to use for the hash ring.
minimumRingSize?: int
}
// Hash based on the source IP address.
useSourceIp?: bool
}
localityLbSetting?: {
// Optional: only one of distribute, failover or failoverPriority
// can be set.
distribute?: [...{
// Originating locality, '/' separated, e.g.
from?: string
// Map of upstream localities to traffic distribution weights.
to?: {
[string]: int
}
}]
// enable locality load balancing, this is DestinationRule-level
// and will override mesh wide settings in entirety.
enabled?: null | bool
// Optional: only one of distribute, failover or failoverPriority
// can be set.
failover?: [...{
// Originating region.
from?: string
// Destination region the traffic will fail over to when endpoints
// in the 'from' region becomes unhealthy.
to?: string
}]
// failoverPriority is an ordered list of labels used to sort
// endpoints to do priority based load balancing.
failoverPriority?: [...string]
}
simple?: "UNSPECIFIED" | "LEAST_CONN" | "RANDOM" | "PASSTHROUGH" | "ROUND_ROBIN" | "LEAST_REQUEST"
// Represents the warmup duration of Service.
warmupDurationSecs?: string
}
outlierDetection?: {
// Minimum ejection duration.
baseEjectionTime?: string
// Number of 5xx errors before a host is ejected from the
// connection pool.
consecutive5xxErrors?: null | int
consecutiveErrors?: int
// Number of gateway errors before a host is ejected from the
// connection pool.
consecutiveGatewayErrors?: null | int
// The number of consecutive locally originated failures before
// ejection occurs.
consecutiveLocalOriginFailures?: null | int
// Time interval between ejection sweep analysis.
interval?: string
// Maximum % of hosts in the load balancing pool for the upstream
// service that can be ejected.
maxEjectionPercent?: int
// Outlier detection will be enabled as long as the associated
// load balancing pool has at least min_health_percent hosts in
// healthy mode.
minHealthPercent?: int
// Determines whether to distinguish local origin failures from
// external errors.
splitExternalLocalOriginErrors?: bool
}
port?: {
number?: int
}
// TLS related settings for connections to the upstream service.
tls?: {
// OPTIONAL: The path to the file containing certificate authority
// certificates to use in verifying a presented server
// certificate.
caCertificates?: string
// REQUIRED if mode is `MUTUAL`.
clientCertificate?: string
// The name of the secret that holds the TLS certs for the client
// including the CA certificates.
credentialName?: string
// `insecureSkipVerify` specifies whether the proxy should skip
// verifying the CA signature and SAN for the server certificate
// corresponding to the host.
insecureSkipVerify?: null | bool
// Indicates whether connections to this port should be secured
// using TLS.
mode?: "DISABLE" | "SIMPLE" | "MUTUAL" | "ISTIO_MUTUAL"
// REQUIRED if mode is `MUTUAL`.
privateKey?: string
// SNI string to present to the server during TLS handshake.
sni?: string
// A list of alternate names to verify the subject identity in the
// certificate.
subjectAltNames?: [...string]
}
}]
// TLS related settings for connections to the upstream service.
tls?: {
// OPTIONAL: The path to the file containing certificate authority
// certificates to use in verifying a presented server
// certificate.
caCertificates?: string
// REQUIRED if mode is `MUTUAL`.
clientCertificate?: string
// The name of the secret that holds the TLS certs for the client
// including the CA certificates.
credentialName?: string
// `insecureSkipVerify` specifies whether the proxy should skip
// verifying the CA signature and SAN for the server certificate
// corresponding to the host.
insecureSkipVerify?: null | bool
// Indicates whether connections to this port should be secured
// using TLS.
mode?: "DISABLE" | "SIMPLE" | "MUTUAL" | "ISTIO_MUTUAL"
// REQUIRED if mode is `MUTUAL`.
privateKey?: string
// SNI string to present to the server during TLS handshake.
sni?: string
// A list of alternate names to verify the subject identity in the
// certificate.
subjectAltNames?: [...string]
}
// Configuration of tunneling TCP over other transport or
// application layers for the host configured in the
// DestinationRule.
tunnel?: {
// Specifies which protocol to use for tunneling the downstream
// connection.
protocol?: string
// Specifies a host to which the downstream connection is
// tunneled.
targetHost: string
// Specifies a port to which the downstream connection is
// tunneled.
targetPort: int
}
}
}]
// Traffic policies to apply (load balancing policy, connection
// pool sizes, outlier detection).
trafficPolicy?: {
connectionPool?: {
// HTTP connection pool settings.
http?: {
// Specify if http1.1 connection should be upgraded to http2 for
// the associated destination.
h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
// Maximum number of requests that will be queued while waiting
// for a ready connection pool connection.
http1MaxPendingRequests?: int
// Maximum number of active requests to a destination.
http2MaxRequests?: int
// The idle timeout for upstream connection pool connections.
idleTimeout?: string
// Maximum number of requests per connection to a backend.
maxRequestsPerConnection?: int
// Maximum number of retries that can be outstanding to all hosts
// in a cluster at a given time.
maxRetries?: int
// If set to true, client protocol will be preserved while
// initiating connection to backend.
useClientProtocol?: bool
}
// Settings common to both HTTP and TCP upstream connections.
tcp?: {
// TCP connection timeout.
connectTimeout?: string
// The maximum duration of a connection.
maxConnectionDuration?: string
// Maximum number of HTTP1 /TCP connections to a destination host.
maxConnections?: int
// If set then set SO_KEEPALIVE on the socket to enable TCP
// Keepalives.
tcpKeepalive?: {
// The time duration between keep-alive probes.
interval?: string
// Maximum number of keepalive probes to send without response
// before deciding the connection is dead.
probes?: int
// The time duration a connection needs to be idle before
// keep-alive probes start being sent.
time?: string
}
}
}
// Settings controlling the load balancer algorithms.
loadBalancer?: ({} | {
simple: _
} | {
consistentHash: _
}) & {
consistentHash?: ({} | {
httpHeaderName: _
} | {
httpCookie: _
} | {
useSourceIp: _
} | {
httpQueryParameterName: _
}) & ({} | {
ringHash: _
} | {
maglev: _
}) & {
// Hash based on HTTP cookie.
httpCookie?: {
// Name of the cookie.
name: string
// Path to set for the cookie.
path?: string
// Lifetime of the cookie.
ttl?: string
}
// Hash based on a specific HTTP header.
httpHeaderName?: string
// Hash based on a specific HTTP query parameter.
httpQueryParameterName?: string
maglev?: {
// The table size for Maglev hashing.
tableSize?: int
}
// Deprecated.
minimumRingSize?: int
ringHash?: {
// The minimum number of virtual nodes to use for the hash ring.
minimumRingSize?: int
}
// Hash based on the source IP address.
useSourceIp?: bool
}
localityLbSetting?: {
// Optional: only one of distribute, failover or failoverPriority
// can be set.
distribute?: [...{
// Originating locality, '/' separated, e.g.
from?: string
// Map of upstream localities to traffic distribution weights.
to?: {
[string]: int
}
}]
// enable locality load balancing, this is DestinationRule-level
// and will override mesh wide settings in entirety.
enabled?: null | bool
// Optional: only one of distribute, failover or failoverPriority
// can be set.
failover?: [...{
// Originating region.
from?: string
// Destination region the traffic will fail over to when endpoints
// in the 'from' region becomes unhealthy.
to?: string
}]
// failoverPriority is an ordered list of labels used to sort
// endpoints to do priority based load balancing.
failoverPriority?: [...string]
}
simple?: "UNSPECIFIED" | "LEAST_CONN" | "RANDOM" | "PASSTHROUGH" | "ROUND_ROBIN" | "LEAST_REQUEST"
// Represents the warmup duration of Service.
warmupDurationSecs?: string
}
outlierDetection?: {
// Minimum ejection duration.
baseEjectionTime?: string
// Number of 5xx errors before a host is ejected from the
// connection pool.
consecutive5xxErrors?: null | int
consecutiveErrors?: int
// Number of gateway errors before a host is ejected from the
// connection pool.
consecutiveGatewayErrors?: null | int
// The number of consecutive locally originated failures before
// ejection occurs.
consecutiveLocalOriginFailures?: null | int
// Time interval between ejection sweep analysis.
interval?: string
// Maximum % of hosts in the load balancing pool for the upstream
// service that can be ejected.
maxEjectionPercent?: int
// Outlier detection will be enabled as long as the associated
// load balancing pool has at least min_health_percent hosts in
// healthy mode.
minHealthPercent?: int
// Determines whether to distinguish local origin failures from
// external errors.
splitExternalLocalOriginErrors?: bool
}
// Traffic policies specific to individual ports.
portLevelSettings?: [...{
connectionPool?: {
// HTTP connection pool settings.
http?: {
// Specify if http1.1 connection should be upgraded to http2 for
// the associated destination.
h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
// Maximum number of requests that will be queued while waiting
// for a ready connection pool connection.
http1MaxPendingRequests?: int
// Maximum number of active requests to a destination.
http2MaxRequests?: int
// The idle timeout for upstream connection pool connections.
idleTimeout?: string
// Maximum number of requests per connection to a backend.
maxRequestsPerConnection?: int
// Maximum number of retries that can be outstanding to all hosts
// in a cluster at a given time.
maxRetries?: int
// If set to true, client protocol will be preserved while
// initiating connection to backend.
useClientProtocol?: bool
}
// Settings common to both HTTP and TCP upstream connections.
tcp?: {
// TCP connection timeout.
connectTimeout?: string
// The maximum duration of a connection.
maxConnectionDuration?: string
// Maximum number of HTTP1 /TCP connections to a destination host.
maxConnections?: int
// If set then set SO_KEEPALIVE on the socket to enable TCP
// Keepalives.
tcpKeepalive?: {
// The time duration between keep-alive probes.
interval?: string
// Maximum number of keepalive probes to send without response
// before deciding the connection is dead.
probes?: int
// The time duration a connection needs to be idle before
// keep-alive probes start being sent.
time?: string
}
}
}
// Settings controlling the load balancer algorithms.
loadBalancer?: ({} | {
simple: _
} | {
consistentHash: _
}) & {
consistentHash?: ({} | {
httpHeaderName: _
} | {
httpCookie: _
} | {
useSourceIp: _
} | {
httpQueryParameterName: _
}) & ({} | {
ringHash: _
} | {
maglev: _
}) & {
// Hash based on HTTP cookie.
httpCookie?: {
// Name of the cookie.
name: string
// Path to set for the cookie.
path?: string
// Lifetime of the cookie.
ttl?: string
}
// Hash based on a specific HTTP header.
httpHeaderName?: string
// Hash based on a specific HTTP query parameter.
httpQueryParameterName?: string
maglev?: {
// The table size for Maglev hashing.
tableSize?: int
}
// Deprecated.
minimumRingSize?: int
ringHash?: {
// The minimum number of virtual nodes to use for the hash ring.
minimumRingSize?: int
}
// Hash based on the source IP address.
useSourceIp?: bool
}
localityLbSetting?: {
// Optional: only one of distribute, failover or failoverPriority
// can be set.
distribute?: [...{
// Originating locality, '/' separated, e.g.
from?: string
// Map of upstream localities to traffic distribution weights.
to?: {
[string]: int
}
}]
// enable locality load balancing, this is DestinationRule-level
// and will override mesh wide settings in entirety.
enabled?: null | bool
// Optional: only one of distribute, failover or failoverPriority
// can be set.
failover?: [...{
// Originating region.
from?: string
// Destination region the traffic will fail over to when endpoints
// in the 'from' region becomes unhealthy.
to?: string
}]
// failoverPriority is an ordered list of labels used to sort
// endpoints to do priority based load balancing.
failoverPriority?: [...string]
}
simple?: "UNSPECIFIED" | "LEAST_CONN" | "RANDOM" | "PASSTHROUGH" | "ROUND_ROBIN" | "LEAST_REQUEST"
// Represents the warmup duration of Service.
warmupDurationSecs?: string
}
outlierDetection?: {
// Minimum ejection duration.
baseEjectionTime?: string
// Number of 5xx errors before a host is ejected from the
// connection pool.
consecutive5xxErrors?: null | int
consecutiveErrors?: int
// Number of gateway errors before a host is ejected from the
// connection pool.
consecutiveGatewayErrors?: null | int
// The number of consecutive locally originated failures before
// ejection occurs.
consecutiveLocalOriginFailures?: null | int
// Time interval between ejection sweep analysis.
interval?: string
// Maximum % of hosts in the load balancing pool for the upstream
// service that can be ejected.
maxEjectionPercent?: int
// Outlier detection will be enabled as long as the associated
// load balancing pool has at least min_health_percent hosts in
// healthy mode.
minHealthPercent?: int
// Determines whether to distinguish local origin failures from
// external errors.
splitExternalLocalOriginErrors?: bool
}
port?: {
number?: int
}
// TLS related settings for connections to the upstream service.
tls?: {
// OPTIONAL: The path to the file containing certificate authority
// certificates to use in verifying a presented server
// certificate.
caCertificates?: string
// REQUIRED if mode is `MUTUAL`.
clientCertificate?: string
// The name of the secret that holds the TLS certs for the client
// including the CA certificates.
credentialName?: string
// `insecureSkipVerify` specifies whether the proxy should skip
// verifying the CA signature and SAN for the server certificate
// corresponding to the host.
insecureSkipVerify?: null | bool
// Indicates whether connections to this port should be secured
// using TLS.
mode?: "DISABLE" | "SIMPLE" | "MUTUAL" | "ISTIO_MUTUAL"
// REQUIRED if mode is `MUTUAL`.
privateKey?: string
// SNI string to present to the server during TLS handshake.
sni?: string
// A list of alternate names to verify the subject identity in the
// certificate.
subjectAltNames?: [...string]
}
}]
// TLS related settings for connections to the upstream service.
tls?: {
// OPTIONAL: The path to the file containing certificate authority
// certificates to use in verifying a presented server
// certificate.
caCertificates?: string
// REQUIRED if mode is `MUTUAL`.
clientCertificate?: string
// The name of the secret that holds the TLS certs for the client
// including the CA certificates.
credentialName?: string
// `insecureSkipVerify` specifies whether the proxy should skip
// verifying the CA signature and SAN for the server certificate
// corresponding to the host.
insecureSkipVerify?: null | bool
// Indicates whether connections to this port should be secured
// using TLS.
mode?: "DISABLE" | "SIMPLE" | "MUTUAL" | "ISTIO_MUTUAL"
// REQUIRED if mode is `MUTUAL`.
privateKey?: string
// SNI string to present to the server during TLS handshake.
sni?: string
// A list of alternate names to verify the subject identity in the
// certificate.
subjectAltNames?: [...string]
}
// Configuration of tunneling TCP over other transport or
// application layers for the host configured in the
// DestinationRule.
tunnel?: {
// Specifies which protocol to use for tunneling the downstream
// connection.
protocol?: string
// Specifies a host to which the downstream connection is
// tunneled.
targetHost: string
// Specifies a port to which the downstream connection is
// tunneled.
targetPort: int
}
}
workloadSelector?: {
// One or more labels that indicate a specific set of pods/VMs on
// which a policy should be applied.
matchLabels?: {
[string]: string
}
}
}

185
docs/examples/cue.mod/gen/networking.istio.io/envoyfilter/v1alpha3/types_gen.cue Normal file
View File

@@ -0,0 +1,185 @@
// Code generated by timoni. DO NOT EDIT.
//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
package v1alpha3
import "strings"
#EnvoyFilter: {
// Customizing Envoy configuration generated by Istio. See more
// details at:
// https://istio.io/docs/reference/config/networking/envoy-filter.html
spec!: #EnvoyFilterSpec
apiVersion: "networking.istio.io/v1alpha3"
kind: "EnvoyFilter"
metadata!: {
name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
string
}
namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
string
}
labels?: {
[string]: string
}
annotations?: {
[string]: string
}
}
}
// Customizing Envoy configuration generated by Istio. See more
// details at:
// https://istio.io/docs/reference/config/networking/envoy-filter.html
#EnvoyFilterSpec: {
// One or more patches with match conditions.
configPatches?: [...{
// Specifies where in the Envoy configuration, the patch should be
// applied.
applyTo?: "INVALID" | "LISTENER" | "FILTER_CHAIN" | "NETWORK_FILTER" | "HTTP_FILTER" | "ROUTE_CONFIGURATION" | "VIRTUAL_HOST" | "HTTP_ROUTE" | "CLUSTER" | "EXTENSION_CONFIG" | "BOOTSTRAP" | "LISTENER_FILTER"
// Match on listener/route configuration/cluster.
match?: ({} | {
listener: _
} | {
routeConfiguration: _
} | {
cluster: _
}) & {
// Match on envoy cluster attributes.
cluster?: {
// The exact name of the cluster to match.
name?: string
// The service port for which this cluster was generated.
portNumber?: int
// The fully qualified service name for this cluster.
service?: string
// The subset associated with the service.
subset?: string
}
// The specific config generation context to match on.
context?: "ANY" | "SIDECAR_INBOUND" | "SIDECAR_OUTBOUND" | "GATEWAY"
// Match on envoy listener attributes.
listener?: {
// Match a specific filter chain in a listener.
filterChain?: {
// Applies only to sidecars.
applicationProtocols?: string
// The destination_port value used by a filter chain's match
// condition.
destinationPort?: int
// The name of a specific filter to apply the patch to.
filter?: {
// The filter name to match on.
name?: string
subFilter?: {
// The filter name to match on.
name?: string
}
}
// The name assigned to the filter chain.
name?: string
// The SNI value used by a filter chain's match condition.
sni?: string
// Applies only to `SIDECAR_INBOUND` context.
transportProtocol?: string
}
// Match a specific listener filter.
listenerFilter?: string
// Match a specific listener by its name.
name?: string
portName?: string
// The service port/gateway port to which traffic is being
// sent/received.
portNumber?: int
}
// Match on properties associated with a proxy.
proxy?: {
// Match on the node metadata supplied by a proxy when connecting
// to Istio Pilot.
metadata?: {
[string]: string
}
// A regular expression in golang regex format (RE2) that can be
// used to select proxies using a specific version of istio
// proxy.
proxyVersion?: string
}
// Match on envoy HTTP route configuration attributes.
routeConfiguration?: {
// The Istio gateway config's namespace/name for which this route
// configuration was generated.
gateway?: string
// Route configuration name to match on.
name?: string
// Applicable only for GATEWAY context.
portName?: string
// The service port number or gateway server port number for which
// this route configuration was generated.
portNumber?: int
// Match a specific virtual host in a route configuration and
// apply the patch to the virtual host.
vhost?: {
// The VirtualHosts objects generated by Istio are named as
// host:port, where the host typically corresponds to the
// VirtualService's host field or the hostname of a service in
// the registry.
name?: string
// Match a specific route within the virtual host.
route?: {
// Match a route with specific action type.
action?: "ANY" | "ROUTE" | "REDIRECT" | "DIRECT_RESPONSE"
// The Route objects generated by default are named as default.
name?: string
}
}
}
}
// The patch to apply along with the operation.
patch?: {
// Determines the filter insertion order.
filterClass?: "UNSPECIFIED" | "AUTHN" | "AUTHZ" | "STATS"
// Determines how the patch should be applied.
operation?: "INVALID" | "MERGE" | "ADD" | "REMOVE" | "INSERT_BEFORE" | "INSERT_AFTER" | "INSERT_FIRST" | "REPLACE"
// The JSON config of the object being patched.
value?: {}
}
}]
// Priority defines the order in which patch sets are applied
// within a context.
priority?: int
workloadSelector?: {
// One or more labels that indicate a specific set of pods/VMs on
// which the configuration should be applied.
labels?: {
[string]: string
}
}
}

115
docs/examples/cue.mod/gen/networking.istio.io/gateway/v1alpha3/types_gen.cue Normal file
View File

@@ -0,0 +1,115 @@
// Code generated by timoni. DO NOT EDIT.
//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
package v1alpha3
import "strings"
#Gateway: {
// Configuration affecting edge load balancer. See more details
// at:
// https://istio.io/docs/reference/config/networking/gateway.html
spec!: #GatewaySpec
apiVersion: "networking.istio.io/v1alpha3"
kind: "Gateway"
metadata!: {
name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
string
}
namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
string
}
labels?: {
[string]: string
}
annotations?: {
[string]: string
}
}
}
// Configuration affecting edge load balancer. See more details
// at:
// https://istio.io/docs/reference/config/networking/gateway.html
#GatewaySpec: {
// One or more labels that indicate a specific set of pods/VMs on
// which this gateway configuration should be applied.
selector?: {
[string]: string
}
// A list of server specifications.
servers?: [...{
// The ip or the Unix domain socket to which the listener should
// be bound to.
bind?: string
defaultEndpoint?: string
// One or more hosts exposed by this gateway.
hosts: [...string]
// An optional name of the server, when set must be unique across
// all servers.
name?: string
// The Port on which the proxy should listen for incoming
// connections.
port: {
// Label assigned to the port.
name: string
// A valid non-negative integer port number.
number: int
// The protocol exposed on the port.
protocol: string
targetPort?: int
}
// Set of TLS related options that govern the server's behavior.
tls?: {
// REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
caCertificates?: string
// Optional: If specified, only support the specified cipher list.
cipherSuites?: [...string]
// For gateways running on Kubernetes, the name of the secret that
// holds the TLS certs including the CA certificates.
credentialName?: string
// If set to true, the load balancer will send a 301 redirect for
// all http connections, asking the clients to use HTTPS.
httpsRedirect?: bool
// Optional: Maximum TLS protocol version.
maxProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
// Optional: Minimum TLS protocol version.
minProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
// Optional: Indicates whether connections to this port should be
// secured using TLS.
mode?: "PASSTHROUGH" | "SIMPLE" | "MUTUAL" | "AUTO_PASSTHROUGH" | "ISTIO_MUTUAL" | "OPTIONAL_MUTUAL"
// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
privateKey?: string
// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
serverCertificate?: string
// A list of alternate names to verify the subject identity in the
// certificate presented by the client.
subjectAltNames?: [...string]
// An optional list of hex-encoded SHA-256 hashes of the
// authorized client certificates.
verifyCertificateHash?: [...string]
// An optional list of base64-encoded SHA-256 hashes of the SPKIs
// of authorized client certificates.
verifyCertificateSpki?: [...string]
}
}]
}

115
docs/examples/cue.mod/gen/networking.istio.io/gateway/v1beta1/types_gen.cue Normal file
View File

@@ -0,0 +1,115 @@
// Code generated by timoni. DO NOT EDIT.
//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
package v1beta1
import "strings"
#Gateway: {
// Configuration affecting edge load balancer. See more details
// at:
// https://istio.io/docs/reference/config/networking/gateway.html
spec!: #GatewaySpec
apiVersion: "networking.istio.io/v1beta1"
kind: "Gateway"
metadata!: {
name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
string
}
namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
string
}
labels?: {
[string]: string
}
annotations?: {
[string]: string
}
}
}
// Configuration affecting edge load balancer. See more details
// at:
// https://istio.io/docs/reference/config/networking/gateway.html
#GatewaySpec: {
// One or more labels that indicate a specific set of pods/VMs on
// which this gateway configuration should be applied.
selector?: {
[string]: string
}
// A list of server specifications.
servers?: [...{
// The ip or the Unix domain socket to which the listener should
// be bound to.
bind?: string
defaultEndpoint?: string
// One or more hosts exposed by this gateway.
hosts: [...string]
// An optional name of the server, when set must be unique across
// all servers.
name?: string
// The Port on which the proxy should listen for incoming
// connections.
port: {
// Label assigned to the port.
name: string
// A valid non-negative integer port number.
number: int
// The protocol exposed on the port.
protocol: string
targetPort?: int
}
// Set of TLS related options that govern the server's behavior.
tls?: {
// REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
caCertificates?: string
// Optional: If specified, only support the specified cipher list.
cipherSuites?: [...string]
// For gateways running on Kubernetes, the name of the secret that
// holds the TLS certs including the CA certificates.
credentialName?: string
// If set to true, the load balancer will send a 301 redirect for
// all http connections, asking the clients to use HTTPS.
httpsRedirect?: bool
// Optional: Maximum TLS protocol version.
maxProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
// Optional: Minimum TLS protocol version.
minProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
// Optional: Indicates whether connections to this port should be
// secured using TLS.
mode?: "PASSTHROUGH" | "SIMPLE" | "MUTUAL" | "AUTO_PASSTHROUGH" | "ISTIO_MUTUAL" | "OPTIONAL_MUTUAL"
// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
privateKey?: string
// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
serverCertificate?: string
// A list of alternate names to verify the subject identity in the
// certificate presented by the client.
subjectAltNames?: [...string]
// An optional list of hex-encoded SHA-256 hashes of the
// authorized client certificates.
verifyCertificateHash?: [...string]
// An optional list of base64-encoded SHA-256 hashes of the SPKIs
// of authorized client certificates.
verifyCertificateSpki?: [...string]
}
}]
}

54
docs/examples/cue.mod/gen/networking.istio.io/proxyconfig/v1beta1/types_gen.cue Normal file
View File

@@ -0,0 +1,54 @@
// Code generated by timoni. DO NOT EDIT.
//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
package v1beta1
import "strings"
#ProxyConfig: {
// Provides configuration for individual workloads. See more
// details at:
// https://istio.io/docs/reference/config/networking/proxy-config.html
spec!: #ProxyConfigSpec
apiVersion: "networking.istio.io/v1beta1"
kind: "ProxyConfig"
metadata!: {
name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
string
}
namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
string
}
labels?: {
[string]: string
}
annotations?: {
[string]: string
}
}
}
// Provides configuration for individual workloads. See more
// details at:
// https://istio.io/docs/reference/config/networking/proxy-config.html
#ProxyConfigSpec: {
// The number of worker threads to run.
concurrency?: null | int
// Additional environment variables for the proxy.
environmentVariables?: {
[string]: string
}
image?: {
// The image type of the image.
imageType?: string
}
selector?: {
// One or more labels that indicate a specific set of pods/VMs on
// which a policy should be applied.
matchLabels?: {
[string]: string
}
}
}

107
docs/examples/cue.mod/gen/networking.istio.io/serviceentry/v1alpha3/types_gen.cue Normal file
View File

@@ -0,0 +1,107 @@
// Code generated by timoni. DO NOT EDIT.
//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
package v1alpha3
import "strings"
#ServiceEntry: {
// Configuration affecting service registry. See more details at:
// https://istio.io/docs/reference/config/networking/service-entry.html
spec!: #ServiceEntrySpec
apiVersion: "networking.istio.io/v1alpha3"
kind: "ServiceEntry"
metadata!: {
name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
string
}
namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
string
}
labels?: {
[string]: string
}
annotations?: {
[string]: string
}
}
}
// Configuration affecting service registry. See more details at:
// https://istio.io/docs/reference/config/networking/service-entry.html
#ServiceEntrySpec: {
// The virtual IP addresses associated with the service.
addresses?: [...string]
// One or more endpoints associated with the service.
endpoints?: [...{
// Address associated with the network endpoint without the port.
address?: string
// One or more labels associated with the endpoint.
labels?: {
[string]: string
}
// The locality associated with the endpoint.
locality?: string
// Network enables Istio to group endpoints resident in the same
// L3 domain/network.
network?: string
// Set of ports associated with the endpoint.
ports?: {
[string]: int
}
// The service account associated with the workload if a sidecar
// is present in the workload.
serviceAccount?: string
// The load balancing weight associated with the endpoint.
weight?: int
}]
// A list of namespaces to which this service is exported.
exportTo?: [...string]
// The hosts associated with the ServiceEntry.
hosts: [...string]
// Specify whether the service should be considered external to
// the mesh or part of the mesh.
location?: "MESH_EXTERNAL" | "MESH_INTERNAL"
// The ports associated with the external service.
ports?: [...{
// Label assigned to the port.
name: string
// A valid non-negative integer port number.
number: int
// The protocol exposed on the port.
protocol?: string
// The port number on the endpoint where the traffic will be
// received.
targetPort?: int
}]
// Service resolution mode for the hosts.
resolution?: "NONE" | "STATIC" | "DNS" | "DNS_ROUND_ROBIN"
// If specified, the proxy will verify that the server
// certificate's subject alternate name matches one of the
// specified values.
subjectAltNames?: [...string]
workloadSelector?: {
// One or more labels that indicate a specific set of pods/VMs on
// which the configuration should be applied.
labels?: {
[string]: string
}
}
}

107
docs/examples/cue.mod/gen/networking.istio.io/serviceentry/v1beta1/types_gen.cue Normal file
View File

@@ -0,0 +1,107 @@
// Code generated by timoni. DO NOT EDIT.
//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
package v1beta1
import "strings"
#ServiceEntry: {
// Configuration affecting service registry. See more details at:
// https://istio.io/docs/reference/config/networking/service-entry.html
spec!: #ServiceEntrySpec
apiVersion: "networking.istio.io/v1beta1"
kind: "ServiceEntry"
metadata!: {
name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
string
}
namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
string
}
labels?: {
[string]: string
}
annotations?: {
[string]: string
}
}
}
// Configuration affecting service registry. See more details at:
// https://istio.io/docs/reference/config/networking/service-entry.html
#ServiceEntrySpec: {
// The virtual IP addresses associated with the service.
addresses?: [...string]
// One or more endpoints associated with the service.
endpoints?: [...{
// Address associated with the network endpoint without the port.
address?: string
// One or more labels associated with the endpoint.
labels?: {
[string]: string
}
// The locality associated with the endpoint.
locality?: string
// Network enables Istio to group endpoints resident in the same
// L3 domain/network.
network?: string
// Set of ports associated with the endpoint.
ports?: {
[string]: int
}
// The service account associated with the workload if a sidecar
// is present in the workload.
serviceAccount?: string
// The load balancing weight associated with the endpoint.
weight?: int
}]
// A list of namespaces to which this service is exported.
exportTo?: [...string]
// The hosts associated with the ServiceEntry.
hosts: [...string]
// Specify whether the service should be considered external to
// the mesh or part of the mesh.
location?: "MESH_EXTERNAL" | "MESH_INTERNAL"
// The ports associated with the external service.
ports?: [...{
// Label assigned to the port.
name: string
// A valid non-negative integer port number.
number: int
// The protocol exposed on the port.
protocol?: string
// The port number on the endpoint where the traffic will be
// received.
targetPort?: int
}]
// Service resolution mode for the hosts.
resolution?: "NONE" | "STATIC" | "DNS" | "DNS_ROUND_ROBIN"
// If specified, the proxy will verify that the server
// certificate's subject alternate name matches one of the
// specified values.
subjectAltNames?: [...string]
workloadSelector?: {
// One or more labels that indicate a specific set of pods/VMs on
// which the configuration should be applied.
labels?: {
[string]: string
}
}
}

280
docs/examples/cue.mod/gen/networking.istio.io/sidecar/v1alpha3/types_gen.cue Normal file
View File

@@ -0,0 +1,280 @@
// Code generated by timoni. DO NOT EDIT.
//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
package v1alpha3
import "strings"
#Sidecar: {
// Configuration affecting network reachability of a sidecar. See
// more details at:
// https://istio.io/docs/reference/config/networking/sidecar.html
spec!: #SidecarSpec
apiVersion: "networking.istio.io/v1alpha3"
kind: "Sidecar"
metadata!: {
name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
string
}
namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
string
}
labels?: {
[string]: string
}
annotations?: {
[string]: string
}
}
}
// Configuration affecting network reachability of a sidecar. See
// more details at:
// https://istio.io/docs/reference/config/networking/sidecar.html
#SidecarSpec: {
// Egress specifies the configuration of the sidecar for
// processing outbound traffic from the attached workload
// instance to other services in the mesh.
egress?: [...{
// The IP(IPv4 or IPv6) or the Unix domain socket to which the
// listener should be bound to.
bind?: string
// When the bind address is an IP, the captureMode option dictates
// how traffic to the listener is expected to be captured (or
// not).
captureMode?: "DEFAULT" | "IPTABLES" | "NONE"
// One or more service hosts exposed by the listener in
// `namespace/dnsName` format.
hosts: [...string]
// The port associated with the listener.
port?: {
// Label assigned to the port.
name?: string
// A valid non-negative integer port number.
number?: int
// The protocol exposed on the port.
protocol?: string
targetPort?: int
}
}]
// Settings controlling the volume of connections Envoy will
// accept from the network.
inboundConnectionPool?: {
// HTTP connection pool settings.
http?: {
// Specify if http1.1 connection should be upgraded to http2 for
// the associated destination.
h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
// Maximum number of requests that will be queued while waiting
// for a ready connection pool connection.
http1MaxPendingRequests?: int
// Maximum number of active requests to a destination.
http2MaxRequests?: int
// The idle timeout for upstream connection pool connections.
idleTimeout?: string
// Maximum number of requests per connection to a backend.
maxRequestsPerConnection?: int
// Maximum number of retries that can be outstanding to all hosts
// in a cluster at a given time.
maxRetries?: int
// If set to true, client protocol will be preserved while
// initiating connection to backend.
useClientProtocol?: bool
}
// Settings common to both HTTP and TCP upstream connections.
tcp?: {
// TCP connection timeout.
connectTimeout?: string
// The maximum duration of a connection.
maxConnectionDuration?: string
// Maximum number of HTTP1 /TCP connections to a destination host.
maxConnections?: int
// If set then set SO_KEEPALIVE on the socket to enable TCP
// Keepalives.
tcpKeepalive?: {
// The time duration between keep-alive probes.
interval?: string
// Maximum number of keepalive probes to send without response
// before deciding the connection is dead.
probes?: int
// The time duration a connection needs to be idle before
// keep-alive probes start being sent.
time?: string
}
}
}
// Ingress specifies the configuration of the sidecar for
// processing inbound traffic to the attached workload instance.
ingress?: [...{
// The IP(IPv4 or IPv6) to which the listener should be bound.
bind?: string
// The captureMode option dictates how traffic to the listener is
// expected to be captured (or not).
captureMode?: "DEFAULT" | "IPTABLES" | "NONE"
// Settings controlling the volume of connections Envoy will
// accept from the network.
connectionPool?: {
// HTTP connection pool settings.
http?: {
// Specify if http1.1 connection should be upgraded to http2 for
// the associated destination.
h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
// Maximum number of requests that will be queued while waiting
// for a ready connection pool connection.
http1MaxPendingRequests?: int
// Maximum number of active requests to a destination.
http2MaxRequests?: int
// The idle timeout for upstream connection pool connections.
idleTimeout?: string
// Maximum number of requests per connection to a backend.
maxRequestsPerConnection?: int
// Maximum number of retries that can be outstanding to all hosts
// in a cluster at a given time.
maxRetries?: int
// If set to true, client protocol will be preserved while
// initiating connection to backend.
useClientProtocol?: bool
}
// Settings common to both HTTP and TCP upstream connections.
tcp?: {
// TCP connection timeout.
connectTimeout?: string
// The maximum duration of a connection.
maxConnectionDuration?: string
// Maximum number of HTTP1 /TCP connections to a destination host.
maxConnections?: int
// If set then set SO_KEEPALIVE on the socket to enable TCP
// Keepalives.
tcpKeepalive?: {
// The time duration between keep-alive probes.
interval?: string
// Maximum number of keepalive probes to send without response
// before deciding the connection is dead.
probes?: int
// The time duration a connection needs to be idle before
// keep-alive probes start being sent.
time?: string
}
}
}
// The IP endpoint or Unix domain socket to which traffic should
// be forwarded to.
defaultEndpoint?: string
// The port associated with the listener.
port: {
// Label assigned to the port.
name?: string
// A valid non-negative integer port number.
number?: int
// The protocol exposed on the port.
protocol?: string
targetPort?: int
}
// Set of TLS related options that will enable TLS termination on
// the sidecar for requests originating from outside the mesh.
tls?: {
// REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
caCertificates?: string
// Optional: If specified, only support the specified cipher list.
cipherSuites?: [...string]
// For gateways running on Kubernetes, the name of the secret that
// holds the TLS certs including the CA certificates.
credentialName?: string
// If set to true, the load balancer will send a 301 redirect for
// all http connections, asking the clients to use HTTPS.
httpsRedirect?: bool
// Optional: Maximum TLS protocol version.
maxProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
// Optional: Minimum TLS protocol version.
minProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
// Optional: Indicates whether connections to this port should be
// secured using TLS.
mode?: "PASSTHROUGH" | "SIMPLE" | "MUTUAL" | "AUTO_PASSTHROUGH" | "ISTIO_MUTUAL" | "OPTIONAL_MUTUAL"
// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
privateKey?: string
// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
serverCertificate?: string
// A list of alternate names to verify the subject identity in the
// certificate presented by the client.
subjectAltNames?: [...string]
// An optional list of hex-encoded SHA-256 hashes of the
// authorized client certificates.
verifyCertificateHash?: [...string]
// An optional list of base64-encoded SHA-256 hashes of the SPKIs
// of authorized client certificates.
verifyCertificateSpki?: [...string]
}
}]
// Configuration for the outbound traffic policy.
outboundTrafficPolicy?: {
egressProxy?: {
// The name of a service from the service registry.
host: string
port?: {
number?: int
}
// The name of a subset within the service.
subset?: string
}
mode?: "REGISTRY_ONLY" | "ALLOW_ANY"
}
workloadSelector?: {
// One or more labels that indicate a specific set of pods/VMs on
// which the configuration should be applied.
labels?: {
[string]: string
}
}
}

280
docs/examples/cue.mod/gen/networking.istio.io/sidecar/v1beta1/types_gen.cue Normal file
View File

@@ -0,0 +1,280 @@
// Code generated by timoni. DO NOT EDIT.
//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
package v1beta1
import "strings"
#Sidecar: {
// Configuration affecting network reachability of a sidecar. See
// more details at:
// https://istio.io/docs/reference/config/networking/sidecar.html
spec!: #SidecarSpec
apiVersion: "networking.istio.io/v1beta1"
kind: "Sidecar"
metadata!: {
name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
string
}
namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
string
}
labels?: {
[string]: string
}
annotations?: {
[string]: string
}
}
}
// Configuration affecting network reachability of a sidecar. See
// more details at:
// https://istio.io/docs/reference/config/networking/sidecar.html
#SidecarSpec: {
// Egress specifies the configuration of the sidecar for
// processing outbound traffic from the attached workload
// instance to other services in the mesh.
egress?: [...{
// The IP(IPv4 or IPv6) or the Unix domain socket to which the
// listener should be bound to.
bind?: string
// When the bind address is an IP, the captureMode option dictates
// how traffic to the listener is expected to be captured (or
// not).
captureMode?: "DEFAULT" | "IPTABLES" | "NONE"
// One or more service hosts exposed by the listener in
// `namespace/dnsName` format.
hosts: [...string]
// The port associated with the listener.
port?: {
// Label assigned to the port.
name?: string
// A valid non-negative integer port number.
number?: int
// The protocol exposed on the port.
protocol?: string
targetPort?: int
}
}]
// Settings controlling the volume of connections Envoy will
// accept from the network.
inboundConnectionPool?: {
// HTTP connection pool settings.
http?: {
// Specify if http1.1 connection should be upgraded to http2 for
// the associated destination.
h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
// Maximum number of requests that will be queued while waiting
// for a ready connection pool connection.
http1MaxPendingRequests?: int
// Maximum number of active requests to a destination.
http2MaxRequests?: int
// The idle timeout for upstream connection pool connections.
idleTimeout?: string
// Maximum number of requests per connection to a backend.
maxRequestsPerConnection?: int
// Maximum number of retries that can be outstanding to all hosts
// in a cluster at a given time.
maxRetries?: int
// If set to true, client protocol will be preserved while
// initiating connection to backend.
useClientProtocol?: bool
}
// Settings common to both HTTP and TCP upstream connections.
tcp?: {
// TCP connection timeout.
connectTimeout?: string
// The maximum duration of a connection.
maxConnectionDuration?: string
// Maximum number of HTTP1 /TCP connections to a destination host.
maxConnections?: int
// If set then set SO_KEEPALIVE on the socket to enable TCP
// Keepalives.
tcpKeepalive?: {
// The time duration between keep-alive probes.
interval?: string
// Maximum number of keepalive probes to send without response
// before deciding the connection is dead.
probes?: int
// The time duration a connection needs to be idle before
// keep-alive probes start being sent.
time?: string
}
}
}
// Ingress specifies the configuration of the sidecar for
// processing inbound traffic to the attached workload instance.
ingress?: [...{
// The IP(IPv4 or IPv6) to which the listener should be bound.
bind?: string
// The captureMode option dictates how traffic to the listener is
// expected to be captured (or not).
captureMode?: "DEFAULT" | "IPTABLES" | "NONE"
// Settings controlling the volume of connections Envoy will
// accept from the network.
connectionPool?: {
// HTTP connection pool settings.
http?: {
// Specify if http1.1 connection should be upgraded to http2 for
// the associated destination.
h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
// Maximum number of requests that will be queued while waiting
// for a ready connection pool connection.
http1MaxPendingRequests?: int
// Maximum number of active requests to a destination.
http2MaxRequests?: int
// The idle timeout for upstream connection pool connections.
idleTimeout?: string
// Maximum number of requests per connection to a backend.
maxRequestsPerConnection?: int
// Maximum number of retries that can be outstanding to all hosts
// in a cluster at a given time.
maxRetries?: int
// If set to true, client protocol will be preserved while
// initiating connection to backend.
useClientProtocol?: bool
}
// Settings common to both HTTP and TCP upstream connections.
tcp?: {
// TCP connection timeout.
connectTimeout?: string
// The maximum duration of a connection.
maxConnectionDuration?: string
// Maximum number of HTTP1 /TCP connections to a destination host.
maxConnections?: int
// If set then set SO_KEEPALIVE on the socket to enable TCP
// Keepalives.
tcpKeepalive?: {
// The time duration between keep-alive probes.
interval?: string
// Maximum number of keepalive probes to send without response
// before deciding the connection is dead.
probes?: int
// The time duration a connection needs to be idle before
// keep-alive probes start being sent.
time?: string
}
}
}
// The IP endpoint or Unix domain socket to which traffic should
// be forwarded to.
defaultEndpoint?: string
// The port associated with the listener.
port: {
// Label assigned to the port.
name?: string
// A valid non-negative integer port number.
number?: int
// The protocol exposed on the port.
protocol?: string
targetPort?: int
}
// Set of TLS related options that will enable TLS termination on
// the sidecar for requests originating from outside the mesh.
tls?: {
// REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
caCertificates?: string
// Optional: If specified, only support the specified cipher list.
cipherSuites?: [...string]
// For gateways running on Kubernetes, the name of the secret that
// holds the TLS certs including the CA certificates.
credentialName?: string
// If set to true, the load balancer will send a 301 redirect for
// all http connections, asking the clients to use HTTPS.
httpsRedirect?: bool
// Optional: Maximum TLS protocol version.
maxProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
// Optional: Minimum TLS protocol version.
minProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
// Optional: Indicates whether connections to this port should be
// secured using TLS.
mode?: "PASSTHROUGH" | "SIMPLE" | "MUTUAL" | "AUTO_PASSTHROUGH" | "ISTIO_MUTUAL" | "OPTIONAL_MUTUAL"
// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
privateKey?: string
// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
serverCertificate?: string
// A list of alternate names to verify the subject identity in the
// certificate presented by the client.
subjectAltNames?: [...string]
// An optional list of hex-encoded SHA-256 hashes of the
// authorized client certificates.
verifyCertificateHash?: [...string]
// An optional list of base64-encoded SHA-256 hashes of the SPKIs
// of authorized client certificates.
verifyCertificateSpki?: [...string]
}
}]
// Configuration for the outbound traffic policy.
outboundTrafficPolicy?: {
egressProxy?: {
// The name of a service from the service registry.
host: string
port?: {
number?: int
}
// The name of a subset within the service.
subset?: string
}
mode?: "REGISTRY_ONLY" | "ALLOW_ANY"
}
workloadSelector?: {
// One or more labels that indicate a specific set of pods/VMs on
// which the configuration should be applied.
labels?: {
[string]: string
}
}
}

594
docs/examples/cue.mod/gen/networking.istio.io/virtualservice/v1alpha3/types_gen.cue Normal file
View File

@@ -0,0 +1,594 @@
// Code generated by timoni. DO NOT EDIT.
//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
package v1alpha3
import "strings"
#VirtualService: {
// Configuration affecting label/content routing, sni routing,
// etc. See more details at:
// https://istio.io/docs/reference/config/networking/virtual-service.html
spec!: #VirtualServiceSpec
apiVersion: "networking.istio.io/v1alpha3"
kind: "VirtualService"
metadata!: {
name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
string
}
namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
string
}
labels?: {
[string]: string
}
annotations?: {
[string]: string
}
}
}
// Configuration affecting label/content routing, sni routing,
// etc. See more details at:
// https://istio.io/docs/reference/config/networking/virtual-service.html
#VirtualServiceSpec: {
// A list of namespaces to which this virtual service is exported.
exportTo?: [...string]
// The names of gateways and sidecars that should apply these
// routes.
gateways?: [...string]
// The destination hosts to which traffic is being sent.
hosts?: [...string]
// An ordered list of route rules for HTTP traffic.
http?: [...{
// Cross-Origin Resource Sharing policy (CORS).
corsPolicy?: {
// Indicates whether the caller is allowed to send the actual
// request (not the preflight) using credentials.
allowCredentials?: null | bool
// List of HTTP headers that can be used when requesting the
// resource.
allowHeaders?: [...string]
// List of HTTP methods allowed to access the resource.
allowMethods?: [...string]
allowOrigin?: [...string]
// String patterns that match allowed origins.
allowOrigins?: [...({} | {
exact: _
} | {
prefix: _
} | {
regex: _
}) & {
exact?: string
prefix?: string
// RE2 style regex-based match
// (https://github.com/google/re2/wiki/Syntax).
regex?: string
}]
// A list of HTTP headers that the browsers are allowed to access.
exposeHeaders?: [...string]
// Specifies how long the results of a preflight request can be
// cached.
maxAge?: string
}
// Delegate is used to specify the particular VirtualService which
// can be used to define delegate HTTPRoute.
delegate?: {
// Name specifies the name of the delegate VirtualService.
name?: string
// Namespace specifies the namespace where the delegate
// VirtualService resides.
namespace?: string
}
// A HTTP rule can either return a direct_response, redirect or
// forward (default) traffic.
directResponse?: {
// Specifies the content of the response body.
body?: ({} | {
string: _
} | {
bytes: _
}) & {
// response body as base64 encoded bytes.
bytes?: string
string?: string
}
// Specifies the HTTP response status to be returned.
status: int
}
// Fault injection policy to apply on HTTP traffic at the client
// side.
fault?: {
// Abort Http request attempts and return error codes back to
// downstream service, giving the impression that the upstream
// service is faulty.
abort?: ({} | {
httpStatus: _
} | {
grpcStatus: _
} | {
http2Error: _
}) & {
// GRPC status code to use to abort the request.
grpcStatus?: string
http2Error?: string
// HTTP status code to use to abort the Http request.
httpStatus?: int
percentage?: {
value?: number
}
}
// Delay requests before forwarding, emulating various failures
// such as network issues, overloaded upstream service, etc.
delay?: ({} | {
fixedDelay: _
} | {
exponentialDelay: _
}) & {
exponentialDelay?: string
// Add a fixed delay before forwarding the request.
fixedDelay?: string
// Percentage of requests on which the delay will be injected
// (0-100).
percent?: int
percentage?: {
value?: number
}
}
}
headers?: {
request?: {
add?: {
[string]: string
}
remove?: [...string]
set?: {
[string]: string
}
}
response?: {
add?: {
[string]: string
}
remove?: [...string]
set?: {
[string]: string
}
}
}
// Match conditions to be satisfied for the rule to be activated.
match?: [...{
// HTTP Authority values are case-sensitive and formatted as
// follows: - `exact: "value"` for exact string match - `prefix:
// "value"` for prefix-based match - `regex: "value"` for RE2
// style regex-based match
// (https://github.com/google/re2/wiki/Syntax).
authority?: ({} | {
exact: _
} | {
prefix: _
} | {
regex: _
}) & {
exact?: string
prefix?: string
// RE2 style regex-based match
// (https://github.com/google/re2/wiki/Syntax).
regex?: string
}
// Names of gateways where the rule should be applied.
gateways?: [...string]
// The header keys must be lowercase and use hyphen as the
// separator, e.g.
headers?: {
[string]: ({} | {
exact: _
} | {
prefix: _
} | {
regex: _
}) & {
exact?: string
prefix?: string
// RE2 style regex-based match
// (https://github.com/google/re2/wiki/Syntax).
regex?: string
}
}
// Flag to specify whether the URI matching should be
// case-insensitive.
ignoreUriCase?: bool
// HTTP Method values are case-sensitive and formatted as follows:
// - `exact: "value"` for exact string match - `prefix: "value"`
// for prefix-based match - `regex: "value"` for RE2 style
// regex-based match (https://github.com/google/re2/wiki/Syntax).
method?: ({} | {
exact: _
} | {
prefix: _
} | {
regex: _
}) & {
exact?: string
prefix?: string
// RE2 style regex-based match
// (https://github.com/google/re2/wiki/Syntax).
regex?: string
}
// The name assigned to a match.
name?: string
// Specifies the ports on the host that is being addressed.
port?: int
// Query parameters for matching.
queryParams?: {
[string]: ({} | {
exact: _
} | {
prefix: _
} | {
regex: _
}) & {
exact?: string
prefix?: string
// RE2 style regex-based match
// (https://github.com/google/re2/wiki/Syntax).
regex?: string
}
}
// URI Scheme values are case-sensitive and formatted as follows:
// - `exact: "value"` for exact string match - `prefix: "value"`
// for prefix-based match - `regex: "value"` for RE2 style
// regex-based match (https://github.com/google/re2/wiki/Syntax).
scheme?: ({} | {
exact: _
} | {
prefix: _
} | {
regex: _
}) & {
exact?: string
prefix?: string
// RE2 style regex-based match
// (https://github.com/google/re2/wiki/Syntax).
regex?: string
}
// One or more labels that constrain the applicability of a rule
// to source (client) workloads with the given labels.
sourceLabels?: {
[string]: string
}
// Source namespace constraining the applicability of a rule to
// workloads in that namespace.
sourceNamespace?: string
// The human readable prefix to use when emitting statistics for
// this route.
statPrefix?: string
// URI to match values are case-sensitive and formatted as
// follows: - `exact: "value"` for exact string match - `prefix:
// "value"` for prefix-based match - `regex: "value"` for RE2
// style regex-based match
// (https://github.com/google/re2/wiki/Syntax).
uri?: ({} | {
exact: _
} | {
prefix: _
} | {
regex: _
}) & {
exact?: string
prefix?: string
// RE2 style regex-based match
// (https://github.com/google/re2/wiki/Syntax).
regex?: string
}
// withoutHeader has the same syntax with the header, but has
// opposite meaning.
withoutHeaders?: {
[string]: ({} | {
exact: _
} | {
prefix: _
} | {
regex: _
}) & {
exact?: string
prefix?: string
// RE2 style regex-based match
// (https://github.com/google/re2/wiki/Syntax).
regex?: string
}
}
}]
// Mirror HTTP traffic to a another destination in addition to
// forwarding the requests to the intended destination.
mirror?: {
// The name of a service from the service registry.
host: string
port?: {
number?: int
}
// The name of a subset within the service.
subset?: string
}
mirror_percent?: null | int
mirrorPercent?: null | int
mirrorPercentage?: {
value?: number
}
// Specifies the destinations to mirror HTTP traffic in addition
// to the original destination.
mirrors?: [...{
// Destination specifies the target of the mirror operation.
destination: {
// The name of a service from the service registry.
host: string
port?: {
number?: int
}
// The name of a subset within the service.
subset?: string
}
percentage?: {
value?: number
}
}]
// The name assigned to the route for debugging purposes.
name?: string
// A HTTP rule can either return a direct_response, redirect or
// forward (default) traffic.
redirect?: ({} | {
port: _
} | {
derivePort: _
}) & {
// On a redirect, overwrite the Authority/Host portion of the URL
// with this value.
authority?: string
// On a redirect, dynamically set the port: *
// FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and
// 443 for HTTPS.
derivePort?: "FROM_PROTOCOL_DEFAULT" | "FROM_REQUEST_PORT"
// On a redirect, overwrite the port portion of the URL with this
// value.
port?: int
// On a redirect, Specifies the HTTP status code to use in the
// redirect response.
redirectCode?: int
// On a redirect, overwrite the scheme portion of the URL with
// this value.
scheme?: string
// On a redirect, overwrite the Path portion of the URL with this
// value.
uri?: string
}
// Retry policy for HTTP requests.
retries?: {
// Number of retries to be allowed for a given request.
attempts?: int
// Timeout per attempt for a given request, including the initial
// call and any retries.
perTryTimeout?: string
// Specifies the conditions under which retry takes place.
retryOn?: string
// Flag to specify whether the retries should retry to other
// localities.
retryRemoteLocalities?: null | bool
}
// Rewrite HTTP URIs and Authority headers.
rewrite?: {
// rewrite the Authority/Host header with this value.
authority?: string
// rewrite the path (or the prefix) portion of the URI with this
// value.
uri?: string
// rewrite the path portion of the URI with the specified regex.
uriRegexRewrite?: {
// RE2 style regex-based match
// (https://github.com/google/re2/wiki/Syntax).
match?: string
// The string that should replace into matching portions of
// original URI.
rewrite?: string
}
}
// A HTTP rule can either return a direct_response, redirect or
// forward (default) traffic.
route?: [...{
// Destination uniquely identifies the instances of a service to
// which the request/connection should be forwarded to.
destination: {
// The name of a service from the service registry.
host: string
port?: {
number?: int
}
// The name of a subset within the service.
subset?: string
}
headers?: {
request?: {
add?: {
[string]: string
}
remove?: [...string]
set?: {
[string]: string
}
}
response?: {
add?: {
[string]: string
}
remove?: [...string]
set?: {
[string]: string
}
}
}
// Weight specifies the relative proportion of traffic to be
// forwarded to the destination.
weight?: int
}]
// Timeout for HTTP requests, default is disabled.
timeout?: string
}]
// An ordered list of route rules for opaque TCP traffic.
tcp?: [...{
// Match conditions to be satisfied for the rule to be activated.
match?: [...{
// IPv4 or IPv6 ip addresses of destination with optional subnet.
destinationSubnets?: [...string]
// Names of gateways where the rule should be applied.
gateways?: [...string]
// Specifies the port on the host that is being addressed.
port?: int
// One or more labels that constrain the applicability of a rule
// to workloads with the given labels.
sourceLabels?: {
[string]: string
}
// Source namespace constraining the applicability of a rule to
// workloads in that namespace.
sourceNamespace?: string
sourceSubnet?: string
}]
// The destination to which the connection should be forwarded to.
route?: [...{
// Destination uniquely identifies the instances of a service to
// which the request/connection should be forwarded to.
destination: {
// The name of a service from the service registry.
host: string
port?: {
number?: int
}
// The name of a subset within the service.
subset?: string
}
// Weight specifies the relative proportion of traffic to be
// forwarded to the destination.
weight?: int
}]
}]
// An ordered list of route rule for non-terminated TLS & HTTPS
// traffic.
tls?: [...{
// Match conditions to be satisfied for the rule to be activated.
match: [...{
// IPv4 or IPv6 ip addresses of destination with optional subnet.
destinationSubnets?: [...string]
// Names of gateways where the rule should be applied.
gateways?: [...string]
// Specifies the port on the host that is being addressed.
port?: int
// SNI (server name indicator) to match on.
sniHosts: [...string]
// One or more labels that constrain the applicability of a rule
// to workloads with the given labels.
sourceLabels?: {
[string]: string
}
// Source namespace constraining the applicability of a rule to
// workloads in that namespace.
sourceNamespace?: string
}]
// The destination to which the connection should be forwarded to.
route?: [...{
// Destination uniquely identifies the instances of a service to
// which the request/connection should be forwarded to.
destination: {
// The name of a service from the service registry.
host: string
port?: {
number?: int
}
// The name of a subset within the service.
subset?: string
}
// Weight specifies the relative proportion of traffic to be
// forwarded to the destination.
weight?: int
}]
}]
}

584
docs/examples/cue.mod/gen/networking.istio.io/virtualservice/v1beta1/types_gen.cue Normal file
View File

@@ -0,0 +1,584 @@
// Code generated by timoni. DO NOT EDIT.
//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
package v1beta1
import "strings"
#VirtualService: {
// Configuration affecting label/content routing, sni routing,
// etc. See more details at:
// https://istio.io/docs/reference/config/networking/virtual-service.html
spec!: #VirtualServiceSpec
apiVersion: "networking.istio.io/v1beta1"
kind: "VirtualService"
metadata!: {
name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
string
}
namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
string
}
labels?: {
[string]: string
}
annotations?: {
[string]: string
}
}
}
// Configuration affecting label/content routing, sni routing,
// etc. See more details at:
// https://istio.io/docs/reference/config/networking/virtual-service.html
#VirtualServiceSpec: {
// A list of namespaces to which this virtual service is exported.
exportTo?: [...string]
// The names of gateways and sidecars that should apply these
// routes.
gateways?: [...string]
// The destination hosts to which traffic is being sent.
hosts?: [...string]
// An ordered list of route rules for HTTP traffic.
http?: [...{
// Cross-Origin Resource Sharing policy (CORS).
corsPolicy?: {
// Indicates whether the caller is allowed to send the actual
// request (not the preflight) using credentials.
allowCredentials?: null | bool
// List of HTTP headers that can be used when requesting the
// resource.
allowHeaders?: [...string]
// List of HTTP methods allowed to access the resource.
allowMethods?: [...string]
allowOrigin?: [...string]
// String patterns that match allowed origins.
allowOrigins?: [...({} | {
exact: _
} | {
prefix: _
} | {
regex: _
}) & {
exact?: string
prefix?: string
// RE2 style regex-based match
// (https://github.com/google/re2/wiki/Syntax).
regex?: string
}]
// A list of HTTP headers that the browsers are allowed to access.
exposeHeaders?: [...string]
// Specifies how long the results of a preflight request can be
// cached.
maxAge?: string
}
// Delegate is used to specify the particular VirtualService which
// can be used to define delegate HTTPRoute.
delegate?: {
// Name specifies the name of the delegate VirtualService.
name?: string
// Namespace specifies the namespace where the delegate
// VirtualService resides.
namespace?: string
}
// A HTTP rule can either return a direct_response, redirect or
// forward (default) traffic.
directResponse?: {
// Specifies the content of the response body.
body?: ({} | {
string: _
} | {
bytes: _
}) & {
// response body as base64 encoded bytes.
bytes?: string
string?: string
}
// Specifies the HTTP response status to be returned.
status: int
}
// Fault injection policy to apply on HTTP traffic at the client
// side.
fault?: {
// Abort Http request attempts and return error codes back to
// downstream service, giving the impression that the upstream
// service is faulty.
abort?: ({} | {
httpStatus: _
} | {
grpcStatus: _
} | {
http2Error: _
}) & {
// GRPC status code to use to abort the request.
grpcStatus?: string
http2Error?: string
// HTTP status code to use to abort the Http request.
httpStatus?: int
percentage?: {
value?: number
}
}
// Delay requests before forwarding, emulating various failures
// such as network issues, overloaded upstream service, etc.
delay?: ({} | {
fixedDelay: _
} | {
exponentialDelay: _
}) & {
exponentialDelay?: string
// Add a fixed delay before forwarding the request.
fixedDelay?: string
// Percentage of requests on which the delay will be injected
// (0-100).
percent?: int
percentage?: {
value?: number
}
}
}
headers?: {
request?: {
add?: {
[string]: string
}
remove?: [...string]
set?: {
[string]: string
}
}
response?: {
add?: {
[string]: string
}
remove?: [...string]
set?: {
[string]: string
}
}
}
// Match conditions to be satisfied for the rule to be activated.
match?: [...{
// HTTP Authority values are case-sensitive and formatted as
// follows: - `exact: "value"` for exact string match - `prefix:
// "value"` for prefix-based match - `regex: "value"` for RE2
// style regex-based match
// (https://github.com/google/re2/wiki/Syntax).
authority?: ({} | {
exact: _
} | {
prefix: _
} | {
regex: _
}) & {
exact?: string
prefix?: string
// RE2 style regex-based match
// (https://github.com/google/re2/wiki/Syntax).
regex?: string
}
// Names of gateways where the rule should be applied.
gateways?: [...string]
// The header keys must be lowercase and use hyphen as the
// separator, e.g.
headers?: {
[string]: ({} | {
exact: _
} | {
prefix: _
} | {
regex: _
}) & {
exact?: string
prefix?: string
// RE2 style regex-based match
// (https://github.com/google/re2/wiki/Syntax).
regex?: string
}
}
// Flag to specify whether the URI matching should be
// case-insensitive.
ignoreUriCase?: bool
// HTTP Method values are case-sensitive and formatted as follows:
// - `exact: "value"` for exact string match - `prefix: "value"`
// for prefix-based match - `regex: "value"` for RE2 style
// regex-based match (https://github.com/google/re2/wiki/Syntax).
method?: ({} | {
exact: _
} | {
prefix: _
} | {
regex: _
}) & {
exact?: string
prefix?: string
// RE2 style regex-based match
// (https://github.com/google/re2/wiki/Syntax).
regex?: string
}
// The name assigned to a match.
name?: string
// Specifies the ports on the host that is being addressed.
port?: int
// Query parameters for matching.
queryParams?: {
[string]: ({} | {
exact: _
} | {
prefix: _
} | {
regex: _
}) & {
exact?: string
prefix?: string
// RE2 style regex-based match
// (https://github.com/google/re2/wiki/Syntax).
regex?: string
}
}
// URI Scheme values are case-sensitive and formatted as follows:
// - `exact: "value"` for exact string match - `prefix: "value"`
// for prefix-based match - `regex: "value"` for RE2 style
// regex-based match (https://github.com/google/re2/wiki/Syntax).
scheme?: ({} | {
exact: _
} | {
prefix: _
} | {
regex: _
}) & {
exact?: string
prefix?: string
// RE2 style regex-based match
// (https://github.com/google/re2/wiki/Syntax).
regex?: string
}
// One or more labels that constrain the applicability of a rule
// to source (client) workloads with the given labels.
sourceLabels?: {
[string]: string
}
// Source namespace constraining the applicability of a rule to
// workloads in that namespace.
sourceNamespace?: string
// The human readable prefix to use when emitting statistics for
// this route.
statPrefix?: string
// URI to match values are case-sensitive and formatted as
// follows: - `exact: "value"` for exact string match - `prefix:
// "value"` for prefix-based match - `regex: "value"` for RE2
// style regex-based match
// (https://github.com/google/re2/wiki/Syntax).
uri?: ({} | {
exact: _
} | {
prefix: _
} | {
regex: _
}) & {
exact?: string
prefix?: string
// RE2 style regex-based match
// (https://github.com/google/re2/wiki/Syntax).
regex?: string
}
// withoutHeader has the same syntax with the header, but has
// opposite meaning.
withoutHeaders?: {
[string]: {
exact?: string
prefix?: string
// RE2 style regex-based match
// (https://github.com/google/re2/wiki/Syntax).
regex?: string
}
}
}]
// Mirror HTTP traffic to a another destination in addition to
// forwarding the requests to the intended destination.
mirror?: {
// The name of a service from the service registry.
host: string
port?: {
number?: int
}
// The name of a subset within the service.
subset?: string
}
mirror_percent?: null | int
mirrorPercent?: null | int
mirrorPercentage?: {
value?: number
}
// Specifies the destinations to mirror HTTP traffic in addition
// to the original destination.
mirrors?: [...{
// Destination specifies the target of the mirror operation.
destination: {
// The name of a service from the service registry.
host: string
port?: {
number?: int
}
// The name of a subset within the service.
subset?: string
}
percentage?: {
value?: number
}
}]
// The name assigned to the route for debugging purposes.
name?: string
// A HTTP rule can either return a direct_response, redirect or
// forward (default) traffic.
redirect?: {
// On a redirect, overwrite the Authority/Host portion of the URL
// with this value.
authority?: string
// On a redirect, dynamically set the port: *
// FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and
// 443 for HTTPS.
derivePort?: "FROM_PROTOCOL_DEFAULT" | "FROM_REQUEST_PORT"
// On a redirect, overwrite the port portion of the URL with this
// value.
port?: int
// On a redirect, Specifies the HTTP status code to use in the
// redirect response.
redirectCode?: int
// On a redirect, overwrite the scheme portion of the URL with
// this value.
scheme?: string
// On a redirect, overwrite the Path portion of the URL with this
// value.
uri?: string
}
// Retry policy for HTTP requests.
retries?: {
// Number of retries to be allowed for a given request.
attempts?: int
// Timeout per attempt for a given request, including the initial
// call and any retries.
perTryTimeout?: string
// Specifies the conditions under which retry takes place.
retryOn?: string
// Flag to specify whether the retries should retry to other
// localities.
retryRemoteLocalities?: null | bool
}
// Rewrite HTTP URIs and Authority headers.
rewrite?: {
// rewrite the Authority/Host header with this value.
authority?: string
// rewrite the path (or the prefix) portion of the URI with this
// value.
uri?: string
// rewrite the path portion of the URI with the specified regex.
uriRegexRewrite?: {
// RE2 style regex-based match
// (https://github.com/google/re2/wiki/Syntax).
match?: string
// The string that should replace into matching portions of
// original URI.
rewrite?: string
}
}
// A HTTP rule can either return a direct_response, redirect or
// forward (default) traffic.
route?: [...{
// Destination uniquely identifies the instances of a service to
// which the request/connection should be forwarded to.
destination: {
// The name of a service from the service registry.
host: string
port?: {
number?: int
}
// The name of a subset within the service.
subset?: string
}
headers?: {
request?: {
add?: {
[string]: string
}
remove?: [...string]
set?: {
[string]: string
}
}
response?: {
add?: {
[string]: string
}
remove?: [...string]
set?: {
[string]: string
}
}
}
// Weight specifies the relative proportion of traffic to be
// forwarded to the destination.
weight?: int
}]
// Timeout for HTTP requests, default is disabled.
timeout?: string
}]
// An ordered list of route rules for opaque TCP traffic.
tcp?: [...{
// Match conditions to be satisfied for the rule to be activated.
match?: [...{
// IPv4 or IPv6 ip addresses of destination with optional subnet.
destinationSubnets?: [...string]
// Names of gateways where the rule should be applied.
gateways?: [...string]
// Specifies the port on the host that is being addressed.
port?: int
// One or more labels that constrain the applicability of a rule
// to workloads with the given labels.
sourceLabels?: {
[string]: string
}
// Source namespace constraining the applicability of a rule to
// workloads in that namespace.
sourceNamespace?: string
sourceSubnet?: string
}]
// The destination to which the connection should be forwarded to.
route?: [...{
// Destination uniquely identifies the instances of a service to
// which the request/connection should be forwarded to.
destination: {
// The name of a service from the service registry.
host: string
port?: {
number?: int
}
// The name of a subset within the service.
subset?: string
}
// Weight specifies the relative proportion of traffic to be
// forwarded to the destination.
weight?: int
}]
}]
// An ordered list of route rule for non-terminated TLS & HTTPS
// traffic.
tls?: [...{
// Match conditions to be satisfied for the rule to be activated.
match: [...{
// IPv4 or IPv6 ip addresses of destination with optional subnet.
destinationSubnets?: [...string]
// Names of gateways where the rule should be applied.
gateways?: [...string]
// Specifies the port on the host that is being addressed.
port?: int
// SNI (server name indicator) to match on.
sniHosts: [...string]
// One or more labels that constrain the applicability of a rule
// to workloads with the given labels.
sourceLabels?: {
[string]: string
}
// Source namespace constraining the applicability of a rule to
// workloads in that namespace.
sourceNamespace?: string
}]
// The destination to which the connection should be forwarded to.
route?: [...{
// Destination uniquely identifies the instances of a service to
// which the request/connection should be forwarded to.
destination: {
// The name of a service from the service registry.
host: string
port?: {
number?: int
}
// The name of a subset within the service.
subset?: string
}
// Weight specifies the relative proportion of traffic to be
// forwarded to the destination.
weight?: int
}]
}]
}

62
docs/examples/cue.mod/gen/networking.istio.io/workloadentry/v1alpha3/types_gen.cue Normal file
View File

@@ -0,0 +1,62 @@
// Code generated by timoni. DO NOT EDIT.
//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
package v1alpha3
import "strings"
#WorkloadEntry: {
// Configuration affecting VMs onboarded into the mesh. See more
// details at:
// https://istio.io/docs/reference/config/networking/workload-entry.html
spec!: #WorkloadEntrySpec
apiVersion: "networking.istio.io/v1alpha3"
kind: "WorkloadEntry"
metadata!: {
name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
string
}
namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
string
}
labels?: {
[string]: string
}
annotations?: {
[string]: string
}
}
}
// Configuration affecting VMs onboarded into the mesh. See more
// details at:
// https://istio.io/docs/reference/config/networking/workload-entry.html
#WorkloadEntrySpec: {
// Address associated with the network endpoint without the port.
address?: string
// One or more labels associated with the endpoint.
labels?: {
[string]: string
}
// The locality associated with the endpoint.
locality?: string
// Network enables Istio to group endpoints resident in the same
// L3 domain/network.
network?: string
// Set of ports associated with the endpoint.
ports?: {
[string]: int
}
// The service account associated with the workload if a sidecar
// is present in the workload.
serviceAccount?: string
// The load balancing weight associated with the endpoint.
weight?: int
}

62
docs/examples/cue.mod/gen/networking.istio.io/workloadentry/v1beta1/types_gen.cue Normal file
View File

@@ -0,0 +1,62 @@
// Code generated by timoni. DO NOT EDIT.
//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
package v1beta1
import "strings"
#WorkloadEntry: {
// Configuration affecting VMs onboarded into the mesh. See more
// details at:
// https://istio.io/docs/reference/config/networking/workload-entry.html
spec!: #WorkloadEntrySpec
apiVersion: "networking.istio.io/v1beta1"
kind: "WorkloadEntry"
metadata!: {
name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
string
}
namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
string
}
labels?: {
[string]: string
}
annotations?: {
[string]: string
}
}
}
// Configuration affecting VMs onboarded into the mesh. See more
// details at:
// https://istio.io/docs/reference/config/networking/workload-entry.html
#WorkloadEntrySpec: {
// Address associated with the network endpoint without the port.
address?: string
// One or more labels associated with the endpoint.
labels?: {
[string]: string
}
// The locality associated with the endpoint.
locality?: string
// Network enables Istio to group endpoints resident in the same
// L3 domain/network.
network?: string
// Set of ports associated with the endpoint.
ports?: {
[string]: int
}
// The service account associated with the workload if a sidecar
// is present in the workload.
serviceAccount?: string
// The load balancing weight associated with the endpoint.
weight?: int
}

136
docs/examples/cue.mod/gen/networking.istio.io/workloadgroup/v1alpha3/types_gen.cue Normal file
View File

@@ -0,0 +1,136 @@
// Code generated by timoni. DO NOT EDIT.
//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
package v1alpha3
import "strings"
#WorkloadGroup: {
// Describes a collection of workload instances. See more details
// at:
// https://istio.io/docs/reference/config/networking/workload-group.html
spec!: #WorkloadGroupSpec
apiVersion: "networking.istio.io/v1alpha3"
kind: "WorkloadGroup"
metadata!: {
name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
string
}
namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
string
}
labels?: {
[string]: string
}
annotations?: {
[string]: string
}
}
}
// Describes a collection of workload instances. See more details
// at:
// https://istio.io/docs/reference/config/networking/workload-group.html
#WorkloadGroupSpec: {
// Metadata that will be used for all corresponding
// `WorkloadEntries`.
metadata?: {
annotations?: {
[string]: string
}
labels?: {
[string]: string
}
}
// `ReadinessProbe` describes the configuration the user must
// provide for healthchecking on their workload.
probe?: ({} | {
httpGet: _
} | {
tcpSocket: _
} | {
exec: _
}) & {
exec?: {
// Command to run.
command?: [...string]
}
// Minimum consecutive failures for the probe to be considered
// failed after having succeeded.
failureThreshold?: int
// `httpGet` is performed to a given endpoint and the status/able
// to connect determines health.
httpGet?: {
// Host name to connect to, defaults to the pod IP.
host?: string
// Headers the proxy will pass on to make the request.
httpHeaders?: [...{
name?: string
value?: string
}]
// Path to access on the HTTP server.
path?: string
// Port on which the endpoint lives.
port: int
scheme?: string
}
// Number of seconds after the container has started before
// readiness probes are initiated.
initialDelaySeconds?: int
// How often (in seconds) to perform the probe.
periodSeconds?: int
// Minimum consecutive successes for the probe to be considered
// successful after having failed.
successThreshold?: int
// Health is determined by if the proxy is able to connect.
tcpSocket?: {
host?: string
port: int
}
// Number of seconds after which the probe times out.
timeoutSeconds?: int
}
// Template to be used for the generation of `WorkloadEntry`
// resources that belong to this `WorkloadGroup`.
template: {
// Address associated with the network endpoint without the port.
address?: string
// One or more labels associated with the endpoint.
labels?: {
[string]: string
}
// The locality associated with the endpoint.
locality?: string
// Network enables Istio to group endpoints resident in the same
// L3 domain/network.
network?: string
// Set of ports associated with the endpoint.
ports?: {
[string]: int
}
// The service account associated with the workload if a sidecar
// is present in the workload.
serviceAccount?: string
// The load balancing weight associated with the endpoint.
weight?: int
}
}

138
docs/examples/cue.mod/gen/networking.istio.io/workloadgroup/v1beta1/types_gen.cue Normal file
View File

@@ -0,0 +1,138 @@
// Code generated by timoni. DO NOT EDIT.
//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
package v1beta1
import "strings"
#WorkloadGroup: {
// `WorkloadGroup` enables specifying the properties of a single
// workload for bootstrap and provides a template for
// `WorkloadEntry`, similar to how `Deployment` specifies
// properties of workloads via `Pod` templates.
spec!: #WorkloadGroupSpec
apiVersion: "networking.istio.io/v1beta1"
kind: "WorkloadGroup"
metadata!: {
name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
string
}
namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
string
}
labels?: {
[string]: string
}
annotations?: {
[string]: string
}
}
}
// `WorkloadGroup` enables specifying the properties of a single
// workload for bootstrap and provides a template for
// `WorkloadEntry`, similar to how `Deployment` specifies
// properties of workloads via `Pod` templates.
#WorkloadGroupSpec: {
// Metadata that will be used for all corresponding
// `WorkloadEntries`.
metadata?: {
annotations?: {
[string]: string
}
labels?: {
[string]: string
}
}
// `ReadinessProbe` describes the configuration the user must
// provide for healthchecking on their workload.
probe?: ({} | {
httpGet: _
} | {
tcpSocket: _
} | {
exec: _
}) & {
exec?: {
// Command to run.
command?: [...string]
}
// Minimum consecutive failures for the probe to be considered
// failed after having succeeded.
failureThreshold?: int
// `httpGet` is performed to a given endpoint and the status/able
// to connect determines health.
httpGet?: {
// Host name to connect to, defaults to the pod IP.
host?: string
// Headers the proxy will pass on to make the request.
httpHeaders?: [...{
name?: string
value?: string
}]
// Path to access on the HTTP server.
path?: string
// Port on which the endpoint lives.
port: int
scheme?: string
}
// Number of seconds after the container has started before
// readiness probes are initiated.
initialDelaySeconds?: int
// How often (in seconds) to perform the probe.
periodSeconds?: int
// Minimum consecutive successes for the probe to be considered
// successful after having failed.
successThreshold?: int
// Health is determined by if the proxy is able to connect.
tcpSocket?: {
host?: string
port: int
}
// Number of seconds after which the probe times out.
timeoutSeconds?: int
}
// Template to be used for the generation of `WorkloadEntry`
// resources that belong to this `WorkloadGroup`.
template: {
// Address associated with the network endpoint without the port.
address?: string
// One or more labels associated with the endpoint.
labels?: {
[string]: string
}
// The locality associated with the endpoint.
locality?: string
// Network enables Istio to group endpoints resident in the same
// L3 domain/network.
network?: string
// Set of ports associated with the endpoint.
ports?: {
[string]: int
}
// The service account associated with the workload if a sidecar
// is present in the workload.
serviceAccount?: string
// The load balancing weight associated with the endpoint.
weight?: int
}
}

147
docs/examples/cue.mod/gen/security.istio.io/authorizationpolicy/v1/types_gen.cue Normal file
View File

@@ -0,0 +1,147 @@
// Code generated by timoni. DO NOT EDIT.
//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
package v1
import "strings"
#AuthorizationPolicy: {
// Configuration for access control on workloads. See more details
// at:
// https://istio.io/docs/reference/config/security/authorization-policy.html
spec!: #AuthorizationPolicySpec
apiVersion: "security.istio.io/v1"
kind: "AuthorizationPolicy"
metadata!: {
name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
string
}
namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
string
}
labels?: {
[string]: string
}
annotations?: {
[string]: string
}
}
}
// Configuration for access control on workloads. See more details
// at:
// https://istio.io/docs/reference/config/security/authorization-policy.html
#AuthorizationPolicySpec: ({} | {
provider: _
}) & {
// Optional.
action?: "ALLOW" | "DENY" | "AUDIT" | "CUSTOM"
provider?: {
// Specifies the name of the extension provider.
name?: string
}
// Optional.
rules?: [...{
// Optional.
from?: [...{
// Source specifies the source of a request.
source?: {
// Optional.
ipBlocks?: [...string]
// Optional.
namespaces?: [...string]
// Optional.
notIpBlocks?: [...string]
// Optional.
notNamespaces?: [...string]
// Optional.
notPrincipals?: [...string]
// Optional.
notRemoteIpBlocks?: [...string]
// Optional.
notRequestPrincipals?: [...string]
// Optional.
principals?: [...string]
// Optional.
remoteIpBlocks?: [...string]
// Optional.
requestPrincipals?: [...string]
}
}]
// Optional.
to?: [...{
// Operation specifies the operation of a request.
operation?: {
// Optional.
hosts?: [...string]
// Optional.
methods?: [...string]
// Optional.
notHosts?: [...string]
// Optional.
notMethods?: [...string]
// Optional.
notPaths?: [...string]
// Optional.
notPorts?: [...string]
// Optional.
paths?: [...string]
// Optional.
ports?: [...string]
}
}]
// Optional.
when?: [...{
// The name of an Istio attribute.
key: string
// Optional.
notValues?: [...string]
// Optional.
values?: [...string]
}]
}]
selector?: {
// One or more labels that indicate a specific set of pods/VMs on
// which a policy should be applied.
matchLabels?: {
[string]: string
}
}
// Optional.
targetRef?: {
// group is the group of the target resource.
group?: string
// kind is kind of the target resource.
kind?: string
// name is the name of the target resource.
name?: string
// namespace is the namespace of the referent.
namespace?: string
}
}

147
docs/examples/cue.mod/gen/security.istio.io/authorizationpolicy/v1beta1/types_gen.cue Normal file
View File

@@ -0,0 +1,147 @@
// Code generated by timoni. DO NOT EDIT.
//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
package v1beta1
import "strings"
#AuthorizationPolicy: {
// Configuration for access control on workloads. See more details
// at:
// https://istio.io/docs/reference/config/security/authorization-policy.html
spec!: #AuthorizationPolicySpec
apiVersion: "security.istio.io/v1beta1"
kind: "AuthorizationPolicy"
metadata!: {
name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
string
}
namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
string
}
labels?: {
[string]: string
}
annotations?: {
[string]: string
}
}
}
// Configuration for access control on workloads. See more details
// at:
// https://istio.io/docs/reference/config/security/authorization-policy.html
#AuthorizationPolicySpec: ({} | {
provider: _
}) & {
// Optional.
action?: "ALLOW" | "DENY" | "AUDIT" | "CUSTOM"
provider?: {
// Specifies the name of the extension provider.
name?: string
}
// Optional.
rules?: [...{
// Optional.
from?: [...{
// Source specifies the source of a request.
source?: {
// Optional.
ipBlocks?: [...string]
// Optional.
namespaces?: [...string]
// Optional.
notIpBlocks?: [...string]
// Optional.
notNamespaces?: [...string]
// Optional.
notPrincipals?: [...string]
// Optional.
notRemoteIpBlocks?: [...string]
// Optional.
notRequestPrincipals?: [...string]
// Optional.
principals?: [...string]
// Optional.
remoteIpBlocks?: [...string]
// Optional.
requestPrincipals?: [...string]
}
}]
// Optional.
to?: [...{
// Operation specifies the operation of a request.
operation?: {
// Optional.
hosts?: [...string]
// Optional.
methods?: [...string]
// Optional.
notHosts?: [...string]
// Optional.
notMethods?: [...string]
// Optional.
notPaths?: [...string]
// Optional.
notPorts?: [...string]
// Optional.
paths?: [...string]
// Optional.
ports?: [...string]
}
}]
// Optional.
when?: [...{
// The name of an Istio attribute.
key: string
// Optional.
notValues?: [...string]
// Optional.
values?: [...string]
}]
}]
selector?: {
// One or more labels that indicate a specific set of pods/VMs on
// which a policy should be applied.
matchLabels?: {
[string]: string
}
}
// Optional.
targetRef?: {
// group is the group of the target resource.
group?: string
// kind is kind of the target resource.
kind?: string
// name is the name of the target resource.
name?: string
// namespace is the namespace of the referent.
namespace?: string
}
}

55
docs/examples/cue.mod/gen/security.istio.io/peerauthentication/v1beta1/types_gen.cue Normal file
View File

@@ -0,0 +1,55 @@
// Code generated by timoni. DO NOT EDIT.
//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
package v1beta1
import "strings"
#PeerAuthentication: {
// Peer authentication configuration for workloads. See more
// details at:
// https://istio.io/docs/reference/config/security/peer_authentication.html
spec!: #PeerAuthenticationSpec
apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata!: {
name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
string
}
namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
string
}
labels?: {
[string]: string
}
annotations?: {
[string]: string
}
}
}
// Peer authentication configuration for workloads. See more
// details at:
// https://istio.io/docs/reference/config/security/peer_authentication.html
#PeerAuthenticationSpec: {
mtls?: {
// Defines the mTLS mode used for peer authentication.
mode?: "UNSET" | "DISABLE" | "PERMISSIVE" | "STRICT"
}
// Port specific mutual TLS settings.
portLevelMtls?: {
[string]: {
// Defines the mTLS mode used for peer authentication.
mode?: "UNSET" | "DISABLE" | "PERMISSIVE" | "STRICT"
}
}
selector?: {
// One or more labels that indicate a specific set of pods/VMs on
// which a policy should be applied.
matchLabels?: {
[string]: string
}
}
}

111
docs/examples/cue.mod/gen/security.istio.io/requestauthentication/v1/types_gen.cue Normal file
View File

@@ -0,0 +1,111 @@
// Code generated by timoni. DO NOT EDIT.
//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
package v1
import "strings"
#RequestAuthentication: {
// Request authentication configuration for workloads. See more
// details at:
// https://istio.io/docs/reference/config/security/request_authentication.html
spec!: #RequestAuthenticationSpec
apiVersion: "security.istio.io/v1"
kind: "RequestAuthentication"
metadata!: {
name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
string
}
namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
string
}
labels?: {
[string]: string
}
annotations?: {
[string]: string
}
}
}
// Request authentication configuration for workloads. See more
// details at:
// https://istio.io/docs/reference/config/security/request_authentication.html
#RequestAuthenticationSpec: {
// Define the list of JWTs that can be validated at the selected
// workloads' proxy.
jwtRules?: [...{
// The list of JWT
// [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3)
// that are allowed to access.
audiences?: [...string]
// If set to true, the original token will be kept for the
// upstream request.
forwardOriginalToken?: bool
// List of header locations from which JWT is expected.
fromHeaders?: [...{
// The HTTP header name.
name: string
// The prefix that should be stripped before decoding the token.
prefix?: string
}]
// List of query parameters from which JWT is expected.
fromParams?: [...string]
// Identifies the issuer that issued the JWT.
issuer: string
// JSON Web Key Set of public keys to validate signature of the
// JWT.
jwks?: string
// URL of the provider's public key set to validate signature of
// the JWT.
jwks_uri?: string
// URL of the provider's public key set to validate signature of
// the JWT.
jwksUri?: string
// This field specifies a list of operations to copy the claim to
// HTTP headers on a successfully verified token.
outputClaimToHeaders?: [...{
// The name of the claim to be copied from.
claim?: string
// The name of the header to be created.
header?: string
}]
// This field specifies the header name to output a successfully
// verified JWT payload to the backend.
outputPayloadToHeader?: string
}]
selector?: {
// One or more labels that indicate a specific set of pods/VMs on
// which a policy should be applied.
matchLabels?: {
[string]: string
}
}
// Optional.
targetRef?: {
// group is the group of the target resource.
group?: string
// kind is kind of the target resource.
kind?: string
// name is the name of the target resource.
name?: string
// namespace is the namespace of the referent.
namespace?: string
}
}

111
docs/examples/cue.mod/gen/security.istio.io/requestauthentication/v1beta1/types_gen.cue Normal file
View File

@@ -0,0 +1,111 @@
// Code generated by timoni. DO NOT EDIT.
//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
package v1beta1
import "strings"
#RequestAuthentication: {
// Request authentication configuration for workloads. See more
// details at:
// https://istio.io/docs/reference/config/security/request_authentication.html
spec!: #RequestAuthenticationSpec
apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata!: {
name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
string
}
namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
string
}
labels?: {
[string]: string
}
annotations?: {
[string]: string
}
}
}
// Request authentication configuration for workloads. See more
// details at:
// https://istio.io/docs/reference/config/security/request_authentication.html
#RequestAuthenticationSpec: {
// Define the list of JWTs that can be validated at the selected
// workloads' proxy.
jwtRules?: [...{
// The list of JWT
// [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3)
// that are allowed to access.
audiences?: [...string]
// If set to true, the original token will be kept for the
// upstream request.
forwardOriginalToken?: bool
// List of header locations from which JWT is expected.
fromHeaders?: [...{
// The HTTP header name.
name: string
// The prefix that should be stripped before decoding the token.
prefix?: string
}]
// List of query parameters from which JWT is expected.
fromParams?: [...string]
// Identifies the issuer that issued the JWT.
issuer: string
// JSON Web Key Set of public keys to validate signature of the
// JWT.
jwks?: string
// URL of the provider's public key set to validate signature of
// the JWT.
jwks_uri?: string
// URL of the provider's public key set to validate signature of
// the JWT.
jwksUri?: string
// This field specifies a list of operations to copy the claim to
// HTTP headers on a successfully verified token.
outputClaimToHeaders?: [...{
// The name of the claim to be copied from.
claim?: string
// The name of the header to be created.
header?: string
}]
// This field specifies the header name to output a successfully
// verified JWT payload to the backend.
outputPayloadToHeader?: string
}]
selector?: {
// One or more labels that indicate a specific set of pods/VMs on
// which a policy should be applied.
matchLabels?: {
[string]: string
}
}
// Optional.
targetRef?: {
// group is the group of the target resource.
group?: string
// kind is kind of the target resource.
kind?: string
// name is the name of the target resource.
name?: string
// namespace is the namespace of the referent.
namespace?: string
}
}

7
docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/builtinpluginloadingoptions_string_go_gen.cue Normal file
View File

@@ -0,0 +1,7 @@
// Code generated by cue get go. DO NOT EDIT.
//cue:generate cue get go sigs.k8s.io/kustomize/api/types
package types
_#_BuiltinPluginLoadingOptions_name: "BploUndefinedBploUseStaticallyLinkedBploLoadFromFileSys"

10
docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/configmapargs_go_gen.cue Normal file
View File

@@ -0,0 +1,10 @@
// Code generated by cue get go. DO NOT EDIT.
//cue:generate cue get go sigs.k8s.io/kustomize/api/types
package types
// ConfigMapArgs contains the metadata of how to generate a configmap.
#ConfigMapArgs: {
#GeneratorArgs
}

10
docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/doc_go_gen.cue Normal file
View File

@@ -0,0 +1,10 @@
// Code generated by cue get go. DO NOT EDIT.
//cue:generate cue get go sigs.k8s.io/kustomize/api/types
// Package types holds the definition of the kustomization struct and
// supporting structs. It's the k8s API conformant object that describes
// a set of generation and transformation operations to create and/or
// modify k8s resources.
// A kustomization file is a serialization of this struct.
package types

29
docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/fieldspec_go_gen.cue Normal file
View File

@@ -0,0 +1,29 @@
// Code generated by cue get go. DO NOT EDIT.
//cue:generate cue get go sigs.k8s.io/kustomize/api/types
package types
// FieldSpec completely specifies a kustomizable field in a k8s API object.
// It helps define the operands of transformations.
//
// For example, a directive to add a common label to objects
// will need to know that a 'Deployment' object (in API group
// 'apps', any version) can have labels at field path
// 'spec/template/metadata/labels', and further that it is OK
// (or not OK) to add that field path to the object if the
// field path doesn't exist already.
//
// This would look like
// {
// group: apps
// kind: Deployment
// path: spec/template/metadata/labels
// create: true
// }
#FieldSpec: {
path?: string @go(Path)
create?: bool @go(CreateIfNotPresent)
}
#FsSlice: [...#FieldSpec]

33
docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/generationbehavior_go_gen.cue Normal file
View File

@@ -0,0 +1,33 @@
// Code generated by cue get go. DO NOT EDIT.
//cue:generate cue get go sigs.k8s.io/kustomize/api/types
package types
// GenerationBehavior specifies generation behavior of configmaps, secrets and maybe other resources.
#GenerationBehavior: int // #enumGenerationBehavior
#enumGenerationBehavior:
#BehaviorUnspecified |
#BehaviorCreate |
#BehaviorReplace |
#BehaviorMerge
#values_GenerationBehavior: {
BehaviorUnspecified: #BehaviorUnspecified
BehaviorCreate: #BehaviorCreate
BehaviorReplace: #BehaviorReplace
BehaviorMerge: #BehaviorMerge
}
// BehaviorUnspecified is an Unspecified behavior; typically treated as a Create.
#BehaviorUnspecified: #GenerationBehavior & 0
// BehaviorCreate makes a new resource.
#BehaviorCreate: #GenerationBehavior & 1
// BehaviorReplace replaces a resource.
#BehaviorReplace: #GenerationBehavior & 2
// BehaviorMerge attempts to merge a new resource with an existing resource.
#BehaviorMerge: #GenerationBehavior & 3

27
docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/generatorargs_go_gen.cue Normal file
View File

@@ -0,0 +1,27 @@
// Code generated by cue get go. DO NOT EDIT.
//cue:generate cue get go sigs.k8s.io/kustomize/api/types
package types
// GeneratorArgs contains arguments common to ConfigMap and Secret generators.
#GeneratorArgs: {
// Namespace for the resource, optional
namespace?: string @go(Namespace)
// Name - actually the partial name - of the generated resource.
// The full name ends up being something like
// NamePrefix + this.Name + hash(content of generated resource).
name?: string @go(Name)
// Behavior of generated resource, must be one of:
// 'create': create a new one
// 'replace': replace the existing one
// 'merge': merge with the existing one
behavior?: string @go(Behavior)
#KvPairSources
// Local overrides to global generatorOptions field.
options?: null | #GeneratorOptions @go(Options,*GeneratorOptions)
}

22
docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/generatoroptions_go_gen.cue Normal file
View File

@@ -0,0 +1,22 @@
// Code generated by cue get go. DO NOT EDIT.
//cue:generate cue get go sigs.k8s.io/kustomize/api/types
package types
// GeneratorOptions modify behavior of all ConfigMap and Secret generators.
#GeneratorOptions: {
// Labels to add to all generated resources.
labels?: {[string]: string} @go(Labels,map[string]string)
// Annotations to add to all generated resources.
annotations?: {[string]: string} @go(Annotations,map[string]string)
// DisableNameSuffixHash if true disables the default behavior of adding a
// suffix to the names of generated resources that is a hash of the
// resource contents.
disableNameSuffixHash?: bool @go(DisableNameSuffixHash)
// Immutable if true add to all generated resources.
immutable?: bool @go(Immutable)
}

116
docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/helmchartargs_go_gen.cue Normal file
View File

@@ -0,0 +1,116 @@
// Code generated by cue get go. DO NOT EDIT.
//cue:generate cue get go sigs.k8s.io/kustomize/api/types
package types
#HelmDefaultHome: "charts"
#HelmGlobals: {
// ChartHome is a file path, relative to the kustomization root,
// to a directory containing a subdirectory for each chart to be
// included in the kustomization.
// The default value of this field is "charts".
// So, for example, kustomize looks for the minecraft chart
// at {kustomizationRoot}/{ChartHome}/minecraft.
// If the chart is there at build time, kustomize will use it as found,
// and not check version numbers or dates.
// If the chart is not there, kustomize will attempt to pull it
// using the version number specified in the kustomization file,
// and put it there. To suppress the pull attempt, simply assure
// that the chart is already there.
chartHome?: string @go(ChartHome)
// ConfigHome defines a value that kustomize should pass to helm via
// the HELM_CONFIG_HOME environment variable. kustomize doesn't attempt
// to read or write this directory.
// If omitted, {tmpDir}/helm is used, where {tmpDir} is some temporary
// directory created by kustomize for the benefit of helm.
// Likewise, kustomize sets
// HELM_CACHE_HOME={ConfigHome}/.cache
// HELM_DATA_HOME={ConfigHome}/.data
// for the helm subprocess.
configHome?: string @go(ConfigHome)
}
#HelmChart: {
// Name is the name of the chart, e.g. 'minecraft'.
name?: string @go(Name)
// Version is the version of the chart, e.g. '3.1.3'
version?: string @go(Version)
// Repo is a URL locating the chart on the internet.
// This is the argument to helm's `--repo` flag, e.g.
// `https://itzg.github.io/minecraft-server-charts`.
repo?: string @go(Repo)
// ReleaseName replaces RELEASE-NAME in chart template output,
// making a particular inflation of a chart unique with respect to
// other inflations of the same chart in a cluster. It's the first
// argument to the helm `install` and `template` commands, i.e.
// helm install {RELEASE-NAME} {chartName}
// helm template {RELEASE-NAME} {chartName}
// If omitted, the flag --generate-name is passed to 'helm template'.
releaseName?: string @go(ReleaseName)
// Namespace set the target namespace for a release. It is .Release.Namespace
// in the helm template
namespace?: string @go(Namespace)
// AdditionalValuesFiles are local file paths to values files to be used in
// addition to either the default values file or the values specified in ValuesFile.
additionalValuesFiles?: [...string] @go(AdditionalValuesFiles,[]string)
// ValuesFile is a local file path to a values file to use _instead of_
// the default values that accompanied the chart.
// The default values are in '{ChartHome}/{Name}/values.yaml'.
valuesFile?: string @go(ValuesFile)
// ValuesInline holds value mappings specified directly,
// rather than in a separate file.
valuesInline?: {...} @go(ValuesInline,map[string]interface{})
// ValuesMerge specifies how to treat ValuesInline with respect to Values.
// Legal values: 'merge', 'override', 'replace'.
// Defaults to 'override'.
valuesMerge?: string @go(ValuesMerge)
// IncludeCRDs specifies if Helm should also generate CustomResourceDefinitions.
// Defaults to 'false'.
includeCRDs?: bool @go(IncludeCRDs)
// SkipHooks sets the --no-hooks flag when calling helm template. This prevents
// helm from erroneously rendering test templates.
skipHooks?: bool @go(SkipHooks)
// ApiVersions is the kubernetes apiversions used for Capabilities.APIVersions
apiVersions?: [...string] @go(ApiVersions,[]string)
// KubeVersion is the kubernetes version used by Helm for Capabilities.KubeVersion"
kubeVersion?: string @go(KubeVersion)
// NameTemplate is for specifying the name template used to name the release.
nameTemplate?: string @go(NameTemplate)
// SkipTests skips tests from templated output.
skipTests?: bool @go(SkipTests)
}
// HelmChartArgs contains arguments to helm.
// Deprecated. Use HelmGlobals and HelmChart instead.
#HelmChartArgs: {
chartName?: string @go(ChartName)
chartVersion?: string @go(ChartVersion)
chartRepoUrl?: string @go(ChartRepoURL)
chartHome?: string @go(ChartHome)
chartRepoName?: string @go(ChartRepoName)
helmBin?: string @go(HelmBin)
helmHome?: string @go(HelmHome)
values?: string @go(Values)
valuesLocal?: {...} @go(ValuesLocal,map[string]interface{})
valuesMerge?: string @go(ValuesMerge)
releaseName?: string @go(ReleaseName)
releaseNamespace?: string @go(ReleaseNamespace)
extraArgs?: [...string] @go(ExtraArgs,[]string)
}

40
docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/iampolicygenerator_go_gen.cue Normal file
View File

@@ -0,0 +1,40 @@
// Code generated by cue get go. DO NOT EDIT.
//cue:generate cue get go sigs.k8s.io/kustomize/api/types
package types
#Cloud: string // #enumCloud
#enumCloud:
#GKE
#GKE: #Cloud & "gke"
// IAMPolicyGeneratorArgs contains arguments to generate a GKE service account resource.
#IAMPolicyGeneratorArgs: {
// which cloud provider to generate for (e.g. "gke")
cloud: #Cloud @go(Cloud)
// information about the kubernetes cluster for this object
kubernetesService: #KubernetesService @go(KubernetesService)
// information about the service account and project
serviceAccount: #ServiceAccount @go(ServiceAccount)
}
#KubernetesService: {
// the name used for the Kubernetes service account
name: string @go(Name)
// the name of the Kubernetes namespace for this object
namespace?: string @go(Namespace)
}
#ServiceAccount: {
// the name of the new cloud provider service account
name: string @go(Name)
// The ID of the project
projectId: string @go(ProjectId)
}

26
docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/image_go_gen.cue Normal file
View File

@@ -0,0 +1,26 @@
// Code generated by cue get go. DO NOT EDIT.
//cue:generate cue get go sigs.k8s.io/kustomize/api/types
package types
// Image contains an image name, a new name, a new tag or digest,
// which will replace the original name and tag.
#Image: {
// Name is a tag-less image name.
name?: string @go(Name)
// NewName is the value used to replace the original name.
newName?: string @go(NewName)
// TagSuffix is the value used to suffix the original tag
// If Digest and NewTag is present an error is thrown
tagSuffix?: string @go(TagSuffix)
// NewTag is the value used to replace the original tag.
newTag?: string @go(NewTag)
// Digest is the value used to replace the original image tag.
// If digest is present NewTag value is ignored.
digest?: string @go(Digest)
}

163
docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/kustomization_go_gen.cue Normal file
View File

@@ -0,0 +1,163 @@
// Code generated by cue get go. DO NOT EDIT.
//cue:generate cue get go sigs.k8s.io/kustomize/api/types
package types
#KustomizationVersion: "kustomize.config.k8s.io/v1beta1"
#KustomizationKind: "Kustomization"
#ComponentVersion: "kustomize.config.k8s.io/v1alpha1"
#ComponentKind: "Component"
#MetadataNamespacePath: "metadata/namespace"
#MetadataNamespaceApiVersion: "v1"
#MetadataNamePath: "metadata/name"
#OriginAnnotations: "originAnnotations"
#TransformerAnnotations: "transformerAnnotations"
#ManagedByLabelOption: "managedByLabel"
// Kustomization holds the information needed to generate customized k8s api resources.
#Kustomization: {
#TypeMeta
// MetaData is a pointer to avoid marshalling empty struct
metadata?: null | #ObjectMeta @go(MetaData,*ObjectMeta)
// OpenAPI contains information about what kubernetes schema to use.
openapi?: {[string]: string} @go(OpenAPI,map[string]string)
// NamePrefix will prefix the names of all resources mentioned in the kustomization
// file including generated configmaps and secrets.
namePrefix?: string @go(NamePrefix)
// NameSuffix will suffix the names of all resources mentioned in the kustomization
// file including generated configmaps and secrets.
nameSuffix?: string @go(NameSuffix)
// Namespace to add to all objects.
namespace?: string @go(Namespace)
// CommonLabels to add to all objects and selectors.
commonLabels?: {[string]: string} @go(CommonLabels,map[string]string)
// Labels to add to all objects but not selectors.
labels?: [...#Label] @go(Labels,[]Label)
// CommonAnnotations to add to all objects.
commonAnnotations?: {[string]: string} @go(CommonAnnotations,map[string]string)
// Deprecated: Use the Patches field instead, which provides a superset of the functionality of PatchesStrategicMerge.
// PatchesStrategicMerge specifies the relative path to a file
// containing a strategic merge patch. Format documented at
// https://github.com/kubernetes/community/blob/master/contributors/devel/sig-api-machinery/strategic-merge-patch.md
// URLs and globs are not supported.
patchesStrategicMerge?: [...#PatchStrategicMerge] @go(PatchesStrategicMerge,[]PatchStrategicMerge)
// Deprecated: Use the Patches field instead, which provides a superset of the functionality of JSONPatches.
// JSONPatches is a list of JSONPatch for applying JSON patch.
// Format documented at https://tools.ietf.org/html/rfc6902
// and http://jsonpatch.com
patchesJson6902?: [...#Patch] @go(PatchesJson6902,[]Patch)
// Patches is a list of patches, where each one can be either a
// Strategic Merge Patch or a JSON patch.
// Each patch can be applied to multiple target objects.
patches?: [...#Patch] @go(Patches,[]Patch)
// Images is a list of (image name, new name, new tag or digest)
// for changing image names, tags or digests. This can also be achieved with a
// patch, but this operator is simpler to specify.
images?: [...#Image] @go(Images,[]Image)
// Deprecated: Use the Images field instead.
imageTags?: [...#Image] @go(ImageTags,[]Image)
// Replacements is a list of replacements, which will copy nodes from a
// specified source to N specified targets.
replacements?: [...#ReplacementField] @go(Replacements,[]ReplacementField)
// Replicas is a list of {resourcename, count} that allows for simpler replica
// specification. This can also be done with a patch.
replicas?: [...#Replica] @go(Replicas,[]Replica)
// Deprecated: Vars will be removed in future release. Migrate to Replacements instead.
// Vars allow things modified by kustomize to be injected into a
// kubernetes object specification. A var is a name (e.g. FOO) associated
// with a field in a specific resource instance. The field must
// contain a value of type string/bool/int/float, and defaults to the name field
// of the instance. Any appearance of "$(FOO)" in the object
// spec will be replaced at kustomize build time, after the final
// value of the specified field has been determined.
vars?: [...#Var] @go(Vars,[]Var)
// SortOptions change the order that kustomize outputs resources.
sortOptions?: null | #SortOptions @go(SortOptions,*SortOptions)
// Resources specifies relative paths to files holding YAML representations
// of kubernetes API objects, or specifications of other kustomizations
// via relative paths, absolute paths, or URLs.
resources?: [...string] @go(Resources,[]string)
// Components specifies relative paths to specifications of other Components
// via relative paths, absolute paths, or URLs.
components?: [...string] @go(Components,[]string)
// Crds specifies relative paths to Custom Resource Definition files.
// This allows custom resources to be recognized as operands, making
// it possible to add them to the Resources list.
// CRDs themselves are not modified.
crds?: [...string] @go(Crds,[]string)
// Deprecated: Anything that would have been specified here should be specified in the Resources field instead.
bases?: [...string] @go(Bases,[]string)
// ConfigMapGenerator is a list of configmaps to generate from
// local data (one configMap per list item).
// The resulting resource is a normal operand, subject to
// name prefixing, patching, etc. By default, the name of
// the map will have a suffix hash generated from its contents.
configMapGenerator?: [...#ConfigMapArgs] @go(ConfigMapGenerator,[]ConfigMapArgs)
// SecretGenerator is a list of secrets to generate from
// local data (one secret per list item).
// The resulting resource is a normal operand, subject to
// name prefixing, patching, etc. By default, the name of
// the map will have a suffix hash generated from its contents.
secretGenerator?: [...#SecretArgs] @go(SecretGenerator,[]SecretArgs)
// HelmGlobals contains helm configuration that isn't chart specific.
helmGlobals?: null | #HelmGlobals @go(HelmGlobals,*HelmGlobals)
// HelmCharts is a list of helm chart configuration instances.
helmCharts?: [...#HelmChart] @go(HelmCharts,[]HelmChart)
// HelmChartInflationGenerator is a list of helm chart configurations.
// Deprecated. Auto-converted to HelmGlobals and HelmCharts.
helmChartInflationGenerator?: [...#HelmChartArgs] @go(HelmChartInflationGenerator,[]HelmChartArgs)
// GeneratorOptions modify behavior of all ConfigMap and Secret generators.
generatorOptions?: null | #GeneratorOptions @go(GeneratorOptions,*GeneratorOptions)
// Configurations is a list of transformer configuration files
configurations?: [...string] @go(Configurations,[]string)
// Generators is a list of files containing custom generators
generators?: [...string] @go(Generators,[]string)
// Transformers is a list of files containing transformers
transformers?: [...string] @go(Transformers,[]string)
// Validators is a list of files containing validators
validators?: [...string] @go(Validators,[]string)
// BuildMetadata is a list of strings used to toggle different build options
buildMetadata?: [...string] @go(BuildMetadata,[]string)
}
_#deprecatedWarningToRunEditFix: "Run 'kustomize edit fix' to update your Kustomization automatically."
_#deprecatedWarningToRunEditFixExperimential: "[EXPERIMENTAL] Run 'kustomize edit fix' to update your Kustomization automatically."
_#deprecatedBaseWarningMessage: "# Warning: 'bases' is deprecated. Please use 'resources' instead. Run 'kustomize edit fix' to update your Kustomization automatically."
_#deprecatedImageTagsWarningMessage: "# Warning: 'imageTags' is deprecated. Please use 'images' instead. Run 'kustomize edit fix' to update your Kustomization automatically."
_#deprecatedPatchesJson6902Message: "# Warning: 'patchesJson6902' is deprecated. Please use 'patches' instead. Run 'kustomize edit fix' to update your Kustomization automatically."
_#deprecatedPatchesStrategicMergeMessage: "# Warning: 'patchesStrategicMerge' is deprecated. Please use 'patches' instead. Run 'kustomize edit fix' to update your Kustomization automatically."
_#deprecatedVarsMessage: "# Warning: 'vars' is deprecated. Please use 'replacements' instead. [EXPERIMENTAL] Run 'kustomize edit fix' to update your Kustomization automatically."
_#deprecatedCommonLabelsWarningMessage: "# Warning: 'commonLabels' is deprecated. Please use 'labels' instead. Run 'kustomize edit fix' to update your Kustomization automatically."

37
docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/kvpairsources_go_gen.cue Normal file
View File

@@ -0,0 +1,37 @@
// Code generated by cue get go. DO NOT EDIT.
//cue:generate cue get go sigs.k8s.io/kustomize/api/types
package types
// KvPairSources defines places to obtain key value pairs.
#KvPairSources: {
// LiteralSources is a list of literal
// pair sources. Each literal source should
// be a key and literal value, e.g. `key=value`
literals?: [...string] @go(LiteralSources,[]string)
// FileSources is a list of file "sources" to
// use in creating a list of key, value pairs.
// A source takes the form: [{key}=]{path}
// If the "key=" part is missing, the key is the
// path's basename. If they "key=" part is present,
// it becomes the key (replacing the basename).
// In either case, the value is the file contents.
// Specifying a directory will iterate each named
// file in the directory whose basename is a
// valid configmap key.
files?: [...string] @go(FileSources,[]string)
// EnvSources is a list of file paths.
// The contents of each file should be one
// key=value pair per line, e.g. a Docker
// or npm ".env" file or a ".ini" file
// (wikipedia.org/wiki/INI_file)
envs?: [...string] @go(EnvSources,[]string)
// Older, singular form of EnvSources.
// On edits (e.g. `kustomize fix`) this is merged into the plural form
// for consistency with LiteralSources and FileSources.
env?: string @go(EnvSource)
}

23
docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/labels_go_gen.cue Normal file
View File

@@ -0,0 +1,23 @@
// Code generated by cue get go. DO NOT EDIT.
//cue:generate cue get go sigs.k8s.io/kustomize/api/types
package types
#Label: {
// Pairs contains the key-value pairs for labels to add
pairs?: {[string]: string} @go(Pairs,map[string]string)
// IncludeSelectors inidicates should transformer include the
// fieldSpecs for selectors. Custom fieldSpecs specified by
// FieldSpecs will be merged with builtin fieldSpecs if this
// is true.
includeSelectors?: bool @go(IncludeSelectors)
// IncludeTemplates inidicates should transformer include the
// spec/template/metadata fieldSpec. Custom fieldSpecs specified by
// FieldSpecs will be merged with spec/template/metadata fieldSpec if this
// is true. If IncludeSelectors is true, IncludeTemplates is not needed.
includeTemplates?: bool @go(IncludeTemplates)
fields?: [...#FieldSpec] @go(FieldSpecs,[]FieldSpec)
}

34
docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/loadrestrictions_go_gen.cue Normal file
View File

@@ -0,0 +1,34 @@
// Code generated by cue get go. DO NOT EDIT.
//cue:generate cue get go sigs.k8s.io/kustomize/api/types
package types
// Restrictions on what things can be referred to
// in a kustomization file.
//
//go:generate stringer -type=LoadRestrictions
#LoadRestrictions: int // #enumLoadRestrictions
#enumLoadRestrictions:
#LoadRestrictionsUnknown |
#LoadRestrictionsRootOnly |
#LoadRestrictionsNone
#values_LoadRestrictions: {
LoadRestrictionsUnknown: #LoadRestrictionsUnknown
LoadRestrictionsRootOnly: #LoadRestrictionsRootOnly
LoadRestrictionsNone: #LoadRestrictionsNone
}
#LoadRestrictionsUnknown: #LoadRestrictions & 0
// Files referenced by a kustomization file must be in
// or under the directory holding the kustomization
// file itself.
#LoadRestrictionsRootOnly: #LoadRestrictions & 1
// The kustomization file may specify absolute or
// relative paths to patch or resources files outside
// its own tree.
#LoadRestrictionsNone: #LoadRestrictions & 2

7
docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/loadrestrictions_string_go_gen.cue Normal file
View File

@@ -0,0 +1,7 @@
// Code generated by cue get go. DO NOT EDIT.
//cue:generate cue get go sigs.k8s.io/kustomize/api/types
package types
_#_LoadRestrictions_name: "LoadRestrictionsUnknownLoadRestrictionsRootOnlyLoadRestrictionsNone"

14
docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/objectmeta_go_gen.cue Normal file
View File

@@ -0,0 +1,14 @@
// Code generated by cue get go. DO NOT EDIT.
//cue:generate cue get go sigs.k8s.io/kustomize/api/types
package types
// ObjectMeta partially copies apimachinery/pkg/apis/meta/v1.ObjectMeta
// No need for a direct dependence; the fields are stable.
#ObjectMeta: {
name?: string @go(Name)
namespace?: string @go(Namespace)
labels?: {[string]: string} @go(Labels,map[string]string)
annotations?: {[string]: string} @go(Annotations,map[string]string)
}

11
docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/pair_go_gen.cue Normal file
View File

@@ -0,0 +1,11 @@
// Code generated by cue get go. DO NOT EDIT.
//cue:generate cue get go sigs.k8s.io/kustomize/api/types
package types
// Pair is a key value pair.
#Pair: {
Key: string
Value: string
}

23
docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/patch_go_gen.cue Normal file
View File

@@ -0,0 +1,23 @@
// Code generated by cue get go. DO NOT EDIT.
//cue:generate cue get go sigs.k8s.io/kustomize/api/types
package types
// Patch represent either a Strategic Merge Patch or a JSON patch
// and its targets.
// The content of the patch can either be from a file
// or from an inline string.
#Patch: {
// Path is a relative file path to the patch file.
path?: string @go(Path)
// Patch is the content of a patch.
patch?: string @go(Patch)
// Target points to the resources that the patch is applied to
target?: #Target | #Selector @go(Target,*Selector)
// Options is a list of options for the patch
options?: {[string]: bool} @go(Options,map[string]bool)
}

10
docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/patchstrategicmerge_go_gen.cue Normal file
View File

@@ -0,0 +1,10 @@
// Code generated by cue get go. DO NOT EDIT.
//cue:generate cue get go sigs.k8s.io/kustomize/api/types
package types
// PatchStrategicMerge represents a relative path to a
// stategic merge patch with the format
// https://github.com/kubernetes/community/blob/master/contributors/devel/sig-api-machinery/strategic-merge-patch.md
#PatchStrategicMerge: string

27
docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/pluginconfig_go_gen.cue Normal file
View File

@@ -0,0 +1,27 @@
// Code generated by cue get go. DO NOT EDIT.
//cue:generate cue get go sigs.k8s.io/kustomize/api/types
package types
#HelmConfig: {
Enabled: bool
Command: string
ApiVersions: [...string] @go(,[]string)
KubeVersion: string
}
// PluginConfig holds plugin configuration.
#PluginConfig: {
// PluginRestrictions distinguishes plugin restrictions.
PluginRestrictions: #PluginRestrictions
// BpLoadingOptions distinguishes builtin plugin behaviors.
BpLoadingOptions: #BuiltinPluginLoadingOptions
// FnpLoadingOptions sets the way function-based plugin behaviors.
FnpLoadingOptions: #FnPluginLoadingOptions
// HelmConfig contains metadata needed for allowing and running helm.
HelmConfig: #HelmConfig
}

87
docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/pluginrestrictions_go_gen.cue Normal file
View File

@@ -0,0 +1,87 @@
// Code generated by cue get go. DO NOT EDIT.
//cue:generate cue get go sigs.k8s.io/kustomize/api/types
package types
// Some plugin classes
// - builtin: plugins defined in the kustomize repo.
// May be freely used and re-configured.
// - local: plugins that aren't builtin but are
// locally defined (presumably by the user), meaning
// the kustomization refers to them via a relative
// file path, not a URL.
// - remote: require a build-time download to obtain.
// Unadvised, unless one controls the
// serving site.
//
//go:generate stringer -type=PluginRestrictions
#PluginRestrictions: int // #enumPluginRestrictions
#enumPluginRestrictions:
#PluginRestrictionsUnknown |
#PluginRestrictionsBuiltinsOnly |
#PluginRestrictionsNone
#values_PluginRestrictions: {
PluginRestrictionsUnknown: #PluginRestrictionsUnknown
PluginRestrictionsBuiltinsOnly: #PluginRestrictionsBuiltinsOnly
PluginRestrictionsNone: #PluginRestrictionsNone
}
#PluginRestrictionsUnknown: #PluginRestrictions & 0
// Non-builtin plugins completely disabled.
#PluginRestrictionsBuiltinsOnly: #PluginRestrictions & 1
// No restrictions, do whatever you want.
#PluginRestrictionsNone: #PluginRestrictions & 2
// BuiltinPluginLoadingOptions distinguish ways in which builtin plugins are used.
//go:generate stringer -type=BuiltinPluginLoadingOptions
#BuiltinPluginLoadingOptions: int // #enumBuiltinPluginLoadingOptions
#enumBuiltinPluginLoadingOptions:
#BploUndefined |
#BploUseStaticallyLinked |
#BploLoadFromFileSys
#values_BuiltinPluginLoadingOptions: {
BploUndefined: #BploUndefined
BploUseStaticallyLinked: #BploUseStaticallyLinked
BploLoadFromFileSys: #BploLoadFromFileSys
}
#BploUndefined: #BuiltinPluginLoadingOptions & 0
// Desired in production use for performance.
#BploUseStaticallyLinked: #BuiltinPluginLoadingOptions & 1
// Desired in testing and development cycles where it's undesirable
// to generate static code.
#BploLoadFromFileSys: #BuiltinPluginLoadingOptions & 2
// FnPluginLoadingOptions set way functions-based plugins are restricted
#FnPluginLoadingOptions: {
// Allow to run executables
EnableExec: bool
// Allow to run starlark
EnableStar: bool
// Allow container access to network
Network: bool
NetworkName: string
// list of mounts
Mounts: [...string] @go(,[]string)
// list of env variables to pass to fn
Env: [...string] @go(,[]string)
// Run as uid and gid of the command executor
AsCurrentUser: bool
// Run in this working directory
WorkingDir: string
}

7
docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/pluginrestrictions_string_go_gen.cue Normal file
View File

@@ -0,0 +1,7 @@
// Code generated by cue get go. DO NOT EDIT.
//cue:generate cue get go sigs.k8s.io/kustomize/api/types
package types
_#_PluginRestrictions_name: "PluginRestrictionsUnknownPluginRestrictionsBuiltinsOnlyPluginRestrictionsNone"

57
docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/replacement_go_gen.cue Normal file
View File

@@ -0,0 +1,57 @@
// Code generated by cue get go. DO NOT EDIT.
//cue:generate cue get go sigs.k8s.io/kustomize/api/types
package types
#DefaultReplacementFieldPath: "metadata.name"
// Replacement defines how to perform a substitution
// where it is from and where it is to.
#Replacement: {
// The source of the value.
source?: null | #SourceSelector @go(Source,*SourceSelector)
// The N fields to write the value to.
targets?: [...null | #TargetSelector] @go(Targets,[]*TargetSelector)
}
// SourceSelector is the source of the replacement transformer.
#SourceSelector: {
// Structured field path expected in the allowed object.
fieldPath?: string @go(FieldPath)
// Used to refine the interpretation of the field.
options?: null | #FieldOptions @go(Options,*FieldOptions)
}
// TargetSelector specifies fields in one or more objects.
#TargetSelector: {
// Include objects that match this.
select?: null | #Selector @go(Select,*Selector)
// From the allowed set, remove objects that match this.
reject?: [...null | #Selector] @go(Reject,[]*Selector)
// Structured field paths expected in each allowed object.
fieldPaths?: [...string] @go(FieldPaths,[]string)
// Used to refine the interpretation of the field.
options?: null | #FieldOptions @go(Options,*FieldOptions)
}
// FieldOptions refine the interpretation of FieldPaths.
#FieldOptions: {
// Used to split/join the field.
delimiter?: string @go(Delimiter)
// Which position in the split to consider.
index?: int @go(Index)
// TODO (#3492): Implement use of this option
// None, Base64, URL, Hex, etc
encoding?: string @go(Encoding)
// If field missing, add it.
create?: bool @go(Create)
}

10
docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/replacementfield_go_gen.cue Normal file
View File

@@ -0,0 +1,10 @@
// Code generated by cue get go. DO NOT EDIT.
//cue:generate cue get go sigs.k8s.io/kustomize/api/types
package types
#ReplacementField: {
#Replacement
path?: string @go(Path)
}

17
docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/replica_go_gen.cue Normal file
View File

@@ -0,0 +1,17 @@
// Code generated by cue get go. DO NOT EDIT.
//cue:generate cue get go sigs.k8s.io/kustomize/api/types
package types
// Replica specifies a modification to a replica config.
// The number of replicas of a resource whose name matches will be set to count.
// This struct is used by the ReplicaCountTransform, and is meant to supplement
// the existing patch functionality with a simpler syntax for replica configuration.
#Replica: {
// The name of the resource to change the replica count
name?: string @go(Name)
// The number of replicas required.
count: int64 @go(Count)
}

19
docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/secretargs_go_gen.cue Normal file
View File

@@ -0,0 +1,19 @@
// Code generated by cue get go. DO NOT EDIT.
//cue:generate cue get go sigs.k8s.io/kustomize/api/types
package types
// SecretArgs contains the metadata of how to generate a secret.
#SecretArgs: {
#GeneratorArgs
// Type of the secret.
//
// This is the same field as the secret type field in v1/Secret:
// It can be "Opaque" (default), or "kubernetes.io/tls".
//
// If type is "kubernetes.io/tls", then "literals" or "files" must have exactly two
// keys: "tls.key" and "tls.crt"
type?: string @go(Type)
}

20
docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/selector_go_gen.cue Normal file
View File

@@ -0,0 +1,20 @@
// Code generated by cue get go. DO NOT EDIT.
//cue:generate cue get go sigs.k8s.io/kustomize/api/types
package types
// Selector specifies a set of resources.
// Any resource that matches intersection of all conditions
// is included in this set.
#Selector: {
// AnnotationSelector is a string that follows the label selection expression
// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
// It matches with the resource annotations.
annotationSelector?: string @go(AnnotationSelector)
// LabelSelector is a string that follows the label selection expression
// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
// It matches with the resource labels.
labelSelector?: string @go(LabelSelector)
}

36
docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/sortoptions_go_gen.cue Normal file
View File

@@ -0,0 +1,36 @@
// Code generated by cue get go. DO NOT EDIT.
//cue:generate cue get go sigs.k8s.io/kustomize/api/types
package types
// SortOptions defines the order that kustomize outputs resources.
#SortOptions: {
// Order selects the ordering strategy.
order?: #SortOrder @go(Order)
// LegacySortOptions tweaks the sorting for the "legacy" sort ordering
// strategy.
legacySortOptions?: null | #LegacySortOptions @go(LegacySortOptions,*LegacySortOptions)
}
// SortOrder defines different ordering strategies.
#SortOrder: string // #enumSortOrder
#enumSortOrder:
#LegacySortOrder |
#FIFOSortOrder
#LegacySortOrder: #SortOrder & "legacy"
#FIFOSortOrder: #SortOrder & "fifo"
// LegacySortOptions define various options for tweaking the "legacy" ordering
// strategy.
#LegacySortOptions: {
// OrderFirst selects the resource kinds to order first.
orderFirst: [...string] @go(OrderFirst,[]string)
// OrderLast selects the resource kinds to order last.
orderLast: [...string] @go(OrderLast,[]string)
}

12
docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/typemeta_go_gen.cue Normal file
View File

@@ -0,0 +1,12 @@
// Code generated by cue get go. DO NOT EDIT.
//cue:generate cue get go sigs.k8s.io/kustomize/api/types
package types
// TypeMeta partially copies apimachinery/pkg/apis/meta/v1.TypeMeta
// No need for a direct dependence; the fields are stable.
#TypeMeta: {
kind?: string @go(Kind)
apiVersion?: string @go(APIVersion)
}

45
docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/var_go_gen.cue Normal file
View File

@@ -0,0 +1,45 @@
// Code generated by cue get go. DO NOT EDIT.
//cue:generate cue get go sigs.k8s.io/kustomize/api/types
package types
// Var represents a variable whose value will be sourced
// from a field in a Kubernetes object.
#Var: {
// Value of identifier name e.g. FOO used in container args, annotations
// Appears in pod template as $(FOO)
name: string @go(Name)
// ObjRef must refer to a Kubernetes resource under the
// purview of this kustomization. ObjRef should use the
// raw name of the object (the name specified in its YAML,
// before addition of a namePrefix and a nameSuffix).
objref: #Target @go(ObjRef)
// FieldRef refers to the field of the object referred to by
// ObjRef whose value will be extracted for use in
// replacing $(FOO).
// If unspecified, this defaults to fieldPath: $defaultFieldPath
fieldref?: #FieldSelector @go(FieldRef)
}
// Target refers to a kubernetes object by Group, Version, Kind and Name
// gvk.Gvk contains Group, Version and Kind
// APIVersion is added to keep the backward compatibility of using ObjectReference
// for Var.ObjRef
#Target: {
apiVersion?: string @go(APIVersion)
name: string @go(Name)
namespace?: string @go(Namespace)
}
// FieldSelector contains the fieldPath to an object field.
// This struct is added to keep the backward compatibility of using ObjectFieldSelector
// for Var.FieldRef
#FieldSelector: {
fieldPath?: string @go(FieldPath)
}
// byName is a sort interface which sorts Vars by name alphabetically
_#byName: [...#Var]

184
docs/examples/cue.mod/gen/telemetry.istio.io/telemetry/v1alpha1/types_gen.cue Normal file
View File

@@ -0,0 +1,184 @@
// Code generated by timoni. DO NOT EDIT.
//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
package v1alpha1
import "strings"
#Telemetry: {
// Telemetry configuration for workloads. See more details at:
// https://istio.io/docs/reference/config/telemetry.html
spec!: #TelemetrySpec
apiVersion: "telemetry.istio.io/v1alpha1"
kind: "Telemetry"
metadata!: {
name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
string
}
namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
string
}
labels?: {
[string]: string
}
annotations?: {
[string]: string
}
}
}
// Telemetry configuration for workloads. See more details at:
// https://istio.io/docs/reference/config/telemetry.html
#TelemetrySpec: {
// Optional.
accessLogging?: [...{
// Controls logging.
disabled?: null | bool
filter?: {
// CEL expression for selecting when requests/connections should
// be logged.
expression?: string
}
match?: {
// This determines whether or not to apply the access logging
// configuration based on the direction of traffic relative to
// the proxied workload.
mode?: "CLIENT_AND_SERVER" | "CLIENT" | "SERVER"
}
// Optional.
providers?: [...{
// Required.
name: string
}]
}]
// Optional.
metrics?: [...{
// Optional.
overrides?: [...{
// Optional.
disabled?: null | bool
// Match allows provides the scope of the override.
match?: ({} | {
metric: _
} | {
customMetric: _
}) & {
// Allows free-form specification of a metric.
customMetric?: string
// One of the well-known Istio Standard Metrics.
metric?: "ALL_METRICS" | "REQUEST_COUNT" | "REQUEST_DURATION" | "REQUEST_SIZE" | "RESPONSE_SIZE" | "TCP_OPENED_CONNECTIONS" | "TCP_CLOSED_CONNECTIONS" | "TCP_SENT_BYTES" | "TCP_RECEIVED_BYTES" | "GRPC_REQUEST_MESSAGES" | "GRPC_RESPONSE_MESSAGES"
// Controls which mode of metrics generation is selected: CLIENT
// and/or SERVER.
mode?: "CLIENT_AND_SERVER" | "CLIENT" | "SERVER"
}
// Optional.
tagOverrides?: {
[string]: {
// Operation controls whether or not to update/add a tag, or to
// remove it.
operation?: "UPSERT" | "REMOVE"
// Value is only considered if the operation is `UPSERT`.
value?: string
}
}
}]
// Optional.
providers?: [...{
// Required.
name: string
}]
// Optional.
reportingInterval?: string
}]
selector?: {
// One or more labels that indicate a specific set of pods/VMs on
// which a policy should be applied.
matchLabels?: {
[string]: string
}
}
// Optional.
targetRef?: {
// group is the group of the target resource.
group?: string
// kind is kind of the target resource.
kind?: string
// name is the name of the target resource.
name?: string
// namespace is the namespace of the referent.
namespace?: string
}
// Optional.
tracing?: [...{
// Optional.
customTags?: {
[string]: ({} | {
literal: _
} | {
environment: _
} | {
header: _
}) & {
// Environment adds the value of an environment variable to each
// span.
environment?: {
// Optional.
defaultValue?: string
// Name of the environment variable from which to extract the tag
// value.
name?: string
}
// RequestHeader adds the value of an header from the request to
// each span.
header?: {
// Optional.
defaultValue?: string
// Name of the header from which to extract the tag value.
name?: string
}
literal?: {
// The tag value to use.
value?: string
}
}
}
// Controls span reporting.
disableSpanReporting?: null | bool
match?: {
// This determines whether or not to apply the tracing
// configuration based on the direction of traffic relative to
// the proxied workload.
mode?: "CLIENT_AND_SERVER" | "CLIENT" | "SERVER"
}
// Optional.
providers?: [...{
// Required.
name: string
}]
// Controls the rate at which traffic will be selected for tracing
// if no prior sampling decision has been made.
randomSamplingPercentage?: null | number
useRequestIdForTraceSampling?: null | bool
}]
}

6
docs/examples/cue.mod/usr/k8s.io/api/apps/v1/types.cue Normal file
View File

@@ -0,0 +1,6 @@
package v1
#Deployment: {
apiVersion: "apps/v1"
kind: "Deployment"
}

8
docs/examples/cue.mod/usr/k8s.io/api/batch/v1/types.cue
View File

@@ -1,11 +1,11 @@
package v1
#CronJob: {
apiVersion: "batch/v1"
kind: "CronJob"
apiVersion: "batch/v1"
kind: "CronJob"
}
#Job: {
apiVersion: "batch/v1"
kind: "Job"
apiVersion: "batch/v1"
kind: "Job"
}

21
docs/examples/cue.mod/usr/k8s.io/api/core/v1/types.cue
View File

@@ -1,21 +1,26 @@
package v1
#Namespace: {
apiVersion: "v1"
kind: "Namespace"
apiVersion: "v1"
kind: "Namespace"
}
#ConfigMap: {
apiVersion: "v1"
kind: "ConfigMap"
apiVersion: "v1"
kind: "ConfigMap"
}
#ServiceAccount: {
apiVersion: "v1"
kind: "ServiceAccount"
apiVersion: "v1"
kind: "ServiceAccount"
}
#Pod: {
apiVersion: "v1"
kind: "Pod"
apiVersion: "v1"
kind: "Pod"
}
#Service: {
apiVersion: "v1"
kind: "Service"
}

15
docs/examples/cue.mod/usr/sigs.k8s.io/kustomize/api/types/patch_go.cue Normal file
View File

@@ -0,0 +1,15 @@
package types
#Patch: {
// Path is a relative file path to the patch file.
path?: string @go(Path)
// Patch is the content of a patch.
patch?: string @go(Patch)
// Target points to the resources that the patch is applied to
target?: #Target | #Selector @go(Target,*Selector)
// Options is a list of options for the patch
options?: {[string]: bool} @go(Options,map[string]bool)
}

7
docs/examples/cue.mod/usr/sigs.k8s.io/kustomize/api/types/var_go.cue Normal file
View File

@@ -0,0 +1,7 @@
package types
#Target: {
group?: string @go(Group)
version?: string @go(Version)
kind?: string @go(Kind)
}

2
docs/examples/namespaces.cue
View File

@@ -3,6 +3,8 @@ package holos
// PlatformNamespace is a namespace to manage for Secret provisioning, SecretStore, etc...
#PlatformNamespace: {
name: string
labels?: {[string]: string}
annotations?: {[string]: string}
}
// #PlatformNamespaces is a list of namespaces to manage across the platform.

61
docs/examples/platforms/reference/certificates.cue Normal file
View File

@@ -0,0 +1,61 @@
package holos
#PlatformCerts: {
// Globally scoped platform services are defined here.
login: #PlatformCert & {
_name: "login"
_wildcard: true
_description: "Cert for Zitadel oidc identity provider for iam services"
}
// Cluster scoped services are defined here.
for cluster in #Platform.clusters {
"\(cluster.name)-httpbin": #ClusterCert & {
_name: "httpbin"
_cluster: cluster.name
_description: "Test endpoint to verify the service mesh ingress gateway"
}
}
}
// #PlatformCert provisions a cert in the provisioner cluster.
// Workload clusters use ExternalSecret resources to fetch the Secret tls key and cert from the provisioner cluster.
#PlatformCert: #Certificate & {
_name: string
_wildcard: true | *false
metadata: name: string | *_name
metadata: namespace: string | *"istio-ingress"
spec: {
commonName: string | *"\(_name).\(#Platform.org.domain)"
if _wildcard {
dnsNames: [commonName, "*.\(commonName)"]
}
if !_wildcard {
dnsNames: [commonName]
}
secretName: metadata.name
issuerRef: kind: "ClusterIssuer"
issuerRef: name: string | *"letsencrypt"
}
}
// #ClusterCert provisions a cluster specific certificate.
#ClusterCert: #Certificate & {
_name: string
_cluster: string
_wildcard: true | *false
metadata: name: string | *"\(_cluster)-\(_name)"
metadata: namespace: string | *"istio-ingress"
spec: {
commonName: string | *"\(_name).\(_cluster).\(#Platform.org.domain)"
if _wildcard {
dnsNames: [commonName, "*.\(commonName)"]
}
if !_wildcard {
dnsNames: [commonName]
}
secretName: metadata.name
issuerRef: kind: "ClusterIssuer"
issuerRef: name: string | *"letsencrypt"
}
}

10
docs/examples/platforms/reference/clusters/provisioner/iam/iam.cue Normal file
View File

@@ -0,0 +1,10 @@
package holos
// Components under this directory are part of this collection
#InputKeys: project: "iam"
// Shared dependencies for all components in this collection.
#DependsOn: _Namespaces
// Common Dependencies
_Namespaces: Namespaces: name: "\(#StageName)-secrets-namespaces"

108
docs/examples/platforms/reference/clusters/provisioner/iam/zitadel/crdb/crdbissuer.cue Normal file
View File

@@ -0,0 +1,108 @@
package holos
// Manage an Issuer for cockroachdb for zitadel.
// For the iam login service, zitadel connects to cockroach db using tls certs for authz.
// Upstream: "The recommended approach is to use cert-manager for certificate management. For details, refer to Deploy cert-manager for mTLS."
// Refer to https://www.cockroachlabs.com/docs/stable/secure-cockroachdb-kubernetes#deploy-cert-manager-for-mtls
#InputKeys: component: "crdb"
#KubernetesObjects & {
apiObjects: {
Issuer: {
// https://github.com/cockroachdb/helm-charts/blob/3dcf96726ebcfe3784afb526ddcf4095a1684aea/README.md?plain=1#L196-L201
crdb: #Issuer & {
_description: "Issues the self signed root ca cert for cockroach db"
metadata: name: #ComponentName
metadata: namespace: #TargetNamespace
spec: selfSigned: {}
}
"crdb-ca-issuer": #Issuer & {
_description: "Issues mtls certs for cockroach db"
metadata: name: "crdb-ca-issuer"
metadata: namespace: #TargetNamespace
spec: ca: secretName: "cockroach-ca"
}
}
Certificate: {
"crdb-ca-cert": #Certificate & {
_description: "Root CA cert for cockroach db"
metadata: name: "crdb-ca-cert"
metadata: namespace: #TargetNamespace
spec: {
commonName: "root"
isCA: true
issuerRef: group: "cert-manager.io"
issuerRef: kind: "Issuer"
issuerRef: name: "crdb"
privateKey: algorithm: "ECDSA"
privateKey: size: 256
secretName: "cockroach-ca"
subject: organizations: ["Cockroach"]
}
}
"crdb-node": #Certificate & {
metadata: name: "crdb-node"
metadata: namespace: #TargetNamespace
spec: {
commonName: "node"
dnsNames: [
"localhost",
"127.0.0.1",
"crdb-public",
"crdb-public.\(#TargetNamespace)",
"crdb-public.\(#TargetNamespace).svc.cluster.local",
"*.crdb",
"*.crdb.\(#TargetNamespace)",
"*.crdb.\(#TargetNamespace).svc.cluster.local",
]
duration: "876h"
issuerRef: group: "cert-manager.io"
issuerRef: kind: "Issuer"
issuerRef: name: "crdb-ca-issuer"
privateKey: algorithm: "RSA"
privateKey: size: 2048
renewBefore: "168h"
secretName: "cockroachdb-node"
subject: organizations: ["Cockroach"]
usages: ["digital signature", "key encipherment", "server auth", "client auth"]
}
}
"crdb-root-client": #Certificate & {
metadata: name: "crdb-root-client"
metadata: namespace: #TargetNamespace
spec: {
commonName: "root"
duration: "672h"
issuerRef: group: "cert-manager.io"
issuerRef: kind: "Issuer"
issuerRef: name: "crdb-ca-issuer"
privateKey: algorithm: "RSA"
privateKey: size: 2048
renewBefore: "48h"
secretName: "cockroachdb-root"
subject: organizations: ["Cockroach"]
usages: ["digital signature", "key encipherment", "client auth"]
}
}
}
Certificate: zitadel: #Certificate & {
metadata: name: "crdb-zitadel-client"
metadata: namespace: #TargetNamespace
spec: {
commonName: "zitadel"
issuerRef: {
group: "cert-manager.io"
kind: "Issuer"
name: "crdb-ca-issuer"
}
privateKey: algorithm: "RSA"
privateKey: size: 2048
renewBefore: "48h0m0s"
secretName: "cockroachdb-zitadel"
subject: organizations: ["Cockroach"]
usages: ["digital signature", "key encipherment", "client auth"]
}
}
}
}

7
docs/examples/platforms/reference/clusters/provisioner/iam/zitadel/zitadel.cue Normal file
View File

@@ -0,0 +1,7 @@
package holos
#TargetNamespace: #InstancePrefix + "-zitadel"
#DB: {
Host: "crdb-public"
}

20
docs/examples/platforms/reference/clusters/provisioner/mesh/certificates/certs.cue Normal file
View File

@@ -0,0 +1,20 @@
package holos
// Provision all platform certificates.
#InputKeys: component: "certificates"
// Certificates usually go into the istio-system namespace, but they may go anywhere.
#TargetNamespace: "default"
// Depends on issuers
#DependsOn: _LetsEncrypt
#KubernetesObjects & {
apiObjects: {
for k, obj in #PlatformCerts {
"\(obj.kind)": {
"\(obj.metadata.namespace)/\(obj.metadata.name)": obj
}
}
}
}

43
docs/examples/platforms/reference/clusters/provisioner/mesh/certmanager/certmanager.cue Normal file
View File

@@ -0,0 +1,43 @@
package holos
// https://cert-manager.io/docs/
#TargetNamespace: "cert-manager"
#InputKeys: {
component: "certmanager"
service: "cert-manager"
}
#HelmChart & {
values: #Values & {
installCRDs: true
startupapicheck: enabled: false
// Must not use kube-system on gke autopilot. GKE Warden authz blocks access.
global: leaderElection: namespace: #TargetNamespace
}
namespace: #TargetNamespace
chart: {
name: "cert-manager"
version: "1.14.3"
repository: {
name: "jetstack"
url: "https://charts.jetstack.io"
}
}
}
// https://cloud.google.com/kubernetes-engine/docs/concepts/autopilot-resource-requests#min-max-requests
#PodResources: {
requests: {
cpu: string | *"250m"
memory: string | *"512Mi"
"ephemeral-storage": string | *"100Mi"
}
}
// https://cloud.google.com/kubernetes-engine/docs/how-to/autopilot-spot-pods
#NodeSelector: {
"kubernetes.io/os": "linux"
"cloud.google.com/gke-spot": "true"
}

1254
docs/examples/platforms/reference/clusters/provisioner/mesh/certmanager/values.cue Normal file
View File

File diff suppressed because it is too large Load Diff

78
docs/examples/platforms/reference/clusters/provisioner/mesh/letsencrypt/issuers.cue Normal file
View File

@@ -0,0 +1,78 @@
package holos
// Lets Encrypt certificate issuers for public tls certs
#InputKeys: component: "letsencrypt"
#TargetNamespace: "cert-manager"
let Name = "letsencrypt"
// The cloudflare api token is platform scoped, not cluster scoped.
#SecretName: "cloudflare-api-token-secret"
// Depends on cert manager
#DependsOn: _CertManager
#KubernetesObjects & {
apiObjects: {
ClusterIssuer: {
letsencrypt: #ClusterIssuer & {
metadata: name: Name
spec: {
acme: {
email: #Platform.org.contact.email
server: "https://acme-v02.api.letsencrypt.org/directory"
privateKeySecretRef: name: Name
solvers: [{
dns01: cloudflare: {
email: #Platform.org.cloudflare.email
apiTokenSecretRef: name: #SecretName
apiTokenSecretRef: key: "api_token"
}}]
}
}
}
letsencryptStaging: #ClusterIssuer & {
metadata: name: Name + "-staging"
spec: {
acme: {
email: #Platform.org.contact.email
server: "https://acme-staging-v02.api.letsencrypt.org/directory"
privateKeySecretRef: name: Name + "-staging"
solvers: [{
dns01: cloudflare: {
email: #Platform.org.cloudflare.email
apiTokenSecretRef: name: #SecretName
apiTokenSecretRef: key: "api_token"
}}]
}
}
}
}
}
}
// _HTTPSolvers are disabled in the provisioner cluster, dns is the method supported by holos.
_HTTPSolvers: {
letsencryptHTTP: #ClusterIssuer & {
metadata: name: Name + "-http"
spec: {
acme: {
email: #Platform.org.contact.email
server: "https://acme-v02.api.letsencrypt.org/directory"
privateKeySecretRef: name: Name
solvers: [{http01: ingress: class: "istio"}]
}
}
}
letsencryptHTTPStaging: #ClusterIssuer & {
metadata: name: Name + "-http-staging"
spec: {
acme: {
email: #Platform.org.contact.email
server: "https://acme-staging-v02.api.letsencrypt.org/directory"
privateKeySecretRef: name: Name + "-staging"
solvers: [{http01: ingress: class: "istio"}]
}
}
}
}

13
docs/examples/platforms/reference/clusters/provisioner/mesh/mesh.cue Normal file
View File

@@ -0,0 +1,13 @@
package holos
// Components under this directory are part of this collection
#InputKeys: project: "mesh"
// Shared dependencies for all components in this collection.
#DependsOn: _Namespaces
// Common Dependencies
_Namespaces: Namespaces: name: "\(#StageName)-secrets-namespaces"
_CertManager: CertManager: name: "\(#InstancePrefix)-certmanager"
_LetsEncrypt: LetsEncrypt: name: "\(#InstancePrefix)-letsencrypt"
_Certificates: Certificates: name: "\(#InstancePrefix)-certificates"

27
docs/examples/platforms/reference/clusters/provisioner/components/eso-creds-refresher/component.cue → docs/examples/platforms/reference/clusters/provisioner/secrets/eso-creds-refresher/component.cue
View File

@@ -8,21 +8,24 @@ package holos
// - Namespace
// - ServiceAccount eso-reader, eso-writer
import "list"
// objects are kubernetes api objects to apply.
objects: list.FlattenN(_objects, 1)
_objects: [
#CredsRefresherIAM.role,
#CredsRefresherIAM.binding,
for ns in #PlatformNamespaces {(#PlatformNamespaceObjects & {_ns: ns}).objects},
]
// No flux kustomization
ksObjects: []
{} & #KubernetesObjects
#KubernetesObjects & {
apiObjects: {
let role = #CredsRefresherIAM.role
let binding = #CredsRefresherIAM.binding
ClusterRole: "\(role.metadata.name)": role
ClusterRoleBinding: "\(binding.metadata.name)": binding
for ns in #PlatformNamespaces {
for obj in (#PlatformNamespaceObjects & {_ns: ns}).objects {
let Kind = obj.kind
let Name = obj.metadata.name
"\(Kind)": "\(ns.name)/\(Name)": obj
}
}
}
}
#InputKeys: {
cluster: "provisioner"

0
docs/examples/platforms/reference/clusters/provisioner/components/eso-creds-refresher/readme.md → docs/examples/platforms/reference/clusters/provisioner/secrets/eso-creds-refresher/readme.md
View File

22
docs/examples/platforms/reference/clusters/workload/projects/secrets/components/namespaces/component.cue → docs/examples/platforms/reference/clusters/provisioner/secrets/namespaces/component.cue
View File

@@ -1,7 +1,5 @@
package holos
import "list"
#TargetNamespace: "default"
#InputKeys: {
@@ -20,12 +18,14 @@ import "list"
]
}
objects: list.FlattenN(_objects, 1)
_objects: [
for ns in #PlatformNamespaces {
(#PlatformNamespaceObjects & {_ns: ns}).objects
},
]
{} & #KubernetesObjects
#KubernetesObjects & {
apiObjects: {
for ns in #PlatformNamespaces {
for obj in (#PlatformNamespaceObjects & {_ns: ns}).objects {
let Kind = obj.kind
let Name = obj.metadata.name
"\(Kind)": "\(Name)": obj
}
}
}
}

0
docs/examples/platforms/reference/clusters/provisioner/components/namespaces/readme.md → docs/examples/platforms/reference/clusters/provisioner/secrets/namespaces/readme.md
View File

10
docs/examples/platforms/reference/clusters/workload/cloud/iam/iam.cue Normal file
View File

@@ -0,0 +1,10 @@
package holos
// Components under this directory are part of this collection
#InputKeys: project: "iam"
// Shared dependencies for all components in this collection.
#DependsOn: _Namespaces
// Common Dependencies
_Namespaces: Namespaces: name: "\(#StageName)-secrets-namespaces"

17
docs/examples/platforms/reference/clusters/workload/cloud/iam/readme.md Normal file
View File

@@ -0,0 +1,17 @@
# IAM
The IAM service provides identity and access management for a holos managed platform. Zitadel is the identity provider which integrates tightly with:
1. AuthorizationPolicy at the level of the service mesh.
2. Application level oidc login (ArgoCD, Grafana, etc...)
3. Cloud provider IAM via oidc.
## Preflight
The zitadel master key needs to have a data key named `masterkey` with a Secret name of `zitadel-masterkey`.
```bash
holos create secret zitadel-masterkey --namespace prod-iam-zitadel --append-hash=false --data-stdin <<EOF
{"masterkey":"$(tr -dc A-Za-z0-9 </dev/urandom | head -c 32)"}
EOF
```

20
docs/examples/platforms/reference/clusters/workload/cloud/iam/zitadel/crdb/cockroachdb.cue Normal file
View File

@@ -0,0 +1,20 @@
package holos
#InputKeys: component: "crdb"
#HelmChart & {
namespace: #TargetNamespace
chart: {
name: "cockroachdb"
version: "11.2.3"
repository: {
name: "cockroachdb"
url: "https://charts.cockroachdb.com/"
}
}
values: #Values
apiObjects: {
ExternalSecret: node: #ExternalSecret & {_name: "cockroachdb-node"}
ExternalSecret: root: #ExternalSecret & {_name: "cockroachdb-root"}
}
}

606
docs/examples/platforms/reference/clusters/workload/cloud/iam/zitadel/crdb/values.cue Normal file
View File

@@ -0,0 +1,606 @@
package holos
#Values: {
// Generated file, DO NOT EDIT. Source: build/templates/values.yaml
// Overrides the chart name against the label "app.kubernetes.io/name: " placed on every resource this chart creates.
nameOverride: ""
// Override the resource names created by this chart which originally is generated using release and chart name.
fullnameOverride: string | *""
image: {
repository: string | *"cockroachdb/cockroach"
tag: "v23.1.13"
pullPolicy: "IfNotPresent"
credentials: {}
}
// registry: docker.io
// username: john_doe
// password: changeme
// Additional labels to apply to all Kubernetes resources created by this chart.
labels: {}
// app.kubernetes.io/part-of: my-app
// Cluster's default DNS domain.
// You should overwrite it if you're using a different one,
// otherwise CockroachDB nodes discovery won't work.
clusterDomain: "cluster.local"
conf: {
// An ordered list of CockroachDB node attributes.
// Attributes are arbitrary strings specifying machine capabilities.
// Machine capabilities might include specialized hardware or number of cores
// (e.g. "gpu", "x16c").
attrs: []
// - x16c
// - gpu
// Total size in bytes for caches, shared evenly if there are multiple
// storage devices. Size suffixes are supported (e.g. `1GB` and `1GiB`).
// A percentage of physical memory can also be specified (e.g. `.25`).
cache: "25%"
// Sets a name to verify the identity of a cluster.
// The value must match between all nodes specified via `conf.join`.
// This can be used as an additional verification when either the node or
// cluster, or both, have not yet been initialized and do not yet know their
// cluster ID.
// To introduce a cluster name into an already-initialized cluster, pair this
// option with `conf.disable-cluster-name-verification: yes`.
"cluster-name": ""
// Tell the server to ignore `conf.cluster-name` mismatches.
// This is meant for use when opting an existing cluster into starting to use
// cluster name verification, or when changing the cluster name.
// The cluster should be restarted once with `conf.cluster-name` and
// `conf.disable-cluster-name-verification: yes` combined, and once all nodes
// have been updated to know the new cluster name, the cluster can be restarted
// again with `conf.disable-cluster-name-verification: no`.
// This option has no effect if `conf.cluster-name` is not specified.
"disable-cluster-name-verification": false
// The addresses for connecting a CockroachDB nodes to an existing cluster.
// If you are deploying a second CockroachDB instance that should join a first
// one, use the below list to join to the existing instance.
// Each item in the array should be a FQDN (and port if needed) resolvable by
// new Pods.
join: []
// New logging configuration.
log: {
enabled: false
// https://www.cockroachlabs.com/docs/v21.1/configure-logs
config: {}
}
// file-defaults:
// dir: /custom/dir/path/
// fluent-defaults:
// format: json-fluent
// sinks:
// stderr:
// channels: [DEV]
// Logs at or above this threshold to STDERR. Ignored when "log" is enabled
logtostderr: "INFO"
// Maximum storage capacity available to store temporary disk-based data for
// SQL queries that exceed the memory budget (e.g. join, sorts, etc are
// sometimes able to spill intermediate results to disk).
// Accepts numbers interpreted as bytes, size suffixes (e.g. `32GB` and
// `32GiB`) or a percentage of disk size (e.g. `10%`).
// The location of the temporary files is within the first store dir.
// If expressed as a percentage, `max-disk-temp-storage` is interpreted
// relative to the size of the storage device on which the first store is
// placed. The temp space usage is never counted towards any store usage
// (although it does share the device with the first store) so, when
// configuring this, make sure that the size of this temp storage plus the size
// of the first store don't exceed the capacity of the storage device.
// If the first store is an in-memory one (i.e. `type=mem`), then this
// temporary "disk" data is also kept in-memory.
// A percentage value is interpreted as a percentage of the available internal
// memory.
// max-disk-temp-storage: 0GB
// Maximum allowed clock offset for the cluster. If observed clock offsets
// exceed this limit, servers will crash to minimize the likelihood of
// reading inconsistent data. Increasing this value will increase the time
// to recovery of failures as well as the frequency of uncertainty-based
// read restarts.
// Note, that this value must be the same on all nodes in the cluster.
// In order to change it, all nodes in the cluster must be stopped
// simultaneously and restarted with the new value.
// max-offset: 500ms
// Maximum memory capacity available to store temporary data for SQL clients,
// including prepared queries and intermediate data rows during query
// execution. Accepts numbers interpreted as bytes, size suffixes
// (e.g. `1GB` and `1GiB`) or a percentage of physical memory (e.g. `.25`).
"max-sql-memory": "25%"
// An ordered, comma-separated list of key-value pairs that describe the
// topography of the machine. Topography might include country, datacenter
// or rack designations. Data is automatically replicated to maximize
// diversities of each tier. The order of tiers is used to determine
// the priority of the diversity, so the more inclusive localities like
// country should come before less inclusive localities like datacenter.
// The tiers and order must be the same on all nodes. Including more tiers
// is better than including fewer. For example:
// locality: country=us,region=us-west,datacenter=us-west-1b,rack=12
// locality: country=ca,region=ca-east,datacenter=ca-east-2,rack=4
// locality: planet=earth,province=manitoba,colo=secondary,power=3
locality: ""
// Run CockroachDB instances in standalone mode with replication disabled
// (replication factor = 1).
// Enabling this option makes the following values to be ignored:
// - `conf.cluster-name`
// - `conf.disable-cluster-name-verification`
// - `conf.join`
//
// WARNING: Enabling this option makes each deployed Pod as a STANDALONE
// CockroachDB instance, so the StatefulSet does NOT FORM A CLUSTER.
// Don't use this option for production deployments unless you clearly
// understand what you're doing.
// Usually, this option is intended to be used in conjunction with
// `statefulset.replicas: 1` for temporary one-time deployments (like
// running E2E tests, for example).
"single-node": false
// If non-empty, create a SQL audit log in the specified directory.
"sql-audit-dir": ""
// CockroachDB's port to listen to inter-communications and client connections.
port: 26257
// CockroachDB's port to listen to HTTP requests.
"http-port": 8080
// CockroachDB's data mount path.
path: "cockroach-data"
// CockroachDB's storage configuration https://www.cockroachlabs.com/docs/v21.1/cockroach-start.html#storage
// Uses --store flag
store: {
enabled: false
// Should be empty or 'mem'
type: null
// Required for type=mem. If type and size is empty - storage.persistentVolume.size is used
size: null
// Arbitrary strings, separated by colons, specifying disk type or capability
attrs: null
}
}
statefulset: {
replicas: 3
updateStrategy: type: "RollingUpdate"
podManagementPolicy: "Parallel"
budget: maxUnavailable: 1
// List of additional command-line arguments you want to pass to the
// `cockroach start` command.
args: []
// - --disable-cluster-name-verification
// List of extra environment variables to pass into container
env: []
// - name: COCKROACH_ENGINE_MAX_SYNC_DURATION
// value: "24h"
// List of Secrets names in the same Namespace as the CockroachDB cluster,
// which shall be mounted into `/etc/cockroach/secrets/` for every cluster
// member.
secretMounts: []
// Additional labels to apply to this StatefulSet and all its Pods.
labels: {
"app.kubernetes.io/component": "cockroachdb"
}
// Additional annotations to apply to the Pods of this StatefulSet.
annotations: {}
// Affinity rules for scheduling Pods of this StatefulSet on Nodes.
// https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity
nodeAffinity: {}
// Inter-Pod Affinity rules for scheduling Pods of this StatefulSet.
// https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity
podAffinity: {}
// Anti-affinity rules for scheduling Pods of this StatefulSet.
// https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity
// You may either toggle options below for default anti-affinity rules,
// or specify the whole set of anti-affinity rules instead of them.
podAntiAffinity: {
// The topologyKey to be used.
// Can be used to spread across different nodes, AZs, regions etc.
topologyKey: "kubernetes.io/hostname"
// Type of anti-affinity rules: either `soft`, `hard` or empty value (which
// disables anti-affinity rules).
type: "soft"
// Weight for `soft` anti-affinity rules.
// Does not apply for other anti-affinity types.
weight: 100
}
// Node selection constraints for scheduling Pods of this StatefulSet.
// https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
nodeSelector: {}
// PriorityClassName given to Pods of this StatefulSet
// https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
priorityClassName: ""
// Taints to be tolerated by Pods of this StatefulSet.
// https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
tolerations: []
// https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
topologySpreadConstraints: {
maxSkew: 1
topologyKey: "topology.kubernetes.io/zone"
whenUnsatisfiable: "ScheduleAnyway"
}
// Uncomment the following resources definitions or pass them from
// command line to control the CPU and memory resources allocated
// by Pods of this StatefulSet.
resources: {}
// limits:
// cpu: 100m
// memory: 512Mi
// requests:
// cpu: 100m
// memory: 512Mi
// Custom Liveness probe
// https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-a-liveness-http-request
customLivenessProbe: {}
// httpGet:
// path: /health
// port: http
// scheme: HTTPS
// initialDelaySeconds: 30
// periodSeconds: 5
// Custom Rediness probe
// https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-readiness-probes
customReadinessProbe: {}
// httpGet:
// path: /health
// port: http
// scheme: HTTPS
// initialDelaySeconds: 30
// periodSeconds: 5
securityContext: {
enabled: true
}
serviceAccount: {
// Specifies whether this ServiceAccount should be created.
create: true
// The name of this ServiceAccount to use.
// If not set and `create` is `true`, then service account is auto-generated.
// If not set and `create` is `false`, then it uses default service account.
name: ""
// Additional serviceAccount annotations (e.g. for attaching AWS IAM roles to pods)
annotations: {}
}
}
service: {
ports: {
// You can set a different external and internal gRPC ports and their name.
grpc: {
external: {
port: 26257
name: "grpc"
}
// If the port number is different than `external.port`, then it will be
// named as `internal.name` in Service.
internal: {
port: 26257
// If using Istio set it to `cockroach`.
name: "grpc-internal"
}
}
http: {
port: 8080
name: "http"
}
}
// This Service is meant to be used by clients of the database.
// It exposes a ClusterIP that will automatically load balance connections
// to the different database Pods.
public: {
type: "ClusterIP"
// Additional labels to apply to this Service.
labels: {
"app.kubernetes.io/component": "cockroachdb"
}
// Additional annotations to apply to this Service.
annotations: {}
}
// This service only exists to create DNS entries for each pod in
// the StatefulSet such that they can resolve each other's IP addresses.
// It does not create a load-balanced ClusterIP and should not be used directly
// by clients in most circumstances.
discovery: {
// Additional labels to apply to this Service.
labels: {
"app.kubernetes.io/component": "cockroachdb"
}
// Additional annotations to apply to this Service.
annotations: {}
}
}
// CockroachDB's ingress for web ui.
ingress: {
enabled: false
labels: {}
annotations: {}
// kubernetes.io/ingress.class: nginx
// cert-manager.io/cluster-issuer: letsencrypt
paths: ["/"]
hosts: []
// - cockroachlabs.com
tls: []
}
// - hosts: [cockroachlabs.com]
// secretName: cockroachlabs-tls
prometheus: {
enabled: true
}
securityContext: enabled: true
// CockroachDB's Prometheus operator ServiceMonitor support
serviceMonitor: {
enabled: false
labels: {}
annotations: {}
interval: "10s"
// scrapeTimeout: 10s
// Limits the ServiceMonitor to the current namespace if set to `true`.
namespaced: false
// tlsConfig: TLS configuration to use when scraping the endpoint.
// Of type: https://github.com/coreos/prometheus-operator/blob/main/Documentation/api.md#tlsconfig
tlsConfig: {}
}
// CockroachDB's data persistence.
// If neither `persistentVolume` nor `hostPath` is used, then data will be
// persisted in ad-hoc `emptyDir`.
storage: {
// Absolute path on host to store CockroachDB's data.
// If not specified, then `emptyDir` will be used instead.
// If specified, but `persistentVolume.enabled` is `true`, then has no effect.
hostPath: ""
// If `enabled` is `true` then a PersistentVolumeClaim will be created and
// used to store CockroachDB's data, otherwise `hostPath` is used.
persistentVolume: {
enabled: true
size: string | *"100Gi"
// If defined, then `storageClassName: <storageClass>`.
// If set to "-", then `storageClassName: ""`, which disables dynamic
// provisioning.
// If undefined or empty (default), then no `storageClassName` spec is set,
// so the default provisioner will be chosen (gp2 on AWS, standard on
// GKE, AWS & OpenStack).
storageClass: ""
// Additional labels to apply to the created PersistentVolumeClaims.
labels: {}
// Additional annotations to apply to the created PersistentVolumeClaims.
annotations: {}
}
}
// Kubernetes Job which initializes multi-node CockroachDB cluster.
// It's not created if `statefulset.replicas` is `1`.
init: {
// Additional labels to apply to this Job and its Pod.
labels: {
"app.kubernetes.io/component": "init"
}
// Additional annotations to apply to this Job.
jobAnnotations: {}
// Additional annotations to apply to the Pod of this Job.
annotations: {}
// Affinity rules for scheduling the Pod of this Job.
// https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity
affinity: {}
// Node selection constraints for scheduling the Pod of this Job.
// https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
nodeSelector: {}
// Taints to be tolerated by the Pod of this Job.
// https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
tolerations: []
// The init Pod runs at cluster creation to initialize CockroachDB. It finishes
// quickly and doesn't continue to consume resources in the Kubernetes
// cluster. Normally, you should leave this section commented out, but if your
// Kubernetes cluster uses Resource Quotas and requires all pods to specify
// resource requests or limits, you can set those here.
resources: {}
// requests:
// cpu: "10m"
// memory: "128Mi"
// limits:
// cpu: "10m"
// memory: "128Mi"
securityContext: {
enabled: true
}
provisioning: {
enabled: false
// https://www.cockroachlabs.com/docs/stable/cluster-settings.html
clusterSettings: null
// cluster.organization: "'FooCorp - Local Testing'"
// enterprise.license: "'xxxxx'"
users: []
// - name:
// password:
// # https://www.cockroachlabs.com/docs/stable/create-user.html#parameters
// options: [LOGIN]
databases: []
}
}
// - name:
// # https://www.cockroachlabs.com/docs/stable/create-database.html#parameters
// options: [encoding='utf-8']
// owners: []
// # https://www.cockroachlabs.com/docs/stable/grant.html#parameters
// owners_with_grant_option: []
// # Backup schedules are not idemponent for now and will fail on next run
// # https://github.com/cockroachdb/cockroach/issues/57892
// backup:
// into: s3://
// # Enterprise-only option (revision_history)
// # https://www.cockroachlabs.com/docs/stable/create-schedule-for-backup.html#backup-options
// options: [revision_history]
// recurring: '@always'
// # Enterprise-only feature. Remove this value to use `FULL BACKUP ALWAYS`
// fullBackup: '@daily'
// schedule:
// # https://www.cockroachlabs.com/docs/stable/create-schedule-for-backup.html#schedule-options
// options: [first_run = 'now']
// Whether to run securely using TLS certificates.
tls: {
enabled: true
copyCerts: image: "busybox"
certs: {
// Bring your own certs scenario. If provided, tls.init section will be ignored.
provided: true | *false
// Secret name for the client root cert.
clientRootSecret: "cockroachdb-root"
// Secret name for node cert.
nodeSecret: "cockroachdb-node"
// Secret name for CA cert
caSecret: "cockroach-ca"
// Enable if the secret is a dedicated TLS.
// TLS secrets are created by cert-mananger, for example.
tlsSecret: true | *false
// Enable if the you want cockroach db to create its own certificates
selfSigner: {
// If set, the cockroach db will generate its own certificates
enabled: false | *true
// Run selfSigner as non-root
securityContext: {
enabled: true
}
// If set, the user should provide the CA certificate to sign other certificates.
caProvided: false
// It holds the name of the secret with caCerts. If caProvided is set, this can not be empty.
caSecret: ""
// Minimum Certificate duration for all the certificates, all certs duration will be validated against this.
minimumCertDuration: "624h"
// Duration of CA certificates in hour
caCertDuration: "43800h"
// Expiry window of CA certificates means a window before actual expiry in which CA certs should be rotated.
caCertExpiryWindow: "648h"
// Duration of Client certificates in hour
clientCertDuration: "672h"
// Expiry window of client certificates means a window before actual expiry in which client certs should be rotated.
clientCertExpiryWindow: "48h"
// Duration of node certificates in hour
nodeCertDuration: "8760h"
// Expiry window of node certificates means a window before actual expiry in which node certs should be rotated.
nodeCertExpiryWindow: "168h"
// If set, the cockroachdb cert selfSigner will rotate the certificates before expiry.
rotateCerts: true
// Wait time for each cockroachdb replica to become ready once it comes in running state. Only considered when rotateCerts is set to true
readinessWait: "30s"
// Wait time for each cockroachdb replica to get to running state. Only considered when rotateCerts is set to true
podUpdateTimeout: "2m"
// ServiceAccount annotations for selfSigner jobs (e.g. for attaching AWS IAM roles to pods)
svcAccountAnnotations: {}
}
// Use cert-manager to issue certificates for mTLS.
certManager: true | *false
// Specify an Issuer or a ClusterIssuer to use, when issuing
// node and client certificates. The values correspond to the
// issuerRef specified in the certificate.
certManagerIssuer: {
group: "cert-manager.io"
kind: "Issuer"
name: string | *"cockroachdb"
// Make it false when you are providing your own CA issuer
isSelfSignedIssuer: true
// Duration of Client certificates in hours
clientCertDuration: "672h"
// Expiry window of client certificates means a window before actual expiry in which client certs should be rotated.
clientCertExpiryWindow: "48h"
// Duration of node certificates in hours
nodeCertDuration: "8760h"
// Expiry window of node certificates means a window before actual expiry in which node certs should be rotated.
nodeCertExpiryWindow: "168h"
}
}
selfSigner: {
// Additional annotations to apply to the Pod of this Job.
annotations: {}
// Affinity rules for scheduling the Pod of this Job.
// https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity
affinity: {}
// Node selection constraints for scheduling the Pod of this Job.
// https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
nodeSelector: {}
// Taints to be tolerated by the Pod of this Job.
// https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
tolerations: []
// Image Placeholder for the selfSigner utility. This will be changed once the CI workflows for the image is in place.
image: {
repository: "cockroachlabs-helm-charts/cockroach-self-signer-cert"
tag: "1.5"
pullPolicy: "IfNotPresent"
credentials: {}
registry: "gcr.io"
}
}
}
// username: john_doe
// password: changeme
networkPolicy: {
enabled: false
ingress: {
// List of sources which should be able to access the CockroachDB Pods via
// gRPC port. Items in this list are combined using a logical OR operation.
// Rules for allowing inter-communication are applied automatically.
// If empty, then connections from any Pod is allowed.
grpc: []
// - podSelector:
// matchLabels:
// app.kubernetes.io/name: my-app-django
// app.kubernetes.io/instance: my-app
// List of sources which should be able to access the CockroachDB Pods via
// HTTP port. Items in this list are combined using a logical OR operation.
// If empty, then connections from any Pod is allowed.
http: []
}
}
// - namespaceSelector:
// matchLabels:
// project: my-project
// To put the admin interface behind Identity Aware Proxy (IAP) on Google Cloud Platform
// make sure to set ingress.paths: ['/*']
iap: {
enabled: false
}
}

23
docs/examples/platforms/reference/clusters/workload/cloud/iam/zitadel/crdb/values.holos.cue Normal file
View File

@@ -0,0 +1,23 @@
package holos
#Values: {
image: repository: "quay.io/holos/cockroachdb/cockroach"
fullnameOverride: #ComponentName
tls: {
enabled: true
certs: {
// https://github.com/cockroachdb/helm-charts/blob/3dcf96726ebcfe3784afb526ddcf4095a1684aea/README.md?plain=1#L204-L215
selfSigner: enabled: false
certManager: false
provided: true
tlsSecret: true
}
}
storage: persistentVolume: {
enabled: true
size: "1Gi"
}
}

10
docs/examples/platforms/reference/clusters/workload/cloud/iam/zitadel/zitadel.cue Normal file
View File

@@ -0,0 +1,10 @@
package holos
#TargetNamespace: #InstancePrefix + "-zitadel"
#DB: {
Host: "crdb-public"
}
// The canonical login domain for the entire platform. Zitadel will be active on a singlec cluster at a time, but always accessible from this hostname.
#ExternalDomain: "login.\(#Platform.org.domain)"

251
docs/examples/platforms/reference/clusters/workload/cloud/iam/zitadel/zitadel/values.cue Normal file
View File

@@ -0,0 +1,251 @@
package holos
#Values: {
// Default values for zitadel.
zitadel: {
// The ZITADEL config under configmapConfig is written to a Kubernetes ConfigMap
// See all defaults here:
// https://github.com/zitadel/zitadel/blob/main/cmd/defaults.yaml
configmapConfig: {
ExternalSecure: true
Machine: Identification: {
Hostname: Enabled: true
Webhook: Enabled: false
}
}
// The ZITADEL config under secretConfig is written to a Kubernetes Secret
// See all defaults here:
// https://github.com/zitadel/zitadel/blob/main/cmd/defaults.yaml
secretConfig: null
// Annotations set on secretConfig secret
secretConfigAnnotations: {
"helm.sh/hook": "pre-install,pre-upgrade"
"helm.sh/hook-delete-policy": "before-hook-creation"
"helm.sh/hook-weight": "0"
}
// Reference the name of a secret that contains ZITADEL configuration.
configSecretName: null
// The key under which the ZITADEL configuration is located in the secret.
configSecretKey: "config-yaml"
// ZITADEL uses the masterkey for symmetric encryption.
// You can generate it for example with tr -dc A-Za-z0-9 </dev/urandom | head -c 32
masterkey: ""
// Reference the name of the secret that contains the masterkey. The key should be named "masterkey".
// Note: Either zitadel.masterkey or zitadel.masterkeySecretName must be set
masterkeySecretName: string | *""
// Annotations set on masterkey secret
masterkeyAnnotations: {
"helm.sh/hook": "pre-install,pre-upgrade"
"helm.sh/hook-delete-policy": "before-hook-creation"
"helm.sh/hook-weight": "0"
}
// The CA Certificate needed for establishing secure database connections
dbSslCaCrt: ""
// The Secret containing the CA certificate at key ca.crt needed for establishing secure database connections
dbSslCaCrtSecret: string | *""
// The db admins secret containing the client certificate and key at tls.crt and tls.key needed for establishing secure database connections
dbSslAdminCrtSecret: string | *""
// The db users secret containing the client certificate and key at tls.crt and tls.key needed for establishing secure database connections
dbSslUserCrtSecret: string | *""
// Generate a self-signed certificate using an init container
// This will also mount the generated files to /etc/tls/ so that you can reference them in the pod.
// E.G. KeyPath: /etc/tls/tls.key CertPath: /etc/tls/tls.crt
// By default, the SAN DNS names include, localhost, the POD IP address and the POD name. You may include one more by using additionalDnsName like "my.zitadel.fqdn".
selfSignedCert: {
enabled: false
additionalDnsName: null
}
}
replicaCount: 3
image: {
repository: "ghcr.io/zitadel/zitadel"
pullPolicy: "IfNotPresent"
// Overrides the image tag whose default is the chart appVersion.
tag: ""
}
chownImage: {
repository: "alpine"
pullPolicy: "IfNotPresent"
tag: "3.19"
}
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
// Annotations to add to the deployment
annotations: {}
// Annotations to add to the configMap
configMap: {
annotations: {
"helm.sh/hook": "pre-install,pre-upgrade"
"helm.sh/hook-delete-policy": "before-hook-creation"
"helm.sh/hook-weight": "0"
}
}
serviceAccount: {
// Specifies whether a service account should be created
create: true
// Annotations to add to the service account
annotations: {
"helm.sh/hook": "pre-install,pre-upgrade"
"helm.sh/hook-delete-policy": "before-hook-creation"
"helm.sh/hook-weight": "0"
}
// The name of the service account to use.
// If not set and create is true, a name is generated using the fullname template
name: ""
}
podAnnotations: {}
podAdditionalLabels: {}
podSecurityContext: {
runAsNonRoot: true
runAsUser: 1000
}
securityContext: {}
// Additional environment variables
env: []
// - name: ZITADEL_DATABASE_POSTGRES_HOST
// valueFrom:
// secretKeyRef:
// name: postgres-pguser-postgres
// key: host
service: {
type: "ClusterIP"
// If service type is "ClusterIP", this can optionally be set to a fixed IP address.
clusterIP: ""
port: 8080
protocol: "http2"
annotations: {}
scheme: "HTTP"
}
ingress: {
enabled: false
className: ""
annotations: {}
hosts: [{
host: "localhost"
paths: [{
path: "/"
pathType: "Prefix"
}]
}]
tls: []
}
resources: {}
nodeSelector: {}
tolerations: []
affinity: {}
topologySpreadConstraints: []
initJob: {
// Once ZITADEL is installed, the initJob can be disabled.
enabled: true
annotations: {
"helm.sh/hook": "pre-install,pre-upgrade"
"helm.sh/hook-delete-policy": "before-hook-creation"
"helm.sh/hook-weight": "1"
}
resources: {}
backoffLimit: 5
activeDeadlineSeconds: 300
extraContainers: []
podAnnotations: {}
// Available init commands :
// "": initialize ZITADEL instance (without skip anything)
// database: initialize only the database
// grant: set ALL grant to user
// user: initialize only the database user
// zitadel: initialize ZITADEL internals (skip "create user" and "create database")
command: ""
}
setupJob: {
annotations: {
"helm.sh/hook": "pre-install,pre-upgrade"
"helm.sh/hook-delete-policy": "before-hook-creation"
"helm.sh/hook-weight": "2"
}
resources: {}
activeDeadlineSeconds: 300
extraContainers: []
podAnnotations: {}
additionalArgs: ["--init-projections=true"]
machinekeyWriter: {
image: {
repository: "bitnami/kubectl"
tag: ""
}
resources: {}
}
}
readinessProbe: {
enabled: true
initialDelaySeconds: 0
periodSeconds: 5
failureThreshold: 3
}
livenessProbe: {
enabled: true
initialDelaySeconds: 0
periodSeconds: 5
failureThreshold: 3
}
startupProbe: {
enabled: true
periodSeconds: 1
failureThreshold: 30
}
metrics: {
enabled: false
serviceMonitor: {
// If true, the chart creates a ServiceMonitor that is compatible with Prometheus Operator
// https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#monitoring.coreos.com/v1.ServiceMonitor.
// The Prometheus community Helm chart installs this operator
// https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack#kube-prometheus-stack
enabled: false
honorLabels: false
honorTimestamps: true
}
}
pdb: {
enabled: false
// these values are used for the PDB and are mutally exclusive
minAvailable: 1
// maxUnavailable: 1
annotations: {}
}
}

Some files were not shown because too many files have changed in this diff Show More