Merge pull request #190 from holos-run/jeff/189-reference-docs

(#189) v1alpha2 API for reference docs

.github/workflows/lint.yaml

@@ -1,6 +1,7 @@
+---
 # https://github.com/golangci/golangci-lint-action?tab=readme-ov-file#how-to-use
 name: Lint
-on:
+"on":
   push:
     branches:
       - main
@@ -14,14 +15,35 @@ permissions:
 jobs:
   golangci:
     name: lint
-    runs-on: [self-hosted, k8s]
+    runs-on: gha-rs
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
         with:
           go-version: stable
-          cache: false
+
+      - name: Install Packages
+        run: sudo apt update && sudo apt -qq -y install git curl zip unzip tar bzip2 make
+
+      - name: Install Tools
+        run: |
+          set -x
+          make tools
+          make buf
+          go generate ./...
+          make frontend
+          go mod tidy
+
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v3
+        uses: golangci/golangci-lint-action@v4
         with:
           version: latest
+          skip-pkg-cache: true

.github/workflows/release.yaml

@@ -2,32 +2,61 @@ name: Release
 
 on:
   push:
-    # Run only against tags
     tags:
       - '*'
+    branches:
+      - release
 
 permissions:
   contents: write
 
 jobs:
   goreleaser:
-    runs-on: [self-hosted, k8s]
+    runs-on: gha-rs
     steps:
+      # Must come before Checkout, otherwise goreleaser fails
+      - name: Provide GPG and Git
+        run: sudo apt update && sudo apt -qq -y install gnupg git curl zip unzip tar bzip2 make
+
+      # Must come after git executable is provided
       - name: Checkout
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+
+      - name: Set up Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: stable
+
+      # Necessary to run these outside of goreleaser, otherwise
+      # /home/runner/_work/holos/holos/internal/frontend/node_modules/.bin/protoc-gen-connect-query is not in PATH
+      - name: Install Tools
+        run: |
+          set -x
+          make tools
+          make buf
+          go generate ./...
+          make frontend
+          go mod tidy
+
       - name: Import GPG key
         uses: crazy-max/ghaction-import-gpg@v6
         with:
           gpg_private_key: ${{ secrets.GPG_CODE_SIGNING_SECRETKEY }}
           passphrase: ${{ secrets.GPG_CODE_SIGNING_PASSPHRASE }}
+
       - name: List keys
         run: gpg -K
-      - name: Set up Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: stable
+
+      - name: Git diff
+        run: git diff
+
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v5
         with:

.github/workflows/test.yaml

@@ -13,15 +13,38 @@ permissions:
 
 jobs:
   test:
-    runs-on: [self-hosted, k8s]
+    runs-on: gha-rs
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
 
+      - name: Set up Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+
       - name: Set up Go
         uses: actions/setup-go@v5
         with:
           go-version: stable
 
+      - name: Install Packages
+        run: sudo apt update && sudo apt -qq -y install git curl zip unzip tar bzip2 make
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+
+      - name: Set up Kubectl
+        uses: azure/setup-kubectl@v3
+
+      - name: Install Tools
+        run: |
+          set -x
+          make tools
+          make buf
+          go generate ./...
+          make frontend
+          go mod tidy
+
       - name: Test
         run: ./scripts/test

.gitignore

@@ -1,7 +1,9 @@
-bin/
+/bin/
 vendor/
 .idea/
 coverage.out
-dist/
+/dist/
 *.hold/
 /deploy/
+.vscode/
+tmp/

.golangci.yaml

@@ -0,0 +1,2 @@
+run:
+  timeout: 5m

.goreleaser.yaml

@@ -10,10 +10,8 @@ version: 1
 
 before:
   hooks:
-    # You may remove this if you don't use go modules.
-    - go mod tidy
-    # you may remove this if you don't need go generate
     - go generate ./...
+    - go mod tidy
 
 builds:
   - main: ./cmd/holos
@@ -23,6 +21,9 @@ builds:
       - linux
       - windows
       - darwin
+    goarch:
+      - amd64
+      - arm64
 
 signs:
   - artifacts: checksum

Dockerfile

@@ -0,0 +1,8 @@
+FROM quay.io/holos-run/debian:bullseye AS final
+USER root
+WORKDIR /app
+ADD bin bin
+RUN chown -R app: /app
+# Kubernetes requires the user to be numeric
+USER 8192
+ENTRYPOINT bin/holos server

Makefile

@@ -4,19 +4,24 @@ PROJ=holos
 ORG_PATH=github.com/holos-run
 REPO_PATH=$(ORG_PATH)/$(PROJ)
 
-VERSION := $(shell grep "const Version " pkg/version/version.go | sed -E 's/.*"(.+)"$$/\1/')
+VERSION := $(shell cat version/embedded/major version/embedded/minor version/embedded/patch | xargs printf "%s.%s.%s")
 BIN_NAME := holos
 
-DOCKER_REPO=quay.io/openinfrastructure/holos
+DOCKER_REPO=quay.io/holos-run/holos
 IMAGE_NAME=$(DOCKER_REPO)
 
 $( shell mkdir -p bin)
 
+# For buf plugin protoc-gen-connect-es
+export PATH := $(PWD)/internal/frontend/holos/node_modules/.bin:$(PATH)
+
 GIT_COMMIT=$(shell git rev-parse HEAD)
+GIT_SUFFIX=$(shell test -n "`git status --porcelain`" && echo "-dirty" || echo "")
+GIT_DETAIL=$(shell git describe --tags HEAD)
 GIT_TREE_STATE=$(shell test -n "`git status --porcelain`" && echo "dirty" || echo "clean")
 BUILD_DATE=$(shell date -Iseconds)
 
-LD_FLAGS="-w -X ${ORG_PATH}/${PROJ}/pkg/version.GitCommit=${GIT_COMMIT} -X ${ORG_PATH}/${PROJ}/pkg/version.GitTreeState=${GIT_TREE_STATE} -X ${ORG_PATH}/${PROJ}/pkg/version.BuildDate=${BUILD_DATE}"
+LD_FLAGS="-w -X ${ORG_PATH}/${PROJ}/version.GitDescribe=${GIT_DETAIL}${GIT_SUFFIX} -X ${ORG_PATH}/${PROJ}/version.GitCommit=${GIT_COMMIT} -X ${ORG_PATH}/${PROJ}/version.GitTreeState=${GIT_TREE_STATE} -X ${ORG_PATH}/${PROJ}/version.BuildDate=${BUILD_DATE}"
 
 .PHONY: default
 default: test
@@ -39,24 +44,48 @@ bumpmajor: ## Bump the major version.
 	scripts/bump minor 0
 	scripts/bump patch 0
 
+.PHONY: show-version
+show-version: ## Print the full version.
+	@echo $(VERSION)
+
 .PHONY: tidy
 tidy: ## Tidy go module.
 	go mod tidy
 
 .PHONY: fmt
-fmt: ## Format Go code.
+fmt: ## Format code.
+	cd docs/examples && cue fmt ./...
+	cd internal/generate/platforms && cue fmt ./...
 	go fmt ./...
 
 .PHONY: vet
 vet: ## Vet Go code.
 	go vet ./...
 
+.PHONY: gencue
+gencue: ## Generate CUE definitions
+	cd internal/generate/platforms && cue get go github.com/holos-run/holos/api/v1alpha1/...
+	cd internal/generate/platforms && cue get go github.com/holos-run/holos/api/core/...
+	cd internal/generate/platforms && cue get go github.com/holos-run/holos/api/meta/...
+
+.PHONY: rmgen
+rmgen: ## Remove generated code
+	git rm -rf service/gen/ internal/frontend/holos/src/app/gen/ || true
+	rm -rf service/gen/ internal/frontend/holos/src/app/gen/
+	git rm -rf internal/ent/
+	rm -rf internal/ent/
+	git restore --staged internal/ent/generate.go internal/ent/schema/
+	git restore internal/ent/generate.go internal/ent/schema/
+
+.PHONY: regenerate
+regenerate: generate ## Re-generate code (delete and re-create)
+
 .PHONY: generate
-generate: ## Generate code.
+generate: buf gencue ## Generate code.
 	go generate ./...
 
 .PHONY: build
-build: generate ## Build holos executable.
+build: generate frontend ## Build holos executable.
 	@echo "building ${BIN_NAME} ${VERSION}"
 	@echo "GOPATH=${GOPATH}"
 	go build -trimpath -o bin/$(BIN_NAME) -ldflags $(LD_FLAGS) $(REPO_PATH)/cmd/$(BIN_NAME)
@@ -75,6 +104,8 @@ test: ## Run tests.
 
 .PHONY: lint
 lint: ## Run linters.
+	buf lint
+	cd internal/frontend/holos && ng lint
 	golangci-lint run
 
 .PHONY: coverage
@@ -85,6 +116,47 @@ coverage: test  ## Test coverage profile.
 snapshot:  ## Go release snapshot
 	goreleaser release --snapshot --clean
 
+.PHONY: buf
+buf: ## buf generate
+	cd service && buf dep update
+	buf generate
+
+.PHONY: tools
+tools: go-deps frontend-deps  ## install tool dependencies
+
+.PHONY: go-deps
+go-deps: ## tool versions pinned in tools.go
+	go install cuelang.org/go/cmd/cue
+	go install github.com/bufbuild/buf/cmd/buf
+	go install github.com/fullstorydev/grpcurl/cmd/grpcurl
+	go install google.golang.org/protobuf/cmd/protoc-gen-go
+	go install connectrpc.com/connect/cmd/protoc-gen-connect-go
+	go install honnef.co/go/tools/cmd/staticcheck
+	go install golang.org/x/tools/cmd/godoc
+	# curl https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | bash
+
+.PHONY: frontend-deps
+frontend-deps: ## Setup npm and vite
+	cd internal/frontend/holos && npm install
+	cd internal/frontend/holos && npm install --save-dev @bufbuild/buf @connectrpc/protoc-gen-connect-es
+	cd internal/frontend/holos && npm install @connectrpc/connect @connectrpc/connect-web @bufbuild/protobuf
+	# https://github.com/connectrpc/connect-query-es/blob/1350b6f07b6aead81793917954bdb1cc3ce09df9/packages/protoc-gen-connect-query/README.md?plain=1#L23
+	cd internal/frontend/holos && npm install --save-dev @connectrpc/protoc-gen-connect-query @bufbuild/protoc-gen-es
+	cd internal/frontend/holos && npm install @connectrpc/connect-query @bufbuild/protobuf
+
+
+.PHONY: frontend
+frontend: buf
+	cd internal/frontend/holos && rm -rf dist
+	mkdir -p internal/frontend/holos/dist
+	cd internal/frontend/holos && ng build
+	touch internal/frontend/frontend.go
+
+.PHONY: image
+image: build ## Docker image build
+	docker build . -t ${DOCKER_REPO}:v$(shell ./bin/holos --version)
+	docker push ${DOCKER_REPO}:v$(shell ./bin/holos --version)
+
 .PHONY: help
 help:  ## Display this help menu.
 	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf "  \033[36m%-20s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)

README.md

@@ -0,0 +1 @@
+# Holos

Tiltfile

@@ -0,0 +1,311 @@
+# -*- mode: Python -*-
+# This Tiltfile manages a Go project with live leload in Kubernetes
+
+listen_port = 3000
+metrics_port = 9090
+
+# Use our wrapper to set the kube namespace
+if os.getenv('TILT_WRAPPER') != '1':
+    fail("could not run, ./hack/tilt/bin/tilt was not used to start tilt")
+
+# AWS Account to work in
+aws_account = '271053619184'
+aws_region = 'us-east-2'
+
+# Resource ids
+holos_backend = 'Holos Backend'
+pg_admin = 'pgAdmin'
+pg_cluster = 'PostgresCluster'
+pg_svc = 'Database Pod'
+compile_id = 'Go Build'
+auth_id = 'Auth Policy'
+lint_id = 'Run Linters'
+tests_id = 'Run Tests'
+
+# PostgresCluster resource name in k8s
+pg_cluster_name = 'holos'
+# Database name inside the PostgresCluster
+pg_database_name = 'holos'
+# PGAdmin name
+pg_admin_name = 'pgadmin'
+
+# Default Registry.
+# See: https://github.com/tilt-dev/tilt.build/blob/master/docs/choosing_clusters.md#manual-configuration
+# Note, Tilt will append the image name to the registry uri path
+default_registry('{account}.dkr.ecr.{region}.amazonaws.com/holos-run/holos-server'.format(account=aws_account, region=aws_region))
+
+# Set a name prefix specific to the user.  Multiple developers share the tilt-holos namespace.
+developer = os.getenv('USER')
+holos_server = 'holos'
+# See ./hack/tilt/bin/tilt
+namespace = os.getenv('NAMESPACE')
+# We always develop against the k1 cluster.
+os.putenv('KUBECONFIG', os.path.abspath('./hack/tilt/kubeconfig'))
+# The context defined in ./hack/tilt/kubeconfig
+allow_k8s_contexts('sso@k1')
+allow_k8s_contexts('sso@k2')
+allow_k8s_contexts('sso@k3')
+allow_k8s_contexts('sso@k4')
+allow_k8s_contexts('sso@k5')
+# PG db connection for localhost -> k8s port-forward
+os.putenv('PGHOST', 'localhost')
+os.putenv('PGPORT', '15432')
+# We always develop in the dev aws account.
+os.putenv('AWS_CONFIG_FILE', os.path.abspath('./hack/tilt/aws.config'))
+os.putenv('AWS_ACCOUNT', aws_account)
+os.putenv('AWS_DEFAULT_REGION', aws_region)
+os.putenv('AWS_PROFILE', 'dev-holos')
+os.putenv('AWS_SDK_LOAD_CONFIG', '1')
+# Authenticate to AWS ECR when tilt up is run by the developer
+local_resource('AWS Credentials', './hack/tilt/aws-login.sh', auto_init=True)
+
+# Extensions are open-source, pre-packaged functions that extend Tilt
+#
+#   More info: https://github.com/tilt-dev/tilt-extensions
+#   More info: https://docs.tilt.dev/extensions.html
+load('ext://restart_process', 'docker_build_with_restart')
+load('ext://k8s_attach', 'k8s_attach')
+load('ext://git_resource', 'git_checkout')
+load('ext://uibutton', 'cmd_button')
+
+# Paths edited by the developer Tilt watches to trigger compilation.
+# Generated files should be excluded to avoid an infinite build loop.
+developer_paths = [
+    './cmd',
+    './internal/server',
+    './internal/ent/schema',
+    './frontend/package-lock.json',
+    './frontend/src',
+    './go.mod',
+    './pkg',
+    './service/holos',
+]
+
+# Builds the holos-server executable
+local_resource(compile_id, 'make build', deps=developer_paths)
+
+# Build Docker image
+#   Tilt will automatically associate image builds with the resource(s)
+#   that reference them (e.g. via Kubernetes or Docker Compose YAML).
+#
+#   More info: https://docs.tilt.dev/api.html#api.docker_build
+#
+docker_build_with_restart(
+    'holos',
+    context='.',
+    entrypoint=[
+        '/app/bin/holos',
+        'server',
+        '--listen-port={}'.format(listen_port),
+        '--oidc-issuer=https://login.ois.run',
+        '--oidc-audience=262096764402729854@holos_platform',
+        '--log-level=debug',
+        '--metrics-port={}'.format(metrics_port),
+    ],
+    dockerfile='./hack/tilt/Dockerfile',
+    only=['./bin'],
+    # (Recommended) Updating a running container in-place
+    # https://docs.tilt.dev/live_update_reference.html
+    live_update=[
+        # Sync files from host to container
+        sync('./bin', '/app/bin'),
+        # Wait for aws-login https://github.com/tilt-dev/tilt/issues/3048
+        sync('./tilt/aws-login.last', '/dev/null'),
+        # Execute commands in the container when paths change
+        # run('/app/hack/codegen.sh', trigger=['./app/api'])
+    ],
+)
+
+
+# Run local commands
+#   Local commands can be helpful for one-time tasks like installing
+#   project prerequisites. They can also manage long-lived processes
+#   for non-containerized services or dependencies.
+#
+#   More info: https://docs.tilt.dev/local_resource.html
+#
+# local_resource('install-helm',
+#                cmd='which helm > /dev/null || brew install helm',
+#                # `cmd_bat`, when present, is used instead of `cmd` on Windows.
+#                cmd_bat=[
+#                    'powershell.exe',
+#                    '-Noninteractive',
+#                    '-Command',
+#                    '& {if (!(Get-Command helm -ErrorAction SilentlyContinue)) {scoop install helm}}'
+#                ]
+# )
+
+# Teach tilt about our custom resources (Note, this may be intended for workloads)
+# k8s_kind('authorizationpolicy')
+# k8s_kind('requestauthentication')
+# k8s_kind('virtualservice')
+k8s_kind('pgadmin')
+
+
+# Troubleshooting
+def resource_name(id):
+    print('resource: {}'.format(id))
+    return id.name
+
+
+workload_to_resource_function(resource_name)
+
+# Apply Kubernetes manifests
+#   Tilt will build & push any necessary images, re-deploying your
+#   resources as they change.
+#
+#   More info: https://docs.tilt.dev/api.html#api.k8s_yaml
+#
+
+def holos_yaml():
+    """Return a k8s Deployment personalized for the developer."""
+    k8s_yaml_template = str(read_file('./hack/tilt/k8s.yaml'))
+    return k8s_yaml_template.format(
+        name=holos_server,
+        developer=developer,
+        namespace=namespace,
+        listen_port=listen_port,
+        metrics_port=metrics_port,
+        tz=os.getenv('TZ'),
+    )
+
+# Customize a Kubernetes resource
+#   By default, Kubernetes resource names are automatically assigned
+#   based on objects in the YAML manifests, e.g. Deployment name.
+#
+#   Tilt strives for sane defaults, so calling k8s_resource is
+#   optional, and you only need to pass the arguments you want to
+#   override.
+#
+#   More info: https://docs.tilt.dev/api.html#api.k8s_resource
+#
+k8s_yaml(blob(holos_yaml()))
+
+# Backend server process
+k8s_resource(
+    workload=holos_server,
+    new_name=holos_backend,
+    objects=[
+        '{}:serviceaccount'.format(holos_server),
+        '{}:servicemonitor'.format(holos_server),
+    ],
+    resource_deps=[compile_id],
+    links=[
+        link('https://{}.app.dev.k2.holos.run/ui/'.format(developer), "Holos Web UI")
+    ],
+)
+
+
+# AuthorizationPolicy - Beyond Corp functionality
+k8s_resource(
+    new_name=auth_id,
+    objects=[
+      '{}:virtualservice'.format(holos_server),
+    ],
+)
+
+# Database
+# Note: Tilt confuses the backup pods with the database server pods, so this code is careful to tease the pods
+# apart so logs are streamed correctly.
+# See: https://github.com/tilt-dev/tilt.specs/blob/master/resource_assembly.md
+
+# pgAdmin Web UI
+k8s_resource(
+    workload=pg_admin_name,
+    new_name=pg_admin,
+    port_forwards=[
+        port_forward(15050, 5050, pg_admin),
+    ],
+)
+
+# Disabled because these don't group resources nicely
+# k8s_kind('postgrescluster')
+
+# Postgres database in-cluster
+k8s_resource(
+    new_name=pg_cluster,
+    objects=['holos:postgrescluster'],
+)
+
+# Needed to select the database by label
+# https://docs.tilt.dev/api.html#api.k8s_custom_deploy
+k8s_custom_deploy(
+    pg_svc,
+    apply_cmd=['./hack/tilt/k8s-get-db-sts', pg_cluster_name],
+    delete_cmd=['echo', 'Skipping delete.  Object managed by custom resource.'],
+    deps=[],
+)
+k8s_resource(
+    pg_svc,
+    port_forwards=[
+        port_forward(15432, 5432, 'psql'),
+    ],
+    resource_deps=[pg_cluster]
+)
+
+
+# Run tests
+local_resource(
+    tests_id,
+    'make test',
+    allow_parallel=True,
+    auto_init=False,
+    deps=developer_paths,
+)
+
+# Run linter
+local_resource(
+    lint_id,
+    'make lint',
+    allow_parallel=True,
+    auto_init=False,
+    deps=developer_paths,
+)
+
+# UI Buttons for helpful things.
+# Icons: https://fonts.google.com/icons
+os.putenv("GH_FORCE_TTY", "80%")
+cmd_button(
+    '{}:go-test-failfast'.format(tests_id),
+    argv=['./hack/tilt/go-test-failfast'],
+    resource=tests_id,
+    icon_name='quiz',
+    text='Fail Fast',
+)
+cmd_button(
+    '{}:issues'.format(holos_server),
+    argv=['./hack/tilt/gh-issues'],
+    resource=holos_backend,
+    icon_name='folder_data',
+    text='Issues',
+)
+cmd_button(
+    '{}:gh-issue-view'.format(holos_server),
+    argv=['./hack/tilt/gh-issue-view'],
+    resource=holos_backend,
+    icon_name='task',
+    text='View Issue',
+)
+cmd_button(
+    '{}:get-pgdb-creds'.format(holos_server),
+    argv=['./hack/tilt/get-pgdb-creds', pg_cluster_name, pg_database_name],
+    resource=pg_svc,
+    icon_name='lock_open_right',
+    text='DB Creds',
+)
+cmd_button(
+    '{}:get-pgdb-creds'.format(pg_admin_name),
+    argv=['./hack/tilt/get-pgdb-creds', pg_cluster_name, pg_database_name],
+    resource=pg_admin,
+    icon_name='lock_open_right',
+    text='DB Creds',
+)
+cmd_button(
+    '{}:get-pgadmin-creds'.format(pg_admin_name),
+    argv=['./hack/tilt/get-pgadmin-creds', pg_admin_name],
+    resource=pg_admin,
+    icon_name='lock_open_right',
+    text='pgAdmin Login',
+)
+
+print("✨ Tiltfile evaluated")

api/core/v1alpha2/apiobjects.go

@@ -0,0 +1,38 @@
+package v1alpha2
+
+import "google.golang.org/protobuf/types/known/structpb"
+
+// Label is an arbitrary unique identifier.  Defined as a type for clarity and type checking.
+type Label string
+
+// Kind is a kubernetes api object kind. Defined as a type for clarity and type checking.
+type Kind string
+
+// APIObjectMap represents the marshalled yaml representation of kubernetes api
+// objects.  Do not produce an APIObjectMap directly, instead use [APIObjects]
+// to produce the marshalled yaml representation from CUE data, then provide the
+// result to [HolosComponent].
+type APIObjectMap map[Kind]map[Label]string
+
+// APIObjects represents kubernetes api objects to apply to the api server.
+// Useful to mix in resources to each HolosComponent type, for example adding an
+// ExternalSecret to a HelmChart HolosComponent.
+//
+// Kind must be the resource kind, e.g. Deployment or Service.
+//
+// Label is an arbitrary internal identifier to uniquely identify the resource
+// within the context of a `holos` command.  Holos will never write the
+// intermediate label to rendered output.
+//
+// Refer to [HolosComponent] which accepts an [APIObjectMap] field provided by
+// [APIObjects].
+type APIObjects struct {
+	// APIObjects represents Kubernetes API objects defined directly from CUE
+	// code.  Useful to mix in resources, for example adding an ExternalSecret
+	// resource to a HelmChart HolosComponent.
+	APIObjects map[Kind]map[Label]structpb.Struct `json:"apiObjects"`
+	// APIObjectMap represents the marshalled yaml representation of APIObjects,
+	// useful to inspect the rendered representation of the resource which will be
+	// sent to the kubernetes API server.
+	APIObjectMap APIObjectMap `json:"apiObjectMap"`
+}

api/core/v1alpha2/buildplan.go

@@ -0,0 +1,116 @@
+package v1alpha2
+
+import (
+	"fmt"
+	"strings"
+)
+
+// FileContentMap represents a mapping of file names to file content.
+type FileContentMap map[string]string
+
+// BuildPlan represents a build plan for the holos cli to execute.  A build plan
+// is a set of zero or more holos components.  The purpose of a BuildPlan is to
+// define one or more [HolosComponent] kinds, for example a [HelmChart] or
+// [KustomizeBuild].
+//
+// A BuildPlan usually has an additional empty [KubernetesObjects] for the
+// purpose of using the [HolosComponent] DeployFiles field to deploy an ArgoCD
+// or Flux gitops resource for the holos component.
+type BuildPlan struct {
+	Kind       string        `json:"kind" cue:"\"BuildPlan\""`
+	APIVersion string        `json:"apiVersion" cue:"string | *\"v1alpha2\""`
+	Spec       BuildPlanSpec `json:"spec"`
+}
+
+func (bp *BuildPlan) Validate() error {
+	errs := make([]string, 0, 2)
+	if bp.Kind != BuildPlanKind {
+		errs = append(errs, fmt.Sprintf("kind invalid: want: %s have: %s", BuildPlanKind, bp.Kind))
+	}
+	if bp.APIVersion != APIVersion {
+		errs = append(errs, fmt.Sprintf("apiVersion invalid: want: %s have: %s", APIVersion, bp.APIVersion))
+	}
+	if len(errs) > 0 {
+		return fmt.Errorf("invalid BuildPlan: " + strings.Join(errs, ", "))
+	}
+	return nil
+}
+
+func (bp *BuildPlan) ResultCapacity() (count int) {
+	if bp == nil {
+		return 0
+	}
+	count = len(bp.Spec.Components.HelmChartList) +
+		len(bp.Spec.Components.KubernetesObjectsList) +
+		len(bp.Spec.Components.KustomizeBuildList) +
+		len(bp.Spec.Components.Resources)
+	return count
+}
+
+type BuildPlanSpec struct {
+	Disabled   bool                `json:"disabled,omitempty"`
+	Components BuildPlanComponents `json:"components,omitempty"`
+}
+
+type BuildPlanComponents struct {
+	Resources             map[string]KubernetesObjects `json:"resources,omitempty"`
+	KubernetesObjectsList []KubernetesObjects          `json:"kubernetesObjectsList,omitempty"`
+	HelmChartList         []HelmChart                  `json:"helmChartList,omitempty"`
+	KustomizeBuildList    []KustomizeBuild             `json:"kustomizeBuildList,omitempty"`
+}
+
+// HolosComponent defines the fields common to all holos component kinds.  Every
+// holos component kind should embed HolosComponent.
+type HolosComponent struct {
+	// Kind is a string value representing the resource this object represents.
+	Kind string `json:"kind"`
+	// APIVersion represents the versioned schema of this representation of an object.
+	APIVersion string `json:"apiVersion" cue:"string | *\"v1alpha2\""`
+	// Metadata represents data about the holos component such as the Name.
+	Metadata Metadata `json:"metadata"`
+
+	// APIObjectMap holds the marshalled representation of api objects.  Useful to
+	// mix in resources to each HolosComponent type, for example adding an
+	// ExternalSecret to a HelmChart HolosComponent.  Refer to [APIObjects].
+	APIObjectMap APIObjectMap `json:"apiObjectMap,omitempty"`
+
+	// DeployFiles represents file paths relative to the cluster deploy directory
+	// with the value representing the file content.  Intended for defining the
+	// ArgoCD Application resource or Flux Kustomization resource from within CUE,
+	// but may be used to render any file related to the build plan from CUE.
+	DeployFiles FileContentMap `json:"deployFiles,omitempty"`
+
+	// Kustomize represents a kubectl kustomize build post-processing step.
+	Kustomize `json:"kustomize,omitempty"`
+
+	// Skip causes holos to take no action regarding this component.
+	Skip bool `json:"skip" cue:"bool | *false"`
+}
+
+// Metadata represents data about the holos component such as the Name.
+type Metadata struct {
+	// Name represents the name of the holos component.
+	Name string `json:"name"`
+	// Namespace is the primary namespace of the holos component.  A holos
+	// component may manage resources in multiple namespaces, in this case
+	// consider setting the component namespace to default.
+	//
+	// This field is optional because not all resources require a namespace,
+	// particularly CRD's and DeployFiles functionality.
+	// +optional
+	Namespace string `json:"namespace,omitempty"`
+}
+
+// Kustomize represents resources necessary to execute a kustomize build.
+// Intended for at least two use cases:
+//
+//  1. Process a [KustomizeBuild] [HolosComponent] which represents raw yaml
+//     file resources in a holos component directory.
+//  2. Post process a [HelmChart] [HolosComponent] to inject istio, patch jobs,
+//     add custom labels, etc...
+type Kustomize struct {
+	// KustomizeFiles holds file contents for kustomize, e.g. patch files.
+	KustomizeFiles FileContentMap `json:"kustomizeFiles,omitempty"`
+	// ResourcesFile is the file name used for api objects in kustomization.yaml
+	ResourcesFile string `json:"resourcesFile,omitempty"`
+}

api/core/v1alpha2/constants.go

@@ -0,0 +1,11 @@
+package v1alpha2
+
+const (
+	APIVersion    = "v1alpha2"
+	BuildPlanKind = "BuildPlan"
+	HelmChartKind = "HelmChart"
+	// ChartDir is the directory name created in the holos component directory to cache a chart.
+	ChartDir = "vendor"
+	// ResourcesFile is the file name used to store component output when post-processing with kustomize.
+	ResourcesFile = "resources.yaml"
+)

api/core/v1alpha2/core.go

@@ -0,0 +1,49 @@
+// Package v1alpha2 contains the core API contract between the holos cli and cue
+// configuration code.  Platform designers, operators, and software developers
+// use this API to write configuration in CUE which `holos` loads.  The overall
+// shape of the API defines imperative actions `holos` should carry out to
+// render the complete yaml that represents a Platform.
+package v1alpha2
+
+import "google.golang.org/protobuf/types/known/structpb"
+
+type PlatformMetadata struct {
+	// Name represents the Platform name.
+	Name string `json:"name"`
+}
+
+// Platform represents a platform to manage.  A Platform resource informs holos
+// which components to build.  The platform resource also acts as a container
+// for the platform model form values provided by the PlatformService.  The
+// primary use case is to collect the cluster names, cluster types, platform
+// model, and holos components to build into one resource.
+type Platform struct {
+	// Kind is a string value representing the resource this object represents.
+	Kind string `json:"kind" cue:"\"Platform\""`
+	// APIVersion represents the versioned schema of this representation of an object.
+	APIVersion string `json:"apiVersion" cue:"string | *\"v1alpha2\""`
+	// Metadata represents data about the object such as the Name.
+	Metadata PlatformMetadata `json:"metadata"`
+
+	// Spec represents the specification.
+	Spec PlatformSpec `json:"spec"`
+}
+
+// PlatformSpec represents the specification of a Platform.  Think of a platform
+// specification as a list of platform components to apply to a list of
+// kubernetes clusters combined with the user-specified Platform Model.
+type PlatformSpec struct {
+	// Model represents the platform model holos gets from from the
+	// PlatformService.GetPlatform rpc method and provides to CUE using a tag.
+	Model structpb.Struct `json:"model"`
+	// Components represents a list of holos components to manage.
+	Components []PlatformSpecComponent `json:"components"`
+}
+
+// PlatformSpecComponent represents a holos component to build or render.
+type PlatformSpecComponent struct {
+	// Path is the path of the component relative to the platform root.
+	Path string `json:"path"`
+	// Cluster is the cluster name to provide when rendering the component.
+	Cluster string `json:"cluster"`
+}

api/core/v1alpha2/helm.go

@@ -0,0 +1,38 @@
+package v1alpha2
+
+// HelmChart represents a holos component which wraps around an upstream helm
+// chart.  Holos orchestrates helm by providing values obtained from CUE,
+// renders the output using `helm template`, then post-processes the helm output
+// yaml using the general functionality provided by [HolosComponent], for
+// example [Kustomize] post-rendering and mixing in additional kubernetes api
+// objects.
+type HelmChart struct {
+	HolosComponent `json:",inline"`
+	Kind           string `json:"kind" cue:"\"HelmChart\""`
+
+	// Chart represents a helm chart to manage.
+	Chart Chart `json:"chart"`
+	// ValuesContent represents the values.yaml file holos passes to the `helm
+	// template` command.
+	ValuesContent string `json:"valuesContent"`
+	// EnableHooks enables helm hooks when executing the `helm template` command.
+	EnableHooks bool `json:"enableHooks" cue:"bool | *false"`
+}
+
+// Chart represents a helm chart.
+type Chart struct {
+	// Name represents the chart name.
+	Name string `json:"name"`
+	// Version represents the chart version.
+	Version string `json:"version"`
+	// Release represents the chart release when executing helm template.
+	Release string `json:"release"`
+	// Repository represents the repository to fetch the chart from.
+	Repository Repository `json:"repository,omitempty"`
+}
+
+// Repository represents a helm chart repository.
+type Repository struct {
+	Name string `json:"name"`
+	URL  string `json:"url"`
+}

api/core/v1alpha2/kubernetesobjects.go

@@ -0,0 +1,10 @@
+package v1alpha2
+
+const KubernetesObjectsKind = "KubernetesObjects"
+
+// KubernetesObjects represents a [HolosComponent] composed of kubernetes api
+// objects provided directly from CUE using [APIObjects].
+type KubernetesObjects struct {
+	HolosComponent `json:",inline"`
+	Kind           string `json:"kind" cue:"\"KubernetesObjects\""`
+}

api/core/v1alpha2/kustomizebuild.go

@@ -0,0 +1,8 @@
+package v1alpha2
+
+// KustomizeBuild renders plain yaml files in the holos component directory
+// using kubectl kustomize build.
+type KustomizeBuild struct {
+	HolosComponent `json:",inline"`
+	Kind           string `json:"kind" cue:"\"KustomizeBuild\""`
+}

api/meta/v1alpha2/meta.go

@@ -0,0 +1,37 @@
+package v1alpha2
+
+// TypeMeta describes an individual object in an API response or request with
+// strings representing the type of the object and its API schema version.
+// Structures that are versioned or persisted should inline TypeMeta.
+type TypeMeta struct {
+	// Kind is a string value representing the resource this object represents.
+	Kind string `json:"kind"`
+	// APIVersion defines the versioned schema of this representation of an object.
+	APIVersion string `json:"apiVersion" cue:"string | *\"v1alpha2\""`
+}
+
+func (tm *TypeMeta) GetKind() string {
+	return tm.Kind
+}
+
+func (tm *TypeMeta) GetAPIVersion() string {
+	return tm.APIVersion
+}
+
+// Discriminator discriminates the kind of an api object.
+type Discriminator interface {
+	// GetKind returns Kind.
+	GetKind() string
+	// GetAPIVersion returns APIVersion.
+	GetAPIVersion() string
+}
+
+// ObjectMeta represents metadata of a holos component object. The fields are a
+// copy of upstream kubernetes api machinery but are holos objects distinct from
+// kubernetes api objects.
+type ObjectMeta struct {
+	// Name uniquely identifies the holos component instance and must be suitable as a file name.
+	Name string `json:"name,omitempty"`
+	// Namespace confines a holos component to a single namespace via kustomize if set.
+	Namespace string `json:"namespace,omitempty"`
+}

api/v1alpha1/buildplan.go

@@ -0,0 +1,55 @@
+package v1alpha1
+
+import (
+	"fmt"
+	"strings"
+)
+
+// BuildPlan is the primary interface between CUE and the Holos cli.
+type BuildPlan struct {
+	TypeMeta `json:",inline" yaml:",inline"`
+	// Metadata represents the holos component name
+	Metadata ObjectMeta    `json:"metadata,omitempty" yaml:"metadata,omitempty"`
+	Spec     BuildPlanSpec `json:"spec,omitempty" yaml:"spec,omitempty"`
+}
+
+type BuildPlanSpec struct {
+	Disabled   bool                `json:"disabled,omitempty" yaml:"disabled,omitempty"`
+	Components BuildPlanComponents `json:"components,omitempty" yaml:"components,omitempty"`
+	// DeployFiles keys represent file paths relative to the cluster deploy
+	// directory.  Map values represent the string encoded file contents.  Used to
+	// write the argocd Application, but may be used to render any file from CUE.
+	DeployFiles FileContentMap `json:"deployFiles,omitempty" yaml:"deployFiles,omitempty"`
+}
+
+type BuildPlanComponents struct {
+	HelmChartList         []HelmChart                  `json:"helmChartList,omitempty" yaml:"helmChartList,omitempty"`
+	KubernetesObjectsList []KubernetesObjects          `json:"kubernetesObjectsList,omitempty" yaml:"kubernetesObjectsList,omitempty"`
+	KustomizeBuildList    []KustomizeBuild             `json:"kustomizeBuildList,omitempty" yaml:"kustomizeBuildList,omitempty"`
+	Resources             map[string]KubernetesObjects `json:"resources,omitempty" yaml:"resources,omitempty"`
+}
+
+func (bp *BuildPlan) Validate() error {
+	errs := make([]string, 0, 2)
+	if bp.Kind != BuildPlanKind {
+		errs = append(errs, fmt.Sprintf("kind invalid: want: %s have: %s", BuildPlanKind, bp.Kind))
+	}
+	if bp.APIVersion != APIVersion {
+		errs = append(errs, fmt.Sprintf("apiVersion invalid: want: %s have: %s", APIVersion, bp.APIVersion))
+	}
+	if len(errs) > 0 {
+		return fmt.Errorf("invalid BuildPlan: " + strings.Join(errs, ", "))
+	}
+	return nil
+}
+
+func (bp *BuildPlan) ResultCapacity() (count int) {
+	if bp == nil {
+		return 0
+	}
+	count = len(bp.Spec.Components.HelmChartList) +
+		len(bp.Spec.Components.KubernetesObjectsList) +
+		len(bp.Spec.Components.KustomizeBuildList) +
+		len(bp.Spec.Components.Resources)
+	return count
+}

api/v1alpha1/component.go

@@ -0,0 +1,30 @@
+package v1alpha1
+
+// HolosComponent defines the fields common to all holos component kinds including the Render Result.
+type HolosComponent struct {
+	TypeMeta `json:",inline" yaml:",inline"`
+	// Metadata represents the holos component name
+	Metadata ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty"`
+	// APIObjectMap holds the marshalled representation of api objects. Think of
+	// these as resources overlaid at the back of the render pipeline.
+	APIObjectMap APIObjectMap `json:"apiObjectMap,omitempty" yaml:"apiObjectMap,omitempty"`
+	// Kustomization holds the marshalled representation of the flux kustomization
+	// which reconciles resources in git with the api server.
+	Kustomization `json:",inline" yaml:",inline"`
+	// Kustomize represents a kubectl kustomize build post-processing step.
+	Kustomize `json:",inline" yaml:",inline"`
+	// Skip causes holos to take no action regarding the component.
+	Skip bool
+}
+
+func (hc *HolosComponent) NewResult() *Result {
+	return &Result{HolosComponent: *hc}
+}
+
+func (hc *HolosComponent) GetAPIVersion() string {
+	return hc.APIVersion
+}
+
+func (hc *HolosComponent) GetKind() string {
+	return hc.Kind
+}

api/v1alpha1/constants.go

@@ -0,0 +1,11 @@
+package v1alpha1
+
+const (
+	APIVersion    = "holos.run/v1alpha1"
+	BuildPlanKind = "BuildPlan"
+	HelmChartKind = "HelmChart"
+	// ChartDir is the directory name created in the holos component directory to cache a chart.
+	ChartDir = "vendor"
+	// ResourcesFile is the file name used to store component output when post-processing with kustomize.
+	ResourcesFile = "resources.yaml"
+)

api/v1alpha1/doc.go

@@ -0,0 +1,2 @@
+// Package v1alpha1 defines the api boundary between CUE and Holos.
+package v1alpha1

api/v1alpha1/form.go

@@ -0,0 +1,13 @@
+package v1alpha1
+
+import object "github.com/holos-run/holos/service/gen/holos/object/v1alpha1"
+
+// Form represents a collection of Formly json powered form.
+type Form struct {
+	TypeMeta `json:",inline" yaml:",inline"`
+	Spec     FormSpec `json:"spec" yaml:"spec"`
+}
+
+type FormSpec struct {
+	Form object.Form `json:"form" yaml:"form"`
+}

api/v1alpha1/helm.go

@@ -0,0 +1,184 @@
+package v1alpha1
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+	"syscall"
+
+	"github.com/holos-run/holos"
+	"github.com/holos-run/holos/internal/errors"
+	"github.com/holos-run/holos/internal/logger"
+	"github.com/holos-run/holos/internal/util"
+)
+
+// A HelmChart represents a helm command to provide chart values in order to render kubernetes api objects.
+type HelmChart struct {
+	HolosComponent `json:",inline" yaml:",inline"`
+	// Namespace is the namespace to install into.  TODO: Use metadata.namespace instead.
+	Namespace     string `json:"namespace"`
+	Chart         Chart  `json:"chart"`
+	ValuesContent string `json:"valuesContent"`
+	EnableHooks   bool   `json:"enableHooks"`
+}
+
+type Chart struct {
+	Name       string     `json:"name"`
+	Version    string     `json:"version"`
+	Release    string     `json:"release"`
+	Repository Repository `json:"repository,omitempty"`
+}
+
+type Repository struct {
+	Name string `json:"name"`
+	URL  string `json:"url"`
+}
+
+func (hc *HelmChart) Render(ctx context.Context, path holos.InstancePath) (*Result, error) {
+	result := Result{HolosComponent: hc.HolosComponent}
+	if err := hc.helm(ctx, &result, path); err != nil {
+		return nil, err
+	}
+	result.addObjectMap(ctx, hc.APIObjectMap)
+	if err := result.kustomize(ctx); err != nil {
+		return nil, errors.Wrap(fmt.Errorf("could not kustomize: %w", err))
+	}
+	return &result, nil
+}
+
+// runHelm provides the values produced by CUE to helm template and returns
+// the rendered kubernetes api objects in the result.
+func (hc *HelmChart) helm(ctx context.Context, r *Result, path holos.InstancePath) error {
+	log := logger.FromContext(ctx).With("chart", hc.Chart.Name)
+	if hc.Chart.Name == "" {
+		log.WarnContext(ctx, "skipping helm: no chart name specified, use a different component type")
+		return nil
+	}
+
+	cachedChartPath := filepath.Join(string(path), ChartDir, filepath.Base(hc.Chart.Name))
+	if isNotExist(cachedChartPath) {
+		// Add repositories
+		repo := hc.Chart.Repository
+		if repo.URL != "" {
+			out, err := util.RunCmd(ctx, "helm", "repo", "add", repo.Name, repo.URL)
+			if err != nil {
+				log.ErrorContext(ctx, "could not run helm", "stderr", out.Stderr.String(), "stdout", out.Stdout.String())
+				return errors.Wrap(fmt.Errorf("could not run helm repo add: %w", err))
+			}
+			// Update repository
+			out, err = util.RunCmd(ctx, "helm", "repo", "update", repo.Name)
+			if err != nil {
+				log.ErrorContext(ctx, "could not run helm", "stderr", out.Stderr.String(), "stdout", out.Stdout.String())
+				return errors.Wrap(fmt.Errorf("could not run helm repo update: %w", err))
+			}
+		} else {
+			log.DebugContext(ctx, "no chart repository url proceeding assuming oci chart")
+		}
+
+		// Cache the chart
+		if err := cacheChart(ctx, path, ChartDir, hc.Chart); err != nil {
+			return fmt.Errorf("could not cache chart: %w", err)
+		}
+	}
+
+	// Write values file
+	tempDir, err := os.MkdirTemp("", "holos")
+	if err != nil {
+		return errors.Wrap(fmt.Errorf("could not make temp dir: %w", err))
+	}
+	defer util.Remove(ctx, tempDir)
+
+	valuesPath := filepath.Join(tempDir, "values.yaml")
+	if err := os.WriteFile(valuesPath, []byte(hc.ValuesContent), 0644); err != nil {
+		return errors.Wrap(fmt.Errorf("could not write values: %w", err))
+	}
+	log.DebugContext(ctx, "helm: wrote values", "path", valuesPath, "bytes", len(hc.ValuesContent))
+
+	// Run charts
+	chart := hc.Chart
+	args := []string{"template"}
+	if !hc.EnableHooks {
+		args = append(args, "--no-hooks")
+	}
+	namespace := hc.Namespace
+	args = append(args, "--include-crds", "--values", valuesPath, "--namespace", namespace, "--kubeconfig", "/dev/null", "--version", chart.Version, chart.Release, cachedChartPath)
+	helmOut, err := util.RunCmd(ctx, "helm", args...)
+	if err != nil {
+		stderr := helmOut.Stderr.String()
+		lines := strings.Split(stderr, "\n")
+		for _, line := range lines {
+			if strings.HasPrefix(line, "Error:") {
+				err = fmt.Errorf("%s: %w", line, err)
+			}
+		}
+		return errors.Wrap(fmt.Errorf("could not run helm template: %w", err))
+	}
+
+	r.accumulatedOutput = helmOut.Stdout.String()
+
+	return nil
+}
+
+// cacheChart stores a cached copy of Chart in the chart subdirectory of path.
+//
+// It is assumed that the only method responsible for writing to chartDir is
+// cacheChart itself.
+//
+// This relies on the atomicity of moving temporary directories into place on
+// the same filesystem via os.Rename. If a syscall.EEXIST error occurs during
+// renaming, it indicates that the cached chart already exists, which is an
+// expected scenario when this function is called concurrently.
+func cacheChart(ctx context.Context, path holos.InstancePath, chartDir string, chart Chart) error {
+	log := logger.FromContext(ctx)
+
+	cacheTemp, err := os.MkdirTemp(string(path), chartDir)
+	if err != nil {
+		return errors.Wrap(fmt.Errorf("could not make temp dir: %w", err))
+	}
+	defer util.Remove(ctx, cacheTemp)
+
+	chartName := chart.Name
+	if chart.Repository.Name != "" {
+		chartName = fmt.Sprintf("%s/%s", chart.Repository.Name, chart.Name)
+	}
+	helmOut, err := util.RunCmd(ctx, "helm", "pull", "--destination", cacheTemp, "--untar=true", "--version", chart.Version, chartName)
+	if err != nil {
+		return errors.Wrap(fmt.Errorf("could not run helm pull: %w", err))
+	}
+	log.Debug("helm pull", "stdout", helmOut.Stdout, "stderr", helmOut.Stderr)
+
+	cachePath := filepath.Join(string(path), chartDir)
+
+	if err := os.MkdirAll(cachePath, 0777); err != nil {
+		return errors.Wrap(fmt.Errorf("could not mkdir: %w", err))
+	}
+
+	items, err := os.ReadDir(cacheTemp)
+	if err != nil {
+		return errors.Wrap(fmt.Errorf("could not read directory: %w", err))
+	}
+
+	for _, item := range items {
+		src := filepath.Join(cacheTemp, item.Name())
+		dst := filepath.Join(cachePath, item.Name())
+		log.DebugContext(ctx, "rename", "src", src, "dst", dst)
+		if err := os.Rename(src, dst); err != nil {
+			var linkErr *os.LinkError
+			if errors.As(err, &linkErr) && errors.Is(linkErr.Err, syscall.EEXIST) {
+				log.DebugContext(ctx, "cache already exists", "chart", chart.Name, "chart_version", chart.Version, "path", cachePath)
+			} else {
+				return errors.Wrap(fmt.Errorf("could not rename: %w", err))
+			}
+		}
+	}
+
+	log.InfoContext(ctx, "cached", "chart", chart.Name, "chart_version", chart.Version, "path", cachePath)
+
+	return nil
+}
+func isNotExist(path string) bool {
+	_, err := os.Stat(path)
+	return os.IsNotExist(err)
+}

api/v1alpha1/kubernetesobjects.go

@@ -0,0 +1,21 @@
+package v1alpha1
+
+import (
+	"context"
+
+	"github.com/holos-run/holos"
+)
+
+const KubernetesObjectsKind = "KubernetesObjects"
+
+// KubernetesObjects represents CUE output which directly provides Kubernetes api objects to holos.
+type KubernetesObjects struct {
+	HolosComponent `json:",inline" yaml:",inline"`
+}
+
+// Render produces kubernetes api objects from the APIObjectMap
+func (o *KubernetesObjects) Render(ctx context.Context, path holos.InstancePath) (*Result, error) {
+	result := Result{HolosComponent: o.HolosComponent}
+	result.addObjectMap(ctx, o.APIObjectMap)
+	return &result, nil
+}

api/v1alpha1/kustomization.go

@@ -0,0 +1,7 @@
+package v1alpha1
+
+// Kustomization holds the rendered flux kustomization api object content for git ops.
+type Kustomization struct {
+	// KsContent is the yaml representation of the flux kustomization for gitops.
+	KsContent string `json:"ksContent,omitempty" yaml:"ksContent,omitempty"`
+}

api/v1alpha1/kustomize.go

@@ -0,0 +1,47 @@
+package v1alpha1
+
+import (
+	"context"
+
+	"github.com/holos-run/holos"
+	"github.com/holos-run/holos/internal/errors"
+	"github.com/holos-run/holos/internal/logger"
+	"github.com/holos-run/holos/internal/util"
+)
+
+const KustomizeBuildKind = "KustomizeBuild"
+
+// Kustomize represents resources necessary to execute a kustomize build.
+// Intended for at least two use cases:
+//
+//  1. Process raw yaml file resources in a holos component directory.
+//  2. Post process a HelmChart to inject istio, add custom labels, etc...
+type Kustomize struct {
+	// KustomizeFiles holds file contents for kustomize, e.g. patch files.
+	KustomizeFiles FileContentMap `json:"kustomizeFiles,omitempty" yaml:"kustomizeFiles,omitempty"`
+	// ResourcesFile is the file name used for api objects in kustomization.yaml
+	ResourcesFile string `json:"resourcesFile,omitempty" yaml:"resourcesFile,omitempty"`
+}
+
+// KustomizeBuild renders plain yaml files in the holos component directory using kubectl kustomize build.
+type KustomizeBuild struct {
+	HolosComponent `json:",inline" yaml:",inline"`
+}
+
+// Render produces a Result by executing kubectl kustomize on the holos
+// component path. Useful for processing raw yaml files.
+func (kb *KustomizeBuild) Render(ctx context.Context, path holos.InstancePath) (*Result, error) {
+	log := logger.FromContext(ctx)
+	result := Result{HolosComponent: kb.HolosComponent}
+	// Run kustomize.
+	kOut, err := util.RunCmd(ctx, "kubectl", "kustomize", string(path))
+	if err != nil {
+		log.ErrorContext(ctx, kOut.Stderr.String())
+		return nil, errors.Wrap(err)
+	}
+	// Replace the accumulated output
+	result.accumulatedOutput = kOut.Stdout.String()
+	// Add CUE based api objects.
+	result.addObjectMap(ctx, kb.APIObjectMap)
+	return &result, nil
+}

api/v1alpha1/objectmap.go

@@ -0,0 +1,14 @@
+package v1alpha1
+
+// Label is an arbitrary unique identifier.  Defined as a type for clarity and type checking.
+type Label string
+
+// Kind is a kubernetes api object kind. Defined as a type for clarity and type checking.
+type Kind string
+
+// APIObjectMap is the shape of marshalled api objects returned from cue to the
+// holos cli. A map is used to improve the clarity of error messages from cue.
+type APIObjectMap map[Kind]map[Label]string
+
+// FileContentMap is a map of file names to file contents.
+type FileContentMap map[string]string

api/v1alpha1/objectmeta.go

@@ -0,0 +1,15 @@
+package v1alpha1
+
+// ObjectMeta represents metadata of a holos component object. The fields are a
+// copy of upstream kubernetes api machinery but are by holos objects distinct
+// from kubernetes api objects.
+type ObjectMeta struct {
+	// Name uniquely identifies the holos component instance and must be suitable as a file name.
+	Name string `json:"name,omitempty" yaml:"name,omitempty"`
+	// Namespace confines a holos component to a single namespace via kustomize if set.
+	Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"`
+	// Labels are not used but are copied from api machinery ObjectMeta for completeness.
+	Labels map[string]string `json:"labels,omitempty" yaml:"labels,omitempty"`
+	// Annotations are not used but are copied from api machinery ObjectMeta for completeness.
+	Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"`
+}

api/v1alpha1/platform.go

@@ -0,0 +1,32 @@
+package v1alpha1
+
+import "google.golang.org/protobuf/types/known/structpb"
+
+// Platform represents a platform to manage.  A Platform resource informs holos
+// which components to build.  The platform resource also acts as a container
+// for the platform model form values provided by the PlatformService.  The
+// primary use case is to collect the cluster names, cluster types, platform
+// model, and holos components to build into one resource.
+type Platform struct {
+	TypeMeta `json:",inline" yaml:",inline"`
+	Metadata ObjectMeta   `json:"metadata" yaml:"metadata"`
+	Spec     PlatformSpec `json:"spec" yaml:"spec"`
+}
+
+// PlatformSpec represents the platform build plan specification.
+type PlatformSpec struct {
+	// Model represents the platform model holos gets from from the
+	// holos.platform.v1alpha1.PlatformService.GetPlatform method and provides to
+	// CUE using a tag.
+	Model      structpb.Struct         `json:"model" yaml:"model"`
+	Components []PlatformSpecComponent `json:"components" yaml:"components"`
+}
+
+// PlatformSpecComponent represents a component to build or render with flags to
+// pass, for example the cluster name.
+type PlatformSpecComponent struct {
+	// Path is the path of the component relative to the platform root.
+	Path string `json:"path" yaml:"path"`
+	// Cluster is the cluster name to use when building the component.
+	Cluster string `json:"cluster" yaml:"cluster"`
+}

api/v1alpha1/render.go

@@ -0,0 +1,22 @@
+package v1alpha1
+
+import (
+	"context"
+
+	"github.com/holos-run/holos"
+)
+
+type Renderer interface {
+	GetKind() string
+	Render(ctx context.Context, path holos.InstancePath) (*Result, error)
+}
+
+// Render produces a Result representing the kubernetes api objects to
+// configure. Each of the various holos component types, e.g. Helm, Kustomize,
+// et al, should implement the Renderer interface. This process is best
+// conceptualized as a data pipeline, for example a component may render a
+// result by first calling helm template, then passing the result through
+// kustomize, then mixing in overlay api objects.
+func Render(ctx context.Context, r Renderer, path holos.InstancePath) (*Result, error) {
+	return r.Render(ctx, path)
+}

api/v1alpha1/result.go

@@ -0,0 +1,165 @@
+package v1alpha1
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path/filepath"
+	"slices"
+
+	"github.com/holos-run/holos/internal/errors"
+	"github.com/holos-run/holos/internal/logger"
+	"github.com/holos-run/holos/internal/util"
+)
+
+// Result is the build result for display or writing.  Holos components Render the Result as a data pipeline.
+type Result struct {
+	HolosComponent
+	// accumulatedOutput accumulates rendered api objects.
+	accumulatedOutput string
+	// DeployFiles keys represent file paths relative to the cluster deploy
+	// directory.  Map values represent the string encoded file contents.  Used to
+	// write the argocd Application, but may be used to render any file from CUE.
+	DeployFiles FileContentMap `json:"deployFiles,omitempty" yaml:"deployFiles,omitempty"`
+}
+
+// Continue returns true if Skip is true indicating the result is to be skipped over.
+func (r *Result) Continue() bool {
+	if r == nil {
+		return false
+	}
+	return r.Skip
+}
+
+func (r *Result) Name() string {
+	return r.Metadata.Name
+}
+
+func (r *Result) Filename(writeTo string, cluster string) string {
+	name := r.Metadata.Name
+	return filepath.Join(writeTo, "clusters", cluster, "components", name, name+".gen.yaml")
+}
+
+func (r *Result) KustomizationFilename(writeTo string, cluster string) string {
+	return filepath.Join(writeTo, "clusters", cluster, "holos", "components", r.Metadata.Name+"-kustomization.gen.yaml")
+}
+
+// AccumulatedOutput returns the accumulated rendered output.
+func (r *Result) AccumulatedOutput() string {
+	return r.accumulatedOutput
+}
+
+// addObjectMap renders the provided APIObjectMap into the accumulated output.
+func (r *Result) addObjectMap(ctx context.Context, objectMap APIObjectMap) {
+	log := logger.FromContext(ctx)
+	b := []byte(r.AccumulatedOutput())
+	kinds := make([]Kind, 0, len(objectMap))
+	// Sort the keys
+	for kind := range objectMap {
+		kinds = append(kinds, kind)
+	}
+	slices.Sort(kinds)
+
+	for _, kind := range kinds {
+		v := objectMap[kind]
+		// Sort the keys
+		names := make([]Label, 0, len(v))
+		for name := range v {
+			names = append(names, name)
+		}
+		slices.Sort(names)
+
+		for _, name := range names {
+			yamlString := v[name]
+			log.Debug(fmt.Sprintf("%s/%s", kind, name), "kind", kind, "name", name)
+			b = util.EnsureNewline(b)
+			header := fmt.Sprintf("---\n# Source: CUE apiObjects.%s.%s\n", kind, name)
+			b = append(b, []byte(header+yamlString)...)
+			b = util.EnsureNewline(b)
+		}
+	}
+	r.accumulatedOutput = string(b)
+}
+
+// kustomize replaces the accumulated output with the output of kustomize build
+func (r *Result) kustomize(ctx context.Context) error {
+	log := logger.FromContext(ctx)
+	if r.ResourcesFile == "" {
+		log.DebugContext(ctx, "skipping kustomize: no resourcesFile")
+		return nil
+	}
+	if len(r.KustomizeFiles) < 1 {
+		log.DebugContext(ctx, "skipping kustomize: no kustomizeFiles")
+		return nil
+	}
+	tempDir, err := os.MkdirTemp("", "holos.kustomize")
+	if err != nil {
+		return errors.Wrap(err)
+	}
+	defer util.Remove(ctx, tempDir)
+
+	// Write the main api object resources file for kustomize.
+	target := filepath.Join(tempDir, r.ResourcesFile)
+	b := []byte(r.AccumulatedOutput())
+	b = util.EnsureNewline(b)
+	if err := os.WriteFile(target, b, 0644); err != nil {
+		return errors.Wrap(fmt.Errorf("could not write resources: %w", err))
+	}
+	log.DebugContext(ctx, "wrote: "+target, "op", "write", "path", target, "bytes", len(b))
+
+	// Write the kustomization tree, kustomization.yaml must be in this map for kustomize to work.
+	for file, content := range r.KustomizeFiles {
+		target := filepath.Join(tempDir, file)
+		if err := os.MkdirAll(filepath.Dir(target), 0755); err != nil {
+			return errors.Wrap(err)
+		}
+		b := []byte(content)
+		b = util.EnsureNewline(b)
+		if err := os.WriteFile(target, b, 0644); err != nil {
+			return errors.Wrap(fmt.Errorf("could not write: %w", err))
+		}
+		log.DebugContext(ctx, "wrote: "+target, "op", "write", "path", target, "bytes", len(b))
+	}
+
+	// Run kustomize.
+	kOut, err := util.RunCmd(ctx, "kubectl", "kustomize", tempDir)
+	if err != nil {
+		log.ErrorContext(ctx, kOut.Stderr.String())
+		return errors.Wrap(err)
+	}
+	// Replace the accumulated output
+	r.accumulatedOutput = kOut.Stdout.String()
+	return nil
+}
+
+func (r *Result) WriteDeployFiles(ctx context.Context, path string) error {
+	log := logger.FromContext(ctx)
+	if len(r.DeployFiles) == 0 {
+		return nil
+	}
+	for k, content := range r.DeployFiles {
+		path := filepath.Join(path, k)
+		if err := r.Save(ctx, path, content); err != nil {
+			return errors.Wrap(err)
+		}
+		log.InfoContext(ctx, "wrote deploy file", "path", path, "bytes", len(content))
+	}
+	return nil
+}
+
+// Save writes the content to the filesystem for git ops.
+func (r *Result) Save(ctx context.Context, path string, content string) error {
+	log := logger.FromContext(ctx)
+	dir := filepath.Dir(path)
+	if err := os.MkdirAll(dir, os.FileMode(0775)); err != nil {
+		log.WarnContext(ctx, "could not mkdir", "path", dir, "err", err)
+		return errors.Wrap(err)
+	}
+	// Write the file content
+	if err := os.WriteFile(path, []byte(content), os.FileMode(0644)); err != nil {
+		log.WarnContext(ctx, "could not write", "path", path, "err", err)
+		return errors.Wrap(err)
+	}
+	log.DebugContext(ctx, "out: wrote "+path, "action", "write", "path", path, "status", "ok")
+	return nil
+}

api/v1alpha1/typemeta.go

@@ -0,0 +1,20 @@
+package v1alpha1
+
+type TypeMeta struct {
+	Kind       string `json:"kind,omitempty" yaml:"kind,omitempty"`
+	APIVersion string `json:"apiVersion,omitempty" yaml:"apiVersion,omitempty"`
+}
+
+func (tm *TypeMeta) GetKind() string {
+	return tm.Kind
+}
+
+func (tm *TypeMeta) GetAPIVersion() string {
+	return tm.APIVersion
+}
+
+// Discriminator is an interface to discriminate the kind api object.
+type Discriminator interface {
+	GetKind() string
+	GetAPIVersion() string
+}

buf.gen.yaml

@@ -0,0 +1,20 @@
+# Generates gRPC and ConnectRPC bindings for Go and TypeScript
+#
+# Note: protoc-gen-connect-query is the primary method of wiring up the React
+# frontend.
+version: v1
+plugins:
+  - plugin: go
+    out: service/gen
+    opt: paths=source_relative
+  - plugin: connect-go
+    out: service/gen
+    opt: paths=source_relative
+  - plugin: es
+    out: internal/frontend/holos/src/app/gen
+    opt:
+      - target=ts
+  - plugin: connect-es
+    out: internal/frontend/holos/src/app/gen
+    opt:
+      - target=ts

buf.lock

@@ -0,0 +1,8 @@
+# Generated by buf. DO NOT EDIT.
+version: v1
+deps:
+  - remote: buf.build
+    owner: bufbuild
+    repository: protovalidate
+    commit: b983156c5e994cc9892e0ce3e64e17e0
+    digest: shake256:fb47a62989d38c2529bcc5cd86ded43d800eb84cee82b42b9e8a9e815d4ee8134a0fb9d0ce8299b27c2d2bbb7d6ade0c4ad5a8a4d467e1e2c7ca619ae9f634e2

buf.work.yaml

@@ -0,0 +1,3 @@
+version: v1
+directories:
+  - service

cmd/holos/main.go

@@ -1,8 +1,9 @@
 package main
 
 import (
-	"github.com/holos-run/holos/pkg/cli"
 	"os"
+
+	"github.com/holos-run/holos/internal/cli"
 )
 
 func main() {

cmd/holos/main_test.go

@@ -1,10 +1,11 @@
 package main
 
 import (
-	"github.com/holos-run/holos/pkg/cli"
-	"github.com/rogpeppe/go-internal/testscript"
 	"os"
 	"testing"
+
+	"github.com/holos-run/holos/internal/cli"
+	"github.com/rogpeppe/go-internal/testscript"
 )
 
 func TestMain(m *testing.M) {

cmd/holos/testdata/constraints.txt

@@ -0,0 +1,34 @@
+# Want support for intermediary constraints
+exec holos build ./foo/... --log-level debug
+stdout '^bf2bc7f9-9ba0-4f9e-9bd2-9a205627eb0b$'
+
+-- platform.config.json --
+{}
+-- cue.mod --
+package holos
+-- foo/constraints.cue --
+package holos
+
+metadata: name: "jeff"
+-- foo/bar/bar.cue --
+package holos
+
+spec: components: KubernetesObjectsList: [
+  #KubernetesObjects & {
+    apiObjectMap: foo: bar: "bf2bc7f9-9ba0-4f9e-9bd2-9a205627eb0b"
+  }
+]
+-- schema.cue --
+package holos
+
+_cluster: string @tag(cluster, string)
+_platform_config: string @tag(platform_config, string)
+
+#KubernetesObjects: {
+	apiVersion: "holos.run/v1alpha1"
+	kind: "KubernetesObjects"
+	apiObjectMap: {...}
+}
+
+apiVersion: "holos.run/v1alpha1"
+kind: "BuildPlan"

cmd/holos/testdata/issue15_cue_errors.txt

@@ -1,15 +1,20 @@
 # Want cue errors to show files and lines
 ! exec holos build .
-stderr 'could not decode: content: cannot convert non-concrete value string'
-stderr '/component.cue:6:1$'
+stderr 'apiObjectMap.foo.bar: cannot convert incomplete value'
+stderr '/component.cue:\d+:\d+$'
 
+-- platform.config.json --
+{}
 -- cue.mod --
 package holos
 -- component.cue --
 package holos
 
+_cluster: string @tag(cluster, string)
+_platform_config: string @tag(platform_config, string)
+
 apiVersion: "holos.run/v1alpha1"
-kind: "KubernetesObjects"
-cluster: string @tag(cluster, string)
-content: foo
-foo: string
+kind: "BuildPlan"
+spec: components: KubernetesObjectsList: [{apiObjectMap: foo: bar: _baz}]
+
+_baz: string

cmd/holos/testdata/issue25_apiobjects_cue.txt

@@ -0,0 +1,61 @@
+# Want kube api objects in the apiObjects output.
+exec holos build .
+stdout '^kind: SecretStore$'
+stdout '# Source: CUE apiObjects.SecretStore.default'
+
+-- platform.config.json --
+{}
+-- cue.mod --
+package holos
+-- component.cue --
+package holos
+
+apiVersion: "holos.run/v1alpha1"
+kind: "BuildPlan"
+spec: components: KubernetesObjectsList: [{apiObjectMap: #APIObjects.apiObjectMap}]
+
+_cluster: string @tag(cluster, string)
+_platform_config: string @tag(platform_config, string)
+
+#SecretStore: {
+    kind: string
+    metadata: name: string
+}
+
+#APIObjects: {
+  apiObjects: {
+    SecretStore: {
+      default: #SecretStore & { metadata: name: "default" }
+    }
+  }
+}
+
+
+-- schema.cue --
+package holos
+
+// #APIObjects is the output type for api objects produced by cue.  A map is used to aid debugging and clarity.
+import "encoding/yaml"
+
+#APIObjects: {
+	// apiObjects holds each the api objects produced by cue.
+	apiObjects: {
+		[Kind=_]: {
+			[Name=_]: {
+				kind: Kind
+				metadata: name: Name
+			}
+		}
+	}
+
+	// apiObjectsContent holds the marshalled representation of apiObjects
+	apiObjectMap: {
+		for kind, v in apiObjects {
+			"\(kind)": {
+				for name, obj in v {
+				  "\(name)": yaml.Marshal(obj)
+			  }
+			}
+		}
+	}
+}

cmd/holos/testdata/issue25_apiobjects_helm.txt

@@ -0,0 +1,62 @@
+# Want kube api objects in the apiObjects output.
+exec holos build .
+stdout '^kind: SecretStore$'
+stdout '# Source: CUE apiObjects.SecretStore.default'
+stderr 'skipping helm: no chart name specified'
+
+-- platform.config.json --
+{}
+-- cue.mod --
+package holos
+-- component.cue --
+package holos
+
+apiVersion: "holos.run/v1alpha1"
+kind: "BuildPlan"
+spec: components: HelmChartList: [{apiObjectMap: #APIObjects.apiObjectMap}]
+
+_cluster: string @tag(cluster, string)
+_platform_config: string @tag(platform_config, string)
+
+#SecretStore: {
+    kind: string
+    metadata: name: string
+}
+
+#APIObjects: {
+  apiObjects: {
+    SecretStore: {
+      default: #SecretStore & { metadata: name: "default" }
+    }
+  }
+}
+
+
+-- schema.cue --
+package holos
+
+// #APIObjects is the output type for api objects produced by cue.  A map is used to aid debugging and clarity.
+import "encoding/yaml"
+
+#APIObjects: {
+	// apiObjects holds each the api objects produced by cue.
+	apiObjects: {
+		[Kind=_]: {
+			[Name=_]: {
+				kind: Kind
+				metadata: name: Name
+			}
+		}
+	}
+
+	// apiObjectsContent holds the marshalled representation of apiObjects
+	apiObjectMap: {
+		for kind, v in apiObjects {
+			"\(kind)": {
+				for name, obj in v {
+				  "\(name)": yaml.Marshal(obj)
+			  }
+			}
+		}
+	}
+}

cmd/holos/testdata/issue25_show_object_names.txt

@@ -0,0 +1,25 @@
+# Want api object kind and name in errors
+! exec holos build .
+stderr 'apiObjects.secretstore.default.foo: field not allowed'
+
+-- platform.config.json --
+{}
+-- cue.mod --
+package holos
+-- component.cue --
+package holos
+
+apiVersion: "holos.run/v1alpha1"
+kind: "KubernetesObjects"
+cluster: string @tag(cluster, string)
+_platform_config: string @tag(platform_config, string)
+
+#SecretStore: {
+    metadata: name: string
+}
+
+apiObjects: {
+  secretstore: {
+    default: #SecretStore & { foo: "not allowed" }
+  }
+}

cmd/holos/testdata/issue33_helm_stderr.txt

@@ -0,0 +1,289 @@
+# Want helm errors to show up
+! exec holos build .
+stderr 'Error: execution error at \(zitadel/templates/secret_zitadel-masterkey.yaml:2:4\): Either set .Values.zitadel.masterkey xor .Values.zitadel.masterkeySecretName'
+
+-- platform.config.json --
+{}
+-- cue.mod --
+package holos
+-- zitadel.cue --
+package holos
+
+apiVersion: "holos.run/v1alpha1"
+kind: "BuildPlan"
+spec: components: HelmChartList: [_HelmChart]
+
+_cluster: string @tag(cluster, string)
+_platform_config: string @tag(platform_config, string)
+
+_HelmChart: {
+  apiVersion: "holos.run/v1alpha1"
+  kind: "HelmChart"
+  metadata: name: "zitadel"
+  namespace: "zitadel"
+  chart: {
+    name:    "zitadel"
+    version: "7.9.0"
+    release: name
+    repository: {
+      name: "zitadel"
+      url:  "https://charts.zitadel.com"
+    }
+  }
+}
+
+-- vendor/zitadel/templates/secret_zitadel-masterkey.yaml --
+{{- if (or (and .Values.zitadel.masterkey .Values.zitadel.masterkeySecretName) (and (not .Values.zitadel.masterkey) (not .Values.zitadel.masterkeySecretName)) ) }}
+{{- fail "Either set .Values.zitadel.masterkey xor .Values.zitadel.masterkeySecretName" }}
+{{- end }}
+{{- if .Values.zitadel.masterkey -}}
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: zitadel-masterkey
+  {{- with .Values.zitadel.masterkeyAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  labels:
+    {{- include "zitadel.labels" . | nindent 4 }}
+stringData:
+  masterkey: {{ .Values.zitadel.masterkey }}
+{{- end -}}
+-- vendor/zitadel/Chart.yaml --
+apiVersion: v2
+appVersion: v2.46.0
+description: A Helm chart for ZITADEL
+icon: https://zitadel.com/zitadel-logo-dark.svg
+kubeVersion: '>= 1.21.0-0'
+maintainers:
+- email: support@zitadel.com
+  name: zitadel
+  url: https://zitadel.com
+name: zitadel
+type: application
+version: 7.9.0
+-- vendor/zitadel/values.yaml --
+# Default values for zitadel.
+zitadel:
+  # The ZITADEL config under configmapConfig is written to a Kubernetes ConfigMap
+  # See all defaults here:
+  # https://github.com/zitadel/zitadel/blob/main/cmd/defaults.yaml
+  configmapConfig:
+    ExternalSecure: true
+    Machine:
+      Identification:
+        Hostname:
+          Enabled: true
+        Webhook:
+          Enabled: false
+
+  # The ZITADEL config under secretConfig is written to a Kubernetes Secret
+  # See all defaults here:
+  # https://github.com/zitadel/zitadel/blob/main/cmd/defaults.yaml
+  secretConfig:
+
+  # Annotations set on secretConfig secret
+  secretConfigAnnotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation
+    helm.sh/hook-weight: "0"
+
+  # Reference the name of a secret that contains ZITADEL configuration.
+  configSecretName:
+  # The key under which the ZITADEL configuration is located in the secret.
+  configSecretKey: config-yaml
+
+  # ZITADEL uses the masterkey for symmetric encryption.
+  # You can generate it for example with tr -dc A-Za-z0-9 </dev/urandom | head -c 32
+  masterkey: ""
+  # Reference the name of the secret that contains the masterkey. The key should be named "masterkey".
+  # Note: Either zitadel.masterkey or zitadel.masterkeySecretName must be set
+  masterkeySecretName: ""
+
+  # Annotations set on masterkey secret
+  masterkeyAnnotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation
+    helm.sh/hook-weight: "0"
+
+  # The CA Certificate needed for establishing secure database connections
+  dbSslCaCrt: ""
+
+  # The Secret containing the CA certificate at key ca.crt needed for establishing secure database connections
+  dbSslCaCrtSecret: ""
+
+  # The db admins secret containing the client certificate and key at tls.crt and tls.key needed for establishing secure database connections
+  dbSslAdminCrtSecret: ""
+
+  # The db users secret containing the client certificate and key at tls.crt and tls.key needed for establishing secure database connections
+  dbSslUserCrtSecret: ""
+
+  # Generate a self-signed certificate using an init container
+  # This will also mount the generated files to /etc/tls/ so that you can reference them in the pod.
+  # E.G. KeyPath: /etc/tls/tls.key CertPath: /etc/tls/tls.crt
+  # By default, the SAN DNS names include, localhost, the POD IP address and the POD name. You may include one more by using additionalDnsName like "my.zitadel.fqdn".
+  selfSignedCert:
+    enabled: false
+    additionalDnsName:
+
+replicaCount: 3
+
+image:
+  repository: ghcr.io/zitadel/zitadel
+  pullPolicy: IfNotPresent
+  # Overrides the image tag whose default is the chart appVersion.
+  tag: ""
+
+chownImage:
+  repository: alpine
+  pullPolicy: IfNotPresent
+  tag: "3.19"
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+# Annotations to add to the deployment
+annotations: {}
+
+# Annotations to add to the configMap
+configMap:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation
+    helm.sh/hook-weight: "0"
+
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # Annotations to add to the service account
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation
+    helm.sh/hook-weight: "0"
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+
+podAnnotations: {}
+
+podAdditionalLabels: {}
+
+podSecurityContext:
+  runAsNonRoot: true
+  runAsUser: 1000
+
+securityContext: {}
+
+# Additional environment variables
+env:
+  []
+  # - name: ZITADEL_DATABASE_POSTGRES_HOST
+  #   valueFrom:
+  #     secretKeyRef:
+  #       name: postgres-pguser-postgres
+  #       key: host
+
+service:
+  type: ClusterIP
+  # If service type is "ClusterIP", this can optionally be set to a fixed IP address.
+  clusterIP: ""
+  port: 8080
+  protocol: http2
+  annotations: {}
+  scheme: HTTP
+
+ingress:
+  enabled: false
+  className: ""
+  annotations: {}
+  hosts:
+    - host: localhost
+      paths:
+        - path: /
+          pathType: Prefix
+  tls: []
+
+resources: {}
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+topologySpreadConstraints: []
+
+initJob:
+  # Once ZITADEL is installed, the initJob can be disabled.
+  enabled: true
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation
+    helm.sh/hook-weight: "1"
+  resources: {}
+  backoffLimit: 5
+  activeDeadlineSeconds: 300
+  extraContainers: []
+  podAnnotations: {}
+  # Available init commands :
+  # "": initialize ZITADEL instance (without skip anything)
+  # database: initialize only the database
+  # grant: set ALL grant to user
+  # user: initialize only the database user
+  # zitadel: initialize ZITADEL internals (skip "create user" and "create database")
+  command: ""
+
+setupJob:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation
+    helm.sh/hook-weight: "2"
+  resources: {}
+  activeDeadlineSeconds: 300
+  extraContainers: []
+  podAnnotations: {}
+  additionalArgs:
+    - "--init-projections=true"
+  machinekeyWriter:
+    image:
+      repository: bitnami/kubectl
+      tag: ""
+    resources: {}
+
+readinessProbe:
+  enabled: true
+  initialDelaySeconds: 0
+  periodSeconds: 5
+  failureThreshold: 3
+
+livenessProbe:
+  enabled: true
+  initialDelaySeconds: 0
+  periodSeconds: 5
+  failureThreshold: 3
+
+startupProbe:
+  enabled: true
+  periodSeconds: 1
+  failureThreshold: 30
+
+metrics:
+  enabled: false
+  serviceMonitor:
+    # If true, the chart creates a ServiceMonitor that is compatible with Prometheus Operator
+    # https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#monitoring.coreos.com/v1.ServiceMonitor.
+    # The Prometheus community Helm chart installs this operator
+    # https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack#kube-prometheus-stack
+    enabled: false
+    honorLabels: false
+    honorTimestamps: true
+
+pdb:
+  enabled: false
+  # these values are used for the PDB and are mutally exclusive
+  minAvailable: 1
+  # maxUnavailable: 1
+  annotations: {}

cmd/holos/testdata/issue42_kustomize_build_kind.txt

@@ -0,0 +1,39 @@
+# Kustomize is a supported holos component kind
+exec holos render component --cluster-name=mycluster . --log-level=debug
+
+# Want generated output
+cmp want.yaml deploy/clusters/mycluster/components/kstest/kstest.gen.yaml
+
+-- platform.config.json --
+{}
+-- cue.mod --
+package holos
+-- component.cue --
+package holos
+
+_cluster: string @tag(cluster, string)
+_platform_config: string @tag(platform_config, string)
+
+apiVersion: "holos.run/v1alpha1"
+kind: "BuildPlan"
+spec: components: KustomizeBuildList: [{metadata: name: "kstest"}]
+
+-- kustomization.yaml --
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: mynamespace
+resources:
+- serviceaccount.yaml
+
+-- serviceaccount.yaml --
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: test
+
+-- want.yaml --
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: test
+  namespace: mynamespace

cmd/holos/testdata/issue72_disallow_unknown_fields.txt

@@ -0,0 +1,17 @@
+# https://github.com/holos-run/holos/issues/72
+# Want holos to fail on unknown fields to catch typos and aid refactors
+! exec holos build .
+stderr 'unknown field \\"TypoKubernetesObjectsList\\"'
+
+-- platform.config.json --
+{}
+-- cue.mod --
+package holos
+-- component.cue --
+package holos
+_cluster: string @tag(cluster, string)
+_platform_config: string @tag(platform_config, string)
+
+apiVersion: "holos.run/v1alpha1"
+kind: "BuildPlan"
+spec: components: TypoKubernetesObjectsList: []

cmd/holos/testdata/version.txt

@@ -1,5 +1,3 @@
 exec holos --version
 # want version with no v on stdout
 stdout -count=1 '^\d+\.\d+\.\d+$'
-# want nothing on stderr
-! stderr .

docs/examples/api/ListPlatform/listplatform.json

@@ -0,0 +1,10 @@
+{
+  "org_id": "018f36fb-e3f7-7f7f-a1c5-c85fb735d215",
+  "field_mask": {
+    "paths": [
+      "id",
+      "name",
+      "displayName"
+    ]
+  }
+}

docs/examples/api/UpdatePlatform/clearform.json

@@ -0,0 +1,8 @@
+{
+  "update_mask": {
+    "paths": ["form"]
+  },
+  "update": {
+    "platform_id": "018f36fb-e3ff-7f7f-a5d1-7ca2bf499e94"
+  }
+}

docs/examples/api/UpdatePlatform/model.json

@@ -0,0 +1,11 @@
+{
+  "update_mask": {
+    "paths": ["model","name","display_name"]
+  },
+  "update": {
+    "platform_id": "018f36fb-e3ff-7f7f-a5d1-7ca2bf499e94",
+    "name": "bareplatform",
+    "display_name": "Bare Platform",
+    "model": {}
+  }
+}

docs/examples/api/UpdatePlatform/nomask.json

@@ -0,0 +1,6 @@
+{
+  "update": {
+    "platform_id": "018f36fb-e3ff-7f7f-a5d1-7ca2bf499e94",
+    "model": {}
+  }
+}

docs/examples/authpolicy.cue

@@ -0,0 +1,45 @@
+package holos
+
+import ap "security.istio.io/authorizationpolicy/v1"
+
+// #AuthPolicyRules represents AuthorizationPolicy rules for hosts that need
+// specialized treatment.  Entries in this struct are excluded from
+// AuthorizationPolicy/authproxy-custom in the istio-ingress namespace.  Entries
+// are added to their own AuthorizationPolicy.
+#AuthPolicyRules: {
+	// AuthProxySpec represents the identity provider configuration
+	AuthProxySpec: #AuthProxySpec & #Platform.authproxy
+
+	// Hosts are hosts that need specialized treatment
+	hosts: {
+		[Name=_]: {
+			// name is the fully qualifed hostname, a Host: header value.
+			name: Name
+			// slug is the resource name prefix
+			slug: string
+			// NoAuthorizationPolicy disables an AuthorizationPolicy for the host
+			NoAuthorizationPolicy: true | *false
+
+			// Refer to https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule
+			spec: ap.#AuthorizationPolicySpec & {
+				action: "CUSTOM"
+				provider: name: AuthProxySpec.provider
+				selector: matchLabels: istio: "ingressgateway"
+			}
+		}
+	}
+
+	objects: #APIObjects & {
+		for Host in hosts {
+			if Host.NoAuthorizationPolicy == false {
+				apiObjects: {
+					AuthorizationPolicy: "\(Host.slug)-custom": {
+						metadata: namespace: "istio-ingress"
+						metadata: name:      "\(Host.slug)-custom"
+						spec: Host.spec
+					}
+				}
+			}
+		}
+	}
+}

docs/examples/cue.mod/gen/acme.cert-manager.io/order/v1/types_gen.cue

@@ -0,0 +1,82 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-certmanager/prod-mesh-certmanager.gen.yaml
+
+package v1
+
+import "strings"
+
+// Order is a type to represent an Order with an ACME server
+#Order: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "acme.cert-manager.io/v1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Order"
+	metadata: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+	spec!: #OrderSpec
+}
+#OrderSpec: {
+	// CommonName is the common name as specified on the DER encoded
+	// CSR. If specified, this value must also be present in
+	// `dnsNames` or `ipAddresses`. This field must match the
+	// corresponding field on the DER encoded CSR.
+	commonName?: string
+
+	// DNSNames is a list of DNS names that should be included as part
+	// of the Order validation process. This field must match the
+	// corresponding field on the DER encoded CSR.
+	dnsNames?: [...string]
+
+	// Duration is the duration for the not after date for the
+	// requested certificate. this is set on order creation as pe the
+	// ACME spec.
+	duration?: string
+
+	// IPAddresses is a list of IP addresses that should be included
+	// as part of the Order validation process. This field must match
+	// the corresponding field on the DER encoded CSR.
+	ipAddresses?: [...string]
+
+	// IssuerRef references a properly configured ACME-type Issuer
+	// which should be used to create this Order. If the Issuer does
+	// not exist, processing will be retried. If the Issuer is not an
+	// 'ACME' Issuer, an error will be returned and the Order will be
+	// marked as failed.
+	issuerRef: {
+		// Group of the resource being referred to.
+		group?: string
+
+		// Kind of the resource being referred to.
+		kind?: string
+
+		// Name of the resource being referred to.
+		name: string
+	}
+
+	// Certificate signing request bytes in DER encoding. This will be
+	// used when finalizing the order. This field must be set on the
+	// order.
+	request: string
+}

docs/examples/cue.mod/gen/argoproj.io/appproject/v1alpha1/types_gen.cue

@@ -0,0 +1,189 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-platform-argocd/prod-platform-argocd.gen.yaml
+
+package v1alpha1
+
+import "strings"
+
+// AppProject provides a logical grouping of applications,
+// providing controls for: * where the apps may deploy to
+// (cluster whitelist) * what may be deployed (repository
+// whitelist, resource whitelist/blacklist) * who can access
+// these applications (roles, OIDC group claims bindings) * and
+// what they can do (RBAC policies) * automation access to these
+// roles (JWT tokens)
+#AppProject: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "argoproj.io/v1alpha1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "AppProject"
+	metadata: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// AppProjectSpec is the specification of an AppProject
+	spec!: #AppProjectSpec
+}
+
+// AppProjectSpec is the specification of an AppProject
+#AppProjectSpec: {
+	// ClusterResourceBlacklist contains list of blacklisted cluster
+	// level resources
+	clusterResourceBlacklist?: [...{
+		group: string
+		kind:  string
+	}]
+
+	// ClusterResourceWhitelist contains list of whitelisted cluster
+	// level resources
+	clusterResourceWhitelist?: [...{
+		group: string
+		kind:  string
+	}]
+
+	// Description contains optional project description
+	description?: string
+
+	// Destinations contains list of destinations available for
+	// deployment
+	destinations?: [...{
+		// Name is an alternate way of specifying the target cluster by
+		// its symbolic name. This must be set if Server is not set.
+		name?: string
+
+		// Namespace specifies the target namespace for the application's
+		// resources. The namespace will only be set for namespace-scoped
+		// resources that have not set a value for .metadata.namespace
+		namespace?: string
+
+		// Server specifies the URL of the target cluster's Kubernetes
+		// control plane API. This must be set if Name is not set.
+		server?: string
+	}]
+
+	// NamespaceResourceBlacklist contains list of blacklisted
+	// namespace level resources
+	namespaceResourceBlacklist?: [...{
+		group: string
+		kind:  string
+	}]
+
+	// NamespaceResourceWhitelist contains list of whitelisted
+	// namespace level resources
+	namespaceResourceWhitelist?: [...{
+		group: string
+		kind:  string
+	}]
+
+	// OrphanedResources specifies if controller should monitor
+	// orphaned resources of apps in this project
+	orphanedResources?: {
+		// Ignore contains a list of resources that are to be excluded
+		// from orphaned resources monitoring
+		ignore?: [...{
+			group?: string
+			kind?:  string
+			name?:  string
+		}]
+
+		// Warn indicates if warning condition should be created for apps
+		// which have orphaned resources
+		warn?: bool
+	}
+
+	// PermitOnlyProjectScopedClusters determines whether destinations
+	// can only reference clusters which are project-scoped
+	permitOnlyProjectScopedClusters?: bool
+
+	// Roles are user defined RBAC roles associated with this project
+	roles?: [...{
+		// Description is a description of the role
+		description?: string
+
+		// Groups are a list of OIDC group claims bound to this role
+		groups?: [...string]
+
+		// JWTTokens are a list of generated JWT tokens bound to this role
+		jwtTokens?: [...{
+			exp?: int
+			iat:  int
+			id?:  string
+		}]
+
+		// Name is a name for this role
+		name: string
+
+		// Policies Stores a list of casbin formatted strings that define
+		// access policies for the role in the project
+		policies?: [...string]
+	}]
+
+	// SignatureKeys contains a list of PGP key IDs that commits in
+	// Git must be signed with in order to be allowed for sync
+	signatureKeys?: [...{
+		// The ID of the key in hexadecimal notation
+		keyID: string
+	}]
+
+	// SourceNamespaces defines the namespaces application resources
+	// are allowed to be created in
+	sourceNamespaces?: [...string]
+
+	// SourceRepos contains list of repository URLs which can be used
+	// for deployment
+	sourceRepos?: [...string]
+
+	// SyncWindows controls when syncs can be run for apps in this
+	// project
+	syncWindows?: [...{
+		// Applications contains a list of applications that the window
+		// will apply to
+		applications?: [...string]
+
+		// Clusters contains a list of clusters that the window will apply
+		// to
+		clusters?: [...string]
+
+		// Duration is the amount of time the sync window will be open
+		duration?: string
+
+		// Kind defines if the window allows or blocks syncs
+		kind?: string
+
+		// ManualSync enables manual syncs when they would otherwise be
+		// blocked
+		manualSync?: bool
+
+		// Namespaces contains a list of namespaces that the window will
+		// apply to
+		namespaces?: [...string]
+
+		// Schedule is the time the window will begin, specified in cron
+		// format
+		schedule?: string
+
+		// TimeZone of the sync that will be applied to the schedule
+		timeZone?: string
+	}]
+}

docs/examples/cue.mod/gen/cert-manager.io/certificate/v1/types_gen.cue

@@ -0,0 +1,422 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-certmanager/prod-mesh-certmanager.gen.yaml
+
+package v1
+
+import "strings"
+
+// A Certificate resource should be created to ensure an up to
+// date and signed X.509 certificate is stored in the Kubernetes
+// Secret resource named in `spec.secretName`.
+// The stored certificate will be renewed before it expires (as
+// configured by `spec.renewBefore`).
+#Certificate: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "cert-manager.io/v1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Certificate"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// Specification of the desired state of the Certificate resource.
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	spec!: #CertificateSpec
+}
+
+// Specification of the desired state of the Certificate resource.
+// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+#CertificateSpec: {
+	// Defines extra output formats of the private key and signed
+	// certificate chain to be written to this Certificate's target
+	// Secret.
+	// This is an Alpha Feature and is only enabled with the
+	// `--feature-gates=AdditionalCertificateOutputFormats=true`
+	// option set on both the controller and webhook components.
+	additionalOutputFormats?: [...{
+		// Type is the name of the format type that should be written to
+		// the Certificate's target Secret.
+		type: "DER" | "CombinedPEM"
+	}]
+
+	// Requested common name X509 certificate subject attribute. More
+	// info:
+	// https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
+	// NOTE: TLS clients will ignore this value when any subject
+	// alternative name is set (see
+	// https://tools.ietf.org/html/rfc6125#section-6.4.4).
+	// Should have a length of 64 characters or fewer to avoid
+	// generating invalid CSRs. Cannot be set if the `literalSubject`
+	// field is set.
+	commonName?: string
+
+	// Requested DNS subject alternative names.
+	dnsNames?: [...string]
+
+	// Requested 'duration' (i.e. lifetime) of the Certificate. Note
+	// that the issuer may choose to ignore the requested duration,
+	// just like any other requested attribute.
+	// If unset, this defaults to 90 days. Minimum accepted duration
+	// is 1 hour. Value must be in units accepted by Go
+	// time.ParseDuration https://golang.org/pkg/time/#ParseDuration.
+	duration?: string
+
+	// Requested email subject alternative names.
+	emailAddresses?: [...string]
+
+	// Whether the KeyUsage and ExtKeyUsage extensions should be set
+	// in the encoded CSR.
+	// This option defaults to true, and should only be disabled if
+	// the target issuer does not support CSRs with these X509
+	// KeyUsage/ ExtKeyUsage extensions.
+	encodeUsagesInRequest?: bool
+
+	// Requested IP address subject alternative names.
+	ipAddresses?: [...string]
+
+	// Requested basic constraints isCA value. The isCA value is used
+	// to set the `isCA` field on the created CertificateRequest
+	// resources. Note that the issuer may choose to ignore the
+	// requested isCA value, just like any other requested attribute.
+	// If true, this will automatically add the `cert sign` usage to
+	// the list of requested `usages`.
+	isCA?: bool
+
+	// Reference to the issuer responsible for issuing the
+	// certificate. If the issuer is namespace-scoped, it must be in
+	// the same namespace as the Certificate. If the issuer is
+	// cluster-scoped, it can be used from any namespace.
+	// The `name` field of the reference must always be specified.
+	issuerRef: {
+		// Group of the resource being referred to.
+		group?: string
+
+		// Kind of the resource being referred to.
+		kind?: string
+
+		// Name of the resource being referred to.
+		name: string
+	}
+
+	// Additional keystore output formats to be stored in the
+	// Certificate's Secret.
+	keystores?: {
+		// JKS configures options for storing a JKS keystore in the
+		// `spec.secretName` Secret resource.
+		jks?: {
+			// Create enables JKS keystore creation for the Certificate. If
+			// true, a file named `keystore.jks` will be created in the
+			// target Secret resource, encrypted using the password stored in
+			// `passwordSecretRef`. The keystore file will be updated
+			// immediately. If the issuer provided a CA certificate, a file
+			// named `truststore.jks` will also be created in the target
+			// Secret resource, encrypted using the password stored in
+			// `passwordSecretRef` containing the issuing Certificate
+			// Authority
+			create: bool
+
+			// PasswordSecretRef is a reference to a key in a Secret resource
+			// containing the password used to encrypt the JKS keystore.
+			passwordSecretRef: {
+				// The key of the entry in the Secret resource's `data` field to
+				// be used. Some instances of this field may be defaulted, in
+				// others it may be required.
+				key?: string
+
+				// Name of the resource being referred to. More info:
+				// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+				name: string
+			}
+		}
+
+		// PKCS12 configures options for storing a PKCS12 keystore in the
+		// `spec.secretName` Secret resource.
+		pkcs12?: {
+			// Create enables PKCS12 keystore creation for the Certificate. If
+			// true, a file named `keystore.p12` will be created in the
+			// target Secret resource, encrypted using the password stored in
+			// `passwordSecretRef`. The keystore file will be updated
+			// immediately. If the issuer provided a CA certificate, a file
+			// named `truststore.p12` will also be created in the target
+			// Secret resource, encrypted using the password stored in
+			// `passwordSecretRef` containing the issuing Certificate
+			// Authority
+			create: bool
+
+			// PasswordSecretRef is a reference to a key in a Secret resource
+			// containing the password used to encrypt the PKCS12 keystore.
+			passwordSecretRef: {
+				// The key of the entry in the Secret resource's `data` field to
+				// be used. Some instances of this field may be defaulted, in
+				// others it may be required.
+				key?: string
+
+				// Name of the resource being referred to. More info:
+				// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+				name: string
+			}
+
+			// Profile specifies the key and certificate encryption algorithms
+			// and the HMAC algorithm used to create the PKCS12 keystore.
+			// Default value is `LegacyRC2` for backward compatibility.
+			// If provided, allowed values are: `LegacyRC2`: Deprecated. Not
+			// supported by default in OpenSSL 3 or Java 20. `LegacyDES`:
+			// Less secure algorithm. Use this option for maximal
+			// compatibility. `Modern2023`: Secure algorithm. Use this option
+			// in case you have to always use secure algorithms (eg. because
+			// of company policy). Please note that the security of the
+			// algorithm is not that important in reality, because the
+			// unencrypted certificate and private key are also stored in the
+			// Secret.
+			profile?: "LegacyRC2" | "LegacyDES" | "Modern2023"
+		}
+	}
+
+	// Requested X.509 certificate subject, represented using the LDAP
+	// "String Representation of a Distinguished Name" [1].
+	// Important: the LDAP string format also specifies the order of
+	// the attributes in the subject, this is important when issuing
+	// certs for LDAP authentication. Example:
+	// `CN=foo,DC=corp,DC=example,DC=com` More info [1]:
+	// https://datatracker.ietf.org/doc/html/rfc4514 More info:
+	// https://github.com/cert-manager/cert-manager/issues/3203 More
+	// info: https://github.com/cert-manager/cert-manager/issues/4424
+	// Cannot be set if the `subject` or `commonName` field is set.
+	// This is an Alpha Feature and is only enabled with the
+	// `--feature-gates=LiteralCertificateSubject=true` option set on
+	// both the controller and webhook components.
+	literalSubject?: string
+
+	// x.509 certificate NameConstraint extension which MUST NOT be
+	// used in a non-CA certificate. More Info:
+	// https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10
+	// This is an Alpha Feature and is only enabled with the
+	// `--feature-gates=NameConstraints=true` option set on both the
+	// controller and webhook components.
+	nameConstraints?: {
+		// if true then the name constraints are marked critical.
+		critical?: bool
+
+		// Excluded contains the constraints which must be disallowed. Any
+		// name matching a restriction in the excluded field is invalid
+		// regardless of information appearing in the permitted
+		excluded?: {
+			// DNSDomains is a list of DNS domains that are permitted or
+			// excluded.
+			dnsDomains?: [...string]
+
+			// EmailAddresses is a list of Email Addresses that are permitted
+			// or excluded.
+			emailAddresses?: [...string]
+
+			// IPRanges is a list of IP Ranges that are permitted or excluded.
+			// This should be a valid CIDR notation.
+			ipRanges?: [...string]
+
+			// URIDomains is a list of URI domains that are permitted or
+			// excluded.
+			uriDomains?: [...string]
+		}
+
+		// Permitted contains the constraints in which the names must be
+		// located.
+		permitted?: {
+			// DNSDomains is a list of DNS domains that are permitted or
+			// excluded.
+			dnsDomains?: [...string]
+
+			// EmailAddresses is a list of Email Addresses that are permitted
+			// or excluded.
+			emailAddresses?: [...string]
+
+			// IPRanges is a list of IP Ranges that are permitted or excluded.
+			// This should be a valid CIDR notation.
+			ipRanges?: [...string]
+
+			// URIDomains is a list of URI domains that are permitted or
+			// excluded.
+			uriDomains?: [...string]
+		}
+	}
+
+	// `otherNames` is an escape hatch for SAN that allows any type.
+	// We currently restrict the support to string like otherNames,
+	// cf RFC 5280 p 37 Any UTF8 String valued otherName can be
+	// passed with by setting the keys oid: x.x.x.x and UTF8Value:
+	// somevalue for `otherName`. Most commonly this would be UPN set
+	// with oid: 1.3.6.1.4.1.311.20.2.3 You should ensure that any
+	// OID passed is valid for the UTF8String type as we do not
+	// explicitly validate this.
+	otherNames?: [...{
+		// OID is the object identifier for the otherName SAN. The object
+		// identifier must be expressed as a dotted string, for example,
+		// "1.2.840.113556.1.4.221".
+		oid?: string
+
+		// utf8Value is the string value of the otherName SAN. The
+		// utf8Value accepts any valid UTF8 string to set as value for
+		// the otherName SAN.
+		utf8Value?: string
+	}]
+
+	// Private key options. These include the key algorithm and size,
+	// the used encoding and the rotation policy.
+	privateKey?: {
+		// Algorithm is the private key algorithm of the corresponding
+		// private key for this certificate.
+		// If provided, allowed values are either `RSA`, `ECDSA` or
+		// `Ed25519`. If `algorithm` is specified and `size` is not
+		// provided, key size of 2048 will be used for `RSA` key
+		// algorithm and key size of 256 will be used for `ECDSA` key
+		// algorithm. key size is ignored when using the `Ed25519` key
+		// algorithm.
+		algorithm?: "RSA" | "ECDSA" | "Ed25519"
+
+		// The private key cryptography standards (PKCS) encoding for this
+		// certificate's private key to be encoded in.
+		// If provided, allowed values are `PKCS1` and `PKCS8` standing
+		// for PKCS#1 and PKCS#8, respectively. Defaults to `PKCS1` if
+		// not specified.
+		encoding?: "PKCS1" | "PKCS8"
+
+		// RotationPolicy controls how private keys should be regenerated
+		// when a re-issuance is being processed.
+		// If set to `Never`, a private key will only be generated if one
+		// does not already exist in the target `spec.secretName`. If one
+		// does exists but it does not have the correct algorithm or
+		// size, a warning will be raised to await user intervention. If
+		// set to `Always`, a private key matching the specified
+		// requirements will be generated whenever a re-issuance occurs.
+		// Default is `Never` for backward compatibility.
+		rotationPolicy?: "Never" | "Always"
+
+		// Size is the key bit size of the corresponding private key for
+		// this certificate.
+		// If `algorithm` is set to `RSA`, valid values are `2048`, `4096`
+		// or `8192`, and will default to `2048` if not specified. If
+		// `algorithm` is set to `ECDSA`, valid values are `256`, `384`
+		// or `521`, and will default to `256` if not specified. If
+		// `algorithm` is set to `Ed25519`, Size is ignored. No other
+		// values are allowed.
+		size?: int
+	}
+
+	// How long before the currently issued certificate's expiry
+	// cert-manager should renew the certificate. For example, if a
+	// certificate is valid for 60 minutes, and `renewBefore=10m`,
+	// cert-manager will begin to attempt to renew the certificate 50
+	// minutes after it was issued (i.e. when there are 10 minutes
+	// remaining until the certificate is no longer valid).
+	// NOTE: The actual lifetime of the issued certificate is used to
+	// determine the renewal time. If an issuer returns a certificate
+	// with a different lifetime than the one requested, cert-manager
+	// will use the lifetime of the issued certificate.
+	// If unset, this defaults to 1/3 of the issued certificate's
+	// lifetime. Minimum accepted value is 5 minutes. Value must be
+	// in units accepted by Go time.ParseDuration
+	// https://golang.org/pkg/time/#ParseDuration.
+	renewBefore?: string
+
+	// The maximum number of CertificateRequest revisions that are
+	// maintained in the Certificate's history. Each revision
+	// represents a single `CertificateRequest` created by this
+	// Certificate, either when it was created, renewed, or Spec was
+	// changed. Revisions will be removed by oldest first if the
+	// number of revisions exceeds this number.
+	// If set, revisionHistoryLimit must be a value of `1` or greater.
+	// If unset (`nil`), revisions will not be garbage collected.
+	// Default value is `nil`.
+	revisionHistoryLimit?: int
+
+	// Name of the Secret resource that will be automatically created
+	// and managed by this Certificate resource. It will be populated
+	// with a private key and certificate, signed by the denoted
+	// issuer. The Secret resource lives in the same namespace as the
+	// Certificate resource.
+	secretName: string
+
+	// Defines annotations and labels to be copied to the
+	// Certificate's Secret. Labels and annotations on the Secret
+	// will be changed as they appear on the SecretTemplate when
+	// added or removed. SecretTemplate annotations are added in
+	// conjunction with, and cannot overwrite, the base set of
+	// annotations cert-manager sets on the Certificate's Secret.
+	secretTemplate?: {
+		// Annotations is a key value map to be copied to the target
+		// Kubernetes Secret.
+		annotations?: {
+			[string]: string
+		}
+
+		// Labels is a key value map to be copied to the target Kubernetes
+		// Secret.
+		labels?: {
+			[string]: string
+		}
+	}
+
+	// Requested set of X509 certificate subject attributes. More
+	// info:
+	// https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
+	// The common name attribute is specified separately in the
+	// `commonName` field. Cannot be set if the `literalSubject`
+	// field is set.
+	subject?: {
+		// Countries to be used on the Certificate.
+		countries?: [...string]
+
+		// Cities to be used on the Certificate.
+		localities?: [...string]
+
+		// Organizational Units to be used on the Certificate.
+		organizationalUnits?: [...string]
+
+		// Organizations to be used on the Certificate.
+		organizations?: [...string]
+
+		// Postal codes to be used on the Certificate.
+		postalCodes?: [...string]
+
+		// State/Provinces to be used on the Certificate.
+		provinces?: [...string]
+
+		// Serial number to be used on the Certificate.
+		serialNumber?: string
+
+		// Street addresses to be used on the Certificate.
+		streetAddresses?: [...string]
+	}
+
+	// Requested URI subject alternative names.
+	uris?: [...string]
+
+	// Requested key usages and extended key usages. These usages are
+	// used to set the `usages` field on the created
+	// CertificateRequest resources. If `encodeUsagesInRequest` is
+	// unset or set to `true`, the usages will additionally be
+	// encoded in the `request` field which contains the CSR blob.
+	// If unset, defaults to `digital signature` and `key
+	// encipherment`.
+	usages?: [..."signing" | "digital signature" | "content commitment" | "key encipherment" | "key agreement" | "data encipherment" | "cert sign" | "crl sign" | "encipher only" | "decipher only" | "any" | "server auth" | "client auth" | "code signing" | "email protection" | "s/mime" | "ipsec end system" | "ipsec tunnel" | "ipsec user" | "timestamping" | "ocsp signing" | "microsoft sgc" | "netscape sgc"]
+}

docs/examples/cue.mod/gen/cert-manager.io/certificaterequest/v1/types_gen.cue

@@ -0,0 +1,127 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-certmanager/prod-mesh-certmanager.gen.yaml
+
+package v1
+
+import "strings"
+
+// A CertificateRequest is used to request a signed certificate
+// from one of the configured issuers.
+// All fields within the CertificateRequest's `spec` are immutable
+// after creation. A CertificateRequest will either succeed or
+// fail, as denoted by its `Ready` status condition and its
+// `status.failureTime` field.
+// A CertificateRequest is a one-shot resource, meaning it
+// represents a single point in time request for a certificate
+// and cannot be re-used.
+#CertificateRequest: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "cert-manager.io/v1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "CertificateRequest"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// Specification of the desired state of the CertificateRequest
+	// resource.
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	spec!: #CertificateRequestSpec
+}
+
+// Specification of the desired state of the CertificateRequest
+// resource.
+// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+#CertificateRequestSpec: {
+	// Requested 'duration' (i.e. lifetime) of the Certificate. Note
+	// that the issuer may choose to ignore the requested duration,
+	// just like any other requested attribute.
+	duration?: string
+
+	// Extra contains extra attributes of the user that created the
+	// CertificateRequest. Populated by the cert-manager webhook on
+	// creation and immutable.
+	extra?: {
+		[string]: [...string]
+	}
+
+	// Groups contains group membership of the user that created the
+	// CertificateRequest. Populated by the cert-manager webhook on
+	// creation and immutable.
+	groups?: [...string]
+
+	// Requested basic constraints isCA value. Note that the issuer
+	// may choose to ignore the requested isCA value, just like any
+	// other requested attribute.
+	// NOTE: If the CSR in the `Request` field has a BasicConstraints
+	// extension, it must have the same isCA value as specified here.
+	// If true, this will automatically add the `cert sign` usage to
+	// the list of requested `usages`.
+	isCA?: bool
+
+	// Reference to the issuer responsible for issuing the
+	// certificate. If the issuer is namespace-scoped, it must be in
+	// the same namespace as the Certificate. If the issuer is
+	// cluster-scoped, it can be used from any namespace.
+	// The `name` field of the reference must always be specified.
+	issuerRef: {
+		// Group of the resource being referred to.
+		group?: string
+
+		// Kind of the resource being referred to.
+		kind?: string
+
+		// Name of the resource being referred to.
+		name: string
+	}
+
+	// The PEM-encoded X.509 certificate signing request to be
+	// submitted to the issuer for signing.
+	// If the CSR has a BasicConstraints extension, its isCA attribute
+	// must match the `isCA` value of this CertificateRequest. If the
+	// CSR has a KeyUsage extension, its key usages must match the
+	// key usages in the `usages` field of this CertificateRequest.
+	// If the CSR has a ExtKeyUsage extension, its extended key
+	// usages must match the extended key usages in the `usages`
+	// field of this CertificateRequest.
+	request: string
+
+	// UID contains the uid of the user that created the
+	// CertificateRequest. Populated by the cert-manager webhook on
+	// creation and immutable.
+	uid?: string
+
+	// Requested key usages and extended key usages.
+	// NOTE: If the CSR in the `Request` field has uses the KeyUsage
+	// or ExtKeyUsage extension, these extensions must have the same
+	// values as specified here without any additional values.
+	// If unset, defaults to `digital signature` and `key
+	// encipherment`.
+	usages?: [..."signing" | "digital signature" | "content commitment" | "key encipherment" | "key agreement" | "data encipherment" | "cert sign" | "crl sign" | "encipher only" | "decipher only" | "any" | "server auth" | "client auth" | "code signing" | "email protection" | "s/mime" | "ipsec end system" | "ipsec tunnel" | "ipsec user" | "timestamping" | "ocsp signing" | "microsoft sgc" | "netscape sgc"]
+
+	// Username contains the name of the user that created the
+	// CertificateRequest. Populated by the cert-manager webhook on
+	// creation and immutable.
+	username?: string
+}

docs/examples/cue.mod/gen/extensions.istio.io/wasmplugin/v1alpha1/types_gen.cue

@@ -0,0 +1,123 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1alpha1
+
+import (
+	"strings"
+	"list"
+)
+
+#WasmPlugin: {
+	// Extend the functionality provided by the Istio proxy through
+	// WebAssembly filters. See more details at:
+	// https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html
+	spec!:      #WasmPluginSpec
+	apiVersion: "extensions.istio.io/v1alpha1"
+	kind:       "WasmPlugin"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Extend the functionality provided by the Istio proxy through
+// WebAssembly filters. See more details at:
+// https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html
+#WasmPluginSpec: {
+	// Specifies the failure behavior for the plugin due to fatal
+	// errors.
+	failStrategy?: "FAIL_CLOSE" | "FAIL_OPEN"
+
+	// The pull behaviour to be applied when fetching Wasm module by
+	// either OCI image or http/https.
+	imagePullPolicy?: "UNSPECIFIED_POLICY" | "IfNotPresent" | "Always"
+
+	// Credentials to use for OCI image pulling.
+	imagePullSecret?: strings.MaxRunes(253) & strings.MinRunes(1)
+
+	// Specifies the criteria to determine which traffic is passed to
+	// WasmPlugin.
+	match?: [...{
+		// Criteria for selecting traffic by their direction.
+		mode?: "UNDEFINED" | "CLIENT" | "SERVER" | "CLIENT_AND_SERVER"
+
+		// Criteria for selecting traffic by their destination port.
+		ports?: [...{
+			number: uint16 & >=1
+		}]
+	}]
+
+	// Determines where in the filter chain this `WasmPlugin` is to be
+	// injected.
+	phase?: "UNSPECIFIED_PHASE" | "AUTHN" | "AUTHZ" | "STATS"
+
+	// The configuration that will be passed on to the plugin.
+	pluginConfig?: {
+		...
+	}
+
+	// The plugin name to be used in the Envoy configuration (used to
+	// be called `rootID`).
+	pluginName?: strings.MaxRunes(256) & strings.MinRunes(1)
+
+	// Determines ordering of `WasmPlugins` in the same `phase`.
+	priority?: null | int
+	selector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which a policy should be applied.
+		matchLabels?: {
+			[string]: string
+		}
+	}
+
+	// SHA256 checksum that will be used to verify Wasm module or OCI
+	// container.
+	sha256?: =~"(^$|^[a-f0-9]{64}$)"
+
+	// Optional.
+	targetRef?: {
+		// group is the group of the target resource.
+		group?: string
+
+		// kind is kind of the target resource.
+		kind?: string
+
+		// name is the name of the target resource.
+		name?: string
+
+		// namespace is the namespace of the referent.
+		namespace?: string
+	}
+
+	// Specifies the type of Wasm Extension to be used.
+	type?: "UNSPECIFIED_PLUGIN_TYPE" | "HTTP" | "NETWORK"
+
+	// URL of a Wasm module or OCI container.
+	url:              strings.MinRunes(1)
+	verificationKey?: string
+	vmConfig?: {
+		// Specifies environment variables to be injected to this VM.
+		env?: list.MaxItems(256) & [...{
+			// Name of the environment variable.
+			name: strings.MaxRunes(256) & strings.MinRunes(1)
+
+			// Value for the environment variable.
+			value?: strings.MaxRunes(2048)
+
+			// Source for the environment variable's value.
+			valueFrom?: "INLINE" | "HOST"
+		}]
+	}
+}

docs/examples/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/buildplan_go_gen.cue

@@ -0,0 +1,26 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/holos-run/holos/api/v1alpha1
+
+package v1alpha1
+
+// BuildPlan is the primary interface between CUE and the Holos cli.
+#BuildPlan: {
+	#TypeMeta
+
+	// Metadata represents the holos component name
+	metadata?: #ObjectMeta    @go(Metadata)
+	spec?:     #BuildPlanSpec @go(Spec)
+}
+
+#BuildPlanSpec: {
+	disabled?:   bool                 @go(Disabled)
+	components?: #BuildPlanComponents @go(Components)
+}
+
+#BuildPlanComponents: {
+	helmChartList?: [...#HelmChart] @go(HelmChartList,[]HelmChart)
+	kubernetesObjectsList?: [...#KubernetesObjects] @go(KubernetesObjectsList,[]KubernetesObjects)
+	kustomizeBuildList?: [...#KustomizeBuild] @go(KustomizeBuildList,[]KustomizeBuild)
+	resources?: {[string]: #KubernetesObjects} @go(Resources,map[string]KubernetesObjects)
+}

docs/examples/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/component_go_gen.cue

@@ -0,0 +1,24 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/holos-run/holos/api/v1alpha1
+
+package v1alpha1
+
+// HolosComponent defines the fields common to all holos component kinds including the Render Result.
+#HolosComponent: {
+	#TypeMeta
+
+	// Metadata represents the holos component name
+	metadata?: #ObjectMeta @go(Metadata)
+
+	// APIObjectMap holds the marshalled representation of api objects. Think of
+	// these as resources overlaid at the back of the render pipeline.
+	apiObjectMap?: #APIObjectMap @go(APIObjectMap)
+
+	#Kustomization
+
+	#Kustomize
+
+	// Skip causes holos to take no action regarding the component.
+	Skip: bool
+}

docs/examples/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/constants_go_gen.cue

@@ -0,0 +1,15 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/holos-run/holos/api/v1alpha1
+
+package v1alpha1
+
+#APIVersion:    "holos.run/v1alpha1"
+#BuildPlanKind: "BuildPlan"
+#HelmChartKind: "HelmChart"
+
+// ChartDir is the directory name created in the holos component directory to cache a chart.
+#ChartDir: "vendor"
+
+// ResourcesFile is the file name used to store component output when post-processing with kustomize.
+#ResourcesFile: "resources.yaml"

docs/examples/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/doc_go_gen.cue

@@ -0,0 +1,6 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/holos-run/holos/api/v1alpha1
+
+// Package v1alpha1 defines the api boundary between CUE and Holos.
+package v1alpha1

docs/examples/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/helm_go_gen.cue

@@ -0,0 +1,28 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/holos-run/holos/api/v1alpha1
+
+package v1alpha1
+
+// A HelmChart represents a helm command to provide chart values in order to render kubernetes api objects.
+#HelmChart: {
+	#HolosComponent
+
+	// Namespace is the namespace to install into.  TODO: Use metadata.namespace instead.
+	namespace:     string @go(Namespace)
+	chart:         #Chart @go(Chart)
+	valuesContent: string @go(ValuesContent)
+	enableHooks:   bool   @go(EnableHooks)
+}
+
+#Chart: {
+	name:        string      @go(Name)
+	version:     string      @go(Version)
+	release:     string      @go(Release)
+	repository?: #Repository @go(Repository)
+}
+
+#Repository: {
+	name: string @go(Name)
+	url:  string @go(URL)
+}

docs/examples/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/kubernetesobjects_go_gen.cue

@@ -0,0 +1,12 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/holos-run/holos/api/v1alpha1
+
+package v1alpha1
+
+#KubernetesObjectsKind: "KubernetesObjects"
+
+// KubernetesObjects represents CUE output which directly provides Kubernetes api objects to holos.
+#KubernetesObjects: {
+	#HolosComponent
+}

docs/examples/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/kustomization_go_gen.cue

@@ -0,0 +1,11 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/holos-run/holos/api/v1alpha1
+
+package v1alpha1
+
+// Kustomization holds the rendered flux kustomization api object content for git ops.
+#Kustomization: {
+	// KsContent is the yaml representation of the flux kustomization for gitops.
+	ksContent?: string @go(KsContent)
+}

docs/examples/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/kustomize_go_gen.cue

@@ -0,0 +1,25 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/holos-run/holos/api/v1alpha1
+
+package v1alpha1
+
+#KustomizeBuildKind: "KustomizeBuild"
+
+// Kustomize represents resources necessary to execute a kustomize build.
+// Intended for at least two use cases:
+//
+//  1. Process raw yaml file resources in a holos component directory.
+//  2. Post process a HelmChart to inject istio, add custom labels, etc...
+#Kustomize: {
+	// KustomizeFiles holds file contents for kustomize, e.g. patch files.
+	kustomizeFiles?: #FileContentMap @go(KustomizeFiles)
+
+	// ResourcesFile is the file name used for api objects in kustomization.yaml
+	resourcesFile?: string @go(ResourcesFile)
+}
+
+// KustomizeBuild renders plain yaml files in the holos component directory using kubectl kustomize build.
+#KustomizeBuild: {
+	#HolosComponent
+}

docs/examples/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/kustomizebuild_go_gen.cue

@@ -0,0 +1,12 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/holos-run/holos/api/v1alpha1
+
+package v1alpha1
+
+#KustomizeBuildKind: "KustomizeBuild"
+
+// KustomizeBuild
+#KustomizeBuild: {
+	#HolosComponent
+}

docs/examples/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/objectmap_go_gen.cue

@@ -0,0 +1,18 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/holos-run/holos/api/v1alpha1
+
+package v1alpha1
+
+// Label is an arbitrary unique identifier.  Defined as a type for clarity and type checking.
+#Label: string
+
+// Kind is a kubernetes api object kind. Defined as a type for clarity and type checking.
+#Kind: string
+
+// APIObjectMap is the shape of marshalled api objects returned from cue to the
+// holos cli. A map is used to improve the clarity of error messages from cue.
+#APIObjectMap: {[string]: [string]: string}
+
+// FileContentMap is a map of file names to file contents.
+#FileContentMap: {[string]: string}

docs/examples/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/objectmeta_go_gen.cue

@@ -0,0 +1,22 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/holos-run/holos/api/v1alpha1
+
+package v1alpha1
+
+// ObjectMeta represents metadata of a holos component object. The fields are a
+// copy of upstream kubernetes api machinery but are by holos objects distinct
+// from kubernetes api objects.
+#ObjectMeta: {
+	// Name uniquely identifies the holos component instance and must be suitable as a file name.
+	name?: string @go(Name)
+
+	// Namespace confines a holos component to a single namespace via kustomize if set.
+	namespace?: string @go(Namespace)
+
+	// Labels are not used but are copied from api machinery ObjectMeta for completeness.
+	labels?: {[string]: string} @go(Labels,map[string]string)
+
+	// Annotations are not used but are copied from api machinery ObjectMeta for completeness.
+	annotations?: {[string]: string} @go(Annotations,map[string]string)
+}

docs/examples/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/render_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/holos-run/holos/api/v1alpha1
+
+package v1alpha1
+
+#Renderer: _

docs/examples/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/result_go_gen.cue

@@ -0,0 +1,10 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/holos-run/holos/api/v1alpha1
+
+package v1alpha1
+
+// Result is the build result for display or writing.  Holos components Render the Result as a data pipeline.
+#Result: {
+	HolosComponent: #HolosComponent
+}

docs/examples/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/typemeta_go_gen.cue

@@ -0,0 +1,10 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/holos-run/holos/api/v1alpha1
+
+package v1alpha1
+
+#TypeMeta: {
+	kind?:       string @go(Kind)
+	apiVersion?: string @go(APIVersion)
+}

docs/examples/cue.mod/gen/install.istio.io/istiooperator/v1alpha1/types_gen.cue

@@ -0,0 +1,27 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1alpha1
+
+import "strings"
+
+#IstioOperator: {
+	apiVersion: "install.istio.io/v1alpha1"
+	kind:       "IstioOperator"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+	...
+}

docs/examples/cue.mod/gen/k8s.io/api/core/v1/types_go_gen.cue

@@ -3066,7 +3066,7 @@ import (
 	// If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext.
 	// More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
 	// +optional
-	securityContext?: null | #SecurityContext @go(SecurityContext,*SecurityContext) @protobuf(15,bytes,opt)
+	securityContext?: #SecurityContext @go(SecurityContext,*SecurityContext) @protobuf(15,bytes,opt)
 
 	// Whether this container should allocate a buffer for stdin in the container runtime. If this
 	// is not set, reads from stdin in the container will always result in EOF.
@@ -3982,7 +3982,7 @@ import (
 	// SecurityContext holds pod-level security attributes and common container settings.
 	// Optional: Defaults to empty.  See type description for default values of each field.
 	// +optional
-	securityContext?: null | #PodSecurityContext @go(SecurityContext,*PodSecurityContext) @protobuf(14,bytes,opt)
+	securityContext?: #PodSecurityContext @go(SecurityContext,*PodSecurityContext) @protobuf(14,bytes,opt)
 
 	// ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec.
 	// If specified, these secrets will be passed to individual puller implementations for them to use.

docs/examples/cue.mod/gen/monitoring.coreos.com/podmonitor/v1/types_gen.cue

@@ -0,0 +1,546 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-platform-monitoring/prod-platform-monitoring.gen.yaml
+
+package v1
+
+import "strings"
+
+// PodMonitor defines monitoring for a set of pods.
+#PodMonitor: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "monitoring.coreos.com/v1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "PodMonitor"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// Specification of desired Pod selection for target discovery by
+	// Prometheus.
+	spec!: #PodMonitorSpec
+}
+
+// Specification of desired Pod selection for target discovery by
+// Prometheus.
+#PodMonitorSpec: {
+	attachMetadata?: {
+		// When set to true, Prometheus must have the `get` permission on
+		// the `Nodes` objects.
+		node?: bool
+	}
+
+	// The label to use to retrieve the job name from. `jobLabel`
+	// selects the label from the associated Kubernetes `Pod` object
+	// which will be used as the `job` label for all metrics.
+	// For example if `jobLabel` is set to `foo` and the Kubernetes
+	// `Pod` object is labeled with `foo: bar`, then Prometheus adds
+	// the `job="bar"` label to all ingested metrics.
+	// If the value of this field is empty, the `job` label of the
+	// metrics defaults to the namespace and name of the PodMonitor
+	// object (e.g. `<namespace>/<name>`).
+	jobLabel?: string
+
+	// Per-scrape limit on the number of targets dropped by relabeling
+	// that will be kept in memory. 0 means no limit.
+	// It requires Prometheus >= v2.47.0.
+	keepDroppedTargets?: int
+
+	// Per-scrape limit on number of labels that will be accepted for
+	// a sample.
+	// It requires Prometheus >= v2.27.0.
+	labelLimit?: int
+
+	// Per-scrape limit on length of labels name that will be accepted
+	// for a sample.
+	// It requires Prometheus >= v2.27.0.
+	labelNameLengthLimit?: int
+
+	// Per-scrape limit on length of labels value that will be
+	// accepted for a sample.
+	// It requires Prometheus >= v2.27.0.
+	labelValueLengthLimit?: int
+
+	// Selector to select which namespaces the Kubernetes `Pods`
+	// objects are discovered from.
+	namespaceSelector?: {
+		// Boolean describing whether all namespaces are selected in
+		// contrast to a list restricting them.
+		any?: bool
+
+		// List of namespace names to select from.
+		matchNames?: [...string]
+	}
+
+	// List of endpoints part of this PodMonitor.
+	podMetricsEndpoints?: [...{
+		// `authorization` configures the Authorization header credentials
+		// to use when scraping the target.
+		// Cannot be set at the same time as `basicAuth`, or `oauth2`.
+		authorization?: {
+			// Selects a key of a Secret in the namespace that contains the
+			// credentials for authentication.
+			credentials?: {
+				// The key of the secret to select from. Must be a valid secret
+				// key.
+				key: string
+
+				// Name of the referent. More info:
+				// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+				// TODO: Add other useful fields. apiVersion, kind, uid?
+				name?: string
+
+				// Specify whether the Secret or its key must be defined
+				optional?: bool
+			}
+
+			// Defines the authentication type. The value is case-insensitive.
+			// "Basic" is not a supported value.
+			// Default: "Bearer"
+			type?: string
+		}
+
+		// `basicAuth` configures the Basic Authentication credentials to
+		// use when scraping the target.
+		// Cannot be set at the same time as `authorization`, or `oauth2`.
+		basicAuth?: {
+			// `password` specifies a key of a Secret containing the password
+			// for authentication.
+			password?: {
+				// The key of the secret to select from. Must be a valid secret
+				// key.
+				key: string
+
+				// Name of the referent. More info:
+				// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+				// TODO: Add other useful fields. apiVersion, kind, uid?
+				name?: string
+
+				// Specify whether the Secret or its key must be defined
+				optional?: bool
+			}
+
+			// `username` specifies a key of a Secret containing the username
+			// for authentication.
+			username?: {
+				// The key of the secret to select from. Must be a valid secret
+				// key.
+				key: string
+
+				// Name of the referent. More info:
+				// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+				// TODO: Add other useful fields. apiVersion, kind, uid?
+				name?: string
+
+				// Specify whether the Secret or its key must be defined
+				optional?: bool
+			}
+		}
+
+		// `bearerTokenSecret` specifies a key of a Secret containing the
+		// bearer token for scraping targets. The secret needs to be in
+		// the same namespace as the PodMonitor object and readable by
+		// the Prometheus Operator.
+		// Deprecated: use `authorization` instead.
+		bearerTokenSecret?: {
+			// The key of the secret to select from. Must be a valid secret
+			// key.
+			key: string
+
+			// Name of the referent. More info:
+			// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+			// TODO: Add other useful fields. apiVersion, kind, uid?
+			name?: string
+
+			// Specify whether the Secret or its key must be defined
+			optional?: bool
+		}
+
+		// `enableHttp2` can be used to disable HTTP2 when scraping the
+		// target.
+		enableHttp2?: bool
+
+		// When true, the pods which are not running (e.g. either in
+		// Failed or Succeeded state) are dropped during the target
+		// discovery.
+		// If unset, the filtering is enabled.
+		// More info:
+		// https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-phase
+		filterRunning?: bool
+
+		// `followRedirects` defines whether the scrape requests should
+		// follow HTTP 3xx redirects.
+		followRedirects?: bool
+
+		// When true, `honorLabels` preserves the metric's labels when
+		// they collide with the target's labels.
+		honorLabels?: bool
+
+		// `honorTimestamps` controls whether Prometheus preserves the
+		// timestamps when exposed by the target.
+		honorTimestamps?: bool
+
+		// Interval at which Prometheus scrapes the metrics from the
+		// target.
+		// If empty, Prometheus uses the global scrape interval.
+		interval?: =~"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"
+
+		// `metricRelabelings` configures the relabeling rules to apply to
+		// the samples before ingestion.
+		metricRelabelings?: [...{
+			// Action to perform based on the regex matching.
+			// `Uppercase` and `Lowercase` actions require Prometheus >=
+			// v2.36.0. `DropEqual` and `KeepEqual` actions require
+			// Prometheus >= v2.41.0.
+			// Default: "Replace"
+			action?: "replace" | "Replace" | "keep" | "Keep" | "drop" | "Drop" | "hashmod" | "HashMod" | "labelmap" | "LabelMap" | "labeldrop" | "LabelDrop" | "labelkeep" | "LabelKeep" | "lowercase" | "Lowercase" | "uppercase" | "Uppercase" | "keepequal" | "KeepEqual" | "dropequal" | "DropEqual" | *"replace"
+
+			// Modulus to take of the hash of the source label values.
+			// Only applicable when the action is `HashMod`.
+			modulus?: int
+
+			// Regular expression against which the extracted value is
+			// matched.
+			regex?: string
+
+			// Replacement value against which a Replace action is performed
+			// if the regular expression matches.
+			// Regex capture groups are available.
+			replacement?: string
+
+			// Separator is the string between concatenated SourceLabels.
+			separator?: string
+
+			// The source labels select values from existing labels. Their
+			// content is concatenated using the configured Separator and
+			// matched against the configured regular expression.
+			sourceLabels?: [...=~"^[a-zA-Z_][a-zA-Z0-9_]*$"]
+
+			// Label to which the resulting string is written in a
+			// replacement.
+			// It is mandatory for `Replace`, `HashMod`, `Lowercase`,
+			// `Uppercase`, `KeepEqual` and `DropEqual` actions.
+			// Regex capture groups are available.
+			targetLabel?: string
+		}]
+
+		// `oauth2` configures the OAuth2 settings to use when scraping
+		// the target.
+		// It requires Prometheus >= 2.27.0.
+		// Cannot be set at the same time as `authorization`, or
+		// `basicAuth`.
+		oauth2?: {
+			// `clientId` specifies a key of a Secret or ConfigMap containing
+			// the OAuth2 client's ID.
+			clientId: {
+				// ConfigMap containing data to use for the targets.
+				configMap?: {
+					// The key to select.
+					key: string
+
+					// Name of the referent. More info:
+					// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+					// TODO: Add other useful fields. apiVersion, kind, uid?
+					name?: string
+
+					// Specify whether the ConfigMap or its key must be defined
+					optional?: bool
+				}
+
+				// Secret containing data to use for the targets.
+				secret?: {
+					// The key of the secret to select from. Must be a valid secret
+					// key.
+					key: string
+
+					// Name of the referent. More info:
+					// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+					// TODO: Add other useful fields. apiVersion, kind, uid?
+					name?: string
+
+					// Specify whether the Secret or its key must be defined
+					optional?: bool
+				}
+			}
+
+			// `clientSecret` specifies a key of a Secret containing the
+			// OAuth2 client's secret.
+			clientSecret: {
+				// The key of the secret to select from. Must be a valid secret
+				// key.
+				key: string
+
+				// Name of the referent. More info:
+				// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+				// TODO: Add other useful fields. apiVersion, kind, uid?
+				name?: string
+
+				// Specify whether the Secret or its key must be defined
+				optional?: bool
+			}
+
+			// `endpointParams` configures the HTTP parameters to append to
+			// the token URL.
+			endpointParams?: {
+				[string]: string
+			}
+
+			// `scopes` defines the OAuth2 scopes used for the token request.
+			scopes?: [...string]
+
+			// `tokenURL` configures the URL to fetch the token from.
+			tokenUrl: strings.MinRunes(1)
+		}
+
+		// `params` define optional HTTP URL parameters.
+		params?: {
+			[string]: [...string]
+		}
+
+		// HTTP path from which to scrape for metrics.
+		// If empty, Prometheus uses the default value (e.g. `/metrics`).
+		path?: string
+
+		// Name of the Pod port which this endpoint refers to.
+		// It takes precedence over `targetPort`.
+		port?: string
+
+		// `proxyURL` configures the HTTP Proxy URL (e.g.
+		// "http://proxyserver:2195") to go through when scraping the
+		// target.
+		proxyUrl?: string
+
+		// `relabelings` configures the relabeling rules to apply the
+		// target's metadata labels.
+		// The Operator automatically adds relabelings for a few standard
+		// Kubernetes fields.
+		// The original scrape job's name is available via the
+		// `__tmp_prometheus_job_name` label.
+		// More info:
+		// https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config
+		relabelings?: [...{
+			// Action to perform based on the regex matching.
+			// `Uppercase` and `Lowercase` actions require Prometheus >=
+			// v2.36.0. `DropEqual` and `KeepEqual` actions require
+			// Prometheus >= v2.41.0.
+			// Default: "Replace"
+			action?: "replace" | "Replace" | "keep" | "Keep" | "drop" | "Drop" | "hashmod" | "HashMod" | "labelmap" | "LabelMap" | "labeldrop" | "LabelDrop" | "labelkeep" | "LabelKeep" | "lowercase" | "Lowercase" | "uppercase" | "Uppercase" | "keepequal" | "KeepEqual" | "dropequal" | "DropEqual" | *"replace"
+
+			// Modulus to take of the hash of the source label values.
+			// Only applicable when the action is `HashMod`.
+			modulus?: int
+
+			// Regular expression against which the extracted value is
+			// matched.
+			regex?: string
+
+			// Replacement value against which a Replace action is performed
+			// if the regular expression matches.
+			// Regex capture groups are available.
+			replacement?: string
+
+			// Separator is the string between concatenated SourceLabels.
+			separator?: string
+
+			// The source labels select values from existing labels. Their
+			// content is concatenated using the configured Separator and
+			// matched against the configured regular expression.
+			sourceLabels?: [...=~"^[a-zA-Z_][a-zA-Z0-9_]*$"]
+
+			// Label to which the resulting string is written in a
+			// replacement.
+			// It is mandatory for `Replace`, `HashMod`, `Lowercase`,
+			// `Uppercase`, `KeepEqual` and `DropEqual` actions.
+			// Regex capture groups are available.
+			targetLabel?: string
+		}]
+
+		// HTTP scheme to use for scraping.
+		// `http` and `https` are the expected values unless you rewrite
+		// the `__scheme__` label via relabeling.
+		// If empty, Prometheus uses the default value `http`.
+		scheme?: "http" | "https"
+
+		// Timeout after which Prometheus considers the scrape to be
+		// failed.
+		// If empty, Prometheus uses the global scrape timeout unless it
+		// is less than the target's scrape interval value in which the
+		// latter is used.
+		scrapeTimeout?: =~"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"
+
+		// Name or number of the target port of the `Pod` object behind
+		// the Service, the port must be specified with container port
+		// property.
+		// Deprecated: use 'port' instead.
+		targetPort?: (int | string) & {
+			string
+		}
+
+		// TLS configuration to use when scraping the target.
+		tlsConfig?: {
+			// Certificate authority used when verifying server certificates.
+			ca?: {
+				// ConfigMap containing data to use for the targets.
+				configMap?: {
+					// The key to select.
+					key: string
+
+					// Name of the referent. More info:
+					// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+					// TODO: Add other useful fields. apiVersion, kind, uid?
+					name?: string
+
+					// Specify whether the ConfigMap or its key must be defined
+					optional?: bool
+				}
+
+				// Secret containing data to use for the targets.
+				secret?: {
+					// The key of the secret to select from. Must be a valid secret
+					// key.
+					key: string
+
+					// Name of the referent. More info:
+					// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+					// TODO: Add other useful fields. apiVersion, kind, uid?
+					name?: string
+
+					// Specify whether the Secret or its key must be defined
+					optional?: bool
+				}
+			}
+
+			// Client certificate to present when doing client-authentication.
+			cert?: {
+				// ConfigMap containing data to use for the targets.
+				configMap?: {
+					// The key to select.
+					key: string
+
+					// Name of the referent. More info:
+					// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+					// TODO: Add other useful fields. apiVersion, kind, uid?
+					name?: string
+
+					// Specify whether the ConfigMap or its key must be defined
+					optional?: bool
+				}
+
+				// Secret containing data to use for the targets.
+				secret?: {
+					// The key of the secret to select from. Must be a valid secret
+					// key.
+					key: string
+
+					// Name of the referent. More info:
+					// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+					// TODO: Add other useful fields. apiVersion, kind, uid?
+					name?: string
+
+					// Specify whether the Secret or its key must be defined
+					optional?: bool
+				}
+			}
+
+			// Disable target certificate validation.
+			insecureSkipVerify?: bool
+
+			// Secret containing the client key file for the targets.
+			keySecret?: {
+				// The key of the secret to select from. Must be a valid secret
+				// key.
+				key: string
+
+				// Name of the referent. More info:
+				// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+				// TODO: Add other useful fields. apiVersion, kind, uid?
+				name?: string
+
+				// Specify whether the Secret or its key must be defined
+				optional?: bool
+			}
+
+			// Used to verify the hostname for the targets.
+			serverName?: string
+		}
+
+		// `trackTimestampsStaleness` defines whether Prometheus tracks
+		// staleness of the metrics that have an explicit timestamp
+		// present in scraped data. Has no effect if `honorTimestamps` is
+		// false.
+		// It requires Prometheus >= v2.48.0.
+		trackTimestampsStaleness?: bool
+	}]
+
+	// `podTargetLabels` defines the labels which are transferred from
+	// the associated Kubernetes `Pod` object onto the ingested
+	// metrics.
+	podTargetLabels?: [...string]
+
+	// `sampleLimit` defines a per-scrape limit on the number of
+	// scraped samples that will be accepted.
+	sampleLimit?: int
+
+	// The scrape class to apply.
+	scrapeClass?: strings.MinRunes(1)
+
+	// `scrapeProtocols` defines the protocols to negotiate during a
+	// scrape. It tells clients the protocols supported by Prometheus
+	// in order of preference (from most to least preferred).
+	// If unset, Prometheus uses its default value.
+	// It requires Prometheus >= v2.49.0.
+	scrapeProtocols?: [..."PrometheusProto" | "OpenMetricsText0.0.1" | "OpenMetricsText1.0.0" | "PrometheusText0.0.4"]
+
+	// Label selector to select the Kubernetes `Pod` objects.
+	selector: {
+		// matchExpressions is a list of label selector requirements. The
+		// requirements are ANDed.
+		matchExpressions?: [...{
+			// key is the label key that the selector applies to.
+			key: string
+
+			// operator represents a key's relationship to a set of values.
+			// Valid operators are In, NotIn, Exists and DoesNotExist.
+			operator: string
+
+			// values is an array of string values. If the operator is In or
+			// NotIn, the values array must be non-empty. If the operator is
+			// Exists or DoesNotExist, the values array must be empty. This
+			// array is replaced during a strategic merge patch.
+			values?: [...string]
+		}]
+
+		// matchLabels is a map of {key,value} pairs. A single {key,value}
+		// in the matchLabels map is equivalent to an element of
+		// matchExpressions, whose key field is "key", the operator is
+		// "In", and the values array contains only "value". The
+		// requirements are ANDed.
+		matchLabels?: {
+			[string]: string
+		}
+	}
+
+	// `targetLimit` defines a limit on the number of scraped targets
+	// that will be accepted.
+	targetLimit?: int
+}

docs/examples/cue.mod/gen/monitoring.coreos.com/probe/v1/types_gen.cue

@@ -0,0 +1,536 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-platform-monitoring/prod-platform-monitoring.gen.yaml
+
+package v1
+
+import "strings"
+
+// Probe defines monitoring for a set of static targets or
+// ingresses.
+#Probe: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "monitoring.coreos.com/v1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Probe"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// Specification of desired Ingress selection for target discovery
+	// by Prometheus.
+	spec!: #ProbeSpec
+}
+
+// Specification of desired Ingress selection for target discovery
+// by Prometheus.
+#ProbeSpec: {
+	// Authorization section for this endpoint
+	authorization?: {
+		// Selects a key of a Secret in the namespace that contains the
+		// credentials for authentication.
+		credentials?: {
+			// The key of the secret to select from. Must be a valid secret
+			// key.
+			key: string
+
+			// Name of the referent. More info:
+			// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+			// TODO: Add other useful fields. apiVersion, kind, uid?
+			name?: string
+
+			// Specify whether the Secret or its key must be defined
+			optional?: bool
+		}
+
+		// Defines the authentication type. The value is case-insensitive.
+		// "Basic" is not a supported value.
+		// Default: "Bearer"
+		type?: string
+	}
+
+	// BasicAuth allow an endpoint to authenticate over basic
+	// authentication. More info:
+	// https://prometheus.io/docs/operating/configuration/#endpoint
+	basicAuth?: {
+		// `password` specifies a key of a Secret containing the password
+		// for authentication.
+		password?: {
+			// The key of the secret to select from. Must be a valid secret
+			// key.
+			key: string
+
+			// Name of the referent. More info:
+			// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+			// TODO: Add other useful fields. apiVersion, kind, uid?
+			name?: string
+
+			// Specify whether the Secret or its key must be defined
+			optional?: bool
+		}
+
+		// `username` specifies a key of a Secret containing the username
+		// for authentication.
+		username?: {
+			// The key of the secret to select from. Must be a valid secret
+			// key.
+			key: string
+
+			// Name of the referent. More info:
+			// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+			// TODO: Add other useful fields. apiVersion, kind, uid?
+			name?: string
+
+			// Specify whether the Secret or its key must be defined
+			optional?: bool
+		}
+	}
+
+	// Secret to mount to read bearer token for scraping targets. The
+	// secret needs to be in the same namespace as the probe and
+	// accessible by the Prometheus Operator.
+	bearerTokenSecret?: {
+		// The key of the secret to select from. Must be a valid secret
+		// key.
+		key: string
+
+		// Name of the referent. More info:
+		// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+		// TODO: Add other useful fields. apiVersion, kind, uid?
+		name?: string
+
+		// Specify whether the Secret or its key must be defined
+		optional?: bool
+	}
+
+	// Interval at which targets are probed using the configured
+	// prober. If not specified Prometheus' global scrape interval is
+	// used.
+	interval?: =~"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"
+
+	// The job name assigned to scraped metrics by default.
+	jobName?: string
+
+	// Per-scrape limit on the number of targets dropped by relabeling
+	// that will be kept in memory. 0 means no limit.
+	// It requires Prometheus >= v2.47.0.
+	keepDroppedTargets?: int
+
+	// Per-scrape limit on number of labels that will be accepted for
+	// a sample. Only valid in Prometheus versions 2.27.0 and newer.
+	labelLimit?: int
+
+	// Per-scrape limit on length of labels name that will be accepted
+	// for a sample. Only valid in Prometheus versions 2.27.0 and
+	// newer.
+	labelNameLengthLimit?: int
+
+	// Per-scrape limit on length of labels value that will be
+	// accepted for a sample. Only valid in Prometheus versions
+	// 2.27.0 and newer.
+	labelValueLengthLimit?: int
+
+	// MetricRelabelConfigs to apply to samples before ingestion.
+	metricRelabelings?: [...{
+		// Action to perform based on the regex matching.
+		// `Uppercase` and `Lowercase` actions require Prometheus >=
+		// v2.36.0. `DropEqual` and `KeepEqual` actions require
+		// Prometheus >= v2.41.0.
+		// Default: "Replace"
+		action?: "replace" | "Replace" | "keep" | "Keep" | "drop" | "Drop" | "hashmod" | "HashMod" | "labelmap" | "LabelMap" | "labeldrop" | "LabelDrop" | "labelkeep" | "LabelKeep" | "lowercase" | "Lowercase" | "uppercase" | "Uppercase" | "keepequal" | "KeepEqual" | "dropequal" | "DropEqual" | *"replace"
+
+		// Modulus to take of the hash of the source label values.
+		// Only applicable when the action is `HashMod`.
+		modulus?: int
+
+		// Regular expression against which the extracted value is
+		// matched.
+		regex?: string
+
+		// Replacement value against which a Replace action is performed
+		// if the regular expression matches.
+		// Regex capture groups are available.
+		replacement?: string
+
+		// Separator is the string between concatenated SourceLabels.
+		separator?: string
+
+		// The source labels select values from existing labels. Their
+		// content is concatenated using the configured Separator and
+		// matched against the configured regular expression.
+		sourceLabels?: [...=~"^[a-zA-Z_][a-zA-Z0-9_]*$"]
+
+		// Label to which the resulting string is written in a
+		// replacement.
+		// It is mandatory for `Replace`, `HashMod`, `Lowercase`,
+		// `Uppercase`, `KeepEqual` and `DropEqual` actions.
+		// Regex capture groups are available.
+		targetLabel?: string
+	}]
+
+	// The module to use for probing specifying how to probe the
+	// target. Example module configuring in the blackbox exporter:
+	// https://github.com/prometheus/blackbox_exporter/blob/master/example.yml
+	module?: string
+
+	// OAuth2 for the URL. Only valid in Prometheus versions 2.27.0
+	// and newer.
+	oauth2?: {
+		// `clientId` specifies a key of a Secret or ConfigMap containing
+		// the OAuth2 client's ID.
+		clientId: {
+			// ConfigMap containing data to use for the targets.
+			configMap?: {
+				// The key to select.
+				key: string
+
+				// Name of the referent. More info:
+				// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+				// TODO: Add other useful fields. apiVersion, kind, uid?
+				name?: string
+
+				// Specify whether the ConfigMap or its key must be defined
+				optional?: bool
+			}
+
+			// Secret containing data to use for the targets.
+			secret?: {
+				// The key of the secret to select from. Must be a valid secret
+				// key.
+				key: string
+
+				// Name of the referent. More info:
+				// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+				// TODO: Add other useful fields. apiVersion, kind, uid?
+				name?: string
+
+				// Specify whether the Secret or its key must be defined
+				optional?: bool
+			}
+		}
+
+		// `clientSecret` specifies a key of a Secret containing the
+		// OAuth2 client's secret.
+		clientSecret: {
+			// The key of the secret to select from. Must be a valid secret
+			// key.
+			key: string
+
+			// Name of the referent. More info:
+			// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+			// TODO: Add other useful fields. apiVersion, kind, uid?
+			name?: string
+
+			// Specify whether the Secret or its key must be defined
+			optional?: bool
+		}
+
+		// `endpointParams` configures the HTTP parameters to append to
+		// the token URL.
+		endpointParams?: {
+			[string]: string
+		}
+
+		// `scopes` defines the OAuth2 scopes used for the token request.
+		scopes?: [...string]
+
+		// `tokenURL` configures the URL to fetch the token from.
+		tokenUrl: strings.MinRunes(1)
+	}
+
+	// Specification for the prober to use for probing targets. The
+	// prober.URL parameter is required. Targets cannot be probed if
+	// left empty.
+	prober?: {
+		// Path to collect metrics from. Defaults to `/probe`.
+		path?: string | *"/probe"
+
+		// Optional ProxyURL.
+		proxyUrl?: string
+
+		// HTTP scheme to use for scraping. `http` and `https` are the
+		// expected values unless you rewrite the `__scheme__` label via
+		// relabeling. If empty, Prometheus uses the default value
+		// `http`.
+		scheme?: "http" | "https"
+
+		// Mandatory URL of the prober.
+		url: string
+	}
+
+	// SampleLimit defines per-scrape limit on number of scraped
+	// samples that will be accepted.
+	sampleLimit?: int
+
+	// The scrape class to apply.
+	scrapeClass?: strings.MinRunes(1)
+
+	// `scrapeProtocols` defines the protocols to negotiate during a
+	// scrape. It tells clients the protocols supported by Prometheus
+	// in order of preference (from most to least preferred).
+	// If unset, Prometheus uses its default value.
+	// It requires Prometheus >= v2.49.0.
+	scrapeProtocols?: [..."PrometheusProto" | "OpenMetricsText0.0.1" | "OpenMetricsText1.0.0" | "PrometheusText0.0.4"]
+
+	// Timeout for scraping metrics from the Prometheus exporter. If
+	// not specified, the Prometheus global scrape timeout is used.
+	scrapeTimeout?: =~"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"
+
+	// TargetLimit defines a limit on the number of scraped targets
+	// that will be accepted.
+	targetLimit?: int
+
+	// Targets defines a set of static or dynamically discovered
+	// targets to probe.
+	targets?: {
+		// ingress defines the Ingress objects to probe and the relabeling
+		// configuration. If `staticConfig` is also defined,
+		// `staticConfig` takes precedence.
+		ingress?: {
+			// From which namespaces to select Ingress objects.
+			namespaceSelector?: {
+				// Boolean describing whether all namespaces are selected in
+				// contrast to a list restricting them.
+				any?: bool
+
+				// List of namespace names to select from.
+				matchNames?: [...string]
+			}
+
+			// RelabelConfigs to apply to the label set of the target before
+			// it gets scraped. The original ingress address is available via
+			// the `__tmp_prometheus_ingress_address` label. It can be used
+			// to customize the probed URL. The original scrape job's name is
+			// available via the `__tmp_prometheus_job_name` label. More
+			// info:
+			// https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config
+			relabelingConfigs?: [...{
+				// Action to perform based on the regex matching.
+				// `Uppercase` and `Lowercase` actions require Prometheus >=
+				// v2.36.0. `DropEqual` and `KeepEqual` actions require
+				// Prometheus >= v2.41.0.
+				// Default: "Replace"
+				action?: "replace" | "Replace" | "keep" | "Keep" | "drop" | "Drop" | "hashmod" | "HashMod" | "labelmap" | "LabelMap" | "labeldrop" | "LabelDrop" | "labelkeep" | "LabelKeep" | "lowercase" | "Lowercase" | "uppercase" | "Uppercase" | "keepequal" | "KeepEqual" | "dropequal" | "DropEqual" | *"replace"
+
+				// Modulus to take of the hash of the source label values.
+				// Only applicable when the action is `HashMod`.
+				modulus?: int
+
+				// Regular expression against which the extracted value is
+				// matched.
+				regex?: string
+
+				// Replacement value against which a Replace action is performed
+				// if the regular expression matches.
+				// Regex capture groups are available.
+				replacement?: string
+
+				// Separator is the string between concatenated SourceLabels.
+				separator?: string
+
+				// The source labels select values from existing labels. Their
+				// content is concatenated using the configured Separator and
+				// matched against the configured regular expression.
+				sourceLabels?: [...=~"^[a-zA-Z_][a-zA-Z0-9_]*$"]
+
+				// Label to which the resulting string is written in a
+				// replacement.
+				// It is mandatory for `Replace`, `HashMod`, `Lowercase`,
+				// `Uppercase`, `KeepEqual` and `DropEqual` actions.
+				// Regex capture groups are available.
+				targetLabel?: string
+			}]
+
+			// Selector to select the Ingress objects.
+			selector?: {
+				// matchExpressions is a list of label selector requirements. The
+				// requirements are ANDed.
+				matchExpressions?: [...{
+					// key is the label key that the selector applies to.
+					key: string
+
+					// operator represents a key's relationship to a set of values.
+					// Valid operators are In, NotIn, Exists and DoesNotExist.
+					operator: string
+
+					// values is an array of string values. If the operator is In or
+					// NotIn, the values array must be non-empty. If the operator is
+					// Exists or DoesNotExist, the values array must be empty. This
+					// array is replaced during a strategic merge patch.
+					values?: [...string]
+				}]
+
+				// matchLabels is a map of {key,value} pairs. A single {key,value}
+				// in the matchLabels map is equivalent to an element of
+				// matchExpressions, whose key field is "key", the operator is
+				// "In", and the values array contains only "value". The
+				// requirements are ANDed.
+				matchLabels?: {
+					[string]: string
+				}
+			}
+		}
+
+		// staticConfig defines the static list of targets to probe and
+		// the relabeling configuration. If `ingress` is also defined,
+		// `staticConfig` takes precedence. More info:
+		// https://prometheus.io/docs/prometheus/latest/configuration/configuration/#static_config.
+		staticConfig?: {
+			// Labels assigned to all metrics scraped from the targets.
+			labels?: {
+				[string]: string
+			}
+
+			// RelabelConfigs to apply to the label set of the targets before
+			// it gets scraped. More info:
+			// https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config
+			relabelingConfigs?: [...{
+				// Action to perform based on the regex matching.
+				// `Uppercase` and `Lowercase` actions require Prometheus >=
+				// v2.36.0. `DropEqual` and `KeepEqual` actions require
+				// Prometheus >= v2.41.0.
+				// Default: "Replace"
+				action?: "replace" | "Replace" | "keep" | "Keep" | "drop" | "Drop" | "hashmod" | "HashMod" | "labelmap" | "LabelMap" | "labeldrop" | "LabelDrop" | "labelkeep" | "LabelKeep" | "lowercase" | "Lowercase" | "uppercase" | "Uppercase" | "keepequal" | "KeepEqual" | "dropequal" | "DropEqual" | *"replace"
+
+				// Modulus to take of the hash of the source label values.
+				// Only applicable when the action is `HashMod`.
+				modulus?: int
+
+				// Regular expression against which the extracted value is
+				// matched.
+				regex?: string
+
+				// Replacement value against which a Replace action is performed
+				// if the regular expression matches.
+				// Regex capture groups are available.
+				replacement?: string
+
+				// Separator is the string between concatenated SourceLabels.
+				separator?: string
+
+				// The source labels select values from existing labels. Their
+				// content is concatenated using the configured Separator and
+				// matched against the configured regular expression.
+				sourceLabels?: [...=~"^[a-zA-Z_][a-zA-Z0-9_]*$"]
+
+				// Label to which the resulting string is written in a
+				// replacement.
+				// It is mandatory for `Replace`, `HashMod`, `Lowercase`,
+				// `Uppercase`, `KeepEqual` and `DropEqual` actions.
+				// Regex capture groups are available.
+				targetLabel?: string
+			}]
+
+			// The list of hosts to probe.
+			static?: [...string]
+		}
+	}
+
+	// TLS configuration to use when scraping the endpoint.
+	tlsConfig?: {
+		// Certificate authority used when verifying server certificates.
+		ca?: {
+			// ConfigMap containing data to use for the targets.
+			configMap?: {
+				// The key to select.
+				key: string
+
+				// Name of the referent. More info:
+				// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+				// TODO: Add other useful fields. apiVersion, kind, uid?
+				name?: string
+
+				// Specify whether the ConfigMap or its key must be defined
+				optional?: bool
+			}
+
+			// Secret containing data to use for the targets.
+			secret?: {
+				// The key of the secret to select from. Must be a valid secret
+				// key.
+				key: string
+
+				// Name of the referent. More info:
+				// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+				// TODO: Add other useful fields. apiVersion, kind, uid?
+				name?: string
+
+				// Specify whether the Secret or its key must be defined
+				optional?: bool
+			}
+		}
+
+		// Client certificate to present when doing client-authentication.
+		cert?: {
+			// ConfigMap containing data to use for the targets.
+			configMap?: {
+				// The key to select.
+				key: string
+
+				// Name of the referent. More info:
+				// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+				// TODO: Add other useful fields. apiVersion, kind, uid?
+				name?: string
+
+				// Specify whether the ConfigMap or its key must be defined
+				optional?: bool
+			}
+
+			// Secret containing data to use for the targets.
+			secret?: {
+				// The key of the secret to select from. Must be a valid secret
+				// key.
+				key: string
+
+				// Name of the referent. More info:
+				// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+				// TODO: Add other useful fields. apiVersion, kind, uid?
+				name?: string
+
+				// Specify whether the Secret or its key must be defined
+				optional?: bool
+			}
+		}
+
+		// Disable target certificate validation.
+		insecureSkipVerify?: bool
+
+		// Secret containing the client key file for the targets.
+		keySecret?: {
+			// The key of the secret to select from. Must be a valid secret
+			// key.
+			key: string
+
+			// Name of the referent. More info:
+			// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+			// TODO: Add other useful fields. apiVersion, kind, uid?
+			name?: string
+
+			// Specify whether the Secret or its key must be defined
+			optional?: bool
+		}
+
+		// Used to verify the hostname for the targets.
+		serverName?: string
+	}
+}

docs/examples/cue.mod/gen/monitoring.coreos.com/prometheusrule/v1/types_gen.cue

@@ -0,0 +1,100 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-platform-monitoring/prod-platform-monitoring.gen.yaml
+
+package v1
+
+import "strings"
+
+// PrometheusRule defines recording and alerting rules for a
+// Prometheus instance
+#PrometheusRule: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "monitoring.coreos.com/v1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "PrometheusRule"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// Specification of desired alerting rule definitions for
+	// Prometheus.
+	spec!: #PrometheusRuleSpec
+}
+#PrometheusRuleSpec: {
+	// Content of Prometheus rule file
+	groups?: [...{
+		// Interval determines how often rules in the group are evaluated.
+		interval?: =~"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"
+
+		// Limit the number of alerts an alerting rule and series a
+		// recording rule can produce. Limit is supported starting with
+		// Prometheus >= 2.31 and Thanos Ruler >= 0.24.
+		limit?: int
+
+		// Name of the rule group.
+		name: strings.MinRunes(1)
+
+		// PartialResponseStrategy is only used by ThanosRuler and will be
+		// ignored by Prometheus instances. More info:
+		// https://github.com/thanos-io/thanos/blob/main/docs/components/rule.md#partial-response
+		partial_response_strategy?: =~"^(?i)(abort|warn)?$"
+
+		// List of alerting and recording rules.
+		rules?: [...{
+			// Name of the alert. Must be a valid label value. Only one of
+			// `record` and `alert` must be set.
+			alert?: string
+
+			// Annotations to add to each alert. Only valid for alerting
+			// rules.
+			annotations?: {
+				[string]: string
+			}
+
+			// PromQL expression to evaluate.
+			expr: (int | string) & {
+				string
+			}
+
+			// Alerts are considered firing once they have been returned for
+			// this long.
+			for?: =~"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"
+
+			// KeepFiringFor defines how long an alert will continue firing
+			// after the condition that triggered it has cleared.
+			keep_firing_for?: strings.MinRunes(1) & {
+				=~"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"
+			}
+
+			// Labels to add or overwrite.
+			labels?: {
+				[string]: string
+			}
+
+			// Name of the time series to output to. Must be a valid metric
+			// name. Only one of `record` and `alert` must be set.
+			record?: string
+		}]
+	}]
+}

docs/examples/cue.mod/gen/monitoring.coreos.com/servicemonitor/v1/types_gen.cue

@@ -0,0 +1,566 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-platform-monitoring/prod-platform-monitoring.gen.yaml
+
+package v1
+
+import "strings"
+
+// ServiceMonitor defines monitoring for a set of services.
+#ServiceMonitor: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "monitoring.coreos.com/v1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "ServiceMonitor"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// Specification of desired Service selection for target discovery
+	// by Prometheus.
+	spec!: #ServiceMonitorSpec
+}
+
+// Specification of desired Service selection for target discovery
+// by Prometheus.
+#ServiceMonitorSpec: {
+	attachMetadata?: {
+		// When set to true, Prometheus must have the `get` permission on
+		// the `Nodes` objects.
+		node?: bool
+	}
+
+	// List of endpoints part of this ServiceMonitor.
+	endpoints?: [...{
+		// `authorization` configures the Authorization header credentials
+		// to use when scraping the target.
+		// Cannot be set at the same time as `basicAuth`, or `oauth2`.
+		authorization?: {
+			// Selects a key of a Secret in the namespace that contains the
+			// credentials for authentication.
+			credentials?: {
+				// The key of the secret to select from. Must be a valid secret
+				// key.
+				key: string
+
+				// Name of the referent. More info:
+				// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+				// TODO: Add other useful fields. apiVersion, kind, uid?
+				name?: string
+
+				// Specify whether the Secret or its key must be defined
+				optional?: bool
+			}
+
+			// Defines the authentication type. The value is case-insensitive.
+			// "Basic" is not a supported value.
+			// Default: "Bearer"
+			type?: string
+		}
+
+		// `basicAuth` configures the Basic Authentication credentials to
+		// use when scraping the target.
+		// Cannot be set at the same time as `authorization`, or `oauth2`.
+		basicAuth?: {
+			// `password` specifies a key of a Secret containing the password
+			// for authentication.
+			password?: {
+				// The key of the secret to select from. Must be a valid secret
+				// key.
+				key: string
+
+				// Name of the referent. More info:
+				// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+				// TODO: Add other useful fields. apiVersion, kind, uid?
+				name?: string
+
+				// Specify whether the Secret or its key must be defined
+				optional?: bool
+			}
+
+			// `username` specifies a key of a Secret containing the username
+			// for authentication.
+			username?: {
+				// The key of the secret to select from. Must be a valid secret
+				// key.
+				key: string
+
+				// Name of the referent. More info:
+				// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+				// TODO: Add other useful fields. apiVersion, kind, uid?
+				name?: string
+
+				// Specify whether the Secret or its key must be defined
+				optional?: bool
+			}
+		}
+
+		// File to read bearer token for scraping the target.
+		// Deprecated: use `authorization` instead.
+		bearerTokenFile?: string
+
+		// `bearerTokenSecret` specifies a key of a Secret containing the
+		// bearer token for scraping targets. The secret needs to be in
+		// the same namespace as the ServiceMonitor object and readable
+		// by the Prometheus Operator.
+		// Deprecated: use `authorization` instead.
+		bearerTokenSecret?: {
+			// The key of the secret to select from. Must be a valid secret
+			// key.
+			key: string
+
+			// Name of the referent. More info:
+			// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+			// TODO: Add other useful fields. apiVersion, kind, uid?
+			name?: string
+
+			// Specify whether the Secret or its key must be defined
+			optional?: bool
+		}
+
+		// `enableHttp2` can be used to disable HTTP2 when scraping the
+		// target.
+		enableHttp2?: bool
+
+		// When true, the pods which are not running (e.g. either in
+		// Failed or Succeeded state) are dropped during the target
+		// discovery.
+		// If unset, the filtering is enabled.
+		// More info:
+		// https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-phase
+		filterRunning?: bool
+
+		// `followRedirects` defines whether the scrape requests should
+		// follow HTTP 3xx redirects.
+		followRedirects?: bool
+
+		// When true, `honorLabels` preserves the metric's labels when
+		// they collide with the target's labels.
+		honorLabels?: bool
+
+		// `honorTimestamps` controls whether Prometheus preserves the
+		// timestamps when exposed by the target.
+		honorTimestamps?: bool
+
+		// Interval at which Prometheus scrapes the metrics from the
+		// target.
+		// If empty, Prometheus uses the global scrape interval.
+		interval?: =~"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"
+
+		// `metricRelabelings` configures the relabeling rules to apply to
+		// the samples before ingestion.
+		metricRelabelings?: [...{
+			// Action to perform based on the regex matching.
+			// `Uppercase` and `Lowercase` actions require Prometheus >=
+			// v2.36.0. `DropEqual` and `KeepEqual` actions require
+			// Prometheus >= v2.41.0.
+			// Default: "Replace"
+			action?: "replace" | "Replace" | "keep" | "Keep" | "drop" | "Drop" | "hashmod" | "HashMod" | "labelmap" | "LabelMap" | "labeldrop" | "LabelDrop" | "labelkeep" | "LabelKeep" | "lowercase" | "Lowercase" | "uppercase" | "Uppercase" | "keepequal" | "KeepEqual" | "dropequal" | "DropEqual" | *"replace"
+
+			// Modulus to take of the hash of the source label values.
+			// Only applicable when the action is `HashMod`.
+			modulus?: int
+
+			// Regular expression against which the extracted value is
+			// matched.
+			regex?: string
+
+			// Replacement value against which a Replace action is performed
+			// if the regular expression matches.
+			// Regex capture groups are available.
+			replacement?: string
+
+			// Separator is the string between concatenated SourceLabels.
+			separator?: string
+
+			// The source labels select values from existing labels. Their
+			// content is concatenated using the configured Separator and
+			// matched against the configured regular expression.
+			sourceLabels?: [...=~"^[a-zA-Z_][a-zA-Z0-9_]*$"]
+
+			// Label to which the resulting string is written in a
+			// replacement.
+			// It is mandatory for `Replace`, `HashMod`, `Lowercase`,
+			// `Uppercase`, `KeepEqual` and `DropEqual` actions.
+			// Regex capture groups are available.
+			targetLabel?: string
+		}]
+
+		// `oauth2` configures the OAuth2 settings to use when scraping
+		// the target.
+		// It requires Prometheus >= 2.27.0.
+		// Cannot be set at the same time as `authorization`, or
+		// `basicAuth`.
+		oauth2?: {
+			// `clientId` specifies a key of a Secret or ConfigMap containing
+			// the OAuth2 client's ID.
+			clientId: {
+				// ConfigMap containing data to use for the targets.
+				configMap?: {
+					// The key to select.
+					key: string
+
+					// Name of the referent. More info:
+					// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+					// TODO: Add other useful fields. apiVersion, kind, uid?
+					name?: string
+
+					// Specify whether the ConfigMap or its key must be defined
+					optional?: bool
+				}
+
+				// Secret containing data to use for the targets.
+				secret?: {
+					// The key of the secret to select from. Must be a valid secret
+					// key.
+					key: string
+
+					// Name of the referent. More info:
+					// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+					// TODO: Add other useful fields. apiVersion, kind, uid?
+					name?: string
+
+					// Specify whether the Secret or its key must be defined
+					optional?: bool
+				}
+			}
+
+			// `clientSecret` specifies a key of a Secret containing the
+			// OAuth2 client's secret.
+			clientSecret: {
+				// The key of the secret to select from. Must be a valid secret
+				// key.
+				key: string
+
+				// Name of the referent. More info:
+				// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+				// TODO: Add other useful fields. apiVersion, kind, uid?
+				name?: string
+
+				// Specify whether the Secret or its key must be defined
+				optional?: bool
+			}
+
+			// `endpointParams` configures the HTTP parameters to append to
+			// the token URL.
+			endpointParams?: {
+				[string]: string
+			}
+
+			// `scopes` defines the OAuth2 scopes used for the token request.
+			scopes?: [...string]
+
+			// `tokenURL` configures the URL to fetch the token from.
+			tokenUrl: strings.MinRunes(1)
+		}
+
+		// params define optional HTTP URL parameters.
+		params?: {
+			[string]: [...string]
+		}
+
+		// HTTP path from which to scrape for metrics.
+		// If empty, Prometheus uses the default value (e.g. `/metrics`).
+		path?: string
+
+		// Name of the Service port which this endpoint refers to.
+		// It takes precedence over `targetPort`.
+		port?: string
+
+		// `proxyURL` configures the HTTP Proxy URL (e.g.
+		// "http://proxyserver:2195") to go through when scraping the
+		// target.
+		proxyUrl?: string
+
+		// `relabelings` configures the relabeling rules to apply the
+		// target's metadata labels.
+		// The Operator automatically adds relabelings for a few standard
+		// Kubernetes fields.
+		// The original scrape job's name is available via the
+		// `__tmp_prometheus_job_name` label.
+		// More info:
+		// https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config
+		relabelings?: [...{
+			// Action to perform based on the regex matching.
+			// `Uppercase` and `Lowercase` actions require Prometheus >=
+			// v2.36.0. `DropEqual` and `KeepEqual` actions require
+			// Prometheus >= v2.41.0.
+			// Default: "Replace"
+			action?: "replace" | "Replace" | "keep" | "Keep" | "drop" | "Drop" | "hashmod" | "HashMod" | "labelmap" | "LabelMap" | "labeldrop" | "LabelDrop" | "labelkeep" | "LabelKeep" | "lowercase" | "Lowercase" | "uppercase" | "Uppercase" | "keepequal" | "KeepEqual" | "dropequal" | "DropEqual" | *"replace"
+
+			// Modulus to take of the hash of the source label values.
+			// Only applicable when the action is `HashMod`.
+			modulus?: int
+
+			// Regular expression against which the extracted value is
+			// matched.
+			regex?: string
+
+			// Replacement value against which a Replace action is performed
+			// if the regular expression matches.
+			// Regex capture groups are available.
+			replacement?: string
+
+			// Separator is the string between concatenated SourceLabels.
+			separator?: string
+
+			// The source labels select values from existing labels. Their
+			// content is concatenated using the configured Separator and
+			// matched against the configured regular expression.
+			sourceLabels?: [...=~"^[a-zA-Z_][a-zA-Z0-9_]*$"]
+
+			// Label to which the resulting string is written in a
+			// replacement.
+			// It is mandatory for `Replace`, `HashMod`, `Lowercase`,
+			// `Uppercase`, `KeepEqual` and `DropEqual` actions.
+			// Regex capture groups are available.
+			targetLabel?: string
+		}]
+
+		// HTTP scheme to use for scraping.
+		// `http` and `https` are the expected values unless you rewrite
+		// the `__scheme__` label via relabeling.
+		// If empty, Prometheus uses the default value `http`.
+		scheme?: "http" | "https"
+
+		// Timeout after which Prometheus considers the scrape to be
+		// failed.
+		// If empty, Prometheus uses the global scrape timeout unless it
+		// is less than the target's scrape interval value in which the
+		// latter is used.
+		scrapeTimeout?: =~"^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$"
+
+		// Name or number of the target port of the `Pod` object behind
+		// the Service. The port must be specified with the container's
+		// port property.
+		targetPort?: (int | string) & {
+			string
+		}
+
+		// TLS configuration to use when scraping the target.
+		tlsConfig?: {
+			// Certificate authority used when verifying server certificates.
+			ca?: {
+				// ConfigMap containing data to use for the targets.
+				configMap?: {
+					// The key to select.
+					key: string
+
+					// Name of the referent. More info:
+					// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+					// TODO: Add other useful fields. apiVersion, kind, uid?
+					name?: string
+
+					// Specify whether the ConfigMap or its key must be defined
+					optional?: bool
+				}
+
+				// Secret containing data to use for the targets.
+				secret?: {
+					// The key of the secret to select from. Must be a valid secret
+					// key.
+					key: string
+
+					// Name of the referent. More info:
+					// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+					// TODO: Add other useful fields. apiVersion, kind, uid?
+					name?: string
+
+					// Specify whether the Secret or its key must be defined
+					optional?: bool
+				}
+			}
+
+			// Path to the CA cert in the Prometheus container to use for the
+			// targets.
+			caFile?: string
+
+			// Client certificate to present when doing client-authentication.
+			cert?: {
+				// ConfigMap containing data to use for the targets.
+				configMap?: {
+					// The key to select.
+					key: string
+
+					// Name of the referent. More info:
+					// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+					// TODO: Add other useful fields. apiVersion, kind, uid?
+					name?: string
+
+					// Specify whether the ConfigMap or its key must be defined
+					optional?: bool
+				}
+
+				// Secret containing data to use for the targets.
+				secret?: {
+					// The key of the secret to select from. Must be a valid secret
+					// key.
+					key: string
+
+					// Name of the referent. More info:
+					// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+					// TODO: Add other useful fields. apiVersion, kind, uid?
+					name?: string
+
+					// Specify whether the Secret or its key must be defined
+					optional?: bool
+				}
+			}
+
+			// Path to the client cert file in the Prometheus container for
+			// the targets.
+			certFile?: string
+
+			// Disable target certificate validation.
+			insecureSkipVerify?: bool
+
+			// Path to the client key file in the Prometheus container for the
+			// targets.
+			keyFile?: string
+
+			// Secret containing the client key file for the targets.
+			keySecret?: {
+				// The key of the secret to select from. Must be a valid secret
+				// key.
+				key: string
+
+				// Name of the referent. More info:
+				// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+				// TODO: Add other useful fields. apiVersion, kind, uid?
+				name?: string
+
+				// Specify whether the Secret or its key must be defined
+				optional?: bool
+			}
+
+			// Used to verify the hostname for the targets.
+			serverName?: string
+		}
+
+		// `trackTimestampsStaleness` defines whether Prometheus tracks
+		// staleness of the metrics that have an explicit timestamp
+		// present in scraped data. Has no effect if `honorTimestamps` is
+		// false.
+		// It requires Prometheus >= v2.48.0.
+		trackTimestampsStaleness?: bool
+	}]
+
+	// `jobLabel` selects the label from the associated Kubernetes
+	// `Service` object which will be used as the `job` label for all
+	// metrics.
+	// For example if `jobLabel` is set to `foo` and the Kubernetes
+	// `Service` object is labeled with `foo: bar`, then Prometheus
+	// adds the `job="bar"` label to all ingested metrics.
+	// If the value of this field is empty or if the label doesn't
+	// exist for the given Service, the `job` label of the metrics
+	// defaults to the name of the associated Kubernetes `Service`.
+	jobLabel?: string
+
+	// Per-scrape limit on the number of targets dropped by relabeling
+	// that will be kept in memory. 0 means no limit.
+	// It requires Prometheus >= v2.47.0.
+	keepDroppedTargets?: int
+
+	// Per-scrape limit on number of labels that will be accepted for
+	// a sample.
+	// It requires Prometheus >= v2.27.0.
+	labelLimit?: int
+
+	// Per-scrape limit on length of labels name that will be accepted
+	// for a sample.
+	// It requires Prometheus >= v2.27.0.
+	labelNameLengthLimit?: int
+
+	// Per-scrape limit on length of labels value that will be
+	// accepted for a sample.
+	// It requires Prometheus >= v2.27.0.
+	labelValueLengthLimit?: int
+
+	// Selector to select which namespaces the Kubernetes `Endpoints`
+	// objects are discovered from.
+	namespaceSelector?: {
+		// Boolean describing whether all namespaces are selected in
+		// contrast to a list restricting them.
+		any?: bool
+
+		// List of namespace names to select from.
+		matchNames?: [...string]
+	}
+
+	// `podTargetLabels` defines the labels which are transferred from
+	// the associated Kubernetes `Pod` object onto the ingested
+	// metrics.
+	podTargetLabels?: [...string]
+
+	// `sampleLimit` defines a per-scrape limit on the number of
+	// scraped samples that will be accepted.
+	sampleLimit?: int
+
+	// The scrape class to apply.
+	scrapeClass?: strings.MinRunes(1)
+
+	// `scrapeProtocols` defines the protocols to negotiate during a
+	// scrape. It tells clients the protocols supported by Prometheus
+	// in order of preference (from most to least preferred).
+	// If unset, Prometheus uses its default value.
+	// It requires Prometheus >= v2.49.0.
+	scrapeProtocols?: [..."PrometheusProto" | "OpenMetricsText0.0.1" | "OpenMetricsText1.0.0" | "PrometheusText0.0.4"]
+
+	// Label selector to select the Kubernetes `Endpoints` objects.
+	selector: {
+		// matchExpressions is a list of label selector requirements. The
+		// requirements are ANDed.
+		matchExpressions?: [...{
+			// key is the label key that the selector applies to.
+			key: string
+
+			// operator represents a key's relationship to a set of values.
+			// Valid operators are In, NotIn, Exists and DoesNotExist.
+			operator: string
+
+			// values is an array of string values. If the operator is In or
+			// NotIn, the values array must be non-empty. If the operator is
+			// Exists or DoesNotExist, the values array must be empty. This
+			// array is replaced during a strategic merge patch.
+			values?: [...string]
+		}]
+
+		// matchLabels is a map of {key,value} pairs. A single {key,value}
+		// in the matchLabels map is equivalent to an element of
+		// matchExpressions, whose key field is "key", the operator is
+		// "In", and the values array contains only "value". The
+		// requirements are ANDed.
+		matchLabels?: {
+			[string]: string
+		}
+	}
+
+	// `targetLabels` defines the labels which are transferred from
+	// the associated Kubernetes `Service` object onto the ingested
+	// metrics.
+	targetLabels?: [...string]
+
+	// `targetLimit` defines a limit on the number of scraped targets
+	// that will be accepted.
+	targetLimit?: int
+}

docs/examples/cue.mod/gen/networking.istio.io/destinationrule/v1alpha3/types_gen.cue

@@ -0,0 +1,967 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1alpha3
+
+import "strings"
+
+#DestinationRule: {
+	// Configuration affecting load balancing, outlier detection, etc.
+	// See more details at:
+	// https://istio.io/docs/reference/config/networking/destination-rule.html
+	spec!:      #DestinationRuleSpec
+	apiVersion: "networking.istio.io/v1alpha3"
+	kind:       "DestinationRule"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting load balancing, outlier detection, etc.
+// See more details at:
+// https://istio.io/docs/reference/config/networking/destination-rule.html
+#DestinationRuleSpec: {
+	// A list of namespaces to which this destination rule is
+	// exported.
+	exportTo?: [...string]
+
+	// The name of a service from the service registry.
+	host: string
+
+	// One or more named sets that represent individual versions of a
+	// service.
+	subsets?: [...{
+		// Labels apply a filter over the endpoints of a service in the
+		// service registry.
+		labels?: {
+			[string]: string
+		}
+
+		// Name of the subset.
+		name: string
+
+		// Traffic policies that apply to this subset.
+		trafficPolicy?: {
+			connectionPool?: {
+				// HTTP connection pool settings.
+				http?: {
+					// Specify if http1.1 connection should be upgraded to http2 for
+					// the associated destination.
+					h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
+
+					// Maximum number of requests that will be queued while waiting
+					// for a ready connection pool connection.
+					http1MaxPendingRequests?: int
+
+					// Maximum number of active requests to a destination.
+					http2MaxRequests?: int
+
+					// The idle timeout for upstream connection pool connections.
+					idleTimeout?: string
+
+					// Maximum number of requests per connection to a backend.
+					maxRequestsPerConnection?: int
+
+					// Maximum number of retries that can be outstanding to all hosts
+					// in a cluster at a given time.
+					maxRetries?: int
+
+					// If set to true, client protocol will be preserved while
+					// initiating connection to backend.
+					useClientProtocol?: bool
+				}
+
+				// Settings common to both HTTP and TCP upstream connections.
+				tcp?: {
+					// TCP connection timeout.
+					connectTimeout?: string
+
+					// The maximum duration of a connection.
+					maxConnectionDuration?: string
+
+					// Maximum number of HTTP1 /TCP connections to a destination host.
+					maxConnections?: int
+
+					// If set then set SO_KEEPALIVE on the socket to enable TCP
+					// Keepalives.
+					tcpKeepalive?: {
+						// The time duration between keep-alive probes.
+						interval?: string
+
+						// Maximum number of keepalive probes to send without response
+						// before deciding the connection is dead.
+						probes?: int
+
+						// The time duration a connection needs to be idle before
+						// keep-alive probes start being sent.
+						time?: string
+					}
+				}
+			}
+
+			// Settings controlling the load balancer algorithms.
+			loadBalancer?: ({} | {
+				simple: _
+			} | {
+				consistentHash: _
+			}) & {
+				consistentHash?: ({} | {
+					httpHeaderName: _
+				} | {
+					httpCookie: _
+				} | {
+					useSourceIp: _
+				} | {
+					httpQueryParameterName: _
+				}) & ({} | {
+					ringHash: _
+				} | {
+					maglev: _
+				}) & {
+					// Hash based on HTTP cookie.
+					httpCookie?: {
+						// Name of the cookie.
+						name: string
+
+						// Path to set for the cookie.
+						path?: string
+
+						// Lifetime of the cookie.
+						ttl?: string
+					}
+
+					// Hash based on a specific HTTP header.
+					httpHeaderName?: string
+
+					// Hash based on a specific HTTP query parameter.
+					httpQueryParameterName?: string
+					maglev?: {
+						// The table size for Maglev hashing.
+						tableSize?: int
+					}
+
+					// Deprecated.
+					minimumRingSize?: int
+					ringHash?: {
+						// The minimum number of virtual nodes to use for the hash ring.
+						minimumRingSize?: int
+					}
+
+					// Hash based on the source IP address.
+					useSourceIp?: bool
+				}
+				localityLbSetting?: {
+					// Optional: only one of distribute, failover or failoverPriority
+					// can be set.
+					distribute?: [...{
+						// Originating locality, '/' separated, e.g.
+						from?: string
+
+						// Map of upstream localities to traffic distribution weights.
+						to?: {
+							[string]: int
+						}
+					}]
+
+					// enable locality load balancing, this is DestinationRule-level
+					// and will override mesh wide settings in entirety.
+					enabled?: null | bool
+
+					// Optional: only one of distribute, failover or failoverPriority
+					// can be set.
+					failover?: [...{
+						// Originating region.
+						from?: string
+
+						// Destination region the traffic will fail over to when endpoints
+						// in the 'from' region becomes unhealthy.
+						to?: string
+					}]
+
+					// failoverPriority is an ordered list of labels used to sort
+					// endpoints to do priority based load balancing.
+					failoverPriority?: [...string]
+				}
+				simple?: "UNSPECIFIED" | "LEAST_CONN" | "RANDOM" | "PASSTHROUGH" | "ROUND_ROBIN" | "LEAST_REQUEST"
+
+				// Represents the warmup duration of Service.
+				warmupDurationSecs?: string
+			}
+			outlierDetection?: {
+				// Minimum ejection duration.
+				baseEjectionTime?: string
+
+				// Number of 5xx errors before a host is ejected from the
+				// connection pool.
+				consecutive5xxErrors?: null | int
+				consecutiveErrors?:    int
+
+				// Number of gateway errors before a host is ejected from the
+				// connection pool.
+				consecutiveGatewayErrors?: null | int
+
+				// The number of consecutive locally originated failures before
+				// ejection occurs.
+				consecutiveLocalOriginFailures?: null | int
+
+				// Time interval between ejection sweep analysis.
+				interval?: string
+
+				// Maximum % of hosts in the load balancing pool for the upstream
+				// service that can be ejected.
+				maxEjectionPercent?: int
+
+				// Outlier detection will be enabled as long as the associated
+				// load balancing pool has at least min_health_percent hosts in
+				// healthy mode.
+				minHealthPercent?: int
+
+				// Determines whether to distinguish local origin failures from
+				// external errors.
+				splitExternalLocalOriginErrors?: bool
+			}
+
+			// Traffic policies specific to individual ports.
+			portLevelSettings?: [...{
+				connectionPool?: {
+					// HTTP connection pool settings.
+					http?: {
+						// Specify if http1.1 connection should be upgraded to http2 for
+						// the associated destination.
+						h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
+
+						// Maximum number of requests that will be queued while waiting
+						// for a ready connection pool connection.
+						http1MaxPendingRequests?: int
+
+						// Maximum number of active requests to a destination.
+						http2MaxRequests?: int
+
+						// The idle timeout for upstream connection pool connections.
+						idleTimeout?: string
+
+						// Maximum number of requests per connection to a backend.
+						maxRequestsPerConnection?: int
+
+						// Maximum number of retries that can be outstanding to all hosts
+						// in a cluster at a given time.
+						maxRetries?: int
+
+						// If set to true, client protocol will be preserved while
+						// initiating connection to backend.
+						useClientProtocol?: bool
+					}
+
+					// Settings common to both HTTP and TCP upstream connections.
+					tcp?: {
+						// TCP connection timeout.
+						connectTimeout?: string
+
+						// The maximum duration of a connection.
+						maxConnectionDuration?: string
+
+						// Maximum number of HTTP1 /TCP connections to a destination host.
+						maxConnections?: int
+
+						// If set then set SO_KEEPALIVE on the socket to enable TCP
+						// Keepalives.
+						tcpKeepalive?: {
+							// The time duration between keep-alive probes.
+							interval?: string
+
+							// Maximum number of keepalive probes to send without response
+							// before deciding the connection is dead.
+							probes?: int
+
+							// The time duration a connection needs to be idle before
+							// keep-alive probes start being sent.
+							time?: string
+						}
+					}
+				}
+
+				// Settings controlling the load balancer algorithms.
+				loadBalancer?: ({} | {
+					simple: _
+				} | {
+					consistentHash: _
+				}) & {
+					consistentHash?: ({} | {
+						httpHeaderName: _
+					} | {
+						httpCookie: _
+					} | {
+						useSourceIp: _
+					} | {
+						httpQueryParameterName: _
+					}) & ({} | {
+						ringHash: _
+					} | {
+						maglev: _
+					}) & {
+						// Hash based on HTTP cookie.
+						httpCookie?: {
+							// Name of the cookie.
+							name: string
+
+							// Path to set for the cookie.
+							path?: string
+
+							// Lifetime of the cookie.
+							ttl?: string
+						}
+
+						// Hash based on a specific HTTP header.
+						httpHeaderName?: string
+
+						// Hash based on a specific HTTP query parameter.
+						httpQueryParameterName?: string
+						maglev?: {
+							// The table size for Maglev hashing.
+							tableSize?: int
+						}
+
+						// Deprecated.
+						minimumRingSize?: int
+						ringHash?: {
+							// The minimum number of virtual nodes to use for the hash ring.
+							minimumRingSize?: int
+						}
+
+						// Hash based on the source IP address.
+						useSourceIp?: bool
+					}
+					localityLbSetting?: {
+						// Optional: only one of distribute, failover or failoverPriority
+						// can be set.
+						distribute?: [...{
+							// Originating locality, '/' separated, e.g.
+							from?: string
+
+							// Map of upstream localities to traffic distribution weights.
+							to?: {
+								[string]: int
+							}
+						}]
+
+						// enable locality load balancing, this is DestinationRule-level
+						// and will override mesh wide settings in entirety.
+						enabled?: null | bool
+
+						// Optional: only one of distribute, failover or failoverPriority
+						// can be set.
+						failover?: [...{
+							// Originating region.
+							from?: string
+
+							// Destination region the traffic will fail over to when endpoints
+							// in the 'from' region becomes unhealthy.
+							to?: string
+						}]
+
+						// failoverPriority is an ordered list of labels used to sort
+						// endpoints to do priority based load balancing.
+						failoverPriority?: [...string]
+					}
+					simple?: "UNSPECIFIED" | "LEAST_CONN" | "RANDOM" | "PASSTHROUGH" | "ROUND_ROBIN" | "LEAST_REQUEST"
+
+					// Represents the warmup duration of Service.
+					warmupDurationSecs?: string
+				}
+				outlierDetection?: {
+					// Minimum ejection duration.
+					baseEjectionTime?: string
+
+					// Number of 5xx errors before a host is ejected from the
+					// connection pool.
+					consecutive5xxErrors?: null | int
+					consecutiveErrors?:    int
+
+					// Number of gateway errors before a host is ejected from the
+					// connection pool.
+					consecutiveGatewayErrors?: null | int
+
+					// The number of consecutive locally originated failures before
+					// ejection occurs.
+					consecutiveLocalOriginFailures?: null | int
+
+					// Time interval between ejection sweep analysis.
+					interval?: string
+
+					// Maximum % of hosts in the load balancing pool for the upstream
+					// service that can be ejected.
+					maxEjectionPercent?: int
+
+					// Outlier detection will be enabled as long as the associated
+					// load balancing pool has at least min_health_percent hosts in
+					// healthy mode.
+					minHealthPercent?: int
+
+					// Determines whether to distinguish local origin failures from
+					// external errors.
+					splitExternalLocalOriginErrors?: bool
+				}
+				port?: {
+					number?: int
+				}
+
+				// TLS related settings for connections to the upstream service.
+				tls?: {
+					// OPTIONAL: The path to the file containing certificate authority
+					// certificates to use in verifying a presented server
+					// certificate.
+					caCertificates?: string
+
+					// REQUIRED if mode is `MUTUAL`.
+					clientCertificate?: string
+
+					// The name of the secret that holds the TLS certs for the client
+					// including the CA certificates.
+					credentialName?: string
+
+					// `insecureSkipVerify` specifies whether the proxy should skip
+					// verifying the CA signature and SAN for the server certificate
+					// corresponding to the host.
+					insecureSkipVerify?: null | bool
+
+					// Indicates whether connections to this port should be secured
+					// using TLS.
+					mode?: "DISABLE" | "SIMPLE" | "MUTUAL" | "ISTIO_MUTUAL"
+
+					// REQUIRED if mode is `MUTUAL`.
+					privateKey?: string
+
+					// SNI string to present to the server during TLS handshake.
+					sni?: string
+
+					// A list of alternate names to verify the subject identity in the
+					// certificate.
+					subjectAltNames?: [...string]
+				}
+			}]
+
+			// TLS related settings for connections to the upstream service.
+			tls?: {
+				// OPTIONAL: The path to the file containing certificate authority
+				// certificates to use in verifying a presented server
+				// certificate.
+				caCertificates?: string
+
+				// REQUIRED if mode is `MUTUAL`.
+				clientCertificate?: string
+
+				// The name of the secret that holds the TLS certs for the client
+				// including the CA certificates.
+				credentialName?: string
+
+				// `insecureSkipVerify` specifies whether the proxy should skip
+				// verifying the CA signature and SAN for the server certificate
+				// corresponding to the host.
+				insecureSkipVerify?: null | bool
+
+				// Indicates whether connections to this port should be secured
+				// using TLS.
+				mode?: "DISABLE" | "SIMPLE" | "MUTUAL" | "ISTIO_MUTUAL"
+
+				// REQUIRED if mode is `MUTUAL`.
+				privateKey?: string
+
+				// SNI string to present to the server during TLS handshake.
+				sni?: string
+
+				// A list of alternate names to verify the subject identity in the
+				// certificate.
+				subjectAltNames?: [...string]
+			}
+
+			// Configuration of tunneling TCP over other transport or
+			// application layers for the host configured in the
+			// DestinationRule.
+			tunnel?: {
+				// Specifies which protocol to use for tunneling the downstream
+				// connection.
+				protocol?: string
+
+				// Specifies a host to which the downstream connection is
+				// tunneled.
+				targetHost: string
+
+				// Specifies a port to which the downstream connection is
+				// tunneled.
+				targetPort: int
+			}
+		}
+	}]
+
+	// Traffic policies to apply (load balancing policy, connection
+	// pool sizes, outlier detection).
+	trafficPolicy?: {
+		connectionPool?: {
+			// HTTP connection pool settings.
+			http?: {
+				// Specify if http1.1 connection should be upgraded to http2 for
+				// the associated destination.
+				h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
+
+				// Maximum number of requests that will be queued while waiting
+				// for a ready connection pool connection.
+				http1MaxPendingRequests?: int
+
+				// Maximum number of active requests to a destination.
+				http2MaxRequests?: int
+
+				// The idle timeout for upstream connection pool connections.
+				idleTimeout?: string
+
+				// Maximum number of requests per connection to a backend.
+				maxRequestsPerConnection?: int
+
+				// Maximum number of retries that can be outstanding to all hosts
+				// in a cluster at a given time.
+				maxRetries?: int
+
+				// If set to true, client protocol will be preserved while
+				// initiating connection to backend.
+				useClientProtocol?: bool
+			}
+
+			// Settings common to both HTTP and TCP upstream connections.
+			tcp?: {
+				// TCP connection timeout.
+				connectTimeout?: string
+
+				// The maximum duration of a connection.
+				maxConnectionDuration?: string
+
+				// Maximum number of HTTP1 /TCP connections to a destination host.
+				maxConnections?: int
+
+				// If set then set SO_KEEPALIVE on the socket to enable TCP
+				// Keepalives.
+				tcpKeepalive?: {
+					// The time duration between keep-alive probes.
+					interval?: string
+
+					// Maximum number of keepalive probes to send without response
+					// before deciding the connection is dead.
+					probes?: int
+
+					// The time duration a connection needs to be idle before
+					// keep-alive probes start being sent.
+					time?: string
+				}
+			}
+		}
+
+		// Settings controlling the load balancer algorithms.
+		loadBalancer?: ({} | {
+			simple: _
+		} | {
+			consistentHash: _
+		}) & {
+			consistentHash?: ({} | {
+				httpHeaderName: _
+			} | {
+				httpCookie: _
+			} | {
+				useSourceIp: _
+			} | {
+				httpQueryParameterName: _
+			}) & ({} | {
+				ringHash: _
+			} | {
+				maglev: _
+			}) & {
+				// Hash based on HTTP cookie.
+				httpCookie?: {
+					// Name of the cookie.
+					name: string
+
+					// Path to set for the cookie.
+					path?: string
+
+					// Lifetime of the cookie.
+					ttl?: string
+				}
+
+				// Hash based on a specific HTTP header.
+				httpHeaderName?: string
+
+				// Hash based on a specific HTTP query parameter.
+				httpQueryParameterName?: string
+				maglev?: {
+					// The table size for Maglev hashing.
+					tableSize?: int
+				}
+
+				// Deprecated.
+				minimumRingSize?: int
+				ringHash?: {
+					// The minimum number of virtual nodes to use for the hash ring.
+					minimumRingSize?: int
+				}
+
+				// Hash based on the source IP address.
+				useSourceIp?: bool
+			}
+			localityLbSetting?: {
+				// Optional: only one of distribute, failover or failoverPriority
+				// can be set.
+				distribute?: [...{
+					// Originating locality, '/' separated, e.g.
+					from?: string
+
+					// Map of upstream localities to traffic distribution weights.
+					to?: {
+						[string]: int
+					}
+				}]
+
+				// enable locality load balancing, this is DestinationRule-level
+				// and will override mesh wide settings in entirety.
+				enabled?: null | bool
+
+				// Optional: only one of distribute, failover or failoverPriority
+				// can be set.
+				failover?: [...{
+					// Originating region.
+					from?: string
+
+					// Destination region the traffic will fail over to when endpoints
+					// in the 'from' region becomes unhealthy.
+					to?: string
+				}]
+
+				// failoverPriority is an ordered list of labels used to sort
+				// endpoints to do priority based load balancing.
+				failoverPriority?: [...string]
+			}
+			simple?: "UNSPECIFIED" | "LEAST_CONN" | "RANDOM" | "PASSTHROUGH" | "ROUND_ROBIN" | "LEAST_REQUEST"
+
+			// Represents the warmup duration of Service.
+			warmupDurationSecs?: string
+		}
+		outlierDetection?: {
+			// Minimum ejection duration.
+			baseEjectionTime?: string
+
+			// Number of 5xx errors before a host is ejected from the
+			// connection pool.
+			consecutive5xxErrors?: null | int
+			consecutiveErrors?:    int
+
+			// Number of gateway errors before a host is ejected from the
+			// connection pool.
+			consecutiveGatewayErrors?: null | int
+
+			// The number of consecutive locally originated failures before
+			// ejection occurs.
+			consecutiveLocalOriginFailures?: null | int
+
+			// Time interval between ejection sweep analysis.
+			interval?: string
+
+			// Maximum % of hosts in the load balancing pool for the upstream
+			// service that can be ejected.
+			maxEjectionPercent?: int
+
+			// Outlier detection will be enabled as long as the associated
+			// load balancing pool has at least min_health_percent hosts in
+			// healthy mode.
+			minHealthPercent?: int
+
+			// Determines whether to distinguish local origin failures from
+			// external errors.
+			splitExternalLocalOriginErrors?: bool
+		}
+
+		// Traffic policies specific to individual ports.
+		portLevelSettings?: [...{
+			connectionPool?: {
+				// HTTP connection pool settings.
+				http?: {
+					// Specify if http1.1 connection should be upgraded to http2 for
+					// the associated destination.
+					h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
+
+					// Maximum number of requests that will be queued while waiting
+					// for a ready connection pool connection.
+					http1MaxPendingRequests?: int
+
+					// Maximum number of active requests to a destination.
+					http2MaxRequests?: int
+
+					// The idle timeout for upstream connection pool connections.
+					idleTimeout?: string
+
+					// Maximum number of requests per connection to a backend.
+					maxRequestsPerConnection?: int
+
+					// Maximum number of retries that can be outstanding to all hosts
+					// in a cluster at a given time.
+					maxRetries?: int
+
+					// If set to true, client protocol will be preserved while
+					// initiating connection to backend.
+					useClientProtocol?: bool
+				}
+
+				// Settings common to both HTTP and TCP upstream connections.
+				tcp?: {
+					// TCP connection timeout.
+					connectTimeout?: string
+
+					// The maximum duration of a connection.
+					maxConnectionDuration?: string
+
+					// Maximum number of HTTP1 /TCP connections to a destination host.
+					maxConnections?: int
+
+					// If set then set SO_KEEPALIVE on the socket to enable TCP
+					// Keepalives.
+					tcpKeepalive?: {
+						// The time duration between keep-alive probes.
+						interval?: string
+
+						// Maximum number of keepalive probes to send without response
+						// before deciding the connection is dead.
+						probes?: int
+
+						// The time duration a connection needs to be idle before
+						// keep-alive probes start being sent.
+						time?: string
+					}
+				}
+			}
+
+			// Settings controlling the load balancer algorithms.
+			loadBalancer?: ({} | {
+				simple: _
+			} | {
+				consistentHash: _
+			}) & {
+				consistentHash?: ({} | {
+					httpHeaderName: _
+				} | {
+					httpCookie: _
+				} | {
+					useSourceIp: _
+				} | {
+					httpQueryParameterName: _
+				}) & ({} | {
+					ringHash: _
+				} | {
+					maglev: _
+				}) & {
+					// Hash based on HTTP cookie.
+					httpCookie?: {
+						// Name of the cookie.
+						name: string
+
+						// Path to set for the cookie.
+						path?: string
+
+						// Lifetime of the cookie.
+						ttl?: string
+					}
+
+					// Hash based on a specific HTTP header.
+					httpHeaderName?: string
+
+					// Hash based on a specific HTTP query parameter.
+					httpQueryParameterName?: string
+					maglev?: {
+						// The table size for Maglev hashing.
+						tableSize?: int
+					}
+
+					// Deprecated.
+					minimumRingSize?: int
+					ringHash?: {
+						// The minimum number of virtual nodes to use for the hash ring.
+						minimumRingSize?: int
+					}
+
+					// Hash based on the source IP address.
+					useSourceIp?: bool
+				}
+				localityLbSetting?: {
+					// Optional: only one of distribute, failover or failoverPriority
+					// can be set.
+					distribute?: [...{
+						// Originating locality, '/' separated, e.g.
+						from?: string
+
+						// Map of upstream localities to traffic distribution weights.
+						to?: {
+							[string]: int
+						}
+					}]
+
+					// enable locality load balancing, this is DestinationRule-level
+					// and will override mesh wide settings in entirety.
+					enabled?: null | bool
+
+					// Optional: only one of distribute, failover or failoverPriority
+					// can be set.
+					failover?: [...{
+						// Originating region.
+						from?: string
+
+						// Destination region the traffic will fail over to when endpoints
+						// in the 'from' region becomes unhealthy.
+						to?: string
+					}]
+
+					// failoverPriority is an ordered list of labels used to sort
+					// endpoints to do priority based load balancing.
+					failoverPriority?: [...string]
+				}
+				simple?: "UNSPECIFIED" | "LEAST_CONN" | "RANDOM" | "PASSTHROUGH" | "ROUND_ROBIN" | "LEAST_REQUEST"
+
+				// Represents the warmup duration of Service.
+				warmupDurationSecs?: string
+			}
+			outlierDetection?: {
+				// Minimum ejection duration.
+				baseEjectionTime?: string
+
+				// Number of 5xx errors before a host is ejected from the
+				// connection pool.
+				consecutive5xxErrors?: null | int
+				consecutiveErrors?:    int
+
+				// Number of gateway errors before a host is ejected from the
+				// connection pool.
+				consecutiveGatewayErrors?: null | int
+
+				// The number of consecutive locally originated failures before
+				// ejection occurs.
+				consecutiveLocalOriginFailures?: null | int
+
+				// Time interval between ejection sweep analysis.
+				interval?: string
+
+				// Maximum % of hosts in the load balancing pool for the upstream
+				// service that can be ejected.
+				maxEjectionPercent?: int
+
+				// Outlier detection will be enabled as long as the associated
+				// load balancing pool has at least min_health_percent hosts in
+				// healthy mode.
+				minHealthPercent?: int
+
+				// Determines whether to distinguish local origin failures from
+				// external errors.
+				splitExternalLocalOriginErrors?: bool
+			}
+			port?: {
+				number?: int
+			}
+
+			// TLS related settings for connections to the upstream service.
+			tls?: {
+				// OPTIONAL: The path to the file containing certificate authority
+				// certificates to use in verifying a presented server
+				// certificate.
+				caCertificates?: string
+
+				// REQUIRED if mode is `MUTUAL`.
+				clientCertificate?: string
+
+				// The name of the secret that holds the TLS certs for the client
+				// including the CA certificates.
+				credentialName?: string
+
+				// `insecureSkipVerify` specifies whether the proxy should skip
+				// verifying the CA signature and SAN for the server certificate
+				// corresponding to the host.
+				insecureSkipVerify?: null | bool
+
+				// Indicates whether connections to this port should be secured
+				// using TLS.
+				mode?: "DISABLE" | "SIMPLE" | "MUTUAL" | "ISTIO_MUTUAL"
+
+				// REQUIRED if mode is `MUTUAL`.
+				privateKey?: string
+
+				// SNI string to present to the server during TLS handshake.
+				sni?: string
+
+				// A list of alternate names to verify the subject identity in the
+				// certificate.
+				subjectAltNames?: [...string]
+			}
+		}]
+
+		// TLS related settings for connections to the upstream service.
+		tls?: {
+			// OPTIONAL: The path to the file containing certificate authority
+			// certificates to use in verifying a presented server
+			// certificate.
+			caCertificates?: string
+
+			// REQUIRED if mode is `MUTUAL`.
+			clientCertificate?: string
+
+			// The name of the secret that holds the TLS certs for the client
+			// including the CA certificates.
+			credentialName?: string
+
+			// `insecureSkipVerify` specifies whether the proxy should skip
+			// verifying the CA signature and SAN for the server certificate
+			// corresponding to the host.
+			insecureSkipVerify?: null | bool
+
+			// Indicates whether connections to this port should be secured
+			// using TLS.
+			mode?: "DISABLE" | "SIMPLE" | "MUTUAL" | "ISTIO_MUTUAL"
+
+			// REQUIRED if mode is `MUTUAL`.
+			privateKey?: string
+
+			// SNI string to present to the server during TLS handshake.
+			sni?: string
+
+			// A list of alternate names to verify the subject identity in the
+			// certificate.
+			subjectAltNames?: [...string]
+		}
+
+		// Configuration of tunneling TCP over other transport or
+		// application layers for the host configured in the
+		// DestinationRule.
+		tunnel?: {
+			// Specifies which protocol to use for tunneling the downstream
+			// connection.
+			protocol?: string
+
+			// Specifies a host to which the downstream connection is
+			// tunneled.
+			targetHost: string
+
+			// Specifies a port to which the downstream connection is
+			// tunneled.
+			targetPort: int
+		}
+	}
+	workloadSelector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which a policy should be applied.
+		matchLabels?: {
+			[string]: string
+		}
+	}
+}

docs/examples/cue.mod/gen/networking.istio.io/destinationrule/v1beta1/types_gen.cue

@@ -0,0 +1,967 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1beta1
+
+import "strings"
+
+#DestinationRule: {
+	// Configuration affecting load balancing, outlier detection, etc.
+	// See more details at:
+	// https://istio.io/docs/reference/config/networking/destination-rule.html
+	spec!:      #DestinationRuleSpec
+	apiVersion: "networking.istio.io/v1beta1"
+	kind:       "DestinationRule"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting load balancing, outlier detection, etc.
+// See more details at:
+// https://istio.io/docs/reference/config/networking/destination-rule.html
+#DestinationRuleSpec: {
+	// A list of namespaces to which this destination rule is
+	// exported.
+	exportTo?: [...string]
+
+	// The name of a service from the service registry.
+	host: string
+
+	// One or more named sets that represent individual versions of a
+	// service.
+	subsets?: [...{
+		// Labels apply a filter over the endpoints of a service in the
+		// service registry.
+		labels?: {
+			[string]: string
+		}
+
+		// Name of the subset.
+		name: string
+
+		// Traffic policies that apply to this subset.
+		trafficPolicy?: {
+			connectionPool?: {
+				// HTTP connection pool settings.
+				http?: {
+					// Specify if http1.1 connection should be upgraded to http2 for
+					// the associated destination.
+					h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
+
+					// Maximum number of requests that will be queued while waiting
+					// for a ready connection pool connection.
+					http1MaxPendingRequests?: int
+
+					// Maximum number of active requests to a destination.
+					http2MaxRequests?: int
+
+					// The idle timeout for upstream connection pool connections.
+					idleTimeout?: string
+
+					// Maximum number of requests per connection to a backend.
+					maxRequestsPerConnection?: int
+
+					// Maximum number of retries that can be outstanding to all hosts
+					// in a cluster at a given time.
+					maxRetries?: int
+
+					// If set to true, client protocol will be preserved while
+					// initiating connection to backend.
+					useClientProtocol?: bool
+				}
+
+				// Settings common to both HTTP and TCP upstream connections.
+				tcp?: {
+					// TCP connection timeout.
+					connectTimeout?: string
+
+					// The maximum duration of a connection.
+					maxConnectionDuration?: string
+
+					// Maximum number of HTTP1 /TCP connections to a destination host.
+					maxConnections?: int
+
+					// If set then set SO_KEEPALIVE on the socket to enable TCP
+					// Keepalives.
+					tcpKeepalive?: {
+						// The time duration between keep-alive probes.
+						interval?: string
+
+						// Maximum number of keepalive probes to send without response
+						// before deciding the connection is dead.
+						probes?: int
+
+						// The time duration a connection needs to be idle before
+						// keep-alive probes start being sent.
+						time?: string
+					}
+				}
+			}
+
+			// Settings controlling the load balancer algorithms.
+			loadBalancer?: ({} | {
+				simple: _
+			} | {
+				consistentHash: _
+			}) & {
+				consistentHash?: ({} | {
+					httpHeaderName: _
+				} | {
+					httpCookie: _
+				} | {
+					useSourceIp: _
+				} | {
+					httpQueryParameterName: _
+				}) & ({} | {
+					ringHash: _
+				} | {
+					maglev: _
+				}) & {
+					// Hash based on HTTP cookie.
+					httpCookie?: {
+						// Name of the cookie.
+						name: string
+
+						// Path to set for the cookie.
+						path?: string
+
+						// Lifetime of the cookie.
+						ttl?: string
+					}
+
+					// Hash based on a specific HTTP header.
+					httpHeaderName?: string
+
+					// Hash based on a specific HTTP query parameter.
+					httpQueryParameterName?: string
+					maglev?: {
+						// The table size for Maglev hashing.
+						tableSize?: int
+					}
+
+					// Deprecated.
+					minimumRingSize?: int
+					ringHash?: {
+						// The minimum number of virtual nodes to use for the hash ring.
+						minimumRingSize?: int
+					}
+
+					// Hash based on the source IP address.
+					useSourceIp?: bool
+				}
+				localityLbSetting?: {
+					// Optional: only one of distribute, failover or failoverPriority
+					// can be set.
+					distribute?: [...{
+						// Originating locality, '/' separated, e.g.
+						from?: string
+
+						// Map of upstream localities to traffic distribution weights.
+						to?: {
+							[string]: int
+						}
+					}]
+
+					// enable locality load balancing, this is DestinationRule-level
+					// and will override mesh wide settings in entirety.
+					enabled?: null | bool
+
+					// Optional: only one of distribute, failover or failoverPriority
+					// can be set.
+					failover?: [...{
+						// Originating region.
+						from?: string
+
+						// Destination region the traffic will fail over to when endpoints
+						// in the 'from' region becomes unhealthy.
+						to?: string
+					}]
+
+					// failoverPriority is an ordered list of labels used to sort
+					// endpoints to do priority based load balancing.
+					failoverPriority?: [...string]
+				}
+				simple?: "UNSPECIFIED" | "LEAST_CONN" | "RANDOM" | "PASSTHROUGH" | "ROUND_ROBIN" | "LEAST_REQUEST"
+
+				// Represents the warmup duration of Service.
+				warmupDurationSecs?: string
+			}
+			outlierDetection?: {
+				// Minimum ejection duration.
+				baseEjectionTime?: string
+
+				// Number of 5xx errors before a host is ejected from the
+				// connection pool.
+				consecutive5xxErrors?: null | int
+				consecutiveErrors?:    int
+
+				// Number of gateway errors before a host is ejected from the
+				// connection pool.
+				consecutiveGatewayErrors?: null | int
+
+				// The number of consecutive locally originated failures before
+				// ejection occurs.
+				consecutiveLocalOriginFailures?: null | int
+
+				// Time interval between ejection sweep analysis.
+				interval?: string
+
+				// Maximum % of hosts in the load balancing pool for the upstream
+				// service that can be ejected.
+				maxEjectionPercent?: int
+
+				// Outlier detection will be enabled as long as the associated
+				// load balancing pool has at least min_health_percent hosts in
+				// healthy mode.
+				minHealthPercent?: int
+
+				// Determines whether to distinguish local origin failures from
+				// external errors.
+				splitExternalLocalOriginErrors?: bool
+			}
+
+			// Traffic policies specific to individual ports.
+			portLevelSettings?: [...{
+				connectionPool?: {
+					// HTTP connection pool settings.
+					http?: {
+						// Specify if http1.1 connection should be upgraded to http2 for
+						// the associated destination.
+						h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
+
+						// Maximum number of requests that will be queued while waiting
+						// for a ready connection pool connection.
+						http1MaxPendingRequests?: int
+
+						// Maximum number of active requests to a destination.
+						http2MaxRequests?: int
+
+						// The idle timeout for upstream connection pool connections.
+						idleTimeout?: string
+
+						// Maximum number of requests per connection to a backend.
+						maxRequestsPerConnection?: int
+
+						// Maximum number of retries that can be outstanding to all hosts
+						// in a cluster at a given time.
+						maxRetries?: int
+
+						// If set to true, client protocol will be preserved while
+						// initiating connection to backend.
+						useClientProtocol?: bool
+					}
+
+					// Settings common to both HTTP and TCP upstream connections.
+					tcp?: {
+						// TCP connection timeout.
+						connectTimeout?: string
+
+						// The maximum duration of a connection.
+						maxConnectionDuration?: string
+
+						// Maximum number of HTTP1 /TCP connections to a destination host.
+						maxConnections?: int
+
+						// If set then set SO_KEEPALIVE on the socket to enable TCP
+						// Keepalives.
+						tcpKeepalive?: {
+							// The time duration between keep-alive probes.
+							interval?: string
+
+							// Maximum number of keepalive probes to send without response
+							// before deciding the connection is dead.
+							probes?: int
+
+							// The time duration a connection needs to be idle before
+							// keep-alive probes start being sent.
+							time?: string
+						}
+					}
+				}
+
+				// Settings controlling the load balancer algorithms.
+				loadBalancer?: ({} | {
+					simple: _
+				} | {
+					consistentHash: _
+				}) & {
+					consistentHash?: ({} | {
+						httpHeaderName: _
+					} | {
+						httpCookie: _
+					} | {
+						useSourceIp: _
+					} | {
+						httpQueryParameterName: _
+					}) & ({} | {
+						ringHash: _
+					} | {
+						maglev: _
+					}) & {
+						// Hash based on HTTP cookie.
+						httpCookie?: {
+							// Name of the cookie.
+							name: string
+
+							// Path to set for the cookie.
+							path?: string
+
+							// Lifetime of the cookie.
+							ttl?: string
+						}
+
+						// Hash based on a specific HTTP header.
+						httpHeaderName?: string
+
+						// Hash based on a specific HTTP query parameter.
+						httpQueryParameterName?: string
+						maglev?: {
+							// The table size for Maglev hashing.
+							tableSize?: int
+						}
+
+						// Deprecated.
+						minimumRingSize?: int
+						ringHash?: {
+							// The minimum number of virtual nodes to use for the hash ring.
+							minimumRingSize?: int
+						}
+
+						// Hash based on the source IP address.
+						useSourceIp?: bool
+					}
+					localityLbSetting?: {
+						// Optional: only one of distribute, failover or failoverPriority
+						// can be set.
+						distribute?: [...{
+							// Originating locality, '/' separated, e.g.
+							from?: string
+
+							// Map of upstream localities to traffic distribution weights.
+							to?: {
+								[string]: int
+							}
+						}]
+
+						// enable locality load balancing, this is DestinationRule-level
+						// and will override mesh wide settings in entirety.
+						enabled?: null | bool
+
+						// Optional: only one of distribute, failover or failoverPriority
+						// can be set.
+						failover?: [...{
+							// Originating region.
+							from?: string
+
+							// Destination region the traffic will fail over to when endpoints
+							// in the 'from' region becomes unhealthy.
+							to?: string
+						}]
+
+						// failoverPriority is an ordered list of labels used to sort
+						// endpoints to do priority based load balancing.
+						failoverPriority?: [...string]
+					}
+					simple?: "UNSPECIFIED" | "LEAST_CONN" | "RANDOM" | "PASSTHROUGH" | "ROUND_ROBIN" | "LEAST_REQUEST"
+
+					// Represents the warmup duration of Service.
+					warmupDurationSecs?: string
+				}
+				outlierDetection?: {
+					// Minimum ejection duration.
+					baseEjectionTime?: string
+
+					// Number of 5xx errors before a host is ejected from the
+					// connection pool.
+					consecutive5xxErrors?: null | int
+					consecutiveErrors?:    int
+
+					// Number of gateway errors before a host is ejected from the
+					// connection pool.
+					consecutiveGatewayErrors?: null | int
+
+					// The number of consecutive locally originated failures before
+					// ejection occurs.
+					consecutiveLocalOriginFailures?: null | int
+
+					// Time interval between ejection sweep analysis.
+					interval?: string
+
+					// Maximum % of hosts in the load balancing pool for the upstream
+					// service that can be ejected.
+					maxEjectionPercent?: int
+
+					// Outlier detection will be enabled as long as the associated
+					// load balancing pool has at least min_health_percent hosts in
+					// healthy mode.
+					minHealthPercent?: int
+
+					// Determines whether to distinguish local origin failures from
+					// external errors.
+					splitExternalLocalOriginErrors?: bool
+				}
+				port?: {
+					number?: int
+				}
+
+				// TLS related settings for connections to the upstream service.
+				tls?: {
+					// OPTIONAL: The path to the file containing certificate authority
+					// certificates to use in verifying a presented server
+					// certificate.
+					caCertificates?: string
+
+					// REQUIRED if mode is `MUTUAL`.
+					clientCertificate?: string
+
+					// The name of the secret that holds the TLS certs for the client
+					// including the CA certificates.
+					credentialName?: string
+
+					// `insecureSkipVerify` specifies whether the proxy should skip
+					// verifying the CA signature and SAN for the server certificate
+					// corresponding to the host.
+					insecureSkipVerify?: null | bool
+
+					// Indicates whether connections to this port should be secured
+					// using TLS.
+					mode?: "DISABLE" | "SIMPLE" | "MUTUAL" | "ISTIO_MUTUAL"
+
+					// REQUIRED if mode is `MUTUAL`.
+					privateKey?: string
+
+					// SNI string to present to the server during TLS handshake.
+					sni?: string
+
+					// A list of alternate names to verify the subject identity in the
+					// certificate.
+					subjectAltNames?: [...string]
+				}
+			}]
+
+			// TLS related settings for connections to the upstream service.
+			tls?: {
+				// OPTIONAL: The path to the file containing certificate authority
+				// certificates to use in verifying a presented server
+				// certificate.
+				caCertificates?: string
+
+				// REQUIRED if mode is `MUTUAL`.
+				clientCertificate?: string
+
+				// The name of the secret that holds the TLS certs for the client
+				// including the CA certificates.
+				credentialName?: string
+
+				// `insecureSkipVerify` specifies whether the proxy should skip
+				// verifying the CA signature and SAN for the server certificate
+				// corresponding to the host.
+				insecureSkipVerify?: null | bool
+
+				// Indicates whether connections to this port should be secured
+				// using TLS.
+				mode?: "DISABLE" | "SIMPLE" | "MUTUAL" | "ISTIO_MUTUAL"
+
+				// REQUIRED if mode is `MUTUAL`.
+				privateKey?: string
+
+				// SNI string to present to the server during TLS handshake.
+				sni?: string
+
+				// A list of alternate names to verify the subject identity in the
+				// certificate.
+				subjectAltNames?: [...string]
+			}
+
+			// Configuration of tunneling TCP over other transport or
+			// application layers for the host configured in the
+			// DestinationRule.
+			tunnel?: {
+				// Specifies which protocol to use for tunneling the downstream
+				// connection.
+				protocol?: string
+
+				// Specifies a host to which the downstream connection is
+				// tunneled.
+				targetHost: string
+
+				// Specifies a port to which the downstream connection is
+				// tunneled.
+				targetPort: int
+			}
+		}
+	}]
+
+	// Traffic policies to apply (load balancing policy, connection
+	// pool sizes, outlier detection).
+	trafficPolicy?: {
+		connectionPool?: {
+			// HTTP connection pool settings.
+			http?: {
+				// Specify if http1.1 connection should be upgraded to http2 for
+				// the associated destination.
+				h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
+
+				// Maximum number of requests that will be queued while waiting
+				// for a ready connection pool connection.
+				http1MaxPendingRequests?: int
+
+				// Maximum number of active requests to a destination.
+				http2MaxRequests?: int
+
+				// The idle timeout for upstream connection pool connections.
+				idleTimeout?: string
+
+				// Maximum number of requests per connection to a backend.
+				maxRequestsPerConnection?: int
+
+				// Maximum number of retries that can be outstanding to all hosts
+				// in a cluster at a given time.
+				maxRetries?: int
+
+				// If set to true, client protocol will be preserved while
+				// initiating connection to backend.
+				useClientProtocol?: bool
+			}
+
+			// Settings common to both HTTP and TCP upstream connections.
+			tcp?: {
+				// TCP connection timeout.
+				connectTimeout?: string
+
+				// The maximum duration of a connection.
+				maxConnectionDuration?: string
+
+				// Maximum number of HTTP1 /TCP connections to a destination host.
+				maxConnections?: int
+
+				// If set then set SO_KEEPALIVE on the socket to enable TCP
+				// Keepalives.
+				tcpKeepalive?: {
+					// The time duration between keep-alive probes.
+					interval?: string
+
+					// Maximum number of keepalive probes to send without response
+					// before deciding the connection is dead.
+					probes?: int
+
+					// The time duration a connection needs to be idle before
+					// keep-alive probes start being sent.
+					time?: string
+				}
+			}
+		}
+
+		// Settings controlling the load balancer algorithms.
+		loadBalancer?: ({} | {
+			simple: _
+		} | {
+			consistentHash: _
+		}) & {
+			consistentHash?: ({} | {
+				httpHeaderName: _
+			} | {
+				httpCookie: _
+			} | {
+				useSourceIp: _
+			} | {
+				httpQueryParameterName: _
+			}) & ({} | {
+				ringHash: _
+			} | {
+				maglev: _
+			}) & {
+				// Hash based on HTTP cookie.
+				httpCookie?: {
+					// Name of the cookie.
+					name: string
+
+					// Path to set for the cookie.
+					path?: string
+
+					// Lifetime of the cookie.
+					ttl?: string
+				}
+
+				// Hash based on a specific HTTP header.
+				httpHeaderName?: string
+
+				// Hash based on a specific HTTP query parameter.
+				httpQueryParameterName?: string
+				maglev?: {
+					// The table size for Maglev hashing.
+					tableSize?: int
+				}
+
+				// Deprecated.
+				minimumRingSize?: int
+				ringHash?: {
+					// The minimum number of virtual nodes to use for the hash ring.
+					minimumRingSize?: int
+				}
+
+				// Hash based on the source IP address.
+				useSourceIp?: bool
+			}
+			localityLbSetting?: {
+				// Optional: only one of distribute, failover or failoverPriority
+				// can be set.
+				distribute?: [...{
+					// Originating locality, '/' separated, e.g.
+					from?: string
+
+					// Map of upstream localities to traffic distribution weights.
+					to?: {
+						[string]: int
+					}
+				}]
+
+				// enable locality load balancing, this is DestinationRule-level
+				// and will override mesh wide settings in entirety.
+				enabled?: null | bool
+
+				// Optional: only one of distribute, failover or failoverPriority
+				// can be set.
+				failover?: [...{
+					// Originating region.
+					from?: string
+
+					// Destination region the traffic will fail over to when endpoints
+					// in the 'from' region becomes unhealthy.
+					to?: string
+				}]
+
+				// failoverPriority is an ordered list of labels used to sort
+				// endpoints to do priority based load balancing.
+				failoverPriority?: [...string]
+			}
+			simple?: "UNSPECIFIED" | "LEAST_CONN" | "RANDOM" | "PASSTHROUGH" | "ROUND_ROBIN" | "LEAST_REQUEST"
+
+			// Represents the warmup duration of Service.
+			warmupDurationSecs?: string
+		}
+		outlierDetection?: {
+			// Minimum ejection duration.
+			baseEjectionTime?: string
+
+			// Number of 5xx errors before a host is ejected from the
+			// connection pool.
+			consecutive5xxErrors?: null | int
+			consecutiveErrors?:    int
+
+			// Number of gateway errors before a host is ejected from the
+			// connection pool.
+			consecutiveGatewayErrors?: null | int
+
+			// The number of consecutive locally originated failures before
+			// ejection occurs.
+			consecutiveLocalOriginFailures?: null | int
+
+			// Time interval between ejection sweep analysis.
+			interval?: string
+
+			// Maximum % of hosts in the load balancing pool for the upstream
+			// service that can be ejected.
+			maxEjectionPercent?: int
+
+			// Outlier detection will be enabled as long as the associated
+			// load balancing pool has at least min_health_percent hosts in
+			// healthy mode.
+			minHealthPercent?: int
+
+			// Determines whether to distinguish local origin failures from
+			// external errors.
+			splitExternalLocalOriginErrors?: bool
+		}
+
+		// Traffic policies specific to individual ports.
+		portLevelSettings?: [...{
+			connectionPool?: {
+				// HTTP connection pool settings.
+				http?: {
+					// Specify if http1.1 connection should be upgraded to http2 for
+					// the associated destination.
+					h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
+
+					// Maximum number of requests that will be queued while waiting
+					// for a ready connection pool connection.
+					http1MaxPendingRequests?: int
+
+					// Maximum number of active requests to a destination.
+					http2MaxRequests?: int
+
+					// The idle timeout for upstream connection pool connections.
+					idleTimeout?: string
+
+					// Maximum number of requests per connection to a backend.
+					maxRequestsPerConnection?: int
+
+					// Maximum number of retries that can be outstanding to all hosts
+					// in a cluster at a given time.
+					maxRetries?: int
+
+					// If set to true, client protocol will be preserved while
+					// initiating connection to backend.
+					useClientProtocol?: bool
+				}
+
+				// Settings common to both HTTP and TCP upstream connections.
+				tcp?: {
+					// TCP connection timeout.
+					connectTimeout?: string
+
+					// The maximum duration of a connection.
+					maxConnectionDuration?: string
+
+					// Maximum number of HTTP1 /TCP connections to a destination host.
+					maxConnections?: int
+
+					// If set then set SO_KEEPALIVE on the socket to enable TCP
+					// Keepalives.
+					tcpKeepalive?: {
+						// The time duration between keep-alive probes.
+						interval?: string
+
+						// Maximum number of keepalive probes to send without response
+						// before deciding the connection is dead.
+						probes?: int
+
+						// The time duration a connection needs to be idle before
+						// keep-alive probes start being sent.
+						time?: string
+					}
+				}
+			}
+
+			// Settings controlling the load balancer algorithms.
+			loadBalancer?: ({} | {
+				simple: _
+			} | {
+				consistentHash: _
+			}) & {
+				consistentHash?: ({} | {
+					httpHeaderName: _
+				} | {
+					httpCookie: _
+				} | {
+					useSourceIp: _
+				} | {
+					httpQueryParameterName: _
+				}) & ({} | {
+					ringHash: _
+				} | {
+					maglev: _
+				}) & {
+					// Hash based on HTTP cookie.
+					httpCookie?: {
+						// Name of the cookie.
+						name: string
+
+						// Path to set for the cookie.
+						path?: string
+
+						// Lifetime of the cookie.
+						ttl?: string
+					}
+
+					// Hash based on a specific HTTP header.
+					httpHeaderName?: string
+
+					// Hash based on a specific HTTP query parameter.
+					httpQueryParameterName?: string
+					maglev?: {
+						// The table size for Maglev hashing.
+						tableSize?: int
+					}
+
+					// Deprecated.
+					minimumRingSize?: int
+					ringHash?: {
+						// The minimum number of virtual nodes to use for the hash ring.
+						minimumRingSize?: int
+					}
+
+					// Hash based on the source IP address.
+					useSourceIp?: bool
+				}
+				localityLbSetting?: {
+					// Optional: only one of distribute, failover or failoverPriority
+					// can be set.
+					distribute?: [...{
+						// Originating locality, '/' separated, e.g.
+						from?: string
+
+						// Map of upstream localities to traffic distribution weights.
+						to?: {
+							[string]: int
+						}
+					}]
+
+					// enable locality load balancing, this is DestinationRule-level
+					// and will override mesh wide settings in entirety.
+					enabled?: null | bool
+
+					// Optional: only one of distribute, failover or failoverPriority
+					// can be set.
+					failover?: [...{
+						// Originating region.
+						from?: string
+
+						// Destination region the traffic will fail over to when endpoints
+						// in the 'from' region becomes unhealthy.
+						to?: string
+					}]
+
+					// failoverPriority is an ordered list of labels used to sort
+					// endpoints to do priority based load balancing.
+					failoverPriority?: [...string]
+				}
+				simple?: "UNSPECIFIED" | "LEAST_CONN" | "RANDOM" | "PASSTHROUGH" | "ROUND_ROBIN" | "LEAST_REQUEST"
+
+				// Represents the warmup duration of Service.
+				warmupDurationSecs?: string
+			}
+			outlierDetection?: {
+				// Minimum ejection duration.
+				baseEjectionTime?: string
+
+				// Number of 5xx errors before a host is ejected from the
+				// connection pool.
+				consecutive5xxErrors?: null | int
+				consecutiveErrors?:    int
+
+				// Number of gateway errors before a host is ejected from the
+				// connection pool.
+				consecutiveGatewayErrors?: null | int
+
+				// The number of consecutive locally originated failures before
+				// ejection occurs.
+				consecutiveLocalOriginFailures?: null | int
+
+				// Time interval between ejection sweep analysis.
+				interval?: string
+
+				// Maximum % of hosts in the load balancing pool for the upstream
+				// service that can be ejected.
+				maxEjectionPercent?: int
+
+				// Outlier detection will be enabled as long as the associated
+				// load balancing pool has at least min_health_percent hosts in
+				// healthy mode.
+				minHealthPercent?: int
+
+				// Determines whether to distinguish local origin failures from
+				// external errors.
+				splitExternalLocalOriginErrors?: bool
+			}
+			port?: {
+				number?: int
+			}
+
+			// TLS related settings for connections to the upstream service.
+			tls?: {
+				// OPTIONAL: The path to the file containing certificate authority
+				// certificates to use in verifying a presented server
+				// certificate.
+				caCertificates?: string
+
+				// REQUIRED if mode is `MUTUAL`.
+				clientCertificate?: string
+
+				// The name of the secret that holds the TLS certs for the client
+				// including the CA certificates.
+				credentialName?: string
+
+				// `insecureSkipVerify` specifies whether the proxy should skip
+				// verifying the CA signature and SAN for the server certificate
+				// corresponding to the host.
+				insecureSkipVerify?: null | bool
+
+				// Indicates whether connections to this port should be secured
+				// using TLS.
+				mode?: "DISABLE" | "SIMPLE" | "MUTUAL" | "ISTIO_MUTUAL"
+
+				// REQUIRED if mode is `MUTUAL`.
+				privateKey?: string
+
+				// SNI string to present to the server during TLS handshake.
+				sni?: string
+
+				// A list of alternate names to verify the subject identity in the
+				// certificate.
+				subjectAltNames?: [...string]
+			}
+		}]
+
+		// TLS related settings for connections to the upstream service.
+		tls?: {
+			// OPTIONAL: The path to the file containing certificate authority
+			// certificates to use in verifying a presented server
+			// certificate.
+			caCertificates?: string
+
+			// REQUIRED if mode is `MUTUAL`.
+			clientCertificate?: string
+
+			// The name of the secret that holds the TLS certs for the client
+			// including the CA certificates.
+			credentialName?: string
+
+			// `insecureSkipVerify` specifies whether the proxy should skip
+			// verifying the CA signature and SAN for the server certificate
+			// corresponding to the host.
+			insecureSkipVerify?: null | bool
+
+			// Indicates whether connections to this port should be secured
+			// using TLS.
+			mode?: "DISABLE" | "SIMPLE" | "MUTUAL" | "ISTIO_MUTUAL"
+
+			// REQUIRED if mode is `MUTUAL`.
+			privateKey?: string
+
+			// SNI string to present to the server during TLS handshake.
+			sni?: string
+
+			// A list of alternate names to verify the subject identity in the
+			// certificate.
+			subjectAltNames?: [...string]
+		}
+
+		// Configuration of tunneling TCP over other transport or
+		// application layers for the host configured in the
+		// DestinationRule.
+		tunnel?: {
+			// Specifies which protocol to use for tunneling the downstream
+			// connection.
+			protocol?: string
+
+			// Specifies a host to which the downstream connection is
+			// tunneled.
+			targetHost: string
+
+			// Specifies a port to which the downstream connection is
+			// tunneled.
+			targetPort: int
+		}
+	}
+	workloadSelector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which a policy should be applied.
+		matchLabels?: {
+			[string]: string
+		}
+	}
+}

docs/examples/cue.mod/gen/networking.istio.io/envoyfilter/v1alpha3/types_gen.cue

@@ -0,0 +1,185 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1alpha3
+
+import "strings"
+
+#EnvoyFilter: {
+	// Customizing Envoy configuration generated by Istio. See more
+	// details at:
+	// https://istio.io/docs/reference/config/networking/envoy-filter.html
+	spec!:      #EnvoyFilterSpec
+	apiVersion: "networking.istio.io/v1alpha3"
+	kind:       "EnvoyFilter"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Customizing Envoy configuration generated by Istio. See more
+// details at:
+// https://istio.io/docs/reference/config/networking/envoy-filter.html
+#EnvoyFilterSpec: {
+	// One or more patches with match conditions.
+	configPatches?: [...{
+		// Specifies where in the Envoy configuration, the patch should be
+		// applied.
+		applyTo?: "INVALID" | "LISTENER" | "FILTER_CHAIN" | "NETWORK_FILTER" | "HTTP_FILTER" | "ROUTE_CONFIGURATION" | "VIRTUAL_HOST" | "HTTP_ROUTE" | "CLUSTER" | "EXTENSION_CONFIG" | "BOOTSTRAP" | "LISTENER_FILTER"
+
+		// Match on listener/route configuration/cluster.
+		match?: ({} | {
+			listener: _
+		} | {
+			routeConfiguration: _
+		} | {
+			cluster: _
+		}) & {
+			// Match on envoy cluster attributes.
+			cluster?: {
+				// The exact name of the cluster to match.
+				name?: string
+
+				// The service port for which this cluster was generated.
+				portNumber?: int
+
+				// The fully qualified service name for this cluster.
+				service?: string
+
+				// The subset associated with the service.
+				subset?: string
+			}
+
+			// The specific config generation context to match on.
+			context?: "ANY" | "SIDECAR_INBOUND" | "SIDECAR_OUTBOUND" | "GATEWAY"
+
+			// Match on envoy listener attributes.
+			listener?: {
+				// Match a specific filter chain in a listener.
+				filterChain?: {
+					// Applies only to sidecars.
+					applicationProtocols?: string
+
+					// The destination_port value used by a filter chain's match
+					// condition.
+					destinationPort?: int
+
+					// The name of a specific filter to apply the patch to.
+					filter?: {
+						// The filter name to match on.
+						name?: string
+						subFilter?: {
+							// The filter name to match on.
+							name?: string
+						}
+					}
+
+					// The name assigned to the filter chain.
+					name?: string
+
+					// The SNI value used by a filter chain's match condition.
+					sni?: string
+
+					// Applies only to `SIDECAR_INBOUND` context.
+					transportProtocol?: string
+				}
+
+				// Match a specific listener filter.
+				listenerFilter?: string
+
+				// Match a specific listener by its name.
+				name?:     string
+				portName?: string
+
+				// The service port/gateway port to which traffic is being
+				// sent/received.
+				portNumber?: int
+			}
+
+			// Match on properties associated with a proxy.
+			proxy?: {
+				// Match on the node metadata supplied by a proxy when connecting
+				// to Istio Pilot.
+				metadata?: {
+					[string]: string
+				}
+
+				// A regular expression in golang regex format (RE2) that can be
+				// used to select proxies using a specific version of istio
+				// proxy.
+				proxyVersion?: string
+			}
+
+			// Match on envoy HTTP route configuration attributes.
+			routeConfiguration?: {
+				// The Istio gateway config's namespace/name for which this route
+				// configuration was generated.
+				gateway?: string
+
+				// Route configuration name to match on.
+				name?: string
+
+				// Applicable only for GATEWAY context.
+				portName?: string
+
+				// The service port number or gateway server port number for which
+				// this route configuration was generated.
+				portNumber?: int
+
+				// Match a specific virtual host in a route configuration and
+				// apply the patch to the virtual host.
+				vhost?: {
+					// The VirtualHosts objects generated by Istio are named as
+					// host:port, where the host typically corresponds to the
+					// VirtualService's host field or the hostname of a service in
+					// the registry.
+					name?: string
+
+					// Match a specific route within the virtual host.
+					route?: {
+						// Match a route with specific action type.
+						action?: "ANY" | "ROUTE" | "REDIRECT" | "DIRECT_RESPONSE"
+
+						// The Route objects generated by default are named as default.
+						name?: string
+					}
+				}
+			}
+		}
+
+		// The patch to apply along with the operation.
+		patch?: {
+			// Determines the filter insertion order.
+			filterClass?: "UNSPECIFIED" | "AUTHN" | "AUTHZ" | "STATS"
+
+			// Determines how the patch should be applied.
+			operation?: "INVALID" | "MERGE" | "ADD" | "REMOVE" | "INSERT_BEFORE" | "INSERT_AFTER" | "INSERT_FIRST" | "REPLACE"
+
+			// The JSON config of the object being patched.
+			value?: {}
+		}
+	}]
+
+	// Priority defines the order in which patch sets are applied
+	// within a context.
+	priority?: int
+	workloadSelector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which the configuration should be applied.
+		labels?: {
+			[string]: string
+		}
+	}
+}

docs/examples/cue.mod/gen/networking.istio.io/gateway/v1alpha3/types_gen.cue

@@ -0,0 +1,115 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1alpha3
+
+import "strings"
+
+#Gateway: {
+	// Configuration affecting edge load balancer. See more details
+	// at:
+	// https://istio.io/docs/reference/config/networking/gateway.html
+	spec!:      #GatewaySpec
+	apiVersion: "networking.istio.io/v1alpha3"
+	kind:       "Gateway"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting edge load balancer. See more details
+// at:
+// https://istio.io/docs/reference/config/networking/gateway.html
+#GatewaySpec: {
+	// One or more labels that indicate a specific set of pods/VMs on
+	// which this gateway configuration should be applied.
+	selector?: {
+		[string]: string
+	}
+
+	// A list of server specifications.
+	servers?: [...{
+		// The ip or the Unix domain socket to which the listener should
+		// be bound to.
+		bind?:            string
+		defaultEndpoint?: string
+
+		// One or more hosts exposed by this gateway.
+		hosts: [...string]
+
+		// An optional name of the server, when set must be unique across
+		// all servers.
+		name?: string
+
+		// The Port on which the proxy should listen for incoming
+		// connections.
+		port: {
+			// Label assigned to the port.
+			name: string
+
+			// A valid non-negative integer port number.
+			number: int
+
+			// The protocol exposed on the port.
+			protocol:    string
+			targetPort?: int
+		}
+
+		// Set of TLS related options that govern the server's behavior.
+		tls?: {
+			// REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
+			caCertificates?: string
+
+			// Optional: If specified, only support the specified cipher list.
+			cipherSuites?: [...string]
+
+			// For gateways running on Kubernetes, the name of the secret that
+			// holds the TLS certs including the CA certificates.
+			credentialName?: string
+
+			// If set to true, the load balancer will send a 301 redirect for
+			// all http connections, asking the clients to use HTTPS.
+			httpsRedirect?: bool
+
+			// Optional: Maximum TLS protocol version.
+			maxProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
+
+			// Optional: Minimum TLS protocol version.
+			minProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
+
+			// Optional: Indicates whether connections to this port should be
+			// secured using TLS.
+			mode?: "PASSTHROUGH" | "SIMPLE" | "MUTUAL" | "AUTO_PASSTHROUGH" | "ISTIO_MUTUAL" | "OPTIONAL_MUTUAL"
+
+			// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+			privateKey?: string
+
+			// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+			serverCertificate?: string
+
+			// A list of alternate names to verify the subject identity in the
+			// certificate presented by the client.
+			subjectAltNames?: [...string]
+
+			// An optional list of hex-encoded SHA-256 hashes of the
+			// authorized client certificates.
+			verifyCertificateHash?: [...string]
+
+			// An optional list of base64-encoded SHA-256 hashes of the SPKIs
+			// of authorized client certificates.
+			verifyCertificateSpki?: [...string]
+		}
+	}]
+}

docs/examples/cue.mod/gen/networking.istio.io/gateway/v1beta1/types_gen.cue

@@ -0,0 +1,115 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1beta1
+
+import "strings"
+
+#Gateway: {
+	// Configuration affecting edge load balancer. See more details
+	// at:
+	// https://istio.io/docs/reference/config/networking/gateway.html
+	spec!:      #GatewaySpec
+	apiVersion: "networking.istio.io/v1beta1"
+	kind:       "Gateway"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting edge load balancer. See more details
+// at:
+// https://istio.io/docs/reference/config/networking/gateway.html
+#GatewaySpec: {
+	// One or more labels that indicate a specific set of pods/VMs on
+	// which this gateway configuration should be applied.
+	selector?: {
+		[string]: string
+	}
+
+	// A list of server specifications.
+	servers?: [...{
+		// The ip or the Unix domain socket to which the listener should
+		// be bound to.
+		bind?:            string
+		defaultEndpoint?: string
+
+		// One or more hosts exposed by this gateway.
+		hosts: [...string]
+
+		// An optional name of the server, when set must be unique across
+		// all servers.
+		name?: string
+
+		// The Port on which the proxy should listen for incoming
+		// connections.
+		port: {
+			// Label assigned to the port.
+			name: string
+
+			// A valid non-negative integer port number.
+			number: int
+
+			// The protocol exposed on the port.
+			protocol:    string
+			targetPort?: int
+		}
+
+		// Set of TLS related options that govern the server's behavior.
+		tls?: {
+			// REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
+			caCertificates?: string
+
+			// Optional: If specified, only support the specified cipher list.
+			cipherSuites?: [...string]
+
+			// For gateways running on Kubernetes, the name of the secret that
+			// holds the TLS certs including the CA certificates.
+			credentialName?: string
+
+			// If set to true, the load balancer will send a 301 redirect for
+			// all http connections, asking the clients to use HTTPS.
+			httpsRedirect?: bool
+
+			// Optional: Maximum TLS protocol version.
+			maxProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
+
+			// Optional: Minimum TLS protocol version.
+			minProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
+
+			// Optional: Indicates whether connections to this port should be
+			// secured using TLS.
+			mode?: "PASSTHROUGH" | "SIMPLE" | "MUTUAL" | "AUTO_PASSTHROUGH" | "ISTIO_MUTUAL" | "OPTIONAL_MUTUAL"
+
+			// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+			privateKey?: string
+
+			// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+			serverCertificate?: string
+
+			// A list of alternate names to verify the subject identity in the
+			// certificate presented by the client.
+			subjectAltNames?: [...string]
+
+			// An optional list of hex-encoded SHA-256 hashes of the
+			// authorized client certificates.
+			verifyCertificateHash?: [...string]
+
+			// An optional list of base64-encoded SHA-256 hashes of the SPKIs
+			// of authorized client certificates.
+			verifyCertificateSpki?: [...string]
+		}
+	}]
+}

docs/examples/cue.mod/gen/networking.istio.io/proxyconfig/v1beta1/types_gen.cue

@@ -0,0 +1,54 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1beta1
+
+import "strings"
+
+#ProxyConfig: {
+	// Provides configuration for individual workloads. See more
+	// details at:
+	// https://istio.io/docs/reference/config/networking/proxy-config.html
+	spec!:      #ProxyConfigSpec
+	apiVersion: "networking.istio.io/v1beta1"
+	kind:       "ProxyConfig"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Provides configuration for individual workloads. See more
+// details at:
+// https://istio.io/docs/reference/config/networking/proxy-config.html
+#ProxyConfigSpec: {
+	// The number of worker threads to run.
+	concurrency?: null | int
+
+	// Additional environment variables for the proxy.
+	environmentVariables?: {
+		[string]: string
+	}
+	image?: {
+		// The image type of the image.
+		imageType?: string
+	}
+	selector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which a policy should be applied.
+		matchLabels?: {
+			[string]: string
+		}
+	}
+}

docs/examples/cue.mod/gen/networking.istio.io/serviceentry/v1alpha3/types_gen.cue

@@ -0,0 +1,107 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1alpha3
+
+import "strings"
+
+#ServiceEntry: {
+	// Configuration affecting service registry. See more details at:
+	// https://istio.io/docs/reference/config/networking/service-entry.html
+	spec!:      #ServiceEntrySpec
+	apiVersion: "networking.istio.io/v1alpha3"
+	kind:       "ServiceEntry"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting service registry. See more details at:
+// https://istio.io/docs/reference/config/networking/service-entry.html
+#ServiceEntrySpec: {
+	// The virtual IP addresses associated with the service.
+	addresses?: [...string]
+
+	// One or more endpoints associated with the service.
+	endpoints?: [...{
+		// Address associated with the network endpoint without the port.
+		address?: string
+
+		// One or more labels associated with the endpoint.
+		labels?: {
+			[string]: string
+		}
+
+		// The locality associated with the endpoint.
+		locality?: string
+
+		// Network enables Istio to group endpoints resident in the same
+		// L3 domain/network.
+		network?: string
+
+		// Set of ports associated with the endpoint.
+		ports?: {
+			[string]: int
+		}
+
+		// The service account associated with the workload if a sidecar
+		// is present in the workload.
+		serviceAccount?: string
+
+		// The load balancing weight associated with the endpoint.
+		weight?: int
+	}]
+
+	// A list of namespaces to which this service is exported.
+	exportTo?: [...string]
+
+	// The hosts associated with the ServiceEntry.
+	hosts: [...string]
+
+	// Specify whether the service should be considered external to
+	// the mesh or part of the mesh.
+	location?: "MESH_EXTERNAL" | "MESH_INTERNAL"
+
+	// The ports associated with the external service.
+	ports?: [...{
+		// Label assigned to the port.
+		name: string
+
+		// A valid non-negative integer port number.
+		number: int
+
+		// The protocol exposed on the port.
+		protocol?: string
+
+		// The port number on the endpoint where the traffic will be
+		// received.
+		targetPort?: int
+	}]
+
+	// Service resolution mode for the hosts.
+	resolution?: "NONE" | "STATIC" | "DNS" | "DNS_ROUND_ROBIN"
+
+	// If specified, the proxy will verify that the server
+	// certificate's subject alternate name matches one of the
+	// specified values.
+	subjectAltNames?: [...string]
+	workloadSelector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which the configuration should be applied.
+		labels?: {
+			[string]: string
+		}
+	}
+}

docs/examples/cue.mod/gen/networking.istio.io/serviceentry/v1beta1/types_gen.cue

@@ -0,0 +1,107 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1beta1
+
+import "strings"
+
+#ServiceEntry: {
+	// Configuration affecting service registry. See more details at:
+	// https://istio.io/docs/reference/config/networking/service-entry.html
+	spec!:      #ServiceEntrySpec
+	apiVersion: "networking.istio.io/v1beta1"
+	kind:       "ServiceEntry"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting service registry. See more details at:
+// https://istio.io/docs/reference/config/networking/service-entry.html
+#ServiceEntrySpec: {
+	// The virtual IP addresses associated with the service.
+	addresses?: [...string]
+
+	// One or more endpoints associated with the service.
+	endpoints?: [...{
+		// Address associated with the network endpoint without the port.
+		address?: string
+
+		// One or more labels associated with the endpoint.
+		labels?: {
+			[string]: string
+		}
+
+		// The locality associated with the endpoint.
+		locality?: string
+
+		// Network enables Istio to group endpoints resident in the same
+		// L3 domain/network.
+		network?: string
+
+		// Set of ports associated with the endpoint.
+		ports?: {
+			[string]: int
+		}
+
+		// The service account associated with the workload if a sidecar
+		// is present in the workload.
+		serviceAccount?: string
+
+		// The load balancing weight associated with the endpoint.
+		weight?: int
+	}]
+
+	// A list of namespaces to which this service is exported.
+	exportTo?: [...string]
+
+	// The hosts associated with the ServiceEntry.
+	hosts: [...string]
+
+	// Specify whether the service should be considered external to
+	// the mesh or part of the mesh.
+	location?: "MESH_EXTERNAL" | "MESH_INTERNAL"
+
+	// The ports associated with the external service.
+	ports?: [...{
+		// Label assigned to the port.
+		name: string
+
+		// A valid non-negative integer port number.
+		number: int
+
+		// The protocol exposed on the port.
+		protocol?: string
+
+		// The port number on the endpoint where the traffic will be
+		// received.
+		targetPort?: int
+	}]
+
+	// Service resolution mode for the hosts.
+	resolution?: "NONE" | "STATIC" | "DNS" | "DNS_ROUND_ROBIN"
+
+	// If specified, the proxy will verify that the server
+	// certificate's subject alternate name matches one of the
+	// specified values.
+	subjectAltNames?: [...string]
+	workloadSelector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which the configuration should be applied.
+		labels?: {
+			[string]: string
+		}
+	}
+}

docs/examples/cue.mod/gen/networking.istio.io/sidecar/v1alpha3/types_gen.cue

@@ -0,0 +1,280 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1alpha3
+
+import "strings"
+
+#Sidecar: {
+	// Configuration affecting network reachability of a sidecar. See
+	// more details at:
+	// https://istio.io/docs/reference/config/networking/sidecar.html
+	spec!:      #SidecarSpec
+	apiVersion: "networking.istio.io/v1alpha3"
+	kind:       "Sidecar"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting network reachability of a sidecar. See
+// more details at:
+// https://istio.io/docs/reference/config/networking/sidecar.html
+#SidecarSpec: {
+	// Egress specifies the configuration of the sidecar for
+	// processing outbound traffic from the attached workload
+	// instance to other services in the mesh.
+	egress?: [...{
+		// The IP(IPv4 or IPv6) or the Unix domain socket to which the
+		// listener should be bound to.
+		bind?: string
+
+		// When the bind address is an IP, the captureMode option dictates
+		// how traffic to the listener is expected to be captured (or
+		// not).
+		captureMode?: "DEFAULT" | "IPTABLES" | "NONE"
+
+		// One or more service hosts exposed by the listener in
+		// `namespace/dnsName` format.
+		hosts: [...string]
+
+		// The port associated with the listener.
+		port?: {
+			// Label assigned to the port.
+			name?: string
+
+			// A valid non-negative integer port number.
+			number?: int
+
+			// The protocol exposed on the port.
+			protocol?:   string
+			targetPort?: int
+		}
+	}]
+
+	// Settings controlling the volume of connections Envoy will
+	// accept from the network.
+	inboundConnectionPool?: {
+		// HTTP connection pool settings.
+		http?: {
+			// Specify if http1.1 connection should be upgraded to http2 for
+			// the associated destination.
+			h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
+
+			// Maximum number of requests that will be queued while waiting
+			// for a ready connection pool connection.
+			http1MaxPendingRequests?: int
+
+			// Maximum number of active requests to a destination.
+			http2MaxRequests?: int
+
+			// The idle timeout for upstream connection pool connections.
+			idleTimeout?: string
+
+			// Maximum number of requests per connection to a backend.
+			maxRequestsPerConnection?: int
+
+			// Maximum number of retries that can be outstanding to all hosts
+			// in a cluster at a given time.
+			maxRetries?: int
+
+			// If set to true, client protocol will be preserved while
+			// initiating connection to backend.
+			useClientProtocol?: bool
+		}
+
+		// Settings common to both HTTP and TCP upstream connections.
+		tcp?: {
+			// TCP connection timeout.
+			connectTimeout?: string
+
+			// The maximum duration of a connection.
+			maxConnectionDuration?: string
+
+			// Maximum number of HTTP1 /TCP connections to a destination host.
+			maxConnections?: int
+
+			// If set then set SO_KEEPALIVE on the socket to enable TCP
+			// Keepalives.
+			tcpKeepalive?: {
+				// The time duration between keep-alive probes.
+				interval?: string
+
+				// Maximum number of keepalive probes to send without response
+				// before deciding the connection is dead.
+				probes?: int
+
+				// The time duration a connection needs to be idle before
+				// keep-alive probes start being sent.
+				time?: string
+			}
+		}
+	}
+
+	// Ingress specifies the configuration of the sidecar for
+	// processing inbound traffic to the attached workload instance.
+	ingress?: [...{
+		// The IP(IPv4 or IPv6) to which the listener should be bound.
+		bind?: string
+
+		// The captureMode option dictates how traffic to the listener is
+		// expected to be captured (or not).
+		captureMode?: "DEFAULT" | "IPTABLES" | "NONE"
+
+		// Settings controlling the volume of connections Envoy will
+		// accept from the network.
+		connectionPool?: {
+			// HTTP connection pool settings.
+			http?: {
+				// Specify if http1.1 connection should be upgraded to http2 for
+				// the associated destination.
+				h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
+
+				// Maximum number of requests that will be queued while waiting
+				// for a ready connection pool connection.
+				http1MaxPendingRequests?: int
+
+				// Maximum number of active requests to a destination.
+				http2MaxRequests?: int
+
+				// The idle timeout for upstream connection pool connections.
+				idleTimeout?: string
+
+				// Maximum number of requests per connection to a backend.
+				maxRequestsPerConnection?: int
+
+				// Maximum number of retries that can be outstanding to all hosts
+				// in a cluster at a given time.
+				maxRetries?: int
+
+				// If set to true, client protocol will be preserved while
+				// initiating connection to backend.
+				useClientProtocol?: bool
+			}
+
+			// Settings common to both HTTP and TCP upstream connections.
+			tcp?: {
+				// TCP connection timeout.
+				connectTimeout?: string
+
+				// The maximum duration of a connection.
+				maxConnectionDuration?: string
+
+				// Maximum number of HTTP1 /TCP connections to a destination host.
+				maxConnections?: int
+
+				// If set then set SO_KEEPALIVE on the socket to enable TCP
+				// Keepalives.
+				tcpKeepalive?: {
+					// The time duration between keep-alive probes.
+					interval?: string
+
+					// Maximum number of keepalive probes to send without response
+					// before deciding the connection is dead.
+					probes?: int
+
+					// The time duration a connection needs to be idle before
+					// keep-alive probes start being sent.
+					time?: string
+				}
+			}
+		}
+
+		// The IP endpoint or Unix domain socket to which traffic should
+		// be forwarded to.
+		defaultEndpoint?: string
+
+		// The port associated with the listener.
+		port: {
+			// Label assigned to the port.
+			name?: string
+
+			// A valid non-negative integer port number.
+			number?: int
+
+			// The protocol exposed on the port.
+			protocol?:   string
+			targetPort?: int
+		}
+
+		// Set of TLS related options that will enable TLS termination on
+		// the sidecar for requests originating from outside the mesh.
+		tls?: {
+			// REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
+			caCertificates?: string
+
+			// Optional: If specified, only support the specified cipher list.
+			cipherSuites?: [...string]
+
+			// For gateways running on Kubernetes, the name of the secret that
+			// holds the TLS certs including the CA certificates.
+			credentialName?: string
+
+			// If set to true, the load balancer will send a 301 redirect for
+			// all http connections, asking the clients to use HTTPS.
+			httpsRedirect?: bool
+
+			// Optional: Maximum TLS protocol version.
+			maxProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
+
+			// Optional: Minimum TLS protocol version.
+			minProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
+
+			// Optional: Indicates whether connections to this port should be
+			// secured using TLS.
+			mode?: "PASSTHROUGH" | "SIMPLE" | "MUTUAL" | "AUTO_PASSTHROUGH" | "ISTIO_MUTUAL" | "OPTIONAL_MUTUAL"
+
+			// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+			privateKey?: string
+
+			// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+			serverCertificate?: string
+
+			// A list of alternate names to verify the subject identity in the
+			// certificate presented by the client.
+			subjectAltNames?: [...string]
+
+			// An optional list of hex-encoded SHA-256 hashes of the
+			// authorized client certificates.
+			verifyCertificateHash?: [...string]
+
+			// An optional list of base64-encoded SHA-256 hashes of the SPKIs
+			// of authorized client certificates.
+			verifyCertificateSpki?: [...string]
+		}
+	}]
+
+	// Configuration for the outbound traffic policy.
+	outboundTrafficPolicy?: {
+		egressProxy?: {
+			// The name of a service from the service registry.
+			host: string
+			port?: {
+				number?: int
+			}
+
+			// The name of a subset within the service.
+			subset?: string
+		}
+		mode?: "REGISTRY_ONLY" | "ALLOW_ANY"
+	}
+	workloadSelector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which the configuration should be applied.
+		labels?: {
+			[string]: string
+		}
+	}
+}

docs/examples/cue.mod/gen/networking.istio.io/sidecar/v1beta1/types_gen.cue

@@ -0,0 +1,280 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1beta1
+
+import "strings"
+
+#Sidecar: {
+	// Configuration affecting network reachability of a sidecar. See
+	// more details at:
+	// https://istio.io/docs/reference/config/networking/sidecar.html
+	spec!:      #SidecarSpec
+	apiVersion: "networking.istio.io/v1beta1"
+	kind:       "Sidecar"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting network reachability of a sidecar. See
+// more details at:
+// https://istio.io/docs/reference/config/networking/sidecar.html
+#SidecarSpec: {
+	// Egress specifies the configuration of the sidecar for
+	// processing outbound traffic from the attached workload
+	// instance to other services in the mesh.
+	egress?: [...{
+		// The IP(IPv4 or IPv6) or the Unix domain socket to which the
+		// listener should be bound to.
+		bind?: string
+
+		// When the bind address is an IP, the captureMode option dictates
+		// how traffic to the listener is expected to be captured (or
+		// not).
+		captureMode?: "DEFAULT" | "IPTABLES" | "NONE"
+
+		// One or more service hosts exposed by the listener in
+		// `namespace/dnsName` format.
+		hosts: [...string]
+
+		// The port associated with the listener.
+		port?: {
+			// Label assigned to the port.
+			name?: string
+
+			// A valid non-negative integer port number.
+			number?: int
+
+			// The protocol exposed on the port.
+			protocol?:   string
+			targetPort?: int
+		}
+	}]
+
+	// Settings controlling the volume of connections Envoy will
+	// accept from the network.
+	inboundConnectionPool?: {
+		// HTTP connection pool settings.
+		http?: {
+			// Specify if http1.1 connection should be upgraded to http2 for
+			// the associated destination.
+			h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
+
+			// Maximum number of requests that will be queued while waiting
+			// for a ready connection pool connection.
+			http1MaxPendingRequests?: int
+
+			// Maximum number of active requests to a destination.
+			http2MaxRequests?: int
+
+			// The idle timeout for upstream connection pool connections.
+			idleTimeout?: string
+
+			// Maximum number of requests per connection to a backend.
+			maxRequestsPerConnection?: int
+
+			// Maximum number of retries that can be outstanding to all hosts
+			// in a cluster at a given time.
+			maxRetries?: int
+
+			// If set to true, client protocol will be preserved while
+			// initiating connection to backend.
+			useClientProtocol?: bool
+		}
+
+		// Settings common to both HTTP and TCP upstream connections.
+		tcp?: {
+			// TCP connection timeout.
+			connectTimeout?: string
+
+			// The maximum duration of a connection.
+			maxConnectionDuration?: string
+
+			// Maximum number of HTTP1 /TCP connections to a destination host.
+			maxConnections?: int
+
+			// If set then set SO_KEEPALIVE on the socket to enable TCP
+			// Keepalives.
+			tcpKeepalive?: {
+				// The time duration between keep-alive probes.
+				interval?: string
+
+				// Maximum number of keepalive probes to send without response
+				// before deciding the connection is dead.
+				probes?: int
+
+				// The time duration a connection needs to be idle before
+				// keep-alive probes start being sent.
+				time?: string
+			}
+		}
+	}
+
+	// Ingress specifies the configuration of the sidecar for
+	// processing inbound traffic to the attached workload instance.
+	ingress?: [...{
+		// The IP(IPv4 or IPv6) to which the listener should be bound.
+		bind?: string
+
+		// The captureMode option dictates how traffic to the listener is
+		// expected to be captured (or not).
+		captureMode?: "DEFAULT" | "IPTABLES" | "NONE"
+
+		// Settings controlling the volume of connections Envoy will
+		// accept from the network.
+		connectionPool?: {
+			// HTTP connection pool settings.
+			http?: {
+				// Specify if http1.1 connection should be upgraded to http2 for
+				// the associated destination.
+				h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
+
+				// Maximum number of requests that will be queued while waiting
+				// for a ready connection pool connection.
+				http1MaxPendingRequests?: int
+
+				// Maximum number of active requests to a destination.
+				http2MaxRequests?: int
+
+				// The idle timeout for upstream connection pool connections.
+				idleTimeout?: string
+
+				// Maximum number of requests per connection to a backend.
+				maxRequestsPerConnection?: int
+
+				// Maximum number of retries that can be outstanding to all hosts
+				// in a cluster at a given time.
+				maxRetries?: int
+
+				// If set to true, client protocol will be preserved while
+				// initiating connection to backend.
+				useClientProtocol?: bool
+			}
+
+			// Settings common to both HTTP and TCP upstream connections.
+			tcp?: {
+				// TCP connection timeout.
+				connectTimeout?: string
+
+				// The maximum duration of a connection.
+				maxConnectionDuration?: string
+
+				// Maximum number of HTTP1 /TCP connections to a destination host.
+				maxConnections?: int
+
+				// If set then set SO_KEEPALIVE on the socket to enable TCP
+				// Keepalives.
+				tcpKeepalive?: {
+					// The time duration between keep-alive probes.
+					interval?: string
+
+					// Maximum number of keepalive probes to send without response
+					// before deciding the connection is dead.
+					probes?: int
+
+					// The time duration a connection needs to be idle before
+					// keep-alive probes start being sent.
+					time?: string
+				}
+			}
+		}
+
+		// The IP endpoint or Unix domain socket to which traffic should
+		// be forwarded to.
+		defaultEndpoint?: string
+
+		// The port associated with the listener.
+		port: {
+			// Label assigned to the port.
+			name?: string
+
+			// A valid non-negative integer port number.
+			number?: int
+
+			// The protocol exposed on the port.
+			protocol?:   string
+			targetPort?: int
+		}
+
+		// Set of TLS related options that will enable TLS termination on
+		// the sidecar for requests originating from outside the mesh.
+		tls?: {
+			// REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
+			caCertificates?: string
+
+			// Optional: If specified, only support the specified cipher list.
+			cipherSuites?: [...string]
+
+			// For gateways running on Kubernetes, the name of the secret that
+			// holds the TLS certs including the CA certificates.
+			credentialName?: string
+
+			// If set to true, the load balancer will send a 301 redirect for
+			// all http connections, asking the clients to use HTTPS.
+			httpsRedirect?: bool
+
+			// Optional: Maximum TLS protocol version.
+			maxProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
+
+			// Optional: Minimum TLS protocol version.
+			minProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
+
+			// Optional: Indicates whether connections to this port should be
+			// secured using TLS.
+			mode?: "PASSTHROUGH" | "SIMPLE" | "MUTUAL" | "AUTO_PASSTHROUGH" | "ISTIO_MUTUAL" | "OPTIONAL_MUTUAL"
+
+			// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+			privateKey?: string
+
+			// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+			serverCertificate?: string
+
+			// A list of alternate names to verify the subject identity in the
+			// certificate presented by the client.
+			subjectAltNames?: [...string]
+
+			// An optional list of hex-encoded SHA-256 hashes of the
+			// authorized client certificates.
+			verifyCertificateHash?: [...string]
+
+			// An optional list of base64-encoded SHA-256 hashes of the SPKIs
+			// of authorized client certificates.
+			verifyCertificateSpki?: [...string]
+		}
+	}]
+
+	// Configuration for the outbound traffic policy.
+	outboundTrafficPolicy?: {
+		egressProxy?: {
+			// The name of a service from the service registry.
+			host: string
+			port?: {
+				number?: int
+			}
+
+			// The name of a subset within the service.
+			subset?: string
+		}
+		mode?: "REGISTRY_ONLY" | "ALLOW_ANY"
+	}
+	workloadSelector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which the configuration should be applied.
+		labels?: {
+			[string]: string
+		}
+	}
+}

docs/examples/cue.mod/gen/networking.istio.io/virtualservice/v1alpha3/types_gen.cue

@@ -0,0 +1,594 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1alpha3
+
+import "strings"
+
+#VirtualService: {
+	// Configuration affecting label/content routing, sni routing,
+	// etc. See more details at:
+	// https://istio.io/docs/reference/config/networking/virtual-service.html
+	spec!:      #VirtualServiceSpec
+	apiVersion: "networking.istio.io/v1alpha3"
+	kind:       "VirtualService"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting label/content routing, sni routing,
+// etc. See more details at:
+// https://istio.io/docs/reference/config/networking/virtual-service.html
+#VirtualServiceSpec: {
+	// A list of namespaces to which this virtual service is exported.
+	exportTo?: [...string]
+
+	// The names of gateways and sidecars that should apply these
+	// routes.
+	gateways?: [...string]
+
+	// The destination hosts to which traffic is being sent.
+	hosts?: [...string]
+
+	// An ordered list of route rules for HTTP traffic.
+	http?: [...{
+		// Cross-Origin Resource Sharing policy (CORS).
+		corsPolicy?: {
+			// Indicates whether the caller is allowed to send the actual
+			// request (not the preflight) using credentials.
+			allowCredentials?: null | bool
+
+			// List of HTTP headers that can be used when requesting the
+			// resource.
+			allowHeaders?: [...string]
+
+			// List of HTTP methods allowed to access the resource.
+			allowMethods?: [...string]
+			allowOrigin?: [...string]
+
+			// String patterns that match allowed origins.
+			allowOrigins?: [...({} | {
+				exact: _
+			} | {
+				prefix: _
+			} | {
+				regex: _
+			}) & {
+				exact?:  string
+				prefix?: string
+
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				regex?: string
+			}]
+
+			// A list of HTTP headers that the browsers are allowed to access.
+			exposeHeaders?: [...string]
+
+			// Specifies how long the results of a preflight request can be
+			// cached.
+			maxAge?: string
+		}
+
+		// Delegate is used to specify the particular VirtualService which
+		// can be used to define delegate HTTPRoute.
+		delegate?: {
+			// Name specifies the name of the delegate VirtualService.
+			name?: string
+
+			// Namespace specifies the namespace where the delegate
+			// VirtualService resides.
+			namespace?: string
+		}
+
+		// A HTTP rule can either return a direct_response, redirect or
+		// forward (default) traffic.
+		directResponse?: {
+			// Specifies the content of the response body.
+			body?: ({} | {
+				string: _
+			} | {
+				bytes: _
+			}) & {
+				// response body as base64 encoded bytes.
+				bytes?:  string
+				string?: string
+			}
+
+			// Specifies the HTTP response status to be returned.
+			status: int
+		}
+
+		// Fault injection policy to apply on HTTP traffic at the client
+		// side.
+		fault?: {
+			// Abort Http request attempts and return error codes back to
+			// downstream service, giving the impression that the upstream
+			// service is faulty.
+			abort?: ({} | {
+				httpStatus: _
+			} | {
+				grpcStatus: _
+			} | {
+				http2Error: _
+			}) & {
+				// GRPC status code to use to abort the request.
+				grpcStatus?: string
+				http2Error?: string
+
+				// HTTP status code to use to abort the Http request.
+				httpStatus?: int
+				percentage?: {
+					value?: number
+				}
+			}
+
+			// Delay requests before forwarding, emulating various failures
+			// such as network issues, overloaded upstream service, etc.
+			delay?: ({} | {
+				fixedDelay: _
+			} | {
+				exponentialDelay: _
+			}) & {
+				exponentialDelay?: string
+
+				// Add a fixed delay before forwarding the request.
+				fixedDelay?: string
+
+				// Percentage of requests on which the delay will be injected
+				// (0-100).
+				percent?: int
+				percentage?: {
+					value?: number
+				}
+			}
+		}
+		headers?: {
+			request?: {
+				add?: {
+					[string]: string
+				}
+				remove?: [...string]
+				set?: {
+					[string]: string
+				}
+			}
+			response?: {
+				add?: {
+					[string]: string
+				}
+				remove?: [...string]
+				set?: {
+					[string]: string
+				}
+			}
+		}
+
+		// Match conditions to be satisfied for the rule to be activated.
+		match?: [...{
+			// HTTP Authority values are case-sensitive and formatted as
+			// follows: - `exact: "value"` for exact string match - `prefix:
+			// "value"` for prefix-based match - `regex: "value"` for RE2
+			// style regex-based match
+			// (https://github.com/google/re2/wiki/Syntax).
+			authority?: ({} | {
+				exact: _
+			} | {
+				prefix: _
+			} | {
+				regex: _
+			}) & {
+				exact?:  string
+				prefix?: string
+
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				regex?: string
+			}
+
+			// Names of gateways where the rule should be applied.
+			gateways?: [...string]
+
+			// The header keys must be lowercase and use hyphen as the
+			// separator, e.g.
+			headers?: {
+				[string]: ({} | {
+					exact: _
+				} | {
+					prefix: _
+				} | {
+					regex: _
+				}) & {
+					exact?:  string
+					prefix?: string
+
+					// RE2 style regex-based match
+					// (https://github.com/google/re2/wiki/Syntax).
+					regex?: string
+				}
+			}
+
+			// Flag to specify whether the URI matching should be
+			// case-insensitive.
+			ignoreUriCase?: bool
+
+			// HTTP Method values are case-sensitive and formatted as follows:
+			// - `exact: "value"` for exact string match - `prefix: "value"`
+			// for prefix-based match - `regex: "value"` for RE2 style
+			// regex-based match (https://github.com/google/re2/wiki/Syntax).
+			method?: ({} | {
+				exact: _
+			} | {
+				prefix: _
+			} | {
+				regex: _
+			}) & {
+				exact?:  string
+				prefix?: string
+
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				regex?: string
+			}
+
+			// The name assigned to a match.
+			name?: string
+
+			// Specifies the ports on the host that is being addressed.
+			port?: int
+
+			// Query parameters for matching.
+			queryParams?: {
+				[string]: ({} | {
+					exact: _
+				} | {
+					prefix: _
+				} | {
+					regex: _
+				}) & {
+					exact?:  string
+					prefix?: string
+
+					// RE2 style regex-based match
+					// (https://github.com/google/re2/wiki/Syntax).
+					regex?: string
+				}
+			}
+
+			// URI Scheme values are case-sensitive and formatted as follows:
+			// - `exact: "value"` for exact string match - `prefix: "value"`
+			// for prefix-based match - `regex: "value"` for RE2 style
+			// regex-based match (https://github.com/google/re2/wiki/Syntax).
+			scheme?: ({} | {
+				exact: _
+			} | {
+				prefix: _
+			} | {
+				regex: _
+			}) & {
+				exact?:  string
+				prefix?: string
+
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				regex?: string
+			}
+
+			// One or more labels that constrain the applicability of a rule
+			// to source (client) workloads with the given labels.
+			sourceLabels?: {
+				[string]: string
+			}
+
+			// Source namespace constraining the applicability of a rule to
+			// workloads in that namespace.
+			sourceNamespace?: string
+
+			// The human readable prefix to use when emitting statistics for
+			// this route.
+			statPrefix?: string
+
+			// URI to match values are case-sensitive and formatted as
+			// follows: - `exact: "value"` for exact string match - `prefix:
+			// "value"` for prefix-based match - `regex: "value"` for RE2
+			// style regex-based match
+			// (https://github.com/google/re2/wiki/Syntax).
+			uri?: ({} | {
+				exact: _
+			} | {
+				prefix: _
+			} | {
+				regex: _
+			}) & {
+				exact?:  string
+				prefix?: string
+
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				regex?: string
+			}
+
+			// withoutHeader has the same syntax with the header, but has
+			// opposite meaning.
+			withoutHeaders?: {
+				[string]: ({} | {
+					exact: _
+				} | {
+					prefix: _
+				} | {
+					regex: _
+				}) & {
+					exact?:  string
+					prefix?: string
+
+					// RE2 style regex-based match
+					// (https://github.com/google/re2/wiki/Syntax).
+					regex?: string
+				}
+			}
+		}]
+
+		// Mirror HTTP traffic to a another destination in addition to
+		// forwarding the requests to the intended destination.
+		mirror?: {
+			// The name of a service from the service registry.
+			host: string
+			port?: {
+				number?: int
+			}
+
+			// The name of a subset within the service.
+			subset?: string
+		}
+		mirror_percent?: null | int
+		mirrorPercent?:  null | int
+		mirrorPercentage?: {
+			value?: number
+		}
+
+		// Specifies the destinations to mirror HTTP traffic in addition
+		// to the original destination.
+		mirrors?: [...{
+			// Destination specifies the target of the mirror operation.
+			destination: {
+				// The name of a service from the service registry.
+				host: string
+				port?: {
+					number?: int
+				}
+
+				// The name of a subset within the service.
+				subset?: string
+			}
+			percentage?: {
+				value?: number
+			}
+		}]
+
+		// The name assigned to the route for debugging purposes.
+		name?: string
+
+		// A HTTP rule can either return a direct_response, redirect or
+		// forward (default) traffic.
+		redirect?: ({} | {
+			port: _
+		} | {
+			derivePort: _
+		}) & {
+			// On a redirect, overwrite the Authority/Host portion of the URL
+			// with this value.
+			authority?: string
+
+			// On a redirect, dynamically set the port: *
+			// FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and
+			// 443 for HTTPS.
+			derivePort?: "FROM_PROTOCOL_DEFAULT" | "FROM_REQUEST_PORT"
+
+			// On a redirect, overwrite the port portion of the URL with this
+			// value.
+			port?: int
+
+			// On a redirect, Specifies the HTTP status code to use in the
+			// redirect response.
+			redirectCode?: int
+
+			// On a redirect, overwrite the scheme portion of the URL with
+			// this value.
+			scheme?: string
+
+			// On a redirect, overwrite the Path portion of the URL with this
+			// value.
+			uri?: string
+		}
+
+		// Retry policy for HTTP requests.
+		retries?: {
+			// Number of retries to be allowed for a given request.
+			attempts?: int
+
+			// Timeout per attempt for a given request, including the initial
+			// call and any retries.
+			perTryTimeout?: string
+
+			// Specifies the conditions under which retry takes place.
+			retryOn?: string
+
+			// Flag to specify whether the retries should retry to other
+			// localities.
+			retryRemoteLocalities?: null | bool
+		}
+
+		// Rewrite HTTP URIs and Authority headers.
+		rewrite?: {
+			// rewrite the Authority/Host header with this value.
+			authority?: string
+
+			// rewrite the path (or the prefix) portion of the URI with this
+			// value.
+			uri?: string
+
+			// rewrite the path portion of the URI with the specified regex.
+			uriRegexRewrite?: {
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				match?: string
+
+				// The string that should replace into matching portions of
+				// original URI.
+				rewrite?: string
+			}
+		}
+
+		// A HTTP rule can either return a direct_response, redirect or
+		// forward (default) traffic.
+		route?: [...{
+			// Destination uniquely identifies the instances of a service to
+			// which the request/connection should be forwarded to.
+			destination: {
+				// The name of a service from the service registry.
+				host: string
+				port?: {
+					number?: int
+				}
+
+				// The name of a subset within the service.
+				subset?: string
+			}
+			headers?: {
+				request?: {
+					add?: {
+						[string]: string
+					}
+					remove?: [...string]
+					set?: {
+						[string]: string
+					}
+				}
+				response?: {
+					add?: {
+						[string]: string
+					}
+					remove?: [...string]
+					set?: {
+						[string]: string
+					}
+				}
+			}
+
+			// Weight specifies the relative proportion of traffic to be
+			// forwarded to the destination.
+			weight?: int
+		}]
+
+		// Timeout for HTTP requests, default is disabled.
+		timeout?: string
+	}]
+
+	// An ordered list of route rules for opaque TCP traffic.
+	tcp?: [...{
+		// Match conditions to be satisfied for the rule to be activated.
+		match?: [...{
+			// IPv4 or IPv6 ip addresses of destination with optional subnet.
+			destinationSubnets?: [...string]
+
+			// Names of gateways where the rule should be applied.
+			gateways?: [...string]
+
+			// Specifies the port on the host that is being addressed.
+			port?: int
+
+			// One or more labels that constrain the applicability of a rule
+			// to workloads with the given labels.
+			sourceLabels?: {
+				[string]: string
+			}
+
+			// Source namespace constraining the applicability of a rule to
+			// workloads in that namespace.
+			sourceNamespace?: string
+			sourceSubnet?:    string
+		}]
+
+		// The destination to which the connection should be forwarded to.
+		route?: [...{
+			// Destination uniquely identifies the instances of a service to
+			// which the request/connection should be forwarded to.
+			destination: {
+				// The name of a service from the service registry.
+				host: string
+				port?: {
+					number?: int
+				}
+
+				// The name of a subset within the service.
+				subset?: string
+			}
+
+			// Weight specifies the relative proportion of traffic to be
+			// forwarded to the destination.
+			weight?: int
+		}]
+	}]
+
+	// An ordered list of route rule for non-terminated TLS & HTTPS
+	// traffic.
+	tls?: [...{
+		// Match conditions to be satisfied for the rule to be activated.
+		match: [...{
+			// IPv4 or IPv6 ip addresses of destination with optional subnet.
+			destinationSubnets?: [...string]
+
+			// Names of gateways where the rule should be applied.
+			gateways?: [...string]
+
+			// Specifies the port on the host that is being addressed.
+			port?: int
+
+			// SNI (server name indicator) to match on.
+			sniHosts: [...string]
+
+			// One or more labels that constrain the applicability of a rule
+			// to workloads with the given labels.
+			sourceLabels?: {
+				[string]: string
+			}
+
+			// Source namespace constraining the applicability of a rule to
+			// workloads in that namespace.
+			sourceNamespace?: string
+		}]
+
+		// The destination to which the connection should be forwarded to.
+		route?: [...{
+			// Destination uniquely identifies the instances of a service to
+			// which the request/connection should be forwarded to.
+			destination: {
+				// The name of a service from the service registry.
+				host: string
+				port?: {
+					number?: int
+				}
+
+				// The name of a subset within the service.
+				subset?: string
+			}
+
+			// Weight specifies the relative proportion of traffic to be
+			// forwarded to the destination.
+			weight?: int
+		}]
+	}]
+}

docs/examples/cue.mod/gen/networking.istio.io/virtualservice/v1beta1/types_gen.cue

@@ -0,0 +1,575 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1beta1
+
+import "strings"
+
+#VirtualService: {
+	// Configuration affecting label/content routing, sni routing,
+	// etc. See more details at:
+	// https://istio.io/docs/reference/config/networking/virtual-service.html
+	spec!:      #VirtualServiceSpec
+	apiVersion: "networking.istio.io/v1beta1"
+	kind:       "VirtualService"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting label/content routing, sni routing,
+// etc. See more details at:
+// https://istio.io/docs/reference/config/networking/virtual-service.html
+#VirtualServiceSpec: {
+	// A list of namespaces to which this virtual service is exported.
+	exportTo?: [...string]
+
+	// The names of gateways and sidecars that should apply these
+	// routes.
+	gateways?: [...string]
+
+	// The destination hosts to which traffic is being sent.
+	hosts?: [...string]
+
+	// An ordered list of route rules for HTTP traffic.
+	http?: [...{
+		// Cross-Origin Resource Sharing policy (CORS).
+		corsPolicy?: {
+			// Indicates whether the caller is allowed to send the actual
+			// request (not the preflight) using credentials.
+			allowCredentials?: null | bool
+
+			// List of HTTP headers that can be used when requesting the
+			// resource.
+			allowHeaders?: [...string]
+
+			// List of HTTP methods allowed to access the resource.
+			allowMethods?: [...string]
+			allowOrigin?: [...string]
+
+			// String patterns that match allowed origins.
+			allowOrigins?: [...({} | {
+				exact: _
+			} | {
+				prefix: _
+			} | {
+				regex: _
+			}) & {
+				exact?:  string
+				prefix?: string
+
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				regex?: string
+			}]
+
+			// A list of HTTP headers that the browsers are allowed to access.
+			exposeHeaders?: [...string]
+
+			// Specifies how long the results of a preflight request can be
+			// cached.
+			maxAge?: string
+		}
+
+		// Delegate is used to specify the particular VirtualService which
+		// can be used to define delegate HTTPRoute.
+		delegate?: {
+			// Name specifies the name of the delegate VirtualService.
+			name?: string
+
+			// Namespace specifies the namespace where the delegate
+			// VirtualService resides.
+			namespace?: string
+		}
+
+		// A HTTP rule can either return a direct_response, redirect or
+		// forward (default) traffic.
+		directResponse?: {
+			// Specifies the content of the response body.
+			body?: ({} | {
+				string: _
+			} | {
+				bytes: _
+			}) & {
+				// response body as base64 encoded bytes.
+				bytes?:  string
+				string?: string
+			}
+
+			// Specifies the HTTP response status to be returned.
+			status: int
+		}
+
+		// Fault injection policy to apply on HTTP traffic at the client
+		// side.
+		fault?: {
+			// Abort Http request attempts and return error codes back to
+			// downstream service, giving the impression that the upstream
+			// service is faulty.
+			abort?: ({} | {
+				httpStatus: _
+			} | {
+				grpcStatus: _
+			} | {
+				http2Error: _
+			}) & {
+				// GRPC status code to use to abort the request.
+				grpcStatus?: string
+				http2Error?: string
+
+				// HTTP status code to use to abort the Http request.
+				httpStatus?: int
+				percentage?: {
+					value?: number
+				}
+			}
+
+			// Delay requests before forwarding, emulating various failures
+			// such as network issues, overloaded upstream service, etc.
+			delay?: ({} | {
+				fixedDelay: _
+			} | {
+				exponentialDelay: _
+			}) & {
+				exponentialDelay?: string
+
+				// Add a fixed delay before forwarding the request.
+				fixedDelay?: string
+
+				// Percentage of requests on which the delay will be injected
+				// (0-100).
+				percent?: int
+				percentage?: {
+					value?: number
+				}
+			}
+		}
+		headers?: {
+			request?: {
+				add?: {
+					[string]: string
+				}
+				remove?: [...string]
+				set?: {
+					[string]: string
+				}
+			}
+			response?: {
+				add?: {
+					[string]: string
+				}
+				remove?: [...string]
+				set?: {
+					[string]: string
+				}
+			}
+		}
+
+		// Match conditions to be satisfied for the rule to be activated.
+		match?: [...{
+			// HTTP Authority values are case-sensitive and formatted as
+			// follows: - `exact: "value"` for exact string match - `prefix:
+			// "value"` for prefix-based match - `regex: "value"` for RE2
+			// style regex-based match
+			// (https://github.com/google/re2/wiki/Syntax).
+			authority?: ({} | {
+				exact: _
+			} | {
+				prefix: _
+			} | {
+				regex: _
+			}) & {
+				exact?:  string
+				prefix?: string
+
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				regex?: string
+			}
+
+			// Names of gateways where the rule should be applied.
+			gateways?: [...string]
+
+			// The header keys must be lowercase and use hyphen as the
+			// separator, e.g.
+			headers?: {
+				[string]: ({} | {
+					exact: _
+				} | {
+					prefix: _
+				} | {
+					regex: _
+				}) & {
+					exact?:  string
+					prefix?: string
+
+					// RE2 style regex-based match
+					// (https://github.com/google/re2/wiki/Syntax).
+					regex?: string
+				}
+			}
+
+			// Flag to specify whether the URI matching should be
+			// case-insensitive.
+			ignoreUriCase?: bool
+
+			// HTTP Method values are case-sensitive and formatted as follows:
+			// - `exact: "value"` for exact string match - `prefix: "value"`
+			// for prefix-based match - `regex: "value"` for RE2 style
+			// regex-based match (https://github.com/google/re2/wiki/Syntax).
+			method?: ({} | {
+				exact: _
+			} | {
+				prefix: _
+			} | {
+				regex: _
+			}) & {
+				exact?:  string
+				prefix?: string
+
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				regex?: string
+			}
+
+			// The name assigned to a match.
+			name?: string
+
+			// Specifies the ports on the host that is being addressed.
+			port?: int
+
+			// Query parameters for matching.
+			queryParams?: {
+				[string]: ({} | {
+					exact: _
+				} | {
+					prefix: _
+				} | {
+					regex: _
+				}) & {
+					exact?:  string
+					prefix?: string
+
+					// RE2 style regex-based match
+					// (https://github.com/google/re2/wiki/Syntax).
+					regex?: string
+				}
+			}
+
+			// URI Scheme values are case-sensitive and formatted as follows:
+			// - `exact: "value"` for exact string match - `prefix: "value"`
+			// for prefix-based match - `regex: "value"` for RE2 style
+			// regex-based match (https://github.com/google/re2/wiki/Syntax).
+			scheme?: ({} | {
+				exact: _
+			} | {
+				prefix: _
+			} | {
+				regex: _
+			}) & {
+				exact?:  string
+				prefix?: string
+
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				regex?: string
+			}
+
+			// One or more labels that constrain the applicability of a rule
+			// to source (client) workloads with the given labels.
+			sourceLabels?: {
+				[string]: string
+			}
+
+			// Source namespace constraining the applicability of a rule to
+			// workloads in that namespace.
+			sourceNamespace?: string
+
+			// The human readable prefix to use when emitting statistics for
+			// this route.
+			statPrefix?: string
+
+			// URI to match values are case-sensitive and formatted as
+			// follows: - `exact: "value"` for exact string match - `prefix:
+			// "value"` for prefix-based match - `regex: "value"` for RE2
+			// style regex-based match
+			// (https://github.com/google/re2/wiki/Syntax).
+			uri?: {
+				exact?:  string
+				prefix?: string
+				regex?:  string
+			}
+
+			// withoutHeader has the same syntax with the header, but has
+			// opposite meaning.
+			withoutHeaders?: {
+				[string]: {
+					exact?:  string
+					prefix?: string
+
+					// RE2 style regex-based match
+					// (https://github.com/google/re2/wiki/Syntax).
+					regex?: string
+				}
+			}
+		}]
+
+		// Mirror HTTP traffic to a another destination in addition to
+		// forwarding the requests to the intended destination.
+		mirror?: {
+			// The name of a service from the service registry.
+			host: string
+			port?: {
+				number?: int
+			}
+
+			// The name of a subset within the service.
+			subset?: string
+		}
+		mirror_percent?: null | int
+		mirrorPercent?:  null | int
+		mirrorPercentage?: {
+			value?: number
+		}
+
+		// Specifies the destinations to mirror HTTP traffic in addition
+		// to the original destination.
+		mirrors?: [...{
+			// Destination specifies the target of the mirror operation.
+			destination: {
+				// The name of a service from the service registry.
+				host: string
+				port?: {
+					number?: int
+				}
+
+				// The name of a subset within the service.
+				subset?: string
+			}
+			percentage?: {
+				value?: number
+			}
+		}]
+
+		// The name assigned to the route for debugging purposes.
+		name?: string
+
+		// A HTTP rule can either return a direct_response, redirect or
+		// forward (default) traffic.
+		redirect?: {
+			// On a redirect, overwrite the Authority/Host portion of the URL
+			// with this value.
+			authority?: string
+
+			// On a redirect, dynamically set the port: *
+			// FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and
+			// 443 for HTTPS.
+			derivePort?: "FROM_PROTOCOL_DEFAULT" | "FROM_REQUEST_PORT"
+
+			// On a redirect, overwrite the port portion of the URL with this
+			// value.
+			port?: int
+
+			// On a redirect, Specifies the HTTP status code to use in the
+			// redirect response.
+			redirectCode?: int
+
+			// On a redirect, overwrite the scheme portion of the URL with
+			// this value.
+			scheme?: string
+
+			// On a redirect, overwrite the Path portion of the URL with this
+			// value.
+			uri?: string
+		}
+
+		// Retry policy for HTTP requests.
+		retries?: {
+			// Number of retries to be allowed for a given request.
+			attempts?: int
+
+			// Timeout per attempt for a given request, including the initial
+			// call and any retries.
+			perTryTimeout?: string
+
+			// Specifies the conditions under which retry takes place.
+			retryOn?: string
+
+			// Flag to specify whether the retries should retry to other
+			// localities.
+			retryRemoteLocalities?: null | bool
+		}
+
+		// Rewrite HTTP URIs and Authority headers.
+		rewrite?: {
+			// rewrite the Authority/Host header with this value.
+			authority?: string
+
+			// rewrite the path (or the prefix) portion of the URI with this
+			// value.
+			uri?: string
+
+			// rewrite the path portion of the URI with the specified regex.
+			uriRegexRewrite?: {
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				match?: string
+
+				// The string that should replace into matching portions of
+				// original URI.
+				rewrite?: string
+			}
+		}
+
+		// A HTTP rule can either return a direct_response, redirect or
+		// forward (default) traffic.
+		route?: [...{
+			// Destination uniquely identifies the instances of a service to
+			// which the request/connection should be forwarded to.
+			destination: {
+				// The name of a service from the service registry.
+				host: string
+				port?: {
+					number?: int
+				}
+
+				// The name of a subset within the service.
+				subset?: string
+			}
+			headers?: {
+				request?: {
+					add?: {
+						[string]: string
+					}
+					remove?: [...string]
+					set?: {
+						[string]: string
+					}
+				}
+				response?: {
+					add?: {
+						[string]: string
+					}
+					remove?: [...string]
+					set?: {
+						[string]: string
+					}
+				}
+			}
+
+			// Weight specifies the relative proportion of traffic to be
+			// forwarded to the destination.
+			weight?: int
+		}]
+
+		// Timeout for HTTP requests, default is disabled.
+		timeout?: string
+	}]
+
+	// An ordered list of route rules for opaque TCP traffic.
+	tcp?: [...{
+		// Match conditions to be satisfied for the rule to be activated.
+		match?: [...{
+			// IPv4 or IPv6 ip addresses of destination with optional subnet.
+			destinationSubnets?: [...string]
+
+			// Names of gateways where the rule should be applied.
+			gateways?: [...string]
+
+			// Specifies the port on the host that is being addressed.
+			port?: int
+
+			// One or more labels that constrain the applicability of a rule
+			// to workloads with the given labels.
+			sourceLabels?: {
+				[string]: string
+			}
+
+			// Source namespace constraining the applicability of a rule to
+			// workloads in that namespace.
+			sourceNamespace?: string
+			sourceSubnet?:    string
+		}]
+
+		// The destination to which the connection should be forwarded to.
+		route?: [...{
+			// Destination uniquely identifies the instances of a service to
+			// which the request/connection should be forwarded to.
+			destination: {
+				// The name of a service from the service registry.
+				host: string
+				port?: {
+					number?: int
+				}
+
+				// The name of a subset within the service.
+				subset?: string
+			}
+
+			// Weight specifies the relative proportion of traffic to be
+			// forwarded to the destination.
+			weight?: int
+		}]
+	}]
+
+	// An ordered list of route rule for non-terminated TLS & HTTPS
+	// traffic.
+	tls?: [...{
+		// Match conditions to be satisfied for the rule to be activated.
+		match: [...{
+			// IPv4 or IPv6 ip addresses of destination with optional subnet.
+			destinationSubnets?: [...string]
+
+			// Names of gateways where the rule should be applied.
+			gateways?: [...string]
+
+			// Specifies the port on the host that is being addressed.
+			port?: int
+
+			// SNI (server name indicator) to match on.
+			sniHosts: [...string]
+
+			// One or more labels that constrain the applicability of a rule
+			// to workloads with the given labels.
+			sourceLabels?: {
+				[string]: string
+			}
+
+			// Source namespace constraining the applicability of a rule to
+			// workloads in that namespace.
+			sourceNamespace?: string
+		}]
+
+		// The destination to which the connection should be forwarded to.
+		route?: [...{
+			// Destination uniquely identifies the instances of a service to
+			// which the request/connection should be forwarded to.
+			destination: {
+				// The name of a service from the service registry.
+				host: string
+				port?: {
+					number?: int
+				}
+
+				// The name of a subset within the service.
+				subset?: string
+			}
+
+			// Weight specifies the relative proportion of traffic to be
+			// forwarded to the destination.
+			weight?: int
+		}]
+	}]
+}