(#31) Add tls cert for zitadel to connect to cockroach db

Cockroach DB uses tls certs for client authentication.  Issue one for
Zitadel.

With this patch Zitadel starts up bit is not yet exposted with a
VirtualService.

Refer to https://zitadel.com/docs/self-hosting/manage/configure

.golangci.yaml

@@ -0,0 +1,2 @@
+run:
+  timeout: 5m

cmd/holos/testdata/issue33_helm_stderr.txt

@@ -0,0 +1,280 @@
+# Want helm errors to show up
+! exec holos build .
+stderr 'Error: execution error at \(zitadel/templates/secret_zitadel-masterkey.yaml:2:4\): Either set .Values.zitadel.masterkey xor .Values.zitadel.masterkeySecretName'
+
+-- cue.mod --
+package holos
+-- zitadel.cue --
+package holos
+
+cluster: string @tag(cluster, string)
+
+apiVersion: "holos.run/v1alpha1"
+kind: "HelmChart"
+metadata: name: "zitadel"
+namespace: "zitadel"
+chart: {
+	name:    "zitadel"
+	version: "7.9.0"
+	repository: {
+		name: "zitadel"
+		url:  "https://charts.zitadel.com"
+	}
+}
+
+
+-- vendor/zitadel/templates/secret_zitadel-masterkey.yaml --
+{{- if (or (and .Values.zitadel.masterkey .Values.zitadel.masterkeySecretName) (and (not .Values.zitadel.masterkey) (not .Values.zitadel.masterkeySecretName)) ) }}
+{{- fail "Either set .Values.zitadel.masterkey xor .Values.zitadel.masterkeySecretName" }}
+{{- end }}
+{{- if .Values.zitadel.masterkey -}}
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: zitadel-masterkey
+  {{- with .Values.zitadel.masterkeyAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  labels:
+    {{- include "zitadel.labels" . | nindent 4 }}
+stringData:
+  masterkey: {{ .Values.zitadel.masterkey }}
+{{- end -}}
+-- vendor/zitadel/Chart.yaml --
+apiVersion: v2
+appVersion: v2.46.0
+description: A Helm chart for ZITADEL
+icon: https://zitadel.com/zitadel-logo-dark.svg
+kubeVersion: '>= 1.21.0-0'
+maintainers:
+- email: support@zitadel.com
+  name: zitadel
+  url: https://zitadel.com
+name: zitadel
+type: application
+version: 7.9.0
+-- vendor/zitadel/values.yaml --
+# Default values for zitadel.
+zitadel:
+  # The ZITADEL config under configmapConfig is written to a Kubernetes ConfigMap
+  # See all defaults here:
+  # https://github.com/zitadel/zitadel/blob/main/cmd/defaults.yaml
+  configmapConfig:
+    ExternalSecure: true
+    Machine:
+      Identification:
+        Hostname:
+          Enabled: true
+        Webhook:
+          Enabled: false
+
+  # The ZITADEL config under secretConfig is written to a Kubernetes Secret
+  # See all defaults here:
+  # https://github.com/zitadel/zitadel/blob/main/cmd/defaults.yaml
+  secretConfig:
+
+  # Annotations set on secretConfig secret
+  secretConfigAnnotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation
+    helm.sh/hook-weight: "0"
+
+  # Reference the name of a secret that contains ZITADEL configuration.
+  configSecretName:
+  # The key under which the ZITADEL configuration is located in the secret.
+  configSecretKey: config-yaml
+
+  # ZITADEL uses the masterkey for symmetric encryption.
+  # You can generate it for example with tr -dc A-Za-z0-9 </dev/urandom | head -c 32
+  masterkey: ""
+  # Reference the name of the secret that contains the masterkey. The key should be named "masterkey".
+  # Note: Either zitadel.masterkey or zitadel.masterkeySecretName must be set
+  masterkeySecretName: ""
+
+  # Annotations set on masterkey secret
+  masterkeyAnnotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation
+    helm.sh/hook-weight: "0"
+
+  # The CA Certificate needed for establishing secure database connections
+  dbSslCaCrt: ""
+
+  # The Secret containing the CA certificate at key ca.crt needed for establishing secure database connections
+  dbSslCaCrtSecret: ""
+
+  # The db admins secret containing the client certificate and key at tls.crt and tls.key needed for establishing secure database connections
+  dbSslAdminCrtSecret: ""
+
+  # The db users secret containing the client certificate and key at tls.crt and tls.key needed for establishing secure database connections
+  dbSslUserCrtSecret: ""
+
+  # Generate a self-signed certificate using an init container
+  # This will also mount the generated files to /etc/tls/ so that you can reference them in the pod.
+  # E.G. KeyPath: /etc/tls/tls.key CertPath: /etc/tls/tls.crt
+  # By default, the SAN DNS names include, localhost, the POD IP address and the POD name. You may include one more by using additionalDnsName like "my.zitadel.fqdn".
+  selfSignedCert:
+    enabled: false
+    additionalDnsName:
+
+replicaCount: 3
+
+image:
+  repository: ghcr.io/zitadel/zitadel
+  pullPolicy: IfNotPresent
+  # Overrides the image tag whose default is the chart appVersion.
+  tag: ""
+
+chownImage:
+  repository: alpine
+  pullPolicy: IfNotPresent
+  tag: "3.19"
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+# Annotations to add to the deployment
+annotations: {}
+
+# Annotations to add to the configMap
+configMap:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation
+    helm.sh/hook-weight: "0"
+
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # Annotations to add to the service account
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation
+    helm.sh/hook-weight: "0"
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+
+podAnnotations: {}
+
+podAdditionalLabels: {}
+
+podSecurityContext:
+  runAsNonRoot: true
+  runAsUser: 1000
+
+securityContext: {}
+
+# Additional environment variables
+env:
+  []
+  # - name: ZITADEL_DATABASE_POSTGRES_HOST
+  #   valueFrom:
+  #     secretKeyRef:
+  #       name: postgres-pguser-postgres
+  #       key: host
+
+service:
+  type: ClusterIP
+  # If service type is "ClusterIP", this can optionally be set to a fixed IP address.
+  clusterIP: ""
+  port: 8080
+  protocol: http2
+  annotations: {}
+  scheme: HTTP
+
+ingress:
+  enabled: false
+  className: ""
+  annotations: {}
+  hosts:
+    - host: localhost
+      paths:
+        - path: /
+          pathType: Prefix
+  tls: []
+
+resources: {}
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+topologySpreadConstraints: []
+
+initJob:
+  # Once ZITADEL is installed, the initJob can be disabled.
+  enabled: true
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation
+    helm.sh/hook-weight: "1"
+  resources: {}
+  backoffLimit: 5
+  activeDeadlineSeconds: 300
+  extraContainers: []
+  podAnnotations: {}
+  # Available init commands :
+  # "": initialize ZITADEL instance (without skip anything)
+  # database: initialize only the database
+  # grant: set ALL grant to user
+  # user: initialize only the database user
+  # zitadel: initialize ZITADEL internals (skip "create user" and "create database")
+  command: ""
+
+setupJob:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation
+    helm.sh/hook-weight: "2"
+  resources: {}
+  activeDeadlineSeconds: 300
+  extraContainers: []
+  podAnnotations: {}
+  additionalArgs:
+    - "--init-projections=true"
+  machinekeyWriter:
+    image:
+      repository: bitnami/kubectl
+      tag: ""
+    resources: {}
+
+readinessProbe:
+  enabled: true
+  initialDelaySeconds: 0
+  periodSeconds: 5
+  failureThreshold: 3
+
+livenessProbe:
+  enabled: true
+  initialDelaySeconds: 0
+  periodSeconds: 5
+  failureThreshold: 3
+
+startupProbe:
+  enabled: true
+  periodSeconds: 1
+  failureThreshold: 30
+
+metrics:
+  enabled: false
+  serviceMonitor:
+    # If true, the chart creates a ServiceMonitor that is compatible with Prometheus Operator
+    # https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#monitoring.coreos.com/v1.ServiceMonitor.
+    # The Prometheus community Helm chart installs this operator
+    # https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack#kube-prometheus-stack
+    enabled: false
+    honorLabels: false
+    honorTimestamps: true
+
+pdb:
+  enabled: false
+  # these values are used for the PDB and are mutally exclusive
+  minAvailable: 1
+  # maxUnavailable: 1
+  annotations: {}

docs/examples/cue.mod/gen/acme.cert-manager.io/order/v1/types_gen.cue

@@ -0,0 +1,82 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-certmanager/prod-mesh-certmanager.gen.yaml
+
+package v1
+
+import "strings"
+
+// Order is a type to represent an Order with an ACME server
+#Order: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "acme.cert-manager.io/v1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Order"
+	metadata: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+	spec!: #OrderSpec
+}
+#OrderSpec: {
+	// CommonName is the common name as specified on the DER encoded
+	// CSR. If specified, this value must also be present in
+	// `dnsNames` or `ipAddresses`. This field must match the
+	// corresponding field on the DER encoded CSR.
+	commonName?: string
+
+	// DNSNames is a list of DNS names that should be included as part
+	// of the Order validation process. This field must match the
+	// corresponding field on the DER encoded CSR.
+	dnsNames?: [...string]
+
+	// Duration is the duration for the not after date for the
+	// requested certificate. this is set on order creation as pe the
+	// ACME spec.
+	duration?: string
+
+	// IPAddresses is a list of IP addresses that should be included
+	// as part of the Order validation process. This field must match
+	// the corresponding field on the DER encoded CSR.
+	ipAddresses?: [...string]
+
+	// IssuerRef references a properly configured ACME-type Issuer
+	// which should be used to create this Order. If the Issuer does
+	// not exist, processing will be retried. If the Issuer is not an
+	// 'ACME' Issuer, an error will be returned and the Order will be
+	// marked as failed.
+	issuerRef: {
+		// Group of the resource being referred to.
+		group?: string
+
+		// Kind of the resource being referred to.
+		kind?: string
+
+		// Name of the resource being referred to.
+		name: string
+	}
+
+	// Certificate signing request bytes in DER encoding. This will be
+	// used when finalizing the order. This field must be set on the
+	// order.
+	request: string
+}

docs/examples/cue.mod/gen/cert-manager.io/certificate/v1/types_gen.cue

@@ -0,0 +1,422 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-certmanager/prod-mesh-certmanager.gen.yaml
+
+package v1
+
+import "strings"
+
+// A Certificate resource should be created to ensure an up to
+// date and signed X.509 certificate is stored in the Kubernetes
+// Secret resource named in `spec.secretName`.
+// The stored certificate will be renewed before it expires (as
+// configured by `spec.renewBefore`).
+#Certificate: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "cert-manager.io/v1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Certificate"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// Specification of the desired state of the Certificate resource.
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	spec!: #CertificateSpec
+}
+
+// Specification of the desired state of the Certificate resource.
+// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+#CertificateSpec: {
+	// Defines extra output formats of the private key and signed
+	// certificate chain to be written to this Certificate's target
+	// Secret.
+	// This is an Alpha Feature and is only enabled with the
+	// `--feature-gates=AdditionalCertificateOutputFormats=true`
+	// option set on both the controller and webhook components.
+	additionalOutputFormats?: [...{
+		// Type is the name of the format type that should be written to
+		// the Certificate's target Secret.
+		type: "DER" | "CombinedPEM"
+	}]
+
+	// Requested common name X509 certificate subject attribute. More
+	// info:
+	// https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
+	// NOTE: TLS clients will ignore this value when any subject
+	// alternative name is set (see
+	// https://tools.ietf.org/html/rfc6125#section-6.4.4).
+	// Should have a length of 64 characters or fewer to avoid
+	// generating invalid CSRs. Cannot be set if the `literalSubject`
+	// field is set.
+	commonName?: string
+
+	// Requested DNS subject alternative names.
+	dnsNames?: [...string]
+
+	// Requested 'duration' (i.e. lifetime) of the Certificate. Note
+	// that the issuer may choose to ignore the requested duration,
+	// just like any other requested attribute.
+	// If unset, this defaults to 90 days. Minimum accepted duration
+	// is 1 hour. Value must be in units accepted by Go
+	// time.ParseDuration https://golang.org/pkg/time/#ParseDuration.
+	duration?: string
+
+	// Requested email subject alternative names.
+	emailAddresses?: [...string]
+
+	// Whether the KeyUsage and ExtKeyUsage extensions should be set
+	// in the encoded CSR.
+	// This option defaults to true, and should only be disabled if
+	// the target issuer does not support CSRs with these X509
+	// KeyUsage/ ExtKeyUsage extensions.
+	encodeUsagesInRequest?: bool
+
+	// Requested IP address subject alternative names.
+	ipAddresses?: [...string]
+
+	// Requested basic constraints isCA value. The isCA value is used
+	// to set the `isCA` field on the created CertificateRequest
+	// resources. Note that the issuer may choose to ignore the
+	// requested isCA value, just like any other requested attribute.
+	// If true, this will automatically add the `cert sign` usage to
+	// the list of requested `usages`.
+	isCA?: bool
+
+	// Reference to the issuer responsible for issuing the
+	// certificate. If the issuer is namespace-scoped, it must be in
+	// the same namespace as the Certificate. If the issuer is
+	// cluster-scoped, it can be used from any namespace.
+	// The `name` field of the reference must always be specified.
+	issuerRef: {
+		// Group of the resource being referred to.
+		group?: string
+
+		// Kind of the resource being referred to.
+		kind?: string
+
+		// Name of the resource being referred to.
+		name: string
+	}
+
+	// Additional keystore output formats to be stored in the
+	// Certificate's Secret.
+	keystores?: {
+		// JKS configures options for storing a JKS keystore in the
+		// `spec.secretName` Secret resource.
+		jks?: {
+			// Create enables JKS keystore creation for the Certificate. If
+			// true, a file named `keystore.jks` will be created in the
+			// target Secret resource, encrypted using the password stored in
+			// `passwordSecretRef`. The keystore file will be updated
+			// immediately. If the issuer provided a CA certificate, a file
+			// named `truststore.jks` will also be created in the target
+			// Secret resource, encrypted using the password stored in
+			// `passwordSecretRef` containing the issuing Certificate
+			// Authority
+			create: bool
+
+			// PasswordSecretRef is a reference to a key in a Secret resource
+			// containing the password used to encrypt the JKS keystore.
+			passwordSecretRef: {
+				// The key of the entry in the Secret resource's `data` field to
+				// be used. Some instances of this field may be defaulted, in
+				// others it may be required.
+				key?: string
+
+				// Name of the resource being referred to. More info:
+				// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+				name: string
+			}
+		}
+
+		// PKCS12 configures options for storing a PKCS12 keystore in the
+		// `spec.secretName` Secret resource.
+		pkcs12?: {
+			// Create enables PKCS12 keystore creation for the Certificate. If
+			// true, a file named `keystore.p12` will be created in the
+			// target Secret resource, encrypted using the password stored in
+			// `passwordSecretRef`. The keystore file will be updated
+			// immediately. If the issuer provided a CA certificate, a file
+			// named `truststore.p12` will also be created in the target
+			// Secret resource, encrypted using the password stored in
+			// `passwordSecretRef` containing the issuing Certificate
+			// Authority
+			create: bool
+
+			// PasswordSecretRef is a reference to a key in a Secret resource
+			// containing the password used to encrypt the PKCS12 keystore.
+			passwordSecretRef: {
+				// The key of the entry in the Secret resource's `data` field to
+				// be used. Some instances of this field may be defaulted, in
+				// others it may be required.
+				key?: string
+
+				// Name of the resource being referred to. More info:
+				// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+				name: string
+			}
+
+			// Profile specifies the key and certificate encryption algorithms
+			// and the HMAC algorithm used to create the PKCS12 keystore.
+			// Default value is `LegacyRC2` for backward compatibility.
+			// If provided, allowed values are: `LegacyRC2`: Deprecated. Not
+			// supported by default in OpenSSL 3 or Java 20. `LegacyDES`:
+			// Less secure algorithm. Use this option for maximal
+			// compatibility. `Modern2023`: Secure algorithm. Use this option
+			// in case you have to always use secure algorithms (eg. because
+			// of company policy). Please note that the security of the
+			// algorithm is not that important in reality, because the
+			// unencrypted certificate and private key are also stored in the
+			// Secret.
+			profile?: "LegacyRC2" | "LegacyDES" | "Modern2023"
+		}
+	}
+
+	// Requested X.509 certificate subject, represented using the LDAP
+	// "String Representation of a Distinguished Name" [1].
+	// Important: the LDAP string format also specifies the order of
+	// the attributes in the subject, this is important when issuing
+	// certs for LDAP authentication. Example:
+	// `CN=foo,DC=corp,DC=example,DC=com` More info [1]:
+	// https://datatracker.ietf.org/doc/html/rfc4514 More info:
+	// https://github.com/cert-manager/cert-manager/issues/3203 More
+	// info: https://github.com/cert-manager/cert-manager/issues/4424
+	// Cannot be set if the `subject` or `commonName` field is set.
+	// This is an Alpha Feature and is only enabled with the
+	// `--feature-gates=LiteralCertificateSubject=true` option set on
+	// both the controller and webhook components.
+	literalSubject?: string
+
+	// x.509 certificate NameConstraint extension which MUST NOT be
+	// used in a non-CA certificate. More Info:
+	// https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10
+	// This is an Alpha Feature and is only enabled with the
+	// `--feature-gates=NameConstraints=true` option set on both the
+	// controller and webhook components.
+	nameConstraints?: {
+		// if true then the name constraints are marked critical.
+		critical?: bool
+
+		// Excluded contains the constraints which must be disallowed. Any
+		// name matching a restriction in the excluded field is invalid
+		// regardless of information appearing in the permitted
+		excluded?: {
+			// DNSDomains is a list of DNS domains that are permitted or
+			// excluded.
+			dnsDomains?: [...string]
+
+			// EmailAddresses is a list of Email Addresses that are permitted
+			// or excluded.
+			emailAddresses?: [...string]
+
+			// IPRanges is a list of IP Ranges that are permitted or excluded.
+			// This should be a valid CIDR notation.
+			ipRanges?: [...string]
+
+			// URIDomains is a list of URI domains that are permitted or
+			// excluded.
+			uriDomains?: [...string]
+		}
+
+		// Permitted contains the constraints in which the names must be
+		// located.
+		permitted?: {
+			// DNSDomains is a list of DNS domains that are permitted or
+			// excluded.
+			dnsDomains?: [...string]
+
+			// EmailAddresses is a list of Email Addresses that are permitted
+			// or excluded.
+			emailAddresses?: [...string]
+
+			// IPRanges is a list of IP Ranges that are permitted or excluded.
+			// This should be a valid CIDR notation.
+			ipRanges?: [...string]
+
+			// URIDomains is a list of URI domains that are permitted or
+			// excluded.
+			uriDomains?: [...string]
+		}
+	}
+
+	// `otherNames` is an escape hatch for SAN that allows any type.
+	// We currently restrict the support to string like otherNames,
+	// cf RFC 5280 p 37 Any UTF8 String valued otherName can be
+	// passed with by setting the keys oid: x.x.x.x and UTF8Value:
+	// somevalue for `otherName`. Most commonly this would be UPN set
+	// with oid: 1.3.6.1.4.1.311.20.2.3 You should ensure that any
+	// OID passed is valid for the UTF8String type as we do not
+	// explicitly validate this.
+	otherNames?: [...{
+		// OID is the object identifier for the otherName SAN. The object
+		// identifier must be expressed as a dotted string, for example,
+		// "1.2.840.113556.1.4.221".
+		oid?: string
+
+		// utf8Value is the string value of the otherName SAN. The
+		// utf8Value accepts any valid UTF8 string to set as value for
+		// the otherName SAN.
+		utf8Value?: string
+	}]
+
+	// Private key options. These include the key algorithm and size,
+	// the used encoding and the rotation policy.
+	privateKey?: {
+		// Algorithm is the private key algorithm of the corresponding
+		// private key for this certificate.
+		// If provided, allowed values are either `RSA`, `ECDSA` or
+		// `Ed25519`. If `algorithm` is specified and `size` is not
+		// provided, key size of 2048 will be used for `RSA` key
+		// algorithm and key size of 256 will be used for `ECDSA` key
+		// algorithm. key size is ignored when using the `Ed25519` key
+		// algorithm.
+		algorithm?: "RSA" | "ECDSA" | "Ed25519"
+
+		// The private key cryptography standards (PKCS) encoding for this
+		// certificate's private key to be encoded in.
+		// If provided, allowed values are `PKCS1` and `PKCS8` standing
+		// for PKCS#1 and PKCS#8, respectively. Defaults to `PKCS1` if
+		// not specified.
+		encoding?: "PKCS1" | "PKCS8"
+
+		// RotationPolicy controls how private keys should be regenerated
+		// when a re-issuance is being processed.
+		// If set to `Never`, a private key will only be generated if one
+		// does not already exist in the target `spec.secretName`. If one
+		// does exists but it does not have the correct algorithm or
+		// size, a warning will be raised to await user intervention. If
+		// set to `Always`, a private key matching the specified
+		// requirements will be generated whenever a re-issuance occurs.
+		// Default is `Never` for backward compatibility.
+		rotationPolicy?: "Never" | "Always"
+
+		// Size is the key bit size of the corresponding private key for
+		// this certificate.
+		// If `algorithm` is set to `RSA`, valid values are `2048`, `4096`
+		// or `8192`, and will default to `2048` if not specified. If
+		// `algorithm` is set to `ECDSA`, valid values are `256`, `384`
+		// or `521`, and will default to `256` if not specified. If
+		// `algorithm` is set to `Ed25519`, Size is ignored. No other
+		// values are allowed.
+		size?: int
+	}
+
+	// How long before the currently issued certificate's expiry
+	// cert-manager should renew the certificate. For example, if a
+	// certificate is valid for 60 minutes, and `renewBefore=10m`,
+	// cert-manager will begin to attempt to renew the certificate 50
+	// minutes after it was issued (i.e. when there are 10 minutes
+	// remaining until the certificate is no longer valid).
+	// NOTE: The actual lifetime of the issued certificate is used to
+	// determine the renewal time. If an issuer returns a certificate
+	// with a different lifetime than the one requested, cert-manager
+	// will use the lifetime of the issued certificate.
+	// If unset, this defaults to 1/3 of the issued certificate's
+	// lifetime. Minimum accepted value is 5 minutes. Value must be
+	// in units accepted by Go time.ParseDuration
+	// https://golang.org/pkg/time/#ParseDuration.
+	renewBefore?: string
+
+	// The maximum number of CertificateRequest revisions that are
+	// maintained in the Certificate's history. Each revision
+	// represents a single `CertificateRequest` created by this
+	// Certificate, either when it was created, renewed, or Spec was
+	// changed. Revisions will be removed by oldest first if the
+	// number of revisions exceeds this number.
+	// If set, revisionHistoryLimit must be a value of `1` or greater.
+	// If unset (`nil`), revisions will not be garbage collected.
+	// Default value is `nil`.
+	revisionHistoryLimit?: int
+
+	// Name of the Secret resource that will be automatically created
+	// and managed by this Certificate resource. It will be populated
+	// with a private key and certificate, signed by the denoted
+	// issuer. The Secret resource lives in the same namespace as the
+	// Certificate resource.
+	secretName: string
+
+	// Defines annotations and labels to be copied to the
+	// Certificate's Secret. Labels and annotations on the Secret
+	// will be changed as they appear on the SecretTemplate when
+	// added or removed. SecretTemplate annotations are added in
+	// conjunction with, and cannot overwrite, the base set of
+	// annotations cert-manager sets on the Certificate's Secret.
+	secretTemplate?: {
+		// Annotations is a key value map to be copied to the target
+		// Kubernetes Secret.
+		annotations?: {
+			[string]: string
+		}
+
+		// Labels is a key value map to be copied to the target Kubernetes
+		// Secret.
+		labels?: {
+			[string]: string
+		}
+	}
+
+	// Requested set of X509 certificate subject attributes. More
+	// info:
+	// https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
+	// The common name attribute is specified separately in the
+	// `commonName` field. Cannot be set if the `literalSubject`
+	// field is set.
+	subject?: {
+		// Countries to be used on the Certificate.
+		countries?: [...string]
+
+		// Cities to be used on the Certificate.
+		localities?: [...string]
+
+		// Organizational Units to be used on the Certificate.
+		organizationalUnits?: [...string]
+
+		// Organizations to be used on the Certificate.
+		organizations?: [...string]
+
+		// Postal codes to be used on the Certificate.
+		postalCodes?: [...string]
+
+		// State/Provinces to be used on the Certificate.
+		provinces?: [...string]
+
+		// Serial number to be used on the Certificate.
+		serialNumber?: string
+
+		// Street addresses to be used on the Certificate.
+		streetAddresses?: [...string]
+	}
+
+	// Requested URI subject alternative names.
+	uris?: [...string]
+
+	// Requested key usages and extended key usages. These usages are
+	// used to set the `usages` field on the created
+	// CertificateRequest resources. If `encodeUsagesInRequest` is
+	// unset or set to `true`, the usages will additionally be
+	// encoded in the `request` field which contains the CSR blob.
+	// If unset, defaults to `digital signature` and `key
+	// encipherment`.
+	usages?: [..."signing" | "digital signature" | "content commitment" | "key encipherment" | "key agreement" | "data encipherment" | "cert sign" | "crl sign" | "encipher only" | "decipher only" | "any" | "server auth" | "client auth" | "code signing" | "email protection" | "s/mime" | "ipsec end system" | "ipsec tunnel" | "ipsec user" | "timestamping" | "ocsp signing" | "microsoft sgc" | "netscape sgc"]
+}

docs/examples/cue.mod/gen/cert-manager.io/certificaterequest/v1/types_gen.cue

@@ -0,0 +1,127 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-certmanager/prod-mesh-certmanager.gen.yaml
+
+package v1
+
+import "strings"
+
+// A CertificateRequest is used to request a signed certificate
+// from one of the configured issuers.
+// All fields within the CertificateRequest's `spec` are immutable
+// after creation. A CertificateRequest will either succeed or
+// fail, as denoted by its `Ready` status condition and its
+// `status.failureTime` field.
+// A CertificateRequest is a one-shot resource, meaning it
+// represents a single point in time request for a certificate
+// and cannot be re-used.
+#CertificateRequest: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "cert-manager.io/v1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "CertificateRequest"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// Specification of the desired state of the CertificateRequest
+	// resource.
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	spec!: #CertificateRequestSpec
+}
+
+// Specification of the desired state of the CertificateRequest
+// resource.
+// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+#CertificateRequestSpec: {
+	// Requested 'duration' (i.e. lifetime) of the Certificate. Note
+	// that the issuer may choose to ignore the requested duration,
+	// just like any other requested attribute.
+	duration?: string
+
+	// Extra contains extra attributes of the user that created the
+	// CertificateRequest. Populated by the cert-manager webhook on
+	// creation and immutable.
+	extra?: {
+		[string]: [...string]
+	}
+
+	// Groups contains group membership of the user that created the
+	// CertificateRequest. Populated by the cert-manager webhook on
+	// creation and immutable.
+	groups?: [...string]
+
+	// Requested basic constraints isCA value. Note that the issuer
+	// may choose to ignore the requested isCA value, just like any
+	// other requested attribute.
+	// NOTE: If the CSR in the `Request` field has a BasicConstraints
+	// extension, it must have the same isCA value as specified here.
+	// If true, this will automatically add the `cert sign` usage to
+	// the list of requested `usages`.
+	isCA?: bool
+
+	// Reference to the issuer responsible for issuing the
+	// certificate. If the issuer is namespace-scoped, it must be in
+	// the same namespace as the Certificate. If the issuer is
+	// cluster-scoped, it can be used from any namespace.
+	// The `name` field of the reference must always be specified.
+	issuerRef: {
+		// Group of the resource being referred to.
+		group?: string
+
+		// Kind of the resource being referred to.
+		kind?: string
+
+		// Name of the resource being referred to.
+		name: string
+	}
+
+	// The PEM-encoded X.509 certificate signing request to be
+	// submitted to the issuer for signing.
+	// If the CSR has a BasicConstraints extension, its isCA attribute
+	// must match the `isCA` value of this CertificateRequest. If the
+	// CSR has a KeyUsage extension, its key usages must match the
+	// key usages in the `usages` field of this CertificateRequest.
+	// If the CSR has a ExtKeyUsage extension, its extended key
+	// usages must match the extended key usages in the `usages`
+	// field of this CertificateRequest.
+	request: string
+
+	// UID contains the uid of the user that created the
+	// CertificateRequest. Populated by the cert-manager webhook on
+	// creation and immutable.
+	uid?: string
+
+	// Requested key usages and extended key usages.
+	// NOTE: If the CSR in the `Request` field has uses the KeyUsage
+	// or ExtKeyUsage extension, these extensions must have the same
+	// values as specified here without any additional values.
+	// If unset, defaults to `digital signature` and `key
+	// encipherment`.
+	usages?: [..."signing" | "digital signature" | "content commitment" | "key encipherment" | "key agreement" | "data encipherment" | "cert sign" | "crl sign" | "encipher only" | "decipher only" | "any" | "server auth" | "client auth" | "code signing" | "email protection" | "s/mime" | "ipsec end system" | "ipsec tunnel" | "ipsec user" | "timestamping" | "ocsp signing" | "microsoft sgc" | "netscape sgc"]
+
+	// Username contains the name of the user that created the
+	// CertificateRequest. Populated by the cert-manager webhook on
+	// creation and immutable.
+	username?: string
+}

docs/examples/cue.mod/gen/extensions.istio.io/wasmplugin/v1alpha1/types_gen.cue

@@ -0,0 +1,123 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1alpha1
+
+import (
+	"strings"
+	"list"
+)
+
+#WasmPlugin: {
+	// Extend the functionality provided by the Istio proxy through
+	// WebAssembly filters. See more details at:
+	// https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html
+	spec!:      #WasmPluginSpec
+	apiVersion: "extensions.istio.io/v1alpha1"
+	kind:       "WasmPlugin"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Extend the functionality provided by the Istio proxy through
+// WebAssembly filters. See more details at:
+// https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html
+#WasmPluginSpec: {
+	// Specifies the failure behavior for the plugin due to fatal
+	// errors.
+	failStrategy?: "FAIL_CLOSE" | "FAIL_OPEN"
+
+	// The pull behaviour to be applied when fetching Wasm module by
+	// either OCI image or http/https.
+	imagePullPolicy?: "UNSPECIFIED_POLICY" | "IfNotPresent" | "Always"
+
+	// Credentials to use for OCI image pulling.
+	imagePullSecret?: strings.MaxRunes(253) & strings.MinRunes(1)
+
+	// Specifies the criteria to determine which traffic is passed to
+	// WasmPlugin.
+	match?: [...{
+		// Criteria for selecting traffic by their direction.
+		mode?: "UNDEFINED" | "CLIENT" | "SERVER" | "CLIENT_AND_SERVER"
+
+		// Criteria for selecting traffic by their destination port.
+		ports?: [...{
+			number: uint16 & >=1
+		}]
+	}]
+
+	// Determines where in the filter chain this `WasmPlugin` is to be
+	// injected.
+	phase?: "UNSPECIFIED_PHASE" | "AUTHN" | "AUTHZ" | "STATS"
+
+	// The configuration that will be passed on to the plugin.
+	pluginConfig?: {
+		...
+	}
+
+	// The plugin name to be used in the Envoy configuration (used to
+	// be called `rootID`).
+	pluginName?: strings.MaxRunes(256) & strings.MinRunes(1)
+
+	// Determines ordering of `WasmPlugins` in the same `phase`.
+	priority?: null | int
+	selector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which a policy should be applied.
+		matchLabels?: {
+			[string]: string
+		}
+	}
+
+	// SHA256 checksum that will be used to verify Wasm module or OCI
+	// container.
+	sha256?: =~"(^$|^[a-f0-9]{64}$)"
+
+	// Optional.
+	targetRef?: {
+		// group is the group of the target resource.
+		group?: string
+
+		// kind is kind of the target resource.
+		kind?: string
+
+		// name is the name of the target resource.
+		name?: string
+
+		// namespace is the namespace of the referent.
+		namespace?: string
+	}
+
+	// Specifies the type of Wasm Extension to be used.
+	type?: "UNSPECIFIED_PLUGIN_TYPE" | "HTTP" | "NETWORK"
+
+	// URL of a Wasm module or OCI container.
+	url:              strings.MinRunes(1)
+	verificationKey?: string
+	vmConfig?: {
+		// Specifies environment variables to be injected to this VM.
+		env?: list.MaxItems(256) & [...{
+			// Name of the environment variable.
+			name: strings.MaxRunes(256) & strings.MinRunes(1)
+
+			// Value for the environment variable.
+			value?: strings.MaxRunes(2048)
+
+			// Source for the environment variable's value.
+			valueFrom?: "INLINE" | "HOST"
+		}]
+	}
+}

docs/examples/cue.mod/gen/install.istio.io/istiooperator/v1alpha1/types_gen.cue

@@ -0,0 +1,27 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1alpha1
+
+import "strings"
+
+#IstioOperator: {
+	apiVersion: "install.istio.io/v1alpha1"
+	kind:       "IstioOperator"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+	...
+}

docs/examples/cue.mod/gen/k8s.io/api/core/v1/types_go_gen.cue

@@ -3066,7 +3066,7 @@ import (
 	// If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext.
 	// More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
 	// +optional
-	securityContext?: null | #SecurityContext @go(SecurityContext,*SecurityContext) @protobuf(15,bytes,opt)
+	securityContext?: #SecurityContext @go(SecurityContext,*SecurityContext) @protobuf(15,bytes,opt)
 
 	// Whether this container should allocate a buffer for stdin in the container runtime. If this
 	// is not set, reads from stdin in the container will always result in EOF.
@@ -3982,7 +3982,7 @@ import (
 	// SecurityContext holds pod-level security attributes and common container settings.
 	// Optional: Defaults to empty.  See type description for default values of each field.
 	// +optional
-	securityContext?: null | #PodSecurityContext @go(SecurityContext,*PodSecurityContext) @protobuf(14,bytes,opt)
+	securityContext?: #PodSecurityContext @go(SecurityContext,*PodSecurityContext) @protobuf(14,bytes,opt)
 
 	// ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec.
 	// If specified, these secrets will be passed to individual puller implementations for them to use.

docs/examples/cue.mod/gen/networking.istio.io/destinationrule/v1alpha3/types_gen.cue

@@ -0,0 +1,967 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1alpha3
+
+import "strings"
+
+#DestinationRule: {
+	// Configuration affecting load balancing, outlier detection, etc.
+	// See more details at:
+	// https://istio.io/docs/reference/config/networking/destination-rule.html
+	spec!:      #DestinationRuleSpec
+	apiVersion: "networking.istio.io/v1alpha3"
+	kind:       "DestinationRule"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting load balancing, outlier detection, etc.
+// See more details at:
+// https://istio.io/docs/reference/config/networking/destination-rule.html
+#DestinationRuleSpec: {
+	// A list of namespaces to which this destination rule is
+	// exported.
+	exportTo?: [...string]
+
+	// The name of a service from the service registry.
+	host: string
+
+	// One or more named sets that represent individual versions of a
+	// service.
+	subsets?: [...{
+		// Labels apply a filter over the endpoints of a service in the
+		// service registry.
+		labels?: {
+			[string]: string
+		}
+
+		// Name of the subset.
+		name: string
+
+		// Traffic policies that apply to this subset.
+		trafficPolicy?: {
+			connectionPool?: {
+				// HTTP connection pool settings.
+				http?: {
+					// Specify if http1.1 connection should be upgraded to http2 for
+					// the associated destination.
+					h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
+
+					// Maximum number of requests that will be queued while waiting
+					// for a ready connection pool connection.
+					http1MaxPendingRequests?: int
+
+					// Maximum number of active requests to a destination.
+					http2MaxRequests?: int
+
+					// The idle timeout for upstream connection pool connections.
+					idleTimeout?: string
+
+					// Maximum number of requests per connection to a backend.
+					maxRequestsPerConnection?: int
+
+					// Maximum number of retries that can be outstanding to all hosts
+					// in a cluster at a given time.
+					maxRetries?: int
+
+					// If set to true, client protocol will be preserved while
+					// initiating connection to backend.
+					useClientProtocol?: bool
+				}
+
+				// Settings common to both HTTP and TCP upstream connections.
+				tcp?: {
+					// TCP connection timeout.
+					connectTimeout?: string
+
+					// The maximum duration of a connection.
+					maxConnectionDuration?: string
+
+					// Maximum number of HTTP1 /TCP connections to a destination host.
+					maxConnections?: int
+
+					// If set then set SO_KEEPALIVE on the socket to enable TCP
+					// Keepalives.
+					tcpKeepalive?: {
+						// The time duration between keep-alive probes.
+						interval?: string
+
+						// Maximum number of keepalive probes to send without response
+						// before deciding the connection is dead.
+						probes?: int
+
+						// The time duration a connection needs to be idle before
+						// keep-alive probes start being sent.
+						time?: string
+					}
+				}
+			}
+
+			// Settings controlling the load balancer algorithms.
+			loadBalancer?: ({} | {
+				simple: _
+			} | {
+				consistentHash: _
+			}) & {
+				consistentHash?: ({} | {
+					httpHeaderName: _
+				} | {
+					httpCookie: _
+				} | {
+					useSourceIp: _
+				} | {
+					httpQueryParameterName: _
+				}) & ({} | {
+					ringHash: _
+				} | {
+					maglev: _
+				}) & {
+					// Hash based on HTTP cookie.
+					httpCookie?: {
+						// Name of the cookie.
+						name: string
+
+						// Path to set for the cookie.
+						path?: string
+
+						// Lifetime of the cookie.
+						ttl?: string
+					}
+
+					// Hash based on a specific HTTP header.
+					httpHeaderName?: string
+
+					// Hash based on a specific HTTP query parameter.
+					httpQueryParameterName?: string
+					maglev?: {
+						// The table size for Maglev hashing.
+						tableSize?: int
+					}
+
+					// Deprecated.
+					minimumRingSize?: int
+					ringHash?: {
+						// The minimum number of virtual nodes to use for the hash ring.
+						minimumRingSize?: int
+					}
+
+					// Hash based on the source IP address.
+					useSourceIp?: bool
+				}
+				localityLbSetting?: {
+					// Optional: only one of distribute, failover or failoverPriority
+					// can be set.
+					distribute?: [...{
+						// Originating locality, '/' separated, e.g.
+						from?: string
+
+						// Map of upstream localities to traffic distribution weights.
+						to?: {
+							[string]: int
+						}
+					}]
+
+					// enable locality load balancing, this is DestinationRule-level
+					// and will override mesh wide settings in entirety.
+					enabled?: null | bool
+
+					// Optional: only one of distribute, failover or failoverPriority
+					// can be set.
+					failover?: [...{
+						// Originating region.
+						from?: string
+
+						// Destination region the traffic will fail over to when endpoints
+						// in the 'from' region becomes unhealthy.
+						to?: string
+					}]
+
+					// failoverPriority is an ordered list of labels used to sort
+					// endpoints to do priority based load balancing.
+					failoverPriority?: [...string]
+				}
+				simple?: "UNSPECIFIED" | "LEAST_CONN" | "RANDOM" | "PASSTHROUGH" | "ROUND_ROBIN" | "LEAST_REQUEST"
+
+				// Represents the warmup duration of Service.
+				warmupDurationSecs?: string
+			}
+			outlierDetection?: {
+				// Minimum ejection duration.
+				baseEjectionTime?: string
+
+				// Number of 5xx errors before a host is ejected from the
+				// connection pool.
+				consecutive5xxErrors?: null | int
+				consecutiveErrors?:    int
+
+				// Number of gateway errors before a host is ejected from the
+				// connection pool.
+				consecutiveGatewayErrors?: null | int
+
+				// The number of consecutive locally originated failures before
+				// ejection occurs.
+				consecutiveLocalOriginFailures?: null | int
+
+				// Time interval between ejection sweep analysis.
+				interval?: string
+
+				// Maximum % of hosts in the load balancing pool for the upstream
+				// service that can be ejected.
+				maxEjectionPercent?: int
+
+				// Outlier detection will be enabled as long as the associated
+				// load balancing pool has at least min_health_percent hosts in
+				// healthy mode.
+				minHealthPercent?: int
+
+				// Determines whether to distinguish local origin failures from
+				// external errors.
+				splitExternalLocalOriginErrors?: bool
+			}
+
+			// Traffic policies specific to individual ports.
+			portLevelSettings?: [...{
+				connectionPool?: {
+					// HTTP connection pool settings.
+					http?: {
+						// Specify if http1.1 connection should be upgraded to http2 for
+						// the associated destination.
+						h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
+
+						// Maximum number of requests that will be queued while waiting
+						// for a ready connection pool connection.
+						http1MaxPendingRequests?: int
+
+						// Maximum number of active requests to a destination.
+						http2MaxRequests?: int
+
+						// The idle timeout for upstream connection pool connections.
+						idleTimeout?: string
+
+						// Maximum number of requests per connection to a backend.
+						maxRequestsPerConnection?: int
+
+						// Maximum number of retries that can be outstanding to all hosts
+						// in a cluster at a given time.
+						maxRetries?: int
+
+						// If set to true, client protocol will be preserved while
+						// initiating connection to backend.
+						useClientProtocol?: bool
+					}
+
+					// Settings common to both HTTP and TCP upstream connections.
+					tcp?: {
+						// TCP connection timeout.
+						connectTimeout?: string
+
+						// The maximum duration of a connection.
+						maxConnectionDuration?: string
+
+						// Maximum number of HTTP1 /TCP connections to a destination host.
+						maxConnections?: int
+
+						// If set then set SO_KEEPALIVE on the socket to enable TCP
+						// Keepalives.
+						tcpKeepalive?: {
+							// The time duration between keep-alive probes.
+							interval?: string
+
+							// Maximum number of keepalive probes to send without response
+							// before deciding the connection is dead.
+							probes?: int
+
+							// The time duration a connection needs to be idle before
+							// keep-alive probes start being sent.
+							time?: string
+						}
+					}
+				}
+
+				// Settings controlling the load balancer algorithms.
+				loadBalancer?: ({} | {
+					simple: _
+				} | {
+					consistentHash: _
+				}) & {
+					consistentHash?: ({} | {
+						httpHeaderName: _
+					} | {
+						httpCookie: _
+					} | {
+						useSourceIp: _
+					} | {
+						httpQueryParameterName: _
+					}) & ({} | {
+						ringHash: _
+					} | {
+						maglev: _
+					}) & {
+						// Hash based on HTTP cookie.
+						httpCookie?: {
+							// Name of the cookie.
+							name: string
+
+							// Path to set for the cookie.
+							path?: string
+
+							// Lifetime of the cookie.
+							ttl?: string
+						}
+
+						// Hash based on a specific HTTP header.
+						httpHeaderName?: string
+
+						// Hash based on a specific HTTP query parameter.
+						httpQueryParameterName?: string
+						maglev?: {
+							// The table size for Maglev hashing.
+							tableSize?: int
+						}
+
+						// Deprecated.
+						minimumRingSize?: int
+						ringHash?: {
+							// The minimum number of virtual nodes to use for the hash ring.
+							minimumRingSize?: int
+						}
+
+						// Hash based on the source IP address.
+						useSourceIp?: bool
+					}
+					localityLbSetting?: {
+						// Optional: only one of distribute, failover or failoverPriority
+						// can be set.
+						distribute?: [...{
+							// Originating locality, '/' separated, e.g.
+							from?: string
+
+							// Map of upstream localities to traffic distribution weights.
+							to?: {
+								[string]: int
+							}
+						}]
+
+						// enable locality load balancing, this is DestinationRule-level
+						// and will override mesh wide settings in entirety.
+						enabled?: null | bool
+
+						// Optional: only one of distribute, failover or failoverPriority
+						// can be set.
+						failover?: [...{
+							// Originating region.
+							from?: string
+
+							// Destination region the traffic will fail over to when endpoints
+							// in the 'from' region becomes unhealthy.
+							to?: string
+						}]
+
+						// failoverPriority is an ordered list of labels used to sort
+						// endpoints to do priority based load balancing.
+						failoverPriority?: [...string]
+					}
+					simple?: "UNSPECIFIED" | "LEAST_CONN" | "RANDOM" | "PASSTHROUGH" | "ROUND_ROBIN" | "LEAST_REQUEST"
+
+					// Represents the warmup duration of Service.
+					warmupDurationSecs?: string
+				}
+				outlierDetection?: {
+					// Minimum ejection duration.
+					baseEjectionTime?: string
+
+					// Number of 5xx errors before a host is ejected from the
+					// connection pool.
+					consecutive5xxErrors?: null | int
+					consecutiveErrors?:    int
+
+					// Number of gateway errors before a host is ejected from the
+					// connection pool.
+					consecutiveGatewayErrors?: null | int
+
+					// The number of consecutive locally originated failures before
+					// ejection occurs.
+					consecutiveLocalOriginFailures?: null | int
+
+					// Time interval between ejection sweep analysis.
+					interval?: string
+
+					// Maximum % of hosts in the load balancing pool for the upstream
+					// service that can be ejected.
+					maxEjectionPercent?: int
+
+					// Outlier detection will be enabled as long as the associated
+					// load balancing pool has at least min_health_percent hosts in
+					// healthy mode.
+					minHealthPercent?: int
+
+					// Determines whether to distinguish local origin failures from
+					// external errors.
+					splitExternalLocalOriginErrors?: bool
+				}
+				port?: {
+					number?: int
+				}
+
+				// TLS related settings for connections to the upstream service.
+				tls?: {
+					// OPTIONAL: The path to the file containing certificate authority
+					// certificates to use in verifying a presented server
+					// certificate.
+					caCertificates?: string
+
+					// REQUIRED if mode is `MUTUAL`.
+					clientCertificate?: string
+
+					// The name of the secret that holds the TLS certs for the client
+					// including the CA certificates.
+					credentialName?: string
+
+					// `insecureSkipVerify` specifies whether the proxy should skip
+					// verifying the CA signature and SAN for the server certificate
+					// corresponding to the host.
+					insecureSkipVerify?: null | bool
+
+					// Indicates whether connections to this port should be secured
+					// using TLS.
+					mode?: "DISABLE" | "SIMPLE" | "MUTUAL" | "ISTIO_MUTUAL"
+
+					// REQUIRED if mode is `MUTUAL`.
+					privateKey?: string
+
+					// SNI string to present to the server during TLS handshake.
+					sni?: string
+
+					// A list of alternate names to verify the subject identity in the
+					// certificate.
+					subjectAltNames?: [...string]
+				}
+			}]
+
+			// TLS related settings for connections to the upstream service.
+			tls?: {
+				// OPTIONAL: The path to the file containing certificate authority
+				// certificates to use in verifying a presented server
+				// certificate.
+				caCertificates?: string
+
+				// REQUIRED if mode is `MUTUAL`.
+				clientCertificate?: string
+
+				// The name of the secret that holds the TLS certs for the client
+				// including the CA certificates.
+				credentialName?: string
+
+				// `insecureSkipVerify` specifies whether the proxy should skip
+				// verifying the CA signature and SAN for the server certificate
+				// corresponding to the host.
+				insecureSkipVerify?: null | bool
+
+				// Indicates whether connections to this port should be secured
+				// using TLS.
+				mode?: "DISABLE" | "SIMPLE" | "MUTUAL" | "ISTIO_MUTUAL"
+
+				// REQUIRED if mode is `MUTUAL`.
+				privateKey?: string
+
+				// SNI string to present to the server during TLS handshake.
+				sni?: string
+
+				// A list of alternate names to verify the subject identity in the
+				// certificate.
+				subjectAltNames?: [...string]
+			}
+
+			// Configuration of tunneling TCP over other transport or
+			// application layers for the host configured in the
+			// DestinationRule.
+			tunnel?: {
+				// Specifies which protocol to use for tunneling the downstream
+				// connection.
+				protocol?: string
+
+				// Specifies a host to which the downstream connection is
+				// tunneled.
+				targetHost: string
+
+				// Specifies a port to which the downstream connection is
+				// tunneled.
+				targetPort: int
+			}
+		}
+	}]
+
+	// Traffic policies to apply (load balancing policy, connection
+	// pool sizes, outlier detection).
+	trafficPolicy?: {
+		connectionPool?: {
+			// HTTP connection pool settings.
+			http?: {
+				// Specify if http1.1 connection should be upgraded to http2 for
+				// the associated destination.
+				h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
+
+				// Maximum number of requests that will be queued while waiting
+				// for a ready connection pool connection.
+				http1MaxPendingRequests?: int
+
+				// Maximum number of active requests to a destination.
+				http2MaxRequests?: int
+
+				// The idle timeout for upstream connection pool connections.
+				idleTimeout?: string
+
+				// Maximum number of requests per connection to a backend.
+				maxRequestsPerConnection?: int
+
+				// Maximum number of retries that can be outstanding to all hosts
+				// in a cluster at a given time.
+				maxRetries?: int
+
+				// If set to true, client protocol will be preserved while
+				// initiating connection to backend.
+				useClientProtocol?: bool
+			}
+
+			// Settings common to both HTTP and TCP upstream connections.
+			tcp?: {
+				// TCP connection timeout.
+				connectTimeout?: string
+
+				// The maximum duration of a connection.
+				maxConnectionDuration?: string
+
+				// Maximum number of HTTP1 /TCP connections to a destination host.
+				maxConnections?: int
+
+				// If set then set SO_KEEPALIVE on the socket to enable TCP
+				// Keepalives.
+				tcpKeepalive?: {
+					// The time duration between keep-alive probes.
+					interval?: string
+
+					// Maximum number of keepalive probes to send without response
+					// before deciding the connection is dead.
+					probes?: int
+
+					// The time duration a connection needs to be idle before
+					// keep-alive probes start being sent.
+					time?: string
+				}
+			}
+		}
+
+		// Settings controlling the load balancer algorithms.
+		loadBalancer?: ({} | {
+			simple: _
+		} | {
+			consistentHash: _
+		}) & {
+			consistentHash?: ({} | {
+				httpHeaderName: _
+			} | {
+				httpCookie: _
+			} | {
+				useSourceIp: _
+			} | {
+				httpQueryParameterName: _
+			}) & ({} | {
+				ringHash: _
+			} | {
+				maglev: _
+			}) & {
+				// Hash based on HTTP cookie.
+				httpCookie?: {
+					// Name of the cookie.
+					name: string
+
+					// Path to set for the cookie.
+					path?: string
+
+					// Lifetime of the cookie.
+					ttl?: string
+				}
+
+				// Hash based on a specific HTTP header.
+				httpHeaderName?: string
+
+				// Hash based on a specific HTTP query parameter.
+				httpQueryParameterName?: string
+				maglev?: {
+					// The table size for Maglev hashing.
+					tableSize?: int
+				}
+
+				// Deprecated.
+				minimumRingSize?: int
+				ringHash?: {
+					// The minimum number of virtual nodes to use for the hash ring.
+					minimumRingSize?: int
+				}
+
+				// Hash based on the source IP address.
+				useSourceIp?: bool
+			}
+			localityLbSetting?: {
+				// Optional: only one of distribute, failover or failoverPriority
+				// can be set.
+				distribute?: [...{
+					// Originating locality, '/' separated, e.g.
+					from?: string
+
+					// Map of upstream localities to traffic distribution weights.
+					to?: {
+						[string]: int
+					}
+				}]
+
+				// enable locality load balancing, this is DestinationRule-level
+				// and will override mesh wide settings in entirety.
+				enabled?: null | bool
+
+				// Optional: only one of distribute, failover or failoverPriority
+				// can be set.
+				failover?: [...{
+					// Originating region.
+					from?: string
+
+					// Destination region the traffic will fail over to when endpoints
+					// in the 'from' region becomes unhealthy.
+					to?: string
+				}]
+
+				// failoverPriority is an ordered list of labels used to sort
+				// endpoints to do priority based load balancing.
+				failoverPriority?: [...string]
+			}
+			simple?: "UNSPECIFIED" | "LEAST_CONN" | "RANDOM" | "PASSTHROUGH" | "ROUND_ROBIN" | "LEAST_REQUEST"
+
+			// Represents the warmup duration of Service.
+			warmupDurationSecs?: string
+		}
+		outlierDetection?: {
+			// Minimum ejection duration.
+			baseEjectionTime?: string
+
+			// Number of 5xx errors before a host is ejected from the
+			// connection pool.
+			consecutive5xxErrors?: null | int
+			consecutiveErrors?:    int
+
+			// Number of gateway errors before a host is ejected from the
+			// connection pool.
+			consecutiveGatewayErrors?: null | int
+
+			// The number of consecutive locally originated failures before
+			// ejection occurs.
+			consecutiveLocalOriginFailures?: null | int
+
+			// Time interval between ejection sweep analysis.
+			interval?: string
+
+			// Maximum % of hosts in the load balancing pool for the upstream
+			// service that can be ejected.
+			maxEjectionPercent?: int
+
+			// Outlier detection will be enabled as long as the associated
+			// load balancing pool has at least min_health_percent hosts in
+			// healthy mode.
+			minHealthPercent?: int
+
+			// Determines whether to distinguish local origin failures from
+			// external errors.
+			splitExternalLocalOriginErrors?: bool
+		}
+
+		// Traffic policies specific to individual ports.
+		portLevelSettings?: [...{
+			connectionPool?: {
+				// HTTP connection pool settings.
+				http?: {
+					// Specify if http1.1 connection should be upgraded to http2 for
+					// the associated destination.
+					h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
+
+					// Maximum number of requests that will be queued while waiting
+					// for a ready connection pool connection.
+					http1MaxPendingRequests?: int
+
+					// Maximum number of active requests to a destination.
+					http2MaxRequests?: int
+
+					// The idle timeout for upstream connection pool connections.
+					idleTimeout?: string
+
+					// Maximum number of requests per connection to a backend.
+					maxRequestsPerConnection?: int
+
+					// Maximum number of retries that can be outstanding to all hosts
+					// in a cluster at a given time.
+					maxRetries?: int
+
+					// If set to true, client protocol will be preserved while
+					// initiating connection to backend.
+					useClientProtocol?: bool
+				}
+
+				// Settings common to both HTTP and TCP upstream connections.
+				tcp?: {
+					// TCP connection timeout.
+					connectTimeout?: string
+
+					// The maximum duration of a connection.
+					maxConnectionDuration?: string
+
+					// Maximum number of HTTP1 /TCP connections to a destination host.
+					maxConnections?: int
+
+					// If set then set SO_KEEPALIVE on the socket to enable TCP
+					// Keepalives.
+					tcpKeepalive?: {
+						// The time duration between keep-alive probes.
+						interval?: string
+
+						// Maximum number of keepalive probes to send without response
+						// before deciding the connection is dead.
+						probes?: int
+
+						// The time duration a connection needs to be idle before
+						// keep-alive probes start being sent.
+						time?: string
+					}
+				}
+			}
+
+			// Settings controlling the load balancer algorithms.
+			loadBalancer?: ({} | {
+				simple: _
+			} | {
+				consistentHash: _
+			}) & {
+				consistentHash?: ({} | {
+					httpHeaderName: _
+				} | {
+					httpCookie: _
+				} | {
+					useSourceIp: _
+				} | {
+					httpQueryParameterName: _
+				}) & ({} | {
+					ringHash: _
+				} | {
+					maglev: _
+				}) & {
+					// Hash based on HTTP cookie.
+					httpCookie?: {
+						// Name of the cookie.
+						name: string
+
+						// Path to set for the cookie.
+						path?: string
+
+						// Lifetime of the cookie.
+						ttl?: string
+					}
+
+					// Hash based on a specific HTTP header.
+					httpHeaderName?: string
+
+					// Hash based on a specific HTTP query parameter.
+					httpQueryParameterName?: string
+					maglev?: {
+						// The table size for Maglev hashing.
+						tableSize?: int
+					}
+
+					// Deprecated.
+					minimumRingSize?: int
+					ringHash?: {
+						// The minimum number of virtual nodes to use for the hash ring.
+						minimumRingSize?: int
+					}
+
+					// Hash based on the source IP address.
+					useSourceIp?: bool
+				}
+				localityLbSetting?: {
+					// Optional: only one of distribute, failover or failoverPriority
+					// can be set.
+					distribute?: [...{
+						// Originating locality, '/' separated, e.g.
+						from?: string
+
+						// Map of upstream localities to traffic distribution weights.
+						to?: {
+							[string]: int
+						}
+					}]
+
+					// enable locality load balancing, this is DestinationRule-level
+					// and will override mesh wide settings in entirety.
+					enabled?: null | bool
+
+					// Optional: only one of distribute, failover or failoverPriority
+					// can be set.
+					failover?: [...{
+						// Originating region.
+						from?: string
+
+						// Destination region the traffic will fail over to when endpoints
+						// in the 'from' region becomes unhealthy.
+						to?: string
+					}]
+
+					// failoverPriority is an ordered list of labels used to sort
+					// endpoints to do priority based load balancing.
+					failoverPriority?: [...string]
+				}
+				simple?: "UNSPECIFIED" | "LEAST_CONN" | "RANDOM" | "PASSTHROUGH" | "ROUND_ROBIN" | "LEAST_REQUEST"
+
+				// Represents the warmup duration of Service.
+				warmupDurationSecs?: string
+			}
+			outlierDetection?: {
+				// Minimum ejection duration.
+				baseEjectionTime?: string
+
+				// Number of 5xx errors before a host is ejected from the
+				// connection pool.
+				consecutive5xxErrors?: null | int
+				consecutiveErrors?:    int
+
+				// Number of gateway errors before a host is ejected from the
+				// connection pool.
+				consecutiveGatewayErrors?: null | int
+
+				// The number of consecutive locally originated failures before
+				// ejection occurs.
+				consecutiveLocalOriginFailures?: null | int
+
+				// Time interval between ejection sweep analysis.
+				interval?: string
+
+				// Maximum % of hosts in the load balancing pool for the upstream
+				// service that can be ejected.
+				maxEjectionPercent?: int
+
+				// Outlier detection will be enabled as long as the associated
+				// load balancing pool has at least min_health_percent hosts in
+				// healthy mode.
+				minHealthPercent?: int
+
+				// Determines whether to distinguish local origin failures from
+				// external errors.
+				splitExternalLocalOriginErrors?: bool
+			}
+			port?: {
+				number?: int
+			}
+
+			// TLS related settings for connections to the upstream service.
+			tls?: {
+				// OPTIONAL: The path to the file containing certificate authority
+				// certificates to use in verifying a presented server
+				// certificate.
+				caCertificates?: string
+
+				// REQUIRED if mode is `MUTUAL`.
+				clientCertificate?: string
+
+				// The name of the secret that holds the TLS certs for the client
+				// including the CA certificates.
+				credentialName?: string
+
+				// `insecureSkipVerify` specifies whether the proxy should skip
+				// verifying the CA signature and SAN for the server certificate
+				// corresponding to the host.
+				insecureSkipVerify?: null | bool
+
+				// Indicates whether connections to this port should be secured
+				// using TLS.
+				mode?: "DISABLE" | "SIMPLE" | "MUTUAL" | "ISTIO_MUTUAL"
+
+				// REQUIRED if mode is `MUTUAL`.
+				privateKey?: string
+
+				// SNI string to present to the server during TLS handshake.
+				sni?: string
+
+				// A list of alternate names to verify the subject identity in the
+				// certificate.
+				subjectAltNames?: [...string]
+			}
+		}]
+
+		// TLS related settings for connections to the upstream service.
+		tls?: {
+			// OPTIONAL: The path to the file containing certificate authority
+			// certificates to use in verifying a presented server
+			// certificate.
+			caCertificates?: string
+
+			// REQUIRED if mode is `MUTUAL`.
+			clientCertificate?: string
+
+			// The name of the secret that holds the TLS certs for the client
+			// including the CA certificates.
+			credentialName?: string
+
+			// `insecureSkipVerify` specifies whether the proxy should skip
+			// verifying the CA signature and SAN for the server certificate
+			// corresponding to the host.
+			insecureSkipVerify?: null | bool
+
+			// Indicates whether connections to this port should be secured
+			// using TLS.
+			mode?: "DISABLE" | "SIMPLE" | "MUTUAL" | "ISTIO_MUTUAL"
+
+			// REQUIRED if mode is `MUTUAL`.
+			privateKey?: string
+
+			// SNI string to present to the server during TLS handshake.
+			sni?: string
+
+			// A list of alternate names to verify the subject identity in the
+			// certificate.
+			subjectAltNames?: [...string]
+		}
+
+		// Configuration of tunneling TCP over other transport or
+		// application layers for the host configured in the
+		// DestinationRule.
+		tunnel?: {
+			// Specifies which protocol to use for tunneling the downstream
+			// connection.
+			protocol?: string
+
+			// Specifies a host to which the downstream connection is
+			// tunneled.
+			targetHost: string
+
+			// Specifies a port to which the downstream connection is
+			// tunneled.
+			targetPort: int
+		}
+	}
+	workloadSelector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which a policy should be applied.
+		matchLabels?: {
+			[string]: string
+		}
+	}
+}

docs/examples/cue.mod/gen/networking.istio.io/destinationrule/v1beta1/types_gen.cue

@@ -0,0 +1,967 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1beta1
+
+import "strings"
+
+#DestinationRule: {
+	// Configuration affecting load balancing, outlier detection, etc.
+	// See more details at:
+	// https://istio.io/docs/reference/config/networking/destination-rule.html
+	spec!:      #DestinationRuleSpec
+	apiVersion: "networking.istio.io/v1beta1"
+	kind:       "DestinationRule"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting load balancing, outlier detection, etc.
+// See more details at:
+// https://istio.io/docs/reference/config/networking/destination-rule.html
+#DestinationRuleSpec: {
+	// A list of namespaces to which this destination rule is
+	// exported.
+	exportTo?: [...string]
+
+	// The name of a service from the service registry.
+	host: string
+
+	// One or more named sets that represent individual versions of a
+	// service.
+	subsets?: [...{
+		// Labels apply a filter over the endpoints of a service in the
+		// service registry.
+		labels?: {
+			[string]: string
+		}
+
+		// Name of the subset.
+		name: string
+
+		// Traffic policies that apply to this subset.
+		trafficPolicy?: {
+			connectionPool?: {
+				// HTTP connection pool settings.
+				http?: {
+					// Specify if http1.1 connection should be upgraded to http2 for
+					// the associated destination.
+					h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
+
+					// Maximum number of requests that will be queued while waiting
+					// for a ready connection pool connection.
+					http1MaxPendingRequests?: int
+
+					// Maximum number of active requests to a destination.
+					http2MaxRequests?: int
+
+					// The idle timeout for upstream connection pool connections.
+					idleTimeout?: string
+
+					// Maximum number of requests per connection to a backend.
+					maxRequestsPerConnection?: int
+
+					// Maximum number of retries that can be outstanding to all hosts
+					// in a cluster at a given time.
+					maxRetries?: int
+
+					// If set to true, client protocol will be preserved while
+					// initiating connection to backend.
+					useClientProtocol?: bool
+				}
+
+				// Settings common to both HTTP and TCP upstream connections.
+				tcp?: {
+					// TCP connection timeout.
+					connectTimeout?: string
+
+					// The maximum duration of a connection.
+					maxConnectionDuration?: string
+
+					// Maximum number of HTTP1 /TCP connections to a destination host.
+					maxConnections?: int
+
+					// If set then set SO_KEEPALIVE on the socket to enable TCP
+					// Keepalives.
+					tcpKeepalive?: {
+						// The time duration between keep-alive probes.
+						interval?: string
+
+						// Maximum number of keepalive probes to send without response
+						// before deciding the connection is dead.
+						probes?: int
+
+						// The time duration a connection needs to be idle before
+						// keep-alive probes start being sent.
+						time?: string
+					}
+				}
+			}
+
+			// Settings controlling the load balancer algorithms.
+			loadBalancer?: ({} | {
+				simple: _
+			} | {
+				consistentHash: _
+			}) & {
+				consistentHash?: ({} | {
+					httpHeaderName: _
+				} | {
+					httpCookie: _
+				} | {
+					useSourceIp: _
+				} | {
+					httpQueryParameterName: _
+				}) & ({} | {
+					ringHash: _
+				} | {
+					maglev: _
+				}) & {
+					// Hash based on HTTP cookie.
+					httpCookie?: {
+						// Name of the cookie.
+						name: string
+
+						// Path to set for the cookie.
+						path?: string
+
+						// Lifetime of the cookie.
+						ttl?: string
+					}
+
+					// Hash based on a specific HTTP header.
+					httpHeaderName?: string
+
+					// Hash based on a specific HTTP query parameter.
+					httpQueryParameterName?: string
+					maglev?: {
+						// The table size for Maglev hashing.
+						tableSize?: int
+					}
+
+					// Deprecated.
+					minimumRingSize?: int
+					ringHash?: {
+						// The minimum number of virtual nodes to use for the hash ring.
+						minimumRingSize?: int
+					}
+
+					// Hash based on the source IP address.
+					useSourceIp?: bool
+				}
+				localityLbSetting?: {
+					// Optional: only one of distribute, failover or failoverPriority
+					// can be set.
+					distribute?: [...{
+						// Originating locality, '/' separated, e.g.
+						from?: string
+
+						// Map of upstream localities to traffic distribution weights.
+						to?: {
+							[string]: int
+						}
+					}]
+
+					// enable locality load balancing, this is DestinationRule-level
+					// and will override mesh wide settings in entirety.
+					enabled?: null | bool
+
+					// Optional: only one of distribute, failover or failoverPriority
+					// can be set.
+					failover?: [...{
+						// Originating region.
+						from?: string
+
+						// Destination region the traffic will fail over to when endpoints
+						// in the 'from' region becomes unhealthy.
+						to?: string
+					}]
+
+					// failoverPriority is an ordered list of labels used to sort
+					// endpoints to do priority based load balancing.
+					failoverPriority?: [...string]
+				}
+				simple?: "UNSPECIFIED" | "LEAST_CONN" | "RANDOM" | "PASSTHROUGH" | "ROUND_ROBIN" | "LEAST_REQUEST"
+
+				// Represents the warmup duration of Service.
+				warmupDurationSecs?: string
+			}
+			outlierDetection?: {
+				// Minimum ejection duration.
+				baseEjectionTime?: string
+
+				// Number of 5xx errors before a host is ejected from the
+				// connection pool.
+				consecutive5xxErrors?: null | int
+				consecutiveErrors?:    int
+
+				// Number of gateway errors before a host is ejected from the
+				// connection pool.
+				consecutiveGatewayErrors?: null | int
+
+				// The number of consecutive locally originated failures before
+				// ejection occurs.
+				consecutiveLocalOriginFailures?: null | int
+
+				// Time interval between ejection sweep analysis.
+				interval?: string
+
+				// Maximum % of hosts in the load balancing pool for the upstream
+				// service that can be ejected.
+				maxEjectionPercent?: int
+
+				// Outlier detection will be enabled as long as the associated
+				// load balancing pool has at least min_health_percent hosts in
+				// healthy mode.
+				minHealthPercent?: int
+
+				// Determines whether to distinguish local origin failures from
+				// external errors.
+				splitExternalLocalOriginErrors?: bool
+			}
+
+			// Traffic policies specific to individual ports.
+			portLevelSettings?: [...{
+				connectionPool?: {
+					// HTTP connection pool settings.
+					http?: {
+						// Specify if http1.1 connection should be upgraded to http2 for
+						// the associated destination.
+						h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
+
+						// Maximum number of requests that will be queued while waiting
+						// for a ready connection pool connection.
+						http1MaxPendingRequests?: int
+
+						// Maximum number of active requests to a destination.
+						http2MaxRequests?: int
+
+						// The idle timeout for upstream connection pool connections.
+						idleTimeout?: string
+
+						// Maximum number of requests per connection to a backend.
+						maxRequestsPerConnection?: int
+
+						// Maximum number of retries that can be outstanding to all hosts
+						// in a cluster at a given time.
+						maxRetries?: int
+
+						// If set to true, client protocol will be preserved while
+						// initiating connection to backend.
+						useClientProtocol?: bool
+					}
+
+					// Settings common to both HTTP and TCP upstream connections.
+					tcp?: {
+						// TCP connection timeout.
+						connectTimeout?: string
+
+						// The maximum duration of a connection.
+						maxConnectionDuration?: string
+
+						// Maximum number of HTTP1 /TCP connections to a destination host.
+						maxConnections?: int
+
+						// If set then set SO_KEEPALIVE on the socket to enable TCP
+						// Keepalives.
+						tcpKeepalive?: {
+							// The time duration between keep-alive probes.
+							interval?: string
+
+							// Maximum number of keepalive probes to send without response
+							// before deciding the connection is dead.
+							probes?: int
+
+							// The time duration a connection needs to be idle before
+							// keep-alive probes start being sent.
+							time?: string
+						}
+					}
+				}
+
+				// Settings controlling the load balancer algorithms.
+				loadBalancer?: ({} | {
+					simple: _
+				} | {
+					consistentHash: _
+				}) & {
+					consistentHash?: ({} | {
+						httpHeaderName: _
+					} | {
+						httpCookie: _
+					} | {
+						useSourceIp: _
+					} | {
+						httpQueryParameterName: _
+					}) & ({} | {
+						ringHash: _
+					} | {
+						maglev: _
+					}) & {
+						// Hash based on HTTP cookie.
+						httpCookie?: {
+							// Name of the cookie.
+							name: string
+
+							// Path to set for the cookie.
+							path?: string
+
+							// Lifetime of the cookie.
+							ttl?: string
+						}
+
+						// Hash based on a specific HTTP header.
+						httpHeaderName?: string
+
+						// Hash based on a specific HTTP query parameter.
+						httpQueryParameterName?: string
+						maglev?: {
+							// The table size for Maglev hashing.
+							tableSize?: int
+						}
+
+						// Deprecated.
+						minimumRingSize?: int
+						ringHash?: {
+							// The minimum number of virtual nodes to use for the hash ring.
+							minimumRingSize?: int
+						}
+
+						// Hash based on the source IP address.
+						useSourceIp?: bool
+					}
+					localityLbSetting?: {
+						// Optional: only one of distribute, failover or failoverPriority
+						// can be set.
+						distribute?: [...{
+							// Originating locality, '/' separated, e.g.
+							from?: string
+
+							// Map of upstream localities to traffic distribution weights.
+							to?: {
+								[string]: int
+							}
+						}]
+
+						// enable locality load balancing, this is DestinationRule-level
+						// and will override mesh wide settings in entirety.
+						enabled?: null | bool
+
+						// Optional: only one of distribute, failover or failoverPriority
+						// can be set.
+						failover?: [...{
+							// Originating region.
+							from?: string
+
+							// Destination region the traffic will fail over to when endpoints
+							// in the 'from' region becomes unhealthy.
+							to?: string
+						}]
+
+						// failoverPriority is an ordered list of labels used to sort
+						// endpoints to do priority based load balancing.
+						failoverPriority?: [...string]
+					}
+					simple?: "UNSPECIFIED" | "LEAST_CONN" | "RANDOM" | "PASSTHROUGH" | "ROUND_ROBIN" | "LEAST_REQUEST"
+
+					// Represents the warmup duration of Service.
+					warmupDurationSecs?: string
+				}
+				outlierDetection?: {
+					// Minimum ejection duration.
+					baseEjectionTime?: string
+
+					// Number of 5xx errors before a host is ejected from the
+					// connection pool.
+					consecutive5xxErrors?: null | int
+					consecutiveErrors?:    int
+
+					// Number of gateway errors before a host is ejected from the
+					// connection pool.
+					consecutiveGatewayErrors?: null | int
+
+					// The number of consecutive locally originated failures before
+					// ejection occurs.
+					consecutiveLocalOriginFailures?: null | int
+
+					// Time interval between ejection sweep analysis.
+					interval?: string
+
+					// Maximum % of hosts in the load balancing pool for the upstream
+					// service that can be ejected.
+					maxEjectionPercent?: int
+
+					// Outlier detection will be enabled as long as the associated
+					// load balancing pool has at least min_health_percent hosts in
+					// healthy mode.
+					minHealthPercent?: int
+
+					// Determines whether to distinguish local origin failures from
+					// external errors.
+					splitExternalLocalOriginErrors?: bool
+				}
+				port?: {
+					number?: int
+				}
+
+				// TLS related settings for connections to the upstream service.
+				tls?: {
+					// OPTIONAL: The path to the file containing certificate authority
+					// certificates to use in verifying a presented server
+					// certificate.
+					caCertificates?: string
+
+					// REQUIRED if mode is `MUTUAL`.
+					clientCertificate?: string
+
+					// The name of the secret that holds the TLS certs for the client
+					// including the CA certificates.
+					credentialName?: string
+
+					// `insecureSkipVerify` specifies whether the proxy should skip
+					// verifying the CA signature and SAN for the server certificate
+					// corresponding to the host.
+					insecureSkipVerify?: null | bool
+
+					// Indicates whether connections to this port should be secured
+					// using TLS.
+					mode?: "DISABLE" | "SIMPLE" | "MUTUAL" | "ISTIO_MUTUAL"
+
+					// REQUIRED if mode is `MUTUAL`.
+					privateKey?: string
+
+					// SNI string to present to the server during TLS handshake.
+					sni?: string
+
+					// A list of alternate names to verify the subject identity in the
+					// certificate.
+					subjectAltNames?: [...string]
+				}
+			}]
+
+			// TLS related settings for connections to the upstream service.
+			tls?: {
+				// OPTIONAL: The path to the file containing certificate authority
+				// certificates to use in verifying a presented server
+				// certificate.
+				caCertificates?: string
+
+				// REQUIRED if mode is `MUTUAL`.
+				clientCertificate?: string
+
+				// The name of the secret that holds the TLS certs for the client
+				// including the CA certificates.
+				credentialName?: string
+
+				// `insecureSkipVerify` specifies whether the proxy should skip
+				// verifying the CA signature and SAN for the server certificate
+				// corresponding to the host.
+				insecureSkipVerify?: null | bool
+
+				// Indicates whether connections to this port should be secured
+				// using TLS.
+				mode?: "DISABLE" | "SIMPLE" | "MUTUAL" | "ISTIO_MUTUAL"
+
+				// REQUIRED if mode is `MUTUAL`.
+				privateKey?: string
+
+				// SNI string to present to the server during TLS handshake.
+				sni?: string
+
+				// A list of alternate names to verify the subject identity in the
+				// certificate.
+				subjectAltNames?: [...string]
+			}
+
+			// Configuration of tunneling TCP over other transport or
+			// application layers for the host configured in the
+			// DestinationRule.
+			tunnel?: {
+				// Specifies which protocol to use for tunneling the downstream
+				// connection.
+				protocol?: string
+
+				// Specifies a host to which the downstream connection is
+				// tunneled.
+				targetHost: string
+
+				// Specifies a port to which the downstream connection is
+				// tunneled.
+				targetPort: int
+			}
+		}
+	}]
+
+	// Traffic policies to apply (load balancing policy, connection
+	// pool sizes, outlier detection).
+	trafficPolicy?: {
+		connectionPool?: {
+			// HTTP connection pool settings.
+			http?: {
+				// Specify if http1.1 connection should be upgraded to http2 for
+				// the associated destination.
+				h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
+
+				// Maximum number of requests that will be queued while waiting
+				// for a ready connection pool connection.
+				http1MaxPendingRequests?: int
+
+				// Maximum number of active requests to a destination.
+				http2MaxRequests?: int
+
+				// The idle timeout for upstream connection pool connections.
+				idleTimeout?: string
+
+				// Maximum number of requests per connection to a backend.
+				maxRequestsPerConnection?: int
+
+				// Maximum number of retries that can be outstanding to all hosts
+				// in a cluster at a given time.
+				maxRetries?: int
+
+				// If set to true, client protocol will be preserved while
+				// initiating connection to backend.
+				useClientProtocol?: bool
+			}
+
+			// Settings common to both HTTP and TCP upstream connections.
+			tcp?: {
+				// TCP connection timeout.
+				connectTimeout?: string
+
+				// The maximum duration of a connection.
+				maxConnectionDuration?: string
+
+				// Maximum number of HTTP1 /TCP connections to a destination host.
+				maxConnections?: int
+
+				// If set then set SO_KEEPALIVE on the socket to enable TCP
+				// Keepalives.
+				tcpKeepalive?: {
+					// The time duration between keep-alive probes.
+					interval?: string
+
+					// Maximum number of keepalive probes to send without response
+					// before deciding the connection is dead.
+					probes?: int
+
+					// The time duration a connection needs to be idle before
+					// keep-alive probes start being sent.
+					time?: string
+				}
+			}
+		}
+
+		// Settings controlling the load balancer algorithms.
+		loadBalancer?: ({} | {
+			simple: _
+		} | {
+			consistentHash: _
+		}) & {
+			consistentHash?: ({} | {
+				httpHeaderName: _
+			} | {
+				httpCookie: _
+			} | {
+				useSourceIp: _
+			} | {
+				httpQueryParameterName: _
+			}) & ({} | {
+				ringHash: _
+			} | {
+				maglev: _
+			}) & {
+				// Hash based on HTTP cookie.
+				httpCookie?: {
+					// Name of the cookie.
+					name: string
+
+					// Path to set for the cookie.
+					path?: string
+
+					// Lifetime of the cookie.
+					ttl?: string
+				}
+
+				// Hash based on a specific HTTP header.
+				httpHeaderName?: string
+
+				// Hash based on a specific HTTP query parameter.
+				httpQueryParameterName?: string
+				maglev?: {
+					// The table size for Maglev hashing.
+					tableSize?: int
+				}
+
+				// Deprecated.
+				minimumRingSize?: int
+				ringHash?: {
+					// The minimum number of virtual nodes to use for the hash ring.
+					minimumRingSize?: int
+				}
+
+				// Hash based on the source IP address.
+				useSourceIp?: bool
+			}
+			localityLbSetting?: {
+				// Optional: only one of distribute, failover or failoverPriority
+				// can be set.
+				distribute?: [...{
+					// Originating locality, '/' separated, e.g.
+					from?: string
+
+					// Map of upstream localities to traffic distribution weights.
+					to?: {
+						[string]: int
+					}
+				}]
+
+				// enable locality load balancing, this is DestinationRule-level
+				// and will override mesh wide settings in entirety.
+				enabled?: null | bool
+
+				// Optional: only one of distribute, failover or failoverPriority
+				// can be set.
+				failover?: [...{
+					// Originating region.
+					from?: string
+
+					// Destination region the traffic will fail over to when endpoints
+					// in the 'from' region becomes unhealthy.
+					to?: string
+				}]
+
+				// failoverPriority is an ordered list of labels used to sort
+				// endpoints to do priority based load balancing.
+				failoverPriority?: [...string]
+			}
+			simple?: "UNSPECIFIED" | "LEAST_CONN" | "RANDOM" | "PASSTHROUGH" | "ROUND_ROBIN" | "LEAST_REQUEST"
+
+			// Represents the warmup duration of Service.
+			warmupDurationSecs?: string
+		}
+		outlierDetection?: {
+			// Minimum ejection duration.
+			baseEjectionTime?: string
+
+			// Number of 5xx errors before a host is ejected from the
+			// connection pool.
+			consecutive5xxErrors?: null | int
+			consecutiveErrors?:    int
+
+			// Number of gateway errors before a host is ejected from the
+			// connection pool.
+			consecutiveGatewayErrors?: null | int
+
+			// The number of consecutive locally originated failures before
+			// ejection occurs.
+			consecutiveLocalOriginFailures?: null | int
+
+			// Time interval between ejection sweep analysis.
+			interval?: string
+
+			// Maximum % of hosts in the load balancing pool for the upstream
+			// service that can be ejected.
+			maxEjectionPercent?: int
+
+			// Outlier detection will be enabled as long as the associated
+			// load balancing pool has at least min_health_percent hosts in
+			// healthy mode.
+			minHealthPercent?: int
+
+			// Determines whether to distinguish local origin failures from
+			// external errors.
+			splitExternalLocalOriginErrors?: bool
+		}
+
+		// Traffic policies specific to individual ports.
+		portLevelSettings?: [...{
+			connectionPool?: {
+				// HTTP connection pool settings.
+				http?: {
+					// Specify if http1.1 connection should be upgraded to http2 for
+					// the associated destination.
+					h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
+
+					// Maximum number of requests that will be queued while waiting
+					// for a ready connection pool connection.
+					http1MaxPendingRequests?: int
+
+					// Maximum number of active requests to a destination.
+					http2MaxRequests?: int
+
+					// The idle timeout for upstream connection pool connections.
+					idleTimeout?: string
+
+					// Maximum number of requests per connection to a backend.
+					maxRequestsPerConnection?: int
+
+					// Maximum number of retries that can be outstanding to all hosts
+					// in a cluster at a given time.
+					maxRetries?: int
+
+					// If set to true, client protocol will be preserved while
+					// initiating connection to backend.
+					useClientProtocol?: bool
+				}
+
+				// Settings common to both HTTP and TCP upstream connections.
+				tcp?: {
+					// TCP connection timeout.
+					connectTimeout?: string
+
+					// The maximum duration of a connection.
+					maxConnectionDuration?: string
+
+					// Maximum number of HTTP1 /TCP connections to a destination host.
+					maxConnections?: int
+
+					// If set then set SO_KEEPALIVE on the socket to enable TCP
+					// Keepalives.
+					tcpKeepalive?: {
+						// The time duration between keep-alive probes.
+						interval?: string
+
+						// Maximum number of keepalive probes to send without response
+						// before deciding the connection is dead.
+						probes?: int
+
+						// The time duration a connection needs to be idle before
+						// keep-alive probes start being sent.
+						time?: string
+					}
+				}
+			}
+
+			// Settings controlling the load balancer algorithms.
+			loadBalancer?: ({} | {
+				simple: _
+			} | {
+				consistentHash: _
+			}) & {
+				consistentHash?: ({} | {
+					httpHeaderName: _
+				} | {
+					httpCookie: _
+				} | {
+					useSourceIp: _
+				} | {
+					httpQueryParameterName: _
+				}) & ({} | {
+					ringHash: _
+				} | {
+					maglev: _
+				}) & {
+					// Hash based on HTTP cookie.
+					httpCookie?: {
+						// Name of the cookie.
+						name: string
+
+						// Path to set for the cookie.
+						path?: string
+
+						// Lifetime of the cookie.
+						ttl?: string
+					}
+
+					// Hash based on a specific HTTP header.
+					httpHeaderName?: string
+
+					// Hash based on a specific HTTP query parameter.
+					httpQueryParameterName?: string
+					maglev?: {
+						// The table size for Maglev hashing.
+						tableSize?: int
+					}
+
+					// Deprecated.
+					minimumRingSize?: int
+					ringHash?: {
+						// The minimum number of virtual nodes to use for the hash ring.
+						minimumRingSize?: int
+					}
+
+					// Hash based on the source IP address.
+					useSourceIp?: bool
+				}
+				localityLbSetting?: {
+					// Optional: only one of distribute, failover or failoverPriority
+					// can be set.
+					distribute?: [...{
+						// Originating locality, '/' separated, e.g.
+						from?: string
+
+						// Map of upstream localities to traffic distribution weights.
+						to?: {
+							[string]: int
+						}
+					}]
+
+					// enable locality load balancing, this is DestinationRule-level
+					// and will override mesh wide settings in entirety.
+					enabled?: null | bool
+
+					// Optional: only one of distribute, failover or failoverPriority
+					// can be set.
+					failover?: [...{
+						// Originating region.
+						from?: string
+
+						// Destination region the traffic will fail over to when endpoints
+						// in the 'from' region becomes unhealthy.
+						to?: string
+					}]
+
+					// failoverPriority is an ordered list of labels used to sort
+					// endpoints to do priority based load balancing.
+					failoverPriority?: [...string]
+				}
+				simple?: "UNSPECIFIED" | "LEAST_CONN" | "RANDOM" | "PASSTHROUGH" | "ROUND_ROBIN" | "LEAST_REQUEST"
+
+				// Represents the warmup duration of Service.
+				warmupDurationSecs?: string
+			}
+			outlierDetection?: {
+				// Minimum ejection duration.
+				baseEjectionTime?: string
+
+				// Number of 5xx errors before a host is ejected from the
+				// connection pool.
+				consecutive5xxErrors?: null | int
+				consecutiveErrors?:    int
+
+				// Number of gateway errors before a host is ejected from the
+				// connection pool.
+				consecutiveGatewayErrors?: null | int
+
+				// The number of consecutive locally originated failures before
+				// ejection occurs.
+				consecutiveLocalOriginFailures?: null | int
+
+				// Time interval between ejection sweep analysis.
+				interval?: string
+
+				// Maximum % of hosts in the load balancing pool for the upstream
+				// service that can be ejected.
+				maxEjectionPercent?: int
+
+				// Outlier detection will be enabled as long as the associated
+				// load balancing pool has at least min_health_percent hosts in
+				// healthy mode.
+				minHealthPercent?: int
+
+				// Determines whether to distinguish local origin failures from
+				// external errors.
+				splitExternalLocalOriginErrors?: bool
+			}
+			port?: {
+				number?: int
+			}
+
+			// TLS related settings for connections to the upstream service.
+			tls?: {
+				// OPTIONAL: The path to the file containing certificate authority
+				// certificates to use in verifying a presented server
+				// certificate.
+				caCertificates?: string
+
+				// REQUIRED if mode is `MUTUAL`.
+				clientCertificate?: string
+
+				// The name of the secret that holds the TLS certs for the client
+				// including the CA certificates.
+				credentialName?: string
+
+				// `insecureSkipVerify` specifies whether the proxy should skip
+				// verifying the CA signature and SAN for the server certificate
+				// corresponding to the host.
+				insecureSkipVerify?: null | bool
+
+				// Indicates whether connections to this port should be secured
+				// using TLS.
+				mode?: "DISABLE" | "SIMPLE" | "MUTUAL" | "ISTIO_MUTUAL"
+
+				// REQUIRED if mode is `MUTUAL`.
+				privateKey?: string
+
+				// SNI string to present to the server during TLS handshake.
+				sni?: string
+
+				// A list of alternate names to verify the subject identity in the
+				// certificate.
+				subjectAltNames?: [...string]
+			}
+		}]
+
+		// TLS related settings for connections to the upstream service.
+		tls?: {
+			// OPTIONAL: The path to the file containing certificate authority
+			// certificates to use in verifying a presented server
+			// certificate.
+			caCertificates?: string
+
+			// REQUIRED if mode is `MUTUAL`.
+			clientCertificate?: string
+
+			// The name of the secret that holds the TLS certs for the client
+			// including the CA certificates.
+			credentialName?: string
+
+			// `insecureSkipVerify` specifies whether the proxy should skip
+			// verifying the CA signature and SAN for the server certificate
+			// corresponding to the host.
+			insecureSkipVerify?: null | bool
+
+			// Indicates whether connections to this port should be secured
+			// using TLS.
+			mode?: "DISABLE" | "SIMPLE" | "MUTUAL" | "ISTIO_MUTUAL"
+
+			// REQUIRED if mode is `MUTUAL`.
+			privateKey?: string
+
+			// SNI string to present to the server during TLS handshake.
+			sni?: string
+
+			// A list of alternate names to verify the subject identity in the
+			// certificate.
+			subjectAltNames?: [...string]
+		}
+
+		// Configuration of tunneling TCP over other transport or
+		// application layers for the host configured in the
+		// DestinationRule.
+		tunnel?: {
+			// Specifies which protocol to use for tunneling the downstream
+			// connection.
+			protocol?: string
+
+			// Specifies a host to which the downstream connection is
+			// tunneled.
+			targetHost: string
+
+			// Specifies a port to which the downstream connection is
+			// tunneled.
+			targetPort: int
+		}
+	}
+	workloadSelector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which a policy should be applied.
+		matchLabels?: {
+			[string]: string
+		}
+	}
+}

docs/examples/cue.mod/gen/networking.istio.io/envoyfilter/v1alpha3/types_gen.cue

@@ -0,0 +1,185 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1alpha3
+
+import "strings"
+
+#EnvoyFilter: {
+	// Customizing Envoy configuration generated by Istio. See more
+	// details at:
+	// https://istio.io/docs/reference/config/networking/envoy-filter.html
+	spec!:      #EnvoyFilterSpec
+	apiVersion: "networking.istio.io/v1alpha3"
+	kind:       "EnvoyFilter"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Customizing Envoy configuration generated by Istio. See more
+// details at:
+// https://istio.io/docs/reference/config/networking/envoy-filter.html
+#EnvoyFilterSpec: {
+	// One or more patches with match conditions.
+	configPatches?: [...{
+		// Specifies where in the Envoy configuration, the patch should be
+		// applied.
+		applyTo?: "INVALID" | "LISTENER" | "FILTER_CHAIN" | "NETWORK_FILTER" | "HTTP_FILTER" | "ROUTE_CONFIGURATION" | "VIRTUAL_HOST" | "HTTP_ROUTE" | "CLUSTER" | "EXTENSION_CONFIG" | "BOOTSTRAP" | "LISTENER_FILTER"
+
+		// Match on listener/route configuration/cluster.
+		match?: ({} | {
+			listener: _
+		} | {
+			routeConfiguration: _
+		} | {
+			cluster: _
+		}) & {
+			// Match on envoy cluster attributes.
+			cluster?: {
+				// The exact name of the cluster to match.
+				name?: string
+
+				// The service port for which this cluster was generated.
+				portNumber?: int
+
+				// The fully qualified service name for this cluster.
+				service?: string
+
+				// The subset associated with the service.
+				subset?: string
+			}
+
+			// The specific config generation context to match on.
+			context?: "ANY" | "SIDECAR_INBOUND" | "SIDECAR_OUTBOUND" | "GATEWAY"
+
+			// Match on envoy listener attributes.
+			listener?: {
+				// Match a specific filter chain in a listener.
+				filterChain?: {
+					// Applies only to sidecars.
+					applicationProtocols?: string
+
+					// The destination_port value used by a filter chain's match
+					// condition.
+					destinationPort?: int
+
+					// The name of a specific filter to apply the patch to.
+					filter?: {
+						// The filter name to match on.
+						name?: string
+						subFilter?: {
+							// The filter name to match on.
+							name?: string
+						}
+					}
+
+					// The name assigned to the filter chain.
+					name?: string
+
+					// The SNI value used by a filter chain's match condition.
+					sni?: string
+
+					// Applies only to `SIDECAR_INBOUND` context.
+					transportProtocol?: string
+				}
+
+				// Match a specific listener filter.
+				listenerFilter?: string
+
+				// Match a specific listener by its name.
+				name?:     string
+				portName?: string
+
+				// The service port/gateway port to which traffic is being
+				// sent/received.
+				portNumber?: int
+			}
+
+			// Match on properties associated with a proxy.
+			proxy?: {
+				// Match on the node metadata supplied by a proxy when connecting
+				// to Istio Pilot.
+				metadata?: {
+					[string]: string
+				}
+
+				// A regular expression in golang regex format (RE2) that can be
+				// used to select proxies using a specific version of istio
+				// proxy.
+				proxyVersion?: string
+			}
+
+			// Match on envoy HTTP route configuration attributes.
+			routeConfiguration?: {
+				// The Istio gateway config's namespace/name for which this route
+				// configuration was generated.
+				gateway?: string
+
+				// Route configuration name to match on.
+				name?: string
+
+				// Applicable only for GATEWAY context.
+				portName?: string
+
+				// The service port number or gateway server port number for which
+				// this route configuration was generated.
+				portNumber?: int
+
+				// Match a specific virtual host in a route configuration and
+				// apply the patch to the virtual host.
+				vhost?: {
+					// The VirtualHosts objects generated by Istio are named as
+					// host:port, where the host typically corresponds to the
+					// VirtualService's host field or the hostname of a service in
+					// the registry.
+					name?: string
+
+					// Match a specific route within the virtual host.
+					route?: {
+						// Match a route with specific action type.
+						action?: "ANY" | "ROUTE" | "REDIRECT" | "DIRECT_RESPONSE"
+
+						// The Route objects generated by default are named as default.
+						name?: string
+					}
+				}
+			}
+		}
+
+		// The patch to apply along with the operation.
+		patch?: {
+			// Determines the filter insertion order.
+			filterClass?: "UNSPECIFIED" | "AUTHN" | "AUTHZ" | "STATS"
+
+			// Determines how the patch should be applied.
+			operation?: "INVALID" | "MERGE" | "ADD" | "REMOVE" | "INSERT_BEFORE" | "INSERT_AFTER" | "INSERT_FIRST" | "REPLACE"
+
+			// The JSON config of the object being patched.
+			value?: {}
+		}
+	}]
+
+	// Priority defines the order in which patch sets are applied
+	// within a context.
+	priority?: int
+	workloadSelector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which the configuration should be applied.
+		labels?: {
+			[string]: string
+		}
+	}
+}

docs/examples/cue.mod/gen/networking.istio.io/gateway/v1alpha3/types_gen.cue

@@ -0,0 +1,115 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1alpha3
+
+import "strings"
+
+#Gateway: {
+	// Configuration affecting edge load balancer. See more details
+	// at:
+	// https://istio.io/docs/reference/config/networking/gateway.html
+	spec!:      #GatewaySpec
+	apiVersion: "networking.istio.io/v1alpha3"
+	kind:       "Gateway"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting edge load balancer. See more details
+// at:
+// https://istio.io/docs/reference/config/networking/gateway.html
+#GatewaySpec: {
+	// One or more labels that indicate a specific set of pods/VMs on
+	// which this gateway configuration should be applied.
+	selector?: {
+		[string]: string
+	}
+
+	// A list of server specifications.
+	servers?: [...{
+		// The ip or the Unix domain socket to which the listener should
+		// be bound to.
+		bind?:            string
+		defaultEndpoint?: string
+
+		// One or more hosts exposed by this gateway.
+		hosts: [...string]
+
+		// An optional name of the server, when set must be unique across
+		// all servers.
+		name?: string
+
+		// The Port on which the proxy should listen for incoming
+		// connections.
+		port: {
+			// Label assigned to the port.
+			name: string
+
+			// A valid non-negative integer port number.
+			number: int
+
+			// The protocol exposed on the port.
+			protocol:    string
+			targetPort?: int
+		}
+
+		// Set of TLS related options that govern the server's behavior.
+		tls?: {
+			// REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
+			caCertificates?: string
+
+			// Optional: If specified, only support the specified cipher list.
+			cipherSuites?: [...string]
+
+			// For gateways running on Kubernetes, the name of the secret that
+			// holds the TLS certs including the CA certificates.
+			credentialName?: string
+
+			// If set to true, the load balancer will send a 301 redirect for
+			// all http connections, asking the clients to use HTTPS.
+			httpsRedirect?: bool
+
+			// Optional: Maximum TLS protocol version.
+			maxProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
+
+			// Optional: Minimum TLS protocol version.
+			minProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
+
+			// Optional: Indicates whether connections to this port should be
+			// secured using TLS.
+			mode?: "PASSTHROUGH" | "SIMPLE" | "MUTUAL" | "AUTO_PASSTHROUGH" | "ISTIO_MUTUAL" | "OPTIONAL_MUTUAL"
+
+			// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+			privateKey?: string
+
+			// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+			serverCertificate?: string
+
+			// A list of alternate names to verify the subject identity in the
+			// certificate presented by the client.
+			subjectAltNames?: [...string]
+
+			// An optional list of hex-encoded SHA-256 hashes of the
+			// authorized client certificates.
+			verifyCertificateHash?: [...string]
+
+			// An optional list of base64-encoded SHA-256 hashes of the SPKIs
+			// of authorized client certificates.
+			verifyCertificateSpki?: [...string]
+		}
+	}]
+}

docs/examples/cue.mod/gen/networking.istio.io/gateway/v1beta1/types_gen.cue

@@ -0,0 +1,115 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1beta1
+
+import "strings"
+
+#Gateway: {
+	// Configuration affecting edge load balancer. See more details
+	// at:
+	// https://istio.io/docs/reference/config/networking/gateway.html
+	spec!:      #GatewaySpec
+	apiVersion: "networking.istio.io/v1beta1"
+	kind:       "Gateway"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting edge load balancer. See more details
+// at:
+// https://istio.io/docs/reference/config/networking/gateway.html
+#GatewaySpec: {
+	// One or more labels that indicate a specific set of pods/VMs on
+	// which this gateway configuration should be applied.
+	selector?: {
+		[string]: string
+	}
+
+	// A list of server specifications.
+	servers?: [...{
+		// The ip or the Unix domain socket to which the listener should
+		// be bound to.
+		bind?:            string
+		defaultEndpoint?: string
+
+		// One or more hosts exposed by this gateway.
+		hosts: [...string]
+
+		// An optional name of the server, when set must be unique across
+		// all servers.
+		name?: string
+
+		// The Port on which the proxy should listen for incoming
+		// connections.
+		port: {
+			// Label assigned to the port.
+			name: string
+
+			// A valid non-negative integer port number.
+			number: int
+
+			// The protocol exposed on the port.
+			protocol:    string
+			targetPort?: int
+		}
+
+		// Set of TLS related options that govern the server's behavior.
+		tls?: {
+			// REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
+			caCertificates?: string
+
+			// Optional: If specified, only support the specified cipher list.
+			cipherSuites?: [...string]
+
+			// For gateways running on Kubernetes, the name of the secret that
+			// holds the TLS certs including the CA certificates.
+			credentialName?: string
+
+			// If set to true, the load balancer will send a 301 redirect for
+			// all http connections, asking the clients to use HTTPS.
+			httpsRedirect?: bool
+
+			// Optional: Maximum TLS protocol version.
+			maxProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
+
+			// Optional: Minimum TLS protocol version.
+			minProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
+
+			// Optional: Indicates whether connections to this port should be
+			// secured using TLS.
+			mode?: "PASSTHROUGH" | "SIMPLE" | "MUTUAL" | "AUTO_PASSTHROUGH" | "ISTIO_MUTUAL" | "OPTIONAL_MUTUAL"
+
+			// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+			privateKey?: string
+
+			// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+			serverCertificate?: string
+
+			// A list of alternate names to verify the subject identity in the
+			// certificate presented by the client.
+			subjectAltNames?: [...string]
+
+			// An optional list of hex-encoded SHA-256 hashes of the
+			// authorized client certificates.
+			verifyCertificateHash?: [...string]
+
+			// An optional list of base64-encoded SHA-256 hashes of the SPKIs
+			// of authorized client certificates.
+			verifyCertificateSpki?: [...string]
+		}
+	}]
+}

docs/examples/cue.mod/gen/networking.istio.io/proxyconfig/v1beta1/types_gen.cue

@@ -0,0 +1,54 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1beta1
+
+import "strings"
+
+#ProxyConfig: {
+	// Provides configuration for individual workloads. See more
+	// details at:
+	// https://istio.io/docs/reference/config/networking/proxy-config.html
+	spec!:      #ProxyConfigSpec
+	apiVersion: "networking.istio.io/v1beta1"
+	kind:       "ProxyConfig"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Provides configuration for individual workloads. See more
+// details at:
+// https://istio.io/docs/reference/config/networking/proxy-config.html
+#ProxyConfigSpec: {
+	// The number of worker threads to run.
+	concurrency?: null | int
+
+	// Additional environment variables for the proxy.
+	environmentVariables?: {
+		[string]: string
+	}
+	image?: {
+		// The image type of the image.
+		imageType?: string
+	}
+	selector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which a policy should be applied.
+		matchLabels?: {
+			[string]: string
+		}
+	}
+}

docs/examples/cue.mod/gen/networking.istio.io/serviceentry/v1alpha3/types_gen.cue

@@ -0,0 +1,107 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1alpha3
+
+import "strings"
+
+#ServiceEntry: {
+	// Configuration affecting service registry. See more details at:
+	// https://istio.io/docs/reference/config/networking/service-entry.html
+	spec!:      #ServiceEntrySpec
+	apiVersion: "networking.istio.io/v1alpha3"
+	kind:       "ServiceEntry"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting service registry. See more details at:
+// https://istio.io/docs/reference/config/networking/service-entry.html
+#ServiceEntrySpec: {
+	// The virtual IP addresses associated with the service.
+	addresses?: [...string]
+
+	// One or more endpoints associated with the service.
+	endpoints?: [...{
+		// Address associated with the network endpoint without the port.
+		address?: string
+
+		// One or more labels associated with the endpoint.
+		labels?: {
+			[string]: string
+		}
+
+		// The locality associated with the endpoint.
+		locality?: string
+
+		// Network enables Istio to group endpoints resident in the same
+		// L3 domain/network.
+		network?: string
+
+		// Set of ports associated with the endpoint.
+		ports?: {
+			[string]: int
+		}
+
+		// The service account associated with the workload if a sidecar
+		// is present in the workload.
+		serviceAccount?: string
+
+		// The load balancing weight associated with the endpoint.
+		weight?: int
+	}]
+
+	// A list of namespaces to which this service is exported.
+	exportTo?: [...string]
+
+	// The hosts associated with the ServiceEntry.
+	hosts: [...string]
+
+	// Specify whether the service should be considered external to
+	// the mesh or part of the mesh.
+	location?: "MESH_EXTERNAL" | "MESH_INTERNAL"
+
+	// The ports associated with the external service.
+	ports?: [...{
+		// Label assigned to the port.
+		name: string
+
+		// A valid non-negative integer port number.
+		number: int
+
+		// The protocol exposed on the port.
+		protocol?: string
+
+		// The port number on the endpoint where the traffic will be
+		// received.
+		targetPort?: int
+	}]
+
+	// Service resolution mode for the hosts.
+	resolution?: "NONE" | "STATIC" | "DNS" | "DNS_ROUND_ROBIN"
+
+	// If specified, the proxy will verify that the server
+	// certificate's subject alternate name matches one of the
+	// specified values.
+	subjectAltNames?: [...string]
+	workloadSelector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which the configuration should be applied.
+		labels?: {
+			[string]: string
+		}
+	}
+}

docs/examples/cue.mod/gen/networking.istio.io/serviceentry/v1beta1/types_gen.cue

@@ -0,0 +1,107 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1beta1
+
+import "strings"
+
+#ServiceEntry: {
+	// Configuration affecting service registry. See more details at:
+	// https://istio.io/docs/reference/config/networking/service-entry.html
+	spec!:      #ServiceEntrySpec
+	apiVersion: "networking.istio.io/v1beta1"
+	kind:       "ServiceEntry"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting service registry. See more details at:
+// https://istio.io/docs/reference/config/networking/service-entry.html
+#ServiceEntrySpec: {
+	// The virtual IP addresses associated with the service.
+	addresses?: [...string]
+
+	// One or more endpoints associated with the service.
+	endpoints?: [...{
+		// Address associated with the network endpoint without the port.
+		address?: string
+
+		// One or more labels associated with the endpoint.
+		labels?: {
+			[string]: string
+		}
+
+		// The locality associated with the endpoint.
+		locality?: string
+
+		// Network enables Istio to group endpoints resident in the same
+		// L3 domain/network.
+		network?: string
+
+		// Set of ports associated with the endpoint.
+		ports?: {
+			[string]: int
+		}
+
+		// The service account associated with the workload if a sidecar
+		// is present in the workload.
+		serviceAccount?: string
+
+		// The load balancing weight associated with the endpoint.
+		weight?: int
+	}]
+
+	// A list of namespaces to which this service is exported.
+	exportTo?: [...string]
+
+	// The hosts associated with the ServiceEntry.
+	hosts: [...string]
+
+	// Specify whether the service should be considered external to
+	// the mesh or part of the mesh.
+	location?: "MESH_EXTERNAL" | "MESH_INTERNAL"
+
+	// The ports associated with the external service.
+	ports?: [...{
+		// Label assigned to the port.
+		name: string
+
+		// A valid non-negative integer port number.
+		number: int
+
+		// The protocol exposed on the port.
+		protocol?: string
+
+		// The port number on the endpoint where the traffic will be
+		// received.
+		targetPort?: int
+	}]
+
+	// Service resolution mode for the hosts.
+	resolution?: "NONE" | "STATIC" | "DNS" | "DNS_ROUND_ROBIN"
+
+	// If specified, the proxy will verify that the server
+	// certificate's subject alternate name matches one of the
+	// specified values.
+	subjectAltNames?: [...string]
+	workloadSelector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which the configuration should be applied.
+		labels?: {
+			[string]: string
+		}
+	}
+}

docs/examples/cue.mod/gen/networking.istio.io/sidecar/v1alpha3/types_gen.cue

@@ -0,0 +1,280 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1alpha3
+
+import "strings"
+
+#Sidecar: {
+	// Configuration affecting network reachability of a sidecar. See
+	// more details at:
+	// https://istio.io/docs/reference/config/networking/sidecar.html
+	spec!:      #SidecarSpec
+	apiVersion: "networking.istio.io/v1alpha3"
+	kind:       "Sidecar"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting network reachability of a sidecar. See
+// more details at:
+// https://istio.io/docs/reference/config/networking/sidecar.html
+#SidecarSpec: {
+	// Egress specifies the configuration of the sidecar for
+	// processing outbound traffic from the attached workload
+	// instance to other services in the mesh.
+	egress?: [...{
+		// The IP(IPv4 or IPv6) or the Unix domain socket to which the
+		// listener should be bound to.
+		bind?: string
+
+		// When the bind address is an IP, the captureMode option dictates
+		// how traffic to the listener is expected to be captured (or
+		// not).
+		captureMode?: "DEFAULT" | "IPTABLES" | "NONE"
+
+		// One or more service hosts exposed by the listener in
+		// `namespace/dnsName` format.
+		hosts: [...string]
+
+		// The port associated with the listener.
+		port?: {
+			// Label assigned to the port.
+			name?: string
+
+			// A valid non-negative integer port number.
+			number?: int
+
+			// The protocol exposed on the port.
+			protocol?:   string
+			targetPort?: int
+		}
+	}]
+
+	// Settings controlling the volume of connections Envoy will
+	// accept from the network.
+	inboundConnectionPool?: {
+		// HTTP connection pool settings.
+		http?: {
+			// Specify if http1.1 connection should be upgraded to http2 for
+			// the associated destination.
+			h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
+
+			// Maximum number of requests that will be queued while waiting
+			// for a ready connection pool connection.
+			http1MaxPendingRequests?: int
+
+			// Maximum number of active requests to a destination.
+			http2MaxRequests?: int
+
+			// The idle timeout for upstream connection pool connections.
+			idleTimeout?: string
+
+			// Maximum number of requests per connection to a backend.
+			maxRequestsPerConnection?: int
+
+			// Maximum number of retries that can be outstanding to all hosts
+			// in a cluster at a given time.
+			maxRetries?: int
+
+			// If set to true, client protocol will be preserved while
+			// initiating connection to backend.
+			useClientProtocol?: bool
+		}
+
+		// Settings common to both HTTP and TCP upstream connections.
+		tcp?: {
+			// TCP connection timeout.
+			connectTimeout?: string
+
+			// The maximum duration of a connection.
+			maxConnectionDuration?: string
+
+			// Maximum number of HTTP1 /TCP connections to a destination host.
+			maxConnections?: int
+
+			// If set then set SO_KEEPALIVE on the socket to enable TCP
+			// Keepalives.
+			tcpKeepalive?: {
+				// The time duration between keep-alive probes.
+				interval?: string
+
+				// Maximum number of keepalive probes to send without response
+				// before deciding the connection is dead.
+				probes?: int
+
+				// The time duration a connection needs to be idle before
+				// keep-alive probes start being sent.
+				time?: string
+			}
+		}
+	}
+
+	// Ingress specifies the configuration of the sidecar for
+	// processing inbound traffic to the attached workload instance.
+	ingress?: [...{
+		// The IP(IPv4 or IPv6) to which the listener should be bound.
+		bind?: string
+
+		// The captureMode option dictates how traffic to the listener is
+		// expected to be captured (or not).
+		captureMode?: "DEFAULT" | "IPTABLES" | "NONE"
+
+		// Settings controlling the volume of connections Envoy will
+		// accept from the network.
+		connectionPool?: {
+			// HTTP connection pool settings.
+			http?: {
+				// Specify if http1.1 connection should be upgraded to http2 for
+				// the associated destination.
+				h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
+
+				// Maximum number of requests that will be queued while waiting
+				// for a ready connection pool connection.
+				http1MaxPendingRequests?: int
+
+				// Maximum number of active requests to a destination.
+				http2MaxRequests?: int
+
+				// The idle timeout for upstream connection pool connections.
+				idleTimeout?: string
+
+				// Maximum number of requests per connection to a backend.
+				maxRequestsPerConnection?: int
+
+				// Maximum number of retries that can be outstanding to all hosts
+				// in a cluster at a given time.
+				maxRetries?: int
+
+				// If set to true, client protocol will be preserved while
+				// initiating connection to backend.
+				useClientProtocol?: bool
+			}
+
+			// Settings common to both HTTP and TCP upstream connections.
+			tcp?: {
+				// TCP connection timeout.
+				connectTimeout?: string
+
+				// The maximum duration of a connection.
+				maxConnectionDuration?: string
+
+				// Maximum number of HTTP1 /TCP connections to a destination host.
+				maxConnections?: int
+
+				// If set then set SO_KEEPALIVE on the socket to enable TCP
+				// Keepalives.
+				tcpKeepalive?: {
+					// The time duration between keep-alive probes.
+					interval?: string
+
+					// Maximum number of keepalive probes to send without response
+					// before deciding the connection is dead.
+					probes?: int
+
+					// The time duration a connection needs to be idle before
+					// keep-alive probes start being sent.
+					time?: string
+				}
+			}
+		}
+
+		// The IP endpoint or Unix domain socket to which traffic should
+		// be forwarded to.
+		defaultEndpoint?: string
+
+		// The port associated with the listener.
+		port: {
+			// Label assigned to the port.
+			name?: string
+
+			// A valid non-negative integer port number.
+			number?: int
+
+			// The protocol exposed on the port.
+			protocol?:   string
+			targetPort?: int
+		}
+
+		// Set of TLS related options that will enable TLS termination on
+		// the sidecar for requests originating from outside the mesh.
+		tls?: {
+			// REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
+			caCertificates?: string
+
+			// Optional: If specified, only support the specified cipher list.
+			cipherSuites?: [...string]
+
+			// For gateways running on Kubernetes, the name of the secret that
+			// holds the TLS certs including the CA certificates.
+			credentialName?: string
+
+			// If set to true, the load balancer will send a 301 redirect for
+			// all http connections, asking the clients to use HTTPS.
+			httpsRedirect?: bool
+
+			// Optional: Maximum TLS protocol version.
+			maxProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
+
+			// Optional: Minimum TLS protocol version.
+			minProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
+
+			// Optional: Indicates whether connections to this port should be
+			// secured using TLS.
+			mode?: "PASSTHROUGH" | "SIMPLE" | "MUTUAL" | "AUTO_PASSTHROUGH" | "ISTIO_MUTUAL" | "OPTIONAL_MUTUAL"
+
+			// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+			privateKey?: string
+
+			// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+			serverCertificate?: string
+
+			// A list of alternate names to verify the subject identity in the
+			// certificate presented by the client.
+			subjectAltNames?: [...string]
+
+			// An optional list of hex-encoded SHA-256 hashes of the
+			// authorized client certificates.
+			verifyCertificateHash?: [...string]
+
+			// An optional list of base64-encoded SHA-256 hashes of the SPKIs
+			// of authorized client certificates.
+			verifyCertificateSpki?: [...string]
+		}
+	}]
+
+	// Configuration for the outbound traffic policy.
+	outboundTrafficPolicy?: {
+		egressProxy?: {
+			// The name of a service from the service registry.
+			host: string
+			port?: {
+				number?: int
+			}
+
+			// The name of a subset within the service.
+			subset?: string
+		}
+		mode?: "REGISTRY_ONLY" | "ALLOW_ANY"
+	}
+	workloadSelector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which the configuration should be applied.
+		labels?: {
+			[string]: string
+		}
+	}
+}

docs/examples/cue.mod/gen/networking.istio.io/sidecar/v1beta1/types_gen.cue

@@ -0,0 +1,280 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1beta1
+
+import "strings"
+
+#Sidecar: {
+	// Configuration affecting network reachability of a sidecar. See
+	// more details at:
+	// https://istio.io/docs/reference/config/networking/sidecar.html
+	spec!:      #SidecarSpec
+	apiVersion: "networking.istio.io/v1beta1"
+	kind:       "Sidecar"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting network reachability of a sidecar. See
+// more details at:
+// https://istio.io/docs/reference/config/networking/sidecar.html
+#SidecarSpec: {
+	// Egress specifies the configuration of the sidecar for
+	// processing outbound traffic from the attached workload
+	// instance to other services in the mesh.
+	egress?: [...{
+		// The IP(IPv4 or IPv6) or the Unix domain socket to which the
+		// listener should be bound to.
+		bind?: string
+
+		// When the bind address is an IP, the captureMode option dictates
+		// how traffic to the listener is expected to be captured (or
+		// not).
+		captureMode?: "DEFAULT" | "IPTABLES" | "NONE"
+
+		// One or more service hosts exposed by the listener in
+		// `namespace/dnsName` format.
+		hosts: [...string]
+
+		// The port associated with the listener.
+		port?: {
+			// Label assigned to the port.
+			name?: string
+
+			// A valid non-negative integer port number.
+			number?: int
+
+			// The protocol exposed on the port.
+			protocol?:   string
+			targetPort?: int
+		}
+	}]
+
+	// Settings controlling the volume of connections Envoy will
+	// accept from the network.
+	inboundConnectionPool?: {
+		// HTTP connection pool settings.
+		http?: {
+			// Specify if http1.1 connection should be upgraded to http2 for
+			// the associated destination.
+			h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
+
+			// Maximum number of requests that will be queued while waiting
+			// for a ready connection pool connection.
+			http1MaxPendingRequests?: int
+
+			// Maximum number of active requests to a destination.
+			http2MaxRequests?: int
+
+			// The idle timeout for upstream connection pool connections.
+			idleTimeout?: string
+
+			// Maximum number of requests per connection to a backend.
+			maxRequestsPerConnection?: int
+
+			// Maximum number of retries that can be outstanding to all hosts
+			// in a cluster at a given time.
+			maxRetries?: int
+
+			// If set to true, client protocol will be preserved while
+			// initiating connection to backend.
+			useClientProtocol?: bool
+		}
+
+		// Settings common to both HTTP and TCP upstream connections.
+		tcp?: {
+			// TCP connection timeout.
+			connectTimeout?: string
+
+			// The maximum duration of a connection.
+			maxConnectionDuration?: string
+
+			// Maximum number of HTTP1 /TCP connections to a destination host.
+			maxConnections?: int
+
+			// If set then set SO_KEEPALIVE on the socket to enable TCP
+			// Keepalives.
+			tcpKeepalive?: {
+				// The time duration between keep-alive probes.
+				interval?: string
+
+				// Maximum number of keepalive probes to send without response
+				// before deciding the connection is dead.
+				probes?: int
+
+				// The time duration a connection needs to be idle before
+				// keep-alive probes start being sent.
+				time?: string
+			}
+		}
+	}
+
+	// Ingress specifies the configuration of the sidecar for
+	// processing inbound traffic to the attached workload instance.
+	ingress?: [...{
+		// The IP(IPv4 or IPv6) to which the listener should be bound.
+		bind?: string
+
+		// The captureMode option dictates how traffic to the listener is
+		// expected to be captured (or not).
+		captureMode?: "DEFAULT" | "IPTABLES" | "NONE"
+
+		// Settings controlling the volume of connections Envoy will
+		// accept from the network.
+		connectionPool?: {
+			// HTTP connection pool settings.
+			http?: {
+				// Specify if http1.1 connection should be upgraded to http2 for
+				// the associated destination.
+				h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
+
+				// Maximum number of requests that will be queued while waiting
+				// for a ready connection pool connection.
+				http1MaxPendingRequests?: int
+
+				// Maximum number of active requests to a destination.
+				http2MaxRequests?: int
+
+				// The idle timeout for upstream connection pool connections.
+				idleTimeout?: string
+
+				// Maximum number of requests per connection to a backend.
+				maxRequestsPerConnection?: int
+
+				// Maximum number of retries that can be outstanding to all hosts
+				// in a cluster at a given time.
+				maxRetries?: int
+
+				// If set to true, client protocol will be preserved while
+				// initiating connection to backend.
+				useClientProtocol?: bool
+			}
+
+			// Settings common to both HTTP and TCP upstream connections.
+			tcp?: {
+				// TCP connection timeout.
+				connectTimeout?: string
+
+				// The maximum duration of a connection.
+				maxConnectionDuration?: string
+
+				// Maximum number of HTTP1 /TCP connections to a destination host.
+				maxConnections?: int
+
+				// If set then set SO_KEEPALIVE on the socket to enable TCP
+				// Keepalives.
+				tcpKeepalive?: {
+					// The time duration between keep-alive probes.
+					interval?: string
+
+					// Maximum number of keepalive probes to send without response
+					// before deciding the connection is dead.
+					probes?: int
+
+					// The time duration a connection needs to be idle before
+					// keep-alive probes start being sent.
+					time?: string
+				}
+			}
+		}
+
+		// The IP endpoint or Unix domain socket to which traffic should
+		// be forwarded to.
+		defaultEndpoint?: string
+
+		// The port associated with the listener.
+		port: {
+			// Label assigned to the port.
+			name?: string
+
+			// A valid non-negative integer port number.
+			number?: int
+
+			// The protocol exposed on the port.
+			protocol?:   string
+			targetPort?: int
+		}
+
+		// Set of TLS related options that will enable TLS termination on
+		// the sidecar for requests originating from outside the mesh.
+		tls?: {
+			// REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
+			caCertificates?: string
+
+			// Optional: If specified, only support the specified cipher list.
+			cipherSuites?: [...string]
+
+			// For gateways running on Kubernetes, the name of the secret that
+			// holds the TLS certs including the CA certificates.
+			credentialName?: string
+
+			// If set to true, the load balancer will send a 301 redirect for
+			// all http connections, asking the clients to use HTTPS.
+			httpsRedirect?: bool
+
+			// Optional: Maximum TLS protocol version.
+			maxProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
+
+			// Optional: Minimum TLS protocol version.
+			minProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
+
+			// Optional: Indicates whether connections to this port should be
+			// secured using TLS.
+			mode?: "PASSTHROUGH" | "SIMPLE" | "MUTUAL" | "AUTO_PASSTHROUGH" | "ISTIO_MUTUAL" | "OPTIONAL_MUTUAL"
+
+			// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+			privateKey?: string
+
+			// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+			serverCertificate?: string
+
+			// A list of alternate names to verify the subject identity in the
+			// certificate presented by the client.
+			subjectAltNames?: [...string]
+
+			// An optional list of hex-encoded SHA-256 hashes of the
+			// authorized client certificates.
+			verifyCertificateHash?: [...string]
+
+			// An optional list of base64-encoded SHA-256 hashes of the SPKIs
+			// of authorized client certificates.
+			verifyCertificateSpki?: [...string]
+		}
+	}]
+
+	// Configuration for the outbound traffic policy.
+	outboundTrafficPolicy?: {
+		egressProxy?: {
+			// The name of a service from the service registry.
+			host: string
+			port?: {
+				number?: int
+			}
+
+			// The name of a subset within the service.
+			subset?: string
+		}
+		mode?: "REGISTRY_ONLY" | "ALLOW_ANY"
+	}
+	workloadSelector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which the configuration should be applied.
+		labels?: {
+			[string]: string
+		}
+	}
+}

docs/examples/cue.mod/gen/networking.istio.io/virtualservice/v1alpha3/types_gen.cue

@@ -0,0 +1,594 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1alpha3
+
+import "strings"
+
+#VirtualService: {
+	// Configuration affecting label/content routing, sni routing,
+	// etc. See more details at:
+	// https://istio.io/docs/reference/config/networking/virtual-service.html
+	spec!:      #VirtualServiceSpec
+	apiVersion: "networking.istio.io/v1alpha3"
+	kind:       "VirtualService"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting label/content routing, sni routing,
+// etc. See more details at:
+// https://istio.io/docs/reference/config/networking/virtual-service.html
+#VirtualServiceSpec: {
+	// A list of namespaces to which this virtual service is exported.
+	exportTo?: [...string]
+
+	// The names of gateways and sidecars that should apply these
+	// routes.
+	gateways?: [...string]
+
+	// The destination hosts to which traffic is being sent.
+	hosts?: [...string]
+
+	// An ordered list of route rules for HTTP traffic.
+	http?: [...{
+		// Cross-Origin Resource Sharing policy (CORS).
+		corsPolicy?: {
+			// Indicates whether the caller is allowed to send the actual
+			// request (not the preflight) using credentials.
+			allowCredentials?: null | bool
+
+			// List of HTTP headers that can be used when requesting the
+			// resource.
+			allowHeaders?: [...string]
+
+			// List of HTTP methods allowed to access the resource.
+			allowMethods?: [...string]
+			allowOrigin?: [...string]
+
+			// String patterns that match allowed origins.
+			allowOrigins?: [...({} | {
+				exact: _
+			} | {
+				prefix: _
+			} | {
+				regex: _
+			}) & {
+				exact?:  string
+				prefix?: string
+
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				regex?: string
+			}]
+
+			// A list of HTTP headers that the browsers are allowed to access.
+			exposeHeaders?: [...string]
+
+			// Specifies how long the results of a preflight request can be
+			// cached.
+			maxAge?: string
+		}
+
+		// Delegate is used to specify the particular VirtualService which
+		// can be used to define delegate HTTPRoute.
+		delegate?: {
+			// Name specifies the name of the delegate VirtualService.
+			name?: string
+
+			// Namespace specifies the namespace where the delegate
+			// VirtualService resides.
+			namespace?: string
+		}
+
+		// A HTTP rule can either return a direct_response, redirect or
+		// forward (default) traffic.
+		directResponse?: {
+			// Specifies the content of the response body.
+			body?: ({} | {
+				string: _
+			} | {
+				bytes: _
+			}) & {
+				// response body as base64 encoded bytes.
+				bytes?:  string
+				string?: string
+			}
+
+			// Specifies the HTTP response status to be returned.
+			status: int
+		}
+
+		// Fault injection policy to apply on HTTP traffic at the client
+		// side.
+		fault?: {
+			// Abort Http request attempts and return error codes back to
+			// downstream service, giving the impression that the upstream
+			// service is faulty.
+			abort?: ({} | {
+				httpStatus: _
+			} | {
+				grpcStatus: _
+			} | {
+				http2Error: _
+			}) & {
+				// GRPC status code to use to abort the request.
+				grpcStatus?: string
+				http2Error?: string
+
+				// HTTP status code to use to abort the Http request.
+				httpStatus?: int
+				percentage?: {
+					value?: number
+				}
+			}
+
+			// Delay requests before forwarding, emulating various failures
+			// such as network issues, overloaded upstream service, etc.
+			delay?: ({} | {
+				fixedDelay: _
+			} | {
+				exponentialDelay: _
+			}) & {
+				exponentialDelay?: string
+
+				// Add a fixed delay before forwarding the request.
+				fixedDelay?: string
+
+				// Percentage of requests on which the delay will be injected
+				// (0-100).
+				percent?: int
+				percentage?: {
+					value?: number
+				}
+			}
+		}
+		headers?: {
+			request?: {
+				add?: {
+					[string]: string
+				}
+				remove?: [...string]
+				set?: {
+					[string]: string
+				}
+			}
+			response?: {
+				add?: {
+					[string]: string
+				}
+				remove?: [...string]
+				set?: {
+					[string]: string
+				}
+			}
+		}
+
+		// Match conditions to be satisfied for the rule to be activated.
+		match?: [...{
+			// HTTP Authority values are case-sensitive and formatted as
+			// follows: - `exact: "value"` for exact string match - `prefix:
+			// "value"` for prefix-based match - `regex: "value"` for RE2
+			// style regex-based match
+			// (https://github.com/google/re2/wiki/Syntax).
+			authority?: ({} | {
+				exact: _
+			} | {
+				prefix: _
+			} | {
+				regex: _
+			}) & {
+				exact?:  string
+				prefix?: string
+
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				regex?: string
+			}
+
+			// Names of gateways where the rule should be applied.
+			gateways?: [...string]
+
+			// The header keys must be lowercase and use hyphen as the
+			// separator, e.g.
+			headers?: {
+				[string]: ({} | {
+					exact: _
+				} | {
+					prefix: _
+				} | {
+					regex: _
+				}) & {
+					exact?:  string
+					prefix?: string
+
+					// RE2 style regex-based match
+					// (https://github.com/google/re2/wiki/Syntax).
+					regex?: string
+				}
+			}
+
+			// Flag to specify whether the URI matching should be
+			// case-insensitive.
+			ignoreUriCase?: bool
+
+			// HTTP Method values are case-sensitive and formatted as follows:
+			// - `exact: "value"` for exact string match - `prefix: "value"`
+			// for prefix-based match - `regex: "value"` for RE2 style
+			// regex-based match (https://github.com/google/re2/wiki/Syntax).
+			method?: ({} | {
+				exact: _
+			} | {
+				prefix: _
+			} | {
+				regex: _
+			}) & {
+				exact?:  string
+				prefix?: string
+
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				regex?: string
+			}
+
+			// The name assigned to a match.
+			name?: string
+
+			// Specifies the ports on the host that is being addressed.
+			port?: int
+
+			// Query parameters for matching.
+			queryParams?: {
+				[string]: ({} | {
+					exact: _
+				} | {
+					prefix: _
+				} | {
+					regex: _
+				}) & {
+					exact?:  string
+					prefix?: string
+
+					// RE2 style regex-based match
+					// (https://github.com/google/re2/wiki/Syntax).
+					regex?: string
+				}
+			}
+
+			// URI Scheme values are case-sensitive and formatted as follows:
+			// - `exact: "value"` for exact string match - `prefix: "value"`
+			// for prefix-based match - `regex: "value"` for RE2 style
+			// regex-based match (https://github.com/google/re2/wiki/Syntax).
+			scheme?: ({} | {
+				exact: _
+			} | {
+				prefix: _
+			} | {
+				regex: _
+			}) & {
+				exact?:  string
+				prefix?: string
+
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				regex?: string
+			}
+
+			// One or more labels that constrain the applicability of a rule
+			// to source (client) workloads with the given labels.
+			sourceLabels?: {
+				[string]: string
+			}
+
+			// Source namespace constraining the applicability of a rule to
+			// workloads in that namespace.
+			sourceNamespace?: string
+
+			// The human readable prefix to use when emitting statistics for
+			// this route.
+			statPrefix?: string
+
+			// URI to match values are case-sensitive and formatted as
+			// follows: - `exact: "value"` for exact string match - `prefix:
+			// "value"` for prefix-based match - `regex: "value"` for RE2
+			// style regex-based match
+			// (https://github.com/google/re2/wiki/Syntax).
+			uri?: ({} | {
+				exact: _
+			} | {
+				prefix: _
+			} | {
+				regex: _
+			}) & {
+				exact?:  string
+				prefix?: string
+
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				regex?: string
+			}
+
+			// withoutHeader has the same syntax with the header, but has
+			// opposite meaning.
+			withoutHeaders?: {
+				[string]: ({} | {
+					exact: _
+				} | {
+					prefix: _
+				} | {
+					regex: _
+				}) & {
+					exact?:  string
+					prefix?: string
+
+					// RE2 style regex-based match
+					// (https://github.com/google/re2/wiki/Syntax).
+					regex?: string
+				}
+			}
+		}]
+
+		// Mirror HTTP traffic to a another destination in addition to
+		// forwarding the requests to the intended destination.
+		mirror?: {
+			// The name of a service from the service registry.
+			host: string
+			port?: {
+				number?: int
+			}
+
+			// The name of a subset within the service.
+			subset?: string
+		}
+		mirror_percent?: null | int
+		mirrorPercent?:  null | int
+		mirrorPercentage?: {
+			value?: number
+		}
+
+		// Specifies the destinations to mirror HTTP traffic in addition
+		// to the original destination.
+		mirrors?: [...{
+			// Destination specifies the target of the mirror operation.
+			destination: {
+				// The name of a service from the service registry.
+				host: string
+				port?: {
+					number?: int
+				}
+
+				// The name of a subset within the service.
+				subset?: string
+			}
+			percentage?: {
+				value?: number
+			}
+		}]
+
+		// The name assigned to the route for debugging purposes.
+		name?: string
+
+		// A HTTP rule can either return a direct_response, redirect or
+		// forward (default) traffic.
+		redirect?: ({} | {
+			port: _
+		} | {
+			derivePort: _
+		}) & {
+			// On a redirect, overwrite the Authority/Host portion of the URL
+			// with this value.
+			authority?: string
+
+			// On a redirect, dynamically set the port: *
+			// FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and
+			// 443 for HTTPS.
+			derivePort?: "FROM_PROTOCOL_DEFAULT" | "FROM_REQUEST_PORT"
+
+			// On a redirect, overwrite the port portion of the URL with this
+			// value.
+			port?: int
+
+			// On a redirect, Specifies the HTTP status code to use in the
+			// redirect response.
+			redirectCode?: int
+
+			// On a redirect, overwrite the scheme portion of the URL with
+			// this value.
+			scheme?: string
+
+			// On a redirect, overwrite the Path portion of the URL with this
+			// value.
+			uri?: string
+		}
+
+		// Retry policy for HTTP requests.
+		retries?: {
+			// Number of retries to be allowed for a given request.
+			attempts?: int
+
+			// Timeout per attempt for a given request, including the initial
+			// call and any retries.
+			perTryTimeout?: string
+
+			// Specifies the conditions under which retry takes place.
+			retryOn?: string
+
+			// Flag to specify whether the retries should retry to other
+			// localities.
+			retryRemoteLocalities?: null | bool
+		}
+
+		// Rewrite HTTP URIs and Authority headers.
+		rewrite?: {
+			// rewrite the Authority/Host header with this value.
+			authority?: string
+
+			// rewrite the path (or the prefix) portion of the URI with this
+			// value.
+			uri?: string
+
+			// rewrite the path portion of the URI with the specified regex.
+			uriRegexRewrite?: {
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				match?: string
+
+				// The string that should replace into matching portions of
+				// original URI.
+				rewrite?: string
+			}
+		}
+
+		// A HTTP rule can either return a direct_response, redirect or
+		// forward (default) traffic.
+		route?: [...{
+			// Destination uniquely identifies the instances of a service to
+			// which the request/connection should be forwarded to.
+			destination: {
+				// The name of a service from the service registry.
+				host: string
+				port?: {
+					number?: int
+				}
+
+				// The name of a subset within the service.
+				subset?: string
+			}
+			headers?: {
+				request?: {
+					add?: {
+						[string]: string
+					}
+					remove?: [...string]
+					set?: {
+						[string]: string
+					}
+				}
+				response?: {
+					add?: {
+						[string]: string
+					}
+					remove?: [...string]
+					set?: {
+						[string]: string
+					}
+				}
+			}
+
+			// Weight specifies the relative proportion of traffic to be
+			// forwarded to the destination.
+			weight?: int
+		}]
+
+		// Timeout for HTTP requests, default is disabled.
+		timeout?: string
+	}]
+
+	// An ordered list of route rules for opaque TCP traffic.
+	tcp?: [...{
+		// Match conditions to be satisfied for the rule to be activated.
+		match?: [...{
+			// IPv4 or IPv6 ip addresses of destination with optional subnet.
+			destinationSubnets?: [...string]
+
+			// Names of gateways where the rule should be applied.
+			gateways?: [...string]
+
+			// Specifies the port on the host that is being addressed.
+			port?: int
+
+			// One or more labels that constrain the applicability of a rule
+			// to workloads with the given labels.
+			sourceLabels?: {
+				[string]: string
+			}
+
+			// Source namespace constraining the applicability of a rule to
+			// workloads in that namespace.
+			sourceNamespace?: string
+			sourceSubnet?:    string
+		}]
+
+		// The destination to which the connection should be forwarded to.
+		route?: [...{
+			// Destination uniquely identifies the instances of a service to
+			// which the request/connection should be forwarded to.
+			destination: {
+				// The name of a service from the service registry.
+				host: string
+				port?: {
+					number?: int
+				}
+
+				// The name of a subset within the service.
+				subset?: string
+			}
+
+			// Weight specifies the relative proportion of traffic to be
+			// forwarded to the destination.
+			weight?: int
+		}]
+	}]
+
+	// An ordered list of route rule for non-terminated TLS & HTTPS
+	// traffic.
+	tls?: [...{
+		// Match conditions to be satisfied for the rule to be activated.
+		match: [...{
+			// IPv4 or IPv6 ip addresses of destination with optional subnet.
+			destinationSubnets?: [...string]
+
+			// Names of gateways where the rule should be applied.
+			gateways?: [...string]
+
+			// Specifies the port on the host that is being addressed.
+			port?: int
+
+			// SNI (server name indicator) to match on.
+			sniHosts: [...string]
+
+			// One or more labels that constrain the applicability of a rule
+			// to workloads with the given labels.
+			sourceLabels?: {
+				[string]: string
+			}
+
+			// Source namespace constraining the applicability of a rule to
+			// workloads in that namespace.
+			sourceNamespace?: string
+		}]
+
+		// The destination to which the connection should be forwarded to.
+		route?: [...{
+			// Destination uniquely identifies the instances of a service to
+			// which the request/connection should be forwarded to.
+			destination: {
+				// The name of a service from the service registry.
+				host: string
+				port?: {
+					number?: int
+				}
+
+				// The name of a subset within the service.
+				subset?: string
+			}
+
+			// Weight specifies the relative proportion of traffic to be
+			// forwarded to the destination.
+			weight?: int
+		}]
+	}]
+}

docs/examples/cue.mod/gen/networking.istio.io/virtualservice/v1beta1/types_gen.cue

@@ -0,0 +1,584 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1beta1
+
+import "strings"
+
+#VirtualService: {
+	// Configuration affecting label/content routing, sni routing,
+	// etc. See more details at:
+	// https://istio.io/docs/reference/config/networking/virtual-service.html
+	spec!:      #VirtualServiceSpec
+	apiVersion: "networking.istio.io/v1beta1"
+	kind:       "VirtualService"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting label/content routing, sni routing,
+// etc. See more details at:
+// https://istio.io/docs/reference/config/networking/virtual-service.html
+#VirtualServiceSpec: {
+	// A list of namespaces to which this virtual service is exported.
+	exportTo?: [...string]
+
+	// The names of gateways and sidecars that should apply these
+	// routes.
+	gateways?: [...string]
+
+	// The destination hosts to which traffic is being sent.
+	hosts?: [...string]
+
+	// An ordered list of route rules for HTTP traffic.
+	http?: [...{
+		// Cross-Origin Resource Sharing policy (CORS).
+		corsPolicy?: {
+			// Indicates whether the caller is allowed to send the actual
+			// request (not the preflight) using credentials.
+			allowCredentials?: null | bool
+
+			// List of HTTP headers that can be used when requesting the
+			// resource.
+			allowHeaders?: [...string]
+
+			// List of HTTP methods allowed to access the resource.
+			allowMethods?: [...string]
+			allowOrigin?: [...string]
+
+			// String patterns that match allowed origins.
+			allowOrigins?: [...({} | {
+				exact: _
+			} | {
+				prefix: _
+			} | {
+				regex: _
+			}) & {
+				exact?:  string
+				prefix?: string
+
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				regex?: string
+			}]
+
+			// A list of HTTP headers that the browsers are allowed to access.
+			exposeHeaders?: [...string]
+
+			// Specifies how long the results of a preflight request can be
+			// cached.
+			maxAge?: string
+		}
+
+		// Delegate is used to specify the particular VirtualService which
+		// can be used to define delegate HTTPRoute.
+		delegate?: {
+			// Name specifies the name of the delegate VirtualService.
+			name?: string
+
+			// Namespace specifies the namespace where the delegate
+			// VirtualService resides.
+			namespace?: string
+		}
+
+		// A HTTP rule can either return a direct_response, redirect or
+		// forward (default) traffic.
+		directResponse?: {
+			// Specifies the content of the response body.
+			body?: ({} | {
+				string: _
+			} | {
+				bytes: _
+			}) & {
+				// response body as base64 encoded bytes.
+				bytes?:  string
+				string?: string
+			}
+
+			// Specifies the HTTP response status to be returned.
+			status: int
+		}
+
+		// Fault injection policy to apply on HTTP traffic at the client
+		// side.
+		fault?: {
+			// Abort Http request attempts and return error codes back to
+			// downstream service, giving the impression that the upstream
+			// service is faulty.
+			abort?: ({} | {
+				httpStatus: _
+			} | {
+				grpcStatus: _
+			} | {
+				http2Error: _
+			}) & {
+				// GRPC status code to use to abort the request.
+				grpcStatus?: string
+				http2Error?: string
+
+				// HTTP status code to use to abort the Http request.
+				httpStatus?: int
+				percentage?: {
+					value?: number
+				}
+			}
+
+			// Delay requests before forwarding, emulating various failures
+			// such as network issues, overloaded upstream service, etc.
+			delay?: ({} | {
+				fixedDelay: _
+			} | {
+				exponentialDelay: _
+			}) & {
+				exponentialDelay?: string
+
+				// Add a fixed delay before forwarding the request.
+				fixedDelay?: string
+
+				// Percentage of requests on which the delay will be injected
+				// (0-100).
+				percent?: int
+				percentage?: {
+					value?: number
+				}
+			}
+		}
+		headers?: {
+			request?: {
+				add?: {
+					[string]: string
+				}
+				remove?: [...string]
+				set?: {
+					[string]: string
+				}
+			}
+			response?: {
+				add?: {
+					[string]: string
+				}
+				remove?: [...string]
+				set?: {
+					[string]: string
+				}
+			}
+		}
+
+		// Match conditions to be satisfied for the rule to be activated.
+		match?: [...{
+			// HTTP Authority values are case-sensitive and formatted as
+			// follows: - `exact: "value"` for exact string match - `prefix:
+			// "value"` for prefix-based match - `regex: "value"` for RE2
+			// style regex-based match
+			// (https://github.com/google/re2/wiki/Syntax).
+			authority?: ({} | {
+				exact: _
+			} | {
+				prefix: _
+			} | {
+				regex: _
+			}) & {
+				exact?:  string
+				prefix?: string
+
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				regex?: string
+			}
+
+			// Names of gateways where the rule should be applied.
+			gateways?: [...string]
+
+			// The header keys must be lowercase and use hyphen as the
+			// separator, e.g.
+			headers?: {
+				[string]: ({} | {
+					exact: _
+				} | {
+					prefix: _
+				} | {
+					regex: _
+				}) & {
+					exact?:  string
+					prefix?: string
+
+					// RE2 style regex-based match
+					// (https://github.com/google/re2/wiki/Syntax).
+					regex?: string
+				}
+			}
+
+			// Flag to specify whether the URI matching should be
+			// case-insensitive.
+			ignoreUriCase?: bool
+
+			// HTTP Method values are case-sensitive and formatted as follows:
+			// - `exact: "value"` for exact string match - `prefix: "value"`
+			// for prefix-based match - `regex: "value"` for RE2 style
+			// regex-based match (https://github.com/google/re2/wiki/Syntax).
+			method?: ({} | {
+				exact: _
+			} | {
+				prefix: _
+			} | {
+				regex: _
+			}) & {
+				exact?:  string
+				prefix?: string
+
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				regex?: string
+			}
+
+			// The name assigned to a match.
+			name?: string
+
+			// Specifies the ports on the host that is being addressed.
+			port?: int
+
+			// Query parameters for matching.
+			queryParams?: {
+				[string]: ({} | {
+					exact: _
+				} | {
+					prefix: _
+				} | {
+					regex: _
+				}) & {
+					exact?:  string
+					prefix?: string
+
+					// RE2 style regex-based match
+					// (https://github.com/google/re2/wiki/Syntax).
+					regex?: string
+				}
+			}
+
+			// URI Scheme values are case-sensitive and formatted as follows:
+			// - `exact: "value"` for exact string match - `prefix: "value"`
+			// for prefix-based match - `regex: "value"` for RE2 style
+			// regex-based match (https://github.com/google/re2/wiki/Syntax).
+			scheme?: ({} | {
+				exact: _
+			} | {
+				prefix: _
+			} | {
+				regex: _
+			}) & {
+				exact?:  string
+				prefix?: string
+
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				regex?: string
+			}
+
+			// One or more labels that constrain the applicability of a rule
+			// to source (client) workloads with the given labels.
+			sourceLabels?: {
+				[string]: string
+			}
+
+			// Source namespace constraining the applicability of a rule to
+			// workloads in that namespace.
+			sourceNamespace?: string
+
+			// The human readable prefix to use when emitting statistics for
+			// this route.
+			statPrefix?: string
+
+			// URI to match values are case-sensitive and formatted as
+			// follows: - `exact: "value"` for exact string match - `prefix:
+			// "value"` for prefix-based match - `regex: "value"` for RE2
+			// style regex-based match
+			// (https://github.com/google/re2/wiki/Syntax).
+			uri?: ({} | {
+				exact: _
+			} | {
+				prefix: _
+			} | {
+				regex: _
+			}) & {
+				exact?:  string
+				prefix?: string
+
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				regex?: string
+			}
+
+			// withoutHeader has the same syntax with the header, but has
+			// opposite meaning.
+			withoutHeaders?: {
+				[string]: {
+					exact?:  string
+					prefix?: string
+
+					// RE2 style regex-based match
+					// (https://github.com/google/re2/wiki/Syntax).
+					regex?: string
+				}
+			}
+		}]
+
+		// Mirror HTTP traffic to a another destination in addition to
+		// forwarding the requests to the intended destination.
+		mirror?: {
+			// The name of a service from the service registry.
+			host: string
+			port?: {
+				number?: int
+			}
+
+			// The name of a subset within the service.
+			subset?: string
+		}
+		mirror_percent?: null | int
+		mirrorPercent?:  null | int
+		mirrorPercentage?: {
+			value?: number
+		}
+
+		// Specifies the destinations to mirror HTTP traffic in addition
+		// to the original destination.
+		mirrors?: [...{
+			// Destination specifies the target of the mirror operation.
+			destination: {
+				// The name of a service from the service registry.
+				host: string
+				port?: {
+					number?: int
+				}
+
+				// The name of a subset within the service.
+				subset?: string
+			}
+			percentage?: {
+				value?: number
+			}
+		}]
+
+		// The name assigned to the route for debugging purposes.
+		name?: string
+
+		// A HTTP rule can either return a direct_response, redirect or
+		// forward (default) traffic.
+		redirect?: {
+			// On a redirect, overwrite the Authority/Host portion of the URL
+			// with this value.
+			authority?: string
+
+			// On a redirect, dynamically set the port: *
+			// FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and
+			// 443 for HTTPS.
+			derivePort?: "FROM_PROTOCOL_DEFAULT" | "FROM_REQUEST_PORT"
+
+			// On a redirect, overwrite the port portion of the URL with this
+			// value.
+			port?: int
+
+			// On a redirect, Specifies the HTTP status code to use in the
+			// redirect response.
+			redirectCode?: int
+
+			// On a redirect, overwrite the scheme portion of the URL with
+			// this value.
+			scheme?: string
+
+			// On a redirect, overwrite the Path portion of the URL with this
+			// value.
+			uri?: string
+		}
+
+		// Retry policy for HTTP requests.
+		retries?: {
+			// Number of retries to be allowed for a given request.
+			attempts?: int
+
+			// Timeout per attempt for a given request, including the initial
+			// call and any retries.
+			perTryTimeout?: string
+
+			// Specifies the conditions under which retry takes place.
+			retryOn?: string
+
+			// Flag to specify whether the retries should retry to other
+			// localities.
+			retryRemoteLocalities?: null | bool
+		}
+
+		// Rewrite HTTP URIs and Authority headers.
+		rewrite?: {
+			// rewrite the Authority/Host header with this value.
+			authority?: string
+
+			// rewrite the path (or the prefix) portion of the URI with this
+			// value.
+			uri?: string
+
+			// rewrite the path portion of the URI with the specified regex.
+			uriRegexRewrite?: {
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				match?: string
+
+				// The string that should replace into matching portions of
+				// original URI.
+				rewrite?: string
+			}
+		}
+
+		// A HTTP rule can either return a direct_response, redirect or
+		// forward (default) traffic.
+		route?: [...{
+			// Destination uniquely identifies the instances of a service to
+			// which the request/connection should be forwarded to.
+			destination: {
+				// The name of a service from the service registry.
+				host: string
+				port?: {
+					number?: int
+				}
+
+				// The name of a subset within the service.
+				subset?: string
+			}
+			headers?: {
+				request?: {
+					add?: {
+						[string]: string
+					}
+					remove?: [...string]
+					set?: {
+						[string]: string
+					}
+				}
+				response?: {
+					add?: {
+						[string]: string
+					}
+					remove?: [...string]
+					set?: {
+						[string]: string
+					}
+				}
+			}
+
+			// Weight specifies the relative proportion of traffic to be
+			// forwarded to the destination.
+			weight?: int
+		}]
+
+		// Timeout for HTTP requests, default is disabled.
+		timeout?: string
+	}]
+
+	// An ordered list of route rules for opaque TCP traffic.
+	tcp?: [...{
+		// Match conditions to be satisfied for the rule to be activated.
+		match?: [...{
+			// IPv4 or IPv6 ip addresses of destination with optional subnet.
+			destinationSubnets?: [...string]
+
+			// Names of gateways where the rule should be applied.
+			gateways?: [...string]
+
+			// Specifies the port on the host that is being addressed.
+			port?: int
+
+			// One or more labels that constrain the applicability of a rule
+			// to workloads with the given labels.
+			sourceLabels?: {
+				[string]: string
+			}
+
+			// Source namespace constraining the applicability of a rule to
+			// workloads in that namespace.
+			sourceNamespace?: string
+			sourceSubnet?:    string
+		}]
+
+		// The destination to which the connection should be forwarded to.
+		route?: [...{
+			// Destination uniquely identifies the instances of a service to
+			// which the request/connection should be forwarded to.
+			destination: {
+				// The name of a service from the service registry.
+				host: string
+				port?: {
+					number?: int
+				}
+
+				// The name of a subset within the service.
+				subset?: string
+			}
+
+			// Weight specifies the relative proportion of traffic to be
+			// forwarded to the destination.
+			weight?: int
+		}]
+	}]
+
+	// An ordered list of route rule for non-terminated TLS & HTTPS
+	// traffic.
+	tls?: [...{
+		// Match conditions to be satisfied for the rule to be activated.
+		match: [...{
+			// IPv4 or IPv6 ip addresses of destination with optional subnet.
+			destinationSubnets?: [...string]
+
+			// Names of gateways where the rule should be applied.
+			gateways?: [...string]
+
+			// Specifies the port on the host that is being addressed.
+			port?: int
+
+			// SNI (server name indicator) to match on.
+			sniHosts: [...string]
+
+			// One or more labels that constrain the applicability of a rule
+			// to workloads with the given labels.
+			sourceLabels?: {
+				[string]: string
+			}
+
+			// Source namespace constraining the applicability of a rule to
+			// workloads in that namespace.
+			sourceNamespace?: string
+		}]
+
+		// The destination to which the connection should be forwarded to.
+		route?: [...{
+			// Destination uniquely identifies the instances of a service to
+			// which the request/connection should be forwarded to.
+			destination: {
+				// The name of a service from the service registry.
+				host: string
+				port?: {
+					number?: int
+				}
+
+				// The name of a subset within the service.
+				subset?: string
+			}
+
+			// Weight specifies the relative proportion of traffic to be
+			// forwarded to the destination.
+			weight?: int
+		}]
+	}]
+}

docs/examples/cue.mod/gen/networking.istio.io/workloadentry/v1alpha3/types_gen.cue

@@ -0,0 +1,62 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1alpha3
+
+import "strings"
+
+#WorkloadEntry: {
+	// Configuration affecting VMs onboarded into the mesh. See more
+	// details at:
+	// https://istio.io/docs/reference/config/networking/workload-entry.html
+	spec!:      #WorkloadEntrySpec
+	apiVersion: "networking.istio.io/v1alpha3"
+	kind:       "WorkloadEntry"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting VMs onboarded into the mesh. See more
+// details at:
+// https://istio.io/docs/reference/config/networking/workload-entry.html
+#WorkloadEntrySpec: {
+	// Address associated with the network endpoint without the port.
+	address?: string
+
+	// One or more labels associated with the endpoint.
+	labels?: {
+		[string]: string
+	}
+
+	// The locality associated with the endpoint.
+	locality?: string
+
+	// Network enables Istio to group endpoints resident in the same
+	// L3 domain/network.
+	network?: string
+
+	// Set of ports associated with the endpoint.
+	ports?: {
+		[string]: int
+	}
+
+	// The service account associated with the workload if a sidecar
+	// is present in the workload.
+	serviceAccount?: string
+
+	// The load balancing weight associated with the endpoint.
+	weight?: int
+}

docs/examples/cue.mod/gen/networking.istio.io/workloadentry/v1beta1/types_gen.cue

@@ -0,0 +1,62 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1beta1
+
+import "strings"
+
+#WorkloadEntry: {
+	// Configuration affecting VMs onboarded into the mesh. See more
+	// details at:
+	// https://istio.io/docs/reference/config/networking/workload-entry.html
+	spec!:      #WorkloadEntrySpec
+	apiVersion: "networking.istio.io/v1beta1"
+	kind:       "WorkloadEntry"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting VMs onboarded into the mesh. See more
+// details at:
+// https://istio.io/docs/reference/config/networking/workload-entry.html
+#WorkloadEntrySpec: {
+	// Address associated with the network endpoint without the port.
+	address?: string
+
+	// One or more labels associated with the endpoint.
+	labels?: {
+		[string]: string
+	}
+
+	// The locality associated with the endpoint.
+	locality?: string
+
+	// Network enables Istio to group endpoints resident in the same
+	// L3 domain/network.
+	network?: string
+
+	// Set of ports associated with the endpoint.
+	ports?: {
+		[string]: int
+	}
+
+	// The service account associated with the workload if a sidecar
+	// is present in the workload.
+	serviceAccount?: string
+
+	// The load balancing weight associated with the endpoint.
+	weight?: int
+}

docs/examples/cue.mod/gen/networking.istio.io/workloadgroup/v1alpha3/types_gen.cue

@@ -0,0 +1,136 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1alpha3
+
+import "strings"
+
+#WorkloadGroup: {
+	// Describes a collection of workload instances. See more details
+	// at:
+	// https://istio.io/docs/reference/config/networking/workload-group.html
+	spec!:      #WorkloadGroupSpec
+	apiVersion: "networking.istio.io/v1alpha3"
+	kind:       "WorkloadGroup"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Describes a collection of workload instances. See more details
+// at:
+// https://istio.io/docs/reference/config/networking/workload-group.html
+#WorkloadGroupSpec: {
+	// Metadata that will be used for all corresponding
+	// `WorkloadEntries`.
+	metadata?: {
+		annotations?: {
+			[string]: string
+		}
+		labels?: {
+			[string]: string
+		}
+	}
+
+	// `ReadinessProbe` describes the configuration the user must
+	// provide for healthchecking on their workload.
+	probe?: ({} | {
+		httpGet: _
+	} | {
+		tcpSocket: _
+	} | {
+		exec: _
+	}) & {
+		exec?: {
+			// Command to run.
+			command?: [...string]
+		}
+
+		// Minimum consecutive failures for the probe to be considered
+		// failed after having succeeded.
+		failureThreshold?: int
+
+		// `httpGet` is performed to a given endpoint and the status/able
+		// to connect determines health.
+		httpGet?: {
+			// Host name to connect to, defaults to the pod IP.
+			host?: string
+
+			// Headers the proxy will pass on to make the request.
+			httpHeaders?: [...{
+				name?:  string
+				value?: string
+			}]
+
+			// Path to access on the HTTP server.
+			path?: string
+
+			// Port on which the endpoint lives.
+			port:    int
+			scheme?: string
+		}
+
+		// Number of seconds after the container has started before
+		// readiness probes are initiated.
+		initialDelaySeconds?: int
+
+		// How often (in seconds) to perform the probe.
+		periodSeconds?: int
+
+		// Minimum consecutive successes for the probe to be considered
+		// successful after having failed.
+		successThreshold?: int
+
+		// Health is determined by if the proxy is able to connect.
+		tcpSocket?: {
+			host?: string
+			port:  int
+		}
+
+		// Number of seconds after which the probe times out.
+		timeoutSeconds?: int
+	}
+
+	// Template to be used for the generation of `WorkloadEntry`
+	// resources that belong to this `WorkloadGroup`.
+	template: {
+		// Address associated with the network endpoint without the port.
+		address?: string
+
+		// One or more labels associated with the endpoint.
+		labels?: {
+			[string]: string
+		}
+
+		// The locality associated with the endpoint.
+		locality?: string
+
+		// Network enables Istio to group endpoints resident in the same
+		// L3 domain/network.
+		network?: string
+
+		// Set of ports associated with the endpoint.
+		ports?: {
+			[string]: int
+		}
+
+		// The service account associated with the workload if a sidecar
+		// is present in the workload.
+		serviceAccount?: string
+
+		// The load balancing weight associated with the endpoint.
+		weight?: int
+	}
+}

docs/examples/cue.mod/gen/networking.istio.io/workloadgroup/v1beta1/types_gen.cue

@@ -0,0 +1,138 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1beta1
+
+import "strings"
+
+#WorkloadGroup: {
+	// `WorkloadGroup` enables specifying the properties of a single
+	// workload for bootstrap and provides a template for
+	// `WorkloadEntry`, similar to how `Deployment` specifies
+	// properties of workloads via `Pod` templates.
+	spec!:      #WorkloadGroupSpec
+	apiVersion: "networking.istio.io/v1beta1"
+	kind:       "WorkloadGroup"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// `WorkloadGroup` enables specifying the properties of a single
+// workload for bootstrap and provides a template for
+// `WorkloadEntry`, similar to how `Deployment` specifies
+// properties of workloads via `Pod` templates.
+#WorkloadGroupSpec: {
+	// Metadata that will be used for all corresponding
+	// `WorkloadEntries`.
+	metadata?: {
+		annotations?: {
+			[string]: string
+		}
+		labels?: {
+			[string]: string
+		}
+	}
+
+	// `ReadinessProbe` describes the configuration the user must
+	// provide for healthchecking on their workload.
+	probe?: ({} | {
+		httpGet: _
+	} | {
+		tcpSocket: _
+	} | {
+		exec: _
+	}) & {
+		exec?: {
+			// Command to run.
+			command?: [...string]
+		}
+
+		// Minimum consecutive failures for the probe to be considered
+		// failed after having succeeded.
+		failureThreshold?: int
+
+		// `httpGet` is performed to a given endpoint and the status/able
+		// to connect determines health.
+		httpGet?: {
+			// Host name to connect to, defaults to the pod IP.
+			host?: string
+
+			// Headers the proxy will pass on to make the request.
+			httpHeaders?: [...{
+				name?:  string
+				value?: string
+			}]
+
+			// Path to access on the HTTP server.
+			path?: string
+
+			// Port on which the endpoint lives.
+			port:    int
+			scheme?: string
+		}
+
+		// Number of seconds after the container has started before
+		// readiness probes are initiated.
+		initialDelaySeconds?: int
+
+		// How often (in seconds) to perform the probe.
+		periodSeconds?: int
+
+		// Minimum consecutive successes for the probe to be considered
+		// successful after having failed.
+		successThreshold?: int
+
+		// Health is determined by if the proxy is able to connect.
+		tcpSocket?: {
+			host?: string
+			port:  int
+		}
+
+		// Number of seconds after which the probe times out.
+		timeoutSeconds?: int
+	}
+
+	// Template to be used for the generation of `WorkloadEntry`
+	// resources that belong to this `WorkloadGroup`.
+	template: {
+		// Address associated with the network endpoint without the port.
+		address?: string
+
+		// One or more labels associated with the endpoint.
+		labels?: {
+			[string]: string
+		}
+
+		// The locality associated with the endpoint.
+		locality?: string
+
+		// Network enables Istio to group endpoints resident in the same
+		// L3 domain/network.
+		network?: string
+
+		// Set of ports associated with the endpoint.
+		ports?: {
+			[string]: int
+		}
+
+		// The service account associated with the workload if a sidecar
+		// is present in the workload.
+		serviceAccount?: string
+
+		// The load balancing weight associated with the endpoint.
+		weight?: int
+	}
+}

docs/examples/cue.mod/gen/security.istio.io/authorizationpolicy/v1/types_gen.cue

@@ -0,0 +1,147 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1
+
+import "strings"
+
+#AuthorizationPolicy: {
+	// Configuration for access control on workloads. See more details
+	// at:
+	// https://istio.io/docs/reference/config/security/authorization-policy.html
+	spec!:      #AuthorizationPolicySpec
+	apiVersion: "security.istio.io/v1"
+	kind:       "AuthorizationPolicy"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration for access control on workloads. See more details
+// at:
+// https://istio.io/docs/reference/config/security/authorization-policy.html
+#AuthorizationPolicySpec: ({} | {
+	provider: _
+}) & {
+	// Optional.
+	action?: "ALLOW" | "DENY" | "AUDIT" | "CUSTOM"
+	provider?: {
+		// Specifies the name of the extension provider.
+		name?: string
+	}
+
+	// Optional.
+	rules?: [...{
+		// Optional.
+		from?: [...{
+			// Source specifies the source of a request.
+			source?: {
+				// Optional.
+				ipBlocks?: [...string]
+
+				// Optional.
+				namespaces?: [...string]
+
+				// Optional.
+				notIpBlocks?: [...string]
+
+				// Optional.
+				notNamespaces?: [...string]
+
+				// Optional.
+				notPrincipals?: [...string]
+
+				// Optional.
+				notRemoteIpBlocks?: [...string]
+
+				// Optional.
+				notRequestPrincipals?: [...string]
+
+				// Optional.
+				principals?: [...string]
+
+				// Optional.
+				remoteIpBlocks?: [...string]
+
+				// Optional.
+				requestPrincipals?: [...string]
+			}
+		}]
+
+		// Optional.
+		to?: [...{
+			// Operation specifies the operation of a request.
+			operation?: {
+				// Optional.
+				hosts?: [...string]
+
+				// Optional.
+				methods?: [...string]
+
+				// Optional.
+				notHosts?: [...string]
+
+				// Optional.
+				notMethods?: [...string]
+
+				// Optional.
+				notPaths?: [...string]
+
+				// Optional.
+				notPorts?: [...string]
+
+				// Optional.
+				paths?: [...string]
+
+				// Optional.
+				ports?: [...string]
+			}
+		}]
+
+		// Optional.
+		when?: [...{
+			// The name of an Istio attribute.
+			key: string
+
+			// Optional.
+			notValues?: [...string]
+
+			// Optional.
+			values?: [...string]
+		}]
+	}]
+	selector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which a policy should be applied.
+		matchLabels?: {
+			[string]: string
+		}
+	}
+
+	// Optional.
+	targetRef?: {
+		// group is the group of the target resource.
+		group?: string
+
+		// kind is kind of the target resource.
+		kind?: string
+
+		// name is the name of the target resource.
+		name?: string
+
+		// namespace is the namespace of the referent.
+		namespace?: string
+	}
+}

docs/examples/cue.mod/gen/security.istio.io/authorizationpolicy/v1beta1/types_gen.cue

@@ -0,0 +1,147 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1beta1
+
+import "strings"
+
+#AuthorizationPolicy: {
+	// Configuration for access control on workloads. See more details
+	// at:
+	// https://istio.io/docs/reference/config/security/authorization-policy.html
+	spec!:      #AuthorizationPolicySpec
+	apiVersion: "security.istio.io/v1beta1"
+	kind:       "AuthorizationPolicy"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration for access control on workloads. See more details
+// at:
+// https://istio.io/docs/reference/config/security/authorization-policy.html
+#AuthorizationPolicySpec: ({} | {
+	provider: _
+}) & {
+	// Optional.
+	action?: "ALLOW" | "DENY" | "AUDIT" | "CUSTOM"
+	provider?: {
+		// Specifies the name of the extension provider.
+		name?: string
+	}
+
+	// Optional.
+	rules?: [...{
+		// Optional.
+		from?: [...{
+			// Source specifies the source of a request.
+			source?: {
+				// Optional.
+				ipBlocks?: [...string]
+
+				// Optional.
+				namespaces?: [...string]
+
+				// Optional.
+				notIpBlocks?: [...string]
+
+				// Optional.
+				notNamespaces?: [...string]
+
+				// Optional.
+				notPrincipals?: [...string]
+
+				// Optional.
+				notRemoteIpBlocks?: [...string]
+
+				// Optional.
+				notRequestPrincipals?: [...string]
+
+				// Optional.
+				principals?: [...string]
+
+				// Optional.
+				remoteIpBlocks?: [...string]
+
+				// Optional.
+				requestPrincipals?: [...string]
+			}
+		}]
+
+		// Optional.
+		to?: [...{
+			// Operation specifies the operation of a request.
+			operation?: {
+				// Optional.
+				hosts?: [...string]
+
+				// Optional.
+				methods?: [...string]
+
+				// Optional.
+				notHosts?: [...string]
+
+				// Optional.
+				notMethods?: [...string]
+
+				// Optional.
+				notPaths?: [...string]
+
+				// Optional.
+				notPorts?: [...string]
+
+				// Optional.
+				paths?: [...string]
+
+				// Optional.
+				ports?: [...string]
+			}
+		}]
+
+		// Optional.
+		when?: [...{
+			// The name of an Istio attribute.
+			key: string
+
+			// Optional.
+			notValues?: [...string]
+
+			// Optional.
+			values?: [...string]
+		}]
+	}]
+	selector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which a policy should be applied.
+		matchLabels?: {
+			[string]: string
+		}
+	}
+
+	// Optional.
+	targetRef?: {
+		// group is the group of the target resource.
+		group?: string
+
+		// kind is kind of the target resource.
+		kind?: string
+
+		// name is the name of the target resource.
+		name?: string
+
+		// namespace is the namespace of the referent.
+		namespace?: string
+	}
+}

docs/examples/cue.mod/gen/security.istio.io/peerauthentication/v1beta1/types_gen.cue

@@ -0,0 +1,55 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1beta1
+
+import "strings"
+
+#PeerAuthentication: {
+	// Peer authentication configuration for workloads. See more
+	// details at:
+	// https://istio.io/docs/reference/config/security/peer_authentication.html
+	spec!:      #PeerAuthenticationSpec
+	apiVersion: "security.istio.io/v1beta1"
+	kind:       "PeerAuthentication"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Peer authentication configuration for workloads. See more
+// details at:
+// https://istio.io/docs/reference/config/security/peer_authentication.html
+#PeerAuthenticationSpec: {
+	mtls?: {
+		// Defines the mTLS mode used for peer authentication.
+		mode?: "UNSET" | "DISABLE" | "PERMISSIVE" | "STRICT"
+	}
+
+	// Port specific mutual TLS settings.
+	portLevelMtls?: {
+		[string]: {
+			// Defines the mTLS mode used for peer authentication.
+			mode?: "UNSET" | "DISABLE" | "PERMISSIVE" | "STRICT"
+		}
+	}
+	selector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which a policy should be applied.
+		matchLabels?: {
+			[string]: string
+		}
+	}
+}

docs/examples/cue.mod/gen/security.istio.io/requestauthentication/v1/types_gen.cue

@@ -0,0 +1,111 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1
+
+import "strings"
+
+#RequestAuthentication: {
+	// Request authentication configuration for workloads. See more
+	// details at:
+	// https://istio.io/docs/reference/config/security/request_authentication.html
+	spec!:      #RequestAuthenticationSpec
+	apiVersion: "security.istio.io/v1"
+	kind:       "RequestAuthentication"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Request authentication configuration for workloads. See more
+// details at:
+// https://istio.io/docs/reference/config/security/request_authentication.html
+#RequestAuthenticationSpec: {
+	// Define the list of JWTs that can be validated at the selected
+	// workloads' proxy.
+	jwtRules?: [...{
+		// The list of JWT
+		// [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3)
+		// that are allowed to access.
+		audiences?: [...string]
+
+		// If set to true, the original token will be kept for the
+		// upstream request.
+		forwardOriginalToken?: bool
+
+		// List of header locations from which JWT is expected.
+		fromHeaders?: [...{
+			// The HTTP header name.
+			name: string
+
+			// The prefix that should be stripped before decoding the token.
+			prefix?: string
+		}]
+
+		// List of query parameters from which JWT is expected.
+		fromParams?: [...string]
+
+		// Identifies the issuer that issued the JWT.
+		issuer: string
+
+		// JSON Web Key Set of public keys to validate signature of the
+		// JWT.
+		jwks?: string
+
+		// URL of the provider's public key set to validate signature of
+		// the JWT.
+		jwks_uri?: string
+
+		// URL of the provider's public key set to validate signature of
+		// the JWT.
+		jwksUri?: string
+
+		// This field specifies a list of operations to copy the claim to
+		// HTTP headers on a successfully verified token.
+		outputClaimToHeaders?: [...{
+			// The name of the claim to be copied from.
+			claim?: string
+
+			// The name of the header to be created.
+			header?: string
+		}]
+
+		// This field specifies the header name to output a successfully
+		// verified JWT payload to the backend.
+		outputPayloadToHeader?: string
+	}]
+	selector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which a policy should be applied.
+		matchLabels?: {
+			[string]: string
+		}
+	}
+
+	// Optional.
+	targetRef?: {
+		// group is the group of the target resource.
+		group?: string
+
+		// kind is kind of the target resource.
+		kind?: string
+
+		// name is the name of the target resource.
+		name?: string
+
+		// namespace is the namespace of the referent.
+		namespace?: string
+	}
+}

docs/examples/cue.mod/gen/security.istio.io/requestauthentication/v1beta1/types_gen.cue

@@ -0,0 +1,111 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1beta1
+
+import "strings"
+
+#RequestAuthentication: {
+	// Request authentication configuration for workloads. See more
+	// details at:
+	// https://istio.io/docs/reference/config/security/request_authentication.html
+	spec!:      #RequestAuthenticationSpec
+	apiVersion: "security.istio.io/v1beta1"
+	kind:       "RequestAuthentication"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Request authentication configuration for workloads. See more
+// details at:
+// https://istio.io/docs/reference/config/security/request_authentication.html
+#RequestAuthenticationSpec: {
+	// Define the list of JWTs that can be validated at the selected
+	// workloads' proxy.
+	jwtRules?: [...{
+		// The list of JWT
+		// [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3)
+		// that are allowed to access.
+		audiences?: [...string]
+
+		// If set to true, the original token will be kept for the
+		// upstream request.
+		forwardOriginalToken?: bool
+
+		// List of header locations from which JWT is expected.
+		fromHeaders?: [...{
+			// The HTTP header name.
+			name: string
+
+			// The prefix that should be stripped before decoding the token.
+			prefix?: string
+		}]
+
+		// List of query parameters from which JWT is expected.
+		fromParams?: [...string]
+
+		// Identifies the issuer that issued the JWT.
+		issuer: string
+
+		// JSON Web Key Set of public keys to validate signature of the
+		// JWT.
+		jwks?: string
+
+		// URL of the provider's public key set to validate signature of
+		// the JWT.
+		jwks_uri?: string
+
+		// URL of the provider's public key set to validate signature of
+		// the JWT.
+		jwksUri?: string
+
+		// This field specifies a list of operations to copy the claim to
+		// HTTP headers on a successfully verified token.
+		outputClaimToHeaders?: [...{
+			// The name of the claim to be copied from.
+			claim?: string
+
+			// The name of the header to be created.
+			header?: string
+		}]
+
+		// This field specifies the header name to output a successfully
+		// verified JWT payload to the backend.
+		outputPayloadToHeader?: string
+	}]
+	selector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which a policy should be applied.
+		matchLabels?: {
+			[string]: string
+		}
+	}
+
+	// Optional.
+	targetRef?: {
+		// group is the group of the target resource.
+		group?: string
+
+		// kind is kind of the target resource.
+		kind?: string
+
+		// name is the name of the target resource.
+		name?: string
+
+		// namespace is the namespace of the referent.
+		namespace?: string
+	}
+}

docs/examples/cue.mod/gen/telemetry.istio.io/telemetry/v1alpha1/types_gen.cue

@@ -0,0 +1,184 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1alpha1
+
+import "strings"
+
+#Telemetry: {
+	// Telemetry configuration for workloads. See more details at:
+	// https://istio.io/docs/reference/config/telemetry.html
+	spec!:      #TelemetrySpec
+	apiVersion: "telemetry.istio.io/v1alpha1"
+	kind:       "Telemetry"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Telemetry configuration for workloads. See more details at:
+// https://istio.io/docs/reference/config/telemetry.html
+#TelemetrySpec: {
+	// Optional.
+	accessLogging?: [...{
+		// Controls logging.
+		disabled?: null | bool
+		filter?: {
+			// CEL expression for selecting when requests/connections should
+			// be logged.
+			expression?: string
+		}
+		match?: {
+			// This determines whether or not to apply the access logging
+			// configuration based on the direction of traffic relative to
+			// the proxied workload.
+			mode?: "CLIENT_AND_SERVER" | "CLIENT" | "SERVER"
+		}
+
+		// Optional.
+		providers?: [...{
+			// Required.
+			name: string
+		}]
+	}]
+
+	// Optional.
+	metrics?: [...{
+		// Optional.
+		overrides?: [...{
+			// Optional.
+			disabled?: null | bool
+
+			// Match allows provides the scope of the override.
+			match?: ({} | {
+				metric: _
+			} | {
+				customMetric: _
+			}) & {
+				// Allows free-form specification of a metric.
+				customMetric?: string
+
+				// One of the well-known Istio Standard Metrics.
+				metric?: "ALL_METRICS" | "REQUEST_COUNT" | "REQUEST_DURATION" | "REQUEST_SIZE" | "RESPONSE_SIZE" | "TCP_OPENED_CONNECTIONS" | "TCP_CLOSED_CONNECTIONS" | "TCP_SENT_BYTES" | "TCP_RECEIVED_BYTES" | "GRPC_REQUEST_MESSAGES" | "GRPC_RESPONSE_MESSAGES"
+
+				// Controls which mode of metrics generation is selected: CLIENT
+				// and/or SERVER.
+				mode?: "CLIENT_AND_SERVER" | "CLIENT" | "SERVER"
+			}
+
+			// Optional.
+			tagOverrides?: {
+				[string]: {
+					// Operation controls whether or not to update/add a tag, or to
+					// remove it.
+					operation?: "UPSERT" | "REMOVE"
+
+					// Value is only considered if the operation is `UPSERT`.
+					value?: string
+				}
+			}
+		}]
+
+		// Optional.
+		providers?: [...{
+			// Required.
+			name: string
+		}]
+
+		// Optional.
+		reportingInterval?: string
+	}]
+	selector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which a policy should be applied.
+		matchLabels?: {
+			[string]: string
+		}
+	}
+
+	// Optional.
+	targetRef?: {
+		// group is the group of the target resource.
+		group?: string
+
+		// kind is kind of the target resource.
+		kind?: string
+
+		// name is the name of the target resource.
+		name?: string
+
+		// namespace is the namespace of the referent.
+		namespace?: string
+	}
+
+	// Optional.
+	tracing?: [...{
+		// Optional.
+		customTags?: {
+			[string]: ({} | {
+				literal: _
+			} | {
+				environment: _
+			} | {
+				header: _
+			}) & {
+				// Environment adds the value of an environment variable to each
+				// span.
+				environment?: {
+					// Optional.
+					defaultValue?: string
+
+					// Name of the environment variable from which to extract the tag
+					// value.
+					name?: string
+				}
+
+				// RequestHeader adds the value of an header from the request to
+				// each span.
+				header?: {
+					// Optional.
+					defaultValue?: string
+
+					// Name of the header from which to extract the tag value.
+					name?: string
+				}
+				literal?: {
+					// The tag value to use.
+					value?: string
+				}
+			}
+		}
+
+		// Controls span reporting.
+		disableSpanReporting?: null | bool
+		match?: {
+			// This determines whether or not to apply the tracing
+			// configuration based on the direction of traffic relative to
+			// the proxied workload.
+			mode?: "CLIENT_AND_SERVER" | "CLIENT" | "SERVER"
+		}
+
+		// Optional.
+		providers?: [...{
+			// Required.
+			name: string
+		}]
+
+		// Controls the rate at which traffic will be selected for tracing
+		// if no prior sampling decision has been made.
+		randomSamplingPercentage?:     null | number
+		useRequestIdForTraceSampling?: null | bool
+	}]
+}

docs/examples/cue.mod/usr/k8s.io/api/apps/v1/types.cue

@@ -0,0 +1,6 @@
+package v1
+
+#Deployment: {
+  apiVersion: "apps/v1"
+  kind: "Deployment"
+}

docs/examples/cue.mod/usr/k8s.io/api/core/v1/types.cue

@@ -19,3 +19,8 @@ package v1
   apiVersion: "v1"
   kind: "Pod"
 }
+
+#Service: {
+  apiVersion: "v1"
+  kind: "Service"
+}

docs/examples/namespaces.cue

@@ -4,6 +4,7 @@ package holos
 #PlatformNamespace: {
 	name: string
 	labels?: {[string]: string}
+	annotations?: {[string]: string}
 }
 
 // #PlatformNamespaces is a list of namespaces to manage across the platform.

docs/examples/platforms/reference/clusters/workload/cloud/iam/iam.cue

@@ -0,0 +1,10 @@
+package holos
+
+// Components under this directory are part of this collection
+#InputKeys: project: "iam"
+
+// Shared dependencies for all components in this collection.
+#DependsOn: _Namespaces
+
+// Common Dependencies
+_Namespaces: Namespaces: name: "\(#StageName)-secrets-namespaces"

docs/examples/platforms/reference/clusters/workload/cloud/iam/readme.md

@@ -0,0 +1,17 @@
+# IAM
+
+The IAM service provides identity and access management for a holos managed platform.  Zitadel is the identity provider which integrates tightly with:
+
+ 1. AuthorizationPolicy at the level of the service mesh.
+ 2. Application level oidc login (ArgoCD, Grafana, etc...)
+ 3. Cloud provider IAM via oidc.
+
+## Preflight
+
+The zitadel master key needs to have a data key named `masterkey` with a Secret name of `zitadel-masterkey`.
+
+```bash
+holos create secret zitadel-masterkey --namespace prod-iam-zitadel --append-hash=false --data-stdin <<EOF
+{"masterkey":"$(tr -dc A-Za-z0-9 </dev/urandom | head -c 32)"}
+EOF
+```

docs/examples/platforms/reference/clusters/workload/cloud/iam/zitadel/crdb/cockroachdb.cue

@@ -0,0 +1,26 @@
+package holos
+
+#InputKeys: component: "crdb"
+
+#HelmChart & {
+	namespace: #TargetNamespace
+	chart: {
+		name:    "cockroachdb"
+		version: "11.2.3"
+		repository: {
+			name: "cockroachdb"
+			url:  "https://charts.cockroachdb.com/"
+		}
+	}
+	values: #Values
+	apiObjects: {
+		Issuer: {
+			// https://github.com/cockroachdb/helm-charts/blob/3dcf96726ebcfe3784afb526ddcf4095a1684aea/README.md?plain=1#L196-L201
+			cockroachdb: #Issuer & {
+				metadata: name:      #ComponentName
+				metadata: namespace: #TargetNamespace
+				spec: selfSigned: {}
+			}
+		}
+	}
+}

docs/examples/platforms/reference/clusters/workload/cloud/iam/zitadel/crdb/values.cue

@@ -0,0 +1,606 @@
+package holos
+
+#Values: {
+
+	// Generated file, DO NOT EDIT. Source: build/templates/values.yaml
+	// Overrides the chart name against the label "app.kubernetes.io/name: " placed on every resource this chart creates.
+	nameOverride: ""
+
+	// Override the resource names created by this chart which originally is generated using release and chart name.
+	fullnameOverride: string | *""
+
+	image: {
+		repository: string | *"cockroachdb/cockroach"
+		tag:        "v23.1.13"
+		pullPolicy: "IfNotPresent"
+		credentials: {}
+	}
+	// registry: docker.io
+	// username: john_doe
+	// password: changeme
+	// Additional labels to apply to all Kubernetes resources created by this chart.
+	labels: {}
+	// app.kubernetes.io/part-of: my-app
+	// Cluster's default DNS domain.
+	// You should overwrite it if you're using a different one,
+	// otherwise CockroachDB nodes discovery won't work.
+	clusterDomain: "cluster.local"
+
+	conf: {
+		// An ordered list of CockroachDB node attributes.
+		// Attributes are arbitrary strings specifying machine capabilities.
+		// Machine capabilities might include specialized hardware or number of cores
+		// (e.g. "gpu", "x16c").
+		attrs: []
+		// - x16c
+		// - gpu
+		// Total size in bytes for caches, shared evenly if there are multiple
+		// storage devices. Size suffixes are supported (e.g. `1GB` and `1GiB`).
+		// A percentage of physical memory can also be specified (e.g. `.25`).
+		cache: "25%"
+
+		// Sets a name to verify the identity of a cluster.
+		// The value must match between all nodes specified via `conf.join`.
+		// This can be used as an additional verification when either the node or
+		// cluster, or both, have not yet been initialized and do not yet know their
+		// cluster ID.
+		// To introduce a cluster name into an already-initialized cluster, pair this
+		// option with `conf.disable-cluster-name-verification: yes`.
+		"cluster-name": ""
+
+		// Tell the server to ignore `conf.cluster-name` mismatches.
+		// This is meant for use when opting an existing cluster into starting to use
+		// cluster name verification, or when changing the cluster name.
+		// The cluster should be restarted once with `conf.cluster-name` and
+		// `conf.disable-cluster-name-verification: yes` combined, and once all nodes
+		// have been updated to know the new cluster name, the cluster can be restarted
+		// again with `conf.disable-cluster-name-verification: no`.
+		// This option has no effect if `conf.cluster-name` is not specified.
+		"disable-cluster-name-verification": false
+
+		// The addresses for connecting a CockroachDB nodes to an existing cluster.
+		// If you are deploying a second CockroachDB instance that should join a first
+		// one, use the below list to join to the existing instance.
+		// Each item in the array should be a FQDN (and port if needed) resolvable by
+		// new Pods.
+		join: []
+
+		// New logging configuration.
+		log: {
+			enabled: false
+			// https://www.cockroachlabs.com/docs/v21.1/configure-logs
+			config: {}
+		}
+		// file-defaults:
+		//   dir: /custom/dir/path/
+		// fluent-defaults:
+		//   format: json-fluent
+		// sinks:
+		//   stderr:
+		//     channels: [DEV]
+		// Logs at or above this threshold to STDERR. Ignored when "log" is enabled
+		logtostderr: "INFO"
+
+		// Maximum storage capacity available to store temporary disk-based data for
+		// SQL queries that exceed the memory budget (e.g. join, sorts, etc are
+		// sometimes able to spill intermediate results to disk).
+		// Accepts numbers interpreted as bytes, size suffixes (e.g. `32GB` and
+		// `32GiB`) or a percentage of disk size (e.g. `10%`).
+		// The location of the temporary files is within the first store dir.
+		// If expressed as a percentage, `max-disk-temp-storage` is interpreted
+		// relative to the size of the storage device on which the first store is
+		// placed. The temp space usage is never counted towards any store usage
+		// (although it does share the device with the first store) so, when
+		// configuring this, make sure that the size of this temp storage plus the size
+		// of the first store don't exceed the capacity of the storage device.
+		// If the first store is an in-memory one (i.e. `type=mem`), then this
+		// temporary "disk" data is also kept in-memory.
+		// A percentage value is interpreted as a percentage of the available internal
+		// memory.
+		// max-disk-temp-storage: 0GB
+		// Maximum allowed clock offset for the cluster. If observed clock offsets
+		// exceed this limit, servers will crash to minimize the likelihood of
+		// reading inconsistent data. Increasing this value will increase the time
+		// to recovery of failures as well as the frequency of uncertainty-based
+		// read restarts.
+		// Note, that this value must be the same on all nodes in the cluster.
+		// In order to change it, all nodes in the cluster must be stopped
+		// simultaneously and restarted with the new value.
+		// max-offset: 500ms
+		// Maximum memory capacity available to store temporary data for SQL clients,
+		// including prepared queries and intermediate data rows during query
+		// execution. Accepts numbers interpreted as bytes, size suffixes
+		// (e.g. `1GB` and `1GiB`) or a percentage of physical memory (e.g. `.25`).
+		"max-sql-memory": "25%"
+
+		// An ordered, comma-separated list of key-value pairs that describe the
+		// topography of the machine. Topography might include country, datacenter
+		// or rack designations. Data is automatically replicated to maximize
+		// diversities of each tier. The order of tiers is used to determine
+		// the priority of the diversity, so the more inclusive localities like
+		// country should come before less inclusive localities like datacenter.
+		// The tiers and order must be the same on all nodes. Including more tiers
+		// is better than including fewer. For example:
+		//   locality: country=us,region=us-west,datacenter=us-west-1b,rack=12
+		//   locality: country=ca,region=ca-east,datacenter=ca-east-2,rack=4
+		//   locality: planet=earth,province=manitoba,colo=secondary,power=3
+		locality: ""
+
+		// Run CockroachDB instances in standalone mode with replication disabled
+		// (replication factor = 1).
+		// Enabling this option makes the following values to be ignored:
+		// - `conf.cluster-name`
+		// - `conf.disable-cluster-name-verification`
+		// - `conf.join`
+		//
+		// WARNING: Enabling this option makes each deployed Pod as a STANDALONE
+		//          CockroachDB instance, so the StatefulSet does NOT FORM A CLUSTER.
+		//          Don't use this option for production deployments unless you clearly
+		//          understand what you're doing.
+		//          Usually, this option is intended to be used in conjunction with
+		//          `statefulset.replicas: 1` for temporary one-time deployments (like
+		//          running E2E tests, for example).
+		"single-node": false
+
+		// If non-empty, create a SQL audit log in the specified directory.
+		"sql-audit-dir": ""
+
+		// CockroachDB's port to listen to inter-communications and client connections.
+		port: 26257
+
+		// CockroachDB's port to listen to HTTP requests.
+		"http-port": 8080
+
+		// CockroachDB's data mount path.
+		path: "cockroach-data"
+
+		// CockroachDB's storage configuration https://www.cockroachlabs.com/docs/v21.1/cockroach-start.html#storage
+		// Uses --store flag
+		store: {
+			enabled: false
+			// Should be empty or 'mem'
+			type: null
+			// Required for type=mem. If type and size is empty - storage.persistentVolume.size is used
+			size: null
+			// Arbitrary strings, separated by colons, specifying disk type or capability
+			attrs: null
+		}
+	}
+
+	statefulset: {
+		replicas: 3
+		updateStrategy: type: "RollingUpdate"
+		podManagementPolicy: "Parallel"
+		budget: maxUnavailable: 1
+
+		// List of additional command-line arguments you want to pass to the
+		// `cockroach start` command.
+		args: []
+		// - --disable-cluster-name-verification
+		// List of extra environment variables to pass into container
+		env: []
+		// - name: COCKROACH_ENGINE_MAX_SYNC_DURATION
+		//   value: "24h"
+		// List of Secrets names in the same Namespace as the CockroachDB cluster,
+		// which shall be mounted into `/etc/cockroach/secrets/` for every cluster
+		// member.
+		secretMounts: []
+
+		// Additional labels to apply to this StatefulSet and all its Pods.
+		labels: {
+			"app.kubernetes.io/component": "cockroachdb"
+		}
+
+		// Additional annotations to apply to the Pods of this StatefulSet.
+		annotations: {}
+
+		// Affinity rules for scheduling Pods of this StatefulSet on Nodes.
+		// https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity
+		nodeAffinity: {}
+		// Inter-Pod Affinity rules for scheduling Pods of this StatefulSet.
+		// https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+		podAffinity: {}
+		// Anti-affinity rules for scheduling Pods of this StatefulSet.
+		// https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+		// You may either toggle options below for default anti-affinity rules,
+		// or specify the whole set of anti-affinity rules instead of them.
+		podAntiAffinity: {
+			// The topologyKey to be used.
+			// Can be used to spread across different nodes, AZs, regions etc.
+			topologyKey: "kubernetes.io/hostname"
+			// Type of anti-affinity rules: either `soft`, `hard` or empty value (which
+			// disables anti-affinity rules).
+			type: "soft"
+			// Weight for `soft` anti-affinity rules.
+			// Does not apply for other anti-affinity types.
+			weight: 100
+		}
+
+		// Node selection constraints for scheduling Pods of this StatefulSet.
+		// https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+		nodeSelector: {}
+
+		// PriorityClassName given to Pods of this StatefulSet
+		// https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+		priorityClassName: ""
+
+		// Taints to be tolerated by Pods of this StatefulSet.
+		// https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+		tolerations: []
+
+		// https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
+		topologySpreadConstraints: {
+			maxSkew:           1
+			topologyKey:       "topology.kubernetes.io/zone"
+			whenUnsatisfiable: "ScheduleAnyway"
+		}
+
+		// Uncomment the following resources definitions or pass them from
+		// command line to control the CPU and memory resources allocated
+		// by Pods of this StatefulSet.
+		resources: {}
+		// limits:
+		//   cpu: 100m
+		//   memory: 512Mi
+		// requests:
+		//   cpu: 100m
+		//   memory: 512Mi
+		// Custom Liveness probe
+		// https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-a-liveness-http-request
+		customLivenessProbe: {}
+		// httpGet:
+		//   path: /health
+		//   port: http
+		//   scheme: HTTPS
+		// initialDelaySeconds: 30
+		// periodSeconds: 5
+		// Custom Rediness probe
+		// https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-readiness-probes
+		customReadinessProbe: {}
+		// httpGet:
+		//   path: /health
+		//   port: http
+		//   scheme: HTTPS
+		// initialDelaySeconds: 30
+		// periodSeconds: 5
+
+		securityContext: {
+			enabled: true
+		}
+
+		serviceAccount: {
+			// Specifies whether this ServiceAccount should be created.
+			create: true
+			// The name of this ServiceAccount to use.
+			// If not set and `create` is `true`, then service account is auto-generated.
+			// If not set and `create` is `false`, then it uses default service account.
+			name: ""
+			// Additional serviceAccount annotations (e.g. for attaching AWS IAM roles to pods)
+			annotations: {}
+		}
+	}
+
+	service: {
+		ports: {
+			// You can set a different external and internal gRPC ports and their name.
+			grpc: {
+				external: {
+					port: 26257
+					name: "grpc"
+				}
+				// If the port number is different than `external.port`, then it will be
+				// named as `internal.name` in Service.
+				internal: {
+					port: 26257
+					// If using Istio set it to `cockroach`.
+					name: "grpc-internal"
+				}
+			}
+			http: {
+				port: 8080
+				name: "http"
+			}
+		}
+
+		// This Service is meant to be used by clients of the database.
+		// It exposes a ClusterIP that will automatically load balance connections
+		// to the different database Pods.
+		public: {
+			type: "ClusterIP"
+			// Additional labels to apply to this Service.
+			labels: {
+				"app.kubernetes.io/component": "cockroachdb"
+			}
+			// Additional annotations to apply to this Service.
+			annotations: {}
+		}
+
+		// This service only exists to create DNS entries for each pod in
+		// the StatefulSet such that they can resolve each other's IP addresses.
+		// It does not create a load-balanced ClusterIP and should not be used directly
+		// by clients in most circumstances.
+		discovery: {
+			// Additional labels to apply to this Service.
+			labels: {
+				"app.kubernetes.io/component": "cockroachdb"
+			}
+			// Additional annotations to apply to this Service.
+			annotations: {}
+		}
+	}
+
+	// CockroachDB's ingress for web ui.
+	ingress: {
+		enabled: false
+		labels: {}
+		annotations: {}
+		//   kubernetes.io/ingress.class: nginx
+		//   cert-manager.io/cluster-issuer: letsencrypt
+		paths: ["/"]
+		hosts: []
+		// - cockroachlabs.com
+		tls: []
+	}
+	// - hosts: [cockroachlabs.com]
+	//   secretName: cockroachlabs-tls
+
+	prometheus: {
+		enabled: true
+	}
+
+	securityContext: enabled: true
+
+	// CockroachDB's Prometheus operator ServiceMonitor support
+	serviceMonitor: {
+		enabled: false
+		labels: {}
+		annotations: {}
+		interval: "10s"
+		// scrapeTimeout: 10s
+		// Limits the ServiceMonitor to the current namespace if set to `true`.
+		namespaced: false
+
+		// tlsConfig: TLS configuration to use when scraping the endpoint.
+		// Of type: https://github.com/coreos/prometheus-operator/blob/main/Documentation/api.md#tlsconfig
+		tlsConfig: {}
+	}
+
+	// CockroachDB's data persistence.
+	// If neither `persistentVolume` nor `hostPath` is used, then data will be
+	// persisted in ad-hoc `emptyDir`.
+	storage: {
+		// Absolute path on host to store CockroachDB's data.
+		// If not specified, then `emptyDir` will be used instead.
+		// If specified, but `persistentVolume.enabled` is `true`, then has no effect.
+		hostPath: ""
+
+		// If `enabled` is `true` then a PersistentVolumeClaim will be created and
+		// used to store CockroachDB's data, otherwise `hostPath` is used.
+		persistentVolume: {
+			enabled: true
+
+			size: string | *"100Gi"
+
+			// If defined, then `storageClassName: <storageClass>`.
+			// If set to "-", then `storageClassName: ""`, which disables dynamic
+			// provisioning.
+			// If undefined or empty (default), then no `storageClassName` spec is set,
+			// so the default provisioner will be chosen (gp2 on AWS, standard on
+			// GKE, AWS & OpenStack).
+			storageClass: ""
+
+			// Additional labels to apply to the created PersistentVolumeClaims.
+			labels: {}
+			// Additional annotations to apply to the created PersistentVolumeClaims.
+			annotations: {}
+		}
+	}
+
+	// Kubernetes Job which initializes multi-node CockroachDB cluster.
+	// It's not created if `statefulset.replicas` is `1`.
+	init: {
+		// Additional labels to apply to this Job and its Pod.
+		labels: {
+			"app.kubernetes.io/component": "init"
+		}
+
+		// Additional annotations to apply to this Job.
+		jobAnnotations: {}
+
+		// Additional annotations to apply to the Pod of this Job.
+		annotations: {}
+
+		// Affinity rules for scheduling the Pod of this Job.
+		// https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity
+		affinity: {}
+
+		// Node selection constraints for scheduling the Pod of this Job.
+		// https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+		nodeSelector: {}
+
+		// Taints to be tolerated by the Pod of this Job.
+		// https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+		tolerations: []
+
+		// The init Pod runs at cluster creation to initialize CockroachDB. It finishes
+		// quickly and doesn't continue to consume resources in the Kubernetes
+		// cluster. Normally, you should leave this section commented out, but if your
+		// Kubernetes cluster uses Resource Quotas and requires all pods to specify
+		// resource requests or limits, you can set those here.
+		resources: {}
+		// requests:
+		//   cpu: "10m"
+		//   memory: "128Mi"
+		// limits:
+		//   cpu: "10m"
+		//   memory: "128Mi"
+
+		securityContext: {
+			enabled: true
+		}
+
+		provisioning: {
+			enabled: false
+			// https://www.cockroachlabs.com/docs/stable/cluster-settings.html
+			clusterSettings: null
+			// cluster.organization: "'FooCorp - Local Testing'"
+			// enterprise.license: "'xxxxx'"
+			users: []
+			// - name:
+			//   password:
+			//   # https://www.cockroachlabs.com/docs/stable/create-user.html#parameters
+			//   options: [LOGIN]
+			databases: []
+		}
+	}
+	// - name:
+	//   # https://www.cockroachlabs.com/docs/stable/create-database.html#parameters
+	//   options: [encoding='utf-8']
+	//   owners: []
+	//   # https://www.cockroachlabs.com/docs/stable/grant.html#parameters
+	//   owners_with_grant_option: []
+	//   # Backup schedules are not idemponent for now and will fail on next run
+	//   # https://github.com/cockroachdb/cockroach/issues/57892
+	//   backup:
+	//     into: s3://
+	//     # Enterprise-only option (revision_history)
+	//     # https://www.cockroachlabs.com/docs/stable/create-schedule-for-backup.html#backup-options
+	//     options: [revision_history]
+	//     recurring: '@always'
+	//     # Enterprise-only feature. Remove this value to use `FULL BACKUP ALWAYS`
+	//     fullBackup: '@daily'
+	//     schedule:
+	//       # https://www.cockroachlabs.com/docs/stable/create-schedule-for-backup.html#schedule-options
+	//       options: [first_run = 'now']
+	// Whether to run securely using TLS certificates.
+	tls: {
+		enabled: true
+		copyCerts: image: "busybox"
+		certs: {
+			// Bring your own certs scenario. If provided, tls.init section will be ignored.
+			provided: false
+			// Secret name for the client root cert.
+			clientRootSecret: "cockroachdb-root"
+			// Secret name for node cert.
+			nodeSecret: "cockroachdb-node"
+			// Secret name for CA cert
+			caSecret: "cockroach-ca"
+			// Enable if the secret is a dedicated TLS.
+			// TLS secrets are created by cert-mananger, for example.
+			tlsSecret: false
+			// Enable if the you want cockroach db to create its own certificates
+			selfSigner: {
+				// If set, the cockroach db will generate its own certificates
+				enabled: false | *true
+				// Run selfSigner as non-root
+				securityContext: {
+					enabled: true
+				}
+				// If set, the user should provide the CA certificate to sign other certificates.
+				caProvided: false
+				// It holds the name of the secret with caCerts. If caProvided is set, this can not be empty.
+				caSecret: ""
+				// Minimum Certificate duration for all the certificates, all certs duration will be validated against this.
+				minimumCertDuration: "624h"
+				// Duration of CA certificates in hour
+				caCertDuration: "43800h"
+				// Expiry window of CA certificates means a window before actual expiry in which CA certs should be rotated.
+				caCertExpiryWindow: "648h"
+				// Duration of Client certificates in hour
+				clientCertDuration: "672h"
+				// Expiry window of client certificates means a window before actual expiry in which client certs should be rotated.
+				clientCertExpiryWindow: "48h"
+				// Duration of node certificates in hour
+				nodeCertDuration: "8760h"
+				// Expiry window of node certificates means a window before actual expiry in which node certs should be rotated.
+				nodeCertExpiryWindow: "168h"
+				// If set, the cockroachdb cert selfSigner will rotate the certificates before expiry.
+				rotateCerts: true
+				// Wait time for each cockroachdb replica to become ready once it comes in running state. Only considered when rotateCerts is set to true
+				readinessWait: "30s"
+				// Wait time for each cockroachdb replica to get to running state. Only considered when rotateCerts is set to true
+				podUpdateTimeout: "2m"
+				// ServiceAccount annotations for selfSigner jobs (e.g. for attaching AWS IAM roles to pods)
+				svcAccountAnnotations: {}
+			}
+
+			// Use cert-manager to issue certificates for mTLS.
+			certManager: true | *false
+			// Specify an Issuer or a ClusterIssuer to use, when issuing
+			// node and client certificates. The values correspond to the
+			// issuerRef specified in the certificate.
+			certManagerIssuer: {
+				group: "cert-manager.io"
+				kind:  "Issuer"
+				name:  string | *"cockroachdb"
+				// Make it false when you are providing your own CA issuer
+				isSelfSignedIssuer: true
+				// Duration of Client certificates in hours
+				clientCertDuration: "672h"
+				// Expiry window of client certificates means a window before actual expiry in which client certs should be rotated.
+				clientCertExpiryWindow: "48h"
+				// Duration of node certificates in hours
+				nodeCertDuration: "8760h"
+				// Expiry window of node certificates means a window before actual expiry in which node certs should be rotated.
+				nodeCertExpiryWindow: "168h"
+			}
+		}
+
+		selfSigner: {
+			// Additional annotations to apply to the Pod of this Job.
+			annotations: {}
+
+			// Affinity rules for scheduling the Pod of this Job.
+			// https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity
+			affinity: {}
+
+			// Node selection constraints for scheduling the Pod of this Job.
+			// https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+			nodeSelector: {}
+
+			// Taints to be tolerated by the Pod of this Job.
+			// https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+			tolerations: []
+
+			// Image Placeholder for the selfSigner utility. This will be changed once the CI workflows for the image is in place.
+			image: {
+				repository: "cockroachlabs-helm-charts/cockroach-self-signer-cert"
+				tag:        "1.5"
+				pullPolicy: "IfNotPresent"
+				credentials: {}
+				registry: "gcr.io"
+			}
+		}
+	}
+	// username: john_doe
+	// password: changeme
+
+	networkPolicy: {
+		enabled: false
+
+		ingress: {
+			// List of sources which should be able to access the CockroachDB Pods via
+			// gRPC port. Items in this list are combined using a logical OR operation.
+			// Rules for allowing inter-communication are applied automatically.
+			// If empty, then connections from any Pod is allowed.
+			grpc: []
+			// - podSelector:
+			//     matchLabels:
+			//       app.kubernetes.io/name: my-app-django
+			//       app.kubernetes.io/instance: my-app
+			// List of sources which should be able to access the CockroachDB Pods via
+			// HTTP port. Items in this list are combined using a logical OR operation.
+			// If empty, then connections from any Pod is allowed.
+			http: []
+		}
+	}
+	// - namespaceSelector:
+	//     matchLabels:
+	//       project: my-project
+	// To put the admin interface behind Identity Aware Proxy (IAP) on Google Cloud Platform
+	// make sure to set ingress.paths: ['/*']
+	iap: {
+		enabled: false
+	}
+
+}

docs/examples/platforms/reference/clusters/workload/cloud/iam/zitadel/crdb/values.holos.cue

@@ -0,0 +1,25 @@
+package holos
+
+#Values: {
+	image: repository: "quay.io/holos/cockroachdb/cockroach"
+
+	fullnameOverride: #ComponentName
+
+	tls: {
+		enabled: true
+		certs: {
+			// https://github.com/cockroachdb/helm-charts/blob/3dcf96726ebcfe3784afb526ddcf4095a1684aea/README.md?plain=1#L204-L215
+			selfSigner: enabled: false
+			certManager: true
+			certManagerIssuer: {
+				kind: "Issuer"
+				name: #ComponentName
+			}
+		}
+	}
+
+	storage: persistentVolume: {
+		enabled: true
+		size:    "1Gi"
+	}
+}

docs/examples/platforms/reference/clusters/workload/cloud/iam/zitadel/zitadel.cue

@@ -0,0 +1,10 @@
+package holos
+
+#TargetNamespace: #InstancePrefix + "-zitadel"
+
+#DB: {
+  Host: "crdb-public"
+}
+
+// The canonical login domain for the entire platform.  Zitadel will be active on a singlec cluster at a time, but always accessible from this hostname.
+#ExternalDomain: "login.\(#Platform.org.domain)"

docs/examples/platforms/reference/clusters/workload/cloud/iam/zitadel/zitadel/values.cue

@@ -0,0 +1,251 @@
+package holos
+
+#Values: {
+
+	// Default values for zitadel.
+	zitadel: {
+		// The ZITADEL config under configmapConfig is written to a Kubernetes ConfigMap
+		// See all defaults here:
+		// https://github.com/zitadel/zitadel/blob/main/cmd/defaults.yaml
+		configmapConfig: {
+			ExternalSecure: true
+			Machine: Identification: {
+				Hostname: Enabled: true
+				Webhook: Enabled:  false
+			}
+		}
+
+		// The ZITADEL config under secretConfig is written to a Kubernetes Secret
+		// See all defaults here:
+		// https://github.com/zitadel/zitadel/blob/main/cmd/defaults.yaml
+		secretConfig: null
+
+		// Annotations set on secretConfig secret
+		secretConfigAnnotations: {
+			"helm.sh/hook":               "pre-install,pre-upgrade"
+			"helm.sh/hook-delete-policy": "before-hook-creation"
+			"helm.sh/hook-weight":        "0"
+		}
+
+		// Reference the name of a secret that contains ZITADEL configuration.
+		configSecretName: null
+		// The key under which the ZITADEL configuration is located in the secret.
+		configSecretKey: "config-yaml"
+
+		// ZITADEL uses the masterkey for symmetric encryption.
+		// You can generate it for example with tr -dc A-Za-z0-9 </dev/urandom | head -c 32
+		masterkey: ""
+		// Reference the name of the secret that contains the masterkey. The key should be named "masterkey".
+		// Note: Either zitadel.masterkey or zitadel.masterkeySecretName must be set
+		masterkeySecretName: string | *""
+
+		// Annotations set on masterkey secret
+		masterkeyAnnotations: {
+			"helm.sh/hook":               "pre-install,pre-upgrade"
+			"helm.sh/hook-delete-policy": "before-hook-creation"
+			"helm.sh/hook-weight":        "0"
+		}
+
+		// The CA Certificate needed for establishing secure database connections
+		dbSslCaCrt: ""
+
+		// The Secret containing the CA certificate at key ca.crt needed for establishing secure database connections
+		dbSslCaCrtSecret: string | *""
+
+		// The db admins secret containing the client certificate and key at tls.crt and tls.key needed for establishing secure database connections
+		dbSslAdminCrtSecret: string | *""
+
+		// The db users secret containing the client certificate and key at tls.crt and tls.key needed for establishing secure database connections
+		dbSslUserCrtSecret: string | *""
+
+		// Generate a self-signed certificate using an init container
+		// This will also mount the generated files to /etc/tls/ so that you can reference them in the pod.
+		// E.G. KeyPath: /etc/tls/tls.key CertPath: /etc/tls/tls.crt
+		// By default, the SAN DNS names include, localhost, the POD IP address and the POD name. You may include one more by using additionalDnsName like "my.zitadel.fqdn".
+		selfSignedCert: {
+			enabled:           false
+			additionalDnsName: null
+		}
+	}
+
+	replicaCount: 3
+
+	image: {
+		repository: "ghcr.io/zitadel/zitadel"
+		pullPolicy: "IfNotPresent"
+		// Overrides the image tag whose default is the chart appVersion.
+		tag: ""
+	}
+
+	chownImage: {
+		repository: "alpine"
+		pullPolicy: "IfNotPresent"
+		tag:        "3.19"
+	}
+
+	imagePullSecrets: []
+	nameOverride:     ""
+	fullnameOverride: ""
+
+	// Annotations to add to the deployment
+	annotations: {}
+
+	// Annotations to add to the configMap
+	configMap: {
+		annotations: {
+			"helm.sh/hook":               "pre-install,pre-upgrade"
+			"helm.sh/hook-delete-policy": "before-hook-creation"
+			"helm.sh/hook-weight":        "0"
+		}
+	}
+
+	serviceAccount: {
+		// Specifies whether a service account should be created
+		create: true
+		// Annotations to add to the service account
+		annotations: {
+			"helm.sh/hook":               "pre-install,pre-upgrade"
+			"helm.sh/hook-delete-policy": "before-hook-creation"
+			"helm.sh/hook-weight":        "0"
+		}
+		// The name of the service account to use.
+		// If not set and create is true, a name is generated using the fullname template
+		name: ""
+	}
+
+	podAnnotations: {}
+
+	podAdditionalLabels: {}
+
+	podSecurityContext: {
+		runAsNonRoot: true
+		runAsUser:    1000
+	}
+
+	securityContext: {}
+
+	// Additional environment variables
+	env: []
+	// - name: ZITADEL_DATABASE_POSTGRES_HOST
+	//   valueFrom:
+	//     secretKeyRef:
+	//       name: postgres-pguser-postgres
+	//       key: host
+
+	service: {
+		type: "ClusterIP"
+		// If service type is "ClusterIP", this can optionally be set to a fixed IP address.
+		clusterIP: ""
+		port:      8080
+		protocol:  "http2"
+		annotations: {}
+		scheme: "HTTP"
+	}
+
+	ingress: {
+		enabled:   false
+		className: ""
+		annotations: {}
+		hosts: [{
+			host: "localhost"
+			paths: [{
+				path:     "/"
+				pathType: "Prefix"
+			}]
+		}]
+		tls: []
+	}
+
+	resources: {}
+
+	nodeSelector: {}
+
+	tolerations: []
+
+	affinity: {}
+
+	topologySpreadConstraints: []
+
+	initJob: {
+		// Once ZITADEL is installed, the initJob can be disabled.
+		enabled: true
+		annotations: {
+			"helm.sh/hook":               "pre-install,pre-upgrade"
+			"helm.sh/hook-delete-policy": "before-hook-creation"
+			"helm.sh/hook-weight":        "1"
+		}
+		resources: {}
+		backoffLimit:          5
+		activeDeadlineSeconds: 300
+		extraContainers: []
+		podAnnotations: {}
+		// Available init commands :
+		// "": initialize ZITADEL instance (without skip anything)
+		// database: initialize only the database
+		// grant: set ALL grant to user
+		// user: initialize only the database user
+		// zitadel: initialize ZITADEL internals (skip "create user" and "create database")
+		command: ""
+	}
+
+	setupJob: {
+		annotations: {
+			"helm.sh/hook":               "pre-install,pre-upgrade"
+			"helm.sh/hook-delete-policy": "before-hook-creation"
+			"helm.sh/hook-weight":        "2"
+		}
+		resources: {}
+		activeDeadlineSeconds: 300
+		extraContainers: []
+		podAnnotations: {}
+		additionalArgs: ["--init-projections=true"]
+		machinekeyWriter: {
+			image: {
+				repository: "bitnami/kubectl"
+				tag:        ""
+			}
+			resources: {}
+		}
+	}
+
+	readinessProbe: {
+		enabled:             true
+		initialDelaySeconds: 0
+		periodSeconds:       5
+		failureThreshold:    3
+	}
+
+	livenessProbe: {
+		enabled:             true
+		initialDelaySeconds: 0
+		periodSeconds:       5
+		failureThreshold:    3
+	}
+
+	startupProbe: {
+		enabled:          true
+		periodSeconds:    1
+		failureThreshold: 30
+	}
+
+	metrics: {
+		enabled: false
+		serviceMonitor: {
+			// If true, the chart creates a ServiceMonitor that is compatible with Prometheus Operator
+			// https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#monitoring.coreos.com/v1.ServiceMonitor.
+			// The Prometheus community Helm chart installs this operator
+			// https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack#kube-prometheus-stack
+			enabled:         false
+			honorLabels:     false
+			honorTimestamps: true
+		}
+	}
+
+	pdb: {
+		enabled: false
+		// these values are used for the PDB and are mutally exclusive
+		minAvailable: 1
+		// maxUnavailable: 1
+		annotations: {}
+	}
+}

docs/examples/platforms/reference/clusters/workload/cloud/iam/zitadel/zitadel/values.holos.cue

@@ -0,0 +1,34 @@
+package holos
+
+#Values: {
+
+	// https://raw.githubusercontent.com/zitadel/zitadel-charts/main/examples/4-cockroach-secure/zitadel-values.yaml
+	zitadel: {
+		masterkeySecretName: "zitadel-masterkey"
+		// https://github.com/zitadel/zitadel-charts/blob/zitadel-7.4.0/charts/zitadel/templates/configmap.yaml#L13
+		configmapConfig: {
+			// NOTE: You can change the ExternalDomain, ExternalPort and ExternalSecure
+			// configuration options at any time. However, for ZITADEL to be able to
+			// pick up the changes, you need to rerun ZITADELs setup phase.  Do so with
+			// kubectl delete job zitadel-setup, then re-apply the new config.
+			//
+			// https://zitadel.com/docs/self-hosting/manage/custom-domain
+			ExternalDomain: #ExternalDomain
+			ExternalPort:   443
+			ExternalSecure: true
+			TLS: Enabled: false
+			Database: Cockroach: {
+				Host: #DB.Host
+				User: SSL: Mode:  "verify-full"
+				Admin: SSL: Mode: "verify-full"
+			}
+		}
+
+		// Managed by crdb component
+		dbSslCaCrtSecret:    "cockroach-ca"
+		dbSslAdminCrtSecret: "cockroachdb-root"
+		// Managed by this component
+		dbSslUserCrtSecret: "cockroachdb-zitadel"
+	}
+
+}

docs/examples/platforms/reference/clusters/workload/cloud/iam/zitadel/zitadel/zitadel.cue

@@ -0,0 +1,43 @@
+package holos
+
+#InputKeys: component: "zitadel"
+
+// Upstream helm chart doesn't specify the namespace field for all resources.
+#Kustomization: spec: targetNamespace: #TargetNamespace
+
+#HelmChart & {
+	namespace: #TargetNamespace
+	chart: {
+		name:    "zitadel"
+		version: "7.9.0"
+		repository: {
+			name: "zitadel"
+			url:  "https://charts.zitadel.com"
+		}
+	}
+	values: #Values
+
+	apiObjects: {
+		ExternalSecret: masterkey: #ExternalSecret & {
+			_name: "zitadel-masterkey"
+		}
+		Certificate: zitadel: #Certificate & {
+			metadata: name: "crdb-zitadel-client"
+			metadata: namespace: #TargetNamespace
+			spec: {
+				commonName: "zitadel"
+				issuerRef: {
+					group: "cert-manager.io"
+					kind: "Issuer"
+					name: "crdb-ca-issuer"
+				}
+				privateKey: algorithm: "RSA"
+				privateKey: size: 2048
+				renewBefore: "48h0m0s"
+				secretName: "cockroachdb-zitadel"
+				subject: organizations: ["Cockroach"]
+				usages: ["digital signature", "key encipherment", "client auth"]
+			}
+		}
+	}
+}

docs/examples/platforms/reference/clusters/workload/cloud/mesh/certissuers/issuers.cue

@@ -0,0 +1,61 @@
+package holos
+
+// Lets Encrypt certificate issuers for public tls certs
+#InputKeys: component: "certissuers"
+#TargetNamespace: "cert-manager"
+
+let Name = "letsencrypt"
+
+// The cloudflare api token is platform scoped, not cluster scoped.
+#SecretName: "cloudflare-api-token-secret"
+
+// Depends on cert manager
+#DependsOn: _CertManager
+
+#KubernetesObjects & {
+	apiObjects: {
+		ClusterIssuer: {
+			letsencrypt: #ClusterIssuer & {
+				metadata: name: Name
+				spec: {
+					acme: {
+						email:  #Platform.org.contact.email
+						server: "https://acme-v02.api.letsencrypt.org/directory"
+						privateKeySecretRef: name: Name + "-istio"
+						solvers: [{http01: ingress: class: "istio"}]
+					}
+				}
+			}
+			letsencryptStaging: #ClusterIssuer & {
+				metadata: name: Name + "-staging"
+				spec: {
+					acme: {
+						email:  #Platform.org.contact.email
+						server: "https://acme-staging-v02.api.letsencrypt.org/directory"
+						privateKeySecretRef: name: Name + "-staging-istio"
+						solvers: [{http01: ingress: class: "istio"}]
+					}
+				}
+			}
+			letsencryptDns: #ClusterIssuer & {
+				metadata: name: Name + "-dns"
+				spec: {
+					acme: {
+						email:  #Platform.org.contact.email
+						server: "https://acme-v02.api.letsencrypt.org/directory"
+						privateKeySecretRef: name: Name + "-istio"
+						solvers: [{
+							dns01: cloudflare: {
+								email: #Platform.org.cloudflare.email
+								apiTokenSecretRef: name: #SecretName
+								apiTokenSecretRef: key:  "api_token"
+							}}]
+					}
+				}
+			}
+		}
+		ExternalSecret: "\(#SecretName)": #ExternalSecret & {
+			_name: #SecretName
+		}
+	}
+}

docs/examples/platforms/reference/clusters/workload/cloud/mesh/certmanager/certmanager.cue

@@ -5,13 +5,14 @@ package holos
 #TargetNamespace: "cert-manager"
 
 #InputKeys: {
-	project: "mesh"
 	component: "certmanager"
-	service: "cert-manager"
+	service:   "cert-manager"
 }
 
 #HelmChart & {
-	values: installCrds: true
+	values: #UpstreamValues & {
+		installCRDs: true
+	}
 	namespace: #TargetNamespace
 	chart: {
 		name:    "cert-manager"

docs/examples/platforms/reference/clusters/workload/cloud/mesh/istio-base/istiobase.cue

@@ -0,0 +1,17 @@
+package holos
+
+#InputKeys: component: "istio-base"
+#TargetNamespace: "istio-system"
+
+#HelmChart & {
+	namespace: #TargetNamespace
+	chart: {
+		name:    "base"
+		version: "1.20.3"
+		repository: {
+			name: "istio"
+			url:  "https://istio-release.storage.googleapis.com/charts"
+		}
+	}
+	values: #IstioValues
+}

docs/examples/platforms/reference/clusters/workload/cloud/mesh/istio/cni/cni.cue

@@ -0,0 +1,10 @@
+package holos
+
+#InputKeys: component: "cni"
+#TargetNamespace: "kube-system"
+
+#HelmChart & {
+	namespace: #TargetNamespace
+	chart: name: "cni"
+	values: #IstioValues
+}

docs/examples/platforms/reference/clusters/workload/cloud/mesh/istio/gateway/gateway.cue

@@ -0,0 +1,46 @@
+package holos
+
+// The primary istio Gateway, named default
+
+let Name = "gateway"
+
+#InputKeys: component: Name
+
+#TargetNamespace: "istio-ingress"
+#DependsOn:       _IngressGateway
+
+// TODO: We need to generalize this for multiple services hanging off the default gateway.
+let LoginCert = #Certificate & {
+		metadata: {
+			name:      "login"
+			namespace: #TargetNamespace
+		}
+		spec: {
+			commonName: "login.\(#Platform.org.domain)"
+			dnsNames: [commonName]
+			secretName: metadata.name
+			issuerRef: kind: "ClusterIssuer"
+			issuerRef: name: "letsencrypt"
+		}
+	}
+
+#KubernetesObjects & {
+	apiObjects: {
+		Certificate: login: LoginCert
+		Gateway: default: #Gateway & {
+			metadata: name: "default"
+			metadata: namespace: #TargetNamespace
+			spec: selector: istio: "ingressgateway"
+			spec: servers: [
+				{
+					hosts: ["prod-iam-zitadel/\(LoginCert.spec.commonName)"]
+					port: name:          "https-prod-iam-zitadel"
+					port: number:        443
+					port: protocol:      "HTTPS"
+					tls: credentialName: LoginCert.spec.secretName
+					tls: mode:           "SIMPLE"
+				},
+			]
+		}
+	}
+}

docs/examples/platforms/reference/clusters/workload/cloud/mesh/istio/httpbin/httpbin.cue

@@ -0,0 +1,75 @@
+package holos
+
+let Name = "httpbin"
+let SecretName = #InputKeys.cluster + "-" + Name
+let MatchLabels = {app: Name} & #SelectorLabels
+let Metadata = {
+	name:      Name
+	namespace: #TargetNamespace
+	labels: app: Name
+}
+
+#InputKeys: component: Name
+
+#TargetNamespace: "istio-ingress"
+#DependsOn:       _IngressGateway
+
+let Cert = #HTTP01Cert & {
+	_name:   Name
+	_secret: SecretName
+}
+
+#KubernetesObjects & {
+	apiObjects: {
+		Certificate: httpbin: Cert.object
+		Deployment: httpbin: #Deployment & {
+			metadata: Metadata
+			spec: selector: matchLabels: MatchLabels
+			spec: template: {
+				metadata: labels: MatchLabels
+				metadata: labels: #CommonLabels
+				metadata: labels: #IstioSidecar
+				spec: securityContext: seccompProfile: type: "RuntimeDefault"
+				spec: containers: [{
+					name:  Name
+					image: "quay.io/holos/mccutchen/go-httpbin"
+					ports: [{containerPort: 8080}]
+					securityContext: {
+						seccompProfile: type: "RuntimeDefault"
+						allowPrivilegeEscalation: false
+						runAsNonRoot:             true
+						runAsUser:                1337
+						runAsGroup:               1337
+						capabilities: drop: ["ALL"]
+					}}]
+			}
+		}
+		Service: httpbin: #Service & {
+			metadata: Metadata
+			spec: selector: MatchLabels
+			spec: ports: [
+				{port: 80, targetPort: 8080, protocol: "TCP", name: "http"},
+			]
+		}
+		Gateway: httpbin: #Gateway & {
+			metadata: Metadata
+			spec: selector: istio: "ingressgateway"
+			spec: servers: [
+				{
+					hosts: ["\(#TargetNamespace)/\(Cert.Host)"]
+					port: name:          "https-\(#InstanceName)"
+					port: number:        443
+					port: protocol:      "HTTPS"
+					tls: credentialName: Cert.SecretName
+					tls: mode:           "SIMPLE"
+				},
+			]
+		}
+		VirtualService: httpbin: #VirtualService & {
+			metadata: Metadata
+			spec: hosts: [Cert.Host]
+			spec: gateways: ["\(#TargetNamespace)/\(Name)"]
+			spec: http: [{route: [{destination: host: Name}]}]
+		}
+	}
+}

docs/examples/platforms/reference/clusters/workload/cloud/mesh/istio/ingress/ingress.cue

@@ -0,0 +1,155 @@
+package holos
+
+import "encoding/json"
+
+#InputKeys: component: "ingress"
+#TargetNamespace: "istio-ingress"
+#DependsOn:       _IstioD
+
+#HelmChart & {
+	chart: name: "gateway"
+	namespace: #TargetNamespace
+	values: #GatewayValues & {
+		// This component expects the load balancer to send the PROXY protocol header.
+		// Refer to: https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/guide/service/annotations/#proxy-protocol-v2
+		podAnnotations: "proxy.istio.io/config": json.Marshal(_ProxyProtocol)
+		// TODO This configuration is specific to the OIS Metal NLB, refactor it out to the metal collection.
+		service: {
+			type: "NodePort"
+			annotations: "service.beta.kubernetes.io/aws-load-balancer-proxy-protocol": "*"
+			externalTrafficPolicy: "Local"
+			// Add 30000 to the port to get the Nodeport
+			ports: [
+				{
+					name:       "status-port"
+					port:       15021
+					protocol:   "TCP"
+					targetPort: 15021
+					nodePort:   30021
+				},
+				{
+					name:       "http2"
+					port:       80
+					protocol:   "TCP"
+					targetPort: 80
+					nodePort:   30080
+				},
+				{
+					name:       "https"
+					port:       443
+					protocol:   "TCP"
+					targetPort: 443
+					nodePort:   30443
+				},
+			]
+		}
+	}
+	apiObjects: _APIObjects
+}
+
+_ProxyProtocol: gatewayTopology: proxyProtocol: {}
+
+// Additional holos specific API Objects
+let Name = #GatewayValues.name
+let GatewayLabels = {
+	app:   Name
+	istio: "ingressgateway"
+}
+let RedirectMetaName = {
+	name:      Name + "-https-redirect"
+	namespace: #TargetNamespace
+}
+
+// https-redirect
+_APIObjects: {
+	Gateway: {
+		httpsRedirect: #Gateway & {
+			metadata: RedirectMetaName
+			spec: selector: GatewayLabels
+			spec: servers: [{
+				port: {
+					number:   80
+					name:     "http2"
+					protocol: "HTTP2"
+				}
+				hosts: ["*"]
+				// handled by the VirtualService
+				tls: httpsRedirect: false
+			}]
+		}
+	}
+	VirtualService: {
+		httpsRedirect: #VirtualService & {
+			metadata: RedirectMetaName
+			spec: hosts: ["*"]
+			spec: gateways: [RedirectMetaName.name]
+			spec: http: [{
+				match: [{withoutHeaders: ":path": prefix: "/.well-known/acme-challenge/"}]
+				redirect: {
+					scheme:       "https"
+					redirectCode: 302
+				}
+			}]
+		}
+	}
+}
+
+let LoopbackName = Name + "-loopback"
+let LoopbackDescription = "Allows in-cluster traffic to stay in cluster via traffic routing"
+let LoopbackLabels = {
+	app:   LoopbackName
+	istio: "ingressgateway"
+}
+let LoopbackMetaName = {
+	name:      LoopbackName
+	namespace: #TargetNamespace
+}
+
+// istio-ingressgateway-loopback
+_APIObjects: {
+	Deployment: {
+		loopback: #Deployment & {
+			_description: LoopbackDescription
+			metadata:     LoopbackMetaName
+			spec: {
+				selector: matchLabels: LoopbackLabels
+				template: {
+					metadata: {
+						annotations: "inject.istio.io/templates": "gateway"
+						annotations: #Description & {
+							_Description: LoopbackDescription
+						}
+						labels: LoopbackLabels & {"sidecar.istio.io/inject": "true"}
+					}
+					spec: {
+						serviceAccountName: "istio-ingressgateway"
+						// Allow binding to all ports (such as 80 and 443)
+						securityContext: {
+							runAsNonRoot: true
+							seccompProfile: type: "RuntimeDefault"
+							sysctls: [{name: "net.ipv4.ip_unprivileged_port_start", value: "0"}]
+						}
+						containers: [{
+							name:  "istio-proxy"
+							image: "auto" // Managed by istiod
+							securityContext: {
+								allowPrivilegeEscalation: false
+								capabilities: drop: ["ALL"]
+								runAsUser:  1337
+								runAsGroup: 1337
+							}
+						}]
+					}
+				}
+			}
+		}
+	}
+	Service: {
+		loopback: #Service & {
+			_description: LoopbackDescription
+			metadata:     LoopbackMetaName
+			spec: selector:      LoopbackLabels
+			spec: ports: [{port: 80, name: "http"}, {port: 443, name: "https"}]
+		}
+	}
+}

docs/examples/platforms/reference/clusters/workload/cloud/mesh/istio/istio.cue

@@ -0,0 +1,13 @@
+package holos
+
+#DependsOn: _IstioBase
+
+#HelmChart: {
+	chart: {
+		version: "1.20.3"
+		repository: {
+			name: "istio"
+			url:  "https://istio-release.storage.googleapis.com/charts"
+		}
+	}
+}

docs/examples/platforms/reference/clusters/workload/cloud/mesh/istio/istiod/istiod.cue

@@ -0,0 +1,34 @@
+package holos
+
+import "encoding/yaml"
+
+#InputKeys: component: "istiod"
+#TargetNamespace: "istio-system"
+
+#HelmChart & {
+	namespace: #TargetNamespace
+	chart: {
+		name: "istiod"
+	}
+	values: #IstioValues & {
+		pilot: {
+			// The istio meshconfig ConfigMap is handled in the holos component instead of
+			// the upstream chart so extension providers can be collected from holos data.
+			configMap: false
+			// Set to `type: RuntimeDefault` to use the default profile if available.
+			seccompProfile: type: "RuntimeDefault"
+		}
+	}
+	apiObjects: ConfigMap: istio: #IstioConfigMap
+}
+
+#IstioConfigMap: #ConfigMap & {
+	metadata: {
+		name:      "istio"
+		namespace: #TargetNamespace
+	}
+	data: {
+		mesh:         yaml.Marshal(_MeshConfig)
+		meshNetworks: "networks: {}"
+	}
+}

docs/examples/platforms/reference/clusters/workload/cloud/mesh/istio/istiod/meshconfig.cue

@@ -0,0 +1,74 @@
+package holos
+
+// Istio meshconfig
+// TODO: Generate per-project extauthz providers.
+_MeshConfig: {
+	accessLogEncoding: "JSON"
+	accessLogFile:     "/dev/stdout"
+	defaultConfig: {
+		discoveryAddress: "istiod.istio-system.svc:15012"
+		tracing: zipkin: address: "zipkin.istio-system:9411"
+	}
+	defaultProviders: metrics: ["prometheus"]
+	enablePrometheusMerge: true
+	// For PROXY PROTOCOL at the ingress gateway.
+	gatewayTopology: {
+		numTrustedProxies: 2
+	}
+	rootNamespace: "istio-system"
+	trustDomain:   "cluster.local"
+	extensionProviders: [{
+		name: "cluster-trace"
+		zipkin: {
+			maxTagLength: 56
+			port:         9411
+			service:      "zipkin.istio-system.svc"
+		}
+	}, {
+		name: "cluster-gatekeeper"
+		envoyExtAuthzHttp: {
+			headersToDownstreamOnDeny: [
+				"content-type",
+				"set-cookie",
+			]
+			headersToUpstreamOnAllow: [
+				"authorization",
+				"path",
+				"x-auth-request-user",
+				"x-auth-request-email",
+				"x-auth-request-access-token",
+			]
+			includeAdditionalHeadersInCheck: "X-Auth-Request-Redirect": "%REQ(x-forwarded-proto)%://%REQ(:authority)%%REQ(:path)%%REQ(:query)%"
+			includeRequestHeadersInCheck: [
+				"authorization",
+				"cookie",
+				"x-forwarded-for",
+			]
+			port:    4180
+			service: "oauth2-proxy.istio-ingress.svc.cluster.local"
+		}
+	}, {
+		name: "core-authorizer"
+		envoyExtAuthzHttp: {
+			headersToDownstreamOnDeny: [
+				"content-type",
+				"set-cookie",
+			]
+			headersToUpstreamOnAllow: [
+				"authorization",
+				"path",
+				"x-auth-request-user",
+				"x-auth-request-email",
+				"x-auth-request-access-token",
+			]
+			includeAdditionalHeadersInCheck: "X-Auth-Request-Redirect": "%REQ(x-forwarded-proto)%://%REQ(:authority)%%REQ(:path)%%REQ(:query)%"
+			includeRequestHeadersInCheck: [
+				"authorization",
+				"cookie",
+				"x-forwarded-for",
+			]
+			port:    4180
+			service: "oauth2-proxy.prod-core-system.svc.cluster.local"
+		}
+	}]
+}

docs/examples/platforms/reference/clusters/workload/cloud/mesh/istio/values.cni.cue

@@ -0,0 +1,161 @@
+package holos
+
+// Default values.yaml imported from the cni chart
+
+#CNIValues: {
+	cni: {
+		hub:        ""
+		tag:        ""
+		variant:    ""
+		image:      "install-cni"
+		pullPolicy: ""
+
+		// Refer to https://istio.io/latest/docs/setup/additional-setup/cni/#installing-with-helm
+		enabled: #IstioValues.istio_cni.enabled
+
+		// Configuration log level of istio-cni binary
+		// by default istio-cni send all logs to UDS server
+		// if want to see them you need change global.logging.level with cni:debug
+		logLevel: "debug"
+
+		// Configuration file to insert istio-cni plugin configuration
+		// by default this will be the first file found in the cni-conf-dir
+		// Example
+		// cniConfFileName: 10-calico.conflist
+		// CNI bin and conf dir override settings
+		// defaults:
+		cniBinDir:       "" // Auto-detected based on version; defaults to /opt/cni/bin.
+		cniConfDir:      "/etc/cni/net.d"
+		cniConfFileName: ""
+		// This directory must exist on the node, if it does not, consult your container runtime
+		// documentation for the appropriate path.
+		cniNetnsDir: null // Defaults to '/var/run/netns', in minikube/docker/others can be '/var/run/docker/netns'.
+
+		excludeNamespaces: [
+			"istio-system",
+			"kube-system",
+		]
+
+		// Allows user to set custom affinity for the DaemonSet
+		affinity: {}
+
+		// Custom annotations on pod level, if you need them
+		podAnnotations: {}
+
+		// If this value is set a RoleBinding will be created
+		// in the same namespace as the istio-cni DaemonSet is created.
+		// This can be used to bind a preexisting ClusterRole to the istio/cni ServiceAccount
+		// e.g. if you use PodSecurityPolicies
+		psp_cluster_role: ""
+
+		// Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")?
+		// Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case
+		chained: #IstioValues.istio_cni.chained
+
+		// Allow the istio-cni container to run in privileged mode, needed for some platforms (e.g. OpenShift) or features (repairPods)
+		privileged: false
+
+		// Custom configuration happens based on the CNI provider.
+		// Possible values: "default", "multus"
+		provider: "default"
+
+		// Configure ambient settings
+		ambient: {
+			// If enabled, ambient redirection will be enabled
+			enabled: false
+			// Set ambient redirection mode: "iptables" or "ebpf"
+			redirectMode: "iptables"
+			// Set ambient config dir path: defaults to /etc/ambient-config
+			configDir: ""
+		}
+
+		repair: {
+			enabled: true
+			hub:     ""
+			tag:     ""
+
+			// Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used.
+			// This defines the action the controller will take when a pod is detected as broken.
+			// labelPods will label all pods with <brokenPodLabelKey>=<brokenPodLabelValue>.
+			// This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them).
+			labelPods: false
+			// deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready.
+			deletePods: true
+			// repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started.
+			// Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs.
+			// This requires no RBAC privilege, but does require `securityContext.privileged`.
+			repairPods: false
+
+			initContainerName: "istio-validation"
+
+			brokenPodLabelKey:   "cni.istio.io/uninitialized"
+			brokenPodLabelValue: "true"
+		}
+
+		// Set to `type: RuntimeDefault` to use the default profile if available.
+		seccompProfile: {}
+
+		resources: requests: {
+			cpu:    "100m"
+			memory: "100Mi"
+		}
+
+		resourceQuotas: {
+			enabled: false
+			pods:    5000
+		}
+
+		// The number of pods that can be unavailable during rolling update (see
+		// `updateStrategy.rollingUpdate.maxUnavailable` here:
+		// https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec).
+		// May be specified as a number of pods or as a percent of the total number
+		// of pods at the start of the update.
+		rollingMaxUnavailable: 1
+	}
+
+	// Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+	revision: ""
+
+	// For Helm compatibility.
+	ownerName: ""
+
+	global: {
+		// Default hub for Istio images.
+		// Releases are published to docker hub under 'istio' project.
+		// Dev builds from prow are on gcr.io
+		hub: "docker.io/istio"
+
+		// Default tag for Istio images.
+		tag: "1.20.3"
+
+		// Variant of the image to use.
+		// Currently supported are: [debug, distroless]
+		variant: ""
+
+		// Specify image pull policy if default behavior isn't desired.
+		// Default behavior: latest images will be Always else IfNotPresent.
+		imagePullPolicy: ""
+
+		// change cni scope level to control logging out of istio-cni-node DaemonSet
+		logging: {
+			level: "default:info,cni:info"
+		}
+
+		logAsJson: false
+
+		// ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+		// to use for pulling any images in pods that reference this ServiceAccount.
+		// For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+		// ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+		// Must be set for any cluster configured with private docker registry.
+		imagePullSecrets: []
+		// - private-registry-key
+		// Default resources allocated
+		defaultResources: {
+			requests: {
+				cpu:    "100m"
+				memory: "100Mi"
+			}
+		}
+	}
+}

docs/examples/platforms/reference/clusters/workload/cloud/mesh/istio/values.gateway.cue

@@ -0,0 +1,170 @@
+package holos
+
+// Gateway default values.yaml imported from the gateway chart.
+
+#GatewayValues: {
+
+	// Name allows overriding the release name. Generally this should not be set
+	name: "istio-ingressgateway"
+	// revision declares which revision this gateway is a part of
+	revision: ""
+
+	// Controls the spec.replicas setting for the Gateway deployment if set.
+	// Otherwise defaults to Kubernetes Deployment default (1).
+	replicaCount: null
+
+	kind: "Deployment"
+
+	rbac: {
+		// If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed
+		// when using http://gateway-api.org/.
+		enabled: true
+	}
+
+	serviceAccount: {
+		// If set, a service account will be created. Otherwise, the default is used
+		create: true
+		// Annotations to add to the service account
+		annotations: {}
+		// The name of the service account to use.
+		// If not set, the release name is used
+		name: ""
+	}
+
+	podAnnotations: {
+		"prometheus.io/port":        "15020"
+		"prometheus.io/scrape":      "true"
+		"prometheus.io/path":        "/stats/prometheus"
+		"inject.istio.io/templates": "gateway"
+		"sidecar.istio.io/inject":   "true"
+		...
+	}
+
+	// Define the security context for the pod.
+	// If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
+	// On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
+	securityContext: {
+		seccompProfile: type: "RuntimeDefault"
+		sysctls: [{name: "net.ipv4.ip_unprivileged_port_start", value: "0"}]
+	}
+	containerSecurityContext: null
+
+	service: {
+		// Type of service. Set to "None" to disable the service entirely
+		type: string | *"LoadBalancer"
+		ports: [...] | *[{
+			name:       "status-port"
+			port:       15021
+			protocol:   "TCP"
+			targetPort: 15021
+		}, {
+			name:       "http2"
+			port:       80
+			protocol:   "TCP"
+			targetPort: 80
+		}, {
+			name:       "https"
+			port:       443
+			protocol:   "TCP"
+			targetPort: 443
+		}]
+		annotations: {...}
+		loadBalancerIP: ""
+		loadBalancerSourceRanges: []
+		externalTrafficPolicy: string | *""
+		externalIPs: []
+		ipFamilyPolicy: ""
+		ipFamilies: []
+	}
+
+	resources: {
+		requests: {
+			cpu:    "100m"
+			memory: "128Mi"
+		}
+		limits: {
+			cpu:    "2000m"
+			memory: "1024Mi"
+		}
+	}
+
+	autoscaling: {
+		enabled:                        true
+		minReplicas:                    1
+		maxReplicas:                    5
+		targetCPUUtilizationPercentage: 80
+		autoscaleBehavior: {}
+	}
+
+	// Pod environment variables
+	env: {}
+
+	// Labels to apply to all resources
+	labels: {}
+
+	// Annotations to apply to all resources
+	annotations: {}
+
+	nodeSelector: {}
+
+	tolerations: []
+
+	topologySpreadConstraints: []
+
+	affinity: {}
+
+	// If specified, the gateway will act as a network gateway for the given network.
+	networkGateway: ""
+
+	// Specify image pull policy if default behavior isn't desired.
+	// Default behavior: latest images will be Always else IfNotPresent
+	imagePullPolicy: ""
+
+	imagePullSecrets: []
+
+	// This value is used to configure a Kubernetes PodDisruptionBudget for the gateway.
+	//
+	// By default, the `podDisruptionBudget` is disabled (set to `{}`),
+	// which means that no PodDisruptionBudget resource will be created.
+	//
+	// To enable the PodDisruptionBudget, configure it by specifying the
+	// `minAvailable` or `maxUnavailable`. For example, to set the
+	// minimum number of available replicas to 1, you can update this value as follows:
+	//
+	// podDisruptionBudget:
+	//   minAvailable: 1
+	//
+	// Or, to allow a maximum of 1 unavailable replica, you can set:
+	//
+	// podDisruptionBudget:
+	//   maxUnavailable: 1
+	//
+	// You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`.
+	// For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows:
+	//
+	// podDisruptionBudget:
+	//   minAvailable: 1
+	//   unhealthyPodEvictionPolicy: AlwaysAllow
+	//
+	// To disable the PodDisruptionBudget, you can leave it as an empty object `{}`:
+	//
+	// podDisruptionBudget: {}
+	//
+	podDisruptionBudget: {}
+
+	terminationGracePeriodSeconds: 30
+
+	// A list of `Volumes` added into the Gateway Pods. See
+	// https://kubernetes.io/docs/concepts/storage/volumes/.
+	volumes: []
+
+	// A list of `VolumeMounts` added into the Gateway Pods. See
+	// https://kubernetes.io/docs/concepts/storage/volumes/.
+	volumeMounts: []
+
+	// Configure this to a higher priority class in order to make sure your Istio gateway pods
+	// will not be killed because of low priority class.
+	// Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+	// for more detail.
+	priorityClassName: ""
+}

docs/examples/platforms/reference/clusters/workload/cloud/mesh/mesh.cue

@@ -1,10 +1,14 @@
 package holos
 
-// All components are share this collection
+// Components under this directory are part of this collection
 #InputKeys: project: "mesh"
 
 // Shared dependencies for all components in this collection.
-#Kustomization: spec: {
-	dependsOn: [{name: "\(#StageName)-secrets-namespaces"}, ...]
-	targetNamespace: #TargetNamespace
-}
+#DependsOn: _Namespaces
+
+// Common Dependencies
+_CertManager: CertManager: name:       "\(#InstancePrefix)-certmanager"
+_Namespaces: Namespaces: name:         "\(#StageName)-secrets-namespaces"
+_IstioBase: IstioBase: name:           "\(#InstancePrefix)-istio-base"
+_IstioD: IstioD: name:                 "\(#InstancePrefix)-istiod"
+_IngressGateway: IngressGateway: name: "\(#InstancePrefix)-ingress"

docs/examples/platforms/reference/clusters/workload/cloud/mesh/values.cue

@@ -0,0 +1,547 @@
+package holos
+
+// Default istio values from the istiod chart using cue import values.yaml
+#IstioValues: {
+	// Discovery Settings
+	pilot: {
+		autoscaleEnabled: true
+		autoscaleMin:     1
+		autoscaleMax:     5
+		autoscaleBehavior: {}
+		replicaCount:          1
+		rollingMaxSurge:       "100%"
+		rollingMaxUnavailable: "25%"
+
+		hub:     string | *""
+		tag:     string | *""
+		variant: string | *""
+
+		// Can be a full hub/image:tag
+		image:         "pilot"
+		traceSampling: 1.0
+
+		// Resources for a small pilot install
+		resources: {
+			requests: {
+				cpu:    "500m"
+				memory: "2048Mi"
+			}
+		}
+
+		// Set to `type: RuntimeDefault` to use the default profile if available.
+		seccompProfile: {...}
+
+		// Additional container arguments
+		extraContainerArgs: []
+
+		env: {}
+
+		cpu: targetAverageUtilization: 80
+
+		// Additional volumeMounts to the istiod container
+		volumeMounts: []
+
+		// Additional volumes to the istiod pod
+		volumes: []
+
+		nodeSelector: {}
+		podAnnotations: {}
+		serviceAnnotations: {}
+
+		topologySpreadConstraints: []
+
+		// You can use jwksResolverExtraRootCA to provide a root certificate
+		// in PEM format. This will then be trusted by pilot when resolving
+		// JWKS URIs.
+		jwksResolverExtraRootCA: ""
+
+		// This is used to set the source of configuration for
+		// the associated address in configSource, if nothing is specified
+		// the default MCP is assumed.
+		configSource: {
+			subscribedResources: []
+		}
+
+		plugins: []
+
+		// The following is used to limit how long a sidecar can be connected
+		// to a pilot. It balances out load across pilot instances at the cost of
+		// increasing system churn.
+		keepaliveMaxServerConnectionAge: "30m"
+
+		// Additional labels to apply to the deployment.
+		deploymentLabels: {}
+
+		//# Mesh config settings
+		// Install the mesh config map, generated from values.yaml.
+		// If false, pilot wil use default values (by default) or user-supplied values.
+		configMap: *true | false
+
+		// Additional labels to apply on the pod level for monitoring and logging configuration.
+		podLabels: {}
+
+		// Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
+		ipFamilyPolicy: ""
+		ipFamilies: []
+	}
+
+	sidecarInjectorWebhook: {
+		// You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
+		// always skip the injection on pods that match that label selector, regardless of the global policy.
+		// See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
+		neverInjectSelector: []
+		alwaysInjectSelector: []
+
+		// injectedAnnotations are additional annotations that will be added to the pod spec after injection
+		// This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations:
+		//
+		// annotations:
+		//   apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
+		//   apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
+		//
+		// The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before
+		// the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify:
+		// injectedAnnotations:
+		//   container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default
+		//   container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default
+		injectedAnnotations: {}
+
+		// This enables injection of sidecar in all namespaces,
+		// with the exception of namespaces with "istio-injection:disabled" annotation
+		// Only one environment should have this enabled.
+		enableNamespacesByDefault: false
+
+		// Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run
+		// once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten.
+		// Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur.
+		reinvocationPolicy: "Never"
+
+		rewriteAppHTTPProbe: true
+
+		// Templates defines a set of custom injection templates that can be used. For example, defining:
+		//
+		// templates:
+		//   hello: |
+		//     metadata:
+		//       labels:
+		//         hello: world
+		//
+		// Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod
+		// being injected with the hello=world labels.
+		// This is intended for advanced configuration only; most users should use the built in template
+		templates: {}
+
+		// Default templates specifies a set of default templates that are used in sidecar injection.
+		// By default, a template `sidecar` is always provided, which contains the template of default sidecar.
+		// To inject other additional templates, define it using the `templates` option, and add it to
+		// the default templates list.
+		// For example:
+		//
+		// templates:
+		//   hello: |
+		//     metadata:
+		//       labels:
+		//         hello: world
+		//
+		// defaultTemplates: ["sidecar", "hello"]
+		defaultTemplates: []
+	}
+	istiodRemote: {
+		// Sidecar injector mutating webhook configuration clientConfig.url value.
+		// For example: https://$remotePilotAddress:15017/inject
+		// The host should not refer to a service running in the cluster; use a service reference by specifying
+		// the clientConfig.service field instead.
+		injectionURL: ""
+
+		// Sidecar injector mutating webhook configuration path value for the clientConfig.service field.
+		// Override to pass env variables, for example: /inject/cluster/remote/net/network2
+		injectionPath: "/inject"
+	}
+	telemetry: {
+		enabled: true
+		v2: {
+			// For Null VM case now.
+			// This also enables metadata exchange.
+			enabled: true
+			metadataExchange: {
+				// Indicates whether to enable WebAssembly runtime for metadata exchange filter.
+				wasmEnabled: false
+			}
+			// Indicate if prometheus stats filter is enabled or not
+			prometheus: {
+				enabled: true
+				// Indicates whether to enable WebAssembly runtime for stats filter.
+				wasmEnabled: false
+				// overrides stats EnvoyFilter configuration.
+				configOverride: {
+					gateway: {}
+					inboundSidecar: {}
+					outboundSidecar: {}
+				}
+			}
+			// stackdriver filter settings.
+			stackdriver: {
+				enabled:         false
+				logging:         false
+				monitoring:      false
+				topology:        false // deprecated. setting this to true will have no effect, as this option is no longer supported.
+				disableOutbound: false
+				//  configOverride parts give you the ability to override the low level configuration params passed to envoy filter.
+
+				configOverride: {}
+			}
+			//  e.g.
+			//  disable_server_access_logging: false
+			//  disable_host_header_fallback: true
+			// Access Log Policy Filter Settings. This enables filtering of access logs from stackdriver.
+			accessLogPolicy: {
+				enabled: false
+				// To reduce the number of successful logs, default log window duration is
+				// set to 12 hours.
+				logWindowDuration: "43200s"
+			}
+		}
+	}
+	// Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+	revision: ""
+
+	// Revision tags are aliases to Istio control plane revisions
+	revisionTags: []
+
+	// For Helm compatibility.
+	ownerName: ""
+
+	// meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
+	// See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
+	meshConfig: {
+		enablePrometheusMerge: true
+	}
+
+	global: {
+		// Used to locate istiod.
+		istioNamespace: "istio-system"
+		// List of cert-signers to allow "approve" action in the istio cluster role
+		//
+		// certSigners:
+		//   - clusterissuers.cert-manager.io/istio-ca
+		certSigners: []
+		// enable pod disruption budget for the control plane, which is used to
+		// ensure Istio control plane components are gradually upgraded or recovered.
+		defaultPodDisruptionBudget: {
+			enabled: true
+		}
+		// The values aren't mutable due to a current PodDisruptionBudget limitation
+		// minAvailable: 1
+		// A minimal set of requested resources to applied to all deployments so that
+		// Horizontal Pod Autoscaler will be able to function (if set).
+		// Each component can overwrite these default values by adding its own resources
+		// block in the relevant section below and setting the desired resources values.
+		defaultResources: {
+			requests: cpu: "10m"
+		}
+		//   memory: 128Mi
+		// limits:
+		//   cpu: 100m
+		//   memory: 128Mi
+		// Default hub for Istio images.
+		// Releases are published to docker hub under 'istio' project.
+		// Dev builds from prow are on gcr.io
+		hub: string | *"docker.io/istio"
+		// Default tag for Istio images.
+		tag: string | *"1.20.3"
+		// Variant of the image to use.
+		// Currently supported are: [debug, distroless]
+		variant: string | *""
+
+		// Specify image pull policy if default behavior isn't desired.
+		// Default behavior: latest images will be Always else IfNotPresent.
+		imagePullPolicy: string | *""
+
+		// ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+		// to use for pulling any images in pods that reference this ServiceAccount.
+		// For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+		// ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+		// Must be set for any cluster configured with private docker registry.
+		imagePullSecrets: []
+		// - private-registry-key
+		// Enabled by default in master for maximising testing.
+		istiod: {
+			enableAnalysis: false
+		}
+
+		// To output all istio components logs in json format by adding --log_as_json argument to each container argument
+		logAsJson: false
+
+		// Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
+		// The control plane has different scopes depending on component, but can configure default log level across all components
+		// If empty, default scope and level will be used as configured in code
+		logging: {
+			level: "default:info"
+		}
+
+		omitSidecarInjectorConfigMap: false
+
+		// Whether to restrict the applications namespace the controller manages;
+		// If not set, controller watches all namespaces
+		oneNamespace: false
+
+		// Configure whether Operator manages webhook configurations. The current behavior
+		// of Istiod is to manage its own webhook configurations.
+		// When this option is set as true, Istio Operator, instead of webhooks, manages the
+		// webhook configurations. When this option is set as false, webhooks manage their
+		// own webhook configurations.
+		operatorManageWebhooks: false
+
+		// Custom DNS config for the pod to resolve names of services in other
+		// clusters. Use this to add additional search domains, and other settings.
+		// see
+		// https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
+		// This does not apply to gateway pods as they typically need a different
+		// set of DNS settings than the normal application pods (e.g., in
+		// multicluster scenarios).
+		// NOTE: If using templates, follow the pattern in the commented example below.
+		//podDNSSearchNamespaces:
+		//- global
+		//- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"
+		// Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
+		// system-node-critical, it is better to configure this in order to make sure your Istio pods
+		// will not be killed because of low priority class.
+		// Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+		// for more detail.
+		priorityClassName: ""
+
+		proxy: {
+			image: "proxyv2"
+
+			// This controls the 'policy' in the sidecar injector.
+			autoInject: "enabled"
+
+			// CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
+			// cluster domain. Default value is "cluster.local".
+			clusterDomain: "cluster.local"
+
+			// Per Component log level for proxy, applies to gateways and sidecars. If a component level is
+			// not set, then the global "logLevel" will be used.
+			componentLogLevel: "misc:error"
+
+			// If set, newly injected sidecars will have core dumps enabled.
+			enableCoreDump: false
+
+			// istio ingress capture allowlist
+			// examples:
+			//     Redirect only selected ports:            --includeInboundPorts="80,8080"
+			excludeInboundPorts: ""
+			includeInboundPorts: "*"
+
+			// istio egress capture allowlist
+			// https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
+			// example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
+			// would only capture egress traffic on those two IP Ranges, all other outbound traffic would
+			// be allowed by the sidecar
+			includeIPRanges:      "*"
+			excludeIPRanges:      ""
+			includeOutboundPorts: ""
+			excludeOutboundPorts: ""
+
+			// Log level for proxy, applies to gateways and sidecars.
+			// Expected values are: trace|debug|info|warning|error|critical|off
+			logLevel: "warning"
+
+			//If set to true, istio-proxy container will have privileged securityContext
+			privileged: false
+
+			// The number of successive failed probes before indicating readiness failure.
+			readinessFailureThreshold: 4
+
+			// The initial delay for readiness probes in seconds.
+			readinessInitialDelaySeconds: 0
+
+			// The period between readiness probes.
+			readinessPeriodSeconds: 15
+
+			// Enables or disables a startup probe.
+			// For optimal startup times, changing this should be tied to the readiness probe values.
+			//
+			// If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4.
+			// This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval),
+			// and doesn't spam the readiness endpoint too much
+			//
+			// If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30.
+			// This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly.
+			startupProbe: {
+				enabled:          true
+				failureThreshold: 600
+			} // 10 minutes
+			// Resources for the sidecar.
+			resources: {
+				requests: {
+					cpu:    "100m"
+					memory: "128Mi"
+				}
+				limits: {
+					cpu:    "2000m"
+					memory: "1024Mi"
+				}
+			}
+
+			// Default port for Pilot agent health checks. A value of 0 will disable health checking.
+			statusPort: 15020
+
+			// Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver.
+			// If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
+			tracer: "zipkin"
+		}
+
+		proxy_init: {
+			// Base name for the proxy_init container, used to configure iptables.
+			image: "proxyv2"
+		}
+
+		// configure remote pilot and istiod service and endpoint
+		remotePilotAddress: ""
+
+		//#############################################################################################
+		// The following values are found in other charts. To effectively modify these values, make   #
+		// make sure they are consistent across your Istio helm charts                                #
+		//#############################################################################################
+		// The customized CA address to retrieve certificates for the pods in the cluster.
+		// CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
+		// If not set explicitly, default to the Istio discovery address.
+		caAddress: ""
+
+		// Configure a remote cluster data plane controlled by an external istiod.
+		// When set to true, istiod is not deployed locally and only a subset of the other
+		// discovery charts are enabled.
+		externalIstiod: false
+
+		// Configure a remote cluster as the config cluster for an external istiod.
+		configCluster: false
+
+		// Configure the policy for validating JWT.
+		// Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
+		jwtPolicy: "third-party-jwt"
+
+		// Mesh ID means Mesh Identifier. It should be unique within the scope where
+		// meshes will interact with each other, but it is not required to be
+		// globally/universally unique. For example, if any of the following are true,
+		// then two meshes must have different Mesh IDs:
+		// - Meshes will have their telemetry aggregated in one place
+		// - Meshes will be federated together
+		// - Policy will be written referencing one mesh from the other
+		//
+		// If an administrator expects that any of these conditions may become true in
+		// the future, they should ensure their meshes have different Mesh IDs
+		// assigned.
+		//
+		// Within a multicluster mesh, each cluster must be (manually or auto)
+		// configured to have the same Mesh ID value. If an existing cluster 'joins' a
+		// multicluster mesh, it will need to be migrated to the new mesh ID. Details
+		// of migration TBD, and it may be a disruptive operation to change the Mesh
+		// ID post-install.
+		//
+		// If the mesh admin does not specify a value, Istio will use the value of the
+		// mesh's Trust Domain. The best practice is to select a proper Trust Domain
+		// value.
+		meshID: ""
+
+		// Configure the mesh networks to be used by the Split Horizon EDS.
+		//
+		// The following example defines two networks with different endpoints association methods.
+		// For `network1` all endpoints that their IP belongs to the provided CIDR range will be
+		// mapped to network1. The gateway for this network example is specified by its public IP
+		// address and port.
+		// The second network, `network2`, in this example is defined differently with all endpoints
+		// retrieved through the specified Multi-Cluster registry being mapped to network2. The
+		// gateway is also defined differently with the name of the gateway service on the remote
+		// cluster. The public IP for the gateway will be determined from that remote service (only
+		// LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
+		// it still need to be configured manually).
+		//
+		// meshNetworks:
+		//   network1:
+		//     endpoints:
+		//     - fromCidr: "192.168.0.1/24"
+		//     gateways:
+		//     - address: 1.1.1.1
+		//       port: 80
+		//   network2:
+		//     endpoints:
+		//     - fromRegistry: reg1
+		//     gateways:
+		//     - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
+		//       port: 443
+		//
+		meshNetworks: {}
+
+		// Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
+		mountMtlsCerts: false
+
+		multiCluster: {
+			// Set to true to connect two kubernetes clusters via their respective
+			// ingressgateway services when pods in each cluster cannot directly
+			// talk to one another. All clusters should be using Istio mTLS and must
+			// have a shared root CA for this model to work.
+			enabled: false
+			// Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
+			// to properly label proxies
+			clusterName: ""
+		}
+
+		// Network defines the network this cluster belong to. This name
+		// corresponds to the networks in the map of mesh networks.
+		network: ""
+
+		// Configure the certificate provider for control plane communication.
+		// Currently, two providers are supported: "kubernetes" and "istiod".
+		// As some platforms may not have kubernetes signing APIs,
+		// Istiod is the default
+		pilotCertProvider: "istiod"
+
+		sds: {
+			// The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
+			// When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
+			// JWT is intended for the CA.
+			token: {
+				aud: "istio-ca"
+			}
+		}
+
+		sts: {
+			// The service port used by Security Token Service (STS) server to handle token exchange requests.
+			// Setting this port to a non-zero value enables STS server.
+			servicePort: 0
+		}
+
+		// The name of the CA for workload certificates.
+		// For example, when caName=GkeWorkloadCertificate, GKE workload certificates
+		// will be used as the certificates for workloads.
+		// The default value is "" and when caName="", the CA will be configured by other
+		// mechanisms (e.g., environmental variable CA_PROVIDER).
+		caName: ""
+
+		// whether to use autoscaling/v2 template for HPA settings
+		// for internal usage only, not to be configured by users.
+		autoscalingv2API: true
+	}
+
+	base: {
+		// For istioctl usage to disable istio config crds in base
+		enableIstioConfigCRDs: true
+
+		// If enabled, gateway-api types will be validated using the standard upstream validation logic.
+		// This is an alternative to deploying the standalone validation server the project provides.
+		// This is disabled by default, as the cluster may already have a validation server; while technically
+		// it works to have multiple redundant validations, this adds complexity and operational risks.
+		// Users should consider enabling this if they want full gateway-api validation but don't have other validation servers.
+		validateGateway: false
+	}
+
+	// keep in sync with settings used when installing the Istio CNI chart
+	istio_cni: {
+		// Refer to https://istio.io/latest/docs/setup/additional-setup/cni/#installing-with-helm
+		// values.istio_cni.enabled should be set to the same value as values.cni.enabled.
+		// values.istio_cni.chained should be set to the same value as values.cni.chained.
+		enabled: true
+		chained: true
+	}
+}

docs/examples/platforms/reference/clusters/workload/cloud/mesh/values.holos.cue

@@ -0,0 +1,28 @@
+package holos
+
+#IstioValues: {
+	global: {
+		// Used to locate istiod.
+		istioNamespace: "istio-system"
+		// Switch the hub away from the default docker.io to avoid rate limits
+		hub: "gcr.io/istio-release"
+		// ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace
+		// to use for pulling any images in pods that reference this ServiceAccount.
+		// Must be set for any cluster configured with private docker registry.
+		imagePullSecrets: []
+		istiod: enableAnalysis: false
+		configValidation:   true
+		externalIstiod:     false
+		remotePilotAddress: ""
+	}
+	base: {
+		// Include the CRDs in the helm template output
+		enableCRDTemplates: true
+		// Validation webhook configuration url
+		// For example: https://$remotePilotAddress:15017/validate
+		validationURL: ""
+		// For istioctl usage to disable istio config crds in base
+		enableIstioConfigCRDs: true
+	}
+	defaultRevision: "default"
+}

docs/examples/platforms/reference/clusters/workload/cloud/secrets/components/eso-creds-refresher/component.cue

@@ -20,9 +20,7 @@ import "encoding/json"
 
 #TargetNamespace: #CredsRefresher.namespace
 
-#Kustomization: spec: {
-	dependsOn: [{name: #InstancePrefix + "-namespaces"}]
-}
+#DependsOn: Namespaces: name: #InstancePrefix + "-namespaces"
 
 let NAME = #CredsRefresher.name
 let AUD = "//iam.googleapis.com/projects/\(#InputKeys.gcpProjectNumber)/locations/global/workloadIdentityPools/holos/providers/k8s-\(#InputKeys.cluster)"

docs/examples/platforms/reference/clusters/workload/cloud/secrets/components/eso/eso.cue

@@ -11,10 +11,8 @@ package holos
 	service: "eso"
 }
 
-#Kustomization: spec: {
-	dependsOn: [{name: #InstancePrefix + "-namespaces"}]
-	targetNamespace: #TargetNamespace
-}
+#Kustomization: spec: targetNamespace: #TargetNamespace
+#DependsOn: Namespaces: name:          #InstancePrefix + "-namespaces"
 
 #HelmChart & {
 	values: installCrds: true

docs/examples/platforms/reference/clusters/workload/cloud/secrets/components/namespaces/component.cue

@@ -12,7 +12,12 @@ package holos
 	_ns: #PlatformNamespace
 
 	objects: [
-		#Namespace & {metadata: _ns},
+		#Namespace & {
+			metadata: _ns
+		},
+		#SecretStore & {
+			_namespace: _ns.name
+		},
 	]
 }
 
@@ -21,8 +26,9 @@ package holos
 		for ns in #PlatformNamespaces {
 			for obj in (#PlatformNamespaceObjects & {_ns: ns}).objects {
 				let Kind = obj.kind
+				let NS = ns.name
 				let Name = obj.metadata.name
-				"\(Kind)": "\(Name)": obj
+				"\(Kind)": "\(NS)/\(Name)": obj
 			}
 		}
 	}

docs/examples/platforms/reference/clusters/workload/cloud/secrets/components/validate/component.cue

@@ -9,13 +9,10 @@ package holos
 	component: "validate"
 }
 
-#Kustomization: spec: dependsOn: [{name: #InstancePrefix + "-eso"}]
-
+#DependsOn: Namespaces: name: #InstancePrefix + "-eso"
 
 #KubernetesObjects & {
 	apiObjects: {
-		SecretStore: default: #SecretStore
-
 		ExternalSecret: validate: #ExternalSecret & {
 			_name: "validate"
 		}

docs/examples/platforms/reference/clusters/workload/metal/ceph/ceph.cue

@@ -12,10 +12,8 @@ package holos
 	component: "ceph"
 }
 
-#Kustomization: spec: {
-	dependsOn: [{name: "prod-secrets-namespaces"}]
-	targetNamespace: #TargetNamespace
-}
+#Kustomization: spec: targetNamespace: #TargetNamespace
+#DependsOn: Namespaces: name:          "\(#StageName)-secrets-namespaces"
 
 #HelmChart & {
 	namespace: #TargetNamespace
@@ -29,7 +27,6 @@ package holos
 	}
 
 	apiObjects: {
-		SecretStore: default: #SecretStore
 		ExternalSecret: "\(#SecretName)": #ExternalSecret & {
 			_name: #SecretName
 		}

docs/examples/platforms/reference/namespaces.cue

@@ -1,17 +1,25 @@
 package holos
 
+// Refer to https://kubernetes.io/docs/concepts/security/pod-security-standards/
+let Restricted = {
+	labels: "pod-security.kubernetes.io/enforce":         "restricted"
+	labels: "pod-security.kubernetes.io/enforce-version": "latest"
+}
+let Privileged = {
+	labels: "pod-security.kubernetes.io/enforce":         "privileged"
+	labels: "pod-security.kubernetes.io/enforce-version": "latest"
+}
+
 // #PlatformNamespaces is the union of all namespaces across all cluster types.  Namespaces are created in all clusters regardless of if they're
 // used within the cluster or not.  The is important for security and consistency with IAM, RBAC, and Secrets sync between clusters.
 #PlatformNamespaces: [
 	{name: "external-secrets"},
 	{name: "holos-system"},
 	{name: "flux-system"},
-	{
-		name: "ceph-system"
-		labels: "pod-security.kubernetes.io/enforce": "privileged"
-	},
-	{name: "istio-system"},
-	{name: "istio-ingress"},
+	{name: "ceph-system"} & Privileged,
+	{name: "istio-system"} & Privileged,
+	{name: "istio-ingress"} & Restricted,
 	{name: "cert-manager"},
 	{name: "argocd"},
+	{name: "prod-iam-zitadel"},
 ]

docs/examples/schema.cue

@@ -3,11 +3,17 @@ package holos
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	ksv1 "kustomize.toolkit.fluxcd.io/kustomization/v1"
+	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	batchv1 "k8s.io/api/batch/v1"
 	es "external-secrets.io/externalsecret/v1beta1"
 	ss "external-secrets.io/secretstore/v1beta1"
+	is "cert-manager.io/issuer/v1"
+	ci "cert-manager.io/clusterissuer/v1"
+	crt "cert-manager.io/certificate/v1"
+	gw "networking.istio.io/gateway/v1beta1"
+	vs "networking.istio.io/virtualservice/v1beta1"
 	"encoding/yaml"
 )
 
@@ -16,25 +22,36 @@ _apiVersion: "holos.run/v1alpha1"
 
 // #ClusterName is the cluster name for cluster scoped resources.
 #ClusterName: #InputKeys.cluster
+
 // #StageName is prod, dev, stage, etc...  Usually prod for platform components.
 #StageName: #InputKeys.stage
+
 // #CollectionName is the preferred handle to the collection element of the instance name.  A collection name mapes to an "application name" as described in the kubernetes recommended labels documentation.  Refer to https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/
 #CollectionName: #InputKeys.project
+
 // #ComponentName is the name of the holos component.
 #ComponentName: #InputKeys.component
+
 // #InstanceName is the name of the holos component instance being managed varying by stage, project, and component names.
 #InstanceName: "\(#StageName)-\(#CollectionName)-\(#ComponentName)"
+
 // #InstancePrefix is the stage and project without the component name.  Useful for dependency management among multiple components for a project stage.
 #InstancePrefix: "\(#StageName)-\(#CollectionName)"
 
 // #TargetNamespace is the target namespace for a holos component.
 #TargetNamespace: string
 
+// #SelectorLabels are mixed into selectors.
+#SelectorLabels: {
+	"holos.run/stage.name":     #StageName
+	"holos.run/project.name":   #CollectionName
+	"holos.run/component.name": #ComponentName
+	...
+}
+
 // #CommonLabels are mixed into every kubernetes api object.
 #CommonLabels: {
-	"holos.run/stage.name":        #StageName
-	"holos.run/project.name":      #CollectionName
-	"holos.run/component.name":    #ComponentName
+	#SelectorLabels
 	"app.kubernetes.io/part-of":   #StageName
 	"app.kubernetes.io/name":      #CollectionName
 	"app.kubernetes.io/component": #ComponentName
@@ -43,14 +60,26 @@ _apiVersion: "holos.run/v1alpha1"
 }
 
 #ClusterObject: {
+	_description: string | *""
 	metadata: metav1.#ObjectMeta & {
 		labels: #CommonLabels
+		annotations: #Description & {
+			_Description: _description
+			...
+		}
 	}
 	...
 }
 
+#Description: {
+	_Description:            string | *""
+	"holos.run/description": _Description
+	...
+}
+
 #NamespaceObject: #ClusterObject & {
 	metadata: namespace: string
+	...
 }
 
 // Kubernetes API Objects
@@ -62,13 +91,42 @@ _apiVersion: "holos.run/v1alpha1"
 }
 #ClusterRole:        #ClusterObject & rbacv1.#ClusterRole
 #ClusterRoleBinding: #ClusterObject & rbacv1.#ClusterRoleBinding
-#Role:               #NamespaceObject & rbacv1.#Role
-#RoleBinding:        #NamespaceObject & rbacv1.#RoleBinding
-#ConfigMap:          #NamespaceObject & corev1.#ConfigMap
-#ServiceAccount:     #NamespaceObject & corev1.#ServiceAccount
-#Pod:                #NamespaceObject & corev1.#Pod
-#Job:                #NamespaceObject & batchv1.#Job
-#CronJob:            #NamespaceObject & batchv1.#CronJob
+#ClusterIssuer: #ClusterObject & ci.#ClusterIssuer & {...}
+
+#Issuer:         #NamespaceObject & is.#Issuer
+#Role:           #NamespaceObject & rbacv1.#Role
+#RoleBinding:    #NamespaceObject & rbacv1.#RoleBinding
+#ConfigMap:      #NamespaceObject & corev1.#ConfigMap
+#ServiceAccount: #NamespaceObject & corev1.#ServiceAccount
+#Pod:            #NamespaceObject & corev1.#Pod
+#Service:        #NamespaceObject & corev1.#Service
+#Job:            #NamespaceObject & batchv1.#Job
+#CronJob:        #NamespaceObject & batchv1.#CronJob
+#Deployment:     #NamespaceObject & appsv1.#Deployment
+#Gateway:        #NamespaceObject & gw.#Gateway
+#VirtualService: #NamespaceObject & vs.#VirtualService
+#Certificate:    #NamespaceObject & crt.#Certificate
+
+// #HTTP01Cert defines a http01 certificate.
+#HTTP01Cert: {
+	_name:      string
+	_secret:    string | *_name
+	SecretName: _secret
+	Host:       _name + "." + #ClusterDomain
+	object: #Certificate & {
+		metadata: {
+			name:      _secret
+			namespace: string | *#TargetNamespace
+		}
+		spec: {
+			commonName: Host
+			dnsNames: [Host]
+			secretName: _secret
+			issuerRef: kind: "ClusterIssuer"
+			issuerRef: name: "letsencrypt"
+		}
+	}
+}
 
 // Flux Kustomization CRDs
 #Kustomization: #NamespaceObject & ksv1.#Kustomization & {
@@ -89,9 +147,18 @@ _apiVersion: "holos.run/v1alpha1"
 		targetNamespace?: string
 		timeout:          string | *"3m0s"
 		wait:             bool | *true
+		dependsOn: [for k, v in #DependsOn {v}]
 	}
 }
 
+// #DependsOn stores all of the dependencies between components.  It's a struct to support merging across levels in the tree.
+#DependsOn: {
+	[NAME=_]: {
+		name: string
+	}
+	...
+}
+
 // External Secrets CRDs
 #ExternalSecret: #NamespaceObject & es.#ExternalSecret & {
 	_name: string
@@ -116,13 +183,14 @@ _apiVersion: "holos.run/v1alpha1"
 }
 
 #SecretStore: #NamespaceObject & ss.#SecretStore & {
+	_namespace: string
 	metadata: {
 		name:      string | *"default"
-		namespace: #TargetNamespace
+		namespace: _namespace
 	}
 	spec: provider: {
 		kubernetes: {
-			remoteNamespace: #TargetNamespace
+			remoteNamespace: _namespace
 			auth: token: bearerToken: {
 				name: string | *"eso-reader"
 				key:  string | *"token"
@@ -142,7 +210,7 @@ _apiVersion: "holos.run/v1alpha1"
 	// stage is usually set by the platform or project.
 	stage: *"prod" | string @tag(stage, type=string)
 	// service is usually set by the component.
-	service: string @tag(service, type=string)
+	service: *component | string @tag(service, type=string)
 	// component is the name of the component
 	component: string @tag(component, type=string)
 
@@ -162,6 +230,8 @@ _apiVersion: "holos.run/v1alpha1"
 	org: {
 		name:   string
 		domain: string
+		contact: email:    string
+		cloudflare: email: string
 	}
 	clusters: [ID=_]: {
 		name:    string & ID
@@ -199,6 +269,7 @@ _apiVersion: "holos.run/v1alpha1"
 				}
 			}
 		}
+		...
 	}
 }
 
@@ -229,7 +300,7 @@ _apiVersion: "holos.run/v1alpha1"
 	// ksObjects holds the flux Kustomization objects for gitops
 	ksObjects: [...#Kustomization] | *[#Kustomization]
 	// ksContent is the yaml representation of kustomization
-	ksContent: yaml.MarshalStream(ksObjects)
+	ksContent: yaml.Marshal(#Kustomization)
 	// platform returns the platform data structure for visibility / troubleshooting.
 	platform: #Platform
 }
@@ -280,6 +351,15 @@ _apiVersion: "holos.run/v1alpha1"
 // #SecretName is the name of a Secret, ususally coupling a Deployment to an ExternalSecret
 #SecretName: string
 
+// Cluster Domain is the cluster specific domain
+#ClusterDomain: #InputKeys.cluster + "." + #Platform.org.domain
+
+// #SidecarInject represents the istio sidecar inject label
+#IstioSidecar: {
+	"sidecar.istio.io/inject": "true"
+	...
+}
+
 // By default, render kind: Skipped so holos knows to skip over intermediate cue files.
 // This enables the use of holos render ./foo/bar/baz/... when bar contains intermediary constraints which are not complete components.
 // Holos skips over these intermediary cue instances.

docs/provisioner/readme.md

@@ -49,7 +49,7 @@ PROJECT_NUMBER="$(gcloud projects describe $PROJECT_ID --format='value(projectNu
 ORG_DOMAIN="example.com"
 ```
 
-## Seed Cluster
+## Provisioner Cluster
 
 ```shell
 gcloud container clusters create-auto provisioner \

pkg/internal/builder/builder.go

@@ -17,6 +17,7 @@ import (
 	"os/exec"
 	"path/filepath"
 	"slices"
+	"strings"
 
 	"cuelang.org/go/cue/cuecontext"
 	"cuelang.org/go/cue/load"
@@ -381,6 +382,13 @@ func runHelm(ctx context.Context, hc *HelmChart, r *Result, path holos.PathCompo
 	chart := hc.Chart
 	helmOut, err := runCmd(ctx, "helm", "template", "--values", valuesPath, "--namespace", hc.Namespace, "--kubeconfig", "/dev/null", "--version", chart.Version, chart.Name, cachedChartPath)
 	if err != nil {
+		stderr := helmOut.stderr.String()
+		lines := strings.Split(stderr, "\n")
+		for _, line := range lines {
+			if strings.HasPrefix(line, "Error:") {
+				err = fmt.Errorf("%s: %w", line, err)
+			}
+		}
 		return wrapper.Wrap(fmt.Errorf("could not run helm template: %w", err))
 	}
 

pkg/version/embedded/minor

@@ -1 +1 @@
-48
+50