(#30) Import istio crds into cue definitions

❯ timoni mod vendor crds -f ~/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
10:30AM INF schemas vendored: extensions.istio.io/wasmplugin/v1alpha1
10:30AM INF schemas vendored: install.istio.io/istiooperator/v1alpha1
10:30AM INF schemas vendored: networking.istio.io/destinationrule/v1alpha3
10:30AM INF schemas vendored: networking.istio.io/destinationrule/v1beta1
10:30AM INF schemas vendored: networking.istio.io/envoyfilter/v1alpha3
10:30AM INF schemas vendored: networking.istio.io/gateway/v1alpha3
10:30AM INF schemas vendored: networking.istio.io/gateway/v1beta1
10:30AM INF schemas vendored: networking.istio.io/proxyconfig/v1beta1
10:30AM INF schemas vendored: networking.istio.io/serviceentry/v1alpha3
10:30AM INF schemas vendored: networking.istio.io/serviceentry/v1beta1
10:30AM INF schemas vendored: networking.istio.io/sidecar/v1alpha3
10:30AM INF schemas vendored: networking.istio.io/sidecar/v1beta1
10:30AM INF schemas vendored: networking.istio.io/virtualservice/v1alpha3
10:30AM INF schemas vendored: networking.istio.io/virtualservice/v1beta1
10:30AM INF schemas vendored: networking.istio.io/workloadentry/v1alpha3
10:30AM INF schemas vendored: networking.istio.io/workloadentry/v1beta1
10:30AM INF schemas vendored: networking.istio.io/workloadgroup/v1alpha3
10:30AM INF schemas vendored: networking.istio.io/workloadgroup/v1beta1
10:30AM INF schemas vendored: security.istio.io/authorizationpolicy/v1
10:30AM INF schemas vendored: security.istio.io/authorizationpolicy/v1beta1
10:30AM INF schemas vendored: security.istio.io/peerauthentication/v1beta1
10:30AM INF schemas vendored: security.istio.io/requestauthentication/v1
10:30AM INF schemas vendored: security.istio.io/requestauthentication/v1beta1
10:30AM INF schemas vendored: telemetry.istio.io/telemetry/v1alpha1

.golangci.yaml

@@ -0,0 +1,2 @@
+run:
+  timeout: 5m

docs/examples/cue.mod/gen/extensions.istio.io/wasmplugin/v1alpha1/types_gen.cue

@@ -0,0 +1,123 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1alpha1
+
+import (
+	"strings"
+	"list"
+)
+
+#WasmPlugin: {
+	// Extend the functionality provided by the Istio proxy through
+	// WebAssembly filters. See more details at:
+	// https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html
+	spec!:      #WasmPluginSpec
+	apiVersion: "extensions.istio.io/v1alpha1"
+	kind:       "WasmPlugin"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Extend the functionality provided by the Istio proxy through
+// WebAssembly filters. See more details at:
+// https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html
+#WasmPluginSpec: {
+	// Specifies the failure behavior for the plugin due to fatal
+	// errors.
+	failStrategy?: "FAIL_CLOSE" | "FAIL_OPEN"
+
+	// The pull behaviour to be applied when fetching Wasm module by
+	// either OCI image or http/https.
+	imagePullPolicy?: "UNSPECIFIED_POLICY" | "IfNotPresent" | "Always"
+
+	// Credentials to use for OCI image pulling.
+	imagePullSecret?: strings.MaxRunes(253) & strings.MinRunes(1)
+
+	// Specifies the criteria to determine which traffic is passed to
+	// WasmPlugin.
+	match?: [...{
+		// Criteria for selecting traffic by their direction.
+		mode?: "UNDEFINED" | "CLIENT" | "SERVER" | "CLIENT_AND_SERVER"
+
+		// Criteria for selecting traffic by their destination port.
+		ports?: [...{
+			number: uint16 & >=1
+		}]
+	}]
+
+	// Determines where in the filter chain this `WasmPlugin` is to be
+	// injected.
+	phase?: "UNSPECIFIED_PHASE" | "AUTHN" | "AUTHZ" | "STATS"
+
+	// The configuration that will be passed on to the plugin.
+	pluginConfig?: {
+		...
+	}
+
+	// The plugin name to be used in the Envoy configuration (used to
+	// be called `rootID`).
+	pluginName?: strings.MaxRunes(256) & strings.MinRunes(1)
+
+	// Determines ordering of `WasmPlugins` in the same `phase`.
+	priority?: null | int
+	selector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which a policy should be applied.
+		matchLabels?: {
+			[string]: string
+		}
+	}
+
+	// SHA256 checksum that will be used to verify Wasm module or OCI
+	// container.
+	sha256?: =~"(^$|^[a-f0-9]{64}$)"
+
+	// Optional.
+	targetRef?: {
+		// group is the group of the target resource.
+		group?: string
+
+		// kind is kind of the target resource.
+		kind?: string
+
+		// name is the name of the target resource.
+		name?: string
+
+		// namespace is the namespace of the referent.
+		namespace?: string
+	}
+
+	// Specifies the type of Wasm Extension to be used.
+	type?: "UNSPECIFIED_PLUGIN_TYPE" | "HTTP" | "NETWORK"
+
+	// URL of a Wasm module or OCI container.
+	url:              strings.MinRunes(1)
+	verificationKey?: string
+	vmConfig?: {
+		// Specifies environment variables to be injected to this VM.
+		env?: list.MaxItems(256) & [...{
+			// Name of the environment variable.
+			name: strings.MaxRunes(256) & strings.MinRunes(1)
+
+			// Value for the environment variable.
+			value?: strings.MaxRunes(2048)
+
+			// Source for the environment variable's value.
+			valueFrom?: "INLINE" | "HOST"
+		}]
+	}
+}

docs/examples/cue.mod/gen/install.istio.io/istiooperator/v1alpha1/types_gen.cue

@@ -0,0 +1,27 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1alpha1
+
+import "strings"
+
+#IstioOperator: {
+	apiVersion: "install.istio.io/v1alpha1"
+	kind:       "IstioOperator"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+	...
+}

docs/examples/cue.mod/gen/networking.istio.io/destinationrule/v1alpha3/types_gen.cue

@@ -0,0 +1,967 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1alpha3
+
+import "strings"
+
+#DestinationRule: {
+	// Configuration affecting load balancing, outlier detection, etc.
+	// See more details at:
+	// https://istio.io/docs/reference/config/networking/destination-rule.html
+	spec!:      #DestinationRuleSpec
+	apiVersion: "networking.istio.io/v1alpha3"
+	kind:       "DestinationRule"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting load balancing, outlier detection, etc.
+// See more details at:
+// https://istio.io/docs/reference/config/networking/destination-rule.html
+#DestinationRuleSpec: {
+	// A list of namespaces to which this destination rule is
+	// exported.
+	exportTo?: [...string]
+
+	// The name of a service from the service registry.
+	host: string
+
+	// One or more named sets that represent individual versions of a
+	// service.
+	subsets?: [...{
+		// Labels apply a filter over the endpoints of a service in the
+		// service registry.
+		labels?: {
+			[string]: string
+		}
+
+		// Name of the subset.
+		name: string
+
+		// Traffic policies that apply to this subset.
+		trafficPolicy?: {
+			connectionPool?: {
+				// HTTP connection pool settings.
+				http?: {
+					// Specify if http1.1 connection should be upgraded to http2 for
+					// the associated destination.
+					h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
+
+					// Maximum number of requests that will be queued while waiting
+					// for a ready connection pool connection.
+					http1MaxPendingRequests?: int
+
+					// Maximum number of active requests to a destination.
+					http2MaxRequests?: int
+
+					// The idle timeout for upstream connection pool connections.
+					idleTimeout?: string
+
+					// Maximum number of requests per connection to a backend.
+					maxRequestsPerConnection?: int
+
+					// Maximum number of retries that can be outstanding to all hosts
+					// in a cluster at a given time.
+					maxRetries?: int
+
+					// If set to true, client protocol will be preserved while
+					// initiating connection to backend.
+					useClientProtocol?: bool
+				}
+
+				// Settings common to both HTTP and TCP upstream connections.
+				tcp?: {
+					// TCP connection timeout.
+					connectTimeout?: string
+
+					// The maximum duration of a connection.
+					maxConnectionDuration?: string
+
+					// Maximum number of HTTP1 /TCP connections to a destination host.
+					maxConnections?: int
+
+					// If set then set SO_KEEPALIVE on the socket to enable TCP
+					// Keepalives.
+					tcpKeepalive?: {
+						// The time duration between keep-alive probes.
+						interval?: string
+
+						// Maximum number of keepalive probes to send without response
+						// before deciding the connection is dead.
+						probes?: int
+
+						// The time duration a connection needs to be idle before
+						// keep-alive probes start being sent.
+						time?: string
+					}
+				}
+			}
+
+			// Settings controlling the load balancer algorithms.
+			loadBalancer?: ({} | {
+				simple: _
+			} | {
+				consistentHash: _
+			}) & {
+				consistentHash?: ({} | {
+					httpHeaderName: _
+				} | {
+					httpCookie: _
+				} | {
+					useSourceIp: _
+				} | {
+					httpQueryParameterName: _
+				}) & ({} | {
+					ringHash: _
+				} | {
+					maglev: _
+				}) & {
+					// Hash based on HTTP cookie.
+					httpCookie?: {
+						// Name of the cookie.
+						name: string
+
+						// Path to set for the cookie.
+						path?: string
+
+						// Lifetime of the cookie.
+						ttl?: string
+					}
+
+					// Hash based on a specific HTTP header.
+					httpHeaderName?: string
+
+					// Hash based on a specific HTTP query parameter.
+					httpQueryParameterName?: string
+					maglev?: {
+						// The table size for Maglev hashing.
+						tableSize?: int
+					}
+
+					// Deprecated.
+					minimumRingSize?: int
+					ringHash?: {
+						// The minimum number of virtual nodes to use for the hash ring.
+						minimumRingSize?: int
+					}
+
+					// Hash based on the source IP address.
+					useSourceIp?: bool
+				}
+				localityLbSetting?: {
+					// Optional: only one of distribute, failover or failoverPriority
+					// can be set.
+					distribute?: [...{
+						// Originating locality, '/' separated, e.g.
+						from?: string
+
+						// Map of upstream localities to traffic distribution weights.
+						to?: {
+							[string]: int
+						}
+					}]
+
+					// enable locality load balancing, this is DestinationRule-level
+					// and will override mesh wide settings in entirety.
+					enabled?: null | bool
+
+					// Optional: only one of distribute, failover or failoverPriority
+					// can be set.
+					failover?: [...{
+						// Originating region.
+						from?: string
+
+						// Destination region the traffic will fail over to when endpoints
+						// in the 'from' region becomes unhealthy.
+						to?: string
+					}]
+
+					// failoverPriority is an ordered list of labels used to sort
+					// endpoints to do priority based load balancing.
+					failoverPriority?: [...string]
+				}
+				simple?: "UNSPECIFIED" | "LEAST_CONN" | "RANDOM" | "PASSTHROUGH" | "ROUND_ROBIN" | "LEAST_REQUEST"
+
+				// Represents the warmup duration of Service.
+				warmupDurationSecs?: string
+			}
+			outlierDetection?: {
+				// Minimum ejection duration.
+				baseEjectionTime?: string
+
+				// Number of 5xx errors before a host is ejected from the
+				// connection pool.
+				consecutive5xxErrors?: null | int
+				consecutiveErrors?:    int
+
+				// Number of gateway errors before a host is ejected from the
+				// connection pool.
+				consecutiveGatewayErrors?: null | int
+
+				// The number of consecutive locally originated failures before
+				// ejection occurs.
+				consecutiveLocalOriginFailures?: null | int
+
+				// Time interval between ejection sweep analysis.
+				interval?: string
+
+				// Maximum % of hosts in the load balancing pool for the upstream
+				// service that can be ejected.
+				maxEjectionPercent?: int
+
+				// Outlier detection will be enabled as long as the associated
+				// load balancing pool has at least min_health_percent hosts in
+				// healthy mode.
+				minHealthPercent?: int
+
+				// Determines whether to distinguish local origin failures from
+				// external errors.
+				splitExternalLocalOriginErrors?: bool
+			}
+
+			// Traffic policies specific to individual ports.
+			portLevelSettings?: [...{
+				connectionPool?: {
+					// HTTP connection pool settings.
+					http?: {
+						// Specify if http1.1 connection should be upgraded to http2 for
+						// the associated destination.
+						h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
+
+						// Maximum number of requests that will be queued while waiting
+						// for a ready connection pool connection.
+						http1MaxPendingRequests?: int
+
+						// Maximum number of active requests to a destination.
+						http2MaxRequests?: int
+
+						// The idle timeout for upstream connection pool connections.
+						idleTimeout?: string
+
+						// Maximum number of requests per connection to a backend.
+						maxRequestsPerConnection?: int
+
+						// Maximum number of retries that can be outstanding to all hosts
+						// in a cluster at a given time.
+						maxRetries?: int
+
+						// If set to true, client protocol will be preserved while
+						// initiating connection to backend.
+						useClientProtocol?: bool
+					}
+
+					// Settings common to both HTTP and TCP upstream connections.
+					tcp?: {
+						// TCP connection timeout.
+						connectTimeout?: string
+
+						// The maximum duration of a connection.
+						maxConnectionDuration?: string
+
+						// Maximum number of HTTP1 /TCP connections to a destination host.
+						maxConnections?: int
+
+						// If set then set SO_KEEPALIVE on the socket to enable TCP
+						// Keepalives.
+						tcpKeepalive?: {
+							// The time duration between keep-alive probes.
+							interval?: string
+
+							// Maximum number of keepalive probes to send without response
+							// before deciding the connection is dead.
+							probes?: int
+
+							// The time duration a connection needs to be idle before
+							// keep-alive probes start being sent.
+							time?: string
+						}
+					}
+				}
+
+				// Settings controlling the load balancer algorithms.
+				loadBalancer?: ({} | {
+					simple: _
+				} | {
+					consistentHash: _
+				}) & {
+					consistentHash?: ({} | {
+						httpHeaderName: _
+					} | {
+						httpCookie: _
+					} | {
+						useSourceIp: _
+					} | {
+						httpQueryParameterName: _
+					}) & ({} | {
+						ringHash: _
+					} | {
+						maglev: _
+					}) & {
+						// Hash based on HTTP cookie.
+						httpCookie?: {
+							// Name of the cookie.
+							name: string
+
+							// Path to set for the cookie.
+							path?: string
+
+							// Lifetime of the cookie.
+							ttl?: string
+						}
+
+						// Hash based on a specific HTTP header.
+						httpHeaderName?: string
+
+						// Hash based on a specific HTTP query parameter.
+						httpQueryParameterName?: string
+						maglev?: {
+							// The table size for Maglev hashing.
+							tableSize?: int
+						}
+
+						// Deprecated.
+						minimumRingSize?: int
+						ringHash?: {
+							// The minimum number of virtual nodes to use for the hash ring.
+							minimumRingSize?: int
+						}
+
+						// Hash based on the source IP address.
+						useSourceIp?: bool
+					}
+					localityLbSetting?: {
+						// Optional: only one of distribute, failover or failoverPriority
+						// can be set.
+						distribute?: [...{
+							// Originating locality, '/' separated, e.g.
+							from?: string
+
+							// Map of upstream localities to traffic distribution weights.
+							to?: {
+								[string]: int
+							}
+						}]
+
+						// enable locality load balancing, this is DestinationRule-level
+						// and will override mesh wide settings in entirety.
+						enabled?: null | bool
+
+						// Optional: only one of distribute, failover or failoverPriority
+						// can be set.
+						failover?: [...{
+							// Originating region.
+							from?: string
+
+							// Destination region the traffic will fail over to when endpoints
+							// in the 'from' region becomes unhealthy.
+							to?: string
+						}]
+
+						// failoverPriority is an ordered list of labels used to sort
+						// endpoints to do priority based load balancing.
+						failoverPriority?: [...string]
+					}
+					simple?: "UNSPECIFIED" | "LEAST_CONN" | "RANDOM" | "PASSTHROUGH" | "ROUND_ROBIN" | "LEAST_REQUEST"
+
+					// Represents the warmup duration of Service.
+					warmupDurationSecs?: string
+				}
+				outlierDetection?: {
+					// Minimum ejection duration.
+					baseEjectionTime?: string
+
+					// Number of 5xx errors before a host is ejected from the
+					// connection pool.
+					consecutive5xxErrors?: null | int
+					consecutiveErrors?:    int
+
+					// Number of gateway errors before a host is ejected from the
+					// connection pool.
+					consecutiveGatewayErrors?: null | int
+
+					// The number of consecutive locally originated failures before
+					// ejection occurs.
+					consecutiveLocalOriginFailures?: null | int
+
+					// Time interval between ejection sweep analysis.
+					interval?: string
+
+					// Maximum % of hosts in the load balancing pool for the upstream
+					// service that can be ejected.
+					maxEjectionPercent?: int
+
+					// Outlier detection will be enabled as long as the associated
+					// load balancing pool has at least min_health_percent hosts in
+					// healthy mode.
+					minHealthPercent?: int
+
+					// Determines whether to distinguish local origin failures from
+					// external errors.
+					splitExternalLocalOriginErrors?: bool
+				}
+				port?: {
+					number?: int
+				}
+
+				// TLS related settings for connections to the upstream service.
+				tls?: {
+					// OPTIONAL: The path to the file containing certificate authority
+					// certificates to use in verifying a presented server
+					// certificate.
+					caCertificates?: string
+
+					// REQUIRED if mode is `MUTUAL`.
+					clientCertificate?: string
+
+					// The name of the secret that holds the TLS certs for the client
+					// including the CA certificates.
+					credentialName?: string
+
+					// `insecureSkipVerify` specifies whether the proxy should skip
+					// verifying the CA signature and SAN for the server certificate
+					// corresponding to the host.
+					insecureSkipVerify?: null | bool
+
+					// Indicates whether connections to this port should be secured
+					// using TLS.
+					mode?: "DISABLE" | "SIMPLE" | "MUTUAL" | "ISTIO_MUTUAL"
+
+					// REQUIRED if mode is `MUTUAL`.
+					privateKey?: string
+
+					// SNI string to present to the server during TLS handshake.
+					sni?: string
+
+					// A list of alternate names to verify the subject identity in the
+					// certificate.
+					subjectAltNames?: [...string]
+				}
+			}]
+
+			// TLS related settings for connections to the upstream service.
+			tls?: {
+				// OPTIONAL: The path to the file containing certificate authority
+				// certificates to use in verifying a presented server
+				// certificate.
+				caCertificates?: string
+
+				// REQUIRED if mode is `MUTUAL`.
+				clientCertificate?: string
+
+				// The name of the secret that holds the TLS certs for the client
+				// including the CA certificates.
+				credentialName?: string
+
+				// `insecureSkipVerify` specifies whether the proxy should skip
+				// verifying the CA signature and SAN for the server certificate
+				// corresponding to the host.
+				insecureSkipVerify?: null | bool
+
+				// Indicates whether connections to this port should be secured
+				// using TLS.
+				mode?: "DISABLE" | "SIMPLE" | "MUTUAL" | "ISTIO_MUTUAL"
+
+				// REQUIRED if mode is `MUTUAL`.
+				privateKey?: string
+
+				// SNI string to present to the server during TLS handshake.
+				sni?: string
+
+				// A list of alternate names to verify the subject identity in the
+				// certificate.
+				subjectAltNames?: [...string]
+			}
+
+			// Configuration of tunneling TCP over other transport or
+			// application layers for the host configured in the
+			// DestinationRule.
+			tunnel?: {
+				// Specifies which protocol to use for tunneling the downstream
+				// connection.
+				protocol?: string
+
+				// Specifies a host to which the downstream connection is
+				// tunneled.
+				targetHost: string
+
+				// Specifies a port to which the downstream connection is
+				// tunneled.
+				targetPort: int
+			}
+		}
+	}]
+
+	// Traffic policies to apply (load balancing policy, connection
+	// pool sizes, outlier detection).
+	trafficPolicy?: {
+		connectionPool?: {
+			// HTTP connection pool settings.
+			http?: {
+				// Specify if http1.1 connection should be upgraded to http2 for
+				// the associated destination.
+				h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
+
+				// Maximum number of requests that will be queued while waiting
+				// for a ready connection pool connection.
+				http1MaxPendingRequests?: int
+
+				// Maximum number of active requests to a destination.
+				http2MaxRequests?: int
+
+				// The idle timeout for upstream connection pool connections.
+				idleTimeout?: string
+
+				// Maximum number of requests per connection to a backend.
+				maxRequestsPerConnection?: int
+
+				// Maximum number of retries that can be outstanding to all hosts
+				// in a cluster at a given time.
+				maxRetries?: int
+
+				// If set to true, client protocol will be preserved while
+				// initiating connection to backend.
+				useClientProtocol?: bool
+			}
+
+			// Settings common to both HTTP and TCP upstream connections.
+			tcp?: {
+				// TCP connection timeout.
+				connectTimeout?: string
+
+				// The maximum duration of a connection.
+				maxConnectionDuration?: string
+
+				// Maximum number of HTTP1 /TCP connections to a destination host.
+				maxConnections?: int
+
+				// If set then set SO_KEEPALIVE on the socket to enable TCP
+				// Keepalives.
+				tcpKeepalive?: {
+					// The time duration between keep-alive probes.
+					interval?: string
+
+					// Maximum number of keepalive probes to send without response
+					// before deciding the connection is dead.
+					probes?: int
+
+					// The time duration a connection needs to be idle before
+					// keep-alive probes start being sent.
+					time?: string
+				}
+			}
+		}
+
+		// Settings controlling the load balancer algorithms.
+		loadBalancer?: ({} | {
+			simple: _
+		} | {
+			consistentHash: _
+		}) & {
+			consistentHash?: ({} | {
+				httpHeaderName: _
+			} | {
+				httpCookie: _
+			} | {
+				useSourceIp: _
+			} | {
+				httpQueryParameterName: _
+			}) & ({} | {
+				ringHash: _
+			} | {
+				maglev: _
+			}) & {
+				// Hash based on HTTP cookie.
+				httpCookie?: {
+					// Name of the cookie.
+					name: string
+
+					// Path to set for the cookie.
+					path?: string
+
+					// Lifetime of the cookie.
+					ttl?: string
+				}
+
+				// Hash based on a specific HTTP header.
+				httpHeaderName?: string
+
+				// Hash based on a specific HTTP query parameter.
+				httpQueryParameterName?: string
+				maglev?: {
+					// The table size for Maglev hashing.
+					tableSize?: int
+				}
+
+				// Deprecated.
+				minimumRingSize?: int
+				ringHash?: {
+					// The minimum number of virtual nodes to use for the hash ring.
+					minimumRingSize?: int
+				}
+
+				// Hash based on the source IP address.
+				useSourceIp?: bool
+			}
+			localityLbSetting?: {
+				// Optional: only one of distribute, failover or failoverPriority
+				// can be set.
+				distribute?: [...{
+					// Originating locality, '/' separated, e.g.
+					from?: string
+
+					// Map of upstream localities to traffic distribution weights.
+					to?: {
+						[string]: int
+					}
+				}]
+
+				// enable locality load balancing, this is DestinationRule-level
+				// and will override mesh wide settings in entirety.
+				enabled?: null | bool
+
+				// Optional: only one of distribute, failover or failoverPriority
+				// can be set.
+				failover?: [...{
+					// Originating region.
+					from?: string
+
+					// Destination region the traffic will fail over to when endpoints
+					// in the 'from' region becomes unhealthy.
+					to?: string
+				}]
+
+				// failoverPriority is an ordered list of labels used to sort
+				// endpoints to do priority based load balancing.
+				failoverPriority?: [...string]
+			}
+			simple?: "UNSPECIFIED" | "LEAST_CONN" | "RANDOM" | "PASSTHROUGH" | "ROUND_ROBIN" | "LEAST_REQUEST"
+
+			// Represents the warmup duration of Service.
+			warmupDurationSecs?: string
+		}
+		outlierDetection?: {
+			// Minimum ejection duration.
+			baseEjectionTime?: string
+
+			// Number of 5xx errors before a host is ejected from the
+			// connection pool.
+			consecutive5xxErrors?: null | int
+			consecutiveErrors?:    int
+
+			// Number of gateway errors before a host is ejected from the
+			// connection pool.
+			consecutiveGatewayErrors?: null | int
+
+			// The number of consecutive locally originated failures before
+			// ejection occurs.
+			consecutiveLocalOriginFailures?: null | int
+
+			// Time interval between ejection sweep analysis.
+			interval?: string
+
+			// Maximum % of hosts in the load balancing pool for the upstream
+			// service that can be ejected.
+			maxEjectionPercent?: int
+
+			// Outlier detection will be enabled as long as the associated
+			// load balancing pool has at least min_health_percent hosts in
+			// healthy mode.
+			minHealthPercent?: int
+
+			// Determines whether to distinguish local origin failures from
+			// external errors.
+			splitExternalLocalOriginErrors?: bool
+		}
+
+		// Traffic policies specific to individual ports.
+		portLevelSettings?: [...{
+			connectionPool?: {
+				// HTTP connection pool settings.
+				http?: {
+					// Specify if http1.1 connection should be upgraded to http2 for
+					// the associated destination.
+					h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
+
+					// Maximum number of requests that will be queued while waiting
+					// for a ready connection pool connection.
+					http1MaxPendingRequests?: int
+
+					// Maximum number of active requests to a destination.
+					http2MaxRequests?: int
+
+					// The idle timeout for upstream connection pool connections.
+					idleTimeout?: string
+
+					// Maximum number of requests per connection to a backend.
+					maxRequestsPerConnection?: int
+
+					// Maximum number of retries that can be outstanding to all hosts
+					// in a cluster at a given time.
+					maxRetries?: int
+
+					// If set to true, client protocol will be preserved while
+					// initiating connection to backend.
+					useClientProtocol?: bool
+				}
+
+				// Settings common to both HTTP and TCP upstream connections.
+				tcp?: {
+					// TCP connection timeout.
+					connectTimeout?: string
+
+					// The maximum duration of a connection.
+					maxConnectionDuration?: string
+
+					// Maximum number of HTTP1 /TCP connections to a destination host.
+					maxConnections?: int
+
+					// If set then set SO_KEEPALIVE on the socket to enable TCP
+					// Keepalives.
+					tcpKeepalive?: {
+						// The time duration between keep-alive probes.
+						interval?: string
+
+						// Maximum number of keepalive probes to send without response
+						// before deciding the connection is dead.
+						probes?: int
+
+						// The time duration a connection needs to be idle before
+						// keep-alive probes start being sent.
+						time?: string
+					}
+				}
+			}
+
+			// Settings controlling the load balancer algorithms.
+			loadBalancer?: ({} | {
+				simple: _
+			} | {
+				consistentHash: _
+			}) & {
+				consistentHash?: ({} | {
+					httpHeaderName: _
+				} | {
+					httpCookie: _
+				} | {
+					useSourceIp: _
+				} | {
+					httpQueryParameterName: _
+				}) & ({} | {
+					ringHash: _
+				} | {
+					maglev: _
+				}) & {
+					// Hash based on HTTP cookie.
+					httpCookie?: {
+						// Name of the cookie.
+						name: string
+
+						// Path to set for the cookie.
+						path?: string
+
+						// Lifetime of the cookie.
+						ttl?: string
+					}
+
+					// Hash based on a specific HTTP header.
+					httpHeaderName?: string
+
+					// Hash based on a specific HTTP query parameter.
+					httpQueryParameterName?: string
+					maglev?: {
+						// The table size for Maglev hashing.
+						tableSize?: int
+					}
+
+					// Deprecated.
+					minimumRingSize?: int
+					ringHash?: {
+						// The minimum number of virtual nodes to use for the hash ring.
+						minimumRingSize?: int
+					}
+
+					// Hash based on the source IP address.
+					useSourceIp?: bool
+				}
+				localityLbSetting?: {
+					// Optional: only one of distribute, failover or failoverPriority
+					// can be set.
+					distribute?: [...{
+						// Originating locality, '/' separated, e.g.
+						from?: string
+
+						// Map of upstream localities to traffic distribution weights.
+						to?: {
+							[string]: int
+						}
+					}]
+
+					// enable locality load balancing, this is DestinationRule-level
+					// and will override mesh wide settings in entirety.
+					enabled?: null | bool
+
+					// Optional: only one of distribute, failover or failoverPriority
+					// can be set.
+					failover?: [...{
+						// Originating region.
+						from?: string
+
+						// Destination region the traffic will fail over to when endpoints
+						// in the 'from' region becomes unhealthy.
+						to?: string
+					}]
+
+					// failoverPriority is an ordered list of labels used to sort
+					// endpoints to do priority based load balancing.
+					failoverPriority?: [...string]
+				}
+				simple?: "UNSPECIFIED" | "LEAST_CONN" | "RANDOM" | "PASSTHROUGH" | "ROUND_ROBIN" | "LEAST_REQUEST"
+
+				// Represents the warmup duration of Service.
+				warmupDurationSecs?: string
+			}
+			outlierDetection?: {
+				// Minimum ejection duration.
+				baseEjectionTime?: string
+
+				// Number of 5xx errors before a host is ejected from the
+				// connection pool.
+				consecutive5xxErrors?: null | int
+				consecutiveErrors?:    int
+
+				// Number of gateway errors before a host is ejected from the
+				// connection pool.
+				consecutiveGatewayErrors?: null | int
+
+				// The number of consecutive locally originated failures before
+				// ejection occurs.
+				consecutiveLocalOriginFailures?: null | int
+
+				// Time interval between ejection sweep analysis.
+				interval?: string
+
+				// Maximum % of hosts in the load balancing pool for the upstream
+				// service that can be ejected.
+				maxEjectionPercent?: int
+
+				// Outlier detection will be enabled as long as the associated
+				// load balancing pool has at least min_health_percent hosts in
+				// healthy mode.
+				minHealthPercent?: int
+
+				// Determines whether to distinguish local origin failures from
+				// external errors.
+				splitExternalLocalOriginErrors?: bool
+			}
+			port?: {
+				number?: int
+			}
+
+			// TLS related settings for connections to the upstream service.
+			tls?: {
+				// OPTIONAL: The path to the file containing certificate authority
+				// certificates to use in verifying a presented server
+				// certificate.
+				caCertificates?: string
+
+				// REQUIRED if mode is `MUTUAL`.
+				clientCertificate?: string
+
+				// The name of the secret that holds the TLS certs for the client
+				// including the CA certificates.
+				credentialName?: string
+
+				// `insecureSkipVerify` specifies whether the proxy should skip
+				// verifying the CA signature and SAN for the server certificate
+				// corresponding to the host.
+				insecureSkipVerify?: null | bool
+
+				// Indicates whether connections to this port should be secured
+				// using TLS.
+				mode?: "DISABLE" | "SIMPLE" | "MUTUAL" | "ISTIO_MUTUAL"
+
+				// REQUIRED if mode is `MUTUAL`.
+				privateKey?: string
+
+				// SNI string to present to the server during TLS handshake.
+				sni?: string
+
+				// A list of alternate names to verify the subject identity in the
+				// certificate.
+				subjectAltNames?: [...string]
+			}
+		}]
+
+		// TLS related settings for connections to the upstream service.
+		tls?: {
+			// OPTIONAL: The path to the file containing certificate authority
+			// certificates to use in verifying a presented server
+			// certificate.
+			caCertificates?: string
+
+			// REQUIRED if mode is `MUTUAL`.
+			clientCertificate?: string
+
+			// The name of the secret that holds the TLS certs for the client
+			// including the CA certificates.
+			credentialName?: string
+
+			// `insecureSkipVerify` specifies whether the proxy should skip
+			// verifying the CA signature and SAN for the server certificate
+			// corresponding to the host.
+			insecureSkipVerify?: null | bool
+
+			// Indicates whether connections to this port should be secured
+			// using TLS.
+			mode?: "DISABLE" | "SIMPLE" | "MUTUAL" | "ISTIO_MUTUAL"
+
+			// REQUIRED if mode is `MUTUAL`.
+			privateKey?: string
+
+			// SNI string to present to the server during TLS handshake.
+			sni?: string
+
+			// A list of alternate names to verify the subject identity in the
+			// certificate.
+			subjectAltNames?: [...string]
+		}
+
+		// Configuration of tunneling TCP over other transport or
+		// application layers for the host configured in the
+		// DestinationRule.
+		tunnel?: {
+			// Specifies which protocol to use for tunneling the downstream
+			// connection.
+			protocol?: string
+
+			// Specifies a host to which the downstream connection is
+			// tunneled.
+			targetHost: string
+
+			// Specifies a port to which the downstream connection is
+			// tunneled.
+			targetPort: int
+		}
+	}
+	workloadSelector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which a policy should be applied.
+		matchLabels?: {
+			[string]: string
+		}
+	}
+}

docs/examples/cue.mod/gen/networking.istio.io/destinationrule/v1beta1/types_gen.cue

@@ -0,0 +1,967 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1beta1
+
+import "strings"
+
+#DestinationRule: {
+	// Configuration affecting load balancing, outlier detection, etc.
+	// See more details at:
+	// https://istio.io/docs/reference/config/networking/destination-rule.html
+	spec!:      #DestinationRuleSpec
+	apiVersion: "networking.istio.io/v1beta1"
+	kind:       "DestinationRule"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting load balancing, outlier detection, etc.
+// See more details at:
+// https://istio.io/docs/reference/config/networking/destination-rule.html
+#DestinationRuleSpec: {
+	// A list of namespaces to which this destination rule is
+	// exported.
+	exportTo?: [...string]
+
+	// The name of a service from the service registry.
+	host: string
+
+	// One or more named sets that represent individual versions of a
+	// service.
+	subsets?: [...{
+		// Labels apply a filter over the endpoints of a service in the
+		// service registry.
+		labels?: {
+			[string]: string
+		}
+
+		// Name of the subset.
+		name: string
+
+		// Traffic policies that apply to this subset.
+		trafficPolicy?: {
+			connectionPool?: {
+				// HTTP connection pool settings.
+				http?: {
+					// Specify if http1.1 connection should be upgraded to http2 for
+					// the associated destination.
+					h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
+
+					// Maximum number of requests that will be queued while waiting
+					// for a ready connection pool connection.
+					http1MaxPendingRequests?: int
+
+					// Maximum number of active requests to a destination.
+					http2MaxRequests?: int
+
+					// The idle timeout for upstream connection pool connections.
+					idleTimeout?: string
+
+					// Maximum number of requests per connection to a backend.
+					maxRequestsPerConnection?: int
+
+					// Maximum number of retries that can be outstanding to all hosts
+					// in a cluster at a given time.
+					maxRetries?: int
+
+					// If set to true, client protocol will be preserved while
+					// initiating connection to backend.
+					useClientProtocol?: bool
+				}
+
+				// Settings common to both HTTP and TCP upstream connections.
+				tcp?: {
+					// TCP connection timeout.
+					connectTimeout?: string
+
+					// The maximum duration of a connection.
+					maxConnectionDuration?: string
+
+					// Maximum number of HTTP1 /TCP connections to a destination host.
+					maxConnections?: int
+
+					// If set then set SO_KEEPALIVE on the socket to enable TCP
+					// Keepalives.
+					tcpKeepalive?: {
+						// The time duration between keep-alive probes.
+						interval?: string
+
+						// Maximum number of keepalive probes to send without response
+						// before deciding the connection is dead.
+						probes?: int
+
+						// The time duration a connection needs to be idle before
+						// keep-alive probes start being sent.
+						time?: string
+					}
+				}
+			}
+
+			// Settings controlling the load balancer algorithms.
+			loadBalancer?: ({} | {
+				simple: _
+			} | {
+				consistentHash: _
+			}) & {
+				consistentHash?: ({} | {
+					httpHeaderName: _
+				} | {
+					httpCookie: _
+				} | {
+					useSourceIp: _
+				} | {
+					httpQueryParameterName: _
+				}) & ({} | {
+					ringHash: _
+				} | {
+					maglev: _
+				}) & {
+					// Hash based on HTTP cookie.
+					httpCookie?: {
+						// Name of the cookie.
+						name: string
+
+						// Path to set for the cookie.
+						path?: string
+
+						// Lifetime of the cookie.
+						ttl?: string
+					}
+
+					// Hash based on a specific HTTP header.
+					httpHeaderName?: string
+
+					// Hash based on a specific HTTP query parameter.
+					httpQueryParameterName?: string
+					maglev?: {
+						// The table size for Maglev hashing.
+						tableSize?: int
+					}
+
+					// Deprecated.
+					minimumRingSize?: int
+					ringHash?: {
+						// The minimum number of virtual nodes to use for the hash ring.
+						minimumRingSize?: int
+					}
+
+					// Hash based on the source IP address.
+					useSourceIp?: bool
+				}
+				localityLbSetting?: {
+					// Optional: only one of distribute, failover or failoverPriority
+					// can be set.
+					distribute?: [...{
+						// Originating locality, '/' separated, e.g.
+						from?: string
+
+						// Map of upstream localities to traffic distribution weights.
+						to?: {
+							[string]: int
+						}
+					}]
+
+					// enable locality load balancing, this is DestinationRule-level
+					// and will override mesh wide settings in entirety.
+					enabled?: null | bool
+
+					// Optional: only one of distribute, failover or failoverPriority
+					// can be set.
+					failover?: [...{
+						// Originating region.
+						from?: string
+
+						// Destination region the traffic will fail over to when endpoints
+						// in the 'from' region becomes unhealthy.
+						to?: string
+					}]
+
+					// failoverPriority is an ordered list of labels used to sort
+					// endpoints to do priority based load balancing.
+					failoverPriority?: [...string]
+				}
+				simple?: "UNSPECIFIED" | "LEAST_CONN" | "RANDOM" | "PASSTHROUGH" | "ROUND_ROBIN" | "LEAST_REQUEST"
+
+				// Represents the warmup duration of Service.
+				warmupDurationSecs?: string
+			}
+			outlierDetection?: {
+				// Minimum ejection duration.
+				baseEjectionTime?: string
+
+				// Number of 5xx errors before a host is ejected from the
+				// connection pool.
+				consecutive5xxErrors?: null | int
+				consecutiveErrors?:    int
+
+				// Number of gateway errors before a host is ejected from the
+				// connection pool.
+				consecutiveGatewayErrors?: null | int
+
+				// The number of consecutive locally originated failures before
+				// ejection occurs.
+				consecutiveLocalOriginFailures?: null | int
+
+				// Time interval between ejection sweep analysis.
+				interval?: string
+
+				// Maximum % of hosts in the load balancing pool for the upstream
+				// service that can be ejected.
+				maxEjectionPercent?: int
+
+				// Outlier detection will be enabled as long as the associated
+				// load balancing pool has at least min_health_percent hosts in
+				// healthy mode.
+				minHealthPercent?: int
+
+				// Determines whether to distinguish local origin failures from
+				// external errors.
+				splitExternalLocalOriginErrors?: bool
+			}
+
+			// Traffic policies specific to individual ports.
+			portLevelSettings?: [...{
+				connectionPool?: {
+					// HTTP connection pool settings.
+					http?: {
+						// Specify if http1.1 connection should be upgraded to http2 for
+						// the associated destination.
+						h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
+
+						// Maximum number of requests that will be queued while waiting
+						// for a ready connection pool connection.
+						http1MaxPendingRequests?: int
+
+						// Maximum number of active requests to a destination.
+						http2MaxRequests?: int
+
+						// The idle timeout for upstream connection pool connections.
+						idleTimeout?: string
+
+						// Maximum number of requests per connection to a backend.
+						maxRequestsPerConnection?: int
+
+						// Maximum number of retries that can be outstanding to all hosts
+						// in a cluster at a given time.
+						maxRetries?: int
+
+						// If set to true, client protocol will be preserved while
+						// initiating connection to backend.
+						useClientProtocol?: bool
+					}
+
+					// Settings common to both HTTP and TCP upstream connections.
+					tcp?: {
+						// TCP connection timeout.
+						connectTimeout?: string
+
+						// The maximum duration of a connection.
+						maxConnectionDuration?: string
+
+						// Maximum number of HTTP1 /TCP connections to a destination host.
+						maxConnections?: int
+
+						// If set then set SO_KEEPALIVE on the socket to enable TCP
+						// Keepalives.
+						tcpKeepalive?: {
+							// The time duration between keep-alive probes.
+							interval?: string
+
+							// Maximum number of keepalive probes to send without response
+							// before deciding the connection is dead.
+							probes?: int
+
+							// The time duration a connection needs to be idle before
+							// keep-alive probes start being sent.
+							time?: string
+						}
+					}
+				}
+
+				// Settings controlling the load balancer algorithms.
+				loadBalancer?: ({} | {
+					simple: _
+				} | {
+					consistentHash: _
+				}) & {
+					consistentHash?: ({} | {
+						httpHeaderName: _
+					} | {
+						httpCookie: _
+					} | {
+						useSourceIp: _
+					} | {
+						httpQueryParameterName: _
+					}) & ({} | {
+						ringHash: _
+					} | {
+						maglev: _
+					}) & {
+						// Hash based on HTTP cookie.
+						httpCookie?: {
+							// Name of the cookie.
+							name: string
+
+							// Path to set for the cookie.
+							path?: string
+
+							// Lifetime of the cookie.
+							ttl?: string
+						}
+
+						// Hash based on a specific HTTP header.
+						httpHeaderName?: string
+
+						// Hash based on a specific HTTP query parameter.
+						httpQueryParameterName?: string
+						maglev?: {
+							// The table size for Maglev hashing.
+							tableSize?: int
+						}
+
+						// Deprecated.
+						minimumRingSize?: int
+						ringHash?: {
+							// The minimum number of virtual nodes to use for the hash ring.
+							minimumRingSize?: int
+						}
+
+						// Hash based on the source IP address.
+						useSourceIp?: bool
+					}
+					localityLbSetting?: {
+						// Optional: only one of distribute, failover or failoverPriority
+						// can be set.
+						distribute?: [...{
+							// Originating locality, '/' separated, e.g.
+							from?: string
+
+							// Map of upstream localities to traffic distribution weights.
+							to?: {
+								[string]: int
+							}
+						}]
+
+						// enable locality load balancing, this is DestinationRule-level
+						// and will override mesh wide settings in entirety.
+						enabled?: null | bool
+
+						// Optional: only one of distribute, failover or failoverPriority
+						// can be set.
+						failover?: [...{
+							// Originating region.
+							from?: string
+
+							// Destination region the traffic will fail over to when endpoints
+							// in the 'from' region becomes unhealthy.
+							to?: string
+						}]
+
+						// failoverPriority is an ordered list of labels used to sort
+						// endpoints to do priority based load balancing.
+						failoverPriority?: [...string]
+					}
+					simple?: "UNSPECIFIED" | "LEAST_CONN" | "RANDOM" | "PASSTHROUGH" | "ROUND_ROBIN" | "LEAST_REQUEST"
+
+					// Represents the warmup duration of Service.
+					warmupDurationSecs?: string
+				}
+				outlierDetection?: {
+					// Minimum ejection duration.
+					baseEjectionTime?: string
+
+					// Number of 5xx errors before a host is ejected from the
+					// connection pool.
+					consecutive5xxErrors?: null | int
+					consecutiveErrors?:    int
+
+					// Number of gateway errors before a host is ejected from the
+					// connection pool.
+					consecutiveGatewayErrors?: null | int
+
+					// The number of consecutive locally originated failures before
+					// ejection occurs.
+					consecutiveLocalOriginFailures?: null | int
+
+					// Time interval between ejection sweep analysis.
+					interval?: string
+
+					// Maximum % of hosts in the load balancing pool for the upstream
+					// service that can be ejected.
+					maxEjectionPercent?: int
+
+					// Outlier detection will be enabled as long as the associated
+					// load balancing pool has at least min_health_percent hosts in
+					// healthy mode.
+					minHealthPercent?: int
+
+					// Determines whether to distinguish local origin failures from
+					// external errors.
+					splitExternalLocalOriginErrors?: bool
+				}
+				port?: {
+					number?: int
+				}
+
+				// TLS related settings for connections to the upstream service.
+				tls?: {
+					// OPTIONAL: The path to the file containing certificate authority
+					// certificates to use in verifying a presented server
+					// certificate.
+					caCertificates?: string
+
+					// REQUIRED if mode is `MUTUAL`.
+					clientCertificate?: string
+
+					// The name of the secret that holds the TLS certs for the client
+					// including the CA certificates.
+					credentialName?: string
+
+					// `insecureSkipVerify` specifies whether the proxy should skip
+					// verifying the CA signature and SAN for the server certificate
+					// corresponding to the host.
+					insecureSkipVerify?: null | bool
+
+					// Indicates whether connections to this port should be secured
+					// using TLS.
+					mode?: "DISABLE" | "SIMPLE" | "MUTUAL" | "ISTIO_MUTUAL"
+
+					// REQUIRED if mode is `MUTUAL`.
+					privateKey?: string
+
+					// SNI string to present to the server during TLS handshake.
+					sni?: string
+
+					// A list of alternate names to verify the subject identity in the
+					// certificate.
+					subjectAltNames?: [...string]
+				}
+			}]
+
+			// TLS related settings for connections to the upstream service.
+			tls?: {
+				// OPTIONAL: The path to the file containing certificate authority
+				// certificates to use in verifying a presented server
+				// certificate.
+				caCertificates?: string
+
+				// REQUIRED if mode is `MUTUAL`.
+				clientCertificate?: string
+
+				// The name of the secret that holds the TLS certs for the client
+				// including the CA certificates.
+				credentialName?: string
+
+				// `insecureSkipVerify` specifies whether the proxy should skip
+				// verifying the CA signature and SAN for the server certificate
+				// corresponding to the host.
+				insecureSkipVerify?: null | bool
+
+				// Indicates whether connections to this port should be secured
+				// using TLS.
+				mode?: "DISABLE" | "SIMPLE" | "MUTUAL" | "ISTIO_MUTUAL"
+
+				// REQUIRED if mode is `MUTUAL`.
+				privateKey?: string
+
+				// SNI string to present to the server during TLS handshake.
+				sni?: string
+
+				// A list of alternate names to verify the subject identity in the
+				// certificate.
+				subjectAltNames?: [...string]
+			}
+
+			// Configuration of tunneling TCP over other transport or
+			// application layers for the host configured in the
+			// DestinationRule.
+			tunnel?: {
+				// Specifies which protocol to use for tunneling the downstream
+				// connection.
+				protocol?: string
+
+				// Specifies a host to which the downstream connection is
+				// tunneled.
+				targetHost: string
+
+				// Specifies a port to which the downstream connection is
+				// tunneled.
+				targetPort: int
+			}
+		}
+	}]
+
+	// Traffic policies to apply (load balancing policy, connection
+	// pool sizes, outlier detection).
+	trafficPolicy?: {
+		connectionPool?: {
+			// HTTP connection pool settings.
+			http?: {
+				// Specify if http1.1 connection should be upgraded to http2 for
+				// the associated destination.
+				h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
+
+				// Maximum number of requests that will be queued while waiting
+				// for a ready connection pool connection.
+				http1MaxPendingRequests?: int
+
+				// Maximum number of active requests to a destination.
+				http2MaxRequests?: int
+
+				// The idle timeout for upstream connection pool connections.
+				idleTimeout?: string
+
+				// Maximum number of requests per connection to a backend.
+				maxRequestsPerConnection?: int
+
+				// Maximum number of retries that can be outstanding to all hosts
+				// in a cluster at a given time.
+				maxRetries?: int
+
+				// If set to true, client protocol will be preserved while
+				// initiating connection to backend.
+				useClientProtocol?: bool
+			}
+
+			// Settings common to both HTTP and TCP upstream connections.
+			tcp?: {
+				// TCP connection timeout.
+				connectTimeout?: string
+
+				// The maximum duration of a connection.
+				maxConnectionDuration?: string
+
+				// Maximum number of HTTP1 /TCP connections to a destination host.
+				maxConnections?: int
+
+				// If set then set SO_KEEPALIVE on the socket to enable TCP
+				// Keepalives.
+				tcpKeepalive?: {
+					// The time duration between keep-alive probes.
+					interval?: string
+
+					// Maximum number of keepalive probes to send without response
+					// before deciding the connection is dead.
+					probes?: int
+
+					// The time duration a connection needs to be idle before
+					// keep-alive probes start being sent.
+					time?: string
+				}
+			}
+		}
+
+		// Settings controlling the load balancer algorithms.
+		loadBalancer?: ({} | {
+			simple: _
+		} | {
+			consistentHash: _
+		}) & {
+			consistentHash?: ({} | {
+				httpHeaderName: _
+			} | {
+				httpCookie: _
+			} | {
+				useSourceIp: _
+			} | {
+				httpQueryParameterName: _
+			}) & ({} | {
+				ringHash: _
+			} | {
+				maglev: _
+			}) & {
+				// Hash based on HTTP cookie.
+				httpCookie?: {
+					// Name of the cookie.
+					name: string
+
+					// Path to set for the cookie.
+					path?: string
+
+					// Lifetime of the cookie.
+					ttl?: string
+				}
+
+				// Hash based on a specific HTTP header.
+				httpHeaderName?: string
+
+				// Hash based on a specific HTTP query parameter.
+				httpQueryParameterName?: string
+				maglev?: {
+					// The table size for Maglev hashing.
+					tableSize?: int
+				}
+
+				// Deprecated.
+				minimumRingSize?: int
+				ringHash?: {
+					// The minimum number of virtual nodes to use for the hash ring.
+					minimumRingSize?: int
+				}
+
+				// Hash based on the source IP address.
+				useSourceIp?: bool
+			}
+			localityLbSetting?: {
+				// Optional: only one of distribute, failover or failoverPriority
+				// can be set.
+				distribute?: [...{
+					// Originating locality, '/' separated, e.g.
+					from?: string
+
+					// Map of upstream localities to traffic distribution weights.
+					to?: {
+						[string]: int
+					}
+				}]
+
+				// enable locality load balancing, this is DestinationRule-level
+				// and will override mesh wide settings in entirety.
+				enabled?: null | bool
+
+				// Optional: only one of distribute, failover or failoverPriority
+				// can be set.
+				failover?: [...{
+					// Originating region.
+					from?: string
+
+					// Destination region the traffic will fail over to when endpoints
+					// in the 'from' region becomes unhealthy.
+					to?: string
+				}]
+
+				// failoverPriority is an ordered list of labels used to sort
+				// endpoints to do priority based load balancing.
+				failoverPriority?: [...string]
+			}
+			simple?: "UNSPECIFIED" | "LEAST_CONN" | "RANDOM" | "PASSTHROUGH" | "ROUND_ROBIN" | "LEAST_REQUEST"
+
+			// Represents the warmup duration of Service.
+			warmupDurationSecs?: string
+		}
+		outlierDetection?: {
+			// Minimum ejection duration.
+			baseEjectionTime?: string
+
+			// Number of 5xx errors before a host is ejected from the
+			// connection pool.
+			consecutive5xxErrors?: null | int
+			consecutiveErrors?:    int
+
+			// Number of gateway errors before a host is ejected from the
+			// connection pool.
+			consecutiveGatewayErrors?: null | int
+
+			// The number of consecutive locally originated failures before
+			// ejection occurs.
+			consecutiveLocalOriginFailures?: null | int
+
+			// Time interval between ejection sweep analysis.
+			interval?: string
+
+			// Maximum % of hosts in the load balancing pool for the upstream
+			// service that can be ejected.
+			maxEjectionPercent?: int
+
+			// Outlier detection will be enabled as long as the associated
+			// load balancing pool has at least min_health_percent hosts in
+			// healthy mode.
+			minHealthPercent?: int
+
+			// Determines whether to distinguish local origin failures from
+			// external errors.
+			splitExternalLocalOriginErrors?: bool
+		}
+
+		// Traffic policies specific to individual ports.
+		portLevelSettings?: [...{
+			connectionPool?: {
+				// HTTP connection pool settings.
+				http?: {
+					// Specify if http1.1 connection should be upgraded to http2 for
+					// the associated destination.
+					h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
+
+					// Maximum number of requests that will be queued while waiting
+					// for a ready connection pool connection.
+					http1MaxPendingRequests?: int
+
+					// Maximum number of active requests to a destination.
+					http2MaxRequests?: int
+
+					// The idle timeout for upstream connection pool connections.
+					idleTimeout?: string
+
+					// Maximum number of requests per connection to a backend.
+					maxRequestsPerConnection?: int
+
+					// Maximum number of retries that can be outstanding to all hosts
+					// in a cluster at a given time.
+					maxRetries?: int
+
+					// If set to true, client protocol will be preserved while
+					// initiating connection to backend.
+					useClientProtocol?: bool
+				}
+
+				// Settings common to both HTTP and TCP upstream connections.
+				tcp?: {
+					// TCP connection timeout.
+					connectTimeout?: string
+
+					// The maximum duration of a connection.
+					maxConnectionDuration?: string
+
+					// Maximum number of HTTP1 /TCP connections to a destination host.
+					maxConnections?: int
+
+					// If set then set SO_KEEPALIVE on the socket to enable TCP
+					// Keepalives.
+					tcpKeepalive?: {
+						// The time duration between keep-alive probes.
+						interval?: string
+
+						// Maximum number of keepalive probes to send without response
+						// before deciding the connection is dead.
+						probes?: int
+
+						// The time duration a connection needs to be idle before
+						// keep-alive probes start being sent.
+						time?: string
+					}
+				}
+			}
+
+			// Settings controlling the load balancer algorithms.
+			loadBalancer?: ({} | {
+				simple: _
+			} | {
+				consistentHash: _
+			}) & {
+				consistentHash?: ({} | {
+					httpHeaderName: _
+				} | {
+					httpCookie: _
+				} | {
+					useSourceIp: _
+				} | {
+					httpQueryParameterName: _
+				}) & ({} | {
+					ringHash: _
+				} | {
+					maglev: _
+				}) & {
+					// Hash based on HTTP cookie.
+					httpCookie?: {
+						// Name of the cookie.
+						name: string
+
+						// Path to set for the cookie.
+						path?: string
+
+						// Lifetime of the cookie.
+						ttl?: string
+					}
+
+					// Hash based on a specific HTTP header.
+					httpHeaderName?: string
+
+					// Hash based on a specific HTTP query parameter.
+					httpQueryParameterName?: string
+					maglev?: {
+						// The table size for Maglev hashing.
+						tableSize?: int
+					}
+
+					// Deprecated.
+					minimumRingSize?: int
+					ringHash?: {
+						// The minimum number of virtual nodes to use for the hash ring.
+						minimumRingSize?: int
+					}
+
+					// Hash based on the source IP address.
+					useSourceIp?: bool
+				}
+				localityLbSetting?: {
+					// Optional: only one of distribute, failover or failoverPriority
+					// can be set.
+					distribute?: [...{
+						// Originating locality, '/' separated, e.g.
+						from?: string
+
+						// Map of upstream localities to traffic distribution weights.
+						to?: {
+							[string]: int
+						}
+					}]
+
+					// enable locality load balancing, this is DestinationRule-level
+					// and will override mesh wide settings in entirety.
+					enabled?: null | bool
+
+					// Optional: only one of distribute, failover or failoverPriority
+					// can be set.
+					failover?: [...{
+						// Originating region.
+						from?: string
+
+						// Destination region the traffic will fail over to when endpoints
+						// in the 'from' region becomes unhealthy.
+						to?: string
+					}]
+
+					// failoverPriority is an ordered list of labels used to sort
+					// endpoints to do priority based load balancing.
+					failoverPriority?: [...string]
+				}
+				simple?: "UNSPECIFIED" | "LEAST_CONN" | "RANDOM" | "PASSTHROUGH" | "ROUND_ROBIN" | "LEAST_REQUEST"
+
+				// Represents the warmup duration of Service.
+				warmupDurationSecs?: string
+			}
+			outlierDetection?: {
+				// Minimum ejection duration.
+				baseEjectionTime?: string
+
+				// Number of 5xx errors before a host is ejected from the
+				// connection pool.
+				consecutive5xxErrors?: null | int
+				consecutiveErrors?:    int
+
+				// Number of gateway errors before a host is ejected from the
+				// connection pool.
+				consecutiveGatewayErrors?: null | int
+
+				// The number of consecutive locally originated failures before
+				// ejection occurs.
+				consecutiveLocalOriginFailures?: null | int
+
+				// Time interval between ejection sweep analysis.
+				interval?: string
+
+				// Maximum % of hosts in the load balancing pool for the upstream
+				// service that can be ejected.
+				maxEjectionPercent?: int
+
+				// Outlier detection will be enabled as long as the associated
+				// load balancing pool has at least min_health_percent hosts in
+				// healthy mode.
+				minHealthPercent?: int
+
+				// Determines whether to distinguish local origin failures from
+				// external errors.
+				splitExternalLocalOriginErrors?: bool
+			}
+			port?: {
+				number?: int
+			}
+
+			// TLS related settings for connections to the upstream service.
+			tls?: {
+				// OPTIONAL: The path to the file containing certificate authority
+				// certificates to use in verifying a presented server
+				// certificate.
+				caCertificates?: string
+
+				// REQUIRED if mode is `MUTUAL`.
+				clientCertificate?: string
+
+				// The name of the secret that holds the TLS certs for the client
+				// including the CA certificates.
+				credentialName?: string
+
+				// `insecureSkipVerify` specifies whether the proxy should skip
+				// verifying the CA signature and SAN for the server certificate
+				// corresponding to the host.
+				insecureSkipVerify?: null | bool
+
+				// Indicates whether connections to this port should be secured
+				// using TLS.
+				mode?: "DISABLE" | "SIMPLE" | "MUTUAL" | "ISTIO_MUTUAL"
+
+				// REQUIRED if mode is `MUTUAL`.
+				privateKey?: string
+
+				// SNI string to present to the server during TLS handshake.
+				sni?: string
+
+				// A list of alternate names to verify the subject identity in the
+				// certificate.
+				subjectAltNames?: [...string]
+			}
+		}]
+
+		// TLS related settings for connections to the upstream service.
+		tls?: {
+			// OPTIONAL: The path to the file containing certificate authority
+			// certificates to use in verifying a presented server
+			// certificate.
+			caCertificates?: string
+
+			// REQUIRED if mode is `MUTUAL`.
+			clientCertificate?: string
+
+			// The name of the secret that holds the TLS certs for the client
+			// including the CA certificates.
+			credentialName?: string
+
+			// `insecureSkipVerify` specifies whether the proxy should skip
+			// verifying the CA signature and SAN for the server certificate
+			// corresponding to the host.
+			insecureSkipVerify?: null | bool
+
+			// Indicates whether connections to this port should be secured
+			// using TLS.
+			mode?: "DISABLE" | "SIMPLE" | "MUTUAL" | "ISTIO_MUTUAL"
+
+			// REQUIRED if mode is `MUTUAL`.
+			privateKey?: string
+
+			// SNI string to present to the server during TLS handshake.
+			sni?: string
+
+			// A list of alternate names to verify the subject identity in the
+			// certificate.
+			subjectAltNames?: [...string]
+		}
+
+		// Configuration of tunneling TCP over other transport or
+		// application layers for the host configured in the
+		// DestinationRule.
+		tunnel?: {
+			// Specifies which protocol to use for tunneling the downstream
+			// connection.
+			protocol?: string
+
+			// Specifies a host to which the downstream connection is
+			// tunneled.
+			targetHost: string
+
+			// Specifies a port to which the downstream connection is
+			// tunneled.
+			targetPort: int
+		}
+	}
+	workloadSelector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which a policy should be applied.
+		matchLabels?: {
+			[string]: string
+		}
+	}
+}

docs/examples/cue.mod/gen/networking.istio.io/envoyfilter/v1alpha3/types_gen.cue

@@ -0,0 +1,185 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1alpha3
+
+import "strings"
+
+#EnvoyFilter: {
+	// Customizing Envoy configuration generated by Istio. See more
+	// details at:
+	// https://istio.io/docs/reference/config/networking/envoy-filter.html
+	spec!:      #EnvoyFilterSpec
+	apiVersion: "networking.istio.io/v1alpha3"
+	kind:       "EnvoyFilter"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Customizing Envoy configuration generated by Istio. See more
+// details at:
+// https://istio.io/docs/reference/config/networking/envoy-filter.html
+#EnvoyFilterSpec: {
+	// One or more patches with match conditions.
+	configPatches?: [...{
+		// Specifies where in the Envoy configuration, the patch should be
+		// applied.
+		applyTo?: "INVALID" | "LISTENER" | "FILTER_CHAIN" | "NETWORK_FILTER" | "HTTP_FILTER" | "ROUTE_CONFIGURATION" | "VIRTUAL_HOST" | "HTTP_ROUTE" | "CLUSTER" | "EXTENSION_CONFIG" | "BOOTSTRAP" | "LISTENER_FILTER"
+
+		// Match on listener/route configuration/cluster.
+		match?: ({} | {
+			listener: _
+		} | {
+			routeConfiguration: _
+		} | {
+			cluster: _
+		}) & {
+			// Match on envoy cluster attributes.
+			cluster?: {
+				// The exact name of the cluster to match.
+				name?: string
+
+				// The service port for which this cluster was generated.
+				portNumber?: int
+
+				// The fully qualified service name for this cluster.
+				service?: string
+
+				// The subset associated with the service.
+				subset?: string
+			}
+
+			// The specific config generation context to match on.
+			context?: "ANY" | "SIDECAR_INBOUND" | "SIDECAR_OUTBOUND" | "GATEWAY"
+
+			// Match on envoy listener attributes.
+			listener?: {
+				// Match a specific filter chain in a listener.
+				filterChain?: {
+					// Applies only to sidecars.
+					applicationProtocols?: string
+
+					// The destination_port value used by a filter chain's match
+					// condition.
+					destinationPort?: int
+
+					// The name of a specific filter to apply the patch to.
+					filter?: {
+						// The filter name to match on.
+						name?: string
+						subFilter?: {
+							// The filter name to match on.
+							name?: string
+						}
+					}
+
+					// The name assigned to the filter chain.
+					name?: string
+
+					// The SNI value used by a filter chain's match condition.
+					sni?: string
+
+					// Applies only to `SIDECAR_INBOUND` context.
+					transportProtocol?: string
+				}
+
+				// Match a specific listener filter.
+				listenerFilter?: string
+
+				// Match a specific listener by its name.
+				name?:     string
+				portName?: string
+
+				// The service port/gateway port to which traffic is being
+				// sent/received.
+				portNumber?: int
+			}
+
+			// Match on properties associated with a proxy.
+			proxy?: {
+				// Match on the node metadata supplied by a proxy when connecting
+				// to Istio Pilot.
+				metadata?: {
+					[string]: string
+				}
+
+				// A regular expression in golang regex format (RE2) that can be
+				// used to select proxies using a specific version of istio
+				// proxy.
+				proxyVersion?: string
+			}
+
+			// Match on envoy HTTP route configuration attributes.
+			routeConfiguration?: {
+				// The Istio gateway config's namespace/name for which this route
+				// configuration was generated.
+				gateway?: string
+
+				// Route configuration name to match on.
+				name?: string
+
+				// Applicable only for GATEWAY context.
+				portName?: string
+
+				// The service port number or gateway server port number for which
+				// this route configuration was generated.
+				portNumber?: int
+
+				// Match a specific virtual host in a route configuration and
+				// apply the patch to the virtual host.
+				vhost?: {
+					// The VirtualHosts objects generated by Istio are named as
+					// host:port, where the host typically corresponds to the
+					// VirtualService's host field or the hostname of a service in
+					// the registry.
+					name?: string
+
+					// Match a specific route within the virtual host.
+					route?: {
+						// Match a route with specific action type.
+						action?: "ANY" | "ROUTE" | "REDIRECT" | "DIRECT_RESPONSE"
+
+						// The Route objects generated by default are named as default.
+						name?: string
+					}
+				}
+			}
+		}
+
+		// The patch to apply along with the operation.
+		patch?: {
+			// Determines the filter insertion order.
+			filterClass?: "UNSPECIFIED" | "AUTHN" | "AUTHZ" | "STATS"
+
+			// Determines how the patch should be applied.
+			operation?: "INVALID" | "MERGE" | "ADD" | "REMOVE" | "INSERT_BEFORE" | "INSERT_AFTER" | "INSERT_FIRST" | "REPLACE"
+
+			// The JSON config of the object being patched.
+			value?: {}
+		}
+	}]
+
+	// Priority defines the order in which patch sets are applied
+	// within a context.
+	priority?: int
+	workloadSelector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which the configuration should be applied.
+		labels?: {
+			[string]: string
+		}
+	}
+}

docs/examples/cue.mod/gen/networking.istio.io/gateway/v1alpha3/types_gen.cue

@@ -0,0 +1,115 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1alpha3
+
+import "strings"
+
+#Gateway: {
+	// Configuration affecting edge load balancer. See more details
+	// at:
+	// https://istio.io/docs/reference/config/networking/gateway.html
+	spec!:      #GatewaySpec
+	apiVersion: "networking.istio.io/v1alpha3"
+	kind:       "Gateway"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting edge load balancer. See more details
+// at:
+// https://istio.io/docs/reference/config/networking/gateway.html
+#GatewaySpec: {
+	// One or more labels that indicate a specific set of pods/VMs on
+	// which this gateway configuration should be applied.
+	selector?: {
+		[string]: string
+	}
+
+	// A list of server specifications.
+	servers?: [...{
+		// The ip or the Unix domain socket to which the listener should
+		// be bound to.
+		bind?:            string
+		defaultEndpoint?: string
+
+		// One or more hosts exposed by this gateway.
+		hosts: [...string]
+
+		// An optional name of the server, when set must be unique across
+		// all servers.
+		name?: string
+
+		// The Port on which the proxy should listen for incoming
+		// connections.
+		port: {
+			// Label assigned to the port.
+			name: string
+
+			// A valid non-negative integer port number.
+			number: int
+
+			// The protocol exposed on the port.
+			protocol:    string
+			targetPort?: int
+		}
+
+		// Set of TLS related options that govern the server's behavior.
+		tls?: {
+			// REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
+			caCertificates?: string
+
+			// Optional: If specified, only support the specified cipher list.
+			cipherSuites?: [...string]
+
+			// For gateways running on Kubernetes, the name of the secret that
+			// holds the TLS certs including the CA certificates.
+			credentialName?: string
+
+			// If set to true, the load balancer will send a 301 redirect for
+			// all http connections, asking the clients to use HTTPS.
+			httpsRedirect?: bool
+
+			// Optional: Maximum TLS protocol version.
+			maxProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
+
+			// Optional: Minimum TLS protocol version.
+			minProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
+
+			// Optional: Indicates whether connections to this port should be
+			// secured using TLS.
+			mode?: "PASSTHROUGH" | "SIMPLE" | "MUTUAL" | "AUTO_PASSTHROUGH" | "ISTIO_MUTUAL" | "OPTIONAL_MUTUAL"
+
+			// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+			privateKey?: string
+
+			// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+			serverCertificate?: string
+
+			// A list of alternate names to verify the subject identity in the
+			// certificate presented by the client.
+			subjectAltNames?: [...string]
+
+			// An optional list of hex-encoded SHA-256 hashes of the
+			// authorized client certificates.
+			verifyCertificateHash?: [...string]
+
+			// An optional list of base64-encoded SHA-256 hashes of the SPKIs
+			// of authorized client certificates.
+			verifyCertificateSpki?: [...string]
+		}
+	}]
+}

docs/examples/cue.mod/gen/networking.istio.io/gateway/v1beta1/types_gen.cue

@@ -0,0 +1,115 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1beta1
+
+import "strings"
+
+#Gateway: {
+	// Configuration affecting edge load balancer. See more details
+	// at:
+	// https://istio.io/docs/reference/config/networking/gateway.html
+	spec!:      #GatewaySpec
+	apiVersion: "networking.istio.io/v1beta1"
+	kind:       "Gateway"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting edge load balancer. See more details
+// at:
+// https://istio.io/docs/reference/config/networking/gateway.html
+#GatewaySpec: {
+	// One or more labels that indicate a specific set of pods/VMs on
+	// which this gateway configuration should be applied.
+	selector?: {
+		[string]: string
+	}
+
+	// A list of server specifications.
+	servers?: [...{
+		// The ip or the Unix domain socket to which the listener should
+		// be bound to.
+		bind?:            string
+		defaultEndpoint?: string
+
+		// One or more hosts exposed by this gateway.
+		hosts: [...string]
+
+		// An optional name of the server, when set must be unique across
+		// all servers.
+		name?: string
+
+		// The Port on which the proxy should listen for incoming
+		// connections.
+		port: {
+			// Label assigned to the port.
+			name: string
+
+			// A valid non-negative integer port number.
+			number: int
+
+			// The protocol exposed on the port.
+			protocol:    string
+			targetPort?: int
+		}
+
+		// Set of TLS related options that govern the server's behavior.
+		tls?: {
+			// REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
+			caCertificates?: string
+
+			// Optional: If specified, only support the specified cipher list.
+			cipherSuites?: [...string]
+
+			// For gateways running on Kubernetes, the name of the secret that
+			// holds the TLS certs including the CA certificates.
+			credentialName?: string
+
+			// If set to true, the load balancer will send a 301 redirect for
+			// all http connections, asking the clients to use HTTPS.
+			httpsRedirect?: bool
+
+			// Optional: Maximum TLS protocol version.
+			maxProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
+
+			// Optional: Minimum TLS protocol version.
+			minProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
+
+			// Optional: Indicates whether connections to this port should be
+			// secured using TLS.
+			mode?: "PASSTHROUGH" | "SIMPLE" | "MUTUAL" | "AUTO_PASSTHROUGH" | "ISTIO_MUTUAL" | "OPTIONAL_MUTUAL"
+
+			// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+			privateKey?: string
+
+			// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+			serverCertificate?: string
+
+			// A list of alternate names to verify the subject identity in the
+			// certificate presented by the client.
+			subjectAltNames?: [...string]
+
+			// An optional list of hex-encoded SHA-256 hashes of the
+			// authorized client certificates.
+			verifyCertificateHash?: [...string]
+
+			// An optional list of base64-encoded SHA-256 hashes of the SPKIs
+			// of authorized client certificates.
+			verifyCertificateSpki?: [...string]
+		}
+	}]
+}

docs/examples/cue.mod/gen/networking.istio.io/proxyconfig/v1beta1/types_gen.cue

@@ -0,0 +1,54 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1beta1
+
+import "strings"
+
+#ProxyConfig: {
+	// Provides configuration for individual workloads. See more
+	// details at:
+	// https://istio.io/docs/reference/config/networking/proxy-config.html
+	spec!:      #ProxyConfigSpec
+	apiVersion: "networking.istio.io/v1beta1"
+	kind:       "ProxyConfig"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Provides configuration for individual workloads. See more
+// details at:
+// https://istio.io/docs/reference/config/networking/proxy-config.html
+#ProxyConfigSpec: {
+	// The number of worker threads to run.
+	concurrency?: null | int
+
+	// Additional environment variables for the proxy.
+	environmentVariables?: {
+		[string]: string
+	}
+	image?: {
+		// The image type of the image.
+		imageType?: string
+	}
+	selector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which a policy should be applied.
+		matchLabels?: {
+			[string]: string
+		}
+	}
+}

docs/examples/cue.mod/gen/networking.istio.io/serviceentry/v1alpha3/types_gen.cue

@@ -0,0 +1,107 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1alpha3
+
+import "strings"
+
+#ServiceEntry: {
+	// Configuration affecting service registry. See more details at:
+	// https://istio.io/docs/reference/config/networking/service-entry.html
+	spec!:      #ServiceEntrySpec
+	apiVersion: "networking.istio.io/v1alpha3"
+	kind:       "ServiceEntry"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting service registry. See more details at:
+// https://istio.io/docs/reference/config/networking/service-entry.html
+#ServiceEntrySpec: {
+	// The virtual IP addresses associated with the service.
+	addresses?: [...string]
+
+	// One or more endpoints associated with the service.
+	endpoints?: [...{
+		// Address associated with the network endpoint without the port.
+		address?: string
+
+		// One or more labels associated with the endpoint.
+		labels?: {
+			[string]: string
+		}
+
+		// The locality associated with the endpoint.
+		locality?: string
+
+		// Network enables Istio to group endpoints resident in the same
+		// L3 domain/network.
+		network?: string
+
+		// Set of ports associated with the endpoint.
+		ports?: {
+			[string]: int
+		}
+
+		// The service account associated with the workload if a sidecar
+		// is present in the workload.
+		serviceAccount?: string
+
+		// The load balancing weight associated with the endpoint.
+		weight?: int
+	}]
+
+	// A list of namespaces to which this service is exported.
+	exportTo?: [...string]
+
+	// The hosts associated with the ServiceEntry.
+	hosts: [...string]
+
+	// Specify whether the service should be considered external to
+	// the mesh or part of the mesh.
+	location?: "MESH_EXTERNAL" | "MESH_INTERNAL"
+
+	// The ports associated with the external service.
+	ports?: [...{
+		// Label assigned to the port.
+		name: string
+
+		// A valid non-negative integer port number.
+		number: int
+
+		// The protocol exposed on the port.
+		protocol?: string
+
+		// The port number on the endpoint where the traffic will be
+		// received.
+		targetPort?: int
+	}]
+
+	// Service resolution mode for the hosts.
+	resolution?: "NONE" | "STATIC" | "DNS" | "DNS_ROUND_ROBIN"
+
+	// If specified, the proxy will verify that the server
+	// certificate's subject alternate name matches one of the
+	// specified values.
+	subjectAltNames?: [...string]
+	workloadSelector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which the configuration should be applied.
+		labels?: {
+			[string]: string
+		}
+	}
+}

docs/examples/cue.mod/gen/networking.istio.io/serviceentry/v1beta1/types_gen.cue

@@ -0,0 +1,107 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1beta1
+
+import "strings"
+
+#ServiceEntry: {
+	// Configuration affecting service registry. See more details at:
+	// https://istio.io/docs/reference/config/networking/service-entry.html
+	spec!:      #ServiceEntrySpec
+	apiVersion: "networking.istio.io/v1beta1"
+	kind:       "ServiceEntry"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting service registry. See more details at:
+// https://istio.io/docs/reference/config/networking/service-entry.html
+#ServiceEntrySpec: {
+	// The virtual IP addresses associated with the service.
+	addresses?: [...string]
+
+	// One or more endpoints associated with the service.
+	endpoints?: [...{
+		// Address associated with the network endpoint without the port.
+		address?: string
+
+		// One or more labels associated with the endpoint.
+		labels?: {
+			[string]: string
+		}
+
+		// The locality associated with the endpoint.
+		locality?: string
+
+		// Network enables Istio to group endpoints resident in the same
+		// L3 domain/network.
+		network?: string
+
+		// Set of ports associated with the endpoint.
+		ports?: {
+			[string]: int
+		}
+
+		// The service account associated with the workload if a sidecar
+		// is present in the workload.
+		serviceAccount?: string
+
+		// The load balancing weight associated with the endpoint.
+		weight?: int
+	}]
+
+	// A list of namespaces to which this service is exported.
+	exportTo?: [...string]
+
+	// The hosts associated with the ServiceEntry.
+	hosts: [...string]
+
+	// Specify whether the service should be considered external to
+	// the mesh or part of the mesh.
+	location?: "MESH_EXTERNAL" | "MESH_INTERNAL"
+
+	// The ports associated with the external service.
+	ports?: [...{
+		// Label assigned to the port.
+		name: string
+
+		// A valid non-negative integer port number.
+		number: int
+
+		// The protocol exposed on the port.
+		protocol?: string
+
+		// The port number on the endpoint where the traffic will be
+		// received.
+		targetPort?: int
+	}]
+
+	// Service resolution mode for the hosts.
+	resolution?: "NONE" | "STATIC" | "DNS" | "DNS_ROUND_ROBIN"
+
+	// If specified, the proxy will verify that the server
+	// certificate's subject alternate name matches one of the
+	// specified values.
+	subjectAltNames?: [...string]
+	workloadSelector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which the configuration should be applied.
+		labels?: {
+			[string]: string
+		}
+	}
+}

docs/examples/cue.mod/gen/networking.istio.io/sidecar/v1alpha3/types_gen.cue

@@ -0,0 +1,280 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1alpha3
+
+import "strings"
+
+#Sidecar: {
+	// Configuration affecting network reachability of a sidecar. See
+	// more details at:
+	// https://istio.io/docs/reference/config/networking/sidecar.html
+	spec!:      #SidecarSpec
+	apiVersion: "networking.istio.io/v1alpha3"
+	kind:       "Sidecar"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting network reachability of a sidecar. See
+// more details at:
+// https://istio.io/docs/reference/config/networking/sidecar.html
+#SidecarSpec: {
+	// Egress specifies the configuration of the sidecar for
+	// processing outbound traffic from the attached workload
+	// instance to other services in the mesh.
+	egress?: [...{
+		// The IP(IPv4 or IPv6) or the Unix domain socket to which the
+		// listener should be bound to.
+		bind?: string
+
+		// When the bind address is an IP, the captureMode option dictates
+		// how traffic to the listener is expected to be captured (or
+		// not).
+		captureMode?: "DEFAULT" | "IPTABLES" | "NONE"
+
+		// One or more service hosts exposed by the listener in
+		// `namespace/dnsName` format.
+		hosts: [...string]
+
+		// The port associated with the listener.
+		port?: {
+			// Label assigned to the port.
+			name?: string
+
+			// A valid non-negative integer port number.
+			number?: int
+
+			// The protocol exposed on the port.
+			protocol?:   string
+			targetPort?: int
+		}
+	}]
+
+	// Settings controlling the volume of connections Envoy will
+	// accept from the network.
+	inboundConnectionPool?: {
+		// HTTP connection pool settings.
+		http?: {
+			// Specify if http1.1 connection should be upgraded to http2 for
+			// the associated destination.
+			h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
+
+			// Maximum number of requests that will be queued while waiting
+			// for a ready connection pool connection.
+			http1MaxPendingRequests?: int
+
+			// Maximum number of active requests to a destination.
+			http2MaxRequests?: int
+
+			// The idle timeout for upstream connection pool connections.
+			idleTimeout?: string
+
+			// Maximum number of requests per connection to a backend.
+			maxRequestsPerConnection?: int
+
+			// Maximum number of retries that can be outstanding to all hosts
+			// in a cluster at a given time.
+			maxRetries?: int
+
+			// If set to true, client protocol will be preserved while
+			// initiating connection to backend.
+			useClientProtocol?: bool
+		}
+
+		// Settings common to both HTTP and TCP upstream connections.
+		tcp?: {
+			// TCP connection timeout.
+			connectTimeout?: string
+
+			// The maximum duration of a connection.
+			maxConnectionDuration?: string
+
+			// Maximum number of HTTP1 /TCP connections to a destination host.
+			maxConnections?: int
+
+			// If set then set SO_KEEPALIVE on the socket to enable TCP
+			// Keepalives.
+			tcpKeepalive?: {
+				// The time duration between keep-alive probes.
+				interval?: string
+
+				// Maximum number of keepalive probes to send without response
+				// before deciding the connection is dead.
+				probes?: int
+
+				// The time duration a connection needs to be idle before
+				// keep-alive probes start being sent.
+				time?: string
+			}
+		}
+	}
+
+	// Ingress specifies the configuration of the sidecar for
+	// processing inbound traffic to the attached workload instance.
+	ingress?: [...{
+		// The IP(IPv4 or IPv6) to which the listener should be bound.
+		bind?: string
+
+		// The captureMode option dictates how traffic to the listener is
+		// expected to be captured (or not).
+		captureMode?: "DEFAULT" | "IPTABLES" | "NONE"
+
+		// Settings controlling the volume of connections Envoy will
+		// accept from the network.
+		connectionPool?: {
+			// HTTP connection pool settings.
+			http?: {
+				// Specify if http1.1 connection should be upgraded to http2 for
+				// the associated destination.
+				h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
+
+				// Maximum number of requests that will be queued while waiting
+				// for a ready connection pool connection.
+				http1MaxPendingRequests?: int
+
+				// Maximum number of active requests to a destination.
+				http2MaxRequests?: int
+
+				// The idle timeout for upstream connection pool connections.
+				idleTimeout?: string
+
+				// Maximum number of requests per connection to a backend.
+				maxRequestsPerConnection?: int
+
+				// Maximum number of retries that can be outstanding to all hosts
+				// in a cluster at a given time.
+				maxRetries?: int
+
+				// If set to true, client protocol will be preserved while
+				// initiating connection to backend.
+				useClientProtocol?: bool
+			}
+
+			// Settings common to both HTTP and TCP upstream connections.
+			tcp?: {
+				// TCP connection timeout.
+				connectTimeout?: string
+
+				// The maximum duration of a connection.
+				maxConnectionDuration?: string
+
+				// Maximum number of HTTP1 /TCP connections to a destination host.
+				maxConnections?: int
+
+				// If set then set SO_KEEPALIVE on the socket to enable TCP
+				// Keepalives.
+				tcpKeepalive?: {
+					// The time duration between keep-alive probes.
+					interval?: string
+
+					// Maximum number of keepalive probes to send without response
+					// before deciding the connection is dead.
+					probes?: int
+
+					// The time duration a connection needs to be idle before
+					// keep-alive probes start being sent.
+					time?: string
+				}
+			}
+		}
+
+		// The IP endpoint or Unix domain socket to which traffic should
+		// be forwarded to.
+		defaultEndpoint?: string
+
+		// The port associated with the listener.
+		port: {
+			// Label assigned to the port.
+			name?: string
+
+			// A valid non-negative integer port number.
+			number?: int
+
+			// The protocol exposed on the port.
+			protocol?:   string
+			targetPort?: int
+		}
+
+		// Set of TLS related options that will enable TLS termination on
+		// the sidecar for requests originating from outside the mesh.
+		tls?: {
+			// REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
+			caCertificates?: string
+
+			// Optional: If specified, only support the specified cipher list.
+			cipherSuites?: [...string]
+
+			// For gateways running on Kubernetes, the name of the secret that
+			// holds the TLS certs including the CA certificates.
+			credentialName?: string
+
+			// If set to true, the load balancer will send a 301 redirect for
+			// all http connections, asking the clients to use HTTPS.
+			httpsRedirect?: bool
+
+			// Optional: Maximum TLS protocol version.
+			maxProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
+
+			// Optional: Minimum TLS protocol version.
+			minProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
+
+			// Optional: Indicates whether connections to this port should be
+			// secured using TLS.
+			mode?: "PASSTHROUGH" | "SIMPLE" | "MUTUAL" | "AUTO_PASSTHROUGH" | "ISTIO_MUTUAL" | "OPTIONAL_MUTUAL"
+
+			// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+			privateKey?: string
+
+			// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+			serverCertificate?: string
+
+			// A list of alternate names to verify the subject identity in the
+			// certificate presented by the client.
+			subjectAltNames?: [...string]
+
+			// An optional list of hex-encoded SHA-256 hashes of the
+			// authorized client certificates.
+			verifyCertificateHash?: [...string]
+
+			// An optional list of base64-encoded SHA-256 hashes of the SPKIs
+			// of authorized client certificates.
+			verifyCertificateSpki?: [...string]
+		}
+	}]
+
+	// Configuration for the outbound traffic policy.
+	outboundTrafficPolicy?: {
+		egressProxy?: {
+			// The name of a service from the service registry.
+			host: string
+			port?: {
+				number?: int
+			}
+
+			// The name of a subset within the service.
+			subset?: string
+		}
+		mode?: "REGISTRY_ONLY" | "ALLOW_ANY"
+	}
+	workloadSelector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which the configuration should be applied.
+		labels?: {
+			[string]: string
+		}
+	}
+}

docs/examples/cue.mod/gen/networking.istio.io/sidecar/v1beta1/types_gen.cue

@@ -0,0 +1,280 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1beta1
+
+import "strings"
+
+#Sidecar: {
+	// Configuration affecting network reachability of a sidecar. See
+	// more details at:
+	// https://istio.io/docs/reference/config/networking/sidecar.html
+	spec!:      #SidecarSpec
+	apiVersion: "networking.istio.io/v1beta1"
+	kind:       "Sidecar"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting network reachability of a sidecar. See
+// more details at:
+// https://istio.io/docs/reference/config/networking/sidecar.html
+#SidecarSpec: {
+	// Egress specifies the configuration of the sidecar for
+	// processing outbound traffic from the attached workload
+	// instance to other services in the mesh.
+	egress?: [...{
+		// The IP(IPv4 or IPv6) or the Unix domain socket to which the
+		// listener should be bound to.
+		bind?: string
+
+		// When the bind address is an IP, the captureMode option dictates
+		// how traffic to the listener is expected to be captured (or
+		// not).
+		captureMode?: "DEFAULT" | "IPTABLES" | "NONE"
+
+		// One or more service hosts exposed by the listener in
+		// `namespace/dnsName` format.
+		hosts: [...string]
+
+		// The port associated with the listener.
+		port?: {
+			// Label assigned to the port.
+			name?: string
+
+			// A valid non-negative integer port number.
+			number?: int
+
+			// The protocol exposed on the port.
+			protocol?:   string
+			targetPort?: int
+		}
+	}]
+
+	// Settings controlling the volume of connections Envoy will
+	// accept from the network.
+	inboundConnectionPool?: {
+		// HTTP connection pool settings.
+		http?: {
+			// Specify if http1.1 connection should be upgraded to http2 for
+			// the associated destination.
+			h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
+
+			// Maximum number of requests that will be queued while waiting
+			// for a ready connection pool connection.
+			http1MaxPendingRequests?: int
+
+			// Maximum number of active requests to a destination.
+			http2MaxRequests?: int
+
+			// The idle timeout for upstream connection pool connections.
+			idleTimeout?: string
+
+			// Maximum number of requests per connection to a backend.
+			maxRequestsPerConnection?: int
+
+			// Maximum number of retries that can be outstanding to all hosts
+			// in a cluster at a given time.
+			maxRetries?: int
+
+			// If set to true, client protocol will be preserved while
+			// initiating connection to backend.
+			useClientProtocol?: bool
+		}
+
+		// Settings common to both HTTP and TCP upstream connections.
+		tcp?: {
+			// TCP connection timeout.
+			connectTimeout?: string
+
+			// The maximum duration of a connection.
+			maxConnectionDuration?: string
+
+			// Maximum number of HTTP1 /TCP connections to a destination host.
+			maxConnections?: int
+
+			// If set then set SO_KEEPALIVE on the socket to enable TCP
+			// Keepalives.
+			tcpKeepalive?: {
+				// The time duration between keep-alive probes.
+				interval?: string
+
+				// Maximum number of keepalive probes to send without response
+				// before deciding the connection is dead.
+				probes?: int
+
+				// The time duration a connection needs to be idle before
+				// keep-alive probes start being sent.
+				time?: string
+			}
+		}
+	}
+
+	// Ingress specifies the configuration of the sidecar for
+	// processing inbound traffic to the attached workload instance.
+	ingress?: [...{
+		// The IP(IPv4 or IPv6) to which the listener should be bound.
+		bind?: string
+
+		// The captureMode option dictates how traffic to the listener is
+		// expected to be captured (or not).
+		captureMode?: "DEFAULT" | "IPTABLES" | "NONE"
+
+		// Settings controlling the volume of connections Envoy will
+		// accept from the network.
+		connectionPool?: {
+			// HTTP connection pool settings.
+			http?: {
+				// Specify if http1.1 connection should be upgraded to http2 for
+				// the associated destination.
+				h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
+
+				// Maximum number of requests that will be queued while waiting
+				// for a ready connection pool connection.
+				http1MaxPendingRequests?: int
+
+				// Maximum number of active requests to a destination.
+				http2MaxRequests?: int
+
+				// The idle timeout for upstream connection pool connections.
+				idleTimeout?: string
+
+				// Maximum number of requests per connection to a backend.
+				maxRequestsPerConnection?: int
+
+				// Maximum number of retries that can be outstanding to all hosts
+				// in a cluster at a given time.
+				maxRetries?: int
+
+				// If set to true, client protocol will be preserved while
+				// initiating connection to backend.
+				useClientProtocol?: bool
+			}
+
+			// Settings common to both HTTP and TCP upstream connections.
+			tcp?: {
+				// TCP connection timeout.
+				connectTimeout?: string
+
+				// The maximum duration of a connection.
+				maxConnectionDuration?: string
+
+				// Maximum number of HTTP1 /TCP connections to a destination host.
+				maxConnections?: int
+
+				// If set then set SO_KEEPALIVE on the socket to enable TCP
+				// Keepalives.
+				tcpKeepalive?: {
+					// The time duration between keep-alive probes.
+					interval?: string
+
+					// Maximum number of keepalive probes to send without response
+					// before deciding the connection is dead.
+					probes?: int
+
+					// The time duration a connection needs to be idle before
+					// keep-alive probes start being sent.
+					time?: string
+				}
+			}
+		}
+
+		// The IP endpoint or Unix domain socket to which traffic should
+		// be forwarded to.
+		defaultEndpoint?: string
+
+		// The port associated with the listener.
+		port: {
+			// Label assigned to the port.
+			name?: string
+
+			// A valid non-negative integer port number.
+			number?: int
+
+			// The protocol exposed on the port.
+			protocol?:   string
+			targetPort?: int
+		}
+
+		// Set of TLS related options that will enable TLS termination on
+		// the sidecar for requests originating from outside the mesh.
+		tls?: {
+			// REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
+			caCertificates?: string
+
+			// Optional: If specified, only support the specified cipher list.
+			cipherSuites?: [...string]
+
+			// For gateways running on Kubernetes, the name of the secret that
+			// holds the TLS certs including the CA certificates.
+			credentialName?: string
+
+			// If set to true, the load balancer will send a 301 redirect for
+			// all http connections, asking the clients to use HTTPS.
+			httpsRedirect?: bool
+
+			// Optional: Maximum TLS protocol version.
+			maxProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
+
+			// Optional: Minimum TLS protocol version.
+			minProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
+
+			// Optional: Indicates whether connections to this port should be
+			// secured using TLS.
+			mode?: "PASSTHROUGH" | "SIMPLE" | "MUTUAL" | "AUTO_PASSTHROUGH" | "ISTIO_MUTUAL" | "OPTIONAL_MUTUAL"
+
+			// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+			privateKey?: string
+
+			// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+			serverCertificate?: string
+
+			// A list of alternate names to verify the subject identity in the
+			// certificate presented by the client.
+			subjectAltNames?: [...string]
+
+			// An optional list of hex-encoded SHA-256 hashes of the
+			// authorized client certificates.
+			verifyCertificateHash?: [...string]
+
+			// An optional list of base64-encoded SHA-256 hashes of the SPKIs
+			// of authorized client certificates.
+			verifyCertificateSpki?: [...string]
+		}
+	}]
+
+	// Configuration for the outbound traffic policy.
+	outboundTrafficPolicy?: {
+		egressProxy?: {
+			// The name of a service from the service registry.
+			host: string
+			port?: {
+				number?: int
+			}
+
+			// The name of a subset within the service.
+			subset?: string
+		}
+		mode?: "REGISTRY_ONLY" | "ALLOW_ANY"
+	}
+	workloadSelector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which the configuration should be applied.
+		labels?: {
+			[string]: string
+		}
+	}
+}

docs/examples/cue.mod/gen/networking.istio.io/virtualservice/v1alpha3/types_gen.cue

@@ -0,0 +1,594 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1alpha3
+
+import "strings"
+
+#VirtualService: {
+	// Configuration affecting label/content routing, sni routing,
+	// etc. See more details at:
+	// https://istio.io/docs/reference/config/networking/virtual-service.html
+	spec!:      #VirtualServiceSpec
+	apiVersion: "networking.istio.io/v1alpha3"
+	kind:       "VirtualService"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting label/content routing, sni routing,
+// etc. See more details at:
+// https://istio.io/docs/reference/config/networking/virtual-service.html
+#VirtualServiceSpec: {
+	// A list of namespaces to which this virtual service is exported.
+	exportTo?: [...string]
+
+	// The names of gateways and sidecars that should apply these
+	// routes.
+	gateways?: [...string]
+
+	// The destination hosts to which traffic is being sent.
+	hosts?: [...string]
+
+	// An ordered list of route rules for HTTP traffic.
+	http?: [...{
+		// Cross-Origin Resource Sharing policy (CORS).
+		corsPolicy?: {
+			// Indicates whether the caller is allowed to send the actual
+			// request (not the preflight) using credentials.
+			allowCredentials?: null | bool
+
+			// List of HTTP headers that can be used when requesting the
+			// resource.
+			allowHeaders?: [...string]
+
+			// List of HTTP methods allowed to access the resource.
+			allowMethods?: [...string]
+			allowOrigin?: [...string]
+
+			// String patterns that match allowed origins.
+			allowOrigins?: [...({} | {
+				exact: _
+			} | {
+				prefix: _
+			} | {
+				regex: _
+			}) & {
+				exact?:  string
+				prefix?: string
+
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				regex?: string
+			}]
+
+			// A list of HTTP headers that the browsers are allowed to access.
+			exposeHeaders?: [...string]
+
+			// Specifies how long the results of a preflight request can be
+			// cached.
+			maxAge?: string
+		}
+
+		// Delegate is used to specify the particular VirtualService which
+		// can be used to define delegate HTTPRoute.
+		delegate?: {
+			// Name specifies the name of the delegate VirtualService.
+			name?: string
+
+			// Namespace specifies the namespace where the delegate
+			// VirtualService resides.
+			namespace?: string
+		}
+
+		// A HTTP rule can either return a direct_response, redirect or
+		// forward (default) traffic.
+		directResponse?: {
+			// Specifies the content of the response body.
+			body?: ({} | {
+				string: _
+			} | {
+				bytes: _
+			}) & {
+				// response body as base64 encoded bytes.
+				bytes?:  string
+				string?: string
+			}
+
+			// Specifies the HTTP response status to be returned.
+			status: int
+		}
+
+		// Fault injection policy to apply on HTTP traffic at the client
+		// side.
+		fault?: {
+			// Abort Http request attempts and return error codes back to
+			// downstream service, giving the impression that the upstream
+			// service is faulty.
+			abort?: ({} | {
+				httpStatus: _
+			} | {
+				grpcStatus: _
+			} | {
+				http2Error: _
+			}) & {
+				// GRPC status code to use to abort the request.
+				grpcStatus?: string
+				http2Error?: string
+
+				// HTTP status code to use to abort the Http request.
+				httpStatus?: int
+				percentage?: {
+					value?: number
+				}
+			}
+
+			// Delay requests before forwarding, emulating various failures
+			// such as network issues, overloaded upstream service, etc.
+			delay?: ({} | {
+				fixedDelay: _
+			} | {
+				exponentialDelay: _
+			}) & {
+				exponentialDelay?: string
+
+				// Add a fixed delay before forwarding the request.
+				fixedDelay?: string
+
+				// Percentage of requests on which the delay will be injected
+				// (0-100).
+				percent?: int
+				percentage?: {
+					value?: number
+				}
+			}
+		}
+		headers?: {
+			request?: {
+				add?: {
+					[string]: string
+				}
+				remove?: [...string]
+				set?: {
+					[string]: string
+				}
+			}
+			response?: {
+				add?: {
+					[string]: string
+				}
+				remove?: [...string]
+				set?: {
+					[string]: string
+				}
+			}
+		}
+
+		// Match conditions to be satisfied for the rule to be activated.
+		match?: [...{
+			// HTTP Authority values are case-sensitive and formatted as
+			// follows: - `exact: "value"` for exact string match - `prefix:
+			// "value"` for prefix-based match - `regex: "value"` for RE2
+			// style regex-based match
+			// (https://github.com/google/re2/wiki/Syntax).
+			authority?: ({} | {
+				exact: _
+			} | {
+				prefix: _
+			} | {
+				regex: _
+			}) & {
+				exact?:  string
+				prefix?: string
+
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				regex?: string
+			}
+
+			// Names of gateways where the rule should be applied.
+			gateways?: [...string]
+
+			// The header keys must be lowercase and use hyphen as the
+			// separator, e.g.
+			headers?: {
+				[string]: ({} | {
+					exact: _
+				} | {
+					prefix: _
+				} | {
+					regex: _
+				}) & {
+					exact?:  string
+					prefix?: string
+
+					// RE2 style regex-based match
+					// (https://github.com/google/re2/wiki/Syntax).
+					regex?: string
+				}
+			}
+
+			// Flag to specify whether the URI matching should be
+			// case-insensitive.
+			ignoreUriCase?: bool
+
+			// HTTP Method values are case-sensitive and formatted as follows:
+			// - `exact: "value"` for exact string match - `prefix: "value"`
+			// for prefix-based match - `regex: "value"` for RE2 style
+			// regex-based match (https://github.com/google/re2/wiki/Syntax).
+			method?: ({} | {
+				exact: _
+			} | {
+				prefix: _
+			} | {
+				regex: _
+			}) & {
+				exact?:  string
+				prefix?: string
+
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				regex?: string
+			}
+
+			// The name assigned to a match.
+			name?: string
+
+			// Specifies the ports on the host that is being addressed.
+			port?: int
+
+			// Query parameters for matching.
+			queryParams?: {
+				[string]: ({} | {
+					exact: _
+				} | {
+					prefix: _
+				} | {
+					regex: _
+				}) & {
+					exact?:  string
+					prefix?: string
+
+					// RE2 style regex-based match
+					// (https://github.com/google/re2/wiki/Syntax).
+					regex?: string
+				}
+			}
+
+			// URI Scheme values are case-sensitive and formatted as follows:
+			// - `exact: "value"` for exact string match - `prefix: "value"`
+			// for prefix-based match - `regex: "value"` for RE2 style
+			// regex-based match (https://github.com/google/re2/wiki/Syntax).
+			scheme?: ({} | {
+				exact: _
+			} | {
+				prefix: _
+			} | {
+				regex: _
+			}) & {
+				exact?:  string
+				prefix?: string
+
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				regex?: string
+			}
+
+			// One or more labels that constrain the applicability of a rule
+			// to source (client) workloads with the given labels.
+			sourceLabels?: {
+				[string]: string
+			}
+
+			// Source namespace constraining the applicability of a rule to
+			// workloads in that namespace.
+			sourceNamespace?: string
+
+			// The human readable prefix to use when emitting statistics for
+			// this route.
+			statPrefix?: string
+
+			// URI to match values are case-sensitive and formatted as
+			// follows: - `exact: "value"` for exact string match - `prefix:
+			// "value"` for prefix-based match - `regex: "value"` for RE2
+			// style regex-based match
+			// (https://github.com/google/re2/wiki/Syntax).
+			uri?: ({} | {
+				exact: _
+			} | {
+				prefix: _
+			} | {
+				regex: _
+			}) & {
+				exact?:  string
+				prefix?: string
+
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				regex?: string
+			}
+
+			// withoutHeader has the same syntax with the header, but has
+			// opposite meaning.
+			withoutHeaders?: {
+				[string]: ({} | {
+					exact: _
+				} | {
+					prefix: _
+				} | {
+					regex: _
+				}) & {
+					exact?:  string
+					prefix?: string
+
+					// RE2 style regex-based match
+					// (https://github.com/google/re2/wiki/Syntax).
+					regex?: string
+				}
+			}
+		}]
+
+		// Mirror HTTP traffic to a another destination in addition to
+		// forwarding the requests to the intended destination.
+		mirror?: {
+			// The name of a service from the service registry.
+			host: string
+			port?: {
+				number?: int
+			}
+
+			// The name of a subset within the service.
+			subset?: string
+		}
+		mirror_percent?: null | int
+		mirrorPercent?:  null | int
+		mirrorPercentage?: {
+			value?: number
+		}
+
+		// Specifies the destinations to mirror HTTP traffic in addition
+		// to the original destination.
+		mirrors?: [...{
+			// Destination specifies the target of the mirror operation.
+			destination: {
+				// The name of a service from the service registry.
+				host: string
+				port?: {
+					number?: int
+				}
+
+				// The name of a subset within the service.
+				subset?: string
+			}
+			percentage?: {
+				value?: number
+			}
+		}]
+
+		// The name assigned to the route for debugging purposes.
+		name?: string
+
+		// A HTTP rule can either return a direct_response, redirect or
+		// forward (default) traffic.
+		redirect?: ({} | {
+			port: _
+		} | {
+			derivePort: _
+		}) & {
+			// On a redirect, overwrite the Authority/Host portion of the URL
+			// with this value.
+			authority?: string
+
+			// On a redirect, dynamically set the port: *
+			// FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and
+			// 443 for HTTPS.
+			derivePort?: "FROM_PROTOCOL_DEFAULT" | "FROM_REQUEST_PORT"
+
+			// On a redirect, overwrite the port portion of the URL with this
+			// value.
+			port?: int
+
+			// On a redirect, Specifies the HTTP status code to use in the
+			// redirect response.
+			redirectCode?: int
+
+			// On a redirect, overwrite the scheme portion of the URL with
+			// this value.
+			scheme?: string
+
+			// On a redirect, overwrite the Path portion of the URL with this
+			// value.
+			uri?: string
+		}
+
+		// Retry policy for HTTP requests.
+		retries?: {
+			// Number of retries to be allowed for a given request.
+			attempts?: int
+
+			// Timeout per attempt for a given request, including the initial
+			// call and any retries.
+			perTryTimeout?: string
+
+			// Specifies the conditions under which retry takes place.
+			retryOn?: string
+
+			// Flag to specify whether the retries should retry to other
+			// localities.
+			retryRemoteLocalities?: null | bool
+		}
+
+		// Rewrite HTTP URIs and Authority headers.
+		rewrite?: {
+			// rewrite the Authority/Host header with this value.
+			authority?: string
+
+			// rewrite the path (or the prefix) portion of the URI with this
+			// value.
+			uri?: string
+
+			// rewrite the path portion of the URI with the specified regex.
+			uriRegexRewrite?: {
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				match?: string
+
+				// The string that should replace into matching portions of
+				// original URI.
+				rewrite?: string
+			}
+		}
+
+		// A HTTP rule can either return a direct_response, redirect or
+		// forward (default) traffic.
+		route?: [...{
+			// Destination uniquely identifies the instances of a service to
+			// which the request/connection should be forwarded to.
+			destination: {
+				// The name of a service from the service registry.
+				host: string
+				port?: {
+					number?: int
+				}
+
+				// The name of a subset within the service.
+				subset?: string
+			}
+			headers?: {
+				request?: {
+					add?: {
+						[string]: string
+					}
+					remove?: [...string]
+					set?: {
+						[string]: string
+					}
+				}
+				response?: {
+					add?: {
+						[string]: string
+					}
+					remove?: [...string]
+					set?: {
+						[string]: string
+					}
+				}
+			}
+
+			// Weight specifies the relative proportion of traffic to be
+			// forwarded to the destination.
+			weight?: int
+		}]
+
+		// Timeout for HTTP requests, default is disabled.
+		timeout?: string
+	}]
+
+	// An ordered list of route rules for opaque TCP traffic.
+	tcp?: [...{
+		// Match conditions to be satisfied for the rule to be activated.
+		match?: [...{
+			// IPv4 or IPv6 ip addresses of destination with optional subnet.
+			destinationSubnets?: [...string]
+
+			// Names of gateways where the rule should be applied.
+			gateways?: [...string]
+
+			// Specifies the port on the host that is being addressed.
+			port?: int
+
+			// One or more labels that constrain the applicability of a rule
+			// to workloads with the given labels.
+			sourceLabels?: {
+				[string]: string
+			}
+
+			// Source namespace constraining the applicability of a rule to
+			// workloads in that namespace.
+			sourceNamespace?: string
+			sourceSubnet?:    string
+		}]
+
+		// The destination to which the connection should be forwarded to.
+		route?: [...{
+			// Destination uniquely identifies the instances of a service to
+			// which the request/connection should be forwarded to.
+			destination: {
+				// The name of a service from the service registry.
+				host: string
+				port?: {
+					number?: int
+				}
+
+				// The name of a subset within the service.
+				subset?: string
+			}
+
+			// Weight specifies the relative proportion of traffic to be
+			// forwarded to the destination.
+			weight?: int
+		}]
+	}]
+
+	// An ordered list of route rule for non-terminated TLS & HTTPS
+	// traffic.
+	tls?: [...{
+		// Match conditions to be satisfied for the rule to be activated.
+		match: [...{
+			// IPv4 or IPv6 ip addresses of destination with optional subnet.
+			destinationSubnets?: [...string]
+
+			// Names of gateways where the rule should be applied.
+			gateways?: [...string]
+
+			// Specifies the port on the host that is being addressed.
+			port?: int
+
+			// SNI (server name indicator) to match on.
+			sniHosts: [...string]
+
+			// One or more labels that constrain the applicability of a rule
+			// to workloads with the given labels.
+			sourceLabels?: {
+				[string]: string
+			}
+
+			// Source namespace constraining the applicability of a rule to
+			// workloads in that namespace.
+			sourceNamespace?: string
+		}]
+
+		// The destination to which the connection should be forwarded to.
+		route?: [...{
+			// Destination uniquely identifies the instances of a service to
+			// which the request/connection should be forwarded to.
+			destination: {
+				// The name of a service from the service registry.
+				host: string
+				port?: {
+					number?: int
+				}
+
+				// The name of a subset within the service.
+				subset?: string
+			}
+
+			// Weight specifies the relative proportion of traffic to be
+			// forwarded to the destination.
+			weight?: int
+		}]
+	}]
+}

docs/examples/cue.mod/gen/networking.istio.io/virtualservice/v1beta1/types_gen.cue

@@ -0,0 +1,594 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1beta1
+
+import "strings"
+
+#VirtualService: {
+	// Configuration affecting label/content routing, sni routing,
+	// etc. See more details at:
+	// https://istio.io/docs/reference/config/networking/virtual-service.html
+	spec!:      #VirtualServiceSpec
+	apiVersion: "networking.istio.io/v1beta1"
+	kind:       "VirtualService"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting label/content routing, sni routing,
+// etc. See more details at:
+// https://istio.io/docs/reference/config/networking/virtual-service.html
+#VirtualServiceSpec: {
+	// A list of namespaces to which this virtual service is exported.
+	exportTo?: [...string]
+
+	// The names of gateways and sidecars that should apply these
+	// routes.
+	gateways?: [...string]
+
+	// The destination hosts to which traffic is being sent.
+	hosts?: [...string]
+
+	// An ordered list of route rules for HTTP traffic.
+	http?: [...{
+		// Cross-Origin Resource Sharing policy (CORS).
+		corsPolicy?: {
+			// Indicates whether the caller is allowed to send the actual
+			// request (not the preflight) using credentials.
+			allowCredentials?: null | bool
+
+			// List of HTTP headers that can be used when requesting the
+			// resource.
+			allowHeaders?: [...string]
+
+			// List of HTTP methods allowed to access the resource.
+			allowMethods?: [...string]
+			allowOrigin?: [...string]
+
+			// String patterns that match allowed origins.
+			allowOrigins?: [...({} | {
+				exact: _
+			} | {
+				prefix: _
+			} | {
+				regex: _
+			}) & {
+				exact?:  string
+				prefix?: string
+
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				regex?: string
+			}]
+
+			// A list of HTTP headers that the browsers are allowed to access.
+			exposeHeaders?: [...string]
+
+			// Specifies how long the results of a preflight request can be
+			// cached.
+			maxAge?: string
+		}
+
+		// Delegate is used to specify the particular VirtualService which
+		// can be used to define delegate HTTPRoute.
+		delegate?: {
+			// Name specifies the name of the delegate VirtualService.
+			name?: string
+
+			// Namespace specifies the namespace where the delegate
+			// VirtualService resides.
+			namespace?: string
+		}
+
+		// A HTTP rule can either return a direct_response, redirect or
+		// forward (default) traffic.
+		directResponse?: {
+			// Specifies the content of the response body.
+			body?: ({} | {
+				string: _
+			} | {
+				bytes: _
+			}) & {
+				// response body as base64 encoded bytes.
+				bytes?:  string
+				string?: string
+			}
+
+			// Specifies the HTTP response status to be returned.
+			status: int
+		}
+
+		// Fault injection policy to apply on HTTP traffic at the client
+		// side.
+		fault?: {
+			// Abort Http request attempts and return error codes back to
+			// downstream service, giving the impression that the upstream
+			// service is faulty.
+			abort?: ({} | {
+				httpStatus: _
+			} | {
+				grpcStatus: _
+			} | {
+				http2Error: _
+			}) & {
+				// GRPC status code to use to abort the request.
+				grpcStatus?: string
+				http2Error?: string
+
+				// HTTP status code to use to abort the Http request.
+				httpStatus?: int
+				percentage?: {
+					value?: number
+				}
+			}
+
+			// Delay requests before forwarding, emulating various failures
+			// such as network issues, overloaded upstream service, etc.
+			delay?: ({} | {
+				fixedDelay: _
+			} | {
+				exponentialDelay: _
+			}) & {
+				exponentialDelay?: string
+
+				// Add a fixed delay before forwarding the request.
+				fixedDelay?: string
+
+				// Percentage of requests on which the delay will be injected
+				// (0-100).
+				percent?: int
+				percentage?: {
+					value?: number
+				}
+			}
+		}
+		headers?: {
+			request?: {
+				add?: {
+					[string]: string
+				}
+				remove?: [...string]
+				set?: {
+					[string]: string
+				}
+			}
+			response?: {
+				add?: {
+					[string]: string
+				}
+				remove?: [...string]
+				set?: {
+					[string]: string
+				}
+			}
+		}
+
+		// Match conditions to be satisfied for the rule to be activated.
+		match?: [...{
+			// HTTP Authority values are case-sensitive and formatted as
+			// follows: - `exact: "value"` for exact string match - `prefix:
+			// "value"` for prefix-based match - `regex: "value"` for RE2
+			// style regex-based match
+			// (https://github.com/google/re2/wiki/Syntax).
+			authority?: ({} | {
+				exact: _
+			} | {
+				prefix: _
+			} | {
+				regex: _
+			}) & {
+				exact?:  string
+				prefix?: string
+
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				regex?: string
+			}
+
+			// Names of gateways where the rule should be applied.
+			gateways?: [...string]
+
+			// The header keys must be lowercase and use hyphen as the
+			// separator, e.g.
+			headers?: {
+				[string]: ({} | {
+					exact: _
+				} | {
+					prefix: _
+				} | {
+					regex: _
+				}) & {
+					exact?:  string
+					prefix?: string
+
+					// RE2 style regex-based match
+					// (https://github.com/google/re2/wiki/Syntax).
+					regex?: string
+				}
+			}
+
+			// Flag to specify whether the URI matching should be
+			// case-insensitive.
+			ignoreUriCase?: bool
+
+			// HTTP Method values are case-sensitive and formatted as follows:
+			// - `exact: "value"` for exact string match - `prefix: "value"`
+			// for prefix-based match - `regex: "value"` for RE2 style
+			// regex-based match (https://github.com/google/re2/wiki/Syntax).
+			method?: ({} | {
+				exact: _
+			} | {
+				prefix: _
+			} | {
+				regex: _
+			}) & {
+				exact?:  string
+				prefix?: string
+
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				regex?: string
+			}
+
+			// The name assigned to a match.
+			name?: string
+
+			// Specifies the ports on the host that is being addressed.
+			port?: int
+
+			// Query parameters for matching.
+			queryParams?: {
+				[string]: ({} | {
+					exact: _
+				} | {
+					prefix: _
+				} | {
+					regex: _
+				}) & {
+					exact?:  string
+					prefix?: string
+
+					// RE2 style regex-based match
+					// (https://github.com/google/re2/wiki/Syntax).
+					regex?: string
+				}
+			}
+
+			// URI Scheme values are case-sensitive and formatted as follows:
+			// - `exact: "value"` for exact string match - `prefix: "value"`
+			// for prefix-based match - `regex: "value"` for RE2 style
+			// regex-based match (https://github.com/google/re2/wiki/Syntax).
+			scheme?: ({} | {
+				exact: _
+			} | {
+				prefix: _
+			} | {
+				regex: _
+			}) & {
+				exact?:  string
+				prefix?: string
+
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				regex?: string
+			}
+
+			// One or more labels that constrain the applicability of a rule
+			// to source (client) workloads with the given labels.
+			sourceLabels?: {
+				[string]: string
+			}
+
+			// Source namespace constraining the applicability of a rule to
+			// workloads in that namespace.
+			sourceNamespace?: string
+
+			// The human readable prefix to use when emitting statistics for
+			// this route.
+			statPrefix?: string
+
+			// URI to match values are case-sensitive and formatted as
+			// follows: - `exact: "value"` for exact string match - `prefix:
+			// "value"` for prefix-based match - `regex: "value"` for RE2
+			// style regex-based match
+			// (https://github.com/google/re2/wiki/Syntax).
+			uri?: ({} | {
+				exact: _
+			} | {
+				prefix: _
+			} | {
+				regex: _
+			}) & {
+				exact?:  string
+				prefix?: string
+
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				regex?: string
+			}
+
+			// withoutHeader has the same syntax with the header, but has
+			// opposite meaning.
+			withoutHeaders?: {
+				[string]: ({} | {
+					exact: _
+				} | {
+					prefix: _
+				} | {
+					regex: _
+				}) & {
+					exact?:  string
+					prefix?: string
+
+					// RE2 style regex-based match
+					// (https://github.com/google/re2/wiki/Syntax).
+					regex?: string
+				}
+			}
+		}]
+
+		// Mirror HTTP traffic to a another destination in addition to
+		// forwarding the requests to the intended destination.
+		mirror?: {
+			// The name of a service from the service registry.
+			host: string
+			port?: {
+				number?: int
+			}
+
+			// The name of a subset within the service.
+			subset?: string
+		}
+		mirror_percent?: null | int
+		mirrorPercent?:  null | int
+		mirrorPercentage?: {
+			value?: number
+		}
+
+		// Specifies the destinations to mirror HTTP traffic in addition
+		// to the original destination.
+		mirrors?: [...{
+			// Destination specifies the target of the mirror operation.
+			destination: {
+				// The name of a service from the service registry.
+				host: string
+				port?: {
+					number?: int
+				}
+
+				// The name of a subset within the service.
+				subset?: string
+			}
+			percentage?: {
+				value?: number
+			}
+		}]
+
+		// The name assigned to the route for debugging purposes.
+		name?: string
+
+		// A HTTP rule can either return a direct_response, redirect or
+		// forward (default) traffic.
+		redirect?: ({} | {
+			port: _
+		} | {
+			derivePort: _
+		}) & {
+			// On a redirect, overwrite the Authority/Host portion of the URL
+			// with this value.
+			authority?: string
+
+			// On a redirect, dynamically set the port: *
+			// FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and
+			// 443 for HTTPS.
+			derivePort?: "FROM_PROTOCOL_DEFAULT" | "FROM_REQUEST_PORT"
+
+			// On a redirect, overwrite the port portion of the URL with this
+			// value.
+			port?: int
+
+			// On a redirect, Specifies the HTTP status code to use in the
+			// redirect response.
+			redirectCode?: int
+
+			// On a redirect, overwrite the scheme portion of the URL with
+			// this value.
+			scheme?: string
+
+			// On a redirect, overwrite the Path portion of the URL with this
+			// value.
+			uri?: string
+		}
+
+		// Retry policy for HTTP requests.
+		retries?: {
+			// Number of retries to be allowed for a given request.
+			attempts?: int
+
+			// Timeout per attempt for a given request, including the initial
+			// call and any retries.
+			perTryTimeout?: string
+
+			// Specifies the conditions under which retry takes place.
+			retryOn?: string
+
+			// Flag to specify whether the retries should retry to other
+			// localities.
+			retryRemoteLocalities?: null | bool
+		}
+
+		// Rewrite HTTP URIs and Authority headers.
+		rewrite?: {
+			// rewrite the Authority/Host header with this value.
+			authority?: string
+
+			// rewrite the path (or the prefix) portion of the URI with this
+			// value.
+			uri?: string
+
+			// rewrite the path portion of the URI with the specified regex.
+			uriRegexRewrite?: {
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				match?: string
+
+				// The string that should replace into matching portions of
+				// original URI.
+				rewrite?: string
+			}
+		}
+
+		// A HTTP rule can either return a direct_response, redirect or
+		// forward (default) traffic.
+		route?: [...{
+			// Destination uniquely identifies the instances of a service to
+			// which the request/connection should be forwarded to.
+			destination: {
+				// The name of a service from the service registry.
+				host: string
+				port?: {
+					number?: int
+				}
+
+				// The name of a subset within the service.
+				subset?: string
+			}
+			headers?: {
+				request?: {
+					add?: {
+						[string]: string
+					}
+					remove?: [...string]
+					set?: {
+						[string]: string
+					}
+				}
+				response?: {
+					add?: {
+						[string]: string
+					}
+					remove?: [...string]
+					set?: {
+						[string]: string
+					}
+				}
+			}
+
+			// Weight specifies the relative proportion of traffic to be
+			// forwarded to the destination.
+			weight?: int
+		}]
+
+		// Timeout for HTTP requests, default is disabled.
+		timeout?: string
+	}]
+
+	// An ordered list of route rules for opaque TCP traffic.
+	tcp?: [...{
+		// Match conditions to be satisfied for the rule to be activated.
+		match?: [...{
+			// IPv4 or IPv6 ip addresses of destination with optional subnet.
+			destinationSubnets?: [...string]
+
+			// Names of gateways where the rule should be applied.
+			gateways?: [...string]
+
+			// Specifies the port on the host that is being addressed.
+			port?: int
+
+			// One or more labels that constrain the applicability of a rule
+			// to workloads with the given labels.
+			sourceLabels?: {
+				[string]: string
+			}
+
+			// Source namespace constraining the applicability of a rule to
+			// workloads in that namespace.
+			sourceNamespace?: string
+			sourceSubnet?:    string
+		}]
+
+		// The destination to which the connection should be forwarded to.
+		route?: [...{
+			// Destination uniquely identifies the instances of a service to
+			// which the request/connection should be forwarded to.
+			destination: {
+				// The name of a service from the service registry.
+				host: string
+				port?: {
+					number?: int
+				}
+
+				// The name of a subset within the service.
+				subset?: string
+			}
+
+			// Weight specifies the relative proportion of traffic to be
+			// forwarded to the destination.
+			weight?: int
+		}]
+	}]
+
+	// An ordered list of route rule for non-terminated TLS & HTTPS
+	// traffic.
+	tls?: [...{
+		// Match conditions to be satisfied for the rule to be activated.
+		match: [...{
+			// IPv4 or IPv6 ip addresses of destination with optional subnet.
+			destinationSubnets?: [...string]
+
+			// Names of gateways where the rule should be applied.
+			gateways?: [...string]
+
+			// Specifies the port on the host that is being addressed.
+			port?: int
+
+			// SNI (server name indicator) to match on.
+			sniHosts: [...string]
+
+			// One or more labels that constrain the applicability of a rule
+			// to workloads with the given labels.
+			sourceLabels?: {
+				[string]: string
+			}
+
+			// Source namespace constraining the applicability of a rule to
+			// workloads in that namespace.
+			sourceNamespace?: string
+		}]
+
+		// The destination to which the connection should be forwarded to.
+		route?: [...{
+			// Destination uniquely identifies the instances of a service to
+			// which the request/connection should be forwarded to.
+			destination: {
+				// The name of a service from the service registry.
+				host: string
+				port?: {
+					number?: int
+				}
+
+				// The name of a subset within the service.
+				subset?: string
+			}
+
+			// Weight specifies the relative proportion of traffic to be
+			// forwarded to the destination.
+			weight?: int
+		}]
+	}]
+}

docs/examples/cue.mod/gen/networking.istio.io/workloadentry/v1alpha3/types_gen.cue

@@ -0,0 +1,62 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1alpha3
+
+import "strings"
+
+#WorkloadEntry: {
+	// Configuration affecting VMs onboarded into the mesh. See more
+	// details at:
+	// https://istio.io/docs/reference/config/networking/workload-entry.html
+	spec!:      #WorkloadEntrySpec
+	apiVersion: "networking.istio.io/v1alpha3"
+	kind:       "WorkloadEntry"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting VMs onboarded into the mesh. See more
+// details at:
+// https://istio.io/docs/reference/config/networking/workload-entry.html
+#WorkloadEntrySpec: {
+	// Address associated with the network endpoint without the port.
+	address?: string
+
+	// One or more labels associated with the endpoint.
+	labels?: {
+		[string]: string
+	}
+
+	// The locality associated with the endpoint.
+	locality?: string
+
+	// Network enables Istio to group endpoints resident in the same
+	// L3 domain/network.
+	network?: string
+
+	// Set of ports associated with the endpoint.
+	ports?: {
+		[string]: int
+	}
+
+	// The service account associated with the workload if a sidecar
+	// is present in the workload.
+	serviceAccount?: string
+
+	// The load balancing weight associated with the endpoint.
+	weight?: int
+}

docs/examples/cue.mod/gen/networking.istio.io/workloadentry/v1beta1/types_gen.cue

@@ -0,0 +1,62 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1beta1
+
+import "strings"
+
+#WorkloadEntry: {
+	// Configuration affecting VMs onboarded into the mesh. See more
+	// details at:
+	// https://istio.io/docs/reference/config/networking/workload-entry.html
+	spec!:      #WorkloadEntrySpec
+	apiVersion: "networking.istio.io/v1beta1"
+	kind:       "WorkloadEntry"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting VMs onboarded into the mesh. See more
+// details at:
+// https://istio.io/docs/reference/config/networking/workload-entry.html
+#WorkloadEntrySpec: {
+	// Address associated with the network endpoint without the port.
+	address?: string
+
+	// One or more labels associated with the endpoint.
+	labels?: {
+		[string]: string
+	}
+
+	// The locality associated with the endpoint.
+	locality?: string
+
+	// Network enables Istio to group endpoints resident in the same
+	// L3 domain/network.
+	network?: string
+
+	// Set of ports associated with the endpoint.
+	ports?: {
+		[string]: int
+	}
+
+	// The service account associated with the workload if a sidecar
+	// is present in the workload.
+	serviceAccount?: string
+
+	// The load balancing weight associated with the endpoint.
+	weight?: int
+}

docs/examples/cue.mod/gen/networking.istio.io/workloadgroup/v1alpha3/types_gen.cue

@@ -0,0 +1,136 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1alpha3
+
+import "strings"
+
+#WorkloadGroup: {
+	// Describes a collection of workload instances. See more details
+	// at:
+	// https://istio.io/docs/reference/config/networking/workload-group.html
+	spec!:      #WorkloadGroupSpec
+	apiVersion: "networking.istio.io/v1alpha3"
+	kind:       "WorkloadGroup"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Describes a collection of workload instances. See more details
+// at:
+// https://istio.io/docs/reference/config/networking/workload-group.html
+#WorkloadGroupSpec: {
+	// Metadata that will be used for all corresponding
+	// `WorkloadEntries`.
+	metadata?: {
+		annotations?: {
+			[string]: string
+		}
+		labels?: {
+			[string]: string
+		}
+	}
+
+	// `ReadinessProbe` describes the configuration the user must
+	// provide for healthchecking on their workload.
+	probe?: ({} | {
+		httpGet: _
+	} | {
+		tcpSocket: _
+	} | {
+		exec: _
+	}) & {
+		exec?: {
+			// Command to run.
+			command?: [...string]
+		}
+
+		// Minimum consecutive failures for the probe to be considered
+		// failed after having succeeded.
+		failureThreshold?: int
+
+		// `httpGet` is performed to a given endpoint and the status/able
+		// to connect determines health.
+		httpGet?: {
+			// Host name to connect to, defaults to the pod IP.
+			host?: string
+
+			// Headers the proxy will pass on to make the request.
+			httpHeaders?: [...{
+				name?:  string
+				value?: string
+			}]
+
+			// Path to access on the HTTP server.
+			path?: string
+
+			// Port on which the endpoint lives.
+			port:    int
+			scheme?: string
+		}
+
+		// Number of seconds after the container has started before
+		// readiness probes are initiated.
+		initialDelaySeconds?: int
+
+		// How often (in seconds) to perform the probe.
+		periodSeconds?: int
+
+		// Minimum consecutive successes for the probe to be considered
+		// successful after having failed.
+		successThreshold?: int
+
+		// Health is determined by if the proxy is able to connect.
+		tcpSocket?: {
+			host?: string
+			port:  int
+		}
+
+		// Number of seconds after which the probe times out.
+		timeoutSeconds?: int
+	}
+
+	// Template to be used for the generation of `WorkloadEntry`
+	// resources that belong to this `WorkloadGroup`.
+	template: {
+		// Address associated with the network endpoint without the port.
+		address?: string
+
+		// One or more labels associated with the endpoint.
+		labels?: {
+			[string]: string
+		}
+
+		// The locality associated with the endpoint.
+		locality?: string
+
+		// Network enables Istio to group endpoints resident in the same
+		// L3 domain/network.
+		network?: string
+
+		// Set of ports associated with the endpoint.
+		ports?: {
+			[string]: int
+		}
+
+		// The service account associated with the workload if a sidecar
+		// is present in the workload.
+		serviceAccount?: string
+
+		// The load balancing weight associated with the endpoint.
+		weight?: int
+	}
+}

docs/examples/cue.mod/gen/networking.istio.io/workloadgroup/v1beta1/types_gen.cue

@@ -0,0 +1,138 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1beta1
+
+import "strings"
+
+#WorkloadGroup: {
+	// `WorkloadGroup` enables specifying the properties of a single
+	// workload for bootstrap and provides a template for
+	// `WorkloadEntry`, similar to how `Deployment` specifies
+	// properties of workloads via `Pod` templates.
+	spec!:      #WorkloadGroupSpec
+	apiVersion: "networking.istio.io/v1beta1"
+	kind:       "WorkloadGroup"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// `WorkloadGroup` enables specifying the properties of a single
+// workload for bootstrap and provides a template for
+// `WorkloadEntry`, similar to how `Deployment` specifies
+// properties of workloads via `Pod` templates.
+#WorkloadGroupSpec: {
+	// Metadata that will be used for all corresponding
+	// `WorkloadEntries`.
+	metadata?: {
+		annotations?: {
+			[string]: string
+		}
+		labels?: {
+			[string]: string
+		}
+	}
+
+	// `ReadinessProbe` describes the configuration the user must
+	// provide for healthchecking on their workload.
+	probe?: ({} | {
+		httpGet: _
+	} | {
+		tcpSocket: _
+	} | {
+		exec: _
+	}) & {
+		exec?: {
+			// Command to run.
+			command?: [...string]
+		}
+
+		// Minimum consecutive failures for the probe to be considered
+		// failed after having succeeded.
+		failureThreshold?: int
+
+		// `httpGet` is performed to a given endpoint and the status/able
+		// to connect determines health.
+		httpGet?: {
+			// Host name to connect to, defaults to the pod IP.
+			host?: string
+
+			// Headers the proxy will pass on to make the request.
+			httpHeaders?: [...{
+				name?:  string
+				value?: string
+			}]
+
+			// Path to access on the HTTP server.
+			path?: string
+
+			// Port on which the endpoint lives.
+			port:    int
+			scheme?: string
+		}
+
+		// Number of seconds after the container has started before
+		// readiness probes are initiated.
+		initialDelaySeconds?: int
+
+		// How often (in seconds) to perform the probe.
+		periodSeconds?: int
+
+		// Minimum consecutive successes for the probe to be considered
+		// successful after having failed.
+		successThreshold?: int
+
+		// Health is determined by if the proxy is able to connect.
+		tcpSocket?: {
+			host?: string
+			port:  int
+		}
+
+		// Number of seconds after which the probe times out.
+		timeoutSeconds?: int
+	}
+
+	// Template to be used for the generation of `WorkloadEntry`
+	// resources that belong to this `WorkloadGroup`.
+	template: {
+		// Address associated with the network endpoint without the port.
+		address?: string
+
+		// One or more labels associated with the endpoint.
+		labels?: {
+			[string]: string
+		}
+
+		// The locality associated with the endpoint.
+		locality?: string
+
+		// Network enables Istio to group endpoints resident in the same
+		// L3 domain/network.
+		network?: string
+
+		// Set of ports associated with the endpoint.
+		ports?: {
+			[string]: int
+		}
+
+		// The service account associated with the workload if a sidecar
+		// is present in the workload.
+		serviceAccount?: string
+
+		// The load balancing weight associated with the endpoint.
+		weight?: int
+	}
+}

docs/examples/cue.mod/gen/security.istio.io/authorizationpolicy/v1/types_gen.cue

@@ -0,0 +1,147 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1
+
+import "strings"
+
+#AuthorizationPolicy: {
+	// Configuration for access control on workloads. See more details
+	// at:
+	// https://istio.io/docs/reference/config/security/authorization-policy.html
+	spec!:      #AuthorizationPolicySpec
+	apiVersion: "security.istio.io/v1"
+	kind:       "AuthorizationPolicy"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration for access control on workloads. See more details
+// at:
+// https://istio.io/docs/reference/config/security/authorization-policy.html
+#AuthorizationPolicySpec: ({} | {
+	provider: _
+}) & {
+	// Optional.
+	action?: "ALLOW" | "DENY" | "AUDIT" | "CUSTOM"
+	provider?: {
+		// Specifies the name of the extension provider.
+		name?: string
+	}
+
+	// Optional.
+	rules?: [...{
+		// Optional.
+		from?: [...{
+			// Source specifies the source of a request.
+			source?: {
+				// Optional.
+				ipBlocks?: [...string]
+
+				// Optional.
+				namespaces?: [...string]
+
+				// Optional.
+				notIpBlocks?: [...string]
+
+				// Optional.
+				notNamespaces?: [...string]
+
+				// Optional.
+				notPrincipals?: [...string]
+
+				// Optional.
+				notRemoteIpBlocks?: [...string]
+
+				// Optional.
+				notRequestPrincipals?: [...string]
+
+				// Optional.
+				principals?: [...string]
+
+				// Optional.
+				remoteIpBlocks?: [...string]
+
+				// Optional.
+				requestPrincipals?: [...string]
+			}
+		}]
+
+		// Optional.
+		to?: [...{
+			// Operation specifies the operation of a request.
+			operation?: {
+				// Optional.
+				hosts?: [...string]
+
+				// Optional.
+				methods?: [...string]
+
+				// Optional.
+				notHosts?: [...string]
+
+				// Optional.
+				notMethods?: [...string]
+
+				// Optional.
+				notPaths?: [...string]
+
+				// Optional.
+				notPorts?: [...string]
+
+				// Optional.
+				paths?: [...string]
+
+				// Optional.
+				ports?: [...string]
+			}
+		}]
+
+		// Optional.
+		when?: [...{
+			// The name of an Istio attribute.
+			key: string
+
+			// Optional.
+			notValues?: [...string]
+
+			// Optional.
+			values?: [...string]
+		}]
+	}]
+	selector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which a policy should be applied.
+		matchLabels?: {
+			[string]: string
+		}
+	}
+
+	// Optional.
+	targetRef?: {
+		// group is the group of the target resource.
+		group?: string
+
+		// kind is kind of the target resource.
+		kind?: string
+
+		// name is the name of the target resource.
+		name?: string
+
+		// namespace is the namespace of the referent.
+		namespace?: string
+	}
+}

docs/examples/cue.mod/gen/security.istio.io/authorizationpolicy/v1beta1/types_gen.cue

@@ -0,0 +1,147 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1beta1
+
+import "strings"
+
+#AuthorizationPolicy: {
+	// Configuration for access control on workloads. See more details
+	// at:
+	// https://istio.io/docs/reference/config/security/authorization-policy.html
+	spec!:      #AuthorizationPolicySpec
+	apiVersion: "security.istio.io/v1beta1"
+	kind:       "AuthorizationPolicy"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration for access control on workloads. See more details
+// at:
+// https://istio.io/docs/reference/config/security/authorization-policy.html
+#AuthorizationPolicySpec: ({} | {
+	provider: _
+}) & {
+	// Optional.
+	action?: "ALLOW" | "DENY" | "AUDIT" | "CUSTOM"
+	provider?: {
+		// Specifies the name of the extension provider.
+		name?: string
+	}
+
+	// Optional.
+	rules?: [...{
+		// Optional.
+		from?: [...{
+			// Source specifies the source of a request.
+			source?: {
+				// Optional.
+				ipBlocks?: [...string]
+
+				// Optional.
+				namespaces?: [...string]
+
+				// Optional.
+				notIpBlocks?: [...string]
+
+				// Optional.
+				notNamespaces?: [...string]
+
+				// Optional.
+				notPrincipals?: [...string]
+
+				// Optional.
+				notRemoteIpBlocks?: [...string]
+
+				// Optional.
+				notRequestPrincipals?: [...string]
+
+				// Optional.
+				principals?: [...string]
+
+				// Optional.
+				remoteIpBlocks?: [...string]
+
+				// Optional.
+				requestPrincipals?: [...string]
+			}
+		}]
+
+		// Optional.
+		to?: [...{
+			// Operation specifies the operation of a request.
+			operation?: {
+				// Optional.
+				hosts?: [...string]
+
+				// Optional.
+				methods?: [...string]
+
+				// Optional.
+				notHosts?: [...string]
+
+				// Optional.
+				notMethods?: [...string]
+
+				// Optional.
+				notPaths?: [...string]
+
+				// Optional.
+				notPorts?: [...string]
+
+				// Optional.
+				paths?: [...string]
+
+				// Optional.
+				ports?: [...string]
+			}
+		}]
+
+		// Optional.
+		when?: [...{
+			// The name of an Istio attribute.
+			key: string
+
+			// Optional.
+			notValues?: [...string]
+
+			// Optional.
+			values?: [...string]
+		}]
+	}]
+	selector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which a policy should be applied.
+		matchLabels?: {
+			[string]: string
+		}
+	}
+
+	// Optional.
+	targetRef?: {
+		// group is the group of the target resource.
+		group?: string
+
+		// kind is kind of the target resource.
+		kind?: string
+
+		// name is the name of the target resource.
+		name?: string
+
+		// namespace is the namespace of the referent.
+		namespace?: string
+	}
+}

docs/examples/cue.mod/gen/security.istio.io/peerauthentication/v1beta1/types_gen.cue

@@ -0,0 +1,55 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1beta1
+
+import "strings"
+
+#PeerAuthentication: {
+	// Peer authentication configuration for workloads. See more
+	// details at:
+	// https://istio.io/docs/reference/config/security/peer_authentication.html
+	spec!:      #PeerAuthenticationSpec
+	apiVersion: "security.istio.io/v1beta1"
+	kind:       "PeerAuthentication"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Peer authentication configuration for workloads. See more
+// details at:
+// https://istio.io/docs/reference/config/security/peer_authentication.html
+#PeerAuthenticationSpec: {
+	mtls?: {
+		// Defines the mTLS mode used for peer authentication.
+		mode?: "UNSET" | "DISABLE" | "PERMISSIVE" | "STRICT"
+	}
+
+	// Port specific mutual TLS settings.
+	portLevelMtls?: {
+		[string]: {
+			// Defines the mTLS mode used for peer authentication.
+			mode?: "UNSET" | "DISABLE" | "PERMISSIVE" | "STRICT"
+		}
+	}
+	selector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which a policy should be applied.
+		matchLabels?: {
+			[string]: string
+		}
+	}
+}

docs/examples/cue.mod/gen/security.istio.io/requestauthentication/v1/types_gen.cue

@@ -0,0 +1,111 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1
+
+import "strings"
+
+#RequestAuthentication: {
+	// Request authentication configuration for workloads. See more
+	// details at:
+	// https://istio.io/docs/reference/config/security/request_authentication.html
+	spec!:      #RequestAuthenticationSpec
+	apiVersion: "security.istio.io/v1"
+	kind:       "RequestAuthentication"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Request authentication configuration for workloads. See more
+// details at:
+// https://istio.io/docs/reference/config/security/request_authentication.html
+#RequestAuthenticationSpec: {
+	// Define the list of JWTs that can be validated at the selected
+	// workloads' proxy.
+	jwtRules?: [...{
+		// The list of JWT
+		// [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3)
+		// that are allowed to access.
+		audiences?: [...string]
+
+		// If set to true, the original token will be kept for the
+		// upstream request.
+		forwardOriginalToken?: bool
+
+		// List of header locations from which JWT is expected.
+		fromHeaders?: [...{
+			// The HTTP header name.
+			name: string
+
+			// The prefix that should be stripped before decoding the token.
+			prefix?: string
+		}]
+
+		// List of query parameters from which JWT is expected.
+		fromParams?: [...string]
+
+		// Identifies the issuer that issued the JWT.
+		issuer: string
+
+		// JSON Web Key Set of public keys to validate signature of the
+		// JWT.
+		jwks?: string
+
+		// URL of the provider's public key set to validate signature of
+		// the JWT.
+		jwks_uri?: string
+
+		// URL of the provider's public key set to validate signature of
+		// the JWT.
+		jwksUri?: string
+
+		// This field specifies a list of operations to copy the claim to
+		// HTTP headers on a successfully verified token.
+		outputClaimToHeaders?: [...{
+			// The name of the claim to be copied from.
+			claim?: string
+
+			// The name of the header to be created.
+			header?: string
+		}]
+
+		// This field specifies the header name to output a successfully
+		// verified JWT payload to the backend.
+		outputPayloadToHeader?: string
+	}]
+	selector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which a policy should be applied.
+		matchLabels?: {
+			[string]: string
+		}
+	}
+
+	// Optional.
+	targetRef?: {
+		// group is the group of the target resource.
+		group?: string
+
+		// kind is kind of the target resource.
+		kind?: string
+
+		// name is the name of the target resource.
+		name?: string
+
+		// namespace is the namespace of the referent.
+		namespace?: string
+	}
+}

docs/examples/cue.mod/gen/security.istio.io/requestauthentication/v1beta1/types_gen.cue

@@ -0,0 +1,111 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1beta1
+
+import "strings"
+
+#RequestAuthentication: {
+	// Request authentication configuration for workloads. See more
+	// details at:
+	// https://istio.io/docs/reference/config/security/request_authentication.html
+	spec!:      #RequestAuthenticationSpec
+	apiVersion: "security.istio.io/v1beta1"
+	kind:       "RequestAuthentication"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Request authentication configuration for workloads. See more
+// details at:
+// https://istio.io/docs/reference/config/security/request_authentication.html
+#RequestAuthenticationSpec: {
+	// Define the list of JWTs that can be validated at the selected
+	// workloads' proxy.
+	jwtRules?: [...{
+		// The list of JWT
+		// [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3)
+		// that are allowed to access.
+		audiences?: [...string]
+
+		// If set to true, the original token will be kept for the
+		// upstream request.
+		forwardOriginalToken?: bool
+
+		// List of header locations from which JWT is expected.
+		fromHeaders?: [...{
+			// The HTTP header name.
+			name: string
+
+			// The prefix that should be stripped before decoding the token.
+			prefix?: string
+		}]
+
+		// List of query parameters from which JWT is expected.
+		fromParams?: [...string]
+
+		// Identifies the issuer that issued the JWT.
+		issuer: string
+
+		// JSON Web Key Set of public keys to validate signature of the
+		// JWT.
+		jwks?: string
+
+		// URL of the provider's public key set to validate signature of
+		// the JWT.
+		jwks_uri?: string
+
+		// URL of the provider's public key set to validate signature of
+		// the JWT.
+		jwksUri?: string
+
+		// This field specifies a list of operations to copy the claim to
+		// HTTP headers on a successfully verified token.
+		outputClaimToHeaders?: [...{
+			// The name of the claim to be copied from.
+			claim?: string
+
+			// The name of the header to be created.
+			header?: string
+		}]
+
+		// This field specifies the header name to output a successfully
+		// verified JWT payload to the backend.
+		outputPayloadToHeader?: string
+	}]
+	selector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which a policy should be applied.
+		matchLabels?: {
+			[string]: string
+		}
+	}
+
+	// Optional.
+	targetRef?: {
+		// group is the group of the target resource.
+		group?: string
+
+		// kind is kind of the target resource.
+		kind?: string
+
+		// name is the name of the target resource.
+		name?: string
+
+		// namespace is the namespace of the referent.
+		namespace?: string
+	}
+}

docs/examples/cue.mod/gen/telemetry.istio.io/telemetry/v1alpha1/types_gen.cue

@@ -0,0 +1,184 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
+
+package v1alpha1
+
+import "strings"
+
+#Telemetry: {
+	// Telemetry configuration for workloads. See more details at:
+	// https://istio.io/docs/reference/config/telemetry.html
+	spec!:      #TelemetrySpec
+	apiVersion: "telemetry.istio.io/v1alpha1"
+	kind:       "Telemetry"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Telemetry configuration for workloads. See more details at:
+// https://istio.io/docs/reference/config/telemetry.html
+#TelemetrySpec: {
+	// Optional.
+	accessLogging?: [...{
+		// Controls logging.
+		disabled?: null | bool
+		filter?: {
+			// CEL expression for selecting when requests/connections should
+			// be logged.
+			expression?: string
+		}
+		match?: {
+			// This determines whether or not to apply the access logging
+			// configuration based on the direction of traffic relative to
+			// the proxied workload.
+			mode?: "CLIENT_AND_SERVER" | "CLIENT" | "SERVER"
+		}
+
+		// Optional.
+		providers?: [...{
+			// Required.
+			name: string
+		}]
+	}]
+
+	// Optional.
+	metrics?: [...{
+		// Optional.
+		overrides?: [...{
+			// Optional.
+			disabled?: null | bool
+
+			// Match allows provides the scope of the override.
+			match?: ({} | {
+				metric: _
+			} | {
+				customMetric: _
+			}) & {
+				// Allows free-form specification of a metric.
+				customMetric?: string
+
+				// One of the well-known Istio Standard Metrics.
+				metric?: "ALL_METRICS" | "REQUEST_COUNT" | "REQUEST_DURATION" | "REQUEST_SIZE" | "RESPONSE_SIZE" | "TCP_OPENED_CONNECTIONS" | "TCP_CLOSED_CONNECTIONS" | "TCP_SENT_BYTES" | "TCP_RECEIVED_BYTES" | "GRPC_REQUEST_MESSAGES" | "GRPC_RESPONSE_MESSAGES"
+
+				// Controls which mode of metrics generation is selected: CLIENT
+				// and/or SERVER.
+				mode?: "CLIENT_AND_SERVER" | "CLIENT" | "SERVER"
+			}
+
+			// Optional.
+			tagOverrides?: {
+				[string]: {
+					// Operation controls whether or not to update/add a tag, or to
+					// remove it.
+					operation?: "UPSERT" | "REMOVE"
+
+					// Value is only considered if the operation is `UPSERT`.
+					value?: string
+				}
+			}
+		}]
+
+		// Optional.
+		providers?: [...{
+			// Required.
+			name: string
+		}]
+
+		// Optional.
+		reportingInterval?: string
+	}]
+	selector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which a policy should be applied.
+		matchLabels?: {
+			[string]: string
+		}
+	}
+
+	// Optional.
+	targetRef?: {
+		// group is the group of the target resource.
+		group?: string
+
+		// kind is kind of the target resource.
+		kind?: string
+
+		// name is the name of the target resource.
+		name?: string
+
+		// namespace is the namespace of the referent.
+		namespace?: string
+	}
+
+	// Optional.
+	tracing?: [...{
+		// Optional.
+		customTags?: {
+			[string]: ({} | {
+				literal: _
+			} | {
+				environment: _
+			} | {
+				header: _
+			}) & {
+				// Environment adds the value of an environment variable to each
+				// span.
+				environment?: {
+					// Optional.
+					defaultValue?: string
+
+					// Name of the environment variable from which to extract the tag
+					// value.
+					name?: string
+				}
+
+				// RequestHeader adds the value of an header from the request to
+				// each span.
+				header?: {
+					// Optional.
+					defaultValue?: string
+
+					// Name of the header from which to extract the tag value.
+					name?: string
+				}
+				literal?: {
+					// The tag value to use.
+					value?: string
+				}
+			}
+		}
+
+		// Controls span reporting.
+		disableSpanReporting?: null | bool
+		match?: {
+			// This determines whether or not to apply the tracing
+			// configuration based on the direction of traffic relative to
+			// the proxied workload.
+			mode?: "CLIENT_AND_SERVER" | "CLIENT" | "SERVER"
+		}
+
+		// Optional.
+		providers?: [...{
+			// Required.
+			name: string
+		}]
+
+		// Controls the rate at which traffic will be selected for tracing
+		// if no prior sampling decision has been made.
+		randomSamplingPercentage?:     null | number
+		useRequestIdForTraceSampling?: null | bool
+	}]
+}

docs/examples/platforms/reference/clusters/workload/cloud/mesh/certissuers/issuers.cue

@@ -6,6 +6,12 @@ package holos
 
 let Name = "letsencrypt"
 
+// The cloudflare api token is platform scoped, not cluster scoped.
+#SecretName: "cloudflare-api-token-secret"
+
+// Depends on cert manager
+#DependsOn: _CertManager
+
 #KubernetesObjects & {
 	apiObjects: {
 		ClusterIssuer: {
@@ -41,12 +47,15 @@ let Name = "letsencrypt"
 						solvers: [{
 							dns01: cloudflare: {
 								email: #Platform.org.cloudflare.email
-								apiTokenSecretRef: name: "cloudflare-api-token-secret"
+								apiTokenSecretRef: name: #SecretName
 								apiTokenSecretRef: key:  "api_token"
 							}}]
 					}
 				}
 			}
 		}
+		ExternalSecret: "\(#SecretName)": #ExternalSecret & {
+			_name: #SecretName
+		}
 	}
 }

docs/examples/platforms/reference/clusters/workload/cloud/mesh/istio/base/istiobase.cue

@@ -0,0 +1,42 @@
+package holos
+
+#InputKeys: component: "istio-base"
+#TargetNamespace: "istio-system"
+
+#HelmChart & {
+	namespace: #TargetNamespace
+	chart: {
+		name:    "base"
+		version: "1.20.3"
+		repository: {
+			name: "istio"
+			url:  "https://istio-release.storage.googleapis.com/charts"
+		}
+	}
+	values: {
+		global: {
+			// Used to locate istiod.
+			istioNamespace: #TargetNamespace
+			// Switch the hub away from the default docker.io to avoid rate limits
+			hub: "gcr.io/istio-release"
+			// ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace
+      // to use for pulling any images in pods that reference this ServiceAccount.
+      // Must be set for any cluster configured with private docker registry.
+      imagePullSecrets: []
+      istiod: enableAnalysis: false
+      configValidation: true
+      externalIstiod: false
+      remotePilotAddress: ""
+		}
+		base: {
+			// Include the CRDs in the helm template output
+			enableCRDTemplates: true
+			// Validation webhook configuration url
+			// For example: https://$remotePilotAddress:15017/validate
+			validationURL: ""
+			// For istioctl usage to disable istio config crds in base
+			enableIstioConfigCRDs: true
+		}
+		defaultRevision: "default"
+	}
+}

docs/examples/platforms/reference/clusters/workload/cloud/mesh/mesh.cue

@@ -1,12 +1,12 @@
 package holos
 
-// All components are share this collection
-#InputKeys: {
-	project: "mesh"
-}
+// Components under this directory are part of this collection
+#InputKeys: project: "mesh"
 
 // Shared dependencies for all components in this collection.
-#Kustomization: spec: {
-	dependsOn: [{name: "\(#StageName)-secrets-namespaces"}, ...]
-	targetNamespace: #TargetNamespace
-}
+#Kustomization: spec: targetNamespace: #TargetNamespace
+#DependsOn: _Namespaces
+
+// Common Dependencies
+_CertManager: CertManager: name: "\(#InstancePrefix)-certmanager"
+_Namespaces: Namespaces: name:   "\(#StageName)-secrets-namespaces"

docs/examples/platforms/reference/clusters/workload/cloud/secrets/components/eso-creds-refresher/component.cue

@@ -20,9 +20,7 @@ import "encoding/json"
 
 #TargetNamespace: #CredsRefresher.namespace
 
-#Kustomization: spec: {
-	dependsOn: [{name: #InstancePrefix + "-namespaces"}]
-}
+#DependsOn: Namespaces: name: #InstancePrefix + "-namespaces"
 
 let NAME = #CredsRefresher.name
 let AUD = "//iam.googleapis.com/projects/\(#InputKeys.gcpProjectNumber)/locations/global/workloadIdentityPools/holos/providers/k8s-\(#InputKeys.cluster)"

docs/examples/platforms/reference/clusters/workload/cloud/secrets/components/eso/eso.cue

@@ -11,10 +11,8 @@ package holos
 	service: "eso"
 }
 
-#Kustomization: spec: {
-	dependsOn: [{name: #InstancePrefix + "-namespaces"}]
-	targetNamespace: #TargetNamespace
-}
+#Kustomization: spec: targetNamespace: #TargetNamespace
+#DependsOn: Namespaces: name:          #InstancePrefix + "-namespaces"
 
 #HelmChart & {
 	values: installCrds: true

docs/examples/platforms/reference/clusters/workload/cloud/secrets/components/namespaces/component.cue

@@ -12,8 +12,12 @@ package holos
 	_ns: #PlatformNamespace
 
 	objects: [
-		#Namespace & {metadata: _ns},
-		#SecretStore & {_namespace: _ns.name}
+		#Namespace & {
+			metadata: _ns
+		},
+		#SecretStore & {
+			_namespace: _ns.name
+		},
 	]
 }
 

docs/examples/platforms/reference/clusters/workload/cloud/secrets/components/validate/component.cue

@@ -9,7 +9,7 @@ package holos
 	component: "validate"
 }
 
-#Kustomization: spec: dependsOn: [{name: #InstancePrefix + "-eso"}]
+#DependsOn: Namespaces: name: #InstancePrefix + "-eso"
 
 #KubernetesObjects & {
 	apiObjects: {

docs/examples/platforms/reference/clusters/workload/metal/ceph/ceph.cue

@@ -12,10 +12,8 @@ package holos
 	component: "ceph"
 }
 
-#Kustomization: spec: {
-	dependsOn: [{name: "prod-secrets-namespaces"}]
-	targetNamespace: #TargetNamespace
-}
+#Kustomization: spec: targetNamespace: #TargetNamespace
+#DependsOn: Namespaces: name:          "\(#StageName)-secrets-namespaces"
 
 #HelmChart & {
 	namespace: #TargetNamespace

docs/examples/platforms/reference/namespaces.cue

@@ -1,17 +1,16 @@
 package holos
 
+let Privileged = {labels: "pod-security.kubernetes.io/enforce": "privileged"}
+
 // #PlatformNamespaces is the union of all namespaces across all cluster types.  Namespaces are created in all clusters regardless of if they're
 // used within the cluster or not.  The is important for security and consistency with IAM, RBAC, and Secrets sync between clusters.
 #PlatformNamespaces: [
 	{name: "external-secrets"},
 	{name: "holos-system"},
 	{name: "flux-system"},
-	{
-		name: "ceph-system"
-		labels: "pod-security.kubernetes.io/enforce": "privileged"
-	},
-	{name: "istio-system"},
-	{name: "istio-ingress"},
+	{name: "ceph-system"} & Privileged,
+	{name: "istio-system"} & Privileged,
+	{name: "istio-ingress"} & Privileged,
 	{name: "cert-manager"},
 	{name: "argocd"},
 ]

docs/examples/schema.cue

@@ -96,9 +96,18 @@ _apiVersion: "holos.run/v1alpha1"
 		targetNamespace?: string
 		timeout:          string | *"3m0s"
 		wait:             bool | *true
+		dependsOn: [for k, v in #DependsOn {v}]
 	}
 }
 
+// #DependsOn stores all of the dependencies between components.  It's a struct to support merging across levels in the tree.
+#DependsOn: {
+	[NAME=_]: {
+		name: string
+	}
+	...
+}
+
 // External Secrets CRDs
 #ExternalSecret: #NamespaceObject & es.#ExternalSecret & {
 	_name: string

pkg/version/embedded/minor

@@ -1 +1 @@
-48
+49

pkg/version/embedded/patch

@@ -1 +1 @@
-3
+0