(#42) Add KustomizeBuild holos component type to install pgo

PGO uses plain yaml and kustomize as the recommended installation
method.  Holos supports upstream by adding a new PlainFiles component
kind, which simply copies files into place and lets kustomize handle the
generation of the api objects.

Cue is responsible for very little in this kind of component, basically
allowing overlay resources if needed and deferring everything else to
the holos cli.

The holos cli in turn is responsible for executing kubectl kustomize
build on the input directory to produce the rendered output, then writes
the rendered output into place.

.github/workflows/lint.yaml

@@ -1,6 +1,7 @@
+---
 # https://github.com/golangci/golangci-lint-action?tab=readme-ov-file#how-to-use
 name: Lint
-on:
+"on":
   push:
     branches:
       - main
@@ -14,7 +15,7 @@ permissions:
 jobs:
   golangci:
     name: lint
-    runs-on: [self-hosted, k8s]
+    runs-on: gha-rs
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v5
@@ -22,6 +23,6 @@ jobs:
           go-version: stable
           cache: false
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v3
+        uses: golangci/golangci-lint-action@v4
         with:
           version: latest

.github/workflows/release.yaml

@@ -2,17 +2,20 @@ name: Release
 
 on:
   push:
-    # Run only against tags
     tags:
       - '*'
+    branches:
+      - release
 
 permissions:
   contents: write
 
 jobs:
   goreleaser:
-    runs-on: [self-hosted, k8s]
+    runs-on: gha-rs
     steps:
+      - name: Provide GPG and Git
+        run: sudo apt update && sudo apt -qq -y install gnupg git
       - name: Checkout
         uses: actions/checkout@v4
         with:

.github/workflows/test.yaml

@@ -13,7 +13,7 @@ permissions:
 
 jobs:
   test:
-    runs-on: [self-hosted, k8s]
+    runs-on: gha-rs
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
@@ -23,5 +23,14 @@ jobs:
         with:
           go-version: stable
 
+      - name: Provide unzip for Helm
+        run: sudo apt update && sudo apt -qq -y install curl zip unzip tar bzip2
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+
+      - name: Set up Kubectl
+        uses: azure/setup-kubectl@v3
+
       - name: Test
         run: ./scripts/test

cmd/holos/testdata/issue33_helm_stderr.txt

@@ -0,0 +1,281 @@
+# Want helm errors to show up
+! exec holos build .
+stderr 'Error: execution error at \(zitadel/templates/secret_zitadel-masterkey.yaml:2:4\): Either set .Values.zitadel.masterkey xor .Values.zitadel.masterkeySecretName'
+
+-- cue.mod --
+package holos
+-- zitadel.cue --
+package holos
+
+cluster: string @tag(cluster, string)
+
+apiVersion: "holos.run/v1alpha1"
+kind: "HelmChart"
+metadata: name: "zitadel"
+namespace: "zitadel"
+chart: {
+	name:    "zitadel"
+	version: "7.9.0"
+	release: name
+	repository: {
+		name: "zitadel"
+		url:  "https://charts.zitadel.com"
+	}
+}
+
+
+-- vendor/zitadel/templates/secret_zitadel-masterkey.yaml --
+{{- if (or (and .Values.zitadel.masterkey .Values.zitadel.masterkeySecretName) (and (not .Values.zitadel.masterkey) (not .Values.zitadel.masterkeySecretName)) ) }}
+{{- fail "Either set .Values.zitadel.masterkey xor .Values.zitadel.masterkeySecretName" }}
+{{- end }}
+{{- if .Values.zitadel.masterkey -}}
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: zitadel-masterkey
+  {{- with .Values.zitadel.masterkeyAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  labels:
+    {{- include "zitadel.labels" . | nindent 4 }}
+stringData:
+  masterkey: {{ .Values.zitadel.masterkey }}
+{{- end -}}
+-- vendor/zitadel/Chart.yaml --
+apiVersion: v2
+appVersion: v2.46.0
+description: A Helm chart for ZITADEL
+icon: https://zitadel.com/zitadel-logo-dark.svg
+kubeVersion: '>= 1.21.0-0'
+maintainers:
+- email: support@zitadel.com
+  name: zitadel
+  url: https://zitadel.com
+name: zitadel
+type: application
+version: 7.9.0
+-- vendor/zitadel/values.yaml --
+# Default values for zitadel.
+zitadel:
+  # The ZITADEL config under configmapConfig is written to a Kubernetes ConfigMap
+  # See all defaults here:
+  # https://github.com/zitadel/zitadel/blob/main/cmd/defaults.yaml
+  configmapConfig:
+    ExternalSecure: true
+    Machine:
+      Identification:
+        Hostname:
+          Enabled: true
+        Webhook:
+          Enabled: false
+
+  # The ZITADEL config under secretConfig is written to a Kubernetes Secret
+  # See all defaults here:
+  # https://github.com/zitadel/zitadel/blob/main/cmd/defaults.yaml
+  secretConfig:
+
+  # Annotations set on secretConfig secret
+  secretConfigAnnotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation
+    helm.sh/hook-weight: "0"
+
+  # Reference the name of a secret that contains ZITADEL configuration.
+  configSecretName:
+  # The key under which the ZITADEL configuration is located in the secret.
+  configSecretKey: config-yaml
+
+  # ZITADEL uses the masterkey for symmetric encryption.
+  # You can generate it for example with tr -dc A-Za-z0-9 </dev/urandom | head -c 32
+  masterkey: ""
+  # Reference the name of the secret that contains the masterkey. The key should be named "masterkey".
+  # Note: Either zitadel.masterkey or zitadel.masterkeySecretName must be set
+  masterkeySecretName: ""
+
+  # Annotations set on masterkey secret
+  masterkeyAnnotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation
+    helm.sh/hook-weight: "0"
+
+  # The CA Certificate needed for establishing secure database connections
+  dbSslCaCrt: ""
+
+  # The Secret containing the CA certificate at key ca.crt needed for establishing secure database connections
+  dbSslCaCrtSecret: ""
+
+  # The db admins secret containing the client certificate and key at tls.crt and tls.key needed for establishing secure database connections
+  dbSslAdminCrtSecret: ""
+
+  # The db users secret containing the client certificate and key at tls.crt and tls.key needed for establishing secure database connections
+  dbSslUserCrtSecret: ""
+
+  # Generate a self-signed certificate using an init container
+  # This will also mount the generated files to /etc/tls/ so that you can reference them in the pod.
+  # E.G. KeyPath: /etc/tls/tls.key CertPath: /etc/tls/tls.crt
+  # By default, the SAN DNS names include, localhost, the POD IP address and the POD name. You may include one more by using additionalDnsName like "my.zitadel.fqdn".
+  selfSignedCert:
+    enabled: false
+    additionalDnsName:
+
+replicaCount: 3
+
+image:
+  repository: ghcr.io/zitadel/zitadel
+  pullPolicy: IfNotPresent
+  # Overrides the image tag whose default is the chart appVersion.
+  tag: ""
+
+chownImage:
+  repository: alpine
+  pullPolicy: IfNotPresent
+  tag: "3.19"
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+# Annotations to add to the deployment
+annotations: {}
+
+# Annotations to add to the configMap
+configMap:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation
+    helm.sh/hook-weight: "0"
+
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # Annotations to add to the service account
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation
+    helm.sh/hook-weight: "0"
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+
+podAnnotations: {}
+
+podAdditionalLabels: {}
+
+podSecurityContext:
+  runAsNonRoot: true
+  runAsUser: 1000
+
+securityContext: {}
+
+# Additional environment variables
+env:
+  []
+  # - name: ZITADEL_DATABASE_POSTGRES_HOST
+  #   valueFrom:
+  #     secretKeyRef:
+  #       name: postgres-pguser-postgres
+  #       key: host
+
+service:
+  type: ClusterIP
+  # If service type is "ClusterIP", this can optionally be set to a fixed IP address.
+  clusterIP: ""
+  port: 8080
+  protocol: http2
+  annotations: {}
+  scheme: HTTP
+
+ingress:
+  enabled: false
+  className: ""
+  annotations: {}
+  hosts:
+    - host: localhost
+      paths:
+        - path: /
+          pathType: Prefix
+  tls: []
+
+resources: {}
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+topologySpreadConstraints: []
+
+initJob:
+  # Once ZITADEL is installed, the initJob can be disabled.
+  enabled: true
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation
+    helm.sh/hook-weight: "1"
+  resources: {}
+  backoffLimit: 5
+  activeDeadlineSeconds: 300
+  extraContainers: []
+  podAnnotations: {}
+  # Available init commands :
+  # "": initialize ZITADEL instance (without skip anything)
+  # database: initialize only the database
+  # grant: set ALL grant to user
+  # user: initialize only the database user
+  # zitadel: initialize ZITADEL internals (skip "create user" and "create database")
+  command: ""
+
+setupJob:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation
+    helm.sh/hook-weight: "2"
+  resources: {}
+  activeDeadlineSeconds: 300
+  extraContainers: []
+  podAnnotations: {}
+  additionalArgs:
+    - "--init-projections=true"
+  machinekeyWriter:
+    image:
+      repository: bitnami/kubectl
+      tag: ""
+    resources: {}
+
+readinessProbe:
+  enabled: true
+  initialDelaySeconds: 0
+  periodSeconds: 5
+  failureThreshold: 3
+
+livenessProbe:
+  enabled: true
+  initialDelaySeconds: 0
+  periodSeconds: 5
+  failureThreshold: 3
+
+startupProbe:
+  enabled: true
+  periodSeconds: 1
+  failureThreshold: 30
+
+metrics:
+  enabled: false
+  serviceMonitor:
+    # If true, the chart creates a ServiceMonitor that is compatible with Prometheus Operator
+    # https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#monitoring.coreos.com/v1.ServiceMonitor.
+    # The Prometheus community Helm chart installs this operator
+    # https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack#kube-prometheus-stack
+    enabled: false
+    honorLabels: false
+    honorTimestamps: true
+
+pdb:
+  enabled: false
+  # these values are used for the PDB and are mutally exclusive
+  minAvailable: 1
+  # maxUnavailable: 1
+  annotations: {}

cmd/holos/testdata/issue42_kustomize_build_kind.txt

@@ -0,0 +1,33 @@
+# Kustomize is a supported holos component kind
+exec holos render --cluster-name=mycluster . --log-level=debug
+
+# Want generated output
+cmp want.yaml deploy/clusters/mycluster/components/kstest/kstest.gen.yaml
+
+-- cue.mod --
+package holos
+-- component.cue --
+package holos
+
+cluster: string @tag(cluster, string)
+
+apiVersion: "holos.run/v1alpha1"
+kind: "KustomizeBuild"
+metadata: name: "kstest"
+-- kustomization.yaml --
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: mynamespace
+resources:
+- serviceaccount.yaml
+-- serviceaccount.yaml --
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: test
+-- want.yaml --
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: test
+  namespace: mynamespace

docs/examples/cue.mod/gen/k8s.io/api/core/v1/types_go_gen.cue

@@ -3066,7 +3066,7 @@ import (
 	// If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext.
 	// More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
 	// +optional
-	securityContext?: null | #SecurityContext @go(SecurityContext,*SecurityContext) @protobuf(15,bytes,opt)
+	securityContext?: #SecurityContext @go(SecurityContext,*SecurityContext) @protobuf(15,bytes,opt)
 
 	// Whether this container should allocate a buffer for stdin in the container runtime. If this
 	// is not set, reads from stdin in the container will always result in EOF.
@@ -3982,7 +3982,7 @@ import (
 	// SecurityContext holds pod-level security attributes and common container settings.
 	// Optional: Defaults to empty.  See type description for default values of each field.
 	// +optional
-	securityContext?: null | #PodSecurityContext @go(SecurityContext,*PodSecurityContext) @protobuf(14,bytes,opt)
+	securityContext?: #PodSecurityContext @go(SecurityContext,*PodSecurityContext) @protobuf(14,bytes,opt)
 
 	// ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec.
 	// If specified, these secrets will be passed to individual puller implementations for them to use.

docs/examples/cue.mod/gen/networking.istio.io/virtualservice/v1beta1/types_gen.cue

@@ -324,13 +324,7 @@ import "strings"
 			// withoutHeader has the same syntax with the header, but has
 			// opposite meaning.
 			withoutHeaders?: {
-				[string]: ({} | {
-					exact: _
-				} | {
-					prefix: _
-				} | {
-					regex: _
-				}) & {
+				[string]: {
 					exact?:  string
 					prefix?: string
 
@@ -383,11 +377,7 @@ import "strings"
 
 		// A HTTP rule can either return a direct_response, redirect or
 		// forward (default) traffic.
-		redirect?: ({} | {
-			port: _
-		} | {
-			derivePort: _
-		}) & {
+		redirect?: {
 			// On a redirect, overwrite the Authority/Host portion of the URL
 			// with this value.
 			authority?: string

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/builtinpluginloadingoptions_string_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+_#_BuiltinPluginLoadingOptions_name: "BploUndefinedBploUseStaticallyLinkedBploLoadFromFileSys"

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/configmapargs_go_gen.cue

@@ -0,0 +1,10 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+// ConfigMapArgs contains the metadata of how to generate a configmap.
+#ConfigMapArgs: {
+	#GeneratorArgs
+}

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/doc_go_gen.cue

@@ -0,0 +1,10 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+// Package types holds the definition of the kustomization struct and
+// supporting structs.  It's the k8s API conformant object that describes
+// a set of generation and transformation operations to create and/or
+// modify k8s resources.
+// A kustomization file is a serialization of this struct.
+package types

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/fieldspec_go_gen.cue

@@ -0,0 +1,29 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+// FieldSpec completely specifies a kustomizable field in a k8s API object.
+// It helps define the operands of transformations.
+//
+// For example, a directive to add a common label to objects
+// will need to know that a 'Deployment' object (in API group
+// 'apps', any version) can have labels at field path
+// 'spec/template/metadata/labels', and further that it is OK
+// (or not OK) to add that field path to the object if the
+// field path doesn't exist already.
+//
+// This would look like
+// {
+//   group: apps
+//   kind: Deployment
+//   path: spec/template/metadata/labels
+//   create: true
+// }
+#FieldSpec: {
+	path?:   string @go(Path)
+	create?: bool   @go(CreateIfNotPresent)
+}
+
+#FsSlice: [...#FieldSpec]

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/generationbehavior_go_gen.cue

@@ -0,0 +1,33 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+// GenerationBehavior specifies generation behavior of configmaps, secrets and maybe other resources.
+#GenerationBehavior: int // #enumGenerationBehavior
+
+#enumGenerationBehavior:
+	#BehaviorUnspecified |
+	#BehaviorCreate |
+	#BehaviorReplace |
+	#BehaviorMerge
+
+#values_GenerationBehavior: {
+	BehaviorUnspecified: #BehaviorUnspecified
+	BehaviorCreate:      #BehaviorCreate
+	BehaviorReplace:     #BehaviorReplace
+	BehaviorMerge:       #BehaviorMerge
+}
+
+// BehaviorUnspecified is an Unspecified behavior; typically treated as a Create.
+#BehaviorUnspecified: #GenerationBehavior & 0
+
+// BehaviorCreate makes a new resource.
+#BehaviorCreate: #GenerationBehavior & 1
+
+// BehaviorReplace replaces a resource.
+#BehaviorReplace: #GenerationBehavior & 2
+
+// BehaviorMerge attempts to merge a new resource with an existing resource.
+#BehaviorMerge: #GenerationBehavior & 3

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/generatorargs_go_gen.cue

@@ -0,0 +1,27 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+// GeneratorArgs contains arguments common to ConfigMap and Secret generators.
+#GeneratorArgs: {
+	// Namespace for the resource, optional
+	namespace?: string @go(Namespace)
+
+	// Name - actually the partial name - of the generated resource.
+	// The full name ends up being something like
+	// NamePrefix + this.Name + hash(content of generated resource).
+	name?: string @go(Name)
+
+	// Behavior of generated resource, must be one of:
+	//   'create': create a new one
+	//   'replace': replace the existing one
+	//   'merge': merge with the existing one
+	behavior?: string @go(Behavior)
+
+	#KvPairSources
+
+	// Local overrides to global generatorOptions field.
+	options?: null | #GeneratorOptions @go(Options,*GeneratorOptions)
+}

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/generatoroptions_go_gen.cue

@@ -0,0 +1,22 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+// GeneratorOptions modify behavior of all ConfigMap and Secret generators.
+#GeneratorOptions: {
+	// Labels to add to all generated resources.
+	labels?: {[string]: string} @go(Labels,map[string]string)
+
+	// Annotations to add to all generated resources.
+	annotations?: {[string]: string} @go(Annotations,map[string]string)
+
+	// DisableNameSuffixHash if true disables the default behavior of adding a
+	// suffix to the names of generated resources that is a hash of the
+	// resource contents.
+	disableNameSuffixHash?: bool @go(DisableNameSuffixHash)
+
+	// Immutable if true add to all generated resources.
+	immutable?: bool @go(Immutable)
+}

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/helmchartargs_go_gen.cue

@@ -0,0 +1,116 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+#HelmDefaultHome: "charts"
+
+#HelmGlobals: {
+	// ChartHome is a file path, relative to the kustomization root,
+	// to a directory containing a subdirectory for each chart to be
+	// included in the kustomization.
+	// The default value of this field is "charts".
+	// So, for example, kustomize looks for the minecraft chart
+	// at {kustomizationRoot}/{ChartHome}/minecraft.
+	// If the chart is there at build time, kustomize will use it as found,
+	// and not check version numbers or dates.
+	// If the chart is not there, kustomize will attempt to pull it
+	// using the version number specified in the kustomization file,
+	// and put it there.  To suppress the pull attempt, simply assure
+	// that the chart is already there.
+	chartHome?: string @go(ChartHome)
+
+	// ConfigHome defines a value that kustomize should pass to helm via
+	// the HELM_CONFIG_HOME environment variable.  kustomize doesn't attempt
+	// to read or write this directory.
+	// If omitted, {tmpDir}/helm is used, where {tmpDir} is some temporary
+	// directory created by kustomize for the benefit of helm.
+	// Likewise, kustomize sets
+	//   HELM_CACHE_HOME={ConfigHome}/.cache
+	//   HELM_DATA_HOME={ConfigHome}/.data
+	// for the helm subprocess.
+	configHome?: string @go(ConfigHome)
+}
+
+#HelmChart: {
+	// Name is the name of the chart, e.g. 'minecraft'.
+	name?: string @go(Name)
+
+	// Version is the version of the chart, e.g. '3.1.3'
+	version?: string @go(Version)
+
+	// Repo is a URL locating the chart on the internet.
+	// This is the argument to helm's  `--repo` flag, e.g.
+	// `https://itzg.github.io/minecraft-server-charts`.
+	repo?: string @go(Repo)
+
+	// ReleaseName replaces RELEASE-NAME in chart template output,
+	// making a particular inflation of a chart unique with respect to
+	// other inflations of the same chart in a cluster. It's the first
+	// argument to the helm `install` and `template` commands, i.e.
+	//   helm install {RELEASE-NAME} {chartName}
+	//   helm template {RELEASE-NAME} {chartName}
+	// If omitted, the flag --generate-name is passed to 'helm template'.
+	releaseName?: string @go(ReleaseName)
+
+	// Namespace set the target namespace for a release. It is .Release.Namespace
+	// in the helm template
+	namespace?: string @go(Namespace)
+
+	// AdditionalValuesFiles are local file paths to values files to be used in
+	// addition to either the default values file or the values specified in ValuesFile.
+	additionalValuesFiles?: [...string] @go(AdditionalValuesFiles,[]string)
+
+	// ValuesFile is a local file path to a values file to use _instead of_
+	// the default values that accompanied the chart.
+	// The default values are in '{ChartHome}/{Name}/values.yaml'.
+	valuesFile?: string @go(ValuesFile)
+
+	// ValuesInline holds value mappings specified directly,
+	// rather than in a separate file.
+	valuesInline?: {...} @go(ValuesInline,map[string]interface{})
+
+	// ValuesMerge specifies how to treat ValuesInline with respect to Values.
+	// Legal values: 'merge', 'override', 'replace'.
+	// Defaults to 'override'.
+	valuesMerge?: string @go(ValuesMerge)
+
+	// IncludeCRDs specifies if Helm should also generate CustomResourceDefinitions.
+	// Defaults to 'false'.
+	includeCRDs?: bool @go(IncludeCRDs)
+
+	// SkipHooks sets the --no-hooks flag when calling helm template. This prevents
+	// helm from erroneously rendering test templates.
+	skipHooks?: bool @go(SkipHooks)
+
+	// ApiVersions is the kubernetes apiversions used for Capabilities.APIVersions
+	apiVersions?: [...string] @go(ApiVersions,[]string)
+
+	// KubeVersion is the kubernetes version used by Helm for Capabilities.KubeVersion"
+	kubeVersion?: string @go(KubeVersion)
+
+	// NameTemplate is for specifying the name template used to name the release.
+	nameTemplate?: string @go(NameTemplate)
+
+	// SkipTests skips tests from templated output.
+	skipTests?: bool @go(SkipTests)
+}
+
+// HelmChartArgs contains arguments to helm.
+// Deprecated.  Use HelmGlobals and HelmChart instead.
+#HelmChartArgs: {
+	chartName?:     string @go(ChartName)
+	chartVersion?:  string @go(ChartVersion)
+	chartRepoUrl?:  string @go(ChartRepoURL)
+	chartHome?:     string @go(ChartHome)
+	chartRepoName?: string @go(ChartRepoName)
+	helmBin?:       string @go(HelmBin)
+	helmHome?:      string @go(HelmHome)
+	values?:        string @go(Values)
+	valuesLocal?: {...} @go(ValuesLocal,map[string]interface{})
+	valuesMerge?:      string @go(ValuesMerge)
+	releaseName?:      string @go(ReleaseName)
+	releaseNamespace?: string @go(ReleaseNamespace)
+	extraArgs?: [...string] @go(ExtraArgs,[]string)
+}

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/iampolicygenerator_go_gen.cue

@@ -0,0 +1,40 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+#Cloud: string // #enumCloud
+
+#enumCloud:
+	#GKE
+
+#GKE: #Cloud & "gke"
+
+// IAMPolicyGeneratorArgs contains arguments to generate a GKE service account resource.
+#IAMPolicyGeneratorArgs: {
+	// which cloud provider to generate for (e.g. "gke")
+	cloud: #Cloud @go(Cloud)
+
+	// information about the kubernetes cluster for this object
+	kubernetesService: #KubernetesService @go(KubernetesService)
+
+	// information about the service account and project
+	serviceAccount: #ServiceAccount @go(ServiceAccount)
+}
+
+#KubernetesService: {
+	// the name used for the Kubernetes service account
+	name: string @go(Name)
+
+	// the name of the Kubernetes namespace for this object
+	namespace?: string @go(Namespace)
+}
+
+#ServiceAccount: {
+	// the name of the new cloud provider service account
+	name: string @go(Name)
+
+	// The ID of the project
+	projectId: string @go(ProjectId)
+}

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/image_go_gen.cue

@@ -0,0 +1,26 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+// Image contains an image name, a new name, a new tag or digest,
+// which will replace the original name and tag.
+#Image: {
+	// Name is a tag-less image name.
+	name?: string @go(Name)
+
+	// NewName is the value used to replace the original name.
+	newName?: string @go(NewName)
+
+	// TagSuffix is the value used to suffix the original tag
+	// If Digest and NewTag is present an error is thrown
+	tagSuffix?: string @go(TagSuffix)
+
+	// NewTag is the value used to replace the original tag.
+	newTag?: string @go(NewTag)
+
+	// Digest is the value used to replace the original image tag.
+	// If digest is present NewTag value is ignored.
+	digest?: string @go(Digest)
+}

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/kustomization_go_gen.cue

@@ -0,0 +1,163 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+#KustomizationVersion:        "kustomize.config.k8s.io/v1beta1"
+#KustomizationKind:           "Kustomization"
+#ComponentVersion:            "kustomize.config.k8s.io/v1alpha1"
+#ComponentKind:               "Component"
+#MetadataNamespacePath:       "metadata/namespace"
+#MetadataNamespaceApiVersion: "v1"
+#MetadataNamePath:            "metadata/name"
+#OriginAnnotations:           "originAnnotations"
+#TransformerAnnotations:      "transformerAnnotations"
+#ManagedByLabelOption:        "managedByLabel"
+
+// Kustomization holds the information needed to generate customized k8s api resources.
+#Kustomization: {
+	#TypeMeta
+
+	// MetaData is a pointer to avoid marshalling empty struct
+	metadata?: null | #ObjectMeta @go(MetaData,*ObjectMeta)
+
+	// OpenAPI contains information about what kubernetes schema to use.
+	openapi?: {[string]: string} @go(OpenAPI,map[string]string)
+
+	// NamePrefix will prefix the names of all resources mentioned in the kustomization
+	// file including generated configmaps and secrets.
+	namePrefix?: string @go(NamePrefix)
+
+	// NameSuffix will suffix the names of all resources mentioned in the kustomization
+	// file including generated configmaps and secrets.
+	nameSuffix?: string @go(NameSuffix)
+
+	// Namespace to add to all objects.
+	namespace?: string @go(Namespace)
+
+	// CommonLabels to add to all objects and selectors.
+	commonLabels?: {[string]: string} @go(CommonLabels,map[string]string)
+
+	// Labels to add to all objects but not selectors.
+	labels?: [...#Label] @go(Labels,[]Label)
+
+	// CommonAnnotations to add to all objects.
+	commonAnnotations?: {[string]: string} @go(CommonAnnotations,map[string]string)
+
+	// Deprecated: Use the Patches field instead, which provides a superset of the functionality of PatchesStrategicMerge.
+	// PatchesStrategicMerge specifies the relative path to a file
+	// containing a strategic merge patch.  Format documented at
+	// https://github.com/kubernetes/community/blob/master/contributors/devel/sig-api-machinery/strategic-merge-patch.md
+	// URLs and globs are not supported.
+	patchesStrategicMerge?: [...#PatchStrategicMerge] @go(PatchesStrategicMerge,[]PatchStrategicMerge)
+
+	// Deprecated: Use the Patches field instead, which provides a superset of the functionality of JSONPatches.
+	// JSONPatches is a list of JSONPatch for applying JSON patch.
+	// Format documented at https://tools.ietf.org/html/rfc6902
+	// and http://jsonpatch.com
+	patchesJson6902?: [...#Patch] @go(PatchesJson6902,[]Patch)
+
+	// Patches is a list of patches, where each one can be either a
+	// Strategic Merge Patch or a JSON patch.
+	// Each patch can be applied to multiple target objects.
+	patches?: [...#Patch] @go(Patches,[]Patch)
+
+	// Images is a list of (image name, new name, new tag or digest)
+	// for changing image names, tags or digests. This can also be achieved with a
+	// patch, but this operator is simpler to specify.
+	images?: [...#Image] @go(Images,[]Image)
+
+	// Deprecated: Use the Images field instead.
+	imageTags?: [...#Image] @go(ImageTags,[]Image)
+
+	// Replacements is a list of replacements, which will copy nodes from a
+	// specified source to N specified targets.
+	replacements?: [...#ReplacementField] @go(Replacements,[]ReplacementField)
+
+	// Replicas is a list of {resourcename, count} that allows for simpler replica
+	// specification. This can also be done with a patch.
+	replicas?: [...#Replica] @go(Replicas,[]Replica)
+
+	// Deprecated: Vars will be removed in future release. Migrate to Replacements instead.
+	// Vars allow things modified by kustomize to be injected into a
+	// kubernetes object specification. A var is a name (e.g. FOO) associated
+	// with a field in a specific resource instance.  The field must
+	// contain a value of type string/bool/int/float, and defaults to the name field
+	// of the instance.  Any appearance of "$(FOO)" in the object
+	// spec will be replaced at kustomize build time, after the final
+	// value of the specified field has been determined.
+	vars?: [...#Var] @go(Vars,[]Var)
+
+	// SortOptions change the order that kustomize outputs resources.
+	sortOptions?: null | #SortOptions @go(SortOptions,*SortOptions)
+
+	// Resources specifies relative paths to files holding YAML representations
+	// of kubernetes API objects, or specifications of other kustomizations
+	// via relative paths, absolute paths, or URLs.
+	resources?: [...string] @go(Resources,[]string)
+
+	// Components specifies relative paths to specifications of other Components
+	// via relative paths, absolute paths, or URLs.
+	components?: [...string] @go(Components,[]string)
+
+	// Crds specifies relative paths to Custom Resource Definition files.
+	// This allows custom resources to be recognized as operands, making
+	// it possible to add them to the Resources list.
+	// CRDs themselves are not modified.
+	crds?: [...string] @go(Crds,[]string)
+
+	// Deprecated: Anything that would have been specified here should be specified in the Resources field instead.
+	bases?: [...string] @go(Bases,[]string)
+
+	// ConfigMapGenerator is a list of configmaps to generate from
+	// local data (one configMap per list item).
+	// The resulting resource is a normal operand, subject to
+	// name prefixing, patching, etc.  By default, the name of
+	// the map will have a suffix hash generated from its contents.
+	configMapGenerator?: [...#ConfigMapArgs] @go(ConfigMapGenerator,[]ConfigMapArgs)
+
+	// SecretGenerator is a list of secrets to generate from
+	// local data (one secret per list item).
+	// The resulting resource is a normal operand, subject to
+	// name prefixing, patching, etc.  By default, the name of
+	// the map will have a suffix hash generated from its contents.
+	secretGenerator?: [...#SecretArgs] @go(SecretGenerator,[]SecretArgs)
+
+	// HelmGlobals contains helm configuration that isn't chart specific.
+	helmGlobals?: null | #HelmGlobals @go(HelmGlobals,*HelmGlobals)
+
+	// HelmCharts is a list of helm chart configuration instances.
+	helmCharts?: [...#HelmChart] @go(HelmCharts,[]HelmChart)
+
+	// HelmChartInflationGenerator is a list of helm chart configurations.
+	// Deprecated.  Auto-converted to HelmGlobals and HelmCharts.
+	helmChartInflationGenerator?: [...#HelmChartArgs] @go(HelmChartInflationGenerator,[]HelmChartArgs)
+
+	// GeneratorOptions modify behavior of all ConfigMap and Secret generators.
+	generatorOptions?: null | #GeneratorOptions @go(GeneratorOptions,*GeneratorOptions)
+
+	// Configurations is a list of transformer configuration files
+	configurations?: [...string] @go(Configurations,[]string)
+
+	// Generators is a list of files containing custom generators
+	generators?: [...string] @go(Generators,[]string)
+
+	// Transformers is a list of files containing transformers
+	transformers?: [...string] @go(Transformers,[]string)
+
+	// Validators is a list of files containing validators
+	validators?: [...string] @go(Validators,[]string)
+
+	// BuildMetadata is a list of strings used to toggle different build options
+	buildMetadata?: [...string] @go(BuildMetadata,[]string)
+}
+
+_#deprecatedWarningToRunEditFix:              "Run 'kustomize edit fix' to update your Kustomization automatically."
+_#deprecatedWarningToRunEditFixExperimential: "[EXPERIMENTAL] Run 'kustomize edit fix' to update your Kustomization automatically."
+_#deprecatedBaseWarningMessage:               "# Warning: 'bases' is deprecated. Please use 'resources' instead. Run 'kustomize edit fix' to update your Kustomization automatically."
+_#deprecatedImageTagsWarningMessage:          "# Warning: 'imageTags' is deprecated. Please use 'images' instead. Run 'kustomize edit fix' to update your Kustomization automatically."
+_#deprecatedPatchesJson6902Message:           "# Warning: 'patchesJson6902' is deprecated. Please use 'patches' instead. Run 'kustomize edit fix' to update your Kustomization automatically."
+_#deprecatedPatchesStrategicMergeMessage:     "# Warning: 'patchesStrategicMerge' is deprecated. Please use 'patches' instead. Run 'kustomize edit fix' to update your Kustomization automatically."
+_#deprecatedVarsMessage:                      "# Warning: 'vars' is deprecated. Please use 'replacements' instead. [EXPERIMENTAL] Run 'kustomize edit fix' to update your Kustomization automatically."
+_#deprecatedCommonLabelsWarningMessage:       "# Warning: 'commonLabels' is deprecated. Please use 'labels' instead. Run 'kustomize edit fix' to update your Kustomization automatically."

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/kvpairsources_go_gen.cue

@@ -0,0 +1,37 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+// KvPairSources defines places to obtain key value pairs.
+#KvPairSources: {
+	// LiteralSources is a list of literal
+	// pair sources. Each literal source should
+	// be a key and literal value, e.g. `key=value`
+	literals?: [...string] @go(LiteralSources,[]string)
+
+	// FileSources is a list of file "sources" to
+	// use in creating a list of key, value pairs.
+	// A source takes the form:  [{key}=]{path}
+	// If the "key=" part is missing, the key is the
+	// path's basename. If they "key=" part is present,
+	// it becomes the key (replacing the basename).
+	// In either case, the value is the file contents.
+	// Specifying a directory will iterate each named
+	// file in the directory whose basename is a
+	// valid configmap key.
+	files?: [...string] @go(FileSources,[]string)
+
+	// EnvSources is a list of file paths.
+	// The contents of each file should be one
+	// key=value pair per line, e.g. a Docker
+	// or npm ".env" file or a ".ini" file
+	// (wikipedia.org/wiki/INI_file)
+	envs?: [...string] @go(EnvSources,[]string)
+
+	// Older, singular form of EnvSources.
+	// On edits (e.g. `kustomize fix`) this is merged into the plural form
+	// for consistency with LiteralSources and FileSources.
+	env?: string @go(EnvSource)
+}

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/labels_go_gen.cue

@@ -0,0 +1,23 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+#Label: {
+	// Pairs contains the key-value pairs for labels to add
+	pairs?: {[string]: string} @go(Pairs,map[string]string)
+
+	// IncludeSelectors inidicates should transformer include the
+	// fieldSpecs for selectors. Custom fieldSpecs specified by
+	// FieldSpecs will be merged with builtin fieldSpecs if this
+	// is true.
+	includeSelectors?: bool @go(IncludeSelectors)
+
+	// IncludeTemplates inidicates should transformer include the
+	// spec/template/metadata fieldSpec. Custom fieldSpecs specified by
+	// FieldSpecs will be merged with spec/template/metadata fieldSpec if this
+	// is true. If IncludeSelectors is true, IncludeTemplates is not needed.
+	includeTemplates?: bool @go(IncludeTemplates)
+	fields?: [...#FieldSpec] @go(FieldSpecs,[]FieldSpec)
+}

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/loadrestrictions_go_gen.cue

@@ -0,0 +1,34 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+// Restrictions on what things can be referred to
+// in a kustomization file.
+//
+//go:generate stringer -type=LoadRestrictions
+#LoadRestrictions: int // #enumLoadRestrictions
+
+#enumLoadRestrictions:
+	#LoadRestrictionsUnknown |
+	#LoadRestrictionsRootOnly |
+	#LoadRestrictionsNone
+
+#values_LoadRestrictions: {
+	LoadRestrictionsUnknown:  #LoadRestrictionsUnknown
+	LoadRestrictionsRootOnly: #LoadRestrictionsRootOnly
+	LoadRestrictionsNone:     #LoadRestrictionsNone
+}
+
+#LoadRestrictionsUnknown: #LoadRestrictions & 0
+
+// Files referenced by a kustomization file must be in
+// or under the directory holding the kustomization
+// file itself.
+#LoadRestrictionsRootOnly: #LoadRestrictions & 1
+
+// The kustomization file may specify absolute or
+// relative paths to patch or resources files outside
+// its own tree.
+#LoadRestrictionsNone: #LoadRestrictions & 2

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/loadrestrictions_string_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+_#_LoadRestrictions_name: "LoadRestrictionsUnknownLoadRestrictionsRootOnlyLoadRestrictionsNone"

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/objectmeta_go_gen.cue

@@ -0,0 +1,14 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+// ObjectMeta partially copies apimachinery/pkg/apis/meta/v1.ObjectMeta
+// No need for a direct dependence; the fields are stable.
+#ObjectMeta: {
+	name?:      string @go(Name)
+	namespace?: string @go(Namespace)
+	labels?: {[string]: string} @go(Labels,map[string]string)
+	annotations?: {[string]: string} @go(Annotations,map[string]string)
+}

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/pair_go_gen.cue

@@ -0,0 +1,11 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+// Pair is a key value pair.
+#Pair: {
+	Key:   string
+	Value: string
+}

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/patch_go_gen.cue

@@ -0,0 +1,23 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+// Patch represent either a Strategic Merge Patch or a JSON patch
+// and its targets.
+// The content of the patch can either be from a file
+// or from an inline string.
+#Patch: {
+	// Path is a relative file path to the patch file.
+	path?: string @go(Path)
+
+	// Patch is the content of a patch.
+	patch?: string @go(Patch)
+
+	// Target points to the resources that the patch is applied to
+	target?: #Target | #Selector @go(Target,*Selector)
+
+	// Options is a list of options for the patch
+	options?: {[string]: bool} @go(Options,map[string]bool)
+}

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/patchstrategicmerge_go_gen.cue

@@ -0,0 +1,10 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+// PatchStrategicMerge represents a relative path to a
+// stategic merge patch with the format
+// https://github.com/kubernetes/community/blob/master/contributors/devel/sig-api-machinery/strategic-merge-patch.md
+#PatchStrategicMerge: string

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/pluginconfig_go_gen.cue

@@ -0,0 +1,27 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+#HelmConfig: {
+	Enabled: bool
+	Command: string
+	ApiVersions: [...string] @go(,[]string)
+	KubeVersion: string
+}
+
+// PluginConfig holds plugin configuration.
+#PluginConfig: {
+	// PluginRestrictions distinguishes plugin restrictions.
+	PluginRestrictions: #PluginRestrictions
+
+	// BpLoadingOptions distinguishes builtin plugin behaviors.
+	BpLoadingOptions: #BuiltinPluginLoadingOptions
+
+	// FnpLoadingOptions sets the way function-based plugin behaviors.
+	FnpLoadingOptions: #FnPluginLoadingOptions
+
+	// HelmConfig contains metadata needed for allowing and running helm.
+	HelmConfig: #HelmConfig
+}

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/pluginrestrictions_go_gen.cue

@@ -0,0 +1,87 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+// Some plugin classes
+// - builtin: plugins defined in the kustomize repo.
+//   May be freely used and re-configured.
+// - local: plugins that aren't builtin but are
+//   locally defined (presumably by the user), meaning
+//   the kustomization refers to them via a relative
+//   file path, not a URL.
+// - remote: require a build-time download to obtain.
+//   Unadvised, unless one controls the
+//   serving site.
+//
+//go:generate stringer -type=PluginRestrictions
+#PluginRestrictions: int // #enumPluginRestrictions
+
+#enumPluginRestrictions:
+	#PluginRestrictionsUnknown |
+	#PluginRestrictionsBuiltinsOnly |
+	#PluginRestrictionsNone
+
+#values_PluginRestrictions: {
+	PluginRestrictionsUnknown:      #PluginRestrictionsUnknown
+	PluginRestrictionsBuiltinsOnly: #PluginRestrictionsBuiltinsOnly
+	PluginRestrictionsNone:         #PluginRestrictionsNone
+}
+
+#PluginRestrictionsUnknown: #PluginRestrictions & 0
+
+// Non-builtin plugins completely disabled.
+#PluginRestrictionsBuiltinsOnly: #PluginRestrictions & 1
+
+// No restrictions, do whatever you want.
+#PluginRestrictionsNone: #PluginRestrictions & 2
+
+// BuiltinPluginLoadingOptions distinguish ways in which builtin plugins are used.
+//go:generate stringer -type=BuiltinPluginLoadingOptions
+#BuiltinPluginLoadingOptions: int // #enumBuiltinPluginLoadingOptions
+
+#enumBuiltinPluginLoadingOptions:
+	#BploUndefined |
+	#BploUseStaticallyLinked |
+	#BploLoadFromFileSys
+
+#values_BuiltinPluginLoadingOptions: {
+	BploUndefined:           #BploUndefined
+	BploUseStaticallyLinked: #BploUseStaticallyLinked
+	BploLoadFromFileSys:     #BploLoadFromFileSys
+}
+
+#BploUndefined: #BuiltinPluginLoadingOptions & 0
+
+// Desired in production use for performance.
+#BploUseStaticallyLinked: #BuiltinPluginLoadingOptions & 1
+
+// Desired in testing and development cycles where it's undesirable
+// to generate static code.
+#BploLoadFromFileSys: #BuiltinPluginLoadingOptions & 2
+
+// FnPluginLoadingOptions set way functions-based plugins are restricted
+#FnPluginLoadingOptions: {
+	// Allow to run executables
+	EnableExec: bool
+
+	// Allow to run starlark
+	EnableStar: bool
+
+	// Allow container access to network
+	Network:     bool
+	NetworkName: string
+
+	// list of mounts
+	Mounts: [...string] @go(,[]string)
+
+	// list of env variables to pass to fn
+	Env: [...string] @go(,[]string)
+
+	// Run as uid and gid of the command executor
+	AsCurrentUser: bool
+
+	// Run in this working directory
+	WorkingDir: string
+}

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/pluginrestrictions_string_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+_#_PluginRestrictions_name: "PluginRestrictionsUnknownPluginRestrictionsBuiltinsOnlyPluginRestrictionsNone"

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/replacement_go_gen.cue

@@ -0,0 +1,57 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+#DefaultReplacementFieldPath: "metadata.name"
+
+// Replacement defines how to perform a substitution
+// where it is from and where it is to.
+#Replacement: {
+	// The source of the value.
+	source?: null | #SourceSelector @go(Source,*SourceSelector)
+
+	// The N fields to write the value to.
+	targets?: [...null | #TargetSelector] @go(Targets,[]*TargetSelector)
+}
+
+// SourceSelector is the source of the replacement transformer.
+#SourceSelector: {
+	// Structured field path expected in the allowed object.
+	fieldPath?: string @go(FieldPath)
+
+	// Used to refine the interpretation of the field.
+	options?: null | #FieldOptions @go(Options,*FieldOptions)
+}
+
+// TargetSelector specifies fields in one or more objects.
+#TargetSelector: {
+	// Include objects that match this.
+	select?: null | #Selector @go(Select,*Selector)
+
+	// From the allowed set, remove objects that match this.
+	reject?: [...null | #Selector] @go(Reject,[]*Selector)
+
+	// Structured field paths expected in each allowed object.
+	fieldPaths?: [...string] @go(FieldPaths,[]string)
+
+	// Used to refine the interpretation of the field.
+	options?: null | #FieldOptions @go(Options,*FieldOptions)
+}
+
+// FieldOptions refine the interpretation of FieldPaths.
+#FieldOptions: {
+	// Used to split/join the field.
+	delimiter?: string @go(Delimiter)
+
+	// Which position in the split to consider.
+	index?: int @go(Index)
+
+	// TODO (#3492): Implement use of this option
+	// None, Base64, URL, Hex, etc
+	encoding?: string @go(Encoding)
+
+	// If field missing, add it.
+	create?: bool @go(Create)
+}

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/replacementfield_go_gen.cue

@@ -0,0 +1,10 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+#ReplacementField: {
+	#Replacement
+	path?: string @go(Path)
+}

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/replica_go_gen.cue

@@ -0,0 +1,17 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+// Replica specifies a modification to a replica config.
+// The number of replicas of a resource whose name matches will be set to count.
+// This struct is used by the ReplicaCountTransform, and is meant to supplement
+// the existing patch functionality with a simpler syntax for replica configuration.
+#Replica: {
+	// The name of the resource to change the replica count
+	name?: string @go(Name)
+
+	// The number of replicas required.
+	count: int64 @go(Count)
+}

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/secretargs_go_gen.cue

@@ -0,0 +1,19 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+// SecretArgs contains the metadata of how to generate a secret.
+#SecretArgs: {
+	#GeneratorArgs
+
+	// Type of the secret.
+	//
+	// This is the same field as the secret type field in v1/Secret:
+	// It can be "Opaque" (default), or "kubernetes.io/tls".
+	//
+	// If type is "kubernetes.io/tls", then "literals" or "files" must have exactly two
+	// keys: "tls.key" and "tls.crt"
+	type?: string @go(Type)
+}

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/selector_go_gen.cue

@@ -0,0 +1,20 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+// Selector specifies a set of resources.
+// Any resource that matches intersection of all conditions
+// is included in this set.
+#Selector: {
+	// AnnotationSelector is a string that follows the label selection expression
+	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+	// It matches with the resource annotations.
+	annotationSelector?: string @go(AnnotationSelector)
+
+	// LabelSelector is a string that follows the label selection expression
+	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+	// It matches with the resource labels.
+	labelSelector?: string @go(LabelSelector)
+}

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/sortoptions_go_gen.cue

@@ -0,0 +1,36 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+// SortOptions defines the order that kustomize outputs resources.
+#SortOptions: {
+	// Order selects the ordering strategy.
+	order?: #SortOrder @go(Order)
+
+	// LegacySortOptions tweaks the sorting for the "legacy" sort ordering
+	// strategy.
+	legacySortOptions?: null | #LegacySortOptions @go(LegacySortOptions,*LegacySortOptions)
+}
+
+// SortOrder defines different ordering strategies.
+#SortOrder: string // #enumSortOrder
+
+#enumSortOrder:
+	#LegacySortOrder |
+	#FIFOSortOrder
+
+#LegacySortOrder: #SortOrder & "legacy"
+
+#FIFOSortOrder: #SortOrder & "fifo"
+
+// LegacySortOptions define various options for tweaking the "legacy" ordering
+// strategy.
+#LegacySortOptions: {
+	// OrderFirst selects the resource kinds to order first.
+	orderFirst: [...string] @go(OrderFirst,[]string)
+
+	// OrderLast selects the resource kinds to order last.
+	orderLast: [...string] @go(OrderLast,[]string)
+}

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/typemeta_go_gen.cue

@@ -0,0 +1,12 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+// TypeMeta partially copies apimachinery/pkg/apis/meta/v1.TypeMeta
+// No need for a direct dependence; the fields are stable.
+#TypeMeta: {
+	kind?:       string @go(Kind)
+	apiVersion?: string @go(APIVersion)
+}

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/var_go_gen.cue

@@ -0,0 +1,45 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+// Var represents a variable whose value will be sourced
+// from a field in a Kubernetes object.
+#Var: {
+	// Value of identifier name e.g. FOO used in container args, annotations
+	// Appears in pod template as $(FOO)
+	name: string @go(Name)
+
+	// ObjRef must refer to a Kubernetes resource under the
+	// purview of this kustomization. ObjRef should use the
+	// raw name of the object (the name specified in its YAML,
+	// before addition of a namePrefix and a nameSuffix).
+	objref: #Target @go(ObjRef)
+
+	// FieldRef refers to the field of the object referred to by
+	// ObjRef whose value will be extracted for use in
+	// replacing $(FOO).
+	// If unspecified, this defaults to fieldPath: $defaultFieldPath
+	fieldref?: #FieldSelector @go(FieldRef)
+}
+
+// Target refers to a kubernetes object by Group, Version, Kind and Name
+// gvk.Gvk contains Group, Version and Kind
+// APIVersion is added to keep the backward compatibility of using ObjectReference
+// for Var.ObjRef
+#Target: {
+	apiVersion?: string @go(APIVersion)
+	name:        string @go(Name)
+	namespace?:  string @go(Namespace)
+}
+
+// FieldSelector contains the fieldPath to an object field.
+// This struct is added to keep the backward compatibility of using ObjectFieldSelector
+// for Var.FieldRef
+#FieldSelector: {
+	fieldPath?: string @go(FieldPath)
+}
+
+// byName is a sort interface which sorts Vars by name alphabetically
+_#byName: [...#Var]

docs/examples/cue.mod/usr/k8s.io/api/apps/v1/types.cue

@@ -0,0 +1,6 @@
+package v1
+
+#Deployment: {
+	apiVersion: "apps/v1"
+	kind:       "Deployment"
+}

docs/examples/cue.mod/usr/k8s.io/api/batch/v1/types.cue

@@ -1,11 +1,11 @@
 package v1
 
 #CronJob: {
-  apiVersion: "batch/v1"
-  kind: "CronJob"
+	apiVersion: "batch/v1"
+	kind:       "CronJob"
 }
 
 #Job: {
-  apiVersion: "batch/v1"
-  kind: "Job"
+	apiVersion: "batch/v1"
+	kind:       "Job"
 }

docs/examples/cue.mod/usr/k8s.io/api/core/v1/types.cue

@@ -1,21 +1,26 @@
 package v1
 
 #Namespace: {
-  apiVersion: "v1"
-  kind: "Namespace"
+	apiVersion: "v1"
+	kind:       "Namespace"
 }
 
 #ConfigMap: {
-  apiVersion: "v1"
-  kind: "ConfigMap"
+	apiVersion: "v1"
+	kind:       "ConfigMap"
 }
 
 #ServiceAccount: {
-  apiVersion: "v1"
-  kind: "ServiceAccount"
+	apiVersion: "v1"
+	kind:       "ServiceAccount"
 }
 
 #Pod: {
-  apiVersion: "v1"
-  kind: "Pod"
+	apiVersion: "v1"
+	kind:       "Pod"
+}
+
+#Service: {
+	apiVersion: "v1"
+	kind:       "Service"
 }

docs/examples/cue.mod/usr/sigs.k8s.io/kustomize/api/types/patch_go.cue

@@ -0,0 +1,15 @@
+package types
+
+#Patch: {
+	// Path is a relative file path to the patch file.
+	path?: string @go(Path)
+
+	// Patch is the content of a patch.
+	patch?: string @go(Patch)
+
+	// Target points to the resources that the patch is applied to
+	target?: #Target | #Selector @go(Target,*Selector)
+
+	// Options is a list of options for the patch
+	options?: {[string]: bool} @go(Options,map[string]bool)
+}

docs/examples/cue.mod/usr/sigs.k8s.io/kustomize/api/types/var_go.cue

@@ -0,0 +1,7 @@
+package types
+
+#Target: {
+	group?:   string @go(Group)
+	version?: string @go(Version)
+	kind?:    string @go(Kind)
+}

docs/examples/namespaces.cue

@@ -4,6 +4,7 @@ package holos
 #PlatformNamespace: {
 	name: string
 	labels?: {[string]: string}
+	annotations?: {[string]: string}
 }
 
 // #PlatformNamespaces is a list of namespaces to manage across the platform.

docs/examples/platforms/reference/certificates.cue

@@ -0,0 +1,61 @@
+package holos
+
+#PlatformCerts: {
+	// Globally scoped platform services are defined here.
+	login: #PlatformCert & {
+		_name:        "login"
+		_wildcard:    true
+		_description: "Cert for Zitadel oidc identity provider for iam services"
+	}
+
+	// Cluster scoped services are defined here.
+	for cluster in #Platform.clusters {
+		"\(cluster.name)-httpbin": #ClusterCert & {
+			_name:        "httpbin"
+			_cluster:     cluster.name
+			_description: "Test endpoint to verify the service mesh ingress gateway"
+		}
+	}
+}
+
+// #PlatformCert provisions a cert in the provisioner cluster.
+// Workload clusters use ExternalSecret resources to fetch the Secret tls key and cert from the provisioner cluster.
+#PlatformCert: #Certificate & {
+	_name:     string
+	_wildcard: true | *false
+	metadata: name:      string | *_name
+	metadata: namespace: string | *"istio-ingress"
+	spec: {
+		commonName: string | *"\(_name).\(#Platform.org.domain)"
+		if _wildcard {
+			dnsNames: [commonName, "*.\(commonName)"]
+		}
+		if !_wildcard {
+			dnsNames: [commonName]
+		}
+		secretName: metadata.name
+		issuerRef: kind: "ClusterIssuer"
+		issuerRef: name: string | *"letsencrypt"
+	}
+}
+
+// #ClusterCert provisions a cluster specific certificate.
+#ClusterCert: #Certificate & {
+	_name:     string
+	_cluster:  string
+	_wildcard: true | *false
+	metadata: name:      string | *"\(_cluster)-\(_name)"
+	metadata: namespace: string | *"istio-ingress"
+	spec: {
+		commonName: string | *"\(_name).\(_cluster).\(#Platform.org.domain)"
+		if _wildcard {
+			dnsNames: [commonName, "*.\(commonName)"]
+		}
+		if !_wildcard {
+			dnsNames: [commonName]
+		}
+		secretName: metadata.name
+		issuerRef: kind: "ClusterIssuer"
+		issuerRef: name: string | *"letsencrypt"
+	}
+}

docs/examples/platforms/reference/clusters/disabled/iam/iam.cue

@@ -0,0 +1,10 @@
+package holos
+
+// Components under this directory are part of this collection
+#InputKeys: project: "iam"
+
+// Shared dependencies for all components in this collection.
+#DependsOn: _Namespaces
+
+// Common Dependencies
+_Namespaces: Namespaces: name: "\(#StageName)-secrets-namespaces"

docs/examples/platforms/reference/clusters/disabled/iam/readme.md

@@ -0,0 +1,17 @@
+# IAM
+
+The IAM service provides identity and access management for a holos managed platform.  Zitadel is the identity provider which integrates tightly with:
+
+ 1. AuthorizationPolicy at the level of the service mesh.
+ 2. Application level oidc login (ArgoCD, Grafana, etc...)
+ 3. Cloud provider IAM via oidc.
+
+## Preflight
+
+The zitadel master key needs to have a data key named `masterkey` with a Secret name of `zitadel-masterkey`.
+
+```bash
+holos create secret zitadel-masterkey --namespace prod-iam-zitadel --append-hash=false --data-stdin <<EOF
+{"masterkey":"$(tr -dc A-Za-z0-9 </dev/urandom | head -c 32)"}
+EOF
+```

docs/examples/platforms/reference/clusters/disabled/iam/zitadel/crdb/cockroachdb.cue

@@ -0,0 +1,20 @@
+package holos
+
+#InputKeys: component: "crdb"
+
+#HelmChart & {
+	namespace: #TargetNamespace
+	chart: {
+		name:    "cockroachdb"
+		version: "11.2.3"
+		repository: {
+			name: "cockroachdb"
+			url:  "https://charts.cockroachdb.com/"
+		}
+	}
+	values: #Values
+	apiObjects: {
+		ExternalSecret: node: #ExternalSecret & {_name: "cockroachdb-node"}
+		ExternalSecret: root: #ExternalSecret & {_name: "cockroachdb-root"}
+	}
+}

docs/examples/platforms/reference/clusters/disabled/iam/zitadel/crdb/values.cue

@@ -0,0 +1,606 @@
+package holos
+
+#Values: {
+
+	// Generated file, DO NOT EDIT. Source: build/templates/values.yaml
+	// Overrides the chart name against the label "app.kubernetes.io/name: " placed on every resource this chart creates.
+	nameOverride: ""
+
+	// Override the resource names created by this chart which originally is generated using release and chart name.
+	fullnameOverride: string | *""
+
+	image: {
+		repository: string | *"cockroachdb/cockroach"
+		tag:        "v23.1.13"
+		pullPolicy: "IfNotPresent"
+		credentials: {}
+	}
+	// registry: docker.io
+	// username: john_doe
+	// password: changeme
+	// Additional labels to apply to all Kubernetes resources created by this chart.
+	labels: {}
+	// app.kubernetes.io/part-of: my-app
+	// Cluster's default DNS domain.
+	// You should overwrite it if you're using a different one,
+	// otherwise CockroachDB nodes discovery won't work.
+	clusterDomain: "cluster.local"
+
+	conf: {
+		// An ordered list of CockroachDB node attributes.
+		// Attributes are arbitrary strings specifying machine capabilities.
+		// Machine capabilities might include specialized hardware or number of cores
+		// (e.g. "gpu", "x16c").
+		attrs: []
+		// - x16c
+		// - gpu
+		// Total size in bytes for caches, shared evenly if there are multiple
+		// storage devices. Size suffixes are supported (e.g. `1GB` and `1GiB`).
+		// A percentage of physical memory can also be specified (e.g. `.25`).
+		cache: "25%"
+
+		// Sets a name to verify the identity of a cluster.
+		// The value must match between all nodes specified via `conf.join`.
+		// This can be used as an additional verification when either the node or
+		// cluster, or both, have not yet been initialized and do not yet know their
+		// cluster ID.
+		// To introduce a cluster name into an already-initialized cluster, pair this
+		// option with `conf.disable-cluster-name-verification: yes`.
+		"cluster-name": ""
+
+		// Tell the server to ignore `conf.cluster-name` mismatches.
+		// This is meant for use when opting an existing cluster into starting to use
+		// cluster name verification, or when changing the cluster name.
+		// The cluster should be restarted once with `conf.cluster-name` and
+		// `conf.disable-cluster-name-verification: yes` combined, and once all nodes
+		// have been updated to know the new cluster name, the cluster can be restarted
+		// again with `conf.disable-cluster-name-verification: no`.
+		// This option has no effect if `conf.cluster-name` is not specified.
+		"disable-cluster-name-verification": false
+
+		// The addresses for connecting a CockroachDB nodes to an existing cluster.
+		// If you are deploying a second CockroachDB instance that should join a first
+		// one, use the below list to join to the existing instance.
+		// Each item in the array should be a FQDN (and port if needed) resolvable by
+		// new Pods.
+		join: []
+
+		// New logging configuration.
+		log: {
+			enabled: false
+			// https://www.cockroachlabs.com/docs/v21.1/configure-logs
+			config: {}
+		}
+		// file-defaults:
+		//   dir: /custom/dir/path/
+		// fluent-defaults:
+		//   format: json-fluent
+		// sinks:
+		//   stderr:
+		//     channels: [DEV]
+		// Logs at or above this threshold to STDERR. Ignored when "log" is enabled
+		logtostderr: "INFO"
+
+		// Maximum storage capacity available to store temporary disk-based data for
+		// SQL queries that exceed the memory budget (e.g. join, sorts, etc are
+		// sometimes able to spill intermediate results to disk).
+		// Accepts numbers interpreted as bytes, size suffixes (e.g. `32GB` and
+		// `32GiB`) or a percentage of disk size (e.g. `10%`).
+		// The location of the temporary files is within the first store dir.
+		// If expressed as a percentage, `max-disk-temp-storage` is interpreted
+		// relative to the size of the storage device on which the first store is
+		// placed. The temp space usage is never counted towards any store usage
+		// (although it does share the device with the first store) so, when
+		// configuring this, make sure that the size of this temp storage plus the size
+		// of the first store don't exceed the capacity of the storage device.
+		// If the first store is an in-memory one (i.e. `type=mem`), then this
+		// temporary "disk" data is also kept in-memory.
+		// A percentage value is interpreted as a percentage of the available internal
+		// memory.
+		// max-disk-temp-storage: 0GB
+		// Maximum allowed clock offset for the cluster. If observed clock offsets
+		// exceed this limit, servers will crash to minimize the likelihood of
+		// reading inconsistent data. Increasing this value will increase the time
+		// to recovery of failures as well as the frequency of uncertainty-based
+		// read restarts.
+		// Note, that this value must be the same on all nodes in the cluster.
+		// In order to change it, all nodes in the cluster must be stopped
+		// simultaneously and restarted with the new value.
+		// max-offset: 500ms
+		// Maximum memory capacity available to store temporary data for SQL clients,
+		// including prepared queries and intermediate data rows during query
+		// execution. Accepts numbers interpreted as bytes, size suffixes
+		// (e.g. `1GB` and `1GiB`) or a percentage of physical memory (e.g. `.25`).
+		"max-sql-memory": "25%"
+
+		// An ordered, comma-separated list of key-value pairs that describe the
+		// topography of the machine. Topography might include country, datacenter
+		// or rack designations. Data is automatically replicated to maximize
+		// diversities of each tier. The order of tiers is used to determine
+		// the priority of the diversity, so the more inclusive localities like
+		// country should come before less inclusive localities like datacenter.
+		// The tiers and order must be the same on all nodes. Including more tiers
+		// is better than including fewer. For example:
+		//   locality: country=us,region=us-west,datacenter=us-west-1b,rack=12
+		//   locality: country=ca,region=ca-east,datacenter=ca-east-2,rack=4
+		//   locality: planet=earth,province=manitoba,colo=secondary,power=3
+		locality: ""
+
+		// Run CockroachDB instances in standalone mode with replication disabled
+		// (replication factor = 1).
+		// Enabling this option makes the following values to be ignored:
+		// - `conf.cluster-name`
+		// - `conf.disable-cluster-name-verification`
+		// - `conf.join`
+		//
+		// WARNING: Enabling this option makes each deployed Pod as a STANDALONE
+		//          CockroachDB instance, so the StatefulSet does NOT FORM A CLUSTER.
+		//          Don't use this option for production deployments unless you clearly
+		//          understand what you're doing.
+		//          Usually, this option is intended to be used in conjunction with
+		//          `statefulset.replicas: 1` for temporary one-time deployments (like
+		//          running E2E tests, for example).
+		"single-node": false
+
+		// If non-empty, create a SQL audit log in the specified directory.
+		"sql-audit-dir": ""
+
+		// CockroachDB's port to listen to inter-communications and client connections.
+		port: 26257
+
+		// CockroachDB's port to listen to HTTP requests.
+		"http-port": 8080
+
+		// CockroachDB's data mount path.
+		path: "cockroach-data"
+
+		// CockroachDB's storage configuration https://www.cockroachlabs.com/docs/v21.1/cockroach-start.html#storage
+		// Uses --store flag
+		store: {
+			enabled: false
+			// Should be empty or 'mem'
+			type: null
+			// Required for type=mem. If type and size is empty - storage.persistentVolume.size is used
+			size: null
+			// Arbitrary strings, separated by colons, specifying disk type or capability
+			attrs: null
+		}
+	}
+
+	statefulset: {
+		replicas: 3
+		updateStrategy: type: "RollingUpdate"
+		podManagementPolicy: "Parallel"
+		budget: maxUnavailable: 1
+
+		// List of additional command-line arguments you want to pass to the
+		// `cockroach start` command.
+		args: []
+		// - --disable-cluster-name-verification
+		// List of extra environment variables to pass into container
+		env: []
+		// - name: COCKROACH_ENGINE_MAX_SYNC_DURATION
+		//   value: "24h"
+		// List of Secrets names in the same Namespace as the CockroachDB cluster,
+		// which shall be mounted into `/etc/cockroach/secrets/` for every cluster
+		// member.
+		secretMounts: []
+
+		// Additional labels to apply to this StatefulSet and all its Pods.
+		labels: {
+			"app.kubernetes.io/component": "cockroachdb"
+		}
+
+		// Additional annotations to apply to the Pods of this StatefulSet.
+		annotations: {}
+
+		// Affinity rules for scheduling Pods of this StatefulSet on Nodes.
+		// https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity
+		nodeAffinity: {}
+		// Inter-Pod Affinity rules for scheduling Pods of this StatefulSet.
+		// https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+		podAffinity: {}
+		// Anti-affinity rules for scheduling Pods of this StatefulSet.
+		// https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+		// You may either toggle options below for default anti-affinity rules,
+		// or specify the whole set of anti-affinity rules instead of them.
+		podAntiAffinity: {
+			// The topologyKey to be used.
+			// Can be used to spread across different nodes, AZs, regions etc.
+			topologyKey: "kubernetes.io/hostname"
+			// Type of anti-affinity rules: either `soft`, `hard` or empty value (which
+			// disables anti-affinity rules).
+			type: "soft"
+			// Weight for `soft` anti-affinity rules.
+			// Does not apply for other anti-affinity types.
+			weight: 100
+		}
+
+		// Node selection constraints for scheduling Pods of this StatefulSet.
+		// https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+		nodeSelector: {}
+
+		// PriorityClassName given to Pods of this StatefulSet
+		// https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+		priorityClassName: ""
+
+		// Taints to be tolerated by Pods of this StatefulSet.
+		// https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+		tolerations: []
+
+		// https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
+		topologySpreadConstraints: {
+			maxSkew:           1
+			topologyKey:       "topology.kubernetes.io/zone"
+			whenUnsatisfiable: "ScheduleAnyway"
+		}
+
+		// Uncomment the following resources definitions or pass them from
+		// command line to control the CPU and memory resources allocated
+		// by Pods of this StatefulSet.
+		resources: {}
+		// limits:
+		//   cpu: 100m
+		//   memory: 512Mi
+		// requests:
+		//   cpu: 100m
+		//   memory: 512Mi
+		// Custom Liveness probe
+		// https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-a-liveness-http-request
+		customLivenessProbe: {}
+		// httpGet:
+		//   path: /health
+		//   port: http
+		//   scheme: HTTPS
+		// initialDelaySeconds: 30
+		// periodSeconds: 5
+		// Custom Rediness probe
+		// https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-readiness-probes
+		customReadinessProbe: {}
+		// httpGet:
+		//   path: /health
+		//   port: http
+		//   scheme: HTTPS
+		// initialDelaySeconds: 30
+		// periodSeconds: 5
+
+		securityContext: {
+			enabled: true
+		}
+
+		serviceAccount: {
+			// Specifies whether this ServiceAccount should be created.
+			create: true
+			// The name of this ServiceAccount to use.
+			// If not set and `create` is `true`, then service account is auto-generated.
+			// If not set and `create` is `false`, then it uses default service account.
+			name: ""
+			// Additional serviceAccount annotations (e.g. for attaching AWS IAM roles to pods)
+			annotations: {}
+		}
+	}
+
+	service: {
+		ports: {
+			// You can set a different external and internal gRPC ports and their name.
+			grpc: {
+				external: {
+					port: 26257
+					name: "grpc"
+				}
+				// If the port number is different than `external.port`, then it will be
+				// named as `internal.name` in Service.
+				internal: {
+					port: 26257
+					// If using Istio set it to `cockroach`.
+					name: "grpc-internal"
+				}
+			}
+			http: {
+				port: 8080
+				name: "http"
+			}
+		}
+
+		// This Service is meant to be used by clients of the database.
+		// It exposes a ClusterIP that will automatically load balance connections
+		// to the different database Pods.
+		public: {
+			type: "ClusterIP"
+			// Additional labels to apply to this Service.
+			labels: {
+				"app.kubernetes.io/component": "cockroachdb"
+			}
+			// Additional annotations to apply to this Service.
+			annotations: {}
+		}
+
+		// This service only exists to create DNS entries for each pod in
+		// the StatefulSet such that they can resolve each other's IP addresses.
+		// It does not create a load-balanced ClusterIP and should not be used directly
+		// by clients in most circumstances.
+		discovery: {
+			// Additional labels to apply to this Service.
+			labels: {
+				"app.kubernetes.io/component": "cockroachdb"
+			}
+			// Additional annotations to apply to this Service.
+			annotations: {}
+		}
+	}
+
+	// CockroachDB's ingress for web ui.
+	ingress: {
+		enabled: false
+		labels: {}
+		annotations: {}
+		//   kubernetes.io/ingress.class: nginx
+		//   cert-manager.io/cluster-issuer: letsencrypt
+		paths: ["/"]
+		hosts: []
+		// - cockroachlabs.com
+		tls: []
+	}
+	// - hosts: [cockroachlabs.com]
+	//   secretName: cockroachlabs-tls
+
+	prometheus: {
+		enabled: true
+	}
+
+	securityContext: enabled: true
+
+	// CockroachDB's Prometheus operator ServiceMonitor support
+	serviceMonitor: {
+		enabled: false
+		labels: {}
+		annotations: {}
+		interval: "10s"
+		// scrapeTimeout: 10s
+		// Limits the ServiceMonitor to the current namespace if set to `true`.
+		namespaced: false
+
+		// tlsConfig: TLS configuration to use when scraping the endpoint.
+		// Of type: https://github.com/coreos/prometheus-operator/blob/main/Documentation/api.md#tlsconfig
+		tlsConfig: {}
+	}
+
+	// CockroachDB's data persistence.
+	// If neither `persistentVolume` nor `hostPath` is used, then data will be
+	// persisted in ad-hoc `emptyDir`.
+	storage: {
+		// Absolute path on host to store CockroachDB's data.
+		// If not specified, then `emptyDir` will be used instead.
+		// If specified, but `persistentVolume.enabled` is `true`, then has no effect.
+		hostPath: ""
+
+		// If `enabled` is `true` then a PersistentVolumeClaim will be created and
+		// used to store CockroachDB's data, otherwise `hostPath` is used.
+		persistentVolume: {
+			enabled: true
+
+			size: string | *"100Gi"
+
+			// If defined, then `storageClassName: <storageClass>`.
+			// If set to "-", then `storageClassName: ""`, which disables dynamic
+			// provisioning.
+			// If undefined or empty (default), then no `storageClassName` spec is set,
+			// so the default provisioner will be chosen (gp2 on AWS, standard on
+			// GKE, AWS & OpenStack).
+			storageClass: ""
+
+			// Additional labels to apply to the created PersistentVolumeClaims.
+			labels: {}
+			// Additional annotations to apply to the created PersistentVolumeClaims.
+			annotations: {}
+		}
+	}
+
+	// Kubernetes Job which initializes multi-node CockroachDB cluster.
+	// It's not created if `statefulset.replicas` is `1`.
+	init: {
+		// Additional labels to apply to this Job and its Pod.
+		labels: {
+			"app.kubernetes.io/component": "init"
+		}
+
+		// Additional annotations to apply to this Job.
+		jobAnnotations: {}
+
+		// Additional annotations to apply to the Pod of this Job.
+		annotations: {}
+
+		// Affinity rules for scheduling the Pod of this Job.
+		// https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity
+		affinity: {}
+
+		// Node selection constraints for scheduling the Pod of this Job.
+		// https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+		nodeSelector: {}
+
+		// Taints to be tolerated by the Pod of this Job.
+		// https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+		tolerations: []
+
+		// The init Pod runs at cluster creation to initialize CockroachDB. It finishes
+		// quickly and doesn't continue to consume resources in the Kubernetes
+		// cluster. Normally, you should leave this section commented out, but if your
+		// Kubernetes cluster uses Resource Quotas and requires all pods to specify
+		// resource requests or limits, you can set those here.
+		resources: {}
+		// requests:
+		//   cpu: "10m"
+		//   memory: "128Mi"
+		// limits:
+		//   cpu: "10m"
+		//   memory: "128Mi"
+
+		securityContext: {
+			enabled: true
+		}
+
+		provisioning: {
+			enabled: false
+			// https://www.cockroachlabs.com/docs/stable/cluster-settings.html
+			clusterSettings: null
+			// cluster.organization: "'FooCorp - Local Testing'"
+			// enterprise.license: "'xxxxx'"
+			users: []
+			// - name:
+			//   password:
+			//   # https://www.cockroachlabs.com/docs/stable/create-user.html#parameters
+			//   options: [LOGIN]
+			databases: []
+		}
+	}
+	// - name:
+	//   # https://www.cockroachlabs.com/docs/stable/create-database.html#parameters
+	//   options: [encoding='utf-8']
+	//   owners: []
+	//   # https://www.cockroachlabs.com/docs/stable/grant.html#parameters
+	//   owners_with_grant_option: []
+	//   # Backup schedules are not idemponent for now and will fail on next run
+	//   # https://github.com/cockroachdb/cockroach/issues/57892
+	//   backup:
+	//     into: s3://
+	//     # Enterprise-only option (revision_history)
+	//     # https://www.cockroachlabs.com/docs/stable/create-schedule-for-backup.html#backup-options
+	//     options: [revision_history]
+	//     recurring: '@always'
+	//     # Enterprise-only feature. Remove this value to use `FULL BACKUP ALWAYS`
+	//     fullBackup: '@daily'
+	//     schedule:
+	//       # https://www.cockroachlabs.com/docs/stable/create-schedule-for-backup.html#schedule-options
+	//       options: [first_run = 'now']
+	// Whether to run securely using TLS certificates.
+	tls: {
+		enabled: true
+		copyCerts: image: "busybox"
+		certs: {
+			// Bring your own certs scenario. If provided, tls.init section will be ignored.
+			provided: true | *false
+			// Secret name for the client root cert.
+			clientRootSecret: "cockroachdb-root"
+			// Secret name for node cert.
+			nodeSecret: "cockroachdb-node"
+			// Secret name for CA cert
+			caSecret: "cockroach-ca"
+			// Enable if the secret is a dedicated TLS.
+			// TLS secrets are created by cert-mananger, for example.
+			tlsSecret: true | *false
+			// Enable if the you want cockroach db to create its own certificates
+			selfSigner: {
+				// If set, the cockroach db will generate its own certificates
+				enabled: false | *true
+				// Run selfSigner as non-root
+				securityContext: {
+					enabled: true
+				}
+				// If set, the user should provide the CA certificate to sign other certificates.
+				caProvided: false
+				// It holds the name of the secret with caCerts. If caProvided is set, this can not be empty.
+				caSecret: ""
+				// Minimum Certificate duration for all the certificates, all certs duration will be validated against this.
+				minimumCertDuration: "624h"
+				// Duration of CA certificates in hour
+				caCertDuration: "43800h"
+				// Expiry window of CA certificates means a window before actual expiry in which CA certs should be rotated.
+				caCertExpiryWindow: "648h"
+				// Duration of Client certificates in hour
+				clientCertDuration: "672h"
+				// Expiry window of client certificates means a window before actual expiry in which client certs should be rotated.
+				clientCertExpiryWindow: "48h"
+				// Duration of node certificates in hour
+				nodeCertDuration: "8760h"
+				// Expiry window of node certificates means a window before actual expiry in which node certs should be rotated.
+				nodeCertExpiryWindow: "168h"
+				// If set, the cockroachdb cert selfSigner will rotate the certificates before expiry.
+				rotateCerts: true
+				// Wait time for each cockroachdb replica to become ready once it comes in running state. Only considered when rotateCerts is set to true
+				readinessWait: "30s"
+				// Wait time for each cockroachdb replica to get to running state. Only considered when rotateCerts is set to true
+				podUpdateTimeout: "2m"
+				// ServiceAccount annotations for selfSigner jobs (e.g. for attaching AWS IAM roles to pods)
+				svcAccountAnnotations: {}
+			}
+
+			// Use cert-manager to issue certificates for mTLS.
+			certManager: true | *false
+			// Specify an Issuer or a ClusterIssuer to use, when issuing
+			// node and client certificates. The values correspond to the
+			// issuerRef specified in the certificate.
+			certManagerIssuer: {
+				group: "cert-manager.io"
+				kind:  "Issuer"
+				name:  string | *"cockroachdb"
+				// Make it false when you are providing your own CA issuer
+				isSelfSignedIssuer: true
+				// Duration of Client certificates in hours
+				clientCertDuration: "672h"
+				// Expiry window of client certificates means a window before actual expiry in which client certs should be rotated.
+				clientCertExpiryWindow: "48h"
+				// Duration of node certificates in hours
+				nodeCertDuration: "8760h"
+				// Expiry window of node certificates means a window before actual expiry in which node certs should be rotated.
+				nodeCertExpiryWindow: "168h"
+			}
+		}
+
+		selfSigner: {
+			// Additional annotations to apply to the Pod of this Job.
+			annotations: {}
+
+			// Affinity rules for scheduling the Pod of this Job.
+			// https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity
+			affinity: {}
+
+			// Node selection constraints for scheduling the Pod of this Job.
+			// https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+			nodeSelector: {}
+
+			// Taints to be tolerated by the Pod of this Job.
+			// https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+			tolerations: []
+
+			// Image Placeholder for the selfSigner utility. This will be changed once the CI workflows for the image is in place.
+			image: {
+				repository: "cockroachlabs-helm-charts/cockroach-self-signer-cert"
+				tag:        "1.5"
+				pullPolicy: "IfNotPresent"
+				credentials: {}
+				registry: "gcr.io"
+			}
+		}
+	}
+	// username: john_doe
+	// password: changeme
+
+	networkPolicy: {
+		enabled: false
+
+		ingress: {
+			// List of sources which should be able to access the CockroachDB Pods via
+			// gRPC port. Items in this list are combined using a logical OR operation.
+			// Rules for allowing inter-communication are applied automatically.
+			// If empty, then connections from any Pod is allowed.
+			grpc: []
+			// - podSelector:
+			//     matchLabels:
+			//       app.kubernetes.io/name: my-app-django
+			//       app.kubernetes.io/instance: my-app
+			// List of sources which should be able to access the CockroachDB Pods via
+			// HTTP port. Items in this list are combined using a logical OR operation.
+			// If empty, then connections from any Pod is allowed.
+			http: []
+		}
+	}
+	// - namespaceSelector:
+	//     matchLabels:
+	//       project: my-project
+	// To put the admin interface behind Identity Aware Proxy (IAP) on Google Cloud Platform
+	// make sure to set ingress.paths: ['/*']
+	iap: {
+		enabled: false
+	}
+
+}

docs/examples/platforms/reference/clusters/disabled/iam/zitadel/crdb/values.holos.cue

@@ -0,0 +1,23 @@
+package holos
+
+#Values: {
+	image: repository: "quay.io/holos/cockroachdb/cockroach"
+
+	fullnameOverride: #ComponentName
+
+	tls: {
+		enabled: true
+		certs: {
+			// https://github.com/cockroachdb/helm-charts/blob/3dcf96726ebcfe3784afb526ddcf4095a1684aea/README.md?plain=1#L204-L215
+			selfSigner: enabled: false
+			certManager: false
+			provided:    true
+			tlsSecret:   true
+		}
+	}
+
+	storage: persistentVolume: {
+		enabled: true
+		size:    "1Gi"
+	}
+}

docs/examples/platforms/reference/clusters/disabled/iam/zitadel/zitadel.cue

@@ -0,0 +1,10 @@
+package holos
+
+#TargetNamespace: #InstancePrefix + "-zitadel"
+
+#DB: {
+	Host: "crdb-public"
+}
+
+// The canonical login domain for the entire platform.  Zitadel will be active on a singlec cluster at a time, but always accessible from this hostname.
+#ExternalDomain: "login.\(#Platform.org.domain)"

docs/examples/platforms/reference/clusters/disabled/iam/zitadel/zitadel/values.cue

@@ -0,0 +1,251 @@
+package holos
+
+#Values: {
+
+	// Default values for zitadel.
+	zitadel: {
+		// The ZITADEL config under configmapConfig is written to a Kubernetes ConfigMap
+		// See all defaults here:
+		// https://github.com/zitadel/zitadel/blob/main/cmd/defaults.yaml
+		configmapConfig: {
+			ExternalSecure: true
+			Machine: Identification: {
+				Hostname: Enabled: true
+				Webhook: Enabled:  false
+			}
+		}
+
+		// The ZITADEL config under secretConfig is written to a Kubernetes Secret
+		// See all defaults here:
+		// https://github.com/zitadel/zitadel/blob/main/cmd/defaults.yaml
+		secretConfig: null
+
+		// Annotations set on secretConfig secret
+		secretConfigAnnotations: {
+			"helm.sh/hook":               "pre-install,pre-upgrade"
+			"helm.sh/hook-delete-policy": "before-hook-creation"
+			"helm.sh/hook-weight":        "0"
+		}
+
+		// Reference the name of a secret that contains ZITADEL configuration.
+		configSecretName: null
+		// The key under which the ZITADEL configuration is located in the secret.
+		configSecretKey: "config-yaml"
+
+		// ZITADEL uses the masterkey for symmetric encryption.
+		// You can generate it for example with tr -dc A-Za-z0-9 </dev/urandom | head -c 32
+		masterkey: ""
+		// Reference the name of the secret that contains the masterkey. The key should be named "masterkey".
+		// Note: Either zitadel.masterkey or zitadel.masterkeySecretName must be set
+		masterkeySecretName: string | *""
+
+		// Annotations set on masterkey secret
+		masterkeyAnnotations: {
+			"helm.sh/hook":               "pre-install,pre-upgrade"
+			"helm.sh/hook-delete-policy": "before-hook-creation"
+			"helm.sh/hook-weight":        "0"
+		}
+
+		// The CA Certificate needed for establishing secure database connections
+		dbSslCaCrt: ""
+
+		// The Secret containing the CA certificate at key ca.crt needed for establishing secure database connections
+		dbSslCaCrtSecret: string | *""
+
+		// The db admins secret containing the client certificate and key at tls.crt and tls.key needed for establishing secure database connections
+		dbSslAdminCrtSecret: string | *""
+
+		// The db users secret containing the client certificate and key at tls.crt and tls.key needed for establishing secure database connections
+		dbSslUserCrtSecret: string | *""
+
+		// Generate a self-signed certificate using an init container
+		// This will also mount the generated files to /etc/tls/ so that you can reference them in the pod.
+		// E.G. KeyPath: /etc/tls/tls.key CertPath: /etc/tls/tls.crt
+		// By default, the SAN DNS names include, localhost, the POD IP address and the POD name. You may include one more by using additionalDnsName like "my.zitadel.fqdn".
+		selfSignedCert: {
+			enabled:           false
+			additionalDnsName: null
+		}
+	}
+
+	replicaCount: 3
+
+	image: {
+		repository: "ghcr.io/zitadel/zitadel"
+		pullPolicy: "IfNotPresent"
+		// Overrides the image tag whose default is the chart appVersion.
+		tag: ""
+	}
+
+	chownImage: {
+		repository: "alpine"
+		pullPolicy: "IfNotPresent"
+		tag:        "3.19"
+	}
+
+	imagePullSecrets: []
+	nameOverride:     ""
+	fullnameOverride: ""
+
+	// Annotations to add to the deployment
+	annotations: {}
+
+	// Annotations to add to the configMap
+	configMap: {
+		annotations: {
+			"helm.sh/hook":               "pre-install,pre-upgrade"
+			"helm.sh/hook-delete-policy": "before-hook-creation"
+			"helm.sh/hook-weight":        "0"
+		}
+	}
+
+	serviceAccount: {
+		// Specifies whether a service account should be created
+		create: true
+		// Annotations to add to the service account
+		annotations: {
+			"helm.sh/hook":               "pre-install,pre-upgrade"
+			"helm.sh/hook-delete-policy": "before-hook-creation"
+			"helm.sh/hook-weight":        "0"
+		}
+		// The name of the service account to use.
+		// If not set and create is true, a name is generated using the fullname template
+		name: ""
+	}
+
+	podAnnotations: {}
+
+	podAdditionalLabels: {}
+
+	podSecurityContext: {
+		runAsNonRoot: true
+		runAsUser:    1000
+	}
+
+	securityContext: {}
+
+	// Additional environment variables
+	env: []
+	// - name: ZITADEL_DATABASE_POSTGRES_HOST
+	//   valueFrom:
+	//     secretKeyRef:
+	//       name: postgres-pguser-postgres
+	//       key: host
+
+	service: {
+		type: "ClusterIP"
+		// If service type is "ClusterIP", this can optionally be set to a fixed IP address.
+		clusterIP: ""
+		port:      8080
+		protocol:  "http2"
+		annotations: {}
+		scheme: "HTTP"
+	}
+
+	ingress: {
+		enabled:   false
+		className: ""
+		annotations: {}
+		hosts: [{
+			host: "localhost"
+			paths: [{
+				path:     "/"
+				pathType: "Prefix"
+			}]
+		}]
+		tls: []
+	}
+
+	resources: {}
+
+	nodeSelector: {}
+
+	tolerations: []
+
+	affinity: {}
+
+	topologySpreadConstraints: []
+
+	initJob: {
+		// Once ZITADEL is installed, the initJob can be disabled.
+		enabled: true
+		annotations: {
+			"helm.sh/hook":               "pre-install,pre-upgrade"
+			"helm.sh/hook-delete-policy": "before-hook-creation"
+			"helm.sh/hook-weight":        "1"
+		}
+		resources: {}
+		backoffLimit:          5
+		activeDeadlineSeconds: 300
+		extraContainers: []
+		podAnnotations: {}
+		// Available init commands :
+		// "": initialize ZITADEL instance (without skip anything)
+		// database: initialize only the database
+		// grant: set ALL grant to user
+		// user: initialize only the database user
+		// zitadel: initialize ZITADEL internals (skip "create user" and "create database")
+		command: ""
+	}
+
+	setupJob: {
+		annotations: {
+			"helm.sh/hook":               "pre-install,pre-upgrade"
+			"helm.sh/hook-delete-policy": "before-hook-creation"
+			"helm.sh/hook-weight":        "2"
+		}
+		resources: {}
+		activeDeadlineSeconds: 300
+		extraContainers: []
+		podAnnotations: {}
+		additionalArgs: ["--init-projections=true"]
+		machinekeyWriter: {
+			image: {
+				repository: "bitnami/kubectl"
+				tag:        ""
+			}
+			resources: {}
+		}
+	}
+
+	readinessProbe: {
+		enabled:             true
+		initialDelaySeconds: 0
+		periodSeconds:       5
+		failureThreshold:    3
+	}
+
+	livenessProbe: {
+		enabled:             true
+		initialDelaySeconds: 0
+		periodSeconds:       5
+		failureThreshold:    3
+	}
+
+	startupProbe: {
+		enabled:          true
+		periodSeconds:    1
+		failureThreshold: 30
+	}
+
+	metrics: {
+		enabled: false
+		serviceMonitor: {
+			// If true, the chart creates a ServiceMonitor that is compatible with Prometheus Operator
+			// https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#monitoring.coreos.com/v1.ServiceMonitor.
+			// The Prometheus community Helm chart installs this operator
+			// https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack#kube-prometheus-stack
+			enabled:         false
+			honorLabels:     false
+			honorTimestamps: true
+		}
+	}
+
+	pdb: {
+		enabled: false
+		// these values are used for the PDB and are mutally exclusive
+		minAvailable: 1
+		// maxUnavailable: 1
+		annotations: {}
+	}
+}

docs/examples/platforms/reference/clusters/disabled/iam/zitadel/zitadel/values.holos.cue

@@ -0,0 +1,34 @@
+package holos
+
+#Values: {
+
+	// https://raw.githubusercontent.com/zitadel/zitadel-charts/main/examples/4-cockroach-secure/zitadel-values.yaml
+	zitadel: {
+		masterkeySecretName: "zitadel-masterkey"
+		// https://github.com/zitadel/zitadel-charts/blob/zitadel-7.4.0/charts/zitadel/templates/configmap.yaml#L13
+		configmapConfig: {
+			// NOTE: You can change the ExternalDomain, ExternalPort and ExternalSecure
+			// configuration options at any time. However, for ZITADEL to be able to
+			// pick up the changes, you need to rerun ZITADELs setup phase.  Do so with
+			// kubectl delete job zitadel-setup, then re-apply the new config.
+			//
+			// https://zitadel.com/docs/self-hosting/manage/custom-domain
+			ExternalDomain: #ExternalDomain
+			ExternalPort:   443
+			ExternalSecure: true
+			TLS: Enabled: false
+			Database: Cockroach: {
+				Host: #DB.Host
+				User: SSL: Mode:  "verify-full"
+				Admin: SSL: Mode: "verify-full"
+			}
+		}
+
+		// Managed by crdb component
+		dbSslCaCrtSecret:    "cockroach-ca"
+		dbSslAdminCrtSecret: "cockroachdb-root"
+		// Managed by this component
+		dbSslUserCrtSecret: "cockroachdb-zitadel"
+	}
+
+}

docs/examples/platforms/reference/clusters/disabled/iam/zitadel/zitadel/zitadel.cue

@@ -0,0 +1,55 @@
+package holos
+
+import "encoding/yaml"
+
+let Name = "zitadel"
+#InputKeys: component: Name
+
+// Upstream helm chart doesn't specify the namespace field for all resources.
+#Kustomization: spec: targetNamespace: #TargetNamespace
+
+#HelmChart & {
+	namespace: #TargetNamespace
+	chart: {
+		name:    Name
+		version: "7.9.0"
+		repository: {
+			name: Name
+			url:  "https://charts.zitadel.com"
+		}
+	}
+	values: #Values
+
+	apiObjects: {
+		ExternalSecret: masterkey: #ExternalSecret & {
+			_name: "zitadel-masterkey"
+		}
+		ExternalSecret: zitadel: #ExternalSecret & {
+			_name: "cockroachdb-zitadel"
+		}
+		VirtualService: zitadel: #VirtualService & {
+			metadata: name:      Name
+			metadata: namespace: #TargetNamespace
+			spec: hosts: ["login.\(#Platform.org.domain)"]
+			spec: gateways: ["istio-ingress/default"]
+			spec: http: [{route: [{destination: host: Name}]}]
+		}
+	}
+}
+
+// TODO: Generalize this common pattern of injecting the istio sidecar into a Deployment
+let Patch = [{op: "add", path: "/spec/template/metadata/labels/sidecar.istio.io~1inject", value: "true"}]
+
+#Kustomize: {
+	patches: [
+		{
+			target: {
+				group:   "apps"
+				version: "v1"
+				kind:    "Deployment"
+				name:    Name
+			}
+			patch: yaml.Marshal(Patch)
+		},
+	]
+}

docs/examples/platforms/reference/clusters/provisioner/iam/iam.cue

@@ -0,0 +1,10 @@
+package holos
+
+// Components under this directory are part of this collection
+#InputKeys: project: "iam"
+
+// Shared dependencies for all components in this collection.
+#DependsOn: _Namespaces
+
+// Common Dependencies
+_Namespaces: Namespaces: name: "\(#StageName)-secrets-namespaces"

docs/examples/platforms/reference/clusters/provisioner/iam/zitadel/crdb/crdbissuer.cue

@@ -0,0 +1,108 @@
+package holos
+
+// Manage an Issuer for cockroachdb for zitadel.
+// For the iam login service, zitadel connects to cockroach db using tls certs for authz.
+// Upstream: "The recommended approach is to use cert-manager for certificate management. For details, refer to Deploy cert-manager for mTLS."
+// Refer to https://www.cockroachlabs.com/docs/stable/secure-cockroachdb-kubernetes#deploy-cert-manager-for-mtls
+
+#InputKeys: component: "crdb"
+
+#KubernetesObjects & {
+	apiObjects: {
+		Issuer: {
+			// https://github.com/cockroachdb/helm-charts/blob/3dcf96726ebcfe3784afb526ddcf4095a1684aea/README.md?plain=1#L196-L201
+			crdb: #Issuer & {
+				_description: "Issues the self signed root ca cert for cockroach db"
+				metadata: name:      #ComponentName
+				metadata: namespace: #TargetNamespace
+				spec: selfSigned: {}
+			}
+			"crdb-ca-issuer": #Issuer & {
+				_description: "Issues mtls certs for cockroach db"
+				metadata: name:      "crdb-ca-issuer"
+				metadata: namespace: #TargetNamespace
+				spec: ca: secretName: "cockroach-ca"
+			}
+		}
+		Certificate: {
+			"crdb-ca-cert": #Certificate & {
+				_description: "Root CA cert for cockroach db"
+				metadata: name:      "crdb-ca-cert"
+				metadata: namespace: #TargetNamespace
+				spec: {
+					commonName: "root"
+					isCA:       true
+					issuerRef: group:      "cert-manager.io"
+					issuerRef: kind:       "Issuer"
+					issuerRef: name:       "crdb"
+					privateKey: algorithm: "ECDSA"
+					privateKey: size:      256
+					secretName: "cockroach-ca"
+					subject: organizations: ["Cockroach"]
+				}
+			}
+			"crdb-node": #Certificate & {
+				metadata: name:      "crdb-node"
+				metadata: namespace: #TargetNamespace
+				spec: {
+					commonName: "node"
+					dnsNames: [
+						"localhost",
+						"127.0.0.1",
+						"crdb-public",
+						"crdb-public.\(#TargetNamespace)",
+						"crdb-public.\(#TargetNamespace).svc.cluster.local",
+						"*.crdb",
+						"*.crdb.\(#TargetNamespace)",
+						"*.crdb.\(#TargetNamespace).svc.cluster.local",
+					]
+					duration: "876h"
+					issuerRef: group:      "cert-manager.io"
+					issuerRef: kind:       "Issuer"
+					issuerRef: name:       "crdb-ca-issuer"
+					privateKey: algorithm: "RSA"
+					privateKey: size:      2048
+					renewBefore: "168h"
+					secretName:  "cockroachdb-node"
+					subject: organizations: ["Cockroach"]
+					usages: ["digital signature", "key encipherment", "server auth", "client auth"]
+				}
+			}
+			"crdb-root-client": #Certificate & {
+				metadata: name:      "crdb-root-client"
+				metadata: namespace: #TargetNamespace
+				spec: {
+					commonName: "root"
+					duration:   "672h"
+					issuerRef: group:      "cert-manager.io"
+					issuerRef: kind:       "Issuer"
+					issuerRef: name:       "crdb-ca-issuer"
+					privateKey: algorithm: "RSA"
+					privateKey: size:      2048
+					renewBefore: "48h"
+					secretName:  "cockroachdb-root"
+					subject: organizations: ["Cockroach"]
+					usages: ["digital signature", "key encipherment", "client auth"]
+				}
+			}
+		}
+		Certificate: zitadel: #Certificate & {
+			metadata: name:      "crdb-zitadel-client"
+			metadata: namespace: #TargetNamespace
+			spec: {
+				commonName: "zitadel"
+				issuerRef: {
+					group: "cert-manager.io"
+					kind:  "Issuer"
+					name:  "crdb-ca-issuer"
+				}
+				privateKey: algorithm: "RSA"
+				privateKey: size:      2048
+				renewBefore: "48h0m0s"
+				secretName:  "cockroachdb-zitadel"
+				subject: organizations: ["Cockroach"]
+				usages: ["digital signature", "key encipherment", "client auth"]
+			}
+		}
+	}
+}

docs/examples/platforms/reference/clusters/provisioner/iam/zitadel/zitadel.cue

@@ -0,0 +1,7 @@
+package holos
+
+#TargetNamespace: #InstancePrefix + "-zitadel"
+
+#DB: {
+	Host: "crdb-public"
+}

docs/examples/platforms/reference/clusters/provisioner/mesh/certificates/certs.cue

@@ -0,0 +1,20 @@
+package holos
+
+// Provision all platform certificates.
+#InputKeys: component: "certificates"
+
+// Certificates usually go into the istio-system namespace, but they may go anywhere.
+#TargetNamespace: "default"
+
+// Depends on issuers
+#DependsOn: _LetsEncrypt
+
+#KubernetesObjects & {
+	apiObjects: {
+		for k, obj in #PlatformCerts {
+			"\(obj.kind)": {
+				"\(obj.metadata.namespace)/\(obj.metadata.name)": obj
+			}
+		}
+	}
+}

docs/examples/platforms/reference/clusters/provisioner/mesh/certmanager/certmanager.cue

@@ -0,0 +1,43 @@
+package holos
+
+// https://cert-manager.io/docs/
+
+#TargetNamespace: "cert-manager"
+
+#InputKeys: {
+	component: "certmanager"
+	service:   "cert-manager"
+}
+
+#HelmChart & {
+	values: #Values & {
+		installCRDs: true
+		startupapicheck: enabled: false
+		// Must not use kube-system on gke autopilot.  GKE Warden authz blocks access.
+		global: leaderElection: namespace: #TargetNamespace
+	}
+	namespace: #TargetNamespace
+	chart: {
+		name:    "cert-manager"
+		version: "1.14.3"
+		repository: {
+			name: "jetstack"
+			url:  "https://charts.jetstack.io"
+		}
+	}
+}
+
+// https://cloud.google.com/kubernetes-engine/docs/concepts/autopilot-resource-requests#min-max-requests
+#PodResources: {
+	requests: {
+		cpu:                 string | *"250m"
+		memory:              string | *"512Mi"
+		"ephemeral-storage": string | *"100Mi"
+	}
+}
+
+// https://cloud.google.com/kubernetes-engine/docs/how-to/autopilot-spot-pods
+#NodeSelector: {
+	"kubernetes.io/os":          "linux"
+	"cloud.google.com/gke-spot": "true"
+}

docs/examples/platforms/reference/clusters/provisioner/mesh/letsencrypt/issuers.cue

@@ -0,0 +1,78 @@
+package holos
+
+// Lets Encrypt certificate issuers for public tls certs
+#InputKeys: component: "letsencrypt"
+#TargetNamespace: "cert-manager"
+
+let Name = "letsencrypt"
+
+// The cloudflare api token is platform scoped, not cluster scoped.
+#SecretName: "cloudflare-api-token-secret"
+
+// Depends on cert manager
+#DependsOn: _CertManager
+
+#KubernetesObjects & {
+	apiObjects: {
+		ClusterIssuer: {
+			letsencrypt: #ClusterIssuer & {
+				metadata: name: Name
+				spec: {
+					acme: {
+						email:  #Platform.org.contact.email
+						server: "https://acme-v02.api.letsencrypt.org/directory"
+						privateKeySecretRef: name: Name
+						solvers: [{
+							dns01: cloudflare: {
+								email: #Platform.org.cloudflare.email
+								apiTokenSecretRef: name: #SecretName
+								apiTokenSecretRef: key:  "api_token"
+							}}]
+					}
+				}
+			}
+			letsencryptStaging: #ClusterIssuer & {
+				metadata: name: Name + "-staging"
+				spec: {
+					acme: {
+						email:  #Platform.org.contact.email
+						server: "https://acme-staging-v02.api.letsencrypt.org/directory"
+						privateKeySecretRef: name: Name + "-staging"
+						solvers: [{
+							dns01: cloudflare: {
+								email: #Platform.org.cloudflare.email
+								apiTokenSecretRef: name: #SecretName
+								apiTokenSecretRef: key:  "api_token"
+							}}]
+					}
+				}
+			}
+		}
+	}
+}
+
+// _HTTPSolvers are disabled in the provisioner cluster, dns is the method supported by holos.
+_HTTPSolvers: {
+	letsencryptHTTP: #ClusterIssuer & {
+		metadata: name: Name + "-http"
+		spec: {
+			acme: {
+				email:  #Platform.org.contact.email
+				server: "https://acme-v02.api.letsencrypt.org/directory"
+				privateKeySecretRef: name: Name
+				solvers: [{http01: ingress: class: "istio"}]
+			}
+		}
+	}
+	letsencryptHTTPStaging: #ClusterIssuer & {
+		metadata: name: Name + "-http-staging"
+		spec: {
+			acme: {
+				email:  #Platform.org.contact.email
+				server: "https://acme-staging-v02.api.letsencrypt.org/directory"
+				privateKeySecretRef: name: Name + "-staging"
+				solvers: [{http01: ingress: class: "istio"}]
+			}
+		}
+	}
+}

docs/examples/platforms/reference/clusters/provisioner/mesh/mesh.cue

@@ -0,0 +1,13 @@
+package holos
+
+// Components under this directory are part of this collection
+#InputKeys: project: "mesh"
+
+// Shared dependencies for all components in this collection.
+#DependsOn: _Namespaces
+
+// Common Dependencies
+_Namespaces: Namespaces: name:     "\(#StageName)-secrets-namespaces"
+_CertManager: CertManager: name:   "\(#InstancePrefix)-certmanager"
+_LetsEncrypt: LetsEncrypt: name:   "\(#InstancePrefix)-letsencrypt"
+_Certificates: Certificates: name: "\(#InstancePrefix)-certificates"

docs/examples/platforms/reference/clusters/workload/cloud/github/arc/arc.cue

@@ -0,0 +1,9 @@
+package holos
+
+// GitHub Actions Runner Controller
+#InputKeys: project: "github"
+#DependsOn: Namespaces: name: "prod-secrets-namespaces"
+
+#TargetNamespace: #InputKeys.component
+#HelmChart: namespace: #TargetNamespace
+#HelmChart: chart: version: "0.8.3"

docs/examples/platforms/reference/clusters/workload/cloud/github/arc/runner/arc-runner.cue

@@ -0,0 +1,30 @@
+package holos
+
+#InputKeys: component: "arc-runner"
+#Kustomization: spec: targetNamespace: #TargetNamespace
+
+#HelmChart & {
+	values: {
+		#Values
+		controllerServiceAccount: name:      "gha-rs-controller"
+		controllerServiceAccount: namespace: "arc-system"
+		githubConfigSecret: "controller-manager"
+		githubConfigUrl:    "https://github.com/" + #Platform.org.github.orgs.primary.name
+	}
+	apiObjects: {
+		ExternalSecret: controller: #ExternalSecret & {
+			_name: values.githubConfigSecret
+		}
+	}
+	chart: {
+		// Match the gha-base-name in the chart _helpers.tpl to avoid long full names.
+		// NOTE: Unfortunately the INSTALLATION_NAME is used as the helm release
+		// name and GitHub removed support for runner labels, so the only way to
+		// specify which runner a workflow runs on is using this helm release name.
+		// The quote is "Update the INSTALLATION_NAME value carefully. You will use
+		// the installation name as the value of runs-on in your workflows."  Refer to
+		// https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/quickstart-for-actions-runner-controller
+		release: "gha-rs"
+		name:    "oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set"
+	}
+}

docs/examples/platforms/reference/clusters/workload/cloud/github/arc/runner/values.cue

@@ -0,0 +1,192 @@
+package holos
+
+#Values: {
+	//# githubConfigUrl is the GitHub url for where you want to configure runners
+	//# ex: https://github.com/myorg/myrepo or https://github.com/myorg
+	githubConfigUrl: string | *""
+
+	//# githubConfigSecret is the k8s secrets to use when auth with GitHub API.
+	//# You can choose to use GitHub App or a PAT token
+	githubConfigSecret: string | {
+		//## GitHub Apps Configuration
+		//# NOTE: IDs MUST be strings, use quotes
+		//github_app_id: ""
+		//github_app_installation_id: ""
+		//github_app_private_key: |
+		//## GitHub PAT Configuration
+		github_token: ""
+	}
+	//# If you have a pre-define Kubernetes secret in the same namespace the gha-runner-scale-set is going to deploy,
+	//# you can also reference it via `githubConfigSecret: pre-defined-secret`.
+	//# You need to make sure your predefined secret has all the required secret data set properly.
+	//#   For a pre-defined secret using GitHub PAT, the secret needs to be created like this:
+	//#   > kubectl create secret generic pre-defined-secret --namespace=my_namespace --from-literal=github_token='ghp_your_pat'
+	//#   For a pre-defined secret using GitHub App, the secret needs to be created like this:
+	//#   > kubectl create secret generic pre-defined-secret --namespace=my_namespace --from-literal=github_app_id=123456 --from-literal=github_app_installation_id=654321 --from-literal=github_app_private_key='-----BEGIN CERTIFICATE-----*******'
+	// githubConfigSecret: pre-defined-secret
+	//# proxy can be used to define proxy settings that will be used by the
+	//# controller, the listener and the runner of this scale set.
+	//
+	// proxy:
+	//   http:
+	//     url: http://proxy.com:1234
+	//     credentialSecretRef: proxy-auth # a secret with `username` and `password` keys
+	//   https:
+	//     url: http://proxy.com:1234
+	//     credentialSecretRef: proxy-auth # a secret with `username` and `password` keys
+	//   noProxy:
+	//     - example.com
+	//     - example.org
+	//# maxRunners is the max number of runners the autoscaling runner set will scale up to.
+	// maxRunners: 5
+	//# minRunners is the min number of idle runners. The target number of runners created will be
+	//# calculated as a sum of minRunners and the number of jobs assigned to the scale set.
+	// minRunners: 0
+	// runnerGroup: "default"
+	//# name of the runner scale set to create.  Defaults to the helm release name
+	// runnerScaleSetName: ""
+	//# A self-signed CA certificate for communication with the GitHub server can be
+	//# provided using a config map key selector. If `runnerMountPath` is set, for
+	//# each runner pod ARC will:
+	//# - create a `github-server-tls-cert` volume containing the certificate
+	//#   specified in `certificateFrom`
+	//# - mount that volume on path `runnerMountPath`/{certificate name}
+	//# - set NODE_EXTRA_CA_CERTS environment variable to that same path
+	//# - set RUNNER_UPDATE_CA_CERTS environment variable to "1" (as of version
+	//#   2.303.0 this will instruct the runner to reload certificates on the host)
+	//#
+	//# If any of the above had already been set by the user in the runner pod
+	//# template, ARC will observe those and not overwrite them.
+	//# Example configuration:
+	//
+	// githubServerTLS:
+	//   certificateFrom:
+	//     configMapKeyRef:
+	//       name: config-map-name
+	//       key: ca.crt
+	//   runnerMountPath: /usr/local/share/ca-certificates/
+	//# Container mode is an object that provides out-of-box configuration
+	//# for dind and kubernetes mode. Template will be modified as documented under the
+	//# template object.
+	//#
+	//# If any customization is required for dind or kubernetes mode, containerMode should remain
+	//# empty, and configuration should be applied to the template.
+	// containerMode:
+	//   type: "dind"  ## type can be set to dind or kubernetes
+	//   ## the following is required when containerMode.type=kubernetes
+	//   kubernetesModeWorkVolumeClaim:
+	//     accessModes: ["ReadWriteOnce"]
+	//     # For local testing, use https://github.com/openebs/dynamic-localpv-provisioner/blob/develop/docs/quickstart.md to provide dynamic provision volume with storageClassName: openebs-hostpath
+	//     storageClassName: "dynamic-blob-storage"
+	//     resources:
+	//       requests:
+	//         storage: 1Gi
+	//   kubernetesModeServiceAccount:
+	//     annotations:
+	//# template is the PodSpec for each listener Pod
+	//# For reference: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#PodSpec
+	// listenerTemplate:
+	//   spec:
+	//     containers:
+	//     # Use this section to append additional configuration to the listener container.
+	//     # If you change the name of the container, the configuration will not be applied to the listener,
+	//     # and it will be treated as a side-car container.
+	//     - name: listener
+	//       securityContext:
+	//         runAsUser: 1000
+	//     # Use this section to add the configuration of a side-car container.
+	//     # Comment it out or remove it if you don't need it.
+	//     # Spec for this container will be applied as is without any modifications.
+	//     - name: side-car
+	//       image: example-sidecar
+	//# template is the PodSpec for each runner Pod
+	//# For reference: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#PodSpec
+	template: {
+		//# template.spec will be modified if you change the container mode
+		//# with containerMode.type=dind, we will populate the template.spec with following pod spec
+		//# template:
+		//#   spec:
+		//#     initContainers:
+		//#     - name: init-dind-externals
+		//#       image: ghcr.io/actions/actions-runner:latest
+		//#       command: ["cp", "-r", "-v", "/home/runner/externals/.", "/home/runner/tmpDir/"]
+		//#       volumeMounts:
+		//#         - name: dind-externals
+		//#           mountPath: /home/runner/tmpDir
+		//#     containers:
+		//#     - name: runner
+		//#       image: ghcr.io/actions/actions-runner:latest
+		//#       command: ["/home/runner/run.sh"]
+		//#       env:
+		//#         - name: DOCKER_HOST
+		//#           value: unix:///run/docker/docker.sock
+		//#       volumeMounts:
+		//#         - name: work
+		//#           mountPath: /home/runner/_work
+		//#         - name: dind-sock
+		//#           mountPath: /run/docker
+		//#           readOnly: true
+		//#     - name: dind
+		//#       image: docker:dind
+		//#       args:
+		//#         - dockerd
+		//#         - --host=unix:///run/docker/docker.sock
+		//#         - --group=$(DOCKER_GROUP_GID)
+		//#       env:
+		//#         - name: DOCKER_GROUP_GID
+		//#           value: "123"
+		//#       securityContext:
+		//#         privileged: true
+		//#       volumeMounts:
+		//#         - name: work
+		//#           mountPath: /home/runner/_work
+		//#         - name: dind-sock
+		//#           mountPath: /run/docker
+		//#         - name: dind-externals
+		//#           mountPath: /home/runner/externals
+		//#     volumes:
+		//#     - name: work
+		//#       emptyDir: {}
+		//#     - name: dind-sock
+		//#       emptyDir: {}
+		//#     - name: dind-externals
+		//#       emptyDir: {}
+		//#####################################################################################################
+		//# with containerMode.type=kubernetes, we will populate the template.spec with following pod spec
+		//# template:
+		//#   spec:
+		//#     containers:
+		//#     - name: runner
+		//#       image: ghcr.io/actions/actions-runner:latest
+		//#       command: ["/home/runner/run.sh"]
+		//#       env:
+		//#         - name: ACTIONS_RUNNER_CONTAINER_HOOKS
+		//#           value: /home/runner/k8s/index.js
+		//#         - name: ACTIONS_RUNNER_POD_NAME
+		//#           valueFrom:
+		//#             fieldRef:
+		//#               fieldPath: metadata.name
+		//#         - name: ACTIONS_RUNNER_REQUIRE_JOB_CONTAINER
+		//#           value: "true"
+		//#       volumeMounts:
+		//#         - name: work
+		//#           mountPath: /home/runner/_work
+		//#     volumes:
+		//#       - name: work
+		//#         ephemeral:
+		//#           volumeClaimTemplate:
+		//#             spec:
+		//#               accessModes: [ "ReadWriteOnce" ]
+		//#               storageClassName: "local-path"
+		//#               resources:
+		//#                 requests:
+		//#                   storage: 1Gi
+		spec: {
+			containers: [{
+				name:  "runner"
+				image: "ghcr.io/actions/actions-runner:latest"
+				command: ["/home/runner/run.sh"]
+			}]
+		}
+	}
+}

docs/examples/platforms/reference/clusters/workload/cloud/github/arc/system/arc-system.cue

@@ -0,0 +1,15 @@
+package holos
+
+#TargetNamespace: "arc-system"
+#InputKeys: component: "arc-system"
+
+#HelmChart & {
+	values:    #Values & #DefaultSecurityContext
+	namespace: #TargetNamespace
+	chart: {
+		// Match the gha-base-name in the chart _helpers.tpl to avoid long full names.
+		release: "gha-rs-controller"
+		name:    "oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set-controller"
+		version: "0.8.3"
+	}
+}

docs/examples/platforms/reference/clusters/workload/cloud/github/arc/system/values.cue

@@ -0,0 +1,127 @@
+package holos
+
+#Values: {
+	// Default values for gha-runner-scale-set-controller.
+	// This is a YAML-formatted file.
+	// Declare variables to be passed into your templates.
+	labels: {}
+
+	// leaderElection will be enabled when replicaCount>1,
+	// So, only one replica will in charge of reconciliation at a given time
+	// leaderElectionId will be set to {{ define gha-runner-scale-set-controller.fullname }}.
+	replicaCount: 1
+
+	image: {
+		repository: "ghcr.io/actions/gha-runner-scale-set-controller"
+		pullPolicy: "IfNotPresent"
+		// Overrides the image tag whose default is the chart appVersion.
+		tag: ""
+	}
+
+	imagePullSecrets: []
+	nameOverride:     ""
+	fullnameOverride: ""
+
+	env: null
+	//# Define environment variables for the controller pod
+	//  - name: "ENV_VAR_NAME_1"
+	//    value: "ENV_VAR_VALUE_1"
+	//  - name: "ENV_VAR_NAME_2"
+	//    valueFrom:
+	//      secretKeyRef:
+	//        key: ENV_VAR_NAME_2
+	//        name: secret-name
+	//        optional: true
+
+	serviceAccount: {
+		// Specifies whether a service account should be created for running the controller pod
+		create: true
+		// Annotations to add to the service account
+		annotations: {}
+		// The name of the service account to use.
+		// If not set and create is true, a name is generated using the fullname template
+		// You can not use the default service account for this.
+		name: ""
+	}
+
+	podAnnotations: {}
+
+	podLabels: {}
+
+	podSecurityContext: {}
+	// fsGroup: 2000
+
+	securityContext: {...}
+	// capabilities:
+	//   drop:
+	//   - ALL
+	// readOnlyRootFilesystem: true
+	// runAsNonRoot: true
+	// runAsUser: 1000
+
+	resources: {}
+	//# We usually recommend not to specify default resources and to leave this as a conscious
+	//# choice for the user. This also increases chances charts run on environments with little
+	//# resources, such as Minikube. If you do want to specify resources, uncomment the following
+	//# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+	// limits:
+	//   cpu: 100m
+	//   memory: 128Mi
+	// requests:
+	//   cpu: 100m
+	//   memory: 128Mi
+
+	nodeSelector: {}
+
+	tolerations: []
+
+	affinity: {}
+
+	// Mount volumes in the container.
+	volumes: []
+	volumeMounts: []
+
+	// Leverage a PriorityClass to ensure your pods survive resource shortages
+	// ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
+	// PriorityClass: system-cluster-critical
+	priorityClassName: ""
+
+	//# If `metrics:` object is not provided, or commented out, the following flags
+	//# will be applied the controller-manager and listener pods with empty values:
+	//# `--metrics-addr`, `--listener-metrics-addr`, `--listener-metrics-endpoint`.
+	//# This will disable metrics.
+	//#
+	//# To enable metrics, uncomment the following lines.
+	// metrics:
+	//   controllerManagerAddr: ":8080"
+	//   listenerAddr: ":8080"
+	//   listenerEndpoint: "/metrics"
+
+	flags: {
+		//# Log level can be set here with one of the following values: "debug", "info", "warn", "error".
+		//# Defaults to "debug".
+		logLevel: "debug"
+		//# Log format can be set with one of the following values: "text", "json"
+		//# Defaults to "text"
+		logFormat: "text"
+
+		//# Restricts the controller to only watch resources in the desired namespace.
+		//# Defaults to watch all namespaces when unset.
+		// watchSingleNamespace: ""
+		//# Defines how the controller should handle upgrades while having running jobs.
+		//#
+		//# The strategies available are:
+		//# - "immediate": (default) The controller will immediately apply the change causing the
+		//#   recreation of the listener and ephemeral runner set. This can lead to an
+		//#   overprovisioning of runners, if there are pending / running jobs. This should not
+		//#   be a problem at a small scale, but it could lead to a significant increase of
+		//#   resources if you have a lot of jobs running concurrently.
+		//#
+		//# - "eventual": The controller will remove the listener and ephemeral runner set
+		//#   immediately, but will not recreate them (to apply changes) until all
+		//#   pending / running jobs have completed.
+		//#   This can lead to a longer time to apply the change but it will ensure
+		//#   that you don't have any overprovisioning of runners.
+		updateStrategy: "immediate"
+	}
+}

docs/examples/platforms/reference/clusters/workload/cloud/init/namespaces/component.cue

@@ -15,9 +15,6 @@ package holos
 		#Namespace & {
 			metadata: _ns
 		},
-		#SecretStore & {
-			_namespace: _ns.name
-		},
 	]
 }
 

docs/examples/platforms/reference/clusters/workload/cloud/mesh/certissuers/issuers.cue

@@ -1,61 +0,0 @@
-package holos
-
-// Lets Encrypt certificate issuers for public tls certs
-#InputKeys: component: "certissuers"
-#TargetNamespace: "cert-manager"
-
-let Name = "letsencrypt"
-
-// The cloudflare api token is platform scoped, not cluster scoped.
-#SecretName: "cloudflare-api-token-secret"
-
-// Depends on cert manager
-#DependsOn: _CertManager
-
-#KubernetesObjects & {
-	apiObjects: {
-		ClusterIssuer: {
-			letsencrypt: #ClusterIssuer & {
-				metadata: name: Name
-				spec: {
-					acme: {
-						email:  #Platform.org.contact.email
-						server: "https://acme-v02.api.letsencrypt.org/directory"
-						privateKeySecretRef: name: Name + "-istio"
-						solvers: [{http01: ingress: class: "istio"}]
-					}
-				}
-			}
-			letsencryptStaging: #ClusterIssuer & {
-				metadata: name: Name + "-staging"
-				spec: {
-					acme: {
-						email:  #Platform.org.contact.email
-						server: "https://acme-staging-v02.api.letsencrypt.org/directory"
-						privateKeySecretRef: name: Name + "-staging-istio"
-						solvers: [{http01: ingress: class: "istio"}]
-					}
-				}
-			}
-			letsencryptDns: #ClusterIssuer & {
-				metadata: name: Name + "-dns"
-				spec: {
-					acme: {
-						email:  #Platform.org.contact.email
-						server: "https://acme-v02.api.letsencrypt.org/directory"
-						privateKeySecretRef: name: Name + "-istio"
-						solvers: [{
-							dns01: cloudflare: {
-								email: #Platform.org.cloudflare.email
-								apiTokenSecretRef: name: #SecretName
-								apiTokenSecretRef: key:  "api_token"
-							}}]
-					}
-				}
-			}
-		}
-		ExternalSecret: "\(#SecretName)": #ExternalSecret & {
-			_name: #SecretName
-		}
-	}
-}

docs/examples/platforms/reference/clusters/workload/cloud/mesh/certmanager/certmanager.cue

@@ -1,23 +0,0 @@
-package holos
-
-// https://cert-manager.io/docs/
-
-#TargetNamespace: "cert-manager"
-
-#InputKeys: {
-	component: "certmanager"
-	service:   "cert-manager"
-}
-
-#HelmChart & {
-	values: installCRDs: true
-	namespace: #TargetNamespace
-	chart: {
-		name:    "cert-manager"
-		version: "1.14.3"
-		repository: {
-			name: "jetstack"
-			url:  "https://charts.jetstack.io"
-		}
-	}
-}

docs/examples/platforms/reference/clusters/workload/cloud/mesh/istio/cni/cni.cue

@@ -0,0 +1,10 @@
+package holos
+
+#InputKeys: component: "cni"
+#TargetNamespace: "kube-system"
+
+#HelmChart & {
+	namespace: #TargetNamespace
+	chart: name: "cni"
+	values: #IstioValues
+}

docs/examples/platforms/reference/clusters/workload/cloud/mesh/istio/gateway/gateway.cue

@@ -0,0 +1,35 @@
+package holos
+
+// The primary istio Gateway, named default
+
+let Name = "gateway"
+
+#InputKeys: component: Name
+
+#TargetNamespace: "istio-ingress"
+#DependsOn:       _IngressGateway
+
+let LoginCert = #PlatformCerts.login
+
+#KubernetesObjects & {
+	apiObjects: {
+		ExternalSecret: login: #ExternalSecret & {
+			_name: "login"
+		}
+		Gateway: default: #Gateway & {
+			metadata: name:      "default"
+			metadata: namespace: #TargetNamespace
+			spec: selector: istio: "ingressgateway"
+			spec: servers: [
+				{
+					hosts: [for dnsName in LoginCert.spec.dnsNames {"prod-iam-zitadel/\(dnsName)"}]
+					port: name:          "https-prod-iam-login"
+					port: number:        443
+					port: protocol:      "HTTPS"
+					tls: credentialName: LoginCert.spec.secretName
+					tls: mode:           "SIMPLE"
+				},
+			]
+		}
+	}
+}

docs/examples/platforms/reference/clusters/workload/cloud/mesh/istio/httpbin/httpbin.cue

@@ -0,0 +1,74 @@
+package holos
+
+let Name = "httpbin"
+let SecretName = #InputKeys.cluster + "-" + Name
+let MatchLabels = {app: Name} & #SelectorLabels
+let Metadata = {
+	name:      Name
+	namespace: #TargetNamespace
+	labels: app: Name
+}
+
+#InputKeys: component: Name
+
+#TargetNamespace: "istio-ingress"
+#DependsOn:       _IngressGateway
+
+let Cert = #PlatformCerts[SecretName]
+
+#KubernetesObjects & {
+	apiObjects: {
+		ExternalSecret: httpbin: #ExternalSecret & {
+			_name: Cert.spec.secretName
+		}
+		Deployment: httpbin: #Deployment & {
+			metadata: Metadata
+			spec: selector: matchLabels: MatchLabels
+			spec: template: {
+				metadata: labels: MatchLabels
+				metadata: labels: #CommonLabels
+				metadata: labels: #IstioSidecar
+				spec: securityContext: seccompProfile: type: "RuntimeDefault"
+				spec: containers: [{
+					name:  Name
+					image: "quay.io/holos/mccutchen/go-httpbin"
+					ports: [{containerPort: 8080}]
+					securityContext: {
+						seccompProfile: type: "RuntimeDefault"
+						allowPrivilegeEscalation: false
+						runAsNonRoot:             true
+						runAsUser:                1337
+						runAsGroup:               1337
+						capabilities: drop: ["ALL"]
+					}}]
+			}
+		}
+		Service: httpbin: #Service & {
+			metadata: Metadata
+			spec: selector: MatchLabels
+			spec: ports: [
+				{port: 80, targetPort: 8080, protocol: "TCP", name: "http"},
+			]
+		}
+		Gateway: httpbin: #Gateway & {
+			metadata: Metadata
+			spec: selector: istio: "ingressgateway"
+			spec: servers: [
+				{
+					hosts: [for host in Cert.spec.dnsNames {"\(#TargetNamespace)/\(host)"}]
+					port: name:          "https-\(#InstanceName)"
+					port: number:        443
+					port: protocol:      "HTTPS"
+					tls: credentialName: Cert.spec.secretName
+					tls: mode:           "SIMPLE"
+				},
+			]
+		}
+		VirtualService: httpbin: #VirtualService & {
+			metadata: Metadata
+			spec: hosts: [for host in Cert.spec.dnsNames {host}]
+			spec: gateways: ["\(#TargetNamespace)/\(Name)"]
+			spec: http: [{route: [{destination: host: Name}]}]
+		}
+	}
+}

docs/examples/platforms/reference/clusters/workload/cloud/mesh/istio/ingress/ingress.cue

@@ -0,0 +1,155 @@
+package holos
+
+import "encoding/json"
+
+#InputKeys: component: "ingress"
+#TargetNamespace: "istio-ingress"
+#DependsOn:       _IstioD
+
+#HelmChart & {
+	chart: name: "gateway"
+	namespace: #TargetNamespace
+	values: #GatewayValues & {
+		// This component expects the load balancer to send the PROXY protocol header.
+		// Refer to: https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/guide/service/annotations/#proxy-protocol-v2
+		podAnnotations: "proxy.istio.io/config": json.Marshal(_ProxyProtocol)
+		// TODO This configuration is specific to the OIS Metal NLB, refactor it out to the metal collection.
+		service: {
+			type: "NodePort"
+			annotations: "service.beta.kubernetes.io/aws-load-balancer-proxy-protocol": "*"
+			externalTrafficPolicy: "Local"
+			// Add 30000 to the port to get the Nodeport
+			ports: [
+				{
+					name:       "status-port"
+					port:       15021
+					protocol:   "TCP"
+					targetPort: 15021
+					nodePort:   30021
+				},
+				{
+					name:       "http2"
+					port:       80
+					protocol:   "TCP"
+					targetPort: 80
+					nodePort:   30080
+				},
+				{
+					name:       "https"
+					port:       443
+					protocol:   "TCP"
+					targetPort: 443
+					nodePort:   30443
+				},
+			]
+		}
+	}
+	apiObjects: _APIObjects
+}
+
+_ProxyProtocol: gatewayTopology: proxyProtocol: {}
+
+// Additional holos specific API Objects
+let Name = #GatewayValues.name
+let GatewayLabels = {
+	app:   Name
+	istio: "ingressgateway"
+}
+let RedirectMetaName = {
+	name:      Name + "-https-redirect"
+	namespace: #TargetNamespace
+}
+
+// https-redirect
+_APIObjects: {
+	Gateway: {
+		httpsRedirect: #Gateway & {
+			metadata: RedirectMetaName
+			spec: selector: GatewayLabels
+			spec: servers: [{
+				port: {
+					number:   80
+					name:     "http2"
+					protocol: "HTTP2"
+				}
+				hosts: ["*"]
+				// handled by the VirtualService
+				tls: httpsRedirect: false
+			}]
+		}
+	}
+	VirtualService: {
+		httpsRedirect: #VirtualService & {
+			metadata: RedirectMetaName
+			spec: hosts: ["*"]
+			spec: gateways: [RedirectMetaName.name]
+			spec: http: [{
+				match: [{withoutHeaders: ":path": prefix: "/.well-known/acme-challenge/"}]
+				redirect: {
+					scheme:       "https"
+					redirectCode: 302
+				}
+			}]
+		}
+	}
+}
+
+let LoopbackName = Name + "-loopback"
+let LoopbackDescription = "Allows in-cluster traffic to stay in cluster via traffic routing"
+let LoopbackLabels = {
+	app:   LoopbackName
+	istio: "ingressgateway"
+}
+let LoopbackMetaName = {
+	name:      LoopbackName
+	namespace: #TargetNamespace
+}
+
+// istio-ingressgateway-loopback
+_APIObjects: {
+	Deployment: {
+		loopback: #Deployment & {
+			_description: LoopbackDescription
+			metadata:     LoopbackMetaName
+			spec: {
+				selector: matchLabels: LoopbackLabels
+				template: {
+					metadata: {
+						annotations: "inject.istio.io/templates": "gateway"
+						annotations: #Description & {
+							_Description: LoopbackDescription
+						}
+						labels: LoopbackLabels & {"sidecar.istio.io/inject": "true"}
+					}
+					spec: {
+						serviceAccountName: "istio-ingressgateway"
+						// Allow binding to all ports (such as 80 and 443)
+						securityContext: {
+							runAsNonRoot: true
+							seccompProfile: type: "RuntimeDefault"
+							sysctls: [{name: "net.ipv4.ip_unprivileged_port_start", value: "0"}]
+						}
+						containers: [{
+							name:  "istio-proxy"
+							image: "auto" // Managed by istiod
+							securityContext: {
+								allowPrivilegeEscalation: false
+								capabilities: drop: ["ALL"]
+								runAsUser:  1337
+								runAsGroup: 1337
+							}
+						}]
+					}
+				}
+			}
+		}
+	}
+	Service: {
+		loopback: #Service & {
+			_description: LoopbackDescription
+			metadata:     LoopbackMetaName
+			spec: selector:      LoopbackLabels
+			spec: ports: [{port: 80, name: "http"}, {port: 443, name: "https"}]
+		}
+	}
+}

docs/examples/platforms/reference/clusters/workload/cloud/mesh/istio/istio.cue

@@ -1,3 +1,13 @@
 package holos
 
 #DependsOn: _IstioBase
+
+#HelmChart: {
+	chart: {
+		version: "1.20.3"
+		repository: {
+			name: "istio"
+			url:  "https://istio-release.storage.googleapis.com/charts"
+		}
+	}
+}

docs/examples/platforms/reference/clusters/workload/cloud/mesh/istio/istiod/istiod.cue

@@ -8,12 +8,7 @@ import "encoding/yaml"
 #HelmChart & {
 	namespace: #TargetNamespace
 	chart: {
-		name:    "istiod"
-		version: "1.20.3"
-		repository: {
-			name: "istio"
-			url:  "https://istio-release.storage.googleapis.com/charts"
-		}
+		name: "istiod"
 	}
 	values: #IstioValues & {
 		pilot: {

docs/examples/platforms/reference/clusters/workload/cloud/mesh/istio/istiod/meshconfig.cue

@@ -44,7 +44,7 @@ _MeshConfig: {
 				"cookie",
 				"x-forwarded-for",
 			]
-			port: 4180
+			port:    4180
 			service: "oauth2-proxy.istio-ingress.svc.cluster.local"
 		}
 	}, {

docs/examples/platforms/reference/clusters/workload/cloud/mesh/istio/values.cni.cue

@@ -0,0 +1,161 @@
+package holos
+
+// Default values.yaml imported from the cni chart
+
+#CNIValues: {
+	cni: {
+		hub:        ""
+		tag:        ""
+		variant:    ""
+		image:      "install-cni"
+		pullPolicy: ""
+
+		// Refer to https://istio.io/latest/docs/setup/additional-setup/cni/#installing-with-helm
+		enabled: #IstioValues.istio_cni.enabled
+
+		// Configuration log level of istio-cni binary
+		// by default istio-cni send all logs to UDS server
+		// if want to see them you need change global.logging.level with cni:debug
+		logLevel: "debug"
+
+		// Configuration file to insert istio-cni plugin configuration
+		// by default this will be the first file found in the cni-conf-dir
+		// Example
+		// cniConfFileName: 10-calico.conflist
+		// CNI bin and conf dir override settings
+		// defaults:
+		cniBinDir:       "" // Auto-detected based on version; defaults to /opt/cni/bin.
+		cniConfDir:      "/etc/cni/net.d"
+		cniConfFileName: ""
+		// This directory must exist on the node, if it does not, consult your container runtime
+		// documentation for the appropriate path.
+		cniNetnsDir: null // Defaults to '/var/run/netns', in minikube/docker/others can be '/var/run/docker/netns'.
+
+		excludeNamespaces: [
+			"istio-system",
+			"kube-system",
+		]
+
+		// Allows user to set custom affinity for the DaemonSet
+		affinity: {}
+
+		// Custom annotations on pod level, if you need them
+		podAnnotations: {}
+
+		// If this value is set a RoleBinding will be created
+		// in the same namespace as the istio-cni DaemonSet is created.
+		// This can be used to bind a preexisting ClusterRole to the istio/cni ServiceAccount
+		// e.g. if you use PodSecurityPolicies
+		psp_cluster_role: ""
+
+		// Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")?
+		// Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case
+		chained: #IstioValues.istio_cni.chained
+
+		// Allow the istio-cni container to run in privileged mode, needed for some platforms (e.g. OpenShift) or features (repairPods)
+		privileged: false
+
+		// Custom configuration happens based on the CNI provider.
+		// Possible values: "default", "multus"
+		provider: "default"
+
+		// Configure ambient settings
+		ambient: {
+			// If enabled, ambient redirection will be enabled
+			enabled: false
+			// Set ambient redirection mode: "iptables" or "ebpf"
+			redirectMode: "iptables"
+			// Set ambient config dir path: defaults to /etc/ambient-config
+			configDir: ""
+		}
+
+		repair: {
+			enabled: true
+			hub:     ""
+			tag:     ""
+
+			// Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used.
+			// This defines the action the controller will take when a pod is detected as broken.
+			// labelPods will label all pods with <brokenPodLabelKey>=<brokenPodLabelValue>.
+			// This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them).
+			labelPods: false
+			// deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready.
+			deletePods: true
+			// repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started.
+			// Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs.
+			// This requires no RBAC privilege, but does require `securityContext.privileged`.
+			repairPods: false
+
+			initContainerName: "istio-validation"
+
+			brokenPodLabelKey:   "cni.istio.io/uninitialized"
+			brokenPodLabelValue: "true"
+		}
+
+		// Set to `type: RuntimeDefault` to use the default profile if available.
+		seccompProfile: {}
+
+		resources: requests: {
+			cpu:    "100m"
+			memory: "100Mi"
+		}
+
+		resourceQuotas: {
+			enabled: false
+			pods:    5000
+		}
+
+		// The number of pods that can be unavailable during rolling update (see
+		// `updateStrategy.rollingUpdate.maxUnavailable` here:
+		// https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec).
+		// May be specified as a number of pods or as a percent of the total number
+		// of pods at the start of the update.
+		rollingMaxUnavailable: 1
+	}
+
+	// Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+	revision: ""
+
+	// For Helm compatibility.
+	ownerName: ""
+
+	global: {
+		// Default hub for Istio images.
+		// Releases are published to docker hub under 'istio' project.
+		// Dev builds from prow are on gcr.io
+		hub: "docker.io/istio"
+
+		// Default tag for Istio images.
+		tag: "1.20.3"
+
+		// Variant of the image to use.
+		// Currently supported are: [debug, distroless]
+		variant: ""
+
+		// Specify image pull policy if default behavior isn't desired.
+		// Default behavior: latest images will be Always else IfNotPresent.
+		imagePullPolicy: ""
+
+		// change cni scope level to control logging out of istio-cni-node DaemonSet
+		logging: {
+			level: "default:info,cni:info"
+		}
+
+		logAsJson: false
+
+		// ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+		// to use for pulling any images in pods that reference this ServiceAccount.
+		// For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+		// ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+		// Must be set for any cluster configured with private docker registry.
+		imagePullSecrets: []
+		// - private-registry-key
+		// Default resources allocated
+		defaultResources: {
+			requests: {
+				cpu:    "100m"
+				memory: "100Mi"
+			}
+		}
+	}
+}

docs/examples/platforms/reference/clusters/workload/cloud/mesh/istio/values.gateway.cue

@@ -0,0 +1,170 @@
+package holos
+
+// Gateway default values.yaml imported from the gateway chart.
+
+#GatewayValues: {
+
+	// Name allows overriding the release name. Generally this should not be set
+	name: "istio-ingressgateway"
+	// revision declares which revision this gateway is a part of
+	revision: ""
+
+	// Controls the spec.replicas setting for the Gateway deployment if set.
+	// Otherwise defaults to Kubernetes Deployment default (1).
+	replicaCount: null
+
+	kind: "Deployment"
+
+	rbac: {
+		// If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed
+		// when using http://gateway-api.org/.
+		enabled: true
+	}
+
+	serviceAccount: {
+		// If set, a service account will be created. Otherwise, the default is used
+		create: true
+		// Annotations to add to the service account
+		annotations: {}
+		// The name of the service account to use.
+		// If not set, the release name is used
+		name: ""
+	}
+
+	podAnnotations: {
+		"prometheus.io/port":        "15020"
+		"prometheus.io/scrape":      "true"
+		"prometheus.io/path":        "/stats/prometheus"
+		"inject.istio.io/templates": "gateway"
+		"sidecar.istio.io/inject":   "true"
+		...
+	}
+
+	// Define the security context for the pod.
+	// If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
+	// On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
+	securityContext: {
+		seccompProfile: type: "RuntimeDefault"
+		sysctls: [{name: "net.ipv4.ip_unprivileged_port_start", value: "0"}]
+	}
+	containerSecurityContext: null
+
+	service: {
+		// Type of service. Set to "None" to disable the service entirely
+		type: string | *"LoadBalancer"
+		ports: [...] | *[{
+			name:       "status-port"
+			port:       15021
+			protocol:   "TCP"
+			targetPort: 15021
+		}, {
+			name:       "http2"
+			port:       80
+			protocol:   "TCP"
+			targetPort: 80
+		}, {
+			name:       "https"
+			port:       443
+			protocol:   "TCP"
+			targetPort: 443
+		}]
+		annotations: {...}
+		loadBalancerIP: ""
+		loadBalancerSourceRanges: []
+		externalTrafficPolicy: string | *""
+		externalIPs: []
+		ipFamilyPolicy: ""
+		ipFamilies: []
+	}
+
+	resources: {
+		requests: {
+			cpu:    "100m"
+			memory: "128Mi"
+		}
+		limits: {
+			cpu:    "2000m"
+			memory: "1024Mi"
+		}
+	}
+
+	autoscaling: {
+		enabled:                        true
+		minReplicas:                    1
+		maxReplicas:                    5
+		targetCPUUtilizationPercentage: 80
+		autoscaleBehavior: {}
+	}
+
+	// Pod environment variables
+	env: {}
+
+	// Labels to apply to all resources
+	labels: {}
+
+	// Annotations to apply to all resources
+	annotations: {}
+
+	nodeSelector: {}
+
+	tolerations: []
+
+	topologySpreadConstraints: []
+
+	affinity: {}
+
+	// If specified, the gateway will act as a network gateway for the given network.
+	networkGateway: ""
+
+	// Specify image pull policy if default behavior isn't desired.
+	// Default behavior: latest images will be Always else IfNotPresent
+	imagePullPolicy: ""
+
+	imagePullSecrets: []
+
+	// This value is used to configure a Kubernetes PodDisruptionBudget for the gateway.
+	//
+	// By default, the `podDisruptionBudget` is disabled (set to `{}`),
+	// which means that no PodDisruptionBudget resource will be created.
+	//
+	// To enable the PodDisruptionBudget, configure it by specifying the
+	// `minAvailable` or `maxUnavailable`. For example, to set the
+	// minimum number of available replicas to 1, you can update this value as follows:
+	//
+	// podDisruptionBudget:
+	//   minAvailable: 1
+	//
+	// Or, to allow a maximum of 1 unavailable replica, you can set:
+	//
+	// podDisruptionBudget:
+	//   maxUnavailable: 1
+	//
+	// You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`.
+	// For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows:
+	//
+	// podDisruptionBudget:
+	//   minAvailable: 1
+	//   unhealthyPodEvictionPolicy: AlwaysAllow
+	//
+	// To disable the PodDisruptionBudget, you can leave it as an empty object `{}`:
+	//
+	// podDisruptionBudget: {}
+	//
+	podDisruptionBudget: {}
+
+	terminationGracePeriodSeconds: 30
+
+	// A list of `Volumes` added into the Gateway Pods. See
+	// https://kubernetes.io/docs/concepts/storage/volumes/.
+	volumes: []
+
+	// A list of `VolumeMounts` added into the Gateway Pods. See
+	// https://kubernetes.io/docs/concepts/storage/volumes/.
+	volumeMounts: []
+
+	// Configure this to a higher priority class in order to make sure your Istio gateway pods
+	// will not be killed because of low priority class.
+	// Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+	// for more detail.
+	priorityClassName: ""
+}

docs/examples/platforms/reference/clusters/workload/cloud/mesh/mesh.cue

@@ -4,11 +4,11 @@ package holos
 #InputKeys: project: "mesh"
 
 // Shared dependencies for all components in this collection.
-#Kustomization: spec: targetNamespace: #TargetNamespace
 #DependsOn: _Namespaces
 
 // Common Dependencies
-_CertManager: CertManager: name: "\(#InstancePrefix)-certmanager"
-_Namespaces: Namespaces: name:   "\(#StageName)-secrets-namespaces"
-_IstioBase: IstioBase: name:     "\(#InstancePrefix)-istio-base"
-_IstioPilot: IstioPilot: name:   "\(#InstancePrefix)-istiod"
+_CertManager: CertManager: name:       "\(#InstancePrefix)-certmanager"
+_Namespaces: Namespaces: name:         "\(#StageName)-secrets-namespaces"
+_IstioBase: IstioBase: name:           "\(#InstancePrefix)-istio-base"
+_IstioD: IstioD: name:                 "\(#InstancePrefix)-istiod"
+_IngressGateway: IngressGateway: name: "\(#InstancePrefix)-ingress"

docs/examples/platforms/reference/clusters/workload/cloud/mesh/values.cue

@@ -526,7 +526,7 @@ package holos
 
 	base: {
 		// For istioctl usage to disable istio config crds in base
-		enableIstioConfigCRDs: true
+		enableIstioConfigCRDs: *true | false
 
 		// If enabled, gateway-api types will be validated using the standard upstream validation logic.
 		// This is an alternative to deploying the standalone validation server the project provides.
@@ -538,7 +538,10 @@ package holos
 
 	// keep in sync with settings used when installing the Istio CNI chart
 	istio_cni: {
-		enabled: false
+		// Refer to https://istio.io/latest/docs/setup/additional-setup/cni/#installing-with-helm
+		// values.istio_cni.enabled should be set to the same value as values.cni.enabled.
+		// values.istio_cni.chained should be set to the same value as values.cni.chained.
+		enabled: true
 		chained: true
 	}
 }

docs/examples/platforms/reference/clusters/workload/cloud/mesh/values.holos.cue

@@ -16,8 +16,8 @@ package holos
 		remotePilotAddress: ""
 	}
 	base: {
-		// Include the CRDs in the helm template output
-		enableCRDTemplates: true
+		// holos includes crd templates with the --include-crds helm flag.
+		enableCRDTemplates: false
 		// Validation webhook configuration url
 		// For example: https://$remotePilotAddress:15017/validate
 		validationURL: ""

docs/examples/platforms/reference/clusters/workload/cloud/pgo/controller/controller.cue

@@ -0,0 +1,6 @@
+package holos
+
+#DependsOn: Namespaces: name: "prod-secrets-namespaces"
+#DependsOn: CRDS: name: "\(#InstancePrefix)-crds"
+#InputKeys: component: "controller"
+{} & #KustomizeBuild

docs/examples/platforms/reference/clusters/workload/cloud/pgo/controller/kustomization.yaml

@@ -0,0 +1,21 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: postgres-operator
+
+labels:
+- includeTemplates: true
+  pairs:
+    app.kubernetes.io/name: pgo
+    # The version below should match the version on the PostgresCluster CRD
+    app.kubernetes.io/version: 5.5.1
+    postgres-operator.crunchydata.com/control-plane: postgres-operator
+
+resources:
+- ./rbac/cluster
+- ./manager
+
+images:
+- name: postgres-operator
+  newName: registry.developers.crunchydata.com/crunchydata/postgres-operator
+  newTag: ubi8-5.5.1-0 

docs/examples/platforms/reference/clusters/workload/cloud/pgo/controller/manager/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- manager.yaml

docs/examples/platforms/reference/clusters/workload/cloud/pgo/controller/manager/manager.yaml

@@ -0,0 +1,56 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: pgo
+  labels:
+    postgres-operator.crunchydata.com/control-plane: postgres-operator
+spec:
+  replicas: 1
+  strategy: { type: Recreate }
+  selector:
+    matchLabels:
+      postgres-operator.crunchydata.com/control-plane: postgres-operator
+  template:
+    metadata:
+      labels:
+        postgres-operator.crunchydata.com/control-plane: postgres-operator
+    spec:
+      containers:
+      - name: operator
+        image: postgres-operator
+        env:
+        - name: PGO_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: CRUNCHY_DEBUG
+          value: "true"
+        - name: RELATED_IMAGE_POSTGRES_15
+          value: "registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi8-15.6-0"
+        - name: RELATED_IMAGE_POSTGRES_15_GIS_3.3
+          value: "registry.developers.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi8-15.6-3.3-0"
+        - name: RELATED_IMAGE_POSTGRES_16
+          value: "registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi8-16.2-0"
+        - name: RELATED_IMAGE_POSTGRES_16_GIS_3.3
+          value: "registry.developers.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi8-16.2-3.3-0"
+        - name: RELATED_IMAGE_POSTGRES_16_GIS_3.4
+          value: "registry.developers.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi8-16.2-3.4-0"
+        - name: RELATED_IMAGE_PGADMIN
+          value: "registry.developers.crunchydata.com/crunchydata/crunchy-pgadmin4:ubi8-4.30-22"
+        - name: RELATED_IMAGE_PGBACKREST
+          value: "registry.developers.crunchydata.com/crunchydata/crunchy-pgbackrest:ubi8-2.49-0"
+        - name: RELATED_IMAGE_PGBOUNCER
+          value: "registry.developers.crunchydata.com/crunchydata/crunchy-pgbouncer:ubi8-1.21-3"
+        - name: RELATED_IMAGE_PGEXPORTER
+          value: "registry.developers.crunchydata.com/crunchydata/crunchy-postgres-exporter:ubi8-0.15.0-3"
+        - name: RELATED_IMAGE_PGUPGRADE
+          value: "registry.developers.crunchydata.com/crunchydata/crunchy-upgrade:ubi8-5.5.1-0"
+        - name: RELATED_IMAGE_STANDALONE_PGADMIN
+          value: "registry.developers.crunchydata.com/crunchydata/crunchy-pgadmin4:ubi8-7.8-3"
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities: { drop: [ALL] }
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+      serviceAccountName: pgo

docs/examples/platforms/reference/clusters/workload/cloud/pgo/controller/rbac/cluster/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- service_account.yaml
+- role.yaml
+- role_binding.yaml

docs/examples/platforms/reference/clusters/workload/cloud/pgo/controller/rbac/cluster/role.yaml

@@ -0,0 +1,146 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: postgres-operator
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - configmaps
+  - persistentvolumeclaims
+  - secrets
+  - services
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - ''
+  resources:
+  - endpoints
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - ''
+  resources:
+  - endpoints/restricted
+  - pods/exec
+  verbs:
+  - create
+- apiGroups:
+  - ''
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - ''
+  resources:
+  - pods
+  verbs:
+  - delete
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - ''
+  resources:
+  - serviceaccounts
+  verbs:
+  - create
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  - statefulsets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - batch
+  resources:
+  - cronjobs
+  - jobs
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - policy
+  resources:
+  - poddisruptionbudgets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - postgres-operator.crunchydata.com
+  resources:
+  - pgadmins
+  - pgupgrades
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - postgres-operator.crunchydata.com
+  resources:
+  - pgadmins/finalizers
+  - pgupgrades/finalizers
+  - postgresclusters/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - postgres-operator.crunchydata.com
+  resources:
+  - pgadmins/status
+  - pgupgrades/status
+  - postgresclusters/status
+  verbs:
+  - patch
+- apiGroups:
+  - postgres-operator.crunchydata.com
+  resources:
+  - postgresclusters
+  verbs:
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - rolebindings
+  - roles
+  verbs:
+  - create
+  - get
+  - list
+  - patch
+  - watch

docs/examples/platforms/reference/clusters/workload/cloud/pgo/controller/rbac/cluster/role_binding.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: postgres-operator
+  labels:
+    postgres-operator.crunchydata.com/control-plane: postgres-operator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: postgres-operator
+subjects:
+- kind: ServiceAccount
+  name: pgo

docs/examples/platforms/reference/clusters/workload/cloud/pgo/controller/rbac/cluster/service_account.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: pgo
+  labels:
+    postgres-operator.crunchydata.com/control-plane: postgres-operator

docs/examples/platforms/reference/clusters/workload/cloud/pgo/controller/rbac/namespace/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- service_account.yaml
+- role.yaml
+- role_binding.yaml

docs/examples/platforms/reference/clusters/workload/cloud/pgo/controller/rbac/namespace/role.yaml

@@ -0,0 +1,146 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: postgres-operator
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - configmaps
+  - persistentvolumeclaims
+  - secrets
+  - services
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - ''
+  resources:
+  - endpoints
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - ''
+  resources:
+  - endpoints/restricted
+  - pods/exec
+  verbs:
+  - create
+- apiGroups:
+  - ''
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - ''
+  resources:
+  - pods
+  verbs:
+  - delete
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - ''
+  resources:
+  - serviceaccounts
+  verbs:
+  - create
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  - statefulsets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - batch
+  resources:
+  - cronjobs
+  - jobs
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - policy
+  resources:
+  - poddisruptionbudgets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - postgres-operator.crunchydata.com
+  resources:
+  - pgadmins
+  - pgupgrades
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - postgres-operator.crunchydata.com
+  resources:
+  - pgadmins/finalizers
+  - pgupgrades/finalizers
+  - postgresclusters/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - postgres-operator.crunchydata.com
+  resources:
+  - pgadmins/status
+  - pgupgrades/status
+  - postgresclusters/status
+  verbs:
+  - patch
+- apiGroups:
+  - postgres-operator.crunchydata.com
+  resources:
+  - postgresclusters
+  verbs:
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - rolebindings
+  - roles
+  verbs:
+  - create
+  - get
+  - list
+  - patch
+  - watch

docs/examples/platforms/reference/clusters/workload/cloud/pgo/controller/rbac/namespace/role_binding.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: postgres-operator
+  labels:
+    postgres-operator.crunchydata.com/control-plane: postgres-operator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: postgres-operator
+subjects:
+- kind: ServiceAccount
+  name: pgo

docs/examples/platforms/reference/clusters/workload/cloud/pgo/controller/rbac/namespace/service_account.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: pgo
+  labels:
+    postgres-operator.crunchydata.com/control-plane: postgres-operator