(#31) Add Cockroach DB for Zitadel

Following https://github.com/zitadel/zitadel-charts/blob/main/examples/4-cockroach-secure/README.md

docs/examples/cue.mod/gen/networking.istio.io/virtualservice/v1beta1/types_gen.cue

@@ -324,13 +324,7 @@ import "strings"
 			// withoutHeader has the same syntax with the header, but has
 			// opposite meaning.
 			withoutHeaders?: {
-				[string]: ({} | {
-					exact: _
-				} | {
-					prefix: _
-				} | {
-					regex: _
-				}) & {
+				[string]: {
 					exact?:  string
 					prefix?: string
 
@@ -383,11 +377,7 @@ import "strings"
 
 		// A HTTP rule can either return a direct_response, redirect or
 		// forward (default) traffic.
-		redirect?: ({} | {
-			port: _
-		} | {
-			derivePort: _
-		}) & {
+		redirect?: {
 			// On a redirect, overwrite the Authority/Host portion of the URL
 			// with this value.
 			authority?: string

docs/examples/cue.mod/usr/k8s.io/api/core/v1/types.cue

@@ -19,3 +19,8 @@ package v1
   apiVersion: "v1"
   kind: "Pod"
 }
+
+#Service: {
+  apiVersion: "v1"
+  kind: "Service"
+}

docs/examples/namespaces.cue

@@ -4,6 +4,7 @@ package holos
 #PlatformNamespace: {
 	name: string
 	labels?: {[string]: string}
+	annotations?: {[string]: string}
 }
 
 // #PlatformNamespaces is a list of namespaces to manage across the platform.

docs/examples/platforms/reference/clusters/workload/cloud/iam/iam.cue

@@ -0,0 +1,10 @@
+package holos
+
+// Components under this directory are part of this collection
+#InputKeys: project: "iam"
+
+// Shared dependencies for all components in this collection.
+#DependsOn: _Namespaces
+
+// Common Dependencies
+_Namespaces: Namespaces: name: "\(#StageName)-secrets-namespaces"

docs/examples/platforms/reference/clusters/workload/cloud/iam/readme.md

@@ -0,0 +1,7 @@
+# IAM
+
+The IAM service provides identity and access management for a holos managed platform.  Zitadel is the identity provider which integrates tightly with:
+
+ 1. AuthorizationPolicy at the level of the service mesh.
+ 2. Application level oidc login (ArgoCD, Grafana, etc...)
+ 3. Cloud provider IAM via oidc.

docs/examples/platforms/reference/clusters/workload/cloud/iam/zitadel/crdb/cockroachdb.cue

@@ -0,0 +1,26 @@
+package holos
+
+#InputKeys: component: "crdb"
+
+#HelmChart & {
+	namespace: #TargetNamespace
+	chart: {
+		name:    "cockroachdb"
+		version: "11.2.3"
+		repository: {
+			name: "cockroachdb"
+			url:  "https://charts.cockroachdb.com/"
+		}
+	}
+	values: #Values
+	apiObjects: {
+		Issuer: {
+			// https://github.com/cockroachdb/helm-charts/blob/3dcf96726ebcfe3784afb526ddcf4095a1684aea/README.md?plain=1#L196-L201
+			cockroachdb: #Issuer & {
+				metadata: name:      #ComponentName
+				metadata: namespace: #TargetNamespace
+				spec: selfSigned: {}
+			}
+		}
+	}
+}

docs/examples/platforms/reference/clusters/workload/cloud/iam/zitadel/crdb/values.cue

@@ -0,0 +1,606 @@
+package holos
+
+#Values: {
+
+	// Generated file, DO NOT EDIT. Source: build/templates/values.yaml
+	// Overrides the chart name against the label "app.kubernetes.io/name: " placed on every resource this chart creates.
+	nameOverride: ""
+
+	// Override the resource names created by this chart which originally is generated using release and chart name.
+	fullnameOverride: string | *""
+
+	image: {
+		repository: string | *"cockroachdb/cockroach"
+		tag:        "v23.1.13"
+		pullPolicy: "IfNotPresent"
+		credentials: {}
+	}
+	// registry: docker.io
+	// username: john_doe
+	// password: changeme
+	// Additional labels to apply to all Kubernetes resources created by this chart.
+	labels: {}
+	// app.kubernetes.io/part-of: my-app
+	// Cluster's default DNS domain.
+	// You should overwrite it if you're using a different one,
+	// otherwise CockroachDB nodes discovery won't work.
+	clusterDomain: "cluster.local"
+
+	conf: {
+		// An ordered list of CockroachDB node attributes.
+		// Attributes are arbitrary strings specifying machine capabilities.
+		// Machine capabilities might include specialized hardware or number of cores
+		// (e.g. "gpu", "x16c").
+		attrs: []
+		// - x16c
+		// - gpu
+		// Total size in bytes for caches, shared evenly if there are multiple
+		// storage devices. Size suffixes are supported (e.g. `1GB` and `1GiB`).
+		// A percentage of physical memory can also be specified (e.g. `.25`).
+		cache: "25%"
+
+		// Sets a name to verify the identity of a cluster.
+		// The value must match between all nodes specified via `conf.join`.
+		// This can be used as an additional verification when either the node or
+		// cluster, or both, have not yet been initialized and do not yet know their
+		// cluster ID.
+		// To introduce a cluster name into an already-initialized cluster, pair this
+		// option with `conf.disable-cluster-name-verification: yes`.
+		"cluster-name": ""
+
+		// Tell the server to ignore `conf.cluster-name` mismatches.
+		// This is meant for use when opting an existing cluster into starting to use
+		// cluster name verification, or when changing the cluster name.
+		// The cluster should be restarted once with `conf.cluster-name` and
+		// `conf.disable-cluster-name-verification: yes` combined, and once all nodes
+		// have been updated to know the new cluster name, the cluster can be restarted
+		// again with `conf.disable-cluster-name-verification: no`.
+		// This option has no effect if `conf.cluster-name` is not specified.
+		"disable-cluster-name-verification": false
+
+		// The addresses for connecting a CockroachDB nodes to an existing cluster.
+		// If you are deploying a second CockroachDB instance that should join a first
+		// one, use the below list to join to the existing instance.
+		// Each item in the array should be a FQDN (and port if needed) resolvable by
+		// new Pods.
+		join: []
+
+		// New logging configuration.
+		log: {
+			enabled: false
+			// https://www.cockroachlabs.com/docs/v21.1/configure-logs
+			config: {}
+		}
+		// file-defaults:
+		//   dir: /custom/dir/path/
+		// fluent-defaults:
+		//   format: json-fluent
+		// sinks:
+		//   stderr:
+		//     channels: [DEV]
+		// Logs at or above this threshold to STDERR. Ignored when "log" is enabled
+		logtostderr: "INFO"
+
+		// Maximum storage capacity available to store temporary disk-based data for
+		// SQL queries that exceed the memory budget (e.g. join, sorts, etc are
+		// sometimes able to spill intermediate results to disk).
+		// Accepts numbers interpreted as bytes, size suffixes (e.g. `32GB` and
+		// `32GiB`) or a percentage of disk size (e.g. `10%`).
+		// The location of the temporary files is within the first store dir.
+		// If expressed as a percentage, `max-disk-temp-storage` is interpreted
+		// relative to the size of the storage device on which the first store is
+		// placed. The temp space usage is never counted towards any store usage
+		// (although it does share the device with the first store) so, when
+		// configuring this, make sure that the size of this temp storage plus the size
+		// of the first store don't exceed the capacity of the storage device.
+		// If the first store is an in-memory one (i.e. `type=mem`), then this
+		// temporary "disk" data is also kept in-memory.
+		// A percentage value is interpreted as a percentage of the available internal
+		// memory.
+		// max-disk-temp-storage: 0GB
+		// Maximum allowed clock offset for the cluster. If observed clock offsets
+		// exceed this limit, servers will crash to minimize the likelihood of
+		// reading inconsistent data. Increasing this value will increase the time
+		// to recovery of failures as well as the frequency of uncertainty-based
+		// read restarts.
+		// Note, that this value must be the same on all nodes in the cluster.
+		// In order to change it, all nodes in the cluster must be stopped
+		// simultaneously and restarted with the new value.
+		// max-offset: 500ms
+		// Maximum memory capacity available to store temporary data for SQL clients,
+		// including prepared queries and intermediate data rows during query
+		// execution. Accepts numbers interpreted as bytes, size suffixes
+		// (e.g. `1GB` and `1GiB`) or a percentage of physical memory (e.g. `.25`).
+		"max-sql-memory": "25%"
+
+		// An ordered, comma-separated list of key-value pairs that describe the
+		// topography of the machine. Topography might include country, datacenter
+		// or rack designations. Data is automatically replicated to maximize
+		// diversities of each tier. The order of tiers is used to determine
+		// the priority of the diversity, so the more inclusive localities like
+		// country should come before less inclusive localities like datacenter.
+		// The tiers and order must be the same on all nodes. Including more tiers
+		// is better than including fewer. For example:
+		//   locality: country=us,region=us-west,datacenter=us-west-1b,rack=12
+		//   locality: country=ca,region=ca-east,datacenter=ca-east-2,rack=4
+		//   locality: planet=earth,province=manitoba,colo=secondary,power=3
+		locality: ""
+
+		// Run CockroachDB instances in standalone mode with replication disabled
+		// (replication factor = 1).
+		// Enabling this option makes the following values to be ignored:
+		// - `conf.cluster-name`
+		// - `conf.disable-cluster-name-verification`
+		// - `conf.join`
+		//
+		// WARNING: Enabling this option makes each deployed Pod as a STANDALONE
+		//          CockroachDB instance, so the StatefulSet does NOT FORM A CLUSTER.
+		//          Don't use this option for production deployments unless you clearly
+		//          understand what you're doing.
+		//          Usually, this option is intended to be used in conjunction with
+		//          `statefulset.replicas: 1` for temporary one-time deployments (like
+		//          running E2E tests, for example).
+		"single-node": false
+
+		// If non-empty, create a SQL audit log in the specified directory.
+		"sql-audit-dir": ""
+
+		// CockroachDB's port to listen to inter-communications and client connections.
+		port: 26257
+
+		// CockroachDB's port to listen to HTTP requests.
+		"http-port": 8080
+
+		// CockroachDB's data mount path.
+		path: "cockroach-data"
+
+		// CockroachDB's storage configuration https://www.cockroachlabs.com/docs/v21.1/cockroach-start.html#storage
+		// Uses --store flag
+		store: {
+			enabled: false
+			// Should be empty or 'mem'
+			type: null
+			// Required for type=mem. If type and size is empty - storage.persistentVolume.size is used
+			size: null
+			// Arbitrary strings, separated by colons, specifying disk type or capability
+			attrs: null
+		}
+	}
+
+	statefulset: {
+		replicas: 3
+		updateStrategy: type: "RollingUpdate"
+		podManagementPolicy: "Parallel"
+		budget: maxUnavailable: 1
+
+		// List of additional command-line arguments you want to pass to the
+		// `cockroach start` command.
+		args: []
+		// - --disable-cluster-name-verification
+		// List of extra environment variables to pass into container
+		env: []
+		// - name: COCKROACH_ENGINE_MAX_SYNC_DURATION
+		//   value: "24h"
+		// List of Secrets names in the same Namespace as the CockroachDB cluster,
+		// which shall be mounted into `/etc/cockroach/secrets/` for every cluster
+		// member.
+		secretMounts: []
+
+		// Additional labels to apply to this StatefulSet and all its Pods.
+		labels: {
+			"app.kubernetes.io/component": "cockroachdb"
+		}
+
+		// Additional annotations to apply to the Pods of this StatefulSet.
+		annotations: {}
+
+		// Affinity rules for scheduling Pods of this StatefulSet on Nodes.
+		// https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity
+		nodeAffinity: {}
+		// Inter-Pod Affinity rules for scheduling Pods of this StatefulSet.
+		// https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+		podAffinity: {}
+		// Anti-affinity rules for scheduling Pods of this StatefulSet.
+		// https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+		// You may either toggle options below for default anti-affinity rules,
+		// or specify the whole set of anti-affinity rules instead of them.
+		podAntiAffinity: {
+			// The topologyKey to be used.
+			// Can be used to spread across different nodes, AZs, regions etc.
+			topologyKey: "kubernetes.io/hostname"
+			// Type of anti-affinity rules: either `soft`, `hard` or empty value (which
+			// disables anti-affinity rules).
+			type: "soft"
+			// Weight for `soft` anti-affinity rules.
+			// Does not apply for other anti-affinity types.
+			weight: 100
+		}
+
+		// Node selection constraints for scheduling Pods of this StatefulSet.
+		// https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+		nodeSelector: {}
+
+		// PriorityClassName given to Pods of this StatefulSet
+		// https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+		priorityClassName: ""
+
+		// Taints to be tolerated by Pods of this StatefulSet.
+		// https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+		tolerations: []
+
+		// https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
+		topologySpreadConstraints: {
+			maxSkew:           1
+			topologyKey:       "topology.kubernetes.io/zone"
+			whenUnsatisfiable: "ScheduleAnyway"
+		}
+
+		// Uncomment the following resources definitions or pass them from
+		// command line to control the CPU and memory resources allocated
+		// by Pods of this StatefulSet.
+		resources: {}
+		// limits:
+		//   cpu: 100m
+		//   memory: 512Mi
+		// requests:
+		//   cpu: 100m
+		//   memory: 512Mi
+		// Custom Liveness probe
+		// https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-a-liveness-http-request
+		customLivenessProbe: {}
+		// httpGet:
+		//   path: /health
+		//   port: http
+		//   scheme: HTTPS
+		// initialDelaySeconds: 30
+		// periodSeconds: 5
+		// Custom Rediness probe
+		// https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-readiness-probes
+		customReadinessProbe: {}
+		// httpGet:
+		//   path: /health
+		//   port: http
+		//   scheme: HTTPS
+		// initialDelaySeconds: 30
+		// periodSeconds: 5
+
+		securityContext: {
+			enabled: true
+		}
+
+		serviceAccount: {
+			// Specifies whether this ServiceAccount should be created.
+			create: true
+			// The name of this ServiceAccount to use.
+			// If not set and `create` is `true`, then service account is auto-generated.
+			// If not set and `create` is `false`, then it uses default service account.
+			name: ""
+			// Additional serviceAccount annotations (e.g. for attaching AWS IAM roles to pods)
+			annotations: {}
+		}
+	}
+
+	service: {
+		ports: {
+			// You can set a different external and internal gRPC ports and their name.
+			grpc: {
+				external: {
+					port: 26257
+					name: "grpc"
+				}
+				// If the port number is different than `external.port`, then it will be
+				// named as `internal.name` in Service.
+				internal: {
+					port: 26257
+					// If using Istio set it to `cockroach`.
+					name: "grpc-internal"
+				}
+			}
+			http: {
+				port: 8080
+				name: "http"
+			}
+		}
+
+		// This Service is meant to be used by clients of the database.
+		// It exposes a ClusterIP that will automatically load balance connections
+		// to the different database Pods.
+		public: {
+			type: "ClusterIP"
+			// Additional labels to apply to this Service.
+			labels: {
+				"app.kubernetes.io/component": "cockroachdb"
+			}
+			// Additional annotations to apply to this Service.
+			annotations: {}
+		}
+
+		// This service only exists to create DNS entries for each pod in
+		// the StatefulSet such that they can resolve each other's IP addresses.
+		// It does not create a load-balanced ClusterIP and should not be used directly
+		// by clients in most circumstances.
+		discovery: {
+			// Additional labels to apply to this Service.
+			labels: {
+				"app.kubernetes.io/component": "cockroachdb"
+			}
+			// Additional annotations to apply to this Service.
+			annotations: {}
+		}
+	}
+
+	// CockroachDB's ingress for web ui.
+	ingress: {
+		enabled: false
+		labels: {}
+		annotations: {}
+		//   kubernetes.io/ingress.class: nginx
+		//   cert-manager.io/cluster-issuer: letsencrypt
+		paths: ["/"]
+		hosts: []
+		// - cockroachlabs.com
+		tls: []
+	}
+	// - hosts: [cockroachlabs.com]
+	//   secretName: cockroachlabs-tls
+
+	prometheus: {
+		enabled: true
+	}
+
+	securityContext: enabled: true
+
+	// CockroachDB's Prometheus operator ServiceMonitor support
+	serviceMonitor: {
+		enabled: false
+		labels: {}
+		annotations: {}
+		interval: "10s"
+		// scrapeTimeout: 10s
+		// Limits the ServiceMonitor to the current namespace if set to `true`.
+		namespaced: false
+
+		// tlsConfig: TLS configuration to use when scraping the endpoint.
+		// Of type: https://github.com/coreos/prometheus-operator/blob/main/Documentation/api.md#tlsconfig
+		tlsConfig: {}
+	}
+
+	// CockroachDB's data persistence.
+	// If neither `persistentVolume` nor `hostPath` is used, then data will be
+	// persisted in ad-hoc `emptyDir`.
+	storage: {
+		// Absolute path on host to store CockroachDB's data.
+		// If not specified, then `emptyDir` will be used instead.
+		// If specified, but `persistentVolume.enabled` is `true`, then has no effect.
+		hostPath: ""
+
+		// If `enabled` is `true` then a PersistentVolumeClaim will be created and
+		// used to store CockroachDB's data, otherwise `hostPath` is used.
+		persistentVolume: {
+			enabled: true
+
+			size: string | *"100Gi"
+
+			// If defined, then `storageClassName: <storageClass>`.
+			// If set to "-", then `storageClassName: ""`, which disables dynamic
+			// provisioning.
+			// If undefined or empty (default), then no `storageClassName` spec is set,
+			// so the default provisioner will be chosen (gp2 on AWS, standard on
+			// GKE, AWS & OpenStack).
+			storageClass: ""
+
+			// Additional labels to apply to the created PersistentVolumeClaims.
+			labels: {}
+			// Additional annotations to apply to the created PersistentVolumeClaims.
+			annotations: {}
+		}
+	}
+
+	// Kubernetes Job which initializes multi-node CockroachDB cluster.
+	// It's not created if `statefulset.replicas` is `1`.
+	init: {
+		// Additional labels to apply to this Job and its Pod.
+		labels: {
+			"app.kubernetes.io/component": "init"
+		}
+
+		// Additional annotations to apply to this Job.
+		jobAnnotations: {}
+
+		// Additional annotations to apply to the Pod of this Job.
+		annotations: {}
+
+		// Affinity rules for scheduling the Pod of this Job.
+		// https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity
+		affinity: {}
+
+		// Node selection constraints for scheduling the Pod of this Job.
+		// https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+		nodeSelector: {}
+
+		// Taints to be tolerated by the Pod of this Job.
+		// https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+		tolerations: []
+
+		// The init Pod runs at cluster creation to initialize CockroachDB. It finishes
+		// quickly and doesn't continue to consume resources in the Kubernetes
+		// cluster. Normally, you should leave this section commented out, but if your
+		// Kubernetes cluster uses Resource Quotas and requires all pods to specify
+		// resource requests or limits, you can set those here.
+		resources: {}
+		// requests:
+		//   cpu: "10m"
+		//   memory: "128Mi"
+		// limits:
+		//   cpu: "10m"
+		//   memory: "128Mi"
+
+		securityContext: {
+			enabled: true
+		}
+
+		provisioning: {
+			enabled: false
+			// https://www.cockroachlabs.com/docs/stable/cluster-settings.html
+			clusterSettings: null
+			// cluster.organization: "'FooCorp - Local Testing'"
+			// enterprise.license: "'xxxxx'"
+			users: []
+			// - name:
+			//   password:
+			//   # https://www.cockroachlabs.com/docs/stable/create-user.html#parameters
+			//   options: [LOGIN]
+			databases: []
+		}
+	}
+	// - name:
+	//   # https://www.cockroachlabs.com/docs/stable/create-database.html#parameters
+	//   options: [encoding='utf-8']
+	//   owners: []
+	//   # https://www.cockroachlabs.com/docs/stable/grant.html#parameters
+	//   owners_with_grant_option: []
+	//   # Backup schedules are not idemponent for now and will fail on next run
+	//   # https://github.com/cockroachdb/cockroach/issues/57892
+	//   backup:
+	//     into: s3://
+	//     # Enterprise-only option (revision_history)
+	//     # https://www.cockroachlabs.com/docs/stable/create-schedule-for-backup.html#backup-options
+	//     options: [revision_history]
+	//     recurring: '@always'
+	//     # Enterprise-only feature. Remove this value to use `FULL BACKUP ALWAYS`
+	//     fullBackup: '@daily'
+	//     schedule:
+	//       # https://www.cockroachlabs.com/docs/stable/create-schedule-for-backup.html#schedule-options
+	//       options: [first_run = 'now']
+	// Whether to run securely using TLS certificates.
+	tls: {
+		enabled: true
+		copyCerts: image: "busybox"
+		certs: {
+			// Bring your own certs scenario. If provided, tls.init section will be ignored.
+			provided: false
+			// Secret name for the client root cert.
+			clientRootSecret: "cockroachdb-root"
+			// Secret name for node cert.
+			nodeSecret: "cockroachdb-node"
+			// Secret name for CA cert
+			caSecret: "cockroach-ca"
+			// Enable if the secret is a dedicated TLS.
+			// TLS secrets are created by cert-mananger, for example.
+			tlsSecret: false
+			// Enable if the you want cockroach db to create its own certificates
+			selfSigner: {
+				// If set, the cockroach db will generate its own certificates
+				enabled: false | *true
+				// Run selfSigner as non-root
+				securityContext: {
+					enabled: true
+				}
+				// If set, the user should provide the CA certificate to sign other certificates.
+				caProvided: false
+				// It holds the name of the secret with caCerts. If caProvided is set, this can not be empty.
+				caSecret: ""
+				// Minimum Certificate duration for all the certificates, all certs duration will be validated against this.
+				minimumCertDuration: "624h"
+				// Duration of CA certificates in hour
+				caCertDuration: "43800h"
+				// Expiry window of CA certificates means a window before actual expiry in which CA certs should be rotated.
+				caCertExpiryWindow: "648h"
+				// Duration of Client certificates in hour
+				clientCertDuration: "672h"
+				// Expiry window of client certificates means a window before actual expiry in which client certs should be rotated.
+				clientCertExpiryWindow: "48h"
+				// Duration of node certificates in hour
+				nodeCertDuration: "8760h"
+				// Expiry window of node certificates means a window before actual expiry in which node certs should be rotated.
+				nodeCertExpiryWindow: "168h"
+				// If set, the cockroachdb cert selfSigner will rotate the certificates before expiry.
+				rotateCerts: true
+				// Wait time for each cockroachdb replica to become ready once it comes in running state. Only considered when rotateCerts is set to true
+				readinessWait: "30s"
+				// Wait time for each cockroachdb replica to get to running state. Only considered when rotateCerts is set to true
+				podUpdateTimeout: "2m"
+				// ServiceAccount annotations for selfSigner jobs (e.g. for attaching AWS IAM roles to pods)
+				svcAccountAnnotations: {}
+			}
+
+			// Use cert-manager to issue certificates for mTLS.
+			certManager: true | *false
+			// Specify an Issuer or a ClusterIssuer to use, when issuing
+			// node and client certificates. The values correspond to the
+			// issuerRef specified in the certificate.
+			certManagerIssuer: {
+				group: "cert-manager.io"
+				kind:  "Issuer"
+				name:  string | *"cockroachdb"
+				// Make it false when you are providing your own CA issuer
+				isSelfSignedIssuer: true
+				// Duration of Client certificates in hours
+				clientCertDuration: "672h"
+				// Expiry window of client certificates means a window before actual expiry in which client certs should be rotated.
+				clientCertExpiryWindow: "48h"
+				// Duration of node certificates in hours
+				nodeCertDuration: "8760h"
+				// Expiry window of node certificates means a window before actual expiry in which node certs should be rotated.
+				nodeCertExpiryWindow: "168h"
+			}
+		}
+
+		selfSigner: {
+			// Additional annotations to apply to the Pod of this Job.
+			annotations: {}
+
+			// Affinity rules for scheduling the Pod of this Job.
+			// https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity
+			affinity: {}
+
+			// Node selection constraints for scheduling the Pod of this Job.
+			// https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+			nodeSelector: {}
+
+			// Taints to be tolerated by the Pod of this Job.
+			// https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+			tolerations: []
+
+			// Image Placeholder for the selfSigner utility. This will be changed once the CI workflows for the image is in place.
+			image: {
+				repository: "cockroachlabs-helm-charts/cockroach-self-signer-cert"
+				tag:        "1.5"
+				pullPolicy: "IfNotPresent"
+				credentials: {}
+				registry: "gcr.io"
+			}
+		}
+	}
+	// username: john_doe
+	// password: changeme
+
+	networkPolicy: {
+		enabled: false
+
+		ingress: {
+			// List of sources which should be able to access the CockroachDB Pods via
+			// gRPC port. Items in this list are combined using a logical OR operation.
+			// Rules for allowing inter-communication are applied automatically.
+			// If empty, then connections from any Pod is allowed.
+			grpc: []
+			// - podSelector:
+			//     matchLabels:
+			//       app.kubernetes.io/name: my-app-django
+			//       app.kubernetes.io/instance: my-app
+			// List of sources which should be able to access the CockroachDB Pods via
+			// HTTP port. Items in this list are combined using a logical OR operation.
+			// If empty, then connections from any Pod is allowed.
+			http: []
+		}
+	}
+	// - namespaceSelector:
+	//     matchLabels:
+	//       project: my-project
+	// To put the admin interface behind Identity Aware Proxy (IAP) on Google Cloud Platform
+	// make sure to set ingress.paths: ['/*']
+	iap: {
+		enabled: false
+	}
+
+}

docs/examples/platforms/reference/clusters/workload/cloud/iam/zitadel/crdb/values.holos.cue

@@ -0,0 +1,25 @@
+package holos
+
+#Values: {
+	image: repository: "quay.io/holos/cockroachdb/cockroach"
+
+	fullnameOverride: #ComponentName
+
+	tls: {
+		enabled: true
+		certs: {
+			// https://github.com/cockroachdb/helm-charts/blob/3dcf96726ebcfe3784afb526ddcf4095a1684aea/README.md?plain=1#L204-L215
+			selfSigner: enabled: false
+			certManager: true
+			certManagerIssuer: {
+				kind: "Issuer"
+				name: #ComponentName
+			}
+		}
+	}
+
+	storage: persistentVolume: {
+		enabled: true
+		size:    "1Gi"
+	}
+}

docs/examples/platforms/reference/clusters/workload/cloud/iam/zitadel/zitadel.cue

@@ -0,0 +1,3 @@
+package holos
+
+#TargetNamespace: #InstancePrefix + "-zitadel"

docs/examples/platforms/reference/clusters/workload/cloud/mesh/certmanager/certmanager.cue

@@ -10,7 +10,9 @@ package holos
 }
 
 #HelmChart & {
-	values: installCRDs: true
+	values: #UpstreamValues & {
+		installCRDs: true
+	}
 	namespace: #TargetNamespace
 	chart: {
 		name:    "cert-manager"

docs/examples/platforms/reference/clusters/workload/cloud/mesh/istio/httpbin/httpbin.cue

@@ -0,0 +1,75 @@
+package holos
+
+let Name = "httpbin"
+let SecretName = #InputKeys.cluster + "-" + Name
+let MatchLabels = {app: Name} & #SelectorLabels
+let Metadata = {
+	name:      Name
+	namespace: #TargetNamespace
+	labels: app: Name
+}
+
+#InputKeys: component: Name
+
+#TargetNamespace: "istio-ingress"
+#DependsOn:       _IngressGateway
+
+let Cert = #HTTP01Cert & {
+	_name:   Name
+	_secret: SecretName
+}
+
+#KubernetesObjects & {
+	apiObjects: {
+		Certificate: httpbin: Cert.object
+		Deployment: httpbin: #Deployment & {
+			metadata: Metadata
+			spec: selector: matchLabels: MatchLabels
+			spec: template: {
+				metadata: labels: MatchLabels
+				metadata: labels: #CommonLabels
+				metadata: labels: #IstioSidecar
+				spec: securityContext: seccompProfile: type: "RuntimeDefault"
+				spec: containers: [{
+					name:  Name
+					image: "quay.io/holos/mccutchen/go-httpbin"
+					ports: [{containerPort: 8080}]
+					securityContext: {
+						seccompProfile: type: "RuntimeDefault"
+						allowPrivilegeEscalation: false
+						runAsNonRoot:             true
+						runAsUser:                1337
+						runAsGroup:               1337
+						capabilities: drop: ["ALL"]
+					}}]
+			}
+		}
+		Service: httpbin: #Service & {
+			metadata: Metadata
+			spec: selector: MatchLabels
+			spec: ports: [
+				{port: 80, targetPort: 8080, protocol: "TCP", name: "http"},
+			]
+		}
+		Gateway: httpbin: #Gateway & {
+			metadata: Metadata
+			spec: selector: istio: "ingressgateway"
+			spec: servers: [
+				{
+					hosts: ["\(#TargetNamespace)/\(Cert.Host)"]
+					port: name:          "https-\(#InstanceName)"
+					port: number:        443
+					port: protocol:      "HTTPS"
+					tls: credentialName: Cert.SecretName
+					tls: mode:           "SIMPLE"
+				},
+			]
+		}
+		VirtualService: httpbin: #VirtualService & {
+			metadata: Metadata
+			spec: hosts: [Cert.Host]
+			spec: gateways: ["\(#TargetNamespace)/\(Name)"]
+			spec: http: [{route: [{destination: host: Name}]}]
+		}
+	}
+}

docs/examples/platforms/reference/clusters/workload/cloud/mesh/istio/ingress/ingress.cue

@@ -50,28 +50,74 @@ import "encoding/json"
 _ProxyProtocol: gatewayTopology: proxyProtocol: {}
 
 // Additional holos specific API Objects
-let LoopbackName = #GatewayValues.name + "-loopback"
+let Name = #GatewayValues.name
+let GatewayLabels = {
+	app:   Name
+	istio: "ingressgateway"
+}
+let RedirectMetaName = {
+	name:      Name + "-https-redirect"
+	namespace: #TargetNamespace
+}
+
+// https-redirect
+_APIObjects: {
+	Gateway: {
+		httpsRedirect: #Gateway & {
+			metadata: RedirectMetaName
+			spec: selector: GatewayLabels
+			spec: servers: [{
+				port: {
+					number:   80
+					name:     "http2"
+					protocol: "HTTP2"
+				}
+				hosts: ["*"]
+				// handled by the VirtualService
+				tls: httpsRedirect: false
+			}]
+		}
+	}
+	VirtualService: {
+		httpsRedirect: #VirtualService & {
+			metadata: RedirectMetaName
+			spec: hosts: ["*"]
+			spec: gateways: [RedirectMetaName.name]
+			spec: http: [{
+				match: [{withoutHeaders: ":path": prefix: "/.well-known/acme-challenge/"}]
+				redirect: {
+					scheme:       "https"
+					redirectCode: 302
+				}
+			}]
+		}
+	}
+}
+
+let LoopbackName = Name + "-loopback"
 let LoopbackDescription = "Allows in-cluster traffic to stay in cluster via traffic routing"
 let LoopbackLabels = {
 	app:   LoopbackName
 	istio: "ingressgateway"
 }
+let LoopbackMetaName = {
+	name:      LoopbackName
+	namespace: #TargetNamespace
+}
 
+// istio-ingressgateway-loopback
 _APIObjects: {
 	Deployment: {
 		loopback: #Deployment & {
 			_description: LoopbackDescription
-			metadata: {
-				name:      LoopbackName
-				namespace: #TargetNamespace
-			}
+			metadata:     LoopbackMetaName
 			spec: {
 				selector: matchLabels: LoopbackLabels
 				template: {
 					metadata: {
-						annotations: #CommonAnnotations & {
-							_Description:                LoopbackDescription
-							"inject.istio.io/templates": "gateway"
+						annotations: "inject.istio.io/templates": "gateway"
+						annotations: #Description & {
+							_Description: LoopbackDescription
 						}
 						labels: LoopbackLabels & {"sidecar.istio.io/inject": "true"}
 					}
@@ -98,4 +144,12 @@ _APIObjects: {
 			}
 		}
 	}
+	Service: {
+		loopback: #Service & {
+			_description: LoopbackDescription
+			metadata:     LoopbackMetaName
+			spec: selector:      LoopbackLabels
+			spec: ports: [{port: 80, name: "http"}, {port: 443, name: "https"}]
+		}
+	}
 }

docs/examples/platforms/reference/clusters/workload/cloud/mesh/mesh.cue

@@ -4,11 +4,11 @@ package holos
 #InputKeys: project: "mesh"
 
 // Shared dependencies for all components in this collection.
-#Kustomization: spec: targetNamespace: #TargetNamespace
 #DependsOn: _Namespaces
 
 // Common Dependencies
-_CertManager: CertManager: name: "\(#InstancePrefix)-certmanager"
-_Namespaces: Namespaces: name:   "\(#StageName)-secrets-namespaces"
-_IstioBase: IstioBase: name:     "\(#InstancePrefix)-istio-base"
-_IstioD: IstioD: name:           "\(#InstancePrefix)-istiod"
+_CertManager: CertManager: name:       "\(#InstancePrefix)-certmanager"
+_Namespaces: Namespaces: name:         "\(#StageName)-secrets-namespaces"
+_IstioBase: IstioBase: name:           "\(#InstancePrefix)-istio-base"
+_IstioD: IstioD: name:                 "\(#InstancePrefix)-istiod"
+_IngressGateway: IngressGateway: name: "\(#InstancePrefix)-ingress"

docs/examples/platforms/reference/namespaces.cue

@@ -21,4 +21,5 @@ let Privileged = {
 	{name: "istio-ingress"} & Restricted,
 	{name: "cert-manager"},
 	{name: "argocd"},
+	{name: "prod-iam-zitadel"},
 ]

docs/examples/schema.cue

@@ -9,7 +9,11 @@ import (
 	batchv1 "k8s.io/api/batch/v1"
 	es "external-secrets.io/externalsecret/v1beta1"
 	ss "external-secrets.io/secretstore/v1beta1"
-	cm "cert-manager.io/clusterissuer/v1"
+	is "cert-manager.io/issuer/v1"
+	ci "cert-manager.io/clusterissuer/v1"
+	crt "cert-manager.io/certificate/v1"
+	gw "networking.istio.io/gateway/v1beta1"
+	vs "networking.istio.io/virtualservice/v1beta1"
 	"encoding/yaml"
 )
 
@@ -37,11 +41,17 @@ _apiVersion: "holos.run/v1alpha1"
 // #TargetNamespace is the target namespace for a holos component.
 #TargetNamespace: string
 
+// #SelectorLabels are mixed into selectors.
+#SelectorLabels: {
+	"holos.run/stage.name":     #StageName
+	"holos.run/project.name":   #CollectionName
+	"holos.run/component.name": #ComponentName
+	...
+}
+
 // #CommonLabels are mixed into every kubernetes api object.
 #CommonLabels: {
-	"holos.run/stage.name":        #StageName
-	"holos.run/project.name":      #CollectionName
-	"holos.run/component.name":    #ComponentName
+	#SelectorLabels
 	"app.kubernetes.io/part-of":   #StageName
 	"app.kubernetes.io/name":      #CollectionName
 	"app.kubernetes.io/component": #ComponentName
@@ -50,26 +60,26 @@ _apiVersion: "holos.run/v1alpha1"
 }
 
 #ClusterObject: {
+	_description: string | *""
 	metadata: metav1.#ObjectMeta & {
 		labels: #CommonLabels
+		annotations: #Description & {
+			_Description: _description
+			...
+		}
 	}
 	...
 }
 
-#CommonAnnotations: {
+#Description: {
 	_Description:            string | *""
 	"holos.run/description": _Description
 	...
 }
 
 #NamespaceObject: #ClusterObject & {
-	_description: string | *""
-	metadata: {
-		namespace: string
-		annotations: #CommonAnnotations & {
-			_Description: _description
-		}
-	}
+	metadata: namespace: string
+	...
 }
 
 // Kubernetes API Objects
@@ -81,15 +91,42 @@ _apiVersion: "holos.run/v1alpha1"
 }
 #ClusterRole:        #ClusterObject & rbacv1.#ClusterRole
 #ClusterRoleBinding: #ClusterObject & rbacv1.#ClusterRoleBinding
-#ClusterIssuer: #ClusterObject & cm.#ClusterIssuer & {...}
+#ClusterIssuer: #ClusterObject & ci.#ClusterIssuer & {...}
+
+#Issuer:         #NamespaceObject & is.#Issuer
 #Role:           #NamespaceObject & rbacv1.#Role
 #RoleBinding:    #NamespaceObject & rbacv1.#RoleBinding
 #ConfigMap:      #NamespaceObject & corev1.#ConfigMap
 #ServiceAccount: #NamespaceObject & corev1.#ServiceAccount
 #Pod:            #NamespaceObject & corev1.#Pod
+#Service:        #NamespaceObject & corev1.#Service
 #Job:            #NamespaceObject & batchv1.#Job
 #CronJob:        #NamespaceObject & batchv1.#CronJob
 #Deployment:     #NamespaceObject & appsv1.#Deployment
+#Gateway:        #NamespaceObject & gw.#Gateway
+#VirtualService: #NamespaceObject & vs.#VirtualService
+#Certificate:    #NamespaceObject & crt.#Certificate
+
+// #HTTP01Cert defines a http01 certificate.
+#HTTP01Cert: {
+	_name:      string
+	_secret:    string | *_name
+	SecretName: _secret
+	Host:       _name + "." + #ClusterDomain
+	object: #Certificate & {
+		metadata: {
+			name:      _secret
+			namespace: string | *#TargetNamespace
+		}
+		spec: {
+			commonName: Host
+			dnsNames: [Host]
+			secretName: _secret
+			issuerRef: kind: "ClusterIssuer"
+			issuerRef: name: "letsencrypt"
+		}
+	}
+}
 
 // Flux Kustomization CRDs
 #Kustomization: #NamespaceObject & ksv1.#Kustomization & {
@@ -314,6 +351,15 @@ _apiVersion: "holos.run/v1alpha1"
 // #SecretName is the name of a Secret, ususally coupling a Deployment to an ExternalSecret
 #SecretName: string
 
+// Cluster Domain is the cluster specific domain
+#ClusterDomain: #InputKeys.cluster + "." + #Platform.org.domain
+
+// #SidecarInject represents the istio sidecar inject label
+#IstioSidecar: {
+	"sidecar.istio.io/inject": "true"
+	...
+}
+
 // By default, render kind: Skipped so holos knows to skip over intermediate cue files.
 // This enables the use of holos render ./foo/bar/baz/... when bar contains intermediary constraints which are not complete components.
 // Holos skips over these intermediary cue instances.

pkg/version/embedded/minor

@@ -1 +1 @@
-49
+50

pkg/version/embedded/patch

@@ -1 +1 @@
-2
+0