(#89) Disable project auth proxies by default

Focus on the ingress gateway auth proxy for now and see how far it gets
us.

.github/workflows/lint.yaml

@@ -1,6 +1,7 @@
+---
 # https://github.com/golangci/golangci-lint-action?tab=readme-ov-file#how-to-use
 name: Lint
-on:
+"on":
   push:
     branches:
       - main
@@ -14,7 +15,7 @@ permissions:
 jobs:
   golangci:
     name: lint
-    runs-on: [self-hosted, k8s]
+    runs-on: gha-rs
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v5
@@ -22,6 +23,6 @@ jobs:
           go-version: stable
           cache: false
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v3
+        uses: golangci/golangci-lint-action@v4
         with:
           version: latest

.github/workflows/release.yaml

@@ -2,17 +2,20 @@ name: Release
 
 on:
   push:
-    # Run only against tags
     tags:
       - '*'
+    branches:
+      - release
 
 permissions:
   contents: write
 
 jobs:
   goreleaser:
-    runs-on: [self-hosted, k8s]
+    runs-on: gha-rs
     steps:
+      - name: Provide GPG and Git
+        run: sudo apt update && sudo apt -qq -y install gnupg git
       - name: Checkout
         uses: actions/checkout@v4
         with:

.github/workflows/test.yaml

@@ -13,7 +13,7 @@ permissions:
 
 jobs:
   test:
-    runs-on: [self-hosted, k8s]
+    runs-on: gha-rs
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
@@ -23,5 +23,14 @@ jobs:
         with:
           go-version: stable
 
+      - name: Provide unzip for Helm
+        run: sudo apt update && sudo apt -qq -y install curl zip unzip tar bzip2
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+
+      - name: Set up Kubectl
+        uses: azure/setup-kubectl@v3
+
       - name: Test
         run: ./scripts/test

.gitignore

@@ -5,3 +5,4 @@ coverage.out
 dist/
 *.hold/
 /deploy/
+.vscode/

Makefile

@@ -4,7 +4,7 @@ PROJ=holos
 ORG_PATH=github.com/holos-run
 REPO_PATH=$(ORG_PATH)/$(PROJ)
 
-VERSION := $(shell grep "const Version " pkg/version/version.go | sed -E 's/.*"(.+)"$$/\1/')
+VERSION := $(shell cat pkg/version/embedded/major pkg/version/embedded/minor pkg/version/embedded/patch | xargs printf "%s.%s.%s")
 BIN_NAME := holos
 
 DOCKER_REPO=quay.io/openinfrastructure/holos
@@ -39,18 +39,27 @@ bumpmajor: ## Bump the major version.
 	scripts/bump minor 0
 	scripts/bump patch 0
 
+.PHONY: show-version
+show-version: ## Print the full version.
+	@echo $(VERSION)
+
 .PHONY: tidy
 tidy: ## Tidy go module.
 	go mod tidy
 
 .PHONY: fmt
-fmt: ## Format Go code.
+fmt: ## Format code.
+	cd docs/examples && cue fmt ./...
 	go fmt ./...
 
 .PHONY: vet
 vet: ## Vet Go code.
 	go vet ./...
 
+.PHONY: gencue
+gencue: ## Generate CUE definitions
+	cd docs/examples && cue get go github.com/holos-run/holos/api/...
+
 .PHONY: generate
 generate: ## Generate code.
 	go generate ./...

api/v1alpha1/buildplan.go

@@ -0,0 +1,40 @@
+package v1alpha1
+
+import (
+	"fmt"
+	"strings"
+)
+
+// BuildPlan is the primary interface between CUE and the Holos cli.
+type BuildPlan struct {
+	TypeMeta `json:",inline" yaml:",inline"`
+	// Metadata represents the holos component name
+	Metadata ObjectMeta    `json:"metadata,omitempty" yaml:"metadata,omitempty"`
+	Spec     BuildPlanSpec `json:"spec,omitempty" yaml:"spec,omitempty"`
+}
+
+type BuildPlanSpec struct {
+	Disabled   bool                `json:"disabled,omitempty" yaml:"disabled,omitempty"`
+	Components BuildPlanComponents `json:"components,omitempty" yaml:"components,omitempty"`
+}
+
+type BuildPlanComponents struct {
+	HelmChartList         []HelmChart                  `json:"helmChartList,omitempty" yaml:"helmChartList,omitempty"`
+	KubernetesObjectsList []KubernetesObjects          `json:"kubernetesObjectsList,omitempty" yaml:"kubernetesObjectsList,omitempty"`
+	KustomizeBuildList    []KustomizeBuild             `json:"kustomizeBuildList,omitempty" yaml:"kustomizeBuildList,omitempty"`
+	Resources             map[string]KubernetesObjects `json:"resources,omitempty" yaml:"resources,omitempty"`
+}
+
+func (bp *BuildPlan) Validate() error {
+	errs := make([]string, 0, 2)
+	if bp.Kind != BuildPlanKind {
+		errs = append(errs, fmt.Sprintf("kind invalid: want: %s have: %s", BuildPlanKind, bp.Kind))
+	}
+	if bp.APIVersion != APIVersion {
+		errs = append(errs, fmt.Sprintf("apiVersion invalid: want: %s have: %s", APIVersion, bp.APIVersion))
+	}
+	if len(errs) > 0 {
+		return fmt.Errorf("invalid BuildPlan: " + strings.Join(errs, ", "))
+	}
+	return nil
+}

api/v1alpha1/component.go

@@ -0,0 +1,22 @@
+package v1alpha1
+
+// HolosComponent defines the fields common to all holos component kinds including the Render Result.
+type HolosComponent struct {
+	TypeMeta `json:",inline" yaml:",inline"`
+	// Metadata represents the holos component name
+	Metadata ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty"`
+	// APIObjectMap holds the marshalled representation of api objects. Think of
+	// these as resources overlaid at the back of the render pipeline.
+	APIObjectMap APIObjectMap `json:"apiObjectMap,omitempty" yaml:"apiObjectMap,omitempty"`
+	// Kustomization holds the marshalled representation of the flux kustomization
+	// which reconciles resources in git with the api server.
+	Kustomization `json:",inline" yaml:",inline"`
+	// Kustomize represents a kubectl kustomize build post-processing step.
+	Kustomize `json:",inline" yaml:",inline"`
+	// Skip causes holos to take no action regarding the component.
+	Skip bool
+}
+
+func (hc *HolosComponent) NewResult() *Result {
+	return &Result{HolosComponent: *hc}
+}

api/v1alpha1/constants.go

@@ -0,0 +1,11 @@
+package v1alpha1
+
+const (
+	APIVersion    = "holos.run/v1alpha1"
+	BuildPlanKind = "BuildPlan"
+	HelmChartKind = "HelmChart"
+	// ChartDir is the directory name created in the holos component directory to cache a chart.
+	ChartDir = "vendor"
+	// ResourcesFile is the file name used to store component output when post-processing with kustomize.
+	ResourcesFile = "resources.yaml"
+)

api/v1alpha1/doc.go

@@ -0,0 +1,2 @@
+// Package v1alpha1 defines the api boundary between CUE and Holos.
+package v1alpha1

api/v1alpha1/helm.go

@@ -0,0 +1,154 @@
+package v1alpha1
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/holos-run/holos"
+	"github.com/holos-run/holos/pkg/logger"
+	"github.com/holos-run/holos/pkg/util"
+	"github.com/holos-run/holos/pkg/wrapper"
+)
+
+// A HelmChart represents a helm command to provide chart values in order to render kubernetes api objects.
+type HelmChart struct {
+	HolosComponent `json:",inline" yaml:",inline"`
+	// Namespace is the namespace to install into.  TODO: Use metadata.namespace instead.
+	Namespace     string `json:"namespace"`
+	Chart         Chart  `json:"chart"`
+	ValuesContent string `json:"valuesContent"`
+	EnableHooks   bool   `json:"enableHooks"`
+}
+
+type Chart struct {
+	Name       string     `json:"name"`
+	Version    string     `json:"version"`
+	Release    string     `json:"release"`
+	Repository Repository `json:"repository,omitempty"`
+}
+
+type Repository struct {
+	Name string `json:"name"`
+	URL  string `json:"url"`
+}
+
+func (hc *HelmChart) Render(ctx context.Context, path holos.InstancePath) (*Result, error) {
+	result := Result{HolosComponent: hc.HolosComponent}
+	if err := hc.helm(ctx, &result, path); err != nil {
+		return nil, err
+	}
+	result.addObjectMap(ctx, hc.APIObjectMap)
+	if err := result.kustomize(ctx); err != nil {
+		return nil, wrapper.Wrap(fmt.Errorf("could not kustomize: %w", err))
+	}
+	return &result, nil
+}
+
+// runHelm provides the values produced by CUE to helm template and returns
+// the rendered kubernetes api objects in the result.
+func (hc *HelmChart) helm(ctx context.Context, r *Result, path holos.InstancePath) error {
+	log := logger.FromContext(ctx).With("chart", hc.Chart.Name)
+	if hc.Chart.Name == "" {
+		log.WarnContext(ctx, "skipping helm: no chart name specified, use a different component type")
+		return nil
+	}
+
+	cachedChartPath := filepath.Join(string(path), ChartDir, filepath.Base(hc.Chart.Name))
+	if isNotExist(cachedChartPath) {
+		// Add repositories
+		repo := hc.Chart.Repository
+		if repo.URL != "" {
+			out, err := util.RunCmd(ctx, "helm", "repo", "add", repo.Name, repo.URL)
+			if err != nil {
+				log.ErrorContext(ctx, "could not run helm", "stderr", out.Stderr.String(), "stdout", out.Stdout.String())
+				return wrapper.Wrap(fmt.Errorf("could not run helm repo add: %w", err))
+			}
+			// Update repository
+			out, err = util.RunCmd(ctx, "helm", "repo", "update", repo.Name)
+			if err != nil {
+				log.ErrorContext(ctx, "could not run helm", "stderr", out.Stderr.String(), "stdout", out.Stdout.String())
+				return wrapper.Wrap(fmt.Errorf("could not run helm repo update: %w", err))
+			}
+		} else {
+			log.DebugContext(ctx, "no chart repository url proceeding assuming oci chart")
+		}
+
+		// Cache the chart
+		if err := cacheChart(ctx, path, ChartDir, hc.Chart); err != nil {
+			return fmt.Errorf("could not cache chart: %w", err)
+		}
+	}
+
+	// Write values file
+	tempDir, err := os.MkdirTemp("", "holos")
+	if err != nil {
+		return wrapper.Wrap(fmt.Errorf("could not make temp dir: %w", err))
+	}
+	defer util.Remove(ctx, tempDir)
+
+	valuesPath := filepath.Join(tempDir, "values.yaml")
+	if err := os.WriteFile(valuesPath, []byte(hc.ValuesContent), 0644); err != nil {
+		return wrapper.Wrap(fmt.Errorf("could not write values: %w", err))
+	}
+	log.DebugContext(ctx, "helm: wrote values", "path", valuesPath, "bytes", len(hc.ValuesContent))
+
+	// Run charts
+	chart := hc.Chart
+	args := []string{"template"}
+	if !hc.EnableHooks {
+		args = append(args, "--no-hooks")
+	}
+	namespace := hc.Namespace
+	args = append(args, "--include-crds", "--values", valuesPath, "--namespace", namespace, "--kubeconfig", "/dev/null", "--version", chart.Version, chart.Release, cachedChartPath)
+	helmOut, err := util.RunCmd(ctx, "helm", args...)
+	if err != nil {
+		stderr := helmOut.Stderr.String()
+		lines := strings.Split(stderr, "\n")
+		for _, line := range lines {
+			if strings.HasPrefix(line, "Error:") {
+				err = fmt.Errorf("%s: %w", line, err)
+			}
+		}
+		return wrapper.Wrap(fmt.Errorf("could not run helm template: %w", err))
+	}
+
+	r.accumulatedOutput = helmOut.Stdout.String()
+
+	return nil
+}
+
+// cacheChart stores a cached copy of Chart in the chart subdirectory of path.
+func cacheChart(ctx context.Context, path holos.InstancePath, chartDir string, chart Chart) error {
+	log := logger.FromContext(ctx)
+
+	cacheTemp, err := os.MkdirTemp(string(path), chartDir)
+	if err != nil {
+		return wrapper.Wrap(fmt.Errorf("could not make temp dir: %w", err))
+	}
+	defer util.Remove(ctx, cacheTemp)
+
+	chartName := chart.Name
+	if chart.Repository.Name != "" {
+		chartName = fmt.Sprintf("%s/%s", chart.Repository.Name, chart.Name)
+	}
+	helmOut, err := util.RunCmd(ctx, "helm", "pull", "--destination", cacheTemp, "--untar=true", "--version", chart.Version, chartName)
+	if err != nil {
+		return wrapper.Wrap(fmt.Errorf("could not run helm pull: %w", err))
+	}
+	log.Debug("helm pull", "stdout", helmOut.Stdout, "stderr", helmOut.Stderr)
+
+	cachePath := filepath.Join(string(path), chartDir)
+	if err := os.Rename(cacheTemp, cachePath); err != nil {
+		return wrapper.Wrap(fmt.Errorf("could not rename: %w", err))
+	}
+	log.InfoContext(ctx, "cached", "chart", chart.Name, "version", chart.Version, "path", cachePath)
+
+	return nil
+}
+func isNotExist(path string) bool {
+	_, err := os.Stat(path)
+	return os.IsNotExist(err)
+}

api/v1alpha1/kubernetesobjects.go

@@ -0,0 +1,21 @@
+package v1alpha1
+
+import (
+	"context"
+
+	"github.com/holos-run/holos"
+)
+
+const KubernetesObjectsKind = "KubernetesObjects"
+
+// KubernetesObjects represents CUE output which directly provides Kubernetes api objects to holos.
+type KubernetesObjects struct {
+	HolosComponent `json:",inline" yaml:",inline"`
+}
+
+// Render produces kubernetes api objects from the APIObjectMap
+func (o *KubernetesObjects) Render(ctx context.Context, path holos.InstancePath) (*Result, error) {
+	result := Result{HolosComponent: o.HolosComponent}
+	result.addObjectMap(ctx, o.APIObjectMap)
+	return &result, nil
+}

api/v1alpha1/kustomization.go

@@ -0,0 +1,7 @@
+package v1alpha1
+
+// Kustomization holds the rendered flux kustomization api object content for git ops.
+type Kustomization struct {
+	// KsContent is the yaml representation of the flux kustomization for gitops.
+	KsContent string `json:"ksContent,omitempty" yaml:"ksContent,omitempty"`
+}

api/v1alpha1/kustomize.go

@@ -0,0 +1,47 @@
+package v1alpha1
+
+import (
+	"context"
+
+	"github.com/holos-run/holos"
+	"github.com/holos-run/holos/pkg/logger"
+	"github.com/holos-run/holos/pkg/util"
+	"github.com/holos-run/holos/pkg/wrapper"
+)
+
+const KustomizeBuildKind = "KustomizeBuild"
+
+// Kustomize represents resources necessary to execute a kustomize build.
+// Intended for at least two use cases:
+//
+//  1. Process raw yaml file resources in a holos component directory.
+//  2. Post process a HelmChart to inject istio, add custom labels, etc...
+type Kustomize struct {
+	// KustomizeFiles holds file contents for kustomize, e.g. patch files.
+	KustomizeFiles FileContentMap `json:"kustomizeFiles,omitempty" yaml:"kustomizeFiles,omitempty"`
+	// ResourcesFile is the file name used for api objects in kustomization.yaml
+	ResourcesFile string `json:"resourcesFile,omitempty" yaml:"resourcesFile,omitempty"`
+}
+
+// KustomizeBuild renders plain yaml files in the holos component directory using kubectl kustomize build.
+type KustomizeBuild struct {
+	HolosComponent `json:",inline" yaml:",inline"`
+}
+
+// Render produces a Result by executing kubectl kustomize on the holos
+// component path. Useful for processing raw yaml files.
+func (kb *KustomizeBuild) Render(ctx context.Context, path holos.InstancePath) (*Result, error) {
+	log := logger.FromContext(ctx)
+	result := Result{HolosComponent: kb.HolosComponent}
+	// Run kustomize.
+	kOut, err := util.RunCmd(ctx, "kubectl", "kustomize", string(path))
+	if err != nil {
+		log.ErrorContext(ctx, kOut.Stderr.String())
+		return nil, wrapper.Wrap(err)
+	}
+	// Replace the accumulated output
+	result.accumulatedOutput = kOut.Stdout.String()
+	// Add CUE based api objects.
+	result.addObjectMap(ctx, kb.APIObjectMap)
+	return &result, nil
+}

api/v1alpha1/objectmap.go

@@ -0,0 +1,14 @@
+package v1alpha1
+
+// Label is an arbitrary unique identifier.  Defined as a type for clarity and type checking.
+type Label string
+
+// Kind is a kubernetes api object kind. Defined as a type for clarity and type checking.
+type Kind string
+
+// APIObjectMap is the shape of marshalled api objects returned from cue to the
+// holos cli. A map is used to improve the clarity of error messages from cue.
+type APIObjectMap map[Kind]map[Label]string
+
+// FileContentMap is a map of file names to file contents.
+type FileContentMap map[string]string

api/v1alpha1/objectmeta.go

@@ -0,0 +1,15 @@
+package v1alpha1
+
+// ObjectMeta represents metadata of a holos component object. The fields are a
+// copy of upstream kubernetes api machinery but are by holos objects distinct
+// from kubernetes api objects.
+type ObjectMeta struct {
+	// Name uniquely identifies the holos component instance and must be suitable as a file name.
+	Name string `json:"name,omitempty" yaml:"name,omitempty"`
+	// Namespace confines a holos component to a single namespace via kustomize if set.
+	Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"`
+	// Labels are not used but are copied from api machinery ObjectMeta for completeness.
+	Labels map[string]string `json:"labels,omitempty" yaml:"labels,omitempty"`
+	// Annotations are not used but are copied from api machinery ObjectMeta for completeness.
+	Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"`
+}

api/v1alpha1/render.go

@@ -0,0 +1,22 @@
+package v1alpha1
+
+import (
+	"context"
+
+	"github.com/holos-run/holos"
+)
+
+type Renderer interface {
+	GetKind() string
+	Render(ctx context.Context, path holos.InstancePath) (*Result, error)
+}
+
+// Render produces a Result representing the kubernetes api objects to
+// configure. Each of the various holos component types, e.g. Helm, Kustomize,
+// et al, should implement the Renderer interface. This process is best
+// conceptualized as a data pipeline, for example a component may render a
+// result by first calling helm template, then passing the result through
+// kustomize, then mixing in overlay api objects.
+func Render(ctx context.Context, r Renderer, path holos.InstancePath) (*Result, error) {
+	return r.Render(ctx, path)
+}

api/v1alpha1/result.go

@@ -0,0 +1,138 @@
+package v1alpha1
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path/filepath"
+	"slices"
+
+	"github.com/holos-run/holos/pkg/logger"
+	"github.com/holos-run/holos/pkg/util"
+	"github.com/holos-run/holos/pkg/wrapper"
+)
+
+// Result is the build result for display or writing.  Holos components Render the Result as a data pipeline.
+type Result struct {
+	HolosComponent
+	// accumulatedOutput accumulates rendered api objects.
+	accumulatedOutput string
+}
+
+func (r *Result) Name() string {
+	return r.Metadata.Name
+}
+
+func (r *Result) Filename(writeTo string, cluster string) string {
+	name := r.Metadata.Name
+	return filepath.Join(writeTo, "clusters", cluster, "components", name, name+".gen.yaml")
+}
+
+func (r *Result) KustomizationFilename(writeTo string, cluster string) string {
+	return filepath.Join(writeTo, "clusters", cluster, "holos", "components", r.Metadata.Name+"-kustomization.gen.yaml")
+}
+
+// AccumulatedOutput returns the accumulated rendered output.
+func (r *Result) AccumulatedOutput() string {
+	return r.accumulatedOutput
+}
+
+// addObjectMap renders the provided APIObjectMap into the accumulated output.
+func (r *Result) addObjectMap(ctx context.Context, objectMap APIObjectMap) {
+	log := logger.FromContext(ctx)
+	b := []byte(r.AccumulatedOutput())
+	kinds := make([]Kind, 0, len(objectMap))
+	// Sort the keys
+	for kind := range objectMap {
+		kinds = append(kinds, kind)
+	}
+	slices.Sort(kinds)
+
+	for _, kind := range kinds {
+		v := objectMap[kind]
+		// Sort the keys
+		names := make([]Label, 0, len(v))
+		for name := range v {
+			names = append(names, name)
+		}
+		slices.Sort(names)
+
+		for _, name := range names {
+			yamlString := v[name]
+			log.Debug(fmt.Sprintf("%s/%s", kind, name), "kind", kind, "name", name)
+			b = util.EnsureNewline(b)
+			header := fmt.Sprintf("---\n# Source: CUE apiObjects.%s.%s\n", kind, name)
+			b = append(b, []byte(header+yamlString)...)
+			b = util.EnsureNewline(b)
+		}
+	}
+	r.accumulatedOutput = string(b)
+}
+
+// kustomize replaces the accumulated output with the output of kustomize build
+func (r *Result) kustomize(ctx context.Context) error {
+	log := logger.FromContext(ctx)
+	if r.ResourcesFile == "" {
+		log.DebugContext(ctx, "skipping kustomize: no resourcesFile")
+		return nil
+	}
+	if len(r.KustomizeFiles) < 1 {
+		log.DebugContext(ctx, "skipping kustomize: no kustomizeFiles")
+		return nil
+	}
+	tempDir, err := os.MkdirTemp("", "holos.kustomize")
+	if err != nil {
+		return wrapper.Wrap(err)
+	}
+	defer util.Remove(ctx, tempDir)
+
+	// Write the main api object resources file for kustomize.
+	target := filepath.Join(tempDir, r.ResourcesFile)
+	b := []byte(r.AccumulatedOutput())
+	b = util.EnsureNewline(b)
+	if err := os.WriteFile(target, b, 0644); err != nil {
+		return wrapper.Wrap(fmt.Errorf("could not write resources: %w", err))
+	}
+	log.DebugContext(ctx, "wrote: "+target, "op", "write", "path", target, "bytes", len(b))
+
+	// Write the kustomization tree, kustomization.yaml must be in this map for kustomize to work.
+	for file, content := range r.KustomizeFiles {
+		target := filepath.Join(tempDir, file)
+		if err := os.MkdirAll(filepath.Dir(target), 0755); err != nil {
+			return wrapper.Wrap(err)
+		}
+		b := []byte(content)
+		b = util.EnsureNewline(b)
+		if err := os.WriteFile(target, b, 0644); err != nil {
+			return wrapper.Wrap(fmt.Errorf("could not write: %w", err))
+		}
+		log.DebugContext(ctx, "wrote: "+target, "op", "write", "path", target, "bytes", len(b))
+	}
+
+	// Run kustomize.
+	kOut, err := util.RunCmd(ctx, "kubectl", "kustomize", tempDir)
+	if err != nil {
+		log.ErrorContext(ctx, kOut.Stderr.String())
+		return wrapper.Wrap(err)
+	}
+	// Replace the accumulated output
+	r.accumulatedOutput = kOut.Stdout.String()
+	return nil
+}
+
+// Save writes the content to the filesystem for git ops.
+func (r *Result) Save(ctx context.Context, path string, content string) error {
+	log := logger.FromContext(ctx)
+	dir := filepath.Dir(path)
+	if err := os.MkdirAll(dir, os.FileMode(0775)); err != nil {
+		log.WarnContext(ctx, "could not mkdir", "path", dir, "err", err)
+		return wrapper.Wrap(err)
+	}
+	// Write the kube api objects
+	if err := os.WriteFile(path, []byte(content), os.FileMode(0644)); err != nil {
+		log.WarnContext(ctx, "could not write", "path", path, "err", err)
+		return wrapper.Wrap(err)
+	}
+	log.DebugContext(ctx, "out: wrote "+path, "action", "write", "path", path, "status", "ok")
+	return nil
+}

api/v1alpha1/typemeta.go

@@ -0,0 +1,10 @@
+package v1alpha1
+
+type TypeMeta struct {
+	Kind       string `json:"kind,omitempty" yaml:"kind,omitempty"`
+	APIVersion string `json:"apiVersion,omitempty" yaml:"apiVersion,omitempty"`
+}
+
+func (tm *TypeMeta) GetKind() string {
+	return tm.Kind
+}

cmd/holos/testdata/constraints.txt

@@ -1,7 +1,6 @@
 # Want support for intermediary constraints
 exec holos build ./foo/... --log-level debug
 stdout '^bf2bc7f9-9ba0-4f9e-9bd2-9a205627eb0b$'
-stderr 'processing holos component kind Skip'
 
 -- cue.mod --
 package holos
@@ -12,31 +11,21 @@ metadata: name: "jeff"
 -- foo/bar/bar.cue --
 package holos
 
-#KubernetesObjects & {
-  apiObjectMap: foo: bar: "bf2bc7f9-9ba0-4f9e-9bd2-9a205627eb0b"
-}
+spec: components: KubernetesObjectsList: [
+  #KubernetesObjects & {
+    apiObjectMap: foo: bar: "bf2bc7f9-9ba0-4f9e-9bd2-9a205627eb0b"
+  }
+]
 -- schema.cue --
 package holos
 
-cluster: string @tag(cluster, string)
-
-// #OutputTypeMeta is shared among all output types
-#OutputTypeMeta: {
-	apiVersion: "holos.run/v1alpha1"
-	kind: #KubernetesObjects.kind | #NoOutput.kind
-	metadata: name: string
-}
+_cluster: string @tag(cluster, string)
 
 #KubernetesObjects: {
-	#OutputTypeMeta
+	apiVersion: "holos.run/v1alpha1"
 	kind: "KubernetesObjects"
 	apiObjectMap: {...}
 }
 
-#NoOutput: {
-	#OutputTypeMeta
-	kind: string | *"Skip"
-	metadata: name: string | *"skipped"
-}
-
-#NoOutput & {}
+apiVersion: "holos.run/v1alpha1"
+kind: "BuildPlan"

cmd/holos/testdata/issue15_cue_errors.txt

@@ -1,16 +1,17 @@
 # Want cue errors to show files and lines
 ! exec holos build .
-stderr '^apiObjectMap.foo.bar: cannot convert non-concrete value string'
-stderr '/component.cue:7:20$'
+stderr 'apiObjectMap.foo.bar: cannot convert incomplete value'
+stderr '/component.cue:\d+:\d+$'
 
 -- cue.mod --
 package holos
 -- component.cue --
 package holos
 
-apiVersion: "holos.run/v1alpha1"
-kind: "KubernetesObjects"
-cluster: string @tag(cluster, string)
+_cluster: string @tag(cluster, string)
 
-apiObjectMap: foo: bar: baz
-baz: string
+apiVersion: "holos.run/v1alpha1"
+kind: "BuildPlan"
+spec: components: KubernetesObjectsList: [{apiObjectMap: foo: bar: _baz}]
+
+_baz: string

cmd/holos/testdata/issue25_apiobjects_cue.txt

@@ -9,15 +9,17 @@ package holos
 package holos
 
 apiVersion: "holos.run/v1alpha1"
-kind: "KubernetesObjects"
-cluster: string @tag(cluster, string)
+kind: "BuildPlan"
+spec: components: KubernetesObjectsList: [{apiObjectMap: #APIObjects.apiObjectMap}]
+
+_cluster: string @tag(cluster, string)
 
 #SecretStore: {
     kind: string
     metadata: name: string
 }
 
-#APIObjects & {
+#APIObjects: {
   apiObjects: {
     SecretStore: {
       default: #SecretStore & { metadata: name: "default" }
@@ -54,4 +56,3 @@ import "encoding/yaml"
 		}
 	}
 }
-

cmd/holos/testdata/issue25_apiobjects_helm.txt

@@ -10,15 +10,17 @@ package holos
 package holos
 
 apiVersion: "holos.run/v1alpha1"
-kind: "HelmChart"
-cluster: string @tag(cluster, string)
+kind: "BuildPlan"
+spec: components: HelmChartList: [{apiObjectMap: #APIObjects.apiObjectMap}]
+
+_cluster: string @tag(cluster, string)
 
 #SecretStore: {
     kind: string
     metadata: name: string
 }
 
-#APIObjects & {
+#APIObjects: {
   apiObjects: {
     SecretStore: {
       default: #SecretStore & { metadata: name: "default" }
@@ -55,4 +57,3 @@ import "encoding/yaml"
 		}
 	}
 }
-

cmd/holos/testdata/issue33_helm_stderr.txt

@@ -0,0 +1,286 @@
+# Want helm errors to show up
+! exec holos build .
+stderr 'Error: execution error at \(zitadel/templates/secret_zitadel-masterkey.yaml:2:4\): Either set .Values.zitadel.masterkey xor .Values.zitadel.masterkeySecretName'
+
+-- cue.mod --
+package holos
+-- zitadel.cue --
+package holos
+
+apiVersion: "holos.run/v1alpha1"
+kind: "BuildPlan"
+spec: components: HelmChartList: [_HelmChart]
+
+_cluster: string @tag(cluster, string)
+
+_HelmChart: {
+  apiVersion: "holos.run/v1alpha1"
+  kind: "HelmChart"
+  metadata: name: "zitadel"
+  namespace: "zitadel"
+  chart: {
+    name:    "zitadel"
+    version: "7.9.0"
+    release: name
+    repository: {
+      name: "zitadel"
+      url:  "https://charts.zitadel.com"
+    }
+  }
+}
+
+-- vendor/zitadel/templates/secret_zitadel-masterkey.yaml --
+{{- if (or (and .Values.zitadel.masterkey .Values.zitadel.masterkeySecretName) (and (not .Values.zitadel.masterkey) (not .Values.zitadel.masterkeySecretName)) ) }}
+{{- fail "Either set .Values.zitadel.masterkey xor .Values.zitadel.masterkeySecretName" }}
+{{- end }}
+{{- if .Values.zitadel.masterkey -}}
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: zitadel-masterkey
+  {{- with .Values.zitadel.masterkeyAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  labels:
+    {{- include "zitadel.labels" . | nindent 4 }}
+stringData:
+  masterkey: {{ .Values.zitadel.masterkey }}
+{{- end -}}
+-- vendor/zitadel/Chart.yaml --
+apiVersion: v2
+appVersion: v2.46.0
+description: A Helm chart for ZITADEL
+icon: https://zitadel.com/zitadel-logo-dark.svg
+kubeVersion: '>= 1.21.0-0'
+maintainers:
+- email: support@zitadel.com
+  name: zitadel
+  url: https://zitadel.com
+name: zitadel
+type: application
+version: 7.9.0
+-- vendor/zitadel/values.yaml --
+# Default values for zitadel.
+zitadel:
+  # The ZITADEL config under configmapConfig is written to a Kubernetes ConfigMap
+  # See all defaults here:
+  # https://github.com/zitadel/zitadel/blob/main/cmd/defaults.yaml
+  configmapConfig:
+    ExternalSecure: true
+    Machine:
+      Identification:
+        Hostname:
+          Enabled: true
+        Webhook:
+          Enabled: false
+
+  # The ZITADEL config under secretConfig is written to a Kubernetes Secret
+  # See all defaults here:
+  # https://github.com/zitadel/zitadel/blob/main/cmd/defaults.yaml
+  secretConfig:
+
+  # Annotations set on secretConfig secret
+  secretConfigAnnotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation
+    helm.sh/hook-weight: "0"
+
+  # Reference the name of a secret that contains ZITADEL configuration.
+  configSecretName:
+  # The key under which the ZITADEL configuration is located in the secret.
+  configSecretKey: config-yaml
+
+  # ZITADEL uses the masterkey for symmetric encryption.
+  # You can generate it for example with tr -dc A-Za-z0-9 </dev/urandom | head -c 32
+  masterkey: ""
+  # Reference the name of the secret that contains the masterkey. The key should be named "masterkey".
+  # Note: Either zitadel.masterkey or zitadel.masterkeySecretName must be set
+  masterkeySecretName: ""
+
+  # Annotations set on masterkey secret
+  masterkeyAnnotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation
+    helm.sh/hook-weight: "0"
+
+  # The CA Certificate needed for establishing secure database connections
+  dbSslCaCrt: ""
+
+  # The Secret containing the CA certificate at key ca.crt needed for establishing secure database connections
+  dbSslCaCrtSecret: ""
+
+  # The db admins secret containing the client certificate and key at tls.crt and tls.key needed for establishing secure database connections
+  dbSslAdminCrtSecret: ""
+
+  # The db users secret containing the client certificate and key at tls.crt and tls.key needed for establishing secure database connections
+  dbSslUserCrtSecret: ""
+
+  # Generate a self-signed certificate using an init container
+  # This will also mount the generated files to /etc/tls/ so that you can reference them in the pod.
+  # E.G. KeyPath: /etc/tls/tls.key CertPath: /etc/tls/tls.crt
+  # By default, the SAN DNS names include, localhost, the POD IP address and the POD name. You may include one more by using additionalDnsName like "my.zitadel.fqdn".
+  selfSignedCert:
+    enabled: false
+    additionalDnsName:
+
+replicaCount: 3
+
+image:
+  repository: ghcr.io/zitadel/zitadel
+  pullPolicy: IfNotPresent
+  # Overrides the image tag whose default is the chart appVersion.
+  tag: ""
+
+chownImage:
+  repository: alpine
+  pullPolicy: IfNotPresent
+  tag: "3.19"
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+# Annotations to add to the deployment
+annotations: {}
+
+# Annotations to add to the configMap
+configMap:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation
+    helm.sh/hook-weight: "0"
+
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # Annotations to add to the service account
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation
+    helm.sh/hook-weight: "0"
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+
+podAnnotations: {}
+
+podAdditionalLabels: {}
+
+podSecurityContext:
+  runAsNonRoot: true
+  runAsUser: 1000
+
+securityContext: {}
+
+# Additional environment variables
+env:
+  []
+  # - name: ZITADEL_DATABASE_POSTGRES_HOST
+  #   valueFrom:
+  #     secretKeyRef:
+  #       name: postgres-pguser-postgres
+  #       key: host
+
+service:
+  type: ClusterIP
+  # If service type is "ClusterIP", this can optionally be set to a fixed IP address.
+  clusterIP: ""
+  port: 8080
+  protocol: http2
+  annotations: {}
+  scheme: HTTP
+
+ingress:
+  enabled: false
+  className: ""
+  annotations: {}
+  hosts:
+    - host: localhost
+      paths:
+        - path: /
+          pathType: Prefix
+  tls: []
+
+resources: {}
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+topologySpreadConstraints: []
+
+initJob:
+  # Once ZITADEL is installed, the initJob can be disabled.
+  enabled: true
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation
+    helm.sh/hook-weight: "1"
+  resources: {}
+  backoffLimit: 5
+  activeDeadlineSeconds: 300
+  extraContainers: []
+  podAnnotations: {}
+  # Available init commands :
+  # "": initialize ZITADEL instance (without skip anything)
+  # database: initialize only the database
+  # grant: set ALL grant to user
+  # user: initialize only the database user
+  # zitadel: initialize ZITADEL internals (skip "create user" and "create database")
+  command: ""
+
+setupJob:
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation
+    helm.sh/hook-weight: "2"
+  resources: {}
+  activeDeadlineSeconds: 300
+  extraContainers: []
+  podAnnotations: {}
+  additionalArgs:
+    - "--init-projections=true"
+  machinekeyWriter:
+    image:
+      repository: bitnami/kubectl
+      tag: ""
+    resources: {}
+
+readinessProbe:
+  enabled: true
+  initialDelaySeconds: 0
+  periodSeconds: 5
+  failureThreshold: 3
+
+livenessProbe:
+  enabled: true
+  initialDelaySeconds: 0
+  periodSeconds: 5
+  failureThreshold: 3
+
+startupProbe:
+  enabled: true
+  periodSeconds: 1
+  failureThreshold: 30
+
+metrics:
+  enabled: false
+  serviceMonitor:
+    # If true, the chart creates a ServiceMonitor that is compatible with Prometheus Operator
+    # https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#monitoring.coreos.com/v1.ServiceMonitor.
+    # The Prometheus community Helm chart installs this operator
+    # https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack#kube-prometheus-stack
+    enabled: false
+    honorLabels: false
+    honorTimestamps: true
+
+pdb:
+  enabled: false
+  # these values are used for the PDB and are mutally exclusive
+  minAvailable: 1
+  # maxUnavailable: 1
+  annotations: {}

cmd/holos/testdata/issue42_kustomize_build_kind.txt

@@ -0,0 +1,36 @@
+# Kustomize is a supported holos component kind
+exec holos render --cluster-name=mycluster . --log-level=debug
+
+# Want generated output
+cmp want.yaml deploy/clusters/mycluster/components/kstest/kstest.gen.yaml
+
+-- cue.mod --
+package holos
+-- component.cue --
+package holos
+
+_cluster: string @tag(cluster, string)
+
+apiVersion: "holos.run/v1alpha1"
+kind: "BuildPlan"
+spec: components: KustomizeBuildList: [{metadata: name: "kstest"}]
+
+-- kustomization.yaml --
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: mynamespace
+resources:
+- serviceaccount.yaml
+
+-- serviceaccount.yaml --
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: test
+
+-- want.yaml --
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: test
+  namespace: mynamespace

cmd/holos/testdata/issue72_disallow_unknown_fields.txt

@@ -0,0 +1,14 @@
+# https://github.com/holos-run/holos/issues/72
+# Want holos to fail on unknown fields to catch typos and aid refactors
+! exec holos build .
+stderr 'unknown field \\"TypoKubernetesObjectsList\\"'
+
+-- cue.mod --
+package holos
+-- component.cue --
+package holos
+_cluster: string @tag(cluster, string)
+
+apiVersion: "holos.run/v1alpha1"
+kind: "BuildPlan"
+spec: components: TypoKubernetesObjectsList: []

docs/examples/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/buildplan_go_gen.cue

@@ -0,0 +1,26 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/holos-run/holos/api/v1alpha1
+
+package v1alpha1
+
+// BuildPlan is the primary interface between CUE and the Holos cli.
+#BuildPlan: {
+	#TypeMeta
+
+	// Metadata represents the holos component name
+	metadata?: #ObjectMeta    @go(Metadata)
+	spec?:     #BuildPlanSpec @go(Spec)
+}
+
+#BuildPlanSpec: {
+	disabled?:   bool                 @go(Disabled)
+	components?: #BuildPlanComponents @go(Components)
+}
+
+#BuildPlanComponents: {
+	helmChartList?: [...#HelmChart] @go(HelmChartList,[]HelmChart)
+	kubernetesObjectsList?: [...#KubernetesObjects] @go(KubernetesObjectsList,[]KubernetesObjects)
+	kustomizeBuildList?: [...#KustomizeBuild] @go(KustomizeBuildList,[]KustomizeBuild)
+	resources?: {[string]: #KubernetesObjects} @go(Resources,map[string]KubernetesObjects)
+}

docs/examples/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/component_go_gen.cue

@@ -0,0 +1,24 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/holos-run/holos/api/v1alpha1
+
+package v1alpha1
+
+// HolosComponent defines the fields common to all holos component kinds including the Render Result.
+#HolosComponent: {
+	#TypeMeta
+
+	// Metadata represents the holos component name
+	metadata?: #ObjectMeta @go(Metadata)
+
+	// APIObjectMap holds the marshalled representation of api objects. Think of
+	// these as resources overlaid at the back of the render pipeline.
+	apiObjectMap?: #APIObjectMap @go(APIObjectMap)
+
+	#Kustomization
+
+	#Kustomize
+
+	// Skip causes holos to take no action regarding the component.
+	Skip: bool
+}

docs/examples/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/constants_go_gen.cue

@@ -0,0 +1,15 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/holos-run/holos/api/v1alpha1
+
+package v1alpha1
+
+#APIVersion:    "holos.run/v1alpha1"
+#BuildPlanKind: "BuildPlan"
+#HelmChartKind: "HelmChart"
+
+// ChartDir is the directory name created in the holos component directory to cache a chart.
+#ChartDir: "vendor"
+
+// ResourcesFile is the file name used to store component output when post-processing with kustomize.
+#ResourcesFile: "resources.yaml"

docs/examples/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/doc_go_gen.cue

@@ -0,0 +1,6 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/holos-run/holos/api/v1alpha1
+
+// Package v1alpha1 defines the api boundary between CUE and Holos.
+package v1alpha1

docs/examples/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/helm_go_gen.cue

@@ -0,0 +1,28 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/holos-run/holos/api/v1alpha1
+
+package v1alpha1
+
+// A HelmChart represents a helm command to provide chart values in order to render kubernetes api objects.
+#HelmChart: {
+	#HolosComponent
+
+	// Namespace is the namespace to install into.  TODO: Use metadata.namespace instead.
+	namespace:     string @go(Namespace)
+	chart:         #Chart @go(Chart)
+	valuesContent: string @go(ValuesContent)
+	enableHooks:   bool   @go(EnableHooks)
+}
+
+#Chart: {
+	name:        string      @go(Name)
+	version:     string      @go(Version)
+	release:     string      @go(Release)
+	repository?: #Repository @go(Repository)
+}
+
+#Repository: {
+	name: string @go(Name)
+	url:  string @go(URL)
+}

docs/examples/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/kubernetesobjects_go_gen.cue

@@ -0,0 +1,12 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/holos-run/holos/api/v1alpha1
+
+package v1alpha1
+
+#KubernetesObjectsKind: "KubernetesObjects"
+
+// KubernetesObjects represents CUE output which directly provides Kubernetes api objects to holos.
+#KubernetesObjects: {
+	#HolosComponent
+}

docs/examples/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/kustomization_go_gen.cue

@@ -0,0 +1,11 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/holos-run/holos/api/v1alpha1
+
+package v1alpha1
+
+// Kustomization holds the rendered flux kustomization api object content for git ops.
+#Kustomization: {
+	// KsContent is the yaml representation of the flux kustomization for gitops.
+	ksContent?: string @go(KsContent)
+}

docs/examples/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/kustomize_go_gen.cue

@@ -0,0 +1,25 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/holos-run/holos/api/v1alpha1
+
+package v1alpha1
+
+#KustomizeBuildKind: "KustomizeBuild"
+
+// Kustomize represents resources necessary to execute a kustomize build.
+// Intended for at least two use cases:
+//
+//  1. Process raw yaml file resources in a holos component directory.
+//  2. Post process a HelmChart to inject istio, add custom labels, etc...
+#Kustomize: {
+	// KustomizeFiles holds file contents for kustomize, e.g. patch files.
+	kustomizeFiles?: #FileContentMap @go(KustomizeFiles)
+
+	// ResourcesFile is the file name used for api objects in kustomization.yaml
+	resourcesFile?: string @go(ResourcesFile)
+}
+
+// KustomizeBuild renders plain yaml files in the holos component directory using kubectl kustomize build.
+#KustomizeBuild: {
+	#HolosComponent
+}

docs/examples/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/kustomizebuild_go_gen.cue

@@ -0,0 +1,12 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/holos-run/holos/api/v1alpha1
+
+package v1alpha1
+
+#KustomizeBuildKind: "KustomizeBuild"
+
+// KustomizeBuild
+#KustomizeBuild: {
+	#HolosComponent
+}

docs/examples/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/objectmap_go_gen.cue

@@ -0,0 +1,18 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/holos-run/holos/api/v1alpha1
+
+package v1alpha1
+
+// Label is an arbitrary unique identifier.  Defined as a type for clarity and type checking.
+#Label: string
+
+// Kind is a kubernetes api object kind. Defined as a type for clarity and type checking.
+#Kind: string
+
+// APIObjectMap is the shape of marshalled api objects returned from cue to the
+// holos cli. A map is used to improve the clarity of error messages from cue.
+#APIObjectMap: {[string]: [string]: string}
+
+// FileContentMap is a map of file names to file contents.
+#FileContentMap: {[string]: string}

docs/examples/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/objectmeta_go_gen.cue

@@ -0,0 +1,22 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/holos-run/holos/api/v1alpha1
+
+package v1alpha1
+
+// ObjectMeta represents metadata of a holos component object. The fields are a
+// copy of upstream kubernetes api machinery but are by holos objects distinct
+// from kubernetes api objects.
+#ObjectMeta: {
+	// Name uniquely identifies the holos component instance and must be suitable as a file name.
+	name?: string @go(Name)
+
+	// Namespace confines a holos component to a single namespace via kustomize if set.
+	namespace?: string @go(Namespace)
+
+	// Labels are not used but are copied from api machinery ObjectMeta for completeness.
+	labels?: {[string]: string} @go(Labels,map[string]string)
+
+	// Annotations are not used but are copied from api machinery ObjectMeta for completeness.
+	annotations?: {[string]: string} @go(Annotations,map[string]string)
+}

docs/examples/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/render_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/holos-run/holos/api/v1alpha1
+
+package v1alpha1
+
+#Renderer: _

docs/examples/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/result_go_gen.cue

@@ -0,0 +1,10 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/holos-run/holos/api/v1alpha1
+
+package v1alpha1
+
+// Result is the build result for display or writing.  Holos components Render the Result as a data pipeline.
+#Result: {
+	HolosComponent: #HolosComponent
+}

docs/examples/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/typemeta_go_gen.cue

@@ -0,0 +1,10 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/holos-run/holos/api/v1alpha1
+
+package v1alpha1
+
+#TypeMeta: {
+	kind?:       string @go(Kind)
+	apiVersion?: string @go(APIVersion)
+}

docs/examples/cue.mod/gen/networking.istio.io/virtualservice/v1beta1/types_gen.cue

@@ -306,19 +306,10 @@ import "strings"
 			// "value"` for prefix-based match - `regex: "value"` for RE2
 			// style regex-based match
 			// (https://github.com/google/re2/wiki/Syntax).
-			uri?: ({} | {
-				exact: _
-			} | {
-				prefix: _
-			} | {
-				regex: _
-			}) & {
+			uri?: {
 				exact?:  string
 				prefix?: string
-
-				// RE2 style regex-based match
-				// (https://github.com/google/re2/wiki/Syntax).
-				regex?: string
+				regex?:  string
 			}
 
 			// withoutHeader has the same syntax with the header, but has

docs/examples/cue.mod/gen/postgres-operator.crunchydata.com/pgadmin/v1beta1/types_gen.cue

@@ -0,0 +1,975 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/core2/components/prod-pgo-crds/prod-pgo-crds.gen.yaml
+
+package v1beta1
+
+import "strings"
+
+// PGAdmin is the Schema for the pgadmins API
+#PGAdmin: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "postgres-operator.crunchydata.com/v1beta1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "PGAdmin"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// PGAdminSpec defines the desired state of PGAdmin
+	spec!: #PGAdminSpec
+}
+
+// PGAdminSpec defines the desired state of PGAdmin
+#PGAdminSpec: {
+	// Scheduling constraints of the PGAdmin pod. More info:
+	// https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node
+	affinity?: {
+		// Describes node affinity scheduling rules for the pod.
+		nodeAffinity?: {
+			// The scheduler will prefer to schedule pods to nodes that
+			// satisfy the affinity expressions specified by this field, but
+			// it may choose a node that violates one or more of the
+			// expressions. The node that is most preferred is the one with
+			// the greatest sum of weights, i.e. for each node that meets all
+			// of the scheduling requirements (resource request,
+			// requiredDuringScheduling affinity expressions, etc.), compute
+			// a sum by iterating through the elements of this field and
+			// adding "weight" to the sum if the node matches the
+			// corresponding matchExpressions; the node(s) with the highest
+			// sum are the most preferred.
+			preferredDuringSchedulingIgnoredDuringExecution?: [...{
+				// A node selector term, associated with the corresponding weight.
+				preference: {
+					// A list of node selector requirements by node's labels.
+					matchExpressions?: [...{
+						// The label key that the selector applies to.
+						key: string
+
+						// Represents a key's relationship to a set of values. Valid
+						// operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+						operator: string
+
+						// An array of string values. If the operator is In or NotIn, the
+						// values array must be non-empty. If the operator is Exists or
+						// DoesNotExist, the values array must be empty. If the operator
+						// is Gt or Lt, the values array must have a single element,
+						// which will be interpreted as an integer. This array is
+						// replaced during a strategic merge patch.
+						values?: [...string]
+					}]
+
+					// A list of node selector requirements by node's fields.
+					matchFields?: [...{
+						// The label key that the selector applies to.
+						key: string
+
+						// Represents a key's relationship to a set of values. Valid
+						// operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+						operator: string
+
+						// An array of string values. If the operator is In or NotIn, the
+						// values array must be non-empty. If the operator is Exists or
+						// DoesNotExist, the values array must be empty. If the operator
+						// is Gt or Lt, the values array must have a single element,
+						// which will be interpreted as an integer. This array is
+						// replaced during a strategic merge patch.
+						values?: [...string]
+					}]
+				}
+
+				// Weight associated with matching the corresponding
+				// nodeSelectorTerm, in the range 1-100.
+				weight: int
+			}]
+			requiredDuringSchedulingIgnoredDuringExecution?: {
+				// Required. A list of node selector terms. The terms are ORed.
+				nodeSelectorTerms: [...{
+					// A list of node selector requirements by node's labels.
+					matchExpressions?: [...{
+						// The label key that the selector applies to.
+						key: string
+
+						// Represents a key's relationship to a set of values. Valid
+						// operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+						operator: string
+
+						// An array of string values. If the operator is In or NotIn, the
+						// values array must be non-empty. If the operator is Exists or
+						// DoesNotExist, the values array must be empty. If the operator
+						// is Gt or Lt, the values array must have a single element,
+						// which will be interpreted as an integer. This array is
+						// replaced during a strategic merge patch.
+						values?: [...string]
+					}]
+
+					// A list of node selector requirements by node's fields.
+					matchFields?: [...{
+						// The label key that the selector applies to.
+						key: string
+
+						// Represents a key's relationship to a set of values. Valid
+						// operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+						operator: string
+
+						// An array of string values. If the operator is In or NotIn, the
+						// values array must be non-empty. If the operator is Exists or
+						// DoesNotExist, the values array must be empty. If the operator
+						// is Gt or Lt, the values array must have a single element,
+						// which will be interpreted as an integer. This array is
+						// replaced during a strategic merge patch.
+						values?: [...string]
+					}]
+				}]
+			}
+		}
+
+		// Describes pod affinity scheduling rules (e.g. co-locate this
+		// pod in the same node, zone, etc. as some other pod(s)).
+		podAffinity?: {
+			// The scheduler will prefer to schedule pods to nodes that
+			// satisfy the affinity expressions specified by this field, but
+			// it may choose a node that violates one or more of the
+			// expressions. The node that is most preferred is the one with
+			// the greatest sum of weights, i.e. for each node that meets all
+			// of the scheduling requirements (resource request,
+			// requiredDuringScheduling affinity expressions, etc.), compute
+			// a sum by iterating through the elements of this field and
+			// adding "weight" to the sum if the node has pods which matches
+			// the corresponding podAffinityTerm; the node(s) with the
+			// highest sum are the most preferred.
+			preferredDuringSchedulingIgnoredDuringExecution?: [...{
+				// Required. A pod affinity term, associated with the
+				// corresponding weight.
+				podAffinityTerm: {
+					// A label query over a set of resources, in this case pods.
+					labelSelector?: {
+						// matchExpressions is a list of label selector requirements. The
+						// requirements are ANDed.
+						matchExpressions?: [...{
+							// key is the label key that the selector applies to.
+							key: string
+
+							// operator represents a key's relationship to a set of values.
+							// Valid operators are In, NotIn, Exists and DoesNotExist.
+							operator: string
+
+							// values is an array of string values. If the operator is In or
+							// NotIn, the values array must be non-empty. If the operator is
+							// Exists or DoesNotExist, the values array must be empty. This
+							// array is replaced during a strategic merge patch.
+							values?: [...string]
+						}]
+
+						// matchLabels is a map of {key,value} pairs. A single {key,value}
+						// in the matchLabels map is equivalent to an element of
+						// matchExpressions, whose key field is "key", the operator is
+						// "In", and the values array contains only "value". The
+						// requirements are ANDed.
+						matchLabels?: {
+							[string]: string
+						}
+					}
+
+					// A label query over the set of namespaces that the term applies
+					// to. The term is applied to the union of the namespaces
+					// selected by this field and the ones listed in the namespaces
+					// field. null selector and null or empty namespaces list means
+					// "this pod's namespace". An empty selector ({}) matches all
+					// namespaces.
+					namespaceSelector?: {
+						// matchExpressions is a list of label selector requirements. The
+						// requirements are ANDed.
+						matchExpressions?: [...{
+							// key is the label key that the selector applies to.
+							key: string
+
+							// operator represents a key's relationship to a set of values.
+							// Valid operators are In, NotIn, Exists and DoesNotExist.
+							operator: string
+
+							// values is an array of string values. If the operator is In or
+							// NotIn, the values array must be non-empty. If the operator is
+							// Exists or DoesNotExist, the values array must be empty. This
+							// array is replaced during a strategic merge patch.
+							values?: [...string]
+						}]
+
+						// matchLabels is a map of {key,value} pairs. A single {key,value}
+						// in the matchLabels map is equivalent to an element of
+						// matchExpressions, whose key field is "key", the operator is
+						// "In", and the values array contains only "value". The
+						// requirements are ANDed.
+						matchLabels?: {
+							[string]: string
+						}
+					}
+
+					// namespaces specifies a static list of namespace names that the
+					// term applies to. The term is applied to the union of the
+					// namespaces listed in this field and the ones selected by
+					// namespaceSelector. null or empty namespaces list and null
+					// namespaceSelector means "this pod's namespace".
+					namespaces?: [...string]
+
+					// This pod should be co-located (affinity) or not co-located
+					// (anti-affinity) with the pods matching the labelSelector in
+					// the specified namespaces, where co-located is defined as
+					// running on a node whose value of the label with key
+					// topologyKey matches that of any node on which any of the
+					// selected pods is running. Empty topologyKey is not allowed.
+					topologyKey: string
+				}
+
+				// weight associated with matching the corresponding
+				// podAffinityTerm, in the range 1-100.
+				weight: int
+			}]
+
+			// If the affinity requirements specified by this field are not
+			// met at scheduling time, the pod will not be scheduled onto the
+			// node. If the affinity requirements specified by this field
+			// cease to be met at some point during pod execution (e.g. due
+			// to a pod label update), the system may or may not try to
+			// eventually evict the pod from its node. When there are
+			// multiple elements, the lists of nodes corresponding to each
+			// podAffinityTerm are intersected, i.e. all terms must be
+			// satisfied.
+			requiredDuringSchedulingIgnoredDuringExecution?: [...{
+				// A label query over a set of resources, in this case pods.
+				labelSelector?: {
+					// matchExpressions is a list of label selector requirements. The
+					// requirements are ANDed.
+					matchExpressions?: [...{
+						// key is the label key that the selector applies to.
+						key: string
+
+						// operator represents a key's relationship to a set of values.
+						// Valid operators are In, NotIn, Exists and DoesNotExist.
+						operator: string
+
+						// values is an array of string values. If the operator is In or
+						// NotIn, the values array must be non-empty. If the operator is
+						// Exists or DoesNotExist, the values array must be empty. This
+						// array is replaced during a strategic merge patch.
+						values?: [...string]
+					}]
+
+					// matchLabels is a map of {key,value} pairs. A single {key,value}
+					// in the matchLabels map is equivalent to an element of
+					// matchExpressions, whose key field is "key", the operator is
+					// "In", and the values array contains only "value". The
+					// requirements are ANDed.
+					matchLabels?: {
+						[string]: string
+					}
+				}
+
+				// A label query over the set of namespaces that the term applies
+				// to. The term is applied to the union of the namespaces
+				// selected by this field and the ones listed in the namespaces
+				// field. null selector and null or empty namespaces list means
+				// "this pod's namespace". An empty selector ({}) matches all
+				// namespaces.
+				namespaceSelector?: {
+					// matchExpressions is a list of label selector requirements. The
+					// requirements are ANDed.
+					matchExpressions?: [...{
+						// key is the label key that the selector applies to.
+						key: string
+
+						// operator represents a key's relationship to a set of values.
+						// Valid operators are In, NotIn, Exists and DoesNotExist.
+						operator: string
+
+						// values is an array of string values. If the operator is In or
+						// NotIn, the values array must be non-empty. If the operator is
+						// Exists or DoesNotExist, the values array must be empty. This
+						// array is replaced during a strategic merge patch.
+						values?: [...string]
+					}]
+
+					// matchLabels is a map of {key,value} pairs. A single {key,value}
+					// in the matchLabels map is equivalent to an element of
+					// matchExpressions, whose key field is "key", the operator is
+					// "In", and the values array contains only "value". The
+					// requirements are ANDed.
+					matchLabels?: {
+						[string]: string
+					}
+				}
+
+				// namespaces specifies a static list of namespace names that the
+				// term applies to. The term is applied to the union of the
+				// namespaces listed in this field and the ones selected by
+				// namespaceSelector. null or empty namespaces list and null
+				// namespaceSelector means "this pod's namespace".
+				namespaces?: [...string]
+
+				// This pod should be co-located (affinity) or not co-located
+				// (anti-affinity) with the pods matching the labelSelector in
+				// the specified namespaces, where co-located is defined as
+				// running on a node whose value of the label with key
+				// topologyKey matches that of any node on which any of the
+				// selected pods is running. Empty topologyKey is not allowed.
+				topologyKey: string
+			}]
+		}
+
+		// Describes pod anti-affinity scheduling rules (e.g. avoid
+		// putting this pod in the same node, zone, etc. as some other
+		// pod(s)).
+		podAntiAffinity?: {
+			// The scheduler will prefer to schedule pods to nodes that
+			// satisfy the anti-affinity expressions specified by this field,
+			// but it may choose a node that violates one or more of the
+			// expressions. The node that is most preferred is the one with
+			// the greatest sum of weights, i.e. for each node that meets all
+			// of the scheduling requirements (resource request,
+			// requiredDuringScheduling anti-affinity expressions, etc.),
+			// compute a sum by iterating through the elements of this field
+			// and adding "weight" to the sum if the node has pods which
+			// matches the corresponding podAffinityTerm; the node(s) with
+			// the highest sum are the most preferred.
+			preferredDuringSchedulingIgnoredDuringExecution?: [...{
+				// Required. A pod affinity term, associated with the
+				// corresponding weight.
+				podAffinityTerm: {
+					// A label query over a set of resources, in this case pods.
+					labelSelector?: {
+						// matchExpressions is a list of label selector requirements. The
+						// requirements are ANDed.
+						matchExpressions?: [...{
+							// key is the label key that the selector applies to.
+							key: string
+
+							// operator represents a key's relationship to a set of values.
+							// Valid operators are In, NotIn, Exists and DoesNotExist.
+							operator: string
+
+							// values is an array of string values. If the operator is In or
+							// NotIn, the values array must be non-empty. If the operator is
+							// Exists or DoesNotExist, the values array must be empty. This
+							// array is replaced during a strategic merge patch.
+							values?: [...string]
+						}]
+
+						// matchLabels is a map of {key,value} pairs. A single {key,value}
+						// in the matchLabels map is equivalent to an element of
+						// matchExpressions, whose key field is "key", the operator is
+						// "In", and the values array contains only "value". The
+						// requirements are ANDed.
+						matchLabels?: {
+							[string]: string
+						}
+					}
+
+					// A label query over the set of namespaces that the term applies
+					// to. The term is applied to the union of the namespaces
+					// selected by this field and the ones listed in the namespaces
+					// field. null selector and null or empty namespaces list means
+					// "this pod's namespace". An empty selector ({}) matches all
+					// namespaces.
+					namespaceSelector?: {
+						// matchExpressions is a list of label selector requirements. The
+						// requirements are ANDed.
+						matchExpressions?: [...{
+							// key is the label key that the selector applies to.
+							key: string
+
+							// operator represents a key's relationship to a set of values.
+							// Valid operators are In, NotIn, Exists and DoesNotExist.
+							operator: string
+
+							// values is an array of string values. If the operator is In or
+							// NotIn, the values array must be non-empty. If the operator is
+							// Exists or DoesNotExist, the values array must be empty. This
+							// array is replaced during a strategic merge patch.
+							values?: [...string]
+						}]
+
+						// matchLabels is a map of {key,value} pairs. A single {key,value}
+						// in the matchLabels map is equivalent to an element of
+						// matchExpressions, whose key field is "key", the operator is
+						// "In", and the values array contains only "value". The
+						// requirements are ANDed.
+						matchLabels?: {
+							[string]: string
+						}
+					}
+
+					// namespaces specifies a static list of namespace names that the
+					// term applies to. The term is applied to the union of the
+					// namespaces listed in this field and the ones selected by
+					// namespaceSelector. null or empty namespaces list and null
+					// namespaceSelector means "this pod's namespace".
+					namespaces?: [...string]
+
+					// This pod should be co-located (affinity) or not co-located
+					// (anti-affinity) with the pods matching the labelSelector in
+					// the specified namespaces, where co-located is defined as
+					// running on a node whose value of the label with key
+					// topologyKey matches that of any node on which any of the
+					// selected pods is running. Empty topologyKey is not allowed.
+					topologyKey: string
+				}
+
+				// weight associated with matching the corresponding
+				// podAffinityTerm, in the range 1-100.
+				weight: int
+			}]
+
+			// If the anti-affinity requirements specified by this field are
+			// not met at scheduling time, the pod will not be scheduled onto
+			// the node. If the anti-affinity requirements specified by this
+			// field cease to be met at some point during pod execution (e.g.
+			// due to a pod label update), the system may or may not try to
+			// eventually evict the pod from its node. When there are
+			// multiple elements, the lists of nodes corresponding to each
+			// podAffinityTerm are intersected, i.e. all terms must be
+			// satisfied.
+			requiredDuringSchedulingIgnoredDuringExecution?: [...{
+				// A label query over a set of resources, in this case pods.
+				labelSelector?: {
+					// matchExpressions is a list of label selector requirements. The
+					// requirements are ANDed.
+					matchExpressions?: [...{
+						// key is the label key that the selector applies to.
+						key: string
+
+						// operator represents a key's relationship to a set of values.
+						// Valid operators are In, NotIn, Exists and DoesNotExist.
+						operator: string
+
+						// values is an array of string values. If the operator is In or
+						// NotIn, the values array must be non-empty. If the operator is
+						// Exists or DoesNotExist, the values array must be empty. This
+						// array is replaced during a strategic merge patch.
+						values?: [...string]
+					}]
+
+					// matchLabels is a map of {key,value} pairs. A single {key,value}
+					// in the matchLabels map is equivalent to an element of
+					// matchExpressions, whose key field is "key", the operator is
+					// "In", and the values array contains only "value". The
+					// requirements are ANDed.
+					matchLabels?: {
+						[string]: string
+					}
+				}
+
+				// A label query over the set of namespaces that the term applies
+				// to. The term is applied to the union of the namespaces
+				// selected by this field and the ones listed in the namespaces
+				// field. null selector and null or empty namespaces list means
+				// "this pod's namespace". An empty selector ({}) matches all
+				// namespaces.
+				namespaceSelector?: {
+					// matchExpressions is a list of label selector requirements. The
+					// requirements are ANDed.
+					matchExpressions?: [...{
+						// key is the label key that the selector applies to.
+						key: string
+
+						// operator represents a key's relationship to a set of values.
+						// Valid operators are In, NotIn, Exists and DoesNotExist.
+						operator: string
+
+						// values is an array of string values. If the operator is In or
+						// NotIn, the values array must be non-empty. If the operator is
+						// Exists or DoesNotExist, the values array must be empty. This
+						// array is replaced during a strategic merge patch.
+						values?: [...string]
+					}]
+
+					// matchLabels is a map of {key,value} pairs. A single {key,value}
+					// in the matchLabels map is equivalent to an element of
+					// matchExpressions, whose key field is "key", the operator is
+					// "In", and the values array contains only "value". The
+					// requirements are ANDed.
+					matchLabels?: {
+						[string]: string
+					}
+				}
+
+				// namespaces specifies a static list of namespace names that the
+				// term applies to. The term is applied to the union of the
+				// namespaces listed in this field and the ones selected by
+				// namespaceSelector. null or empty namespaces list and null
+				// namespaceSelector means "this pod's namespace".
+				namespaces?: [...string]
+
+				// This pod should be co-located (affinity) or not co-located
+				// (anti-affinity) with the pods matching the labelSelector in
+				// the specified namespaces, where co-located is defined as
+				// running on a node whose value of the label with key
+				// topologyKey matches that of any node on which any of the
+				// selected pods is running. Empty topologyKey is not allowed.
+				topologyKey: string
+			}]
+		}
+	}
+
+	// Configuration settings for the pgAdmin process. Changes to any
+	// of these values will be loaded without validation. Be careful,
+	// as you may put pgAdmin into an unusable state.
+	config?: {
+		// Files allows the user to mount projected volumes into the
+		// pgAdmin container so that files can be referenced by pgAdmin
+		// as needed.
+		files?: [...{
+			// configMap information about the configMap data to project
+			configMap?: {
+				// items if unspecified, each key-value pair in the Data field of
+				// the referenced ConfigMap will be projected into the volume as
+				// a file whose name is the key and content is the value. If
+				// specified, the listed keys will be projected into the
+				// specified paths, and unlisted keys will not be present. If a
+				// key is specified which is not present in the ConfigMap, the
+				// volume setup will error unless it is marked optional. Paths
+				// must be relative and may not contain the '..' path or start
+				// with '..'.
+				items?: [...{
+					// key is the key to project.
+					key: string
+
+					// mode is Optional: mode bits used to set permissions on this
+					// file. Must be an octal value between 0000 and 0777 or a
+					// decimal value between 0 and 511. YAML accepts both octal and
+					// decimal values, JSON requires decimal values for mode bits. If
+					// not specified, the volume defaultMode will be used. This might
+					// be in conflict with other options that affect the file mode,
+					// like fsGroup, and the result can be other mode bits set.
+					mode?: int
+
+					// path is the relative path of the file to map the key to. May
+					// not be an absolute path. May not contain the path element
+					// '..'. May not start with the string '..'.
+					path: string
+				}]
+
+				// Name of the referent. More info:
+				// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+				name?: string
+
+				// optional specify whether the ConfigMap or its keys must be
+				// defined
+				optional?: bool
+			}
+			downwardAPI?: {
+				// Items is a list of DownwardAPIVolume file
+				items?: [...{
+					// Required: Selects a field of the pod: only annotations, labels,
+					// name and namespace are supported.
+					fieldRef?: {
+						// Version of the schema the FieldPath is written in terms of,
+						// defaults to "v1".
+						apiVersion?: string
+
+						// Path of the field to select in the specified API version.
+						fieldPath: string
+					}
+
+					// Optional: mode bits used to set permissions on this file, must
+					// be an octal value between 0000 and 0777 or a decimal value
+					// between 0 and 511. YAML accepts both octal and decimal values,
+					// JSON requires decimal values for mode bits. If not specified,
+					// the volume defaultMode will be used. This might be in conflict
+					// with other options that affect the file mode, like fsGroup,
+					// and the result can be other mode bits set.
+					mode?: int
+
+					// Required: Path is the relative path name of the file to be
+					// created. Must not be absolute or contain the '..' path. Must
+					// be utf-8 encoded. The first item of the relative path must not
+					// start with '..'
+					path: string
+
+					// Selects a resource of the container: only resources limits and
+					// requests (limits.cpu, limits.memory, requests.cpu and
+					// requests.memory) are currently supported.
+					resourceFieldRef?: {
+						// Container name: required for volumes, optional for env vars
+						containerName?: string
+
+						// Specifies the output format of the exposed resources, defaults
+						// to "1"
+						divisor?: (int | string) & {
+							=~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$"
+						}
+
+						// Required: resource to select
+						resource: string
+					}
+				}]
+			}
+
+			// secret information about the secret data to project
+			secret?: {
+				// items if unspecified, each key-value pair in the Data field of
+				// the referenced Secret will be projected into the volume as a
+				// file whose name is the key and content is the value. If
+				// specified, the listed keys will be projected into the
+				// specified paths, and unlisted keys will not be present. If a
+				// key is specified which is not present in the Secret, the
+				// volume setup will error unless it is marked optional. Paths
+				// must be relative and may not contain the '..' path or start
+				// with '..'.
+				items?: [...{
+					// key is the key to project.
+					key: string
+
+					// mode is Optional: mode bits used to set permissions on this
+					// file. Must be an octal value between 0000 and 0777 or a
+					// decimal value between 0 and 511. YAML accepts both octal and
+					// decimal values, JSON requires decimal values for mode bits. If
+					// not specified, the volume defaultMode will be used. This might
+					// be in conflict with other options that affect the file mode,
+					// like fsGroup, and the result can be other mode bits set.
+					mode?: int
+
+					// path is the relative path of the file to map the key to. May
+					// not be an absolute path. May not contain the path element
+					// '..'. May not start with the string '..'.
+					path: string
+				}]
+
+				// Name of the referent. More info:
+				// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+				name?: string
+
+				// optional field specify whether the Secret or its key must be
+				// defined
+				optional?: bool
+			}
+
+			// serviceAccountToken is information about the
+			// serviceAccountToken data to project
+			serviceAccountToken?: {
+				// audience is the intended audience of the token. A recipient of
+				// a token must identify itself with an identifier specified in
+				// the audience of the token, and otherwise should reject the
+				// token. The audience defaults to the identifier of the
+				// apiserver.
+				audience?: string
+
+				// expirationSeconds is the requested duration of validity of the
+				// service account token. As the token approaches expiration, the
+				// kubelet volume plugin will proactively rotate the service
+				// account token. The kubelet will start trying to rotate the
+				// token if the token is older than 80 percent of its time to
+				// live or if the token is older than 24 hours.Defaults to 1 hour
+				// and must be at least 10 minutes.
+				expirationSeconds?: int
+
+				// path is the path relative to the mount point of the file to
+				// project the token into.
+				path: string
+			}
+		}]
+
+		// A Secret containing the value for the LDAP_BIND_PASSWORD
+		// setting. More info:
+		// https://www.pgadmin.org/docs/pgadmin4/latest/ldap.html
+		ldapBindPassword?: {
+			// The key of the secret to select from. Must be a valid secret
+			// key.
+			key: string
+
+			// Name of the referent. More info:
+			// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+			name?: string
+
+			// Specify whether the Secret or its key must be defined
+			optional?: bool
+		}
+
+		// Settings for the pgAdmin server process. Keys should be
+		// uppercase and values must be constants. More info:
+		// https://www.pgadmin.org/docs/pgadmin4/latest/config_py.html
+		settings?: {
+			...
+		}
+	}
+
+	// Defines a PersistentVolumeClaim for pgAdmin data. More info:
+	// https://kubernetes.io/docs/concepts/storage/persistent-volumes
+	dataVolumeClaimSpec: {
+		// accessModes contains the desired access modes the volume should
+		// have. More info:
+		// https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1
+		accessModes?: [...string]
+
+		// dataSource field can be used to specify either: * An existing
+		// VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot)
+		// * An existing PVC (PersistentVolumeClaim) If the provisioner
+		// or an external controller can support the specified data
+		// source, it will create a new volume based on the contents of
+		// the specified data source. If the AnyVolumeDataSource feature
+		// gate is enabled, this field will always have the same contents
+		// as the DataSourceRef field.
+		dataSource?: {
+			// APIGroup is the group for the resource being referenced. If
+			// APIGroup is not specified, the specified Kind must be in the
+			// core API group. For any other third-party types, APIGroup is
+			// required.
+			apiGroup?: string
+
+			// Kind is the type of resource being referenced
+			kind: string
+
+			// Name is the name of resource being referenced
+			name: string
+		}
+
+		// dataSourceRef specifies the object from which to populate the
+		// volume with data, if a non-empty volume is desired. This may
+		// be any local object from a non-empty API group (non core
+		// object) or a PersistentVolumeClaim object. When this field is
+		// specified, volume binding will only succeed if the type of the
+		// specified object matches some installed volume populator or
+		// dynamic provisioner. This field will replace the functionality
+		// of the DataSource field and as such if both fields are
+		// non-empty, they must have the same value. For backwards
+		// compatibility, both fields (DataSource and DataSourceRef) will
+		// be set to the same value automatically if one of them is empty
+		// and the other is non-empty. There are two important
+		// differences between DataSource and DataSourceRef: * While
+		// DataSource only allows two specific types of objects,
+		// DataSourceRef allows any non-core object, as well as
+		// PersistentVolumeClaim objects. * While DataSource ignores
+		// disallowed values (dropping them), DataSourceRef preserves all
+		// values, and generates an error if a disallowed value is
+		// specified. (Beta) Using this field requires the
+		// AnyVolumeDataSource feature gate to be enabled.
+		dataSourceRef?: {
+			// APIGroup is the group for the resource being referenced. If
+			// APIGroup is not specified, the specified Kind must be in the
+			// core API group. For any other third-party types, APIGroup is
+			// required.
+			apiGroup?: string
+
+			// Kind is the type of resource being referenced
+			kind: string
+
+			// Name is the name of resource being referenced
+			name: string
+		}
+
+		// resources represents the minimum resources the volume should
+		// have. If RecoverVolumeExpansionFailure feature is enabled
+		// users are allowed to specify resource requirements that are
+		// lower than previous value but must still be higher than
+		// capacity recorded in the status field of the claim. More info:
+		// https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
+		resources?: {
+			// Limits describes the maximum amount of compute resources
+			// allowed. More info:
+			// https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+			limits?: {
+				[string]: (int | string) & =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$"
+			}
+
+			// Requests describes the minimum amount of compute resources
+			// required. If Requests is omitted for a container, it defaults
+			// to Limits if that is explicitly specified, otherwise to an
+			// implementation-defined value. More info:
+			// https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+			requests?: {
+				[string]: (int | string) & =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$"
+			}
+		}
+
+		// selector is a label query over volumes to consider for binding.
+		selector?: {
+			// matchExpressions is a list of label selector requirements. The
+			// requirements are ANDed.
+			matchExpressions?: [...{
+				// key is the label key that the selector applies to.
+				key: string
+
+				// operator represents a key's relationship to a set of values.
+				// Valid operators are In, NotIn, Exists and DoesNotExist.
+				operator: string
+
+				// values is an array of string values. If the operator is In or
+				// NotIn, the values array must be non-empty. If the operator is
+				// Exists or DoesNotExist, the values array must be empty. This
+				// array is replaced during a strategic merge patch.
+				values?: [...string]
+			}]
+
+			// matchLabels is a map of {key,value} pairs. A single {key,value}
+			// in the matchLabels map is equivalent to an element of
+			// matchExpressions, whose key field is "key", the operator is
+			// "In", and the values array contains only "value". The
+			// requirements are ANDed.
+			matchLabels?: {
+				[string]: string
+			}
+		}
+
+		// storageClassName is the name of the StorageClass required by
+		// the claim. More info:
+		// https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1
+		storageClassName?: string
+
+		// volumeMode defines what type of volume is required by the
+		// claim. Value of Filesystem is implied when not included in
+		// claim spec.
+		volumeMode?: string
+
+		// volumeName is the binding reference to the PersistentVolume
+		// backing this claim.
+		volumeName?: string
+	}
+
+	// The image name to use for pgAdmin instance.
+	image?: string
+
+	// ImagePullPolicy is used to determine when Kubernetes will
+	// attempt to pull (download) container images. More info:
+	// https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy
+	imagePullPolicy?: "Always" | "Never" | "IfNotPresent"
+
+	// The image pull secrets used to pull from a private registry.
+	// Changing this value causes all running PGAdmin pods to
+	// restart.
+	// https://k8s.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+	imagePullSecrets?: [...{
+		// Name of the referent. More info:
+		// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+		name?: string
+	}]
+
+	// Metadata contains metadata for custom resources
+	metadata?: {
+		annotations?: {
+			[string]: string
+		}
+		labels?: {
+			[string]: string
+		}
+	}
+
+	// Priority class name for the PGAdmin pod. Changing this value
+	// causes PGAdmin pod to restart. More info:
+	// https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/
+	priorityClassName?: string
+
+	// Resource requirements for the PGAdmin container.
+	resources?: {
+		// Limits describes the maximum amount of compute resources
+		// allowed. More info:
+		// https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+		limits?: {
+			[string]: (int | string) & =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$"
+		}
+
+		// Requests describes the minimum amount of compute resources
+		// required. If Requests is omitted for a container, it defaults
+		// to Limits if that is explicitly specified, otherwise to an
+		// implementation-defined value. More info:
+		// https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+		requests?: {
+			[string]: (int | string) & =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$"
+		}
+	}
+
+	// ServerGroups for importing PostgresClusters to pgAdmin. To
+	// create a pgAdmin with no selectors, leave this field empty. A
+	// pgAdmin created with no `ServerGroups` will not automatically
+	// add any servers through discovery. PostgresClusters can still
+	// be added manually.
+	serverGroups?: [...{
+		// The name for the ServerGroup in pgAdmin. Must be unique in the
+		// pgAdmin's ServerGroups since it becomes the ServerGroup name
+		// in pgAdmin.
+		name: string
+
+		// PostgresClusterSelector selects clusters to dynamically add to
+		// pgAdmin by matching labels. An empty selector like `{}` will
+		// select ALL clusters in the namespace.
+		postgresClusterSelector: {
+			// matchExpressions is a list of label selector requirements. The
+			// requirements are ANDed.
+			matchExpressions?: [...{
+				// key is the label key that the selector applies to.
+				key: string
+
+				// operator represents a key's relationship to a set of values.
+				// Valid operators are In, NotIn, Exists and DoesNotExist.
+				operator: string
+
+				// values is an array of string values. If the operator is In or
+				// NotIn, the values array must be non-empty. If the operator is
+				// Exists or DoesNotExist, the values array must be empty. This
+				// array is replaced during a strategic merge patch.
+				values?: [...string]
+			}]
+
+			// matchLabels is a map of {key,value} pairs. A single {key,value}
+			// in the matchLabels map is equivalent to an element of
+			// matchExpressions, whose key field is "key", the operator is
+			// "In", and the values array contains only "value". The
+			// requirements are ANDed.
+			matchLabels?: {
+				[string]: string
+			}
+		}
+	}]
+
+	// Tolerations of the PGAdmin pod. More info:
+	// https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration
+	tolerations?: [...{
+		// Effect indicates the taint effect to match. Empty means match
+		// all taint effects. When specified, allowed values are
+		// NoSchedule, PreferNoSchedule and NoExecute.
+		effect?: string
+
+		// Key is the taint key that the toleration applies to. Empty
+		// means match all taint keys. If the key is empty, operator must
+		// be Exists; this combination means to match all values and all
+		// keys.
+		key?: string
+
+		// Operator represents a key's relationship to the value. Valid
+		// operators are Exists and Equal. Defaults to Equal. Exists is
+		// equivalent to wildcard for value, so that a pod can tolerate
+		// all taints of a particular category.
+		operator?: string
+
+		// TolerationSeconds represents the period of time the toleration
+		// (which must be of effect NoExecute, otherwise this field is
+		// ignored) tolerates the taint. By default, it is not set, which
+		// means tolerate the taint forever (do not evict). Zero and
+		// negative values will be treated as 0 (evict immediately) by
+		// the system.
+		tolerationSeconds?: int
+
+		// Value is the taint value the toleration matches to. If the
+		// operator is Exists, the value should be empty, otherwise just
+		// a regular string.
+		value?: string
+	}]
+}

docs/examples/cue.mod/gen/postgres-operator.crunchydata.com/pgupgrade/v1beta1/types_gen.cue

@@ -0,0 +1,632 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/core2/components/prod-pgo-crds/prod-pgo-crds.gen.yaml
+
+package v1beta1
+
+import "strings"
+
+// PGUpgrade is the Schema for the pgupgrades API
+#PGUpgrade: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "postgres-operator.crunchydata.com/v1beta1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "PGUpgrade"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// PGUpgradeSpec defines the desired state of PGUpgrade
+	spec!: #PGUpgradeSpec
+}
+
+// PGUpgradeSpec defines the desired state of PGUpgrade
+#PGUpgradeSpec: {
+	// Scheduling constraints of the PGUpgrade pod. More info:
+	// https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node
+	affinity?: {
+		// Describes node affinity scheduling rules for the pod.
+		nodeAffinity?: {
+			// The scheduler will prefer to schedule pods to nodes that
+			// satisfy the affinity expressions specified by this field, but
+			// it may choose a node that violates one or more of the
+			// expressions. The node that is most preferred is the one with
+			// the greatest sum of weights, i.e. for each node that meets all
+			// of the scheduling requirements (resource request,
+			// requiredDuringScheduling affinity expressions, etc.), compute
+			// a sum by iterating through the elements of this field and
+			// adding "weight" to the sum if the node matches the
+			// corresponding matchExpressions; the node(s) with the highest
+			// sum are the most preferred.
+			preferredDuringSchedulingIgnoredDuringExecution?: [...{
+				// A node selector term, associated with the corresponding weight.
+				preference: {
+					// A list of node selector requirements by node's labels.
+					matchExpressions?: [...{
+						// The label key that the selector applies to.
+						key: string
+
+						// Represents a key's relationship to a set of values. Valid
+						// operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+						operator: string
+
+						// An array of string values. If the operator is In or NotIn, the
+						// values array must be non-empty. If the operator is Exists or
+						// DoesNotExist, the values array must be empty. If the operator
+						// is Gt or Lt, the values array must have a single element,
+						// which will be interpreted as an integer. This array is
+						// replaced during a strategic merge patch.
+						values?: [...string]
+					}]
+
+					// A list of node selector requirements by node's fields.
+					matchFields?: [...{
+						// The label key that the selector applies to.
+						key: string
+
+						// Represents a key's relationship to a set of values. Valid
+						// operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+						operator: string
+
+						// An array of string values. If the operator is In or NotIn, the
+						// values array must be non-empty. If the operator is Exists or
+						// DoesNotExist, the values array must be empty. If the operator
+						// is Gt or Lt, the values array must have a single element,
+						// which will be interpreted as an integer. This array is
+						// replaced during a strategic merge patch.
+						values?: [...string]
+					}]
+				}
+
+				// Weight associated with matching the corresponding
+				// nodeSelectorTerm, in the range 1-100.
+				weight: int
+			}]
+			requiredDuringSchedulingIgnoredDuringExecution?: {
+				// Required. A list of node selector terms. The terms are ORed.
+				nodeSelectorTerms: [...{
+					// A list of node selector requirements by node's labels.
+					matchExpressions?: [...{
+						// The label key that the selector applies to.
+						key: string
+
+						// Represents a key's relationship to a set of values. Valid
+						// operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+						operator: string
+
+						// An array of string values. If the operator is In or NotIn, the
+						// values array must be non-empty. If the operator is Exists or
+						// DoesNotExist, the values array must be empty. If the operator
+						// is Gt or Lt, the values array must have a single element,
+						// which will be interpreted as an integer. This array is
+						// replaced during a strategic merge patch.
+						values?: [...string]
+					}]
+
+					// A list of node selector requirements by node's fields.
+					matchFields?: [...{
+						// The label key that the selector applies to.
+						key: string
+
+						// Represents a key's relationship to a set of values. Valid
+						// operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+						operator: string
+
+						// An array of string values. If the operator is In or NotIn, the
+						// values array must be non-empty. If the operator is Exists or
+						// DoesNotExist, the values array must be empty. If the operator
+						// is Gt or Lt, the values array must have a single element,
+						// which will be interpreted as an integer. This array is
+						// replaced during a strategic merge patch.
+						values?: [...string]
+					}]
+				}]
+			}
+		}
+
+		// Describes pod affinity scheduling rules (e.g. co-locate this
+		// pod in the same node, zone, etc. as some other pod(s)).
+		podAffinity?: {
+			// The scheduler will prefer to schedule pods to nodes that
+			// satisfy the affinity expressions specified by this field, but
+			// it may choose a node that violates one or more of the
+			// expressions. The node that is most preferred is the one with
+			// the greatest sum of weights, i.e. for each node that meets all
+			// of the scheduling requirements (resource request,
+			// requiredDuringScheduling affinity expressions, etc.), compute
+			// a sum by iterating through the elements of this field and
+			// adding "weight" to the sum if the node has pods which matches
+			// the corresponding podAffinityTerm; the node(s) with the
+			// highest sum are the most preferred.
+			preferredDuringSchedulingIgnoredDuringExecution?: [...{
+				// Required. A pod affinity term, associated with the
+				// corresponding weight.
+				podAffinityTerm: {
+					// A label query over a set of resources, in this case pods.
+					labelSelector?: {
+						// matchExpressions is a list of label selector requirements. The
+						// requirements are ANDed.
+						matchExpressions?: [...{
+							// key is the label key that the selector applies to.
+							key: string
+
+							// operator represents a key's relationship to a set of values.
+							// Valid operators are In, NotIn, Exists and DoesNotExist.
+							operator: string
+
+							// values is an array of string values. If the operator is In or
+							// NotIn, the values array must be non-empty. If the operator is
+							// Exists or DoesNotExist, the values array must be empty. This
+							// array is replaced during a strategic merge patch.
+							values?: [...string]
+						}]
+
+						// matchLabels is a map of {key,value} pairs. A single {key,value}
+						// in the matchLabels map is equivalent to an element of
+						// matchExpressions, whose key field is "key", the operator is
+						// "In", and the values array contains only "value". The
+						// requirements are ANDed.
+						matchLabels?: {
+							[string]: string
+						}
+					}
+
+					// A label query over the set of namespaces that the term applies
+					// to. The term is applied to the union of the namespaces
+					// selected by this field and the ones listed in the namespaces
+					// field. null selector and null or empty namespaces list means
+					// "this pod's namespace". An empty selector ({}) matches all
+					// namespaces.
+					namespaceSelector?: {
+						// matchExpressions is a list of label selector requirements. The
+						// requirements are ANDed.
+						matchExpressions?: [...{
+							// key is the label key that the selector applies to.
+							key: string
+
+							// operator represents a key's relationship to a set of values.
+							// Valid operators are In, NotIn, Exists and DoesNotExist.
+							operator: string
+
+							// values is an array of string values. If the operator is In or
+							// NotIn, the values array must be non-empty. If the operator is
+							// Exists or DoesNotExist, the values array must be empty. This
+							// array is replaced during a strategic merge patch.
+							values?: [...string]
+						}]
+
+						// matchLabels is a map of {key,value} pairs. A single {key,value}
+						// in the matchLabels map is equivalent to an element of
+						// matchExpressions, whose key field is "key", the operator is
+						// "In", and the values array contains only "value". The
+						// requirements are ANDed.
+						matchLabels?: {
+							[string]: string
+						}
+					}
+
+					// namespaces specifies a static list of namespace names that the
+					// term applies to. The term is applied to the union of the
+					// namespaces listed in this field and the ones selected by
+					// namespaceSelector. null or empty namespaces list and null
+					// namespaceSelector means "this pod's namespace".
+					namespaces?: [...string]
+
+					// This pod should be co-located (affinity) or not co-located
+					// (anti-affinity) with the pods matching the labelSelector in
+					// the specified namespaces, where co-located is defined as
+					// running on a node whose value of the label with key
+					// topologyKey matches that of any node on which any of the
+					// selected pods is running. Empty topologyKey is not allowed.
+					topologyKey: string
+				}
+
+				// weight associated with matching the corresponding
+				// podAffinityTerm, in the range 1-100.
+				weight: int
+			}]
+
+			// If the affinity requirements specified by this field are not
+			// met at scheduling time, the pod will not be scheduled onto the
+			// node. If the affinity requirements specified by this field
+			// cease to be met at some point during pod execution (e.g. due
+			// to a pod label update), the system may or may not try to
+			// eventually evict the pod from its node. When there are
+			// multiple elements, the lists of nodes corresponding to each
+			// podAffinityTerm are intersected, i.e. all terms must be
+			// satisfied.
+			requiredDuringSchedulingIgnoredDuringExecution?: [...{
+				// A label query over a set of resources, in this case pods.
+				labelSelector?: {
+					// matchExpressions is a list of label selector requirements. The
+					// requirements are ANDed.
+					matchExpressions?: [...{
+						// key is the label key that the selector applies to.
+						key: string
+
+						// operator represents a key's relationship to a set of values.
+						// Valid operators are In, NotIn, Exists and DoesNotExist.
+						operator: string
+
+						// values is an array of string values. If the operator is In or
+						// NotIn, the values array must be non-empty. If the operator is
+						// Exists or DoesNotExist, the values array must be empty. This
+						// array is replaced during a strategic merge patch.
+						values?: [...string]
+					}]
+
+					// matchLabels is a map of {key,value} pairs. A single {key,value}
+					// in the matchLabels map is equivalent to an element of
+					// matchExpressions, whose key field is "key", the operator is
+					// "In", and the values array contains only "value". The
+					// requirements are ANDed.
+					matchLabels?: {
+						[string]: string
+					}
+				}
+
+				// A label query over the set of namespaces that the term applies
+				// to. The term is applied to the union of the namespaces
+				// selected by this field and the ones listed in the namespaces
+				// field. null selector and null or empty namespaces list means
+				// "this pod's namespace". An empty selector ({}) matches all
+				// namespaces.
+				namespaceSelector?: {
+					// matchExpressions is a list of label selector requirements. The
+					// requirements are ANDed.
+					matchExpressions?: [...{
+						// key is the label key that the selector applies to.
+						key: string
+
+						// operator represents a key's relationship to a set of values.
+						// Valid operators are In, NotIn, Exists and DoesNotExist.
+						operator: string
+
+						// values is an array of string values. If the operator is In or
+						// NotIn, the values array must be non-empty. If the operator is
+						// Exists or DoesNotExist, the values array must be empty. This
+						// array is replaced during a strategic merge patch.
+						values?: [...string]
+					}]
+
+					// matchLabels is a map of {key,value} pairs. A single {key,value}
+					// in the matchLabels map is equivalent to an element of
+					// matchExpressions, whose key field is "key", the operator is
+					// "In", and the values array contains only "value". The
+					// requirements are ANDed.
+					matchLabels?: {
+						[string]: string
+					}
+				}
+
+				// namespaces specifies a static list of namespace names that the
+				// term applies to. The term is applied to the union of the
+				// namespaces listed in this field and the ones selected by
+				// namespaceSelector. null or empty namespaces list and null
+				// namespaceSelector means "this pod's namespace".
+				namespaces?: [...string]
+
+				// This pod should be co-located (affinity) or not co-located
+				// (anti-affinity) with the pods matching the labelSelector in
+				// the specified namespaces, where co-located is defined as
+				// running on a node whose value of the label with key
+				// topologyKey matches that of any node on which any of the
+				// selected pods is running. Empty topologyKey is not allowed.
+				topologyKey: string
+			}]
+		}
+
+		// Describes pod anti-affinity scheduling rules (e.g. avoid
+		// putting this pod in the same node, zone, etc. as some other
+		// pod(s)).
+		podAntiAffinity?: {
+			// The scheduler will prefer to schedule pods to nodes that
+			// satisfy the anti-affinity expressions specified by this field,
+			// but it may choose a node that violates one or more of the
+			// expressions. The node that is most preferred is the one with
+			// the greatest sum of weights, i.e. for each node that meets all
+			// of the scheduling requirements (resource request,
+			// requiredDuringScheduling anti-affinity expressions, etc.),
+			// compute a sum by iterating through the elements of this field
+			// and adding "weight" to the sum if the node has pods which
+			// matches the corresponding podAffinityTerm; the node(s) with
+			// the highest sum are the most preferred.
+			preferredDuringSchedulingIgnoredDuringExecution?: [...{
+				// Required. A pod affinity term, associated with the
+				// corresponding weight.
+				podAffinityTerm: {
+					// A label query over a set of resources, in this case pods.
+					labelSelector?: {
+						// matchExpressions is a list of label selector requirements. The
+						// requirements are ANDed.
+						matchExpressions?: [...{
+							// key is the label key that the selector applies to.
+							key: string
+
+							// operator represents a key's relationship to a set of values.
+							// Valid operators are In, NotIn, Exists and DoesNotExist.
+							operator: string
+
+							// values is an array of string values. If the operator is In or
+							// NotIn, the values array must be non-empty. If the operator is
+							// Exists or DoesNotExist, the values array must be empty. This
+							// array is replaced during a strategic merge patch.
+							values?: [...string]
+						}]
+
+						// matchLabels is a map of {key,value} pairs. A single {key,value}
+						// in the matchLabels map is equivalent to an element of
+						// matchExpressions, whose key field is "key", the operator is
+						// "In", and the values array contains only "value". The
+						// requirements are ANDed.
+						matchLabels?: {
+							[string]: string
+						}
+					}
+
+					// A label query over the set of namespaces that the term applies
+					// to. The term is applied to the union of the namespaces
+					// selected by this field and the ones listed in the namespaces
+					// field. null selector and null or empty namespaces list means
+					// "this pod's namespace". An empty selector ({}) matches all
+					// namespaces.
+					namespaceSelector?: {
+						// matchExpressions is a list of label selector requirements. The
+						// requirements are ANDed.
+						matchExpressions?: [...{
+							// key is the label key that the selector applies to.
+							key: string
+
+							// operator represents a key's relationship to a set of values.
+							// Valid operators are In, NotIn, Exists and DoesNotExist.
+							operator: string
+
+							// values is an array of string values. If the operator is In or
+							// NotIn, the values array must be non-empty. If the operator is
+							// Exists or DoesNotExist, the values array must be empty. This
+							// array is replaced during a strategic merge patch.
+							values?: [...string]
+						}]
+
+						// matchLabels is a map of {key,value} pairs. A single {key,value}
+						// in the matchLabels map is equivalent to an element of
+						// matchExpressions, whose key field is "key", the operator is
+						// "In", and the values array contains only "value". The
+						// requirements are ANDed.
+						matchLabels?: {
+							[string]: string
+						}
+					}
+
+					// namespaces specifies a static list of namespace names that the
+					// term applies to. The term is applied to the union of the
+					// namespaces listed in this field and the ones selected by
+					// namespaceSelector. null or empty namespaces list and null
+					// namespaceSelector means "this pod's namespace".
+					namespaces?: [...string]
+
+					// This pod should be co-located (affinity) or not co-located
+					// (anti-affinity) with the pods matching the labelSelector in
+					// the specified namespaces, where co-located is defined as
+					// running on a node whose value of the label with key
+					// topologyKey matches that of any node on which any of the
+					// selected pods is running. Empty topologyKey is not allowed.
+					topologyKey: string
+				}
+
+				// weight associated with matching the corresponding
+				// podAffinityTerm, in the range 1-100.
+				weight: int
+			}]
+
+			// If the anti-affinity requirements specified by this field are
+			// not met at scheduling time, the pod will not be scheduled onto
+			// the node. If the anti-affinity requirements specified by this
+			// field cease to be met at some point during pod execution (e.g.
+			// due to a pod label update), the system may or may not try to
+			// eventually evict the pod from its node. When there are
+			// multiple elements, the lists of nodes corresponding to each
+			// podAffinityTerm are intersected, i.e. all terms must be
+			// satisfied.
+			requiredDuringSchedulingIgnoredDuringExecution?: [...{
+				// A label query over a set of resources, in this case pods.
+				labelSelector?: {
+					// matchExpressions is a list of label selector requirements. The
+					// requirements are ANDed.
+					matchExpressions?: [...{
+						// key is the label key that the selector applies to.
+						key: string
+
+						// operator represents a key's relationship to a set of values.
+						// Valid operators are In, NotIn, Exists and DoesNotExist.
+						operator: string
+
+						// values is an array of string values. If the operator is In or
+						// NotIn, the values array must be non-empty. If the operator is
+						// Exists or DoesNotExist, the values array must be empty. This
+						// array is replaced during a strategic merge patch.
+						values?: [...string]
+					}]
+
+					// matchLabels is a map of {key,value} pairs. A single {key,value}
+					// in the matchLabels map is equivalent to an element of
+					// matchExpressions, whose key field is "key", the operator is
+					// "In", and the values array contains only "value". The
+					// requirements are ANDed.
+					matchLabels?: {
+						[string]: string
+					}
+				}
+
+				// A label query over the set of namespaces that the term applies
+				// to. The term is applied to the union of the namespaces
+				// selected by this field and the ones listed in the namespaces
+				// field. null selector and null or empty namespaces list means
+				// "this pod's namespace". An empty selector ({}) matches all
+				// namespaces.
+				namespaceSelector?: {
+					// matchExpressions is a list of label selector requirements. The
+					// requirements are ANDed.
+					matchExpressions?: [...{
+						// key is the label key that the selector applies to.
+						key: string
+
+						// operator represents a key's relationship to a set of values.
+						// Valid operators are In, NotIn, Exists and DoesNotExist.
+						operator: string
+
+						// values is an array of string values. If the operator is In or
+						// NotIn, the values array must be non-empty. If the operator is
+						// Exists or DoesNotExist, the values array must be empty. This
+						// array is replaced during a strategic merge patch.
+						values?: [...string]
+					}]
+
+					// matchLabels is a map of {key,value} pairs. A single {key,value}
+					// in the matchLabels map is equivalent to an element of
+					// matchExpressions, whose key field is "key", the operator is
+					// "In", and the values array contains only "value". The
+					// requirements are ANDed.
+					matchLabels?: {
+						[string]: string
+					}
+				}
+
+				// namespaces specifies a static list of namespace names that the
+				// term applies to. The term is applied to the union of the
+				// namespaces listed in this field and the ones selected by
+				// namespaceSelector. null or empty namespaces list and null
+				// namespaceSelector means "this pod's namespace".
+				namespaces?: [...string]
+
+				// This pod should be co-located (affinity) or not co-located
+				// (anti-affinity) with the pods matching the labelSelector in
+				// the specified namespaces, where co-located is defined as
+				// running on a node whose value of the label with key
+				// topologyKey matches that of any node on which any of the
+				// selected pods is running. Empty topologyKey is not allowed.
+				topologyKey: string
+			}]
+		}
+	}
+
+	// The major version of PostgreSQL before the upgrade.
+	fromPostgresVersion: uint & >=10 & <=16
+
+	// The image name to use for major PostgreSQL upgrades.
+	image?: string
+
+	// ImagePullPolicy is used to determine when Kubernetes will
+	// attempt to pull (download) container images. More info:
+	// https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy
+	imagePullPolicy?: "Always" | "Never" | "IfNotPresent"
+
+	// The image pull secrets used to pull from a private registry.
+	// Changing this value causes all running PGUpgrade pods to
+	// restart.
+	// https://k8s.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+	imagePullSecrets?: [...{
+		// Name of the referent. More info:
+		// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+		name?: string
+	}]
+
+	// Metadata contains metadata for custom resources
+	metadata?: {
+		annotations?: {
+			[string]: string
+		}
+		labels?: {
+			[string]: string
+		}
+	}
+
+	// The name of the cluster to be updated
+	postgresClusterName: strings.MinRunes(1)
+
+	// Priority class name for the PGUpgrade pod. Changing this value
+	// causes PGUpgrade pod to restart. More info:
+	// https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/
+	priorityClassName?: string
+
+	// Resource requirements for the PGUpgrade container.
+	resources?: {
+		// Limits describes the maximum amount of compute resources
+		// allowed. More info:
+		// https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+		limits?: {
+			[string]: (int | string) & =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$"
+		}
+
+		// Requests describes the minimum amount of compute resources
+		// required. If Requests is omitted for a container, it defaults
+		// to Limits if that is explicitly specified, otherwise to an
+		// implementation-defined value. More info:
+		// https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+		requests?: {
+			[string]: (int | string) & =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$"
+		}
+	}
+
+	// The image name to use for PostgreSQL containers after upgrade.
+	// When omitted, the value comes from an operator environment
+	// variable.
+	toPostgresImage?: string
+
+	// The major version of PostgreSQL to be upgraded to.
+	toPostgresVersion: uint & >=10 & <=16
+
+	// Tolerations of the PGUpgrade pod. More info:
+	// https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration
+	tolerations?: [...{
+		// Effect indicates the taint effect to match. Empty means match
+		// all taint effects. When specified, allowed values are
+		// NoSchedule, PreferNoSchedule and NoExecute.
+		effect?: string
+
+		// Key is the taint key that the toleration applies to. Empty
+		// means match all taint keys. If the key is empty, operator must
+		// be Exists; this combination means to match all values and all
+		// keys.
+		key?: string
+
+		// Operator represents a key's relationship to the value. Valid
+		// operators are Exists and Equal. Defaults to Equal. Exists is
+		// equivalent to wildcard for value, so that a pod can tolerate
+		// all taints of a particular category.
+		operator?: string
+
+		// TolerationSeconds represents the period of time the toleration
+		// (which must be of effect NoExecute, otherwise this field is
+		// ignored) tolerates the taint. By default, it is not set, which
+		// means tolerate the taint forever (do not evict). Zero and
+		// negative values will be treated as 0 (evict immediately) by
+		// the system.
+		tolerationSeconds?: int
+
+		// Value is the taint value the toleration matches to. If the
+		// operator is Exists, the value should be empty, otherwise just
+		// a regular string.
+		value?: string
+	}]
+}

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/builtinpluginloadingoptions_string_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+_#_BuiltinPluginLoadingOptions_name: "BploUndefinedBploUseStaticallyLinkedBploLoadFromFileSys"

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/configmapargs_go_gen.cue

@@ -0,0 +1,10 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+// ConfigMapArgs contains the metadata of how to generate a configmap.
+#ConfigMapArgs: {
+	#GeneratorArgs
+}

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/doc_go_gen.cue

@@ -0,0 +1,10 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+// Package types holds the definition of the kustomization struct and
+// supporting structs.  It's the k8s API conformant object that describes
+// a set of generation and transformation operations to create and/or
+// modify k8s resources.
+// A kustomization file is a serialization of this struct.
+package types

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/fieldspec_go_gen.cue

@@ -0,0 +1,29 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+// FieldSpec completely specifies a kustomizable field in a k8s API object.
+// It helps define the operands of transformations.
+//
+// For example, a directive to add a common label to objects
+// will need to know that a 'Deployment' object (in API group
+// 'apps', any version) can have labels at field path
+// 'spec/template/metadata/labels', and further that it is OK
+// (or not OK) to add that field path to the object if the
+// field path doesn't exist already.
+//
+// This would look like
+// {
+//   group: apps
+//   kind: Deployment
+//   path: spec/template/metadata/labels
+//   create: true
+// }
+#FieldSpec: {
+	path?:   string @go(Path)
+	create?: bool   @go(CreateIfNotPresent)
+}
+
+#FsSlice: [...#FieldSpec]

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/generationbehavior_go_gen.cue

@@ -0,0 +1,33 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+// GenerationBehavior specifies generation behavior of configmaps, secrets and maybe other resources.
+#GenerationBehavior: int // #enumGenerationBehavior
+
+#enumGenerationBehavior:
+	#BehaviorUnspecified |
+	#BehaviorCreate |
+	#BehaviorReplace |
+	#BehaviorMerge
+
+#values_GenerationBehavior: {
+	BehaviorUnspecified: #BehaviorUnspecified
+	BehaviorCreate:      #BehaviorCreate
+	BehaviorReplace:     #BehaviorReplace
+	BehaviorMerge:       #BehaviorMerge
+}
+
+// BehaviorUnspecified is an Unspecified behavior; typically treated as a Create.
+#BehaviorUnspecified: #GenerationBehavior & 0
+
+// BehaviorCreate makes a new resource.
+#BehaviorCreate: #GenerationBehavior & 1
+
+// BehaviorReplace replaces a resource.
+#BehaviorReplace: #GenerationBehavior & 2
+
+// BehaviorMerge attempts to merge a new resource with an existing resource.
+#BehaviorMerge: #GenerationBehavior & 3

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/generatorargs_go_gen.cue

@@ -0,0 +1,27 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+// GeneratorArgs contains arguments common to ConfigMap and Secret generators.
+#GeneratorArgs: {
+	// Namespace for the resource, optional
+	namespace?: string @go(Namespace)
+
+	// Name - actually the partial name - of the generated resource.
+	// The full name ends up being something like
+	// NamePrefix + this.Name + hash(content of generated resource).
+	name?: string @go(Name)
+
+	// Behavior of generated resource, must be one of:
+	//   'create': create a new one
+	//   'replace': replace the existing one
+	//   'merge': merge with the existing one
+	behavior?: string @go(Behavior)
+
+	#KvPairSources
+
+	// Local overrides to global generatorOptions field.
+	options?: null | #GeneratorOptions @go(Options,*GeneratorOptions)
+}

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/generatoroptions_go_gen.cue

@@ -0,0 +1,22 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+// GeneratorOptions modify behavior of all ConfigMap and Secret generators.
+#GeneratorOptions: {
+	// Labels to add to all generated resources.
+	labels?: {[string]: string} @go(Labels,map[string]string)
+
+	// Annotations to add to all generated resources.
+	annotations?: {[string]: string} @go(Annotations,map[string]string)
+
+	// DisableNameSuffixHash if true disables the default behavior of adding a
+	// suffix to the names of generated resources that is a hash of the
+	// resource contents.
+	disableNameSuffixHash?: bool @go(DisableNameSuffixHash)
+
+	// Immutable if true add to all generated resources.
+	immutable?: bool @go(Immutable)
+}

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/helmchartargs_go_gen.cue

@@ -0,0 +1,116 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+#HelmDefaultHome: "charts"
+
+#HelmGlobals: {
+	// ChartHome is a file path, relative to the kustomization root,
+	// to a directory containing a subdirectory for each chart to be
+	// included in the kustomization.
+	// The default value of this field is "charts".
+	// So, for example, kustomize looks for the minecraft chart
+	// at {kustomizationRoot}/{ChartHome}/minecraft.
+	// If the chart is there at build time, kustomize will use it as found,
+	// and not check version numbers or dates.
+	// If the chart is not there, kustomize will attempt to pull it
+	// using the version number specified in the kustomization file,
+	// and put it there.  To suppress the pull attempt, simply assure
+	// that the chart is already there.
+	chartHome?: string @go(ChartHome)
+
+	// ConfigHome defines a value that kustomize should pass to helm via
+	// the HELM_CONFIG_HOME environment variable.  kustomize doesn't attempt
+	// to read or write this directory.
+	// If omitted, {tmpDir}/helm is used, where {tmpDir} is some temporary
+	// directory created by kustomize for the benefit of helm.
+	// Likewise, kustomize sets
+	//   HELM_CACHE_HOME={ConfigHome}/.cache
+	//   HELM_DATA_HOME={ConfigHome}/.data
+	// for the helm subprocess.
+	configHome?: string @go(ConfigHome)
+}
+
+#HelmChart: {
+	// Name is the name of the chart, e.g. 'minecraft'.
+	name?: string @go(Name)
+
+	// Version is the version of the chart, e.g. '3.1.3'
+	version?: string @go(Version)
+
+	// Repo is a URL locating the chart on the internet.
+	// This is the argument to helm's  `--repo` flag, e.g.
+	// `https://itzg.github.io/minecraft-server-charts`.
+	repo?: string @go(Repo)
+
+	// ReleaseName replaces RELEASE-NAME in chart template output,
+	// making a particular inflation of a chart unique with respect to
+	// other inflations of the same chart in a cluster. It's the first
+	// argument to the helm `install` and `template` commands, i.e.
+	//   helm install {RELEASE-NAME} {chartName}
+	//   helm template {RELEASE-NAME} {chartName}
+	// If omitted, the flag --generate-name is passed to 'helm template'.
+	releaseName?: string @go(ReleaseName)
+
+	// Namespace set the target namespace for a release. It is .Release.Namespace
+	// in the helm template
+	namespace?: string @go(Namespace)
+
+	// AdditionalValuesFiles are local file paths to values files to be used in
+	// addition to either the default values file or the values specified in ValuesFile.
+	additionalValuesFiles?: [...string] @go(AdditionalValuesFiles,[]string)
+
+	// ValuesFile is a local file path to a values file to use _instead of_
+	// the default values that accompanied the chart.
+	// The default values are in '{ChartHome}/{Name}/values.yaml'.
+	valuesFile?: string @go(ValuesFile)
+
+	// ValuesInline holds value mappings specified directly,
+	// rather than in a separate file.
+	valuesInline?: {...} @go(ValuesInline,map[string]interface{})
+
+	// ValuesMerge specifies how to treat ValuesInline with respect to Values.
+	// Legal values: 'merge', 'override', 'replace'.
+	// Defaults to 'override'.
+	valuesMerge?: string @go(ValuesMerge)
+
+	// IncludeCRDs specifies if Helm should also generate CustomResourceDefinitions.
+	// Defaults to 'false'.
+	includeCRDs?: bool @go(IncludeCRDs)
+
+	// SkipHooks sets the --no-hooks flag when calling helm template. This prevents
+	// helm from erroneously rendering test templates.
+	skipHooks?: bool @go(SkipHooks)
+
+	// ApiVersions is the kubernetes apiversions used for Capabilities.APIVersions
+	apiVersions?: [...string] @go(ApiVersions,[]string)
+
+	// KubeVersion is the kubernetes version used by Helm for Capabilities.KubeVersion"
+	kubeVersion?: string @go(KubeVersion)
+
+	// NameTemplate is for specifying the name template used to name the release.
+	nameTemplate?: string @go(NameTemplate)
+
+	// SkipTests skips tests from templated output.
+	skipTests?: bool @go(SkipTests)
+}
+
+// HelmChartArgs contains arguments to helm.
+// Deprecated.  Use HelmGlobals and HelmChart instead.
+#HelmChartArgs: {
+	chartName?:     string @go(ChartName)
+	chartVersion?:  string @go(ChartVersion)
+	chartRepoUrl?:  string @go(ChartRepoURL)
+	chartHome?:     string @go(ChartHome)
+	chartRepoName?: string @go(ChartRepoName)
+	helmBin?:       string @go(HelmBin)
+	helmHome?:      string @go(HelmHome)
+	values?:        string @go(Values)
+	valuesLocal?: {...} @go(ValuesLocal,map[string]interface{})
+	valuesMerge?:      string @go(ValuesMerge)
+	releaseName?:      string @go(ReleaseName)
+	releaseNamespace?: string @go(ReleaseNamespace)
+	extraArgs?: [...string] @go(ExtraArgs,[]string)
+}

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/iampolicygenerator_go_gen.cue

@@ -0,0 +1,40 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+#Cloud: string // #enumCloud
+
+#enumCloud:
+	#GKE
+
+#GKE: #Cloud & "gke"
+
+// IAMPolicyGeneratorArgs contains arguments to generate a GKE service account resource.
+#IAMPolicyGeneratorArgs: {
+	// which cloud provider to generate for (e.g. "gke")
+	cloud: #Cloud @go(Cloud)
+
+	// information about the kubernetes cluster for this object
+	kubernetesService: #KubernetesService @go(KubernetesService)
+
+	// information about the service account and project
+	serviceAccount: #ServiceAccount @go(ServiceAccount)
+}
+
+#KubernetesService: {
+	// the name used for the Kubernetes service account
+	name: string @go(Name)
+
+	// the name of the Kubernetes namespace for this object
+	namespace?: string @go(Namespace)
+}
+
+#ServiceAccount: {
+	// the name of the new cloud provider service account
+	name: string @go(Name)
+
+	// The ID of the project
+	projectId: string @go(ProjectId)
+}

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/image_go_gen.cue

@@ -0,0 +1,26 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+// Image contains an image name, a new name, a new tag or digest,
+// which will replace the original name and tag.
+#Image: {
+	// Name is a tag-less image name.
+	name?: string @go(Name)
+
+	// NewName is the value used to replace the original name.
+	newName?: string @go(NewName)
+
+	// TagSuffix is the value used to suffix the original tag
+	// If Digest and NewTag is present an error is thrown
+	tagSuffix?: string @go(TagSuffix)
+
+	// NewTag is the value used to replace the original tag.
+	newTag?: string @go(NewTag)
+
+	// Digest is the value used to replace the original image tag.
+	// If digest is present NewTag value is ignored.
+	digest?: string @go(Digest)
+}

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/kustomization_go_gen.cue

@@ -0,0 +1,163 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+#KustomizationVersion:        "kustomize.config.k8s.io/v1beta1"
+#KustomizationKind:           "Kustomization"
+#ComponentVersion:            "kustomize.config.k8s.io/v1alpha1"
+#ComponentKind:               "Component"
+#MetadataNamespacePath:       "metadata/namespace"
+#MetadataNamespaceApiVersion: "v1"
+#MetadataNamePath:            "metadata/name"
+#OriginAnnotations:           "originAnnotations"
+#TransformerAnnotations:      "transformerAnnotations"
+#ManagedByLabelOption:        "managedByLabel"
+
+// Kustomization holds the information needed to generate customized k8s api resources.
+#Kustomization: {
+	#TypeMeta
+
+	// MetaData is a pointer to avoid marshalling empty struct
+	metadata?: null | #ObjectMeta @go(MetaData,*ObjectMeta)
+
+	// OpenAPI contains information about what kubernetes schema to use.
+	openapi?: {[string]: string} @go(OpenAPI,map[string]string)
+
+	// NamePrefix will prefix the names of all resources mentioned in the kustomization
+	// file including generated configmaps and secrets.
+	namePrefix?: string @go(NamePrefix)
+
+	// NameSuffix will suffix the names of all resources mentioned in the kustomization
+	// file including generated configmaps and secrets.
+	nameSuffix?: string @go(NameSuffix)
+
+	// Namespace to add to all objects.
+	namespace?: string @go(Namespace)
+
+	// CommonLabels to add to all objects and selectors.
+	commonLabels?: {[string]: string} @go(CommonLabels,map[string]string)
+
+	// Labels to add to all objects but not selectors.
+	labels?: [...#Label] @go(Labels,[]Label)
+
+	// CommonAnnotations to add to all objects.
+	commonAnnotations?: {[string]: string} @go(CommonAnnotations,map[string]string)
+
+	// Deprecated: Use the Patches field instead, which provides a superset of the functionality of PatchesStrategicMerge.
+	// PatchesStrategicMerge specifies the relative path to a file
+	// containing a strategic merge patch.  Format documented at
+	// https://github.com/kubernetes/community/blob/master/contributors/devel/sig-api-machinery/strategic-merge-patch.md
+	// URLs and globs are not supported.
+	patchesStrategicMerge?: [...#PatchStrategicMerge] @go(PatchesStrategicMerge,[]PatchStrategicMerge)
+
+	// Deprecated: Use the Patches field instead, which provides a superset of the functionality of JSONPatches.
+	// JSONPatches is a list of JSONPatch for applying JSON patch.
+	// Format documented at https://tools.ietf.org/html/rfc6902
+	// and http://jsonpatch.com
+	patchesJson6902?: [...#Patch] @go(PatchesJson6902,[]Patch)
+
+	// Patches is a list of patches, where each one can be either a
+	// Strategic Merge Patch or a JSON patch.
+	// Each patch can be applied to multiple target objects.
+	patches?: [...#Patch] @go(Patches,[]Patch)
+
+	// Images is a list of (image name, new name, new tag or digest)
+	// for changing image names, tags or digests. This can also be achieved with a
+	// patch, but this operator is simpler to specify.
+	images?: [...#Image] @go(Images,[]Image)
+
+	// Deprecated: Use the Images field instead.
+	imageTags?: [...#Image] @go(ImageTags,[]Image)
+
+	// Replacements is a list of replacements, which will copy nodes from a
+	// specified source to N specified targets.
+	replacements?: [...#ReplacementField] @go(Replacements,[]ReplacementField)
+
+	// Replicas is a list of {resourcename, count} that allows for simpler replica
+	// specification. This can also be done with a patch.
+	replicas?: [...#Replica] @go(Replicas,[]Replica)
+
+	// Deprecated: Vars will be removed in future release. Migrate to Replacements instead.
+	// Vars allow things modified by kustomize to be injected into a
+	// kubernetes object specification. A var is a name (e.g. FOO) associated
+	// with a field in a specific resource instance.  The field must
+	// contain a value of type string/bool/int/float, and defaults to the name field
+	// of the instance.  Any appearance of "$(FOO)" in the object
+	// spec will be replaced at kustomize build time, after the final
+	// value of the specified field has been determined.
+	vars?: [...#Var] @go(Vars,[]Var)
+
+	// SortOptions change the order that kustomize outputs resources.
+	sortOptions?: null | #SortOptions @go(SortOptions,*SortOptions)
+
+	// Resources specifies relative paths to files holding YAML representations
+	// of kubernetes API objects, or specifications of other kustomizations
+	// via relative paths, absolute paths, or URLs.
+	resources?: [...string] @go(Resources,[]string)
+
+	// Components specifies relative paths to specifications of other Components
+	// via relative paths, absolute paths, or URLs.
+	components?: [...string] @go(Components,[]string)
+
+	// Crds specifies relative paths to Custom Resource Definition files.
+	// This allows custom resources to be recognized as operands, making
+	// it possible to add them to the Resources list.
+	// CRDs themselves are not modified.
+	crds?: [...string] @go(Crds,[]string)
+
+	// Deprecated: Anything that would have been specified here should be specified in the Resources field instead.
+	bases?: [...string] @go(Bases,[]string)
+
+	// ConfigMapGenerator is a list of configmaps to generate from
+	// local data (one configMap per list item).
+	// The resulting resource is a normal operand, subject to
+	// name prefixing, patching, etc.  By default, the name of
+	// the map will have a suffix hash generated from its contents.
+	configMapGenerator?: [...#ConfigMapArgs] @go(ConfigMapGenerator,[]ConfigMapArgs)
+
+	// SecretGenerator is a list of secrets to generate from
+	// local data (one secret per list item).
+	// The resulting resource is a normal operand, subject to
+	// name prefixing, patching, etc.  By default, the name of
+	// the map will have a suffix hash generated from its contents.
+	secretGenerator?: [...#SecretArgs] @go(SecretGenerator,[]SecretArgs)
+
+	// HelmGlobals contains helm configuration that isn't chart specific.
+	helmGlobals?: null | #HelmGlobals @go(HelmGlobals,*HelmGlobals)
+
+	// HelmCharts is a list of helm chart configuration instances.
+	helmCharts?: [...#HelmChart] @go(HelmCharts,[]HelmChart)
+
+	// HelmChartInflationGenerator is a list of helm chart configurations.
+	// Deprecated.  Auto-converted to HelmGlobals and HelmCharts.
+	helmChartInflationGenerator?: [...#HelmChartArgs] @go(HelmChartInflationGenerator,[]HelmChartArgs)
+
+	// GeneratorOptions modify behavior of all ConfigMap and Secret generators.
+	generatorOptions?: null | #GeneratorOptions @go(GeneratorOptions,*GeneratorOptions)
+
+	// Configurations is a list of transformer configuration files
+	configurations?: [...string] @go(Configurations,[]string)
+
+	// Generators is a list of files containing custom generators
+	generators?: [...string] @go(Generators,[]string)
+
+	// Transformers is a list of files containing transformers
+	transformers?: [...string] @go(Transformers,[]string)
+
+	// Validators is a list of files containing validators
+	validators?: [...string] @go(Validators,[]string)
+
+	// BuildMetadata is a list of strings used to toggle different build options
+	buildMetadata?: [...string] @go(BuildMetadata,[]string)
+}
+
+_#deprecatedWarningToRunEditFix:              "Run 'kustomize edit fix' to update your Kustomization automatically."
+_#deprecatedWarningToRunEditFixExperimential: "[EXPERIMENTAL] Run 'kustomize edit fix' to update your Kustomization automatically."
+_#deprecatedBaseWarningMessage:               "# Warning: 'bases' is deprecated. Please use 'resources' instead. Run 'kustomize edit fix' to update your Kustomization automatically."
+_#deprecatedImageTagsWarningMessage:          "# Warning: 'imageTags' is deprecated. Please use 'images' instead. Run 'kustomize edit fix' to update your Kustomization automatically."
+_#deprecatedPatchesJson6902Message:           "# Warning: 'patchesJson6902' is deprecated. Please use 'patches' instead. Run 'kustomize edit fix' to update your Kustomization automatically."
+_#deprecatedPatchesStrategicMergeMessage:     "# Warning: 'patchesStrategicMerge' is deprecated. Please use 'patches' instead. Run 'kustomize edit fix' to update your Kustomization automatically."
+_#deprecatedVarsMessage:                      "# Warning: 'vars' is deprecated. Please use 'replacements' instead. [EXPERIMENTAL] Run 'kustomize edit fix' to update your Kustomization automatically."
+_#deprecatedCommonLabelsWarningMessage:       "# Warning: 'commonLabels' is deprecated. Please use 'labels' instead. Run 'kustomize edit fix' to update your Kustomization automatically."

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/kvpairsources_go_gen.cue

@@ -0,0 +1,37 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+// KvPairSources defines places to obtain key value pairs.
+#KvPairSources: {
+	// LiteralSources is a list of literal
+	// pair sources. Each literal source should
+	// be a key and literal value, e.g. `key=value`
+	literals?: [...string] @go(LiteralSources,[]string)
+
+	// FileSources is a list of file "sources" to
+	// use in creating a list of key, value pairs.
+	// A source takes the form:  [{key}=]{path}
+	// If the "key=" part is missing, the key is the
+	// path's basename. If they "key=" part is present,
+	// it becomes the key (replacing the basename).
+	// In either case, the value is the file contents.
+	// Specifying a directory will iterate each named
+	// file in the directory whose basename is a
+	// valid configmap key.
+	files?: [...string] @go(FileSources,[]string)
+
+	// EnvSources is a list of file paths.
+	// The contents of each file should be one
+	// key=value pair per line, e.g. a Docker
+	// or npm ".env" file or a ".ini" file
+	// (wikipedia.org/wiki/INI_file)
+	envs?: [...string] @go(EnvSources,[]string)
+
+	// Older, singular form of EnvSources.
+	// On edits (e.g. `kustomize fix`) this is merged into the plural form
+	// for consistency with LiteralSources and FileSources.
+	env?: string @go(EnvSource)
+}

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/labels_go_gen.cue

@@ -0,0 +1,23 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+#Label: {
+	// Pairs contains the key-value pairs for labels to add
+	pairs?: {[string]: string} @go(Pairs,map[string]string)
+
+	// IncludeSelectors inidicates should transformer include the
+	// fieldSpecs for selectors. Custom fieldSpecs specified by
+	// FieldSpecs will be merged with builtin fieldSpecs if this
+	// is true.
+	includeSelectors?: bool @go(IncludeSelectors)
+
+	// IncludeTemplates inidicates should transformer include the
+	// spec/template/metadata fieldSpec. Custom fieldSpecs specified by
+	// FieldSpecs will be merged with spec/template/metadata fieldSpec if this
+	// is true. If IncludeSelectors is true, IncludeTemplates is not needed.
+	includeTemplates?: bool @go(IncludeTemplates)
+	fields?: [...#FieldSpec] @go(FieldSpecs,[]FieldSpec)
+}

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/loadrestrictions_go_gen.cue

@@ -0,0 +1,34 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+// Restrictions on what things can be referred to
+// in a kustomization file.
+//
+//go:generate stringer -type=LoadRestrictions
+#LoadRestrictions: int // #enumLoadRestrictions
+
+#enumLoadRestrictions:
+	#LoadRestrictionsUnknown |
+	#LoadRestrictionsRootOnly |
+	#LoadRestrictionsNone
+
+#values_LoadRestrictions: {
+	LoadRestrictionsUnknown:  #LoadRestrictionsUnknown
+	LoadRestrictionsRootOnly: #LoadRestrictionsRootOnly
+	LoadRestrictionsNone:     #LoadRestrictionsNone
+}
+
+#LoadRestrictionsUnknown: #LoadRestrictions & 0
+
+// Files referenced by a kustomization file must be in
+// or under the directory holding the kustomization
+// file itself.
+#LoadRestrictionsRootOnly: #LoadRestrictions & 1
+
+// The kustomization file may specify absolute or
+// relative paths to patch or resources files outside
+// its own tree.
+#LoadRestrictionsNone: #LoadRestrictions & 2

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/loadrestrictions_string_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+_#_LoadRestrictions_name: "LoadRestrictionsUnknownLoadRestrictionsRootOnlyLoadRestrictionsNone"

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/objectmeta_go_gen.cue

@@ -0,0 +1,14 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+// ObjectMeta partially copies apimachinery/pkg/apis/meta/v1.ObjectMeta
+// No need for a direct dependence; the fields are stable.
+#ObjectMeta: {
+	name?:      string @go(Name)
+	namespace?: string @go(Namespace)
+	labels?: {[string]: string} @go(Labels,map[string]string)
+	annotations?: {[string]: string} @go(Annotations,map[string]string)
+}

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/pair_go_gen.cue

@@ -0,0 +1,11 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+// Pair is a key value pair.
+#Pair: {
+	Key:   string
+	Value: string
+}

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/patch_go_gen.cue

@@ -0,0 +1,23 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+// Patch represent either a Strategic Merge Patch or a JSON patch
+// and its targets.
+// The content of the patch can either be from a file
+// or from an inline string.
+#Patch: {
+	// Path is a relative file path to the patch file.
+	path?: string @go(Path)
+
+	// Patch is the content of a patch.
+	patch?: string @go(Patch)
+
+	// Target points to the resources that the patch is applied to
+	target?: #Target | #Selector @go(Target,*Selector)
+
+	// Options is a list of options for the patch
+	options?: {[string]: bool} @go(Options,map[string]bool)
+}

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/patchstrategicmerge_go_gen.cue

@@ -0,0 +1,10 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+// PatchStrategicMerge represents a relative path to a
+// stategic merge patch with the format
+// https://github.com/kubernetes/community/blob/master/contributors/devel/sig-api-machinery/strategic-merge-patch.md
+#PatchStrategicMerge: string

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/pluginconfig_go_gen.cue

@@ -0,0 +1,27 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+#HelmConfig: {
+	Enabled: bool
+	Command: string
+	ApiVersions: [...string] @go(,[]string)
+	KubeVersion: string
+}
+
+// PluginConfig holds plugin configuration.
+#PluginConfig: {
+	// PluginRestrictions distinguishes plugin restrictions.
+	PluginRestrictions: #PluginRestrictions
+
+	// BpLoadingOptions distinguishes builtin plugin behaviors.
+	BpLoadingOptions: #BuiltinPluginLoadingOptions
+
+	// FnpLoadingOptions sets the way function-based plugin behaviors.
+	FnpLoadingOptions: #FnPluginLoadingOptions
+
+	// HelmConfig contains metadata needed for allowing and running helm.
+	HelmConfig: #HelmConfig
+}

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/pluginrestrictions_go_gen.cue

@@ -0,0 +1,87 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+// Some plugin classes
+// - builtin: plugins defined in the kustomize repo.
+//   May be freely used and re-configured.
+// - local: plugins that aren't builtin but are
+//   locally defined (presumably by the user), meaning
+//   the kustomization refers to them via a relative
+//   file path, not a URL.
+// - remote: require a build-time download to obtain.
+//   Unadvised, unless one controls the
+//   serving site.
+//
+//go:generate stringer -type=PluginRestrictions
+#PluginRestrictions: int // #enumPluginRestrictions
+
+#enumPluginRestrictions:
+	#PluginRestrictionsUnknown |
+	#PluginRestrictionsBuiltinsOnly |
+	#PluginRestrictionsNone
+
+#values_PluginRestrictions: {
+	PluginRestrictionsUnknown:      #PluginRestrictionsUnknown
+	PluginRestrictionsBuiltinsOnly: #PluginRestrictionsBuiltinsOnly
+	PluginRestrictionsNone:         #PluginRestrictionsNone
+}
+
+#PluginRestrictionsUnknown: #PluginRestrictions & 0
+
+// Non-builtin plugins completely disabled.
+#PluginRestrictionsBuiltinsOnly: #PluginRestrictions & 1
+
+// No restrictions, do whatever you want.
+#PluginRestrictionsNone: #PluginRestrictions & 2
+
+// BuiltinPluginLoadingOptions distinguish ways in which builtin plugins are used.
+//go:generate stringer -type=BuiltinPluginLoadingOptions
+#BuiltinPluginLoadingOptions: int // #enumBuiltinPluginLoadingOptions
+
+#enumBuiltinPluginLoadingOptions:
+	#BploUndefined |
+	#BploUseStaticallyLinked |
+	#BploLoadFromFileSys
+
+#values_BuiltinPluginLoadingOptions: {
+	BploUndefined:           #BploUndefined
+	BploUseStaticallyLinked: #BploUseStaticallyLinked
+	BploLoadFromFileSys:     #BploLoadFromFileSys
+}
+
+#BploUndefined: #BuiltinPluginLoadingOptions & 0
+
+// Desired in production use for performance.
+#BploUseStaticallyLinked: #BuiltinPluginLoadingOptions & 1
+
+// Desired in testing and development cycles where it's undesirable
+// to generate static code.
+#BploLoadFromFileSys: #BuiltinPluginLoadingOptions & 2
+
+// FnPluginLoadingOptions set way functions-based plugins are restricted
+#FnPluginLoadingOptions: {
+	// Allow to run executables
+	EnableExec: bool
+
+	// Allow to run starlark
+	EnableStar: bool
+
+	// Allow container access to network
+	Network:     bool
+	NetworkName: string
+
+	// list of mounts
+	Mounts: [...string] @go(,[]string)
+
+	// list of env variables to pass to fn
+	Env: [...string] @go(,[]string)
+
+	// Run as uid and gid of the command executor
+	AsCurrentUser: bool
+
+	// Run in this working directory
+	WorkingDir: string
+}

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/pluginrestrictions_string_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+_#_PluginRestrictions_name: "PluginRestrictionsUnknownPluginRestrictionsBuiltinsOnlyPluginRestrictionsNone"

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/replacement_go_gen.cue

@@ -0,0 +1,57 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+#DefaultReplacementFieldPath: "metadata.name"
+
+// Replacement defines how to perform a substitution
+// where it is from and where it is to.
+#Replacement: {
+	// The source of the value.
+	source?: null | #SourceSelector @go(Source,*SourceSelector)
+
+	// The N fields to write the value to.
+	targets?: [...null | #TargetSelector] @go(Targets,[]*TargetSelector)
+}
+
+// SourceSelector is the source of the replacement transformer.
+#SourceSelector: {
+	// Structured field path expected in the allowed object.
+	fieldPath?: string @go(FieldPath)
+
+	// Used to refine the interpretation of the field.
+	options?: null | #FieldOptions @go(Options,*FieldOptions)
+}
+
+// TargetSelector specifies fields in one or more objects.
+#TargetSelector: {
+	// Include objects that match this.
+	select?: null | #Selector @go(Select,*Selector)
+
+	// From the allowed set, remove objects that match this.
+	reject?: [...null | #Selector] @go(Reject,[]*Selector)
+
+	// Structured field paths expected in each allowed object.
+	fieldPaths?: [...string] @go(FieldPaths,[]string)
+
+	// Used to refine the interpretation of the field.
+	options?: null | #FieldOptions @go(Options,*FieldOptions)
+}
+
+// FieldOptions refine the interpretation of FieldPaths.
+#FieldOptions: {
+	// Used to split/join the field.
+	delimiter?: string @go(Delimiter)
+
+	// Which position in the split to consider.
+	index?: int @go(Index)
+
+	// TODO (#3492): Implement use of this option
+	// None, Base64, URL, Hex, etc
+	encoding?: string @go(Encoding)
+
+	// If field missing, add it.
+	create?: bool @go(Create)
+}

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/replacementfield_go_gen.cue

@@ -0,0 +1,10 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+#ReplacementField: {
+	#Replacement
+	path?: string @go(Path)
+}

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/replica_go_gen.cue

@@ -0,0 +1,17 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+// Replica specifies a modification to a replica config.
+// The number of replicas of a resource whose name matches will be set to count.
+// This struct is used by the ReplicaCountTransform, and is meant to supplement
+// the existing patch functionality with a simpler syntax for replica configuration.
+#Replica: {
+	// The name of the resource to change the replica count
+	name?: string @go(Name)
+
+	// The number of replicas required.
+	count: int64 @go(Count)
+}

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/secretargs_go_gen.cue

@@ -0,0 +1,19 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+// SecretArgs contains the metadata of how to generate a secret.
+#SecretArgs: {
+	#GeneratorArgs
+
+	// Type of the secret.
+	//
+	// This is the same field as the secret type field in v1/Secret:
+	// It can be "Opaque" (default), or "kubernetes.io/tls".
+	//
+	// If type is "kubernetes.io/tls", then "literals" or "files" must have exactly two
+	// keys: "tls.key" and "tls.crt"
+	type?: string @go(Type)
+}

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/selector_go_gen.cue

@@ -0,0 +1,20 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+// Selector specifies a set of resources.
+// Any resource that matches intersection of all conditions
+// is included in this set.
+#Selector: {
+	// AnnotationSelector is a string that follows the label selection expression
+	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+	// It matches with the resource annotations.
+	annotationSelector?: string @go(AnnotationSelector)
+
+	// LabelSelector is a string that follows the label selection expression
+	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
+	// It matches with the resource labels.
+	labelSelector?: string @go(LabelSelector)
+}

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/sortoptions_go_gen.cue

@@ -0,0 +1,36 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+// SortOptions defines the order that kustomize outputs resources.
+#SortOptions: {
+	// Order selects the ordering strategy.
+	order?: #SortOrder @go(Order)
+
+	// LegacySortOptions tweaks the sorting for the "legacy" sort ordering
+	// strategy.
+	legacySortOptions?: null | #LegacySortOptions @go(LegacySortOptions,*LegacySortOptions)
+}
+
+// SortOrder defines different ordering strategies.
+#SortOrder: string // #enumSortOrder
+
+#enumSortOrder:
+	#LegacySortOrder |
+	#FIFOSortOrder
+
+#LegacySortOrder: #SortOrder & "legacy"
+
+#FIFOSortOrder: #SortOrder & "fifo"
+
+// LegacySortOptions define various options for tweaking the "legacy" ordering
+// strategy.
+#LegacySortOptions: {
+	// OrderFirst selects the resource kinds to order first.
+	orderFirst: [...string] @go(OrderFirst,[]string)
+
+	// OrderLast selects the resource kinds to order last.
+	orderLast: [...string] @go(OrderLast,[]string)
+}

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/typemeta_go_gen.cue

@@ -0,0 +1,12 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+// TypeMeta partially copies apimachinery/pkg/apis/meta/v1.TypeMeta
+// No need for a direct dependence; the fields are stable.
+#TypeMeta: {
+	kind?:       string @go(Kind)
+	apiVersion?: string @go(APIVersion)
+}

docs/examples/cue.mod/gen/sigs.k8s.io/kustomize/api/types/var_go_gen.cue

@@ -0,0 +1,45 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go sigs.k8s.io/kustomize/api/types
+
+package types
+
+// Var represents a variable whose value will be sourced
+// from a field in a Kubernetes object.
+#Var: {
+	// Value of identifier name e.g. FOO used in container args, annotations
+	// Appears in pod template as $(FOO)
+	name: string @go(Name)
+
+	// ObjRef must refer to a Kubernetes resource under the
+	// purview of this kustomization. ObjRef should use the
+	// raw name of the object (the name specified in its YAML,
+	// before addition of a namePrefix and a nameSuffix).
+	objref: #Target @go(ObjRef)
+
+	// FieldRef refers to the field of the object referred to by
+	// ObjRef whose value will be extracted for use in
+	// replacing $(FOO).
+	// If unspecified, this defaults to fieldPath: $defaultFieldPath
+	fieldref?: #FieldSelector @go(FieldRef)
+}
+
+// Target refers to a kubernetes object by Group, Version, Kind and Name
+// gvk.Gvk contains Group, Version and Kind
+// APIVersion is added to keep the backward compatibility of using ObjectReference
+// for Var.ObjRef
+#Target: {
+	apiVersion?: string @go(APIVersion)
+	name:        string @go(Name)
+	namespace?:  string @go(Namespace)
+}
+
+// FieldSelector contains the fieldPath to an object field.
+// This struct is added to keep the backward compatibility of using ObjectFieldSelector
+// for Var.FieldRef
+#FieldSelector: {
+	fieldPath?: string @go(FieldPath)
+}
+
+// byName is a sort interface which sorts Vars by name alphabetically
+_#byName: [...#Var]

docs/examples/cue.mod/usr/github.com/holos-run/holos/api/v1alpha1/buildplan.cue

@@ -0,0 +1,8 @@
+package v1alpha1
+
+// #BuildPlan is the API contract between CUE and the Holos cli.
+// Holos requires CUE to evaluate and provide a valid #BuildPlan.
+#BuildPlan: {
+	kind:       #BuildPlanKind
+	apiVersion: #APIVersion
+}

docs/examples/cue.mod/usr/github.com/holos-run/holos/api/v1alpha1/constraints.cue

@@ -0,0 +1 @@
+package v1alpha1

docs/examples/cue.mod/usr/github.com/holos-run/holos/api/v1alpha1/defaults.cue

@@ -0,0 +1,5 @@
+package v1alpha1
+
+#HolosComponent: Skip: true | *false
+
+#HelmChart: enableHooks: true | *false

docs/examples/cue.mod/usr/k8s.io/api/apps/v1/types.cue

@@ -1,6 +1,6 @@
 package v1
 
 #Deployment: {
-  apiVersion: "apps/v1"
-  kind: "Deployment"
+	apiVersion: "apps/v1"
+	kind:       "Deployment"
 }

docs/examples/cue.mod/usr/k8s.io/api/batch/v1/types.cue

@@ -1,11 +1,11 @@
 package v1
 
 #CronJob: {
-  apiVersion: "batch/v1"
-  kind: "CronJob"
+	apiVersion: "batch/v1"
+	kind:       "CronJob"
 }
 
 #Job: {
-  apiVersion: "batch/v1"
-  kind: "Job"
+	apiVersion: "batch/v1"
+	kind:       "Job"
 }

docs/examples/cue.mod/usr/k8s.io/api/core/v1/types.cue

@@ -1,26 +1,26 @@
 package v1
 
 #Namespace: {
-  apiVersion: "v1"
-  kind: "Namespace"
+	apiVersion: "v1"
+	kind:       "Namespace"
 }
 
 #ConfigMap: {
-  apiVersion: "v1"
-  kind: "ConfigMap"
+	apiVersion: "v1"
+	kind:       "ConfigMap"
 }
 
 #ServiceAccount: {
-  apiVersion: "v1"
-  kind: "ServiceAccount"
+	apiVersion: "v1"
+	kind:       "ServiceAccount"
 }
 
 #Pod: {
-  apiVersion: "v1"
-  kind: "Pod"
+	apiVersion: "v1"
+	kind:       "Pod"
 }
 
 #Service: {
-  apiVersion: "v1"
-  kind: "Service"
+	apiVersion: "v1"
+	kind:       "Service"
 }

docs/examples/cue.mod/usr/sigs.k8s.io/kustomize/api/types/patch_go.cue

@@ -0,0 +1,15 @@
+package types
+
+#Patch: {
+	// Path is a relative file path to the patch file.
+	path?: string @go(Path)
+
+	// Patch is the content of a patch.
+	patch?: string @go(Patch)
+
+	// Target points to the resources that the patch is applied to
+	target?: #Target | #Selector @go(Target,*Selector)
+
+	// Options is a list of options for the patch
+	options?: {[string]: bool} @go(Options,map[string]bool)
+}

docs/examples/cue.mod/usr/sigs.k8s.io/kustomize/api/types/var_go.cue

@@ -0,0 +1,7 @@
+package types
+
+#Target: {
+	group?:   string @go(Group)
+	version?: string @go(Version)
+	kind?:    string @go(Kind)
+}

docs/examples/helpers.cue

@@ -0,0 +1,38 @@
+package holos
+
+import "encoding/yaml"
+
+// #APIObjects is the output type for api objects produced by cue.
+#APIObjects: {
+	// apiObjects holds each the api objects produced by cue.
+	apiObjects: {
+		[Kind=_]: {
+			[string]: {
+				kind: Kind
+				...
+			}
+		}
+		Namespace?: [Name=_]: #Namespace & {metadata: name: Name}
+		ExternalSecret?: [Name=_]: #ExternalSecret & {_name: Name}
+		VirtualService?: [Name=_]: #VirtualService & {metadata: name: Name}
+		Issuer?: [Name=_]: #Issuer & {metadata: name: Name}
+		Gateway?: [Name=_]: #Gateway & {metadata: name: Name}
+		ConfigMap?: [Name=_]: #ConfigMap & {metadata: name: Name}
+
+		Deployment?: [_]:            #Deployment
+		RequestAuthentication?: [_]: #RequestAuthentication
+		AuthorizationPolicy?: [_]:   #AuthorizationPolicy
+	}
+
+	// apiObjectMap holds the marshalled representation of apiObjects
+	apiObjectMap: {
+		for kind, v in apiObjects {
+			"\(kind)": {
+				for name, obj in v {
+					"\(name)": yaml.Marshal(obj)
+				}
+			}
+		}
+		...
+	}
+}

docs/examples/holos.cue

@@ -0,0 +1,117 @@
+package holos
+
+import (
+	"encoding/yaml"
+	h "github.com/holos-run/holos/api/v1alpha1"
+	kc "sigs.k8s.io/kustomize/api/types"
+	ksv1 "kustomize.toolkit.fluxcd.io/kustomization/v1"
+)
+
+// The overall structure of the data is:
+// 1 CUE Instance => 1 BuildPlan => 0..N HolosComponents
+
+// Holos requires CUE to evaluate and provide a valid BuildPlan.
+// Constrain each CUE instance to output a BuildPlan.
+{} & h.#BuildPlan
+
+let DependsOn = {[Name=_]: name: string & Name}
+
+// #HolosComponent defines struct fields common to all holos component types.
+#HolosComponent: {
+	h.#HolosComponent
+	_dependsOn: DependsOn
+	let DEPENDS_ON = _dependsOn
+	metadata: name: string
+	#namelen: len(metadata.name) & >=1
+	let Name = metadata.name
+
+	// TODO: ksContent needs to be component scoped, not instance scoped.
+	ksContent: yaml.Marshal(#Kustomization & {
+		_dependsOn: DEPENDS_ON
+		metadata: name: Name
+	})
+	// Leave the HolosComponent open for components with additional fields like HelmChart.
+	// Refer to https://cuelang.org/docs/tour/types/closed/
+	...
+}
+
+//#KustomizeFiles represents resources for holos to write into files for kustomize post-processing.
+#KustomizeFiles: {
+	// Objects collects files for Holos to write for kustomize post-processing.
+	Objects: "kustomization.yaml": #Kustomize
+	// Files holds the marshaled output of Objects holos writes to the filesystem before calling the kustomize post-processor.
+	Files: {
+		for filename, obj in Objects {
+			"\(filename)": yaml.Marshal(obj)
+		}
+	}
+}
+
+// Holos component types.
+#HelmChart: #HolosComponent & h.#HelmChart & {
+	_values: {...}
+	_kustomizeFiles: #KustomizeFiles
+
+	// Render the values to yaml for holos to provide to helm.
+	valuesContent: yaml.Marshal(_values)
+	// Kustomize post-processor
+	// resources is the intermediate file name for api objects.
+	resourcesFile: h.#ResourcesFile
+	// kustomizeFiles represents the files in a kustomize directory tree.
+	kustomizeFiles: _kustomizeFiles.Files
+
+	chart: h.#Chart & {
+		name:    string
+		release: string | *name
+	}
+}
+#KubernetesObjects: #HolosComponent & h.#KubernetesObjects
+#KustomizeBuild:    #HolosComponent & h.#KustomizeBuild
+
+// #ClusterName is the cluster name for cluster scoped resources.
+#ClusterName: #InputKeys.cluster
+
+// Flux Kustomization CRDs
+#Kustomization: #NamespaceObject & ksv1.#Kustomization & {
+	_dependsOn: DependsOn
+
+	metadata: {
+		name:      string
+		namespace: string | *"flux-system"
+	}
+	spec: ksv1.#KustomizationSpec & {
+		interval:      string | *"30m0s"
+		path:          string | *"deploy/clusters/\(#InputKeys.cluster)/components/\(metadata.name)"
+		prune:         bool | *true
+		retryInterval: string | *"2m0s"
+		sourceRef: {
+			kind: string | *"GitRepository"
+			name: string | *"flux-system"
+		}
+		suspend?:         bool
+		targetNamespace?: string
+		timeout:          string | *"3m0s"
+		// wait performs health checks for all reconciled resources. If set to true, .spec.healthChecks is ignored.
+		// Setting this to true for all components generates considerable load on the api server from watches.
+		// Operations are additionally more complicated when all resources are watched.  Consider setting wait true for
+		// relatively simple components, otherwise target specific resources with spec.healthChecks.
+		wait: true | *false
+		dependsOn: [for k, v in _dependsOn {v}, ...]
+	}
+}
+
+// #Kustomize represents the kustomize post processor.
+#Kustomize: kc.#Kustomization & {
+	_patches: {[_]: kc.#Patch}
+	apiVersion: "kustomize.config.k8s.io/v1beta1"
+	kind:       "Kustomization"
+	// resources are file names holos will use to store intermediate component output for kustomize to post-process (i.e. helm template | kubectl kustomize)
+	// See the related resourcesFile field of the holos component.
+	resources: [h.#ResourcesFile]
+	if len(_patches) > 0 {
+		patches: [for v in _patches {v}]
+	}
+}
+
+// So components don't need to import the package.
+#Patch: kc.#Patch

docs/examples/meshconfig.cue

@@ -0,0 +1,54 @@
+package holos
+
+// #MeshConfig provides the istio meshconfig in the config key given projects.
+#MeshConfig: {
+	projects: #Projects
+	// clusterName is the value of the --cluster-name flag, the cluster currently being manged / rendered.
+	clusterName: string | *#ClusterName
+
+	// for extAuthzHttp extension providers
+	extensionProviderMap: [Name=_]: #ExtAuthzProxy & {name: Name}
+	// for other extension providers like zipkin
+	extensionProviderExtraMap: [Name=_]: {name: Name}
+
+	config: {
+		accessLogEncoding: string | *"JSON"
+		accessLogFile:     string | *"/dev/stdout"
+		defaultConfig: {
+			discoveryAddress: string | *"istiod.istio-system.svc:15012"
+			tracing: zipkin: address: string | *"zipkin.istio-system:9411"
+		}
+		defaultProviders: metrics: [...string] | *["prometheus"]
+		enablePrometheusMerge: false | *true
+		rootNamespace:         string | *"istio-system"
+		trustDomain:           string | *"cluster.local"
+		extensionProviders: [
+			for x in extensionProviderMap {x},
+			for y in extensionProviderExtraMap {y},
+		]
+	}
+}
+
+// #ExtAuthzProxy defines the provider configuration for an istio external authorization auth proxy.
+#ExtAuthzProxy: {
+	name: string
+	envoyExtAuthzHttp: {
+		headersToDownstreamOnDeny: [
+			"content-type",
+			"set-cookie",
+		]
+		headersToUpstreamOnAllow: [
+			"authorization",
+			"path",
+			"x-oidc-id-token",
+		]
+		includeAdditionalHeadersInCheck: "X-Auth-Request-Redirect": "%REQ(x-forwarded-proto)%://%REQ(:authority)%%REQ(:path)%%REQ(:query)%"
+		includeRequestHeadersInCheck: [
+			"authorization",
+			"cookie",
+			"x-forwarded-for",
+		]
+		port:    4180
+		service: string
+	}
+}

docs/examples/optionalservices.cue

@@ -0,0 +1,46 @@
+// Controls optional feature flags for services distributed across multiple holos components.
+// For example, enable issuing certificates in the provisioner cluster when an optional service is
+// enabled for a workload cluster.
+package holos
+
+import "list"
+
+#OptionalService: {
+	name:    string
+	enabled: true | *false
+	clusters: [Name=_]: #Platform.clusters[Name]
+	clusterNames: [for c in clusters {c.name}]
+
+	managedNamespaces: [Name=_]: #ManagedNamespace & {
+		namespace: metadata: name: Name
+		clusterNames: ["provisioner", for c in clusters {c.name}]
+	}
+	// servers represents istio Gateway.spec.servers.hosts entries
+	// Refer to istio/gateway/gateway.cue
+	servers: [Name=_]: {
+		hosts: [...string]
+		port: name:          Name
+		port: number:        443
+		port: protocol:      "HTTPS"
+		tls: credentialName: string
+		tls: mode:           "SIMPLE"
+	}
+	// public tls certs should align to hosts.
+	certs: [Name=_]: #Certificate & {
+		metadata: name: Name
+	}
+}
+
+#OptionalServices: {
+	[Name=_]: #OptionalService & {
+		name: Name
+	}
+}
+
+for svc in #OptionalServices {
+	for nsName, ns in svc.managedNamespaces {
+		if svc.enabled && list.Contains(ns.clusterNames, #ClusterName) {
+			#ManagedNamespaces: "\(nsName)": ns
+		}
+	}
+}

docs/examples/platforms/optional.site.cue

@@ -0,0 +1,56 @@
+package holos
+
+let CoreDomain = "core.\(#Platform.org.domain)"
+let TargetNamespace = "prod-core-vault"
+
+#OptionalServices: {
+	vault: {
+		enabled: true
+		clusters: core1: _
+		clusters: core2: _
+		managedNamespaces: "prod-core-vault": {
+			namespace: metadata: labels: "istio-injection": "enabled"
+		}
+		certs: "vault-core": #Certificate & {
+			metadata: name:      "vault-core"
+			metadata: namespace: "istio-ingress"
+			spec: {
+				commonName: "vault.\(CoreDomain)"
+				dnsNames: [commonName]
+				secretName: metadata.name
+				issuerRef: kind: "ClusterIssuer"
+				issuerRef: name: string | *"letsencrypt"
+			}
+		}
+		servers: "https-vault-core": {
+			hosts: ["\(TargetNamespace)/vault.\(CoreDomain)"]
+			tls: credentialName: certs."vault-core".spec.secretName
+		}
+		for k, v in clusters {
+			let obj = (Cert & {Name: "vault-core", Cluster: v.name}).APIObject
+			certs: "\(obj.metadata.name)": obj
+			servers: "https-\(obj.metadata.name)": {
+				hosts: [for host in obj.spec.dnsNames {"\(TargetNamespace)/\(host)"}]
+				tls: credentialName: obj.spec.secretName
+			}
+		}
+	}
+}
+
+// Cert provisions a cluster specific certificate.
+let Cert = {
+	Name:    string
+	Cluster: string
+
+	APIObject: #Certificate & {
+		metadata: name:      "\(Cluster)-\(Name)"
+		metadata: namespace: string | *"istio-ingress"
+		spec: {
+			commonName: string | *"vault.\(Cluster).\(CoreDomain)"
+			dnsNames: [commonName]
+			secretName: metadata.name
+			issuerRef: kind: "ClusterIssuer"
+			issuerRef: name: string | *"letsencrypt"
+		}
+	}
+}

docs/examples/platforms/reference/certificates.cue

@@ -0,0 +1,62 @@
+package holos
+
+#PlatformCerts: {
+	// Globally scoped platform services are defined here.
+	login: #PlatformCert & {
+		_name:        "login"
+		_wildcard:    true
+		_description: "Cert for Zitadel oidc identity provider for iam services"
+	}
+
+	// Cluster scoped services are defined here.
+	for cluster in #Platform.clusters {
+		"\(cluster.name)-httpbin": #ClusterCert & {
+			_name:        "httpbin"
+			_cluster:     cluster.name
+			_description: "Test endpoint to verify the service mesh ingress gateway"
+		}
+	}
+}
+
+// #PlatformCert provisions a cert in the provisioner cluster.
+// Workload clusters use ExternalSecret resources to fetch the Secret tls key and cert from the provisioner cluster.
+#PlatformCert: #Certificate & {
+	_name:     string
+	_wildcard: true | *false
+	metadata: name:      string | *_name
+	metadata: namespace: string | *"istio-ingress"
+	spec: {
+		commonName: string | *"\(_name).\(#Platform.org.domain)"
+		if _wildcard {
+			dnsNames: [commonName, "*.\(commonName)"]
+		}
+		if !_wildcard {
+			dnsNames: [commonName]
+		}
+		secretName: metadata.name
+		issuerRef: kind: "ClusterIssuer"
+		issuerRef: name: string | *"letsencrypt"
+	}
+}
+
+// #ClusterCert provisions a cluster specific certificate.
+#ClusterCert: #Certificate & {
+	_name:     string
+	_cluster:  string
+	_wildcard: true | *false
+	// Enforce this value
+	metadata: name:      "\(_cluster)-\(_name)"
+	metadata: namespace: string | *"istio-ingress"
+	spec: {
+		commonName: string | *"\(_name).\(_cluster).\(#Platform.org.domain)"
+		if _wildcard {
+			dnsNames: [commonName, "*.\(commonName)"]
+		}
+		if !_wildcard {
+			dnsNames: [commonName]
+		}
+		secretName: metadata.name
+		issuerRef: kind: "ClusterIssuer"
+		issuerRef: name: string | *"letsencrypt"
+	}
+}

docs/examples/platforms/reference/clusters/accounts/iam/iam.cue

@@ -0,0 +1,7 @@
+package holos
+
+// Components under this directory are part of this collection
+#InputKeys: project: "iam"
+
+// Shared dependencies for all components in this collection.
+#DependsOn: namespaces: name: "\(#StageName)-secrets-namespaces"

docs/examples/platforms/reference/clusters/accounts/iam/readme.md

@@ -0,0 +1,17 @@
+# IAM
+
+The IAM service provides identity and access management for a holos managed platform.  Zitadel is the identity provider which integrates tightly with:
+
+ 1. AuthorizationPolicy at the level of the service mesh.
+ 2. Application level oidc login (ArgoCD, Grafana, etc...)
+ 3. Cloud provider IAM via oidc.
+
+## Preflight
+
+The zitadel master key needs to have a data key named `masterkey` with a Secret name of `zitadel-masterkey`.
+
+```bash
+holos create secret zitadel-masterkey --namespace prod-iam-zitadel --append-hash=false --data-stdin <<EOF
+{"masterkey":"$(tr -dc A-Za-z0-9 </dev/urandom | head -c 32)"}
+EOF
+```

docs/examples/platforms/reference/clusters/accounts/iam/zitadel/postgres-certs/postgres-certs.cue

@@ -0,0 +1,39 @@
+package holos
+
+#InputKeys: component: "postgres-certs"
+
+let SecretNames = {
+	[Name=_]: {name: Name}
+	"\(_DBName)-primary-tls": _
+	"\(_DBName)-repl-tls":    _
+	"\(_DBName)-client-tls":  _
+	"\(_DBName)-root-ca":     _
+}
+
+#Kustomization: spec: targetNamespace: #TargetNamespace
+#Kustomization: spec: healthChecks: [
+	for s in SecretNames {
+		apiVersion: "external-secrets.io/v1beta1"
+		kind:       "ExternalSecret"
+		name:       s.name
+		namespace:  #TargetNamespace
+	},
+]
+
+spec: components: KubernetesObjectsList: [
+	#KubernetesObjects & {
+		metadata: name: "prod-iam-postgres-certs"
+
+		_dependsOn: "prod-secrets-stores": _
+
+		apiObjectMap: OBJECTS.apiObjectMap
+	},
+]
+
+let OBJECTS = #APIObjects & {
+	apiObjects: {
+		for s in SecretNames {
+			ExternalSecret: "\(s.name)": _
+		}
+	}
+}

docs/examples/platforms/reference/clusters/accounts/iam/zitadel/postgres/postgres.cue

@@ -0,0 +1,199 @@
+package holos
+
+#InputKeys: component:        "postgres"
+#DependsOn: "postgres-certs": _
+
+let Cluster = #Platform.clusters[#ClusterName]
+let S3Secret = "pgo-s3-creds"
+let ZitadelUser = _DBName
+let ZitadelAdmin = "\(_DBName)-admin"
+
+// This must be an external storage bucket for our architecture.
+let BucketRepoName = "repo2"
+
+// Restore options.  Set the timestamp to a known good point in time.
+// time="2024-03-11T17:08:58Z" level=info msg="crunchy-pgbackrest ends"
+// let RestoreOptions = ["--type=time", "--target=\"2024-03-11 17:10:00+00\""]
+
+// Restore the most recent backup.
+let RestoreOptions = []
+
+#Kustomization: spec: healthChecks: [
+	{
+		apiVersion: "external-secrets.io/v1beta1"
+		kind:       "ExternalSecret"
+		name:       S3Secret
+		namespace:  #TargetNamespace
+	},
+	{
+		apiVersion: "postgres-operator.crunchydata.com/v1beta1"
+		kind:       "PostgresCluster"
+		name:       _DBName
+		namespace:  #TargetNamespace
+	},
+]
+
+spec: components: KubernetesObjectsList: [
+	#KubernetesObjects & {
+		metadata: name: "prod-iam-postgres"
+
+		_dependsOn: "prod-secrets-namespaces": _
+		_dependsOn: "prod-iam-postgres-certs": _
+		apiObjectMap: OBJECTS.apiObjectMap
+	},
+]
+
+let OBJECTS = #APIObjects & {
+	apiObjects: {
+		ExternalSecret: "\(S3Secret)": _
+		PostgresCluster: db: #PostgresCluster & HighlyAvailable & {
+			metadata: name:      _DBName
+			metadata: namespace: #TargetNamespace
+			spec: {
+				image:           "registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi8-16.2-0"
+				postgresVersion: 16
+				// Custom certs are necessary for streaming standby replication which we use to replicate between two regions.
+				// Refer to https://access.crunchydata.com/documentation/postgres-operator/latest/tutorials/backups-disaster-recovery/disaster-recovery#streaming-standby
+				customTLSSecret: name:            "\(_DBName)-primary-tls"
+				customReplicationTLSSecret: name: "\(_DBName)-repl-tls"
+				// Refer to https://access.crunchydata.com/documentation/postgres-operator/latest/references/crd/5.5.x/postgrescluster#postgresclusterspecusersindex
+				users: [
+					{name: ZitadelUser},
+					// NOTE: Users with SUPERUSER role cannot log in through pgbouncer.  Use options that allow zitadel admin to use pgbouncer.
+					// Refer to: https://github.com/CrunchyData/postgres-operator/issues/3095#issuecomment-1904712211
+					{name: ZitadelAdmin, options: "CREATEDB CREATEROLE", databases: [_DBName, "postgres"]},
+				]
+				users: [...{databases: [_DBName, ...]}]
+				instances: [{
+					replicas: 2
+					dataVolumeClaimSpec: {
+						accessModes: ["ReadWriteOnce"]
+						resources: requests: storage: "10Gi"
+					}
+				}]
+				standby: {
+					repoName: BucketRepoName
+					if Cluster.primary {
+						enabled: false
+					}
+					if !Cluster.primary {
+						enabled: true
+					}
+				}
+				// Restore from backup if and only if the cluster is primary
+				if Cluster.primary {
+					dataSource: pgbackrest: {
+						stanza:        "db"
+						configuration: backups.pgbackrest.configuration
+						// Restore from known good full backup taken
+						options: RestoreOptions
+						global: {
+							"\(BucketRepoName)-path":        "/pgbackrest/\(#TargetNamespace)/\(metadata.name)/\(BucketRepoName)"
+							"\(BucketRepoName)-cipher-type": "aes-256-cbc"
+						}
+						repo: {
+							name: BucketRepoName
+							s3:   backups.pgbackrest.repos[1].s3
+						}
+					}
+				}
+
+				// Refer to https://access.crunchydata.com/documentation/postgres-operator/latest/tutorials/backups-disaster-recovery/backups
+				backups: pgbackrest: {
+					configuration: [{secret: name: S3Secret}]
+					// Defines details for manual pgBackRest backup Jobs
+					manual: {
+						// Note: the repoName value must match the config keys in the S3Secret.
+						// This must be an external repository for backup / restore / regional failovers.
+						repoName: BucketRepoName
+						options: ["--type=full", ...]
+					}
+					// Defines details for performing an in-place restore using pgBackRest
+					restore: {
+						// Enables triggering a restore by annotating the postgrescluster with postgres-operator.crunchydata.com/pgbackrest-restore="$(date)"
+						enabled:  true
+						repoName: BucketRepoName
+					}
+					global: {
+						// Store only one full backup in the PV because it's more expensive than object storage.
+						"\(repos[0].name)-retention-full": "1"
+						// Store 14 days of full backups in the bucket.
+						"\(BucketRepoName)-retention-full":      string | *"14"
+						"\(BucketRepoName)-retention-full-type": "count" | *"time" // time in days
+						// Refer to https://access.crunchydata.com/documentation/postgres-operator/latest/tutorials/backups-disaster-recovery/backups#encryption
+						"\(BucketRepoName)-cipher-type": "aes-256-cbc"
+						// "The convention we recommend for setting this variable is /pgbackrest/$NAMESPACE/$CLUSTER_NAME/repoN"
+						// Ref: https://access.crunchydata.com/documentation/postgres-operator/latest/tutorials/backups-disaster-recovery/backups#understanding-backup-configuration-and-basic-operations
+						"\(BucketRepoName)-path": "/pgbackrest/\(#TargetNamespace)/\(metadata.name)/\(manual.repoName)"
+					}
+					repos: [
+						{
+							name: "repo1"
+							volume: volumeClaimSpec: {
+								accessModes: ["ReadWriteOnce"]
+								resources: requests: storage: string | *"4Gi"
+							}
+						},
+						{
+							name: BucketRepoName
+							// Full backup weekly on Sunday at 1am, differntial daily at 1am every day except Sunday.
+							schedules: full:         string | *"0 1 * * 0"
+							schedules: differential: string | *"0 1 * * 1-6"
+							s3: {
+								bucket:   string | *"\(#Platform.org.name)-zitadel-backups"
+								region:   string | *#Backups.s3.region
+								endpoint: string | *"s3.dualstack.\(region).amazonaws.com"
+							}
+						},
+					]
+				}
+			}
+		}
+	}
+}
+
+// Refer to https://github.com/holos-run/postgres-operator-examples/blob/main/kustomize/high-availability/ha-postgres.yaml
+let HighlyAvailable = {
+	apiVersion: "postgres-operator.crunchydata.com/v1beta1"
+	kind:       "PostgresCluster"
+	metadata: name: string
+	spec: {
+		image:           "registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi8-16.2-0"
+		postgresVersion: 16
+		instances: [{
+			name:     "pgha1"
+			replicas: 2
+			dataVolumeClaimSpec: {
+				accessModes: ["ReadWriteOnce"]
+				resources: requests: storage: string | *"10Gi"
+			}
+			affinity: podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution: [{
+				weight: 1
+				podAffinityTerm: {
+					topologyKey: "kubernetes.io/hostname"
+					labelSelector: matchLabels: {
+						"postgres-operator.crunchydata.com/cluster":      metadata.name
+						"postgres-operator.crunchydata.com/instance-set": name
+					}
+				}
+			}]
+		}]
+		backups: pgbackrest: {
+			image: "registry.developers.crunchydata.com/crunchydata/crunchy-pgbackrest:ubi8-2.49-0"
+		}
+		proxy: pgBouncer: {
+			image:    "registry.developers.crunchydata.com/crunchydata/crunchy-pgbouncer:ubi8-1.21-3"
+			replicas: 2
+			affinity: podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution: [{
+				weight: 1
+				podAffinityTerm: {
+					topologyKey: "kubernetes.io/hostname"
+					labelSelector: matchLabels: {
+						"postgres-operator.crunchydata.com/cluster": metadata.name
+						"postgres-operator.crunchydata.com/role":    "pgbouncer"
+					}
+				}
+			}]
+		}
+	}
+}

docs/examples/platforms/reference/clusters/accounts/iam/zitadel/zitadel.cue

@@ -0,0 +1,11 @@
+package holos
+
+#InstancePrefix:  "prod-iam"
+#TargetNamespace: #InstancePrefix + "-zitadel"
+
+// _DBName is the database name used across multiple holos components in this project
+_DBName: "zitadel"
+
+// The canonical login domain for the entire platform.  Zitadel will be active
+// on a single cluster at a time, but always accessible from this domain.
+#ExternalDomain: "login.\(#Platform.org.domain)"

docs/examples/platforms/reference/clusters/accounts/iam/zitadel/zitadel/values.cue

@@ -0,0 +1,251 @@
+package holos
+
+#Values: {
+
+	// Default values for zitadel.
+	zitadel: {
+		// The ZITADEL config under configmapConfig is written to a Kubernetes ConfigMap
+		// See all defaults here:
+		// https://github.com/zitadel/zitadel/blob/main/cmd/defaults.yaml
+		configmapConfig: {
+			ExternalSecure: true
+			Machine: Identification: {
+				Hostname: Enabled: true
+				Webhook: Enabled:  false
+			}
+		}
+
+		// The ZITADEL config under secretConfig is written to a Kubernetes Secret
+		// See all defaults here:
+		// https://github.com/zitadel/zitadel/blob/main/cmd/defaults.yaml
+		secretConfig: null
+
+		// Annotations set on secretConfig secret
+		secretConfigAnnotations: {
+			"helm.sh/hook":               "pre-install,pre-upgrade"
+			"helm.sh/hook-delete-policy": "before-hook-creation"
+			"helm.sh/hook-weight":        "0"
+		}
+
+		// Reference the name of a secret that contains ZITADEL configuration.
+		configSecretName: null
+		// The key under which the ZITADEL configuration is located in the secret.
+		configSecretKey: "config-yaml"
+
+		// ZITADEL uses the masterkey for symmetric encryption.
+		// You can generate it for example with tr -dc A-Za-z0-9 </dev/urandom | head -c 32
+		masterkey: ""
+		// Reference the name of the secret that contains the masterkey. The key should be named "masterkey".
+		// Note: Either zitadel.masterkey or zitadel.masterkeySecretName must be set
+		masterkeySecretName: string | *""
+
+		// Annotations set on masterkey secret
+		masterkeyAnnotations: {
+			"helm.sh/hook":               "pre-install,pre-upgrade"
+			"helm.sh/hook-delete-policy": "before-hook-creation"
+			"helm.sh/hook-weight":        "0"
+		}
+
+		// The CA Certificate needed for establishing secure database connections
+		dbSslCaCrt: ""
+
+		// The Secret containing the CA certificate at key ca.crt needed for establishing secure database connections
+		dbSslCaCrtSecret: string | *""
+
+		// The db admins secret containing the client certificate and key at tls.crt and tls.key needed for establishing secure database connections
+		dbSslAdminCrtSecret: string | *""
+
+		// The db users secret containing the client certificate and key at tls.crt and tls.key needed for establishing secure database connections
+		dbSslUserCrtSecret: string | *""
+
+		// Generate a self-signed certificate using an init container
+		// This will also mount the generated files to /etc/tls/ so that you can reference them in the pod.
+		// E.G. KeyPath: /etc/tls/tls.key CertPath: /etc/tls/tls.crt
+		// By default, the SAN DNS names include, localhost, the POD IP address and the POD name. You may include one more by using additionalDnsName like "my.zitadel.fqdn".
+		selfSignedCert: {
+			enabled:           false
+			additionalDnsName: null
+		}
+	}
+
+	replicaCount: 3
+
+	image: {
+		repository: "ghcr.io/zitadel/zitadel"
+		pullPolicy: "IfNotPresent"
+		// Overrides the image tag whose default is the chart appVersion.
+		tag: ""
+	}
+
+	chownImage: {
+		repository: "alpine"
+		pullPolicy: "IfNotPresent"
+		tag:        "3.19"
+	}
+
+	imagePullSecrets: []
+	nameOverride:     ""
+	fullnameOverride: ""
+
+	// Annotations to add to the deployment
+	annotations: {}
+
+	// Annotations to add to the configMap
+	configMap: {
+		annotations: {
+			"helm.sh/hook":               "pre-install,pre-upgrade"
+			"helm.sh/hook-delete-policy": "before-hook-creation"
+			"helm.sh/hook-weight":        "0"
+		}
+	}
+
+	serviceAccount: {
+		// Specifies whether a service account should be created
+		create: true
+		// Annotations to add to the service account
+		annotations: {
+			"helm.sh/hook":               "pre-install,pre-upgrade"
+			"helm.sh/hook-delete-policy": "before-hook-creation"
+			"helm.sh/hook-weight":        "0"
+		}
+		// The name of the service account to use.
+		// If not set and create is true, a name is generated using the fullname template
+		name: ""
+	}
+
+	podAnnotations: {}
+
+	podAdditionalLabels: {}
+
+	podSecurityContext: {
+		runAsNonRoot: true
+		runAsUser:    1000
+	}
+
+	securityContext: {}
+
+	// Additional environment variables
+	env: [...]
+	// - name: ZITADEL_DATABASE_POSTGRES_HOST
+	//   valueFrom:
+	//     secretKeyRef:
+	//       name: postgres-pguser-postgres
+	//       key: host
+
+	service: {
+		type: "ClusterIP"
+		// If service type is "ClusterIP", this can optionally be set to a fixed IP address.
+		clusterIP: ""
+		port:      8080
+		protocol:  "http2"
+		annotations: {}
+		scheme: "HTTP"
+	}
+
+	ingress: {
+		enabled:   false
+		className: ""
+		annotations: {}
+		hosts: [{
+			host: "localhost"
+			paths: [{
+				path:     "/"
+				pathType: "Prefix"
+			}]
+		}]
+		tls: []
+	}
+
+	resources: {}
+
+	nodeSelector: {}
+
+	tolerations: []
+
+	affinity: {}
+
+	topologySpreadConstraints: []
+
+	initJob: {
+		// Once ZITADEL is installed, the initJob can be disabled.
+		enabled: true
+		annotations: {
+			"helm.sh/hook":               "pre-install,pre-upgrade"
+			"helm.sh/hook-delete-policy": "before-hook-creation"
+			"helm.sh/hook-weight":        "1"
+		}
+		resources: {}
+		backoffLimit:          5
+		activeDeadlineSeconds: 300
+		extraContainers: []
+		podAnnotations: {}
+		// Available init commands :
+		// "": initialize ZITADEL instance (without skip anything)
+		// database: initialize only the database
+		// grant: set ALL grant to user
+		// user: initialize only the database user
+		// zitadel: initialize ZITADEL internals (skip "create user" and "create database")
+		command: ""
+	}
+
+	setupJob: {
+		annotations: {
+			"helm.sh/hook":               "pre-install,pre-upgrade"
+			"helm.sh/hook-delete-policy": "before-hook-creation"
+			"helm.sh/hook-weight":        "2"
+		}
+		resources: {}
+		activeDeadlineSeconds: 300
+		extraContainers: []
+		podAnnotations: {}
+		additionalArgs: ["--init-projections=true"]
+		machinekeyWriter: {
+			image: {
+				repository: "bitnami/kubectl"
+				tag:        ""
+			}
+			resources: {}
+		}
+	}
+
+	readinessProbe: {
+		enabled:             true
+		initialDelaySeconds: 0
+		periodSeconds:       5
+		failureThreshold:    3
+	}
+
+	livenessProbe: {
+		enabled:             true
+		initialDelaySeconds: 0
+		periodSeconds:       5
+		failureThreshold:    3
+	}
+
+	startupProbe: {
+		enabled:          true
+		periodSeconds:    1
+		failureThreshold: 30
+	}
+
+	metrics: {
+		enabled: false
+		serviceMonitor: {
+			// If true, the chart creates a ServiceMonitor that is compatible with Prometheus Operator
+			// https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#monitoring.coreos.com/v1.ServiceMonitor.
+			// The Prometheus community Helm chart installs this operator
+			// https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack#kube-prometheus-stack
+			enabled:         false
+			honorLabels:     false
+			honorTimestamps: true
+		}
+	}
+
+	pdb: {
+		enabled: false
+		// these values are used for the PDB and are mutally exclusive
+		minAvailable: 1
+		// maxUnavailable: 1
+		annotations: {}
+	}
+}

docs/examples/platforms/reference/clusters/accounts/iam/zitadel/zitadel/values.holos.cue

@@ -0,0 +1,89 @@
+package holos
+
+#Values: {
+	// Database credentials
+	// Refer to https://access.crunchydata.com/documentation/postgres-operator/5.2.0/architecture/user-management/
+	// Refer to https://zitadel.com/docs/self-hosting/manage/database#postgres
+	env: [
+		// Connection
+		{
+			name: "ZITADEL_DATABASE_POSTGRES_HOST"
+			valueFrom: secretKeyRef: name: "\(_DBName)-pguser-\(_DBName)"
+			valueFrom: secretKeyRef: key:  "pgbouncer-host"
+		},
+		{
+			name: "ZITADEL_DATABASE_POSTGRES_PORT"
+			valueFrom: secretKeyRef: name: "\(_DBName)-pguser-\(_DBName)"
+			valueFrom: secretKeyRef: key:  "pgbouncer-port"
+		},
+		{
+			name: "ZITADEL_DATABASE_POSTGRES_DATABASE"
+			valueFrom: secretKeyRef: name: "\(_DBName)-pguser-\(_DBName)"
+			valueFrom: secretKeyRef: key:  "dbname"
+		},
+		// The <db>-pguser-<db> secret contains creds for the unpriviliged zitadel user
+		{
+			name: "ZITADEL_DATABASE_POSTGRES_USER_USERNAME"
+			valueFrom: secretKeyRef: name: "\(_DBName)-pguser-\(_DBName)"
+			valueFrom: secretKeyRef: key:  "user"
+		},
+		{
+			name: "ZITADEL_DATABASE_POSTGRES_USER_PASSWORD"
+			valueFrom: secretKeyRef: name: "\(_DBName)-pguser-\(_DBName)"
+			valueFrom: secretKeyRef: key:  "password"
+		},
+		// The postgres component configures privileged postgres user creds.
+		{
+			name: "ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME"
+			valueFrom: secretKeyRef: name: "\(_DBName)-pguser-\(_DBName)-admin"
+			valueFrom: secretKeyRef: key:  "user"
+		},
+		{
+			name: "ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD"
+			valueFrom: secretKeyRef: name: "\(_DBName)-pguser-\(_DBName)-admin"
+			valueFrom: secretKeyRef: key:  "password"
+		},
+		// CA Cert issued by PGO which issued the pgbouncer tls cert
+		{
+			name:  "ZITADEL_DATABASE_POSTGRES_USER_SSL_ROOTCERT"
+			value: "/\(_PGBouncer)/ca.crt"
+		},
+		{
+			name:  "ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_ROOTCERT"
+			value: "/\(_PGBouncer)/ca.crt"
+		},
+	]
+
+	// Refer to https://zitadel.com/docs/self-hosting/manage/database
+	zitadel: {
+		// Zitadel master key
+		masterkeySecretName: "zitadel-masterkey"
+		// dbSslCaCrtSecret: "pgo-root-cacert"
+
+		// All settings: https://zitadel.com/docs/self-hosting/manage/configure#runtime-configuration-file
+		// Helm interface: https://github.com/zitadel/zitadel-charts/blob/zitadel-7.4.0/charts/zitadel/values.yaml#L20-L21
+		configmapConfig: {
+			// NOTE: You can change the ExternalDomain, ExternalPort and ExternalSecure
+			// configuration options at any time. However, for ZITADEL to be able to
+			// pick up the changes, you need to rerun ZITADELs setup phase.  Do so with
+			// kubectl delete job zitadel-setup, then re-apply the new config.
+			//
+			// https://zitadel.com/docs/self-hosting/manage/custom-domain
+			ExternalSecure: true
+			ExternalDomain: #ExternalDomain
+			ExternalPort:   443
+			TLS: Enabled: false
+
+			// Database connection credentials are injected via environment variables from the db-pguser-db secret.
+			Database: postgres: {
+				MaxOpenConns:    25
+				MaxIdleConns:    10
+				MaxConnLifetime: "1h"
+				MaxConnIdleTime: "5m"
+				// verify-full verifies the host name matches cert dns names in addition to root ca signature
+				User: SSL: Mode:  "verify-full"
+				Admin: SSL: Mode: "verify-full"
+			}
+		}
+	}
+}

docs/examples/platforms/reference/clusters/accounts/iam/zitadel/zitadel/zitadel.cue

@@ -0,0 +1,173 @@
+package holos
+
+import "encoding/yaml"
+
+let Name = "zitadel"
+#InputKeys: component: Name
+
+spec: components: HelmChartList: [
+	#HelmChart & {
+		metadata: name: "\(#InstancePrefix)-zitadel"
+
+		_dependsOn: "prod-secrets-stores":         _
+		_dependsOn: "\(#InstancePrefix)-postgres": _
+
+		namespace:   #TargetNamespace
+		enableHooks: true
+		chart: {
+			name:    Name
+			version: "7.9.0"
+			repository: {
+				name: Name
+				url:  "https://charts.zitadel.com"
+			}
+		}
+		_values:      #Values
+		apiObjectMap: OBJECTS.apiObjectMap
+	},
+]
+
+let OBJECTS = #APIObjects & {
+	apiObjects: {
+		ExternalSecret: "zitadel-masterkey": _
+		VirtualService: "\(Name)": {
+			metadata: name:      Name
+			metadata: namespace: #TargetNamespace
+			spec: hosts: ["login.\(#Platform.org.domain)"]
+			spec: gateways: ["istio-ingress/default"]
+			spec: http: [{route: [{destination: host: Name}]}]
+		}
+	}
+}
+
+// TODO: Generalize this common pattern of injecting the istio sidecar into a Deployment
+let IstioInject = [{op: "add", path: "/spec/template/metadata/labels/sidecar.istio.io~1inject", value: "true"}]
+
+_PGBouncer: "pgbouncer"
+
+let DatabaseCACertPatch = [
+	{
+		op:   "add"
+		path: "/spec/template/spec/volumes/-"
+		value: {
+			name: _PGBouncer
+			secret: {
+				secretName: "\(_DBName)-pgbouncer"
+				items: [{key: "pgbouncer-frontend.ca-roots", path: "ca.crt"}]
+			}
+		}
+	},
+	{
+		op:   "add"
+		path: "/spec/template/spec/containers/0/volumeMounts/-"
+		value: {
+			name:      _PGBouncer
+			mountPath: "/" + _PGBouncer
+		}
+	},
+]
+
+let CAPatch = #Patch & {
+	target: {
+		group:   "apps" | "batch"
+		version: "v1"
+		kind:    "Job" | "Deployment"
+		name:    string
+	}
+	patch: yaml.Marshal(DatabaseCACertPatch)
+}
+
+#Kustomize: _patches: {
+	mesh: {
+		target: {
+			group:   "apps"
+			version: "v1"
+			kind:    "Deployment"
+			name:    Name
+		}
+		patch: yaml.Marshal(IstioInject)
+	}
+	deploymentCA: CAPatch & {
+		target: group: "apps"
+		target: kind:  "Deployment"
+		target: name:  Name
+	}
+	initJob: CAPatch & {
+		target: group: "batch"
+		target: kind:  "Job"
+		target: name:  "\(Name)-init"
+	}
+	setupJob: CAPatch & {
+		target: group: "batch"
+		target: kind:  "Job"
+		target: name:  "\(Name)-setup"
+	}
+	testDisable: {
+		target: {
+			version: "v1"
+			kind:    "Pod"
+			name:    "\(Name)-test-connection"
+		}
+		patch: yaml.Marshal(DisableFluxPatch)
+	}
+	if #IsPrimaryCluster == false {
+		fluxDisable: {
+			target: {
+				group:   "apps"
+				version: "v1"
+				kind:    "Deployment"
+				name:    Name
+			}
+			patch: yaml.Marshal(DisableFluxPatch)
+		}
+		initDisable: {
+			target: {
+				group:   "batch"
+				version: "v1"
+				kind:    "Job"
+				name:    "\(Name)-init"
+			}
+			patch: yaml.Marshal(DisableFluxPatch)
+		}
+		setupDisable: {
+			target: {
+				group:   "batch"
+				version: "v1"
+				kind:    "Job"
+				name:    "\(Name)-setup"
+			}
+			patch: yaml.Marshal(DisableFluxPatch)
+		}
+	}
+}
+
+let DisableFluxPatch = [{op: "replace", path: "/metadata/annotations/kustomize.toolkit.fluxcd.io~1reconcile", value: "disabled"}]
+
+// Upstream helm chart doesn't specify the namespace field for all resources.
+#Kustomization: spec: {
+	targetNamespace: #TargetNamespace
+	wait:            false
+}
+
+if #IsPrimaryCluster == true {
+	#Kustomization: spec: healthChecks: [
+		{
+			apiVersion: "apps/v1"
+			kind:       "Deployment"
+			name:       Name
+			namespace:  #TargetNamespace
+		},
+		{
+			apiVersion: "batch/v1"
+			kind:       "Job"
+			name:       "\(Name)-init"
+			namespace:  #TargetNamespace
+		},
+		{
+			apiVersion: "batch/v1"
+			kind:       "Job"
+			name:       "\(Name)-setup"
+			namespace:  #TargetNamespace
+		},
+	]
+}

docs/examples/platforms/reference/clusters/disabled/iam/zitadel/crdb/cockroachdb.cue

@@ -0,0 +1,20 @@
+package holos
+
+#InputKeys: component: "crdb"
+
+#HelmChart & {
+	namespace: #TargetNamespace
+	chart: {
+		name:    "cockroachdb"
+		version: "11.2.3"
+		repository: {
+			name: "cockroachdb"
+			url:  "https://charts.cockroachdb.com/"
+		}
+	}
+	values: #Values
+	apiObjects: {
+		ExternalSecret: node: #ExternalSecret & {_name: "cockroachdb-node"}
+		ExternalSecret: root: #ExternalSecret & {_name: "cockroachdb-root"}
+	}
+}

docs/examples/platforms/reference/clusters/disabled/iam/zitadel/crdb/values.cue

@@ -0,0 +1,606 @@
+package holos
+
+#Values: {
+
+	// Generated file, DO NOT EDIT. Source: build/templates/values.yaml
+	// Overrides the chart name against the label "app.kubernetes.io/name: " placed on every resource this chart creates.
+	nameOverride: ""
+
+	// Override the resource names created by this chart which originally is generated using release and chart name.
+	fullnameOverride: string | *""
+
+	image: {
+		repository: string | *"cockroachdb/cockroach"
+		tag:        "v23.1.13"
+		pullPolicy: "IfNotPresent"
+		credentials: {}
+	}
+	// registry: docker.io
+	// username: john_doe
+	// password: changeme
+	// Additional labels to apply to all Kubernetes resources created by this chart.
+	labels: {}
+	// app.kubernetes.io/part-of: my-app
+	// Cluster's default DNS domain.
+	// You should overwrite it if you're using a different one,
+	// otherwise CockroachDB nodes discovery won't work.
+	clusterDomain: "cluster.local"
+
+	conf: {
+		// An ordered list of CockroachDB node attributes.
+		// Attributes are arbitrary strings specifying machine capabilities.
+		// Machine capabilities might include specialized hardware or number of cores
+		// (e.g. "gpu", "x16c").
+		attrs: []
+		// - x16c
+		// - gpu
+		// Total size in bytes for caches, shared evenly if there are multiple
+		// storage devices. Size suffixes are supported (e.g. `1GB` and `1GiB`).
+		// A percentage of physical memory can also be specified (e.g. `.25`).
+		cache: "25%"
+
+		// Sets a name to verify the identity of a cluster.
+		// The value must match between all nodes specified via `conf.join`.
+		// This can be used as an additional verification when either the node or
+		// cluster, or both, have not yet been initialized and do not yet know their
+		// cluster ID.
+		// To introduce a cluster name into an already-initialized cluster, pair this
+		// option with `conf.disable-cluster-name-verification: yes`.
+		"cluster-name": ""
+
+		// Tell the server to ignore `conf.cluster-name` mismatches.
+		// This is meant for use when opting an existing cluster into starting to use
+		// cluster name verification, or when changing the cluster name.
+		// The cluster should be restarted once with `conf.cluster-name` and
+		// `conf.disable-cluster-name-verification: yes` combined, and once all nodes
+		// have been updated to know the new cluster name, the cluster can be restarted
+		// again with `conf.disable-cluster-name-verification: no`.
+		// This option has no effect if `conf.cluster-name` is not specified.
+		"disable-cluster-name-verification": false
+
+		// The addresses for connecting a CockroachDB nodes to an existing cluster.
+		// If you are deploying a second CockroachDB instance that should join a first
+		// one, use the below list to join to the existing instance.
+		// Each item in the array should be a FQDN (and port if needed) resolvable by
+		// new Pods.
+		join: []
+
+		// New logging configuration.
+		log: {
+			enabled: false
+			// https://www.cockroachlabs.com/docs/v21.1/configure-logs
+			config: {}
+		}
+		// file-defaults:
+		//   dir: /custom/dir/path/
+		// fluent-defaults:
+		//   format: json-fluent
+		// sinks:
+		//   stderr:
+		//     channels: [DEV]
+		// Logs at or above this threshold to STDERR. Ignored when "log" is enabled
+		logtostderr: "INFO"
+
+		// Maximum storage capacity available to store temporary disk-based data for
+		// SQL queries that exceed the memory budget (e.g. join, sorts, etc are
+		// sometimes able to spill intermediate results to disk).
+		// Accepts numbers interpreted as bytes, size suffixes (e.g. `32GB` and
+		// `32GiB`) or a percentage of disk size (e.g. `10%`).
+		// The location of the temporary files is within the first store dir.
+		// If expressed as a percentage, `max-disk-temp-storage` is interpreted
+		// relative to the size of the storage device on which the first store is
+		// placed. The temp space usage is never counted towards any store usage
+		// (although it does share the device with the first store) so, when
+		// configuring this, make sure that the size of this temp storage plus the size
+		// of the first store don't exceed the capacity of the storage device.
+		// If the first store is an in-memory one (i.e. `type=mem`), then this
+		// temporary "disk" data is also kept in-memory.
+		// A percentage value is interpreted as a percentage of the available internal
+		// memory.
+		// max-disk-temp-storage: 0GB
+		// Maximum allowed clock offset for the cluster. If observed clock offsets
+		// exceed this limit, servers will crash to minimize the likelihood of
+		// reading inconsistent data. Increasing this value will increase the time
+		// to recovery of failures as well as the frequency of uncertainty-based
+		// read restarts.
+		// Note, that this value must be the same on all nodes in the cluster.
+		// In order to change it, all nodes in the cluster must be stopped
+		// simultaneously and restarted with the new value.
+		// max-offset: 500ms
+		// Maximum memory capacity available to store temporary data for SQL clients,
+		// including prepared queries and intermediate data rows during query
+		// execution. Accepts numbers interpreted as bytes, size suffixes
+		// (e.g. `1GB` and `1GiB`) or a percentage of physical memory (e.g. `.25`).
+		"max-sql-memory": "25%"
+
+		// An ordered, comma-separated list of key-value pairs that describe the
+		// topography of the machine. Topography might include country, datacenter
+		// or rack designations. Data is automatically replicated to maximize
+		// diversities of each tier. The order of tiers is used to determine
+		// the priority of the diversity, so the more inclusive localities like
+		// country should come before less inclusive localities like datacenter.
+		// The tiers and order must be the same on all nodes. Including more tiers
+		// is better than including fewer. For example:
+		//   locality: country=us,region=us-west,datacenter=us-west-1b,rack=12
+		//   locality: country=ca,region=ca-east,datacenter=ca-east-2,rack=4
+		//   locality: planet=earth,province=manitoba,colo=secondary,power=3
+		locality: ""
+
+		// Run CockroachDB instances in standalone mode with replication disabled
+		// (replication factor = 1).
+		// Enabling this option makes the following values to be ignored:
+		// - `conf.cluster-name`
+		// - `conf.disable-cluster-name-verification`
+		// - `conf.join`
+		//
+		// WARNING: Enabling this option makes each deployed Pod as a STANDALONE
+		//          CockroachDB instance, so the StatefulSet does NOT FORM A CLUSTER.
+		//          Don't use this option for production deployments unless you clearly
+		//          understand what you're doing.
+		//          Usually, this option is intended to be used in conjunction with
+		//          `statefulset.replicas: 1` for temporary one-time deployments (like
+		//          running E2E tests, for example).
+		"single-node": false
+
+		// If non-empty, create a SQL audit log in the specified directory.
+		"sql-audit-dir": ""
+
+		// CockroachDB's port to listen to inter-communications and client connections.
+		port: 26257
+
+		// CockroachDB's port to listen to HTTP requests.
+		"http-port": 8080
+
+		// CockroachDB's data mount path.
+		path: "cockroach-data"
+
+		// CockroachDB's storage configuration https://www.cockroachlabs.com/docs/v21.1/cockroach-start.html#storage
+		// Uses --store flag
+		store: {
+			enabled: false
+			// Should be empty or 'mem'
+			type: null
+			// Required for type=mem. If type and size is empty - storage.persistentVolume.size is used
+			size: null
+			// Arbitrary strings, separated by colons, specifying disk type or capability
+			attrs: null
+		}
+	}
+
+	statefulset: {
+		replicas: 3
+		updateStrategy: type: "RollingUpdate"
+		podManagementPolicy: "Parallel"
+		budget: maxUnavailable: 1
+
+		// List of additional command-line arguments you want to pass to the
+		// `cockroach start` command.
+		args: []
+		// - --disable-cluster-name-verification
+		// List of extra environment variables to pass into container
+		env: []
+		// - name: COCKROACH_ENGINE_MAX_SYNC_DURATION
+		//   value: "24h"
+		// List of Secrets names in the same Namespace as the CockroachDB cluster,
+		// which shall be mounted into `/etc/cockroach/secrets/` for every cluster
+		// member.
+		secretMounts: []
+
+		// Additional labels to apply to this StatefulSet and all its Pods.
+		labels: {
+			"app.kubernetes.io/component": "cockroachdb"
+		}
+
+		// Additional annotations to apply to the Pods of this StatefulSet.
+		annotations: {}
+
+		// Affinity rules for scheduling Pods of this StatefulSet on Nodes.
+		// https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity
+		nodeAffinity: {}
+		// Inter-Pod Affinity rules for scheduling Pods of this StatefulSet.
+		// https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+		podAffinity: {}
+		// Anti-affinity rules for scheduling Pods of this StatefulSet.
+		// https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+		// You may either toggle options below for default anti-affinity rules,
+		// or specify the whole set of anti-affinity rules instead of them.
+		podAntiAffinity: {
+			// The topologyKey to be used.
+			// Can be used to spread across different nodes, AZs, regions etc.
+			topologyKey: "kubernetes.io/hostname"
+			// Type of anti-affinity rules: either `soft`, `hard` or empty value (which
+			// disables anti-affinity rules).
+			type: "soft"
+			// Weight for `soft` anti-affinity rules.
+			// Does not apply for other anti-affinity types.
+			weight: 100
+		}
+
+		// Node selection constraints for scheduling Pods of this StatefulSet.
+		// https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+		nodeSelector: {}
+
+		// PriorityClassName given to Pods of this StatefulSet
+		// https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+		priorityClassName: ""
+
+		// Taints to be tolerated by Pods of this StatefulSet.
+		// https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+		tolerations: []
+
+		// https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
+		topologySpreadConstraints: {
+			maxSkew:           1
+			topologyKey:       "topology.kubernetes.io/zone"
+			whenUnsatisfiable: "ScheduleAnyway"
+		}
+
+		// Uncomment the following resources definitions or pass them from
+		// command line to control the CPU and memory resources allocated
+		// by Pods of this StatefulSet.
+		resources: {}
+		// limits:
+		//   cpu: 100m
+		//   memory: 512Mi
+		// requests:
+		//   cpu: 100m
+		//   memory: 512Mi
+		// Custom Liveness probe
+		// https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-a-liveness-http-request
+		customLivenessProbe: {}
+		// httpGet:
+		//   path: /health
+		//   port: http
+		//   scheme: HTTPS
+		// initialDelaySeconds: 30
+		// periodSeconds: 5
+		// Custom Rediness probe
+		// https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-readiness-probes
+		customReadinessProbe: {}
+		// httpGet:
+		//   path: /health
+		//   port: http
+		//   scheme: HTTPS
+		// initialDelaySeconds: 30
+		// periodSeconds: 5
+
+		securityContext: {
+			enabled: true
+		}
+
+		serviceAccount: {
+			// Specifies whether this ServiceAccount should be created.
+			create: true
+			// The name of this ServiceAccount to use.
+			// If not set and `create` is `true`, then service account is auto-generated.
+			// If not set and `create` is `false`, then it uses default service account.
+			name: ""
+			// Additional serviceAccount annotations (e.g. for attaching AWS IAM roles to pods)
+			annotations: {}
+		}
+	}
+
+	service: {
+		ports: {
+			// You can set a different external and internal gRPC ports and their name.
+			grpc: {
+				external: {
+					port: 26257
+					name: "grpc"
+				}
+				// If the port number is different than `external.port`, then it will be
+				// named as `internal.name` in Service.
+				internal: {
+					port: 26257
+					// If using Istio set it to `cockroach`.
+					name: "grpc-internal"
+				}
+			}
+			http: {
+				port: 8080
+				name: "http"
+			}
+		}
+
+		// This Service is meant to be used by clients of the database.
+		// It exposes a ClusterIP that will automatically load balance connections
+		// to the different database Pods.
+		public: {
+			type: "ClusterIP"
+			// Additional labels to apply to this Service.
+			labels: {
+				"app.kubernetes.io/component": "cockroachdb"
+			}
+			// Additional annotations to apply to this Service.
+			annotations: {}
+		}
+
+		// This service only exists to create DNS entries for each pod in
+		// the StatefulSet such that they can resolve each other's IP addresses.
+		// It does not create a load-balanced ClusterIP and should not be used directly
+		// by clients in most circumstances.
+		discovery: {
+			// Additional labels to apply to this Service.
+			labels: {
+				"app.kubernetes.io/component": "cockroachdb"
+			}
+			// Additional annotations to apply to this Service.
+			annotations: {}
+		}
+	}
+
+	// CockroachDB's ingress for web ui.
+	ingress: {
+		enabled: false
+		labels: {}
+		annotations: {}
+		//   kubernetes.io/ingress.class: nginx
+		//   cert-manager.io/cluster-issuer: letsencrypt
+		paths: ["/"]
+		hosts: []
+		// - cockroachlabs.com
+		tls: []
+	}
+	// - hosts: [cockroachlabs.com]
+	//   secretName: cockroachlabs-tls
+
+	prometheus: {
+		enabled: true
+	}
+
+	securityContext: enabled: true
+
+	// CockroachDB's Prometheus operator ServiceMonitor support
+	serviceMonitor: {
+		enabled: false
+		labels: {}
+		annotations: {}
+		interval: "10s"
+		// scrapeTimeout: 10s
+		// Limits the ServiceMonitor to the current namespace if set to `true`.
+		namespaced: false
+
+		// tlsConfig: TLS configuration to use when scraping the endpoint.
+		// Of type: https://github.com/coreos/prometheus-operator/blob/main/Documentation/api.md#tlsconfig
+		tlsConfig: {}
+	}
+
+	// CockroachDB's data persistence.
+	// If neither `persistentVolume` nor `hostPath` is used, then data will be
+	// persisted in ad-hoc `emptyDir`.
+	storage: {
+		// Absolute path on host to store CockroachDB's data.
+		// If not specified, then `emptyDir` will be used instead.
+		// If specified, but `persistentVolume.enabled` is `true`, then has no effect.
+		hostPath: ""
+
+		// If `enabled` is `true` then a PersistentVolumeClaim will be created and
+		// used to store CockroachDB's data, otherwise `hostPath` is used.
+		persistentVolume: {
+			enabled: true
+
+			size: string | *"100Gi"
+
+			// If defined, then `storageClassName: <storageClass>`.
+			// If set to "-", then `storageClassName: ""`, which disables dynamic
+			// provisioning.
+			// If undefined or empty (default), then no `storageClassName` spec is set,
+			// so the default provisioner will be chosen (gp2 on AWS, standard on
+			// GKE, AWS & OpenStack).
+			storageClass: ""
+
+			// Additional labels to apply to the created PersistentVolumeClaims.
+			labels: {}
+			// Additional annotations to apply to the created PersistentVolumeClaims.
+			annotations: {}
+		}
+	}
+
+	// Kubernetes Job which initializes multi-node CockroachDB cluster.
+	// It's not created if `statefulset.replicas` is `1`.
+	init: {
+		// Additional labels to apply to this Job and its Pod.
+		labels: {
+			"app.kubernetes.io/component": "init"
+		}
+
+		// Additional annotations to apply to this Job.
+		jobAnnotations: {}
+
+		// Additional annotations to apply to the Pod of this Job.
+		annotations: {}
+
+		// Affinity rules for scheduling the Pod of this Job.
+		// https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity
+		affinity: {}
+
+		// Node selection constraints for scheduling the Pod of this Job.
+		// https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+		nodeSelector: {}
+
+		// Taints to be tolerated by the Pod of this Job.
+		// https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+		tolerations: []
+
+		// The init Pod runs at cluster creation to initialize CockroachDB. It finishes
+		// quickly and doesn't continue to consume resources in the Kubernetes
+		// cluster. Normally, you should leave this section commented out, but if your
+		// Kubernetes cluster uses Resource Quotas and requires all pods to specify
+		// resource requests or limits, you can set those here.
+		resources: {}
+		// requests:
+		//   cpu: "10m"
+		//   memory: "128Mi"
+		// limits:
+		//   cpu: "10m"
+		//   memory: "128Mi"
+
+		securityContext: {
+			enabled: true
+		}
+
+		provisioning: {
+			enabled: false
+			// https://www.cockroachlabs.com/docs/stable/cluster-settings.html
+			clusterSettings: null
+			// cluster.organization: "'FooCorp - Local Testing'"
+			// enterprise.license: "'xxxxx'"
+			users: []
+			// - name:
+			//   password:
+			//   # https://www.cockroachlabs.com/docs/stable/create-user.html#parameters
+			//   options: [LOGIN]
+			databases: []
+		}
+	}
+	// - name:
+	//   # https://www.cockroachlabs.com/docs/stable/create-database.html#parameters
+	//   options: [encoding='utf-8']
+	//   owners: []
+	//   # https://www.cockroachlabs.com/docs/stable/grant.html#parameters
+	//   owners_with_grant_option: []
+	//   # Backup schedules are not idemponent for now and will fail on next run
+	//   # https://github.com/cockroachdb/cockroach/issues/57892
+	//   backup:
+	//     into: s3://
+	//     # Enterprise-only option (revision_history)
+	//     # https://www.cockroachlabs.com/docs/stable/create-schedule-for-backup.html#backup-options
+	//     options: [revision_history]
+	//     recurring: '@always'
+	//     # Enterprise-only feature. Remove this value to use `FULL BACKUP ALWAYS`
+	//     fullBackup: '@daily'
+	//     schedule:
+	//       # https://www.cockroachlabs.com/docs/stable/create-schedule-for-backup.html#schedule-options
+	//       options: [first_run = 'now']
+	// Whether to run securely using TLS certificates.
+	tls: {
+		enabled: true
+		copyCerts: image: "busybox"
+		certs: {
+			// Bring your own certs scenario. If provided, tls.init section will be ignored.
+			provided: true | *false
+			// Secret name for the client root cert.
+			clientRootSecret: "cockroachdb-root"
+			// Secret name for node cert.
+			nodeSecret: "cockroachdb-node"
+			// Secret name for CA cert
+			caSecret: "cockroach-ca"
+			// Enable if the secret is a dedicated TLS.
+			// TLS secrets are created by cert-mananger, for example.
+			tlsSecret: true | *false
+			// Enable if the you want cockroach db to create its own certificates
+			selfSigner: {
+				// If set, the cockroach db will generate its own certificates
+				enabled: false | *true
+				// Run selfSigner as non-root
+				securityContext: {
+					enabled: true
+				}
+				// If set, the user should provide the CA certificate to sign other certificates.
+				caProvided: false
+				// It holds the name of the secret with caCerts. If caProvided is set, this can not be empty.
+				caSecret: ""
+				// Minimum Certificate duration for all the certificates, all certs duration will be validated against this.
+				minimumCertDuration: "624h"
+				// Duration of CA certificates in hour
+				caCertDuration: "43800h"
+				// Expiry window of CA certificates means a window before actual expiry in which CA certs should be rotated.
+				caCertExpiryWindow: "648h"
+				// Duration of Client certificates in hour
+				clientCertDuration: "672h"
+				// Expiry window of client certificates means a window before actual expiry in which client certs should be rotated.
+				clientCertExpiryWindow: "48h"
+				// Duration of node certificates in hour
+				nodeCertDuration: "8760h"
+				// Expiry window of node certificates means a window before actual expiry in which node certs should be rotated.
+				nodeCertExpiryWindow: "168h"
+				// If set, the cockroachdb cert selfSigner will rotate the certificates before expiry.
+				rotateCerts: true
+				// Wait time for each cockroachdb replica to become ready once it comes in running state. Only considered when rotateCerts is set to true
+				readinessWait: "30s"
+				// Wait time for each cockroachdb replica to get to running state. Only considered when rotateCerts is set to true
+				podUpdateTimeout: "2m"
+				// ServiceAccount annotations for selfSigner jobs (e.g. for attaching AWS IAM roles to pods)
+				svcAccountAnnotations: {}
+			}
+
+			// Use cert-manager to issue certificates for mTLS.
+			certManager: true | *false
+			// Specify an Issuer or a ClusterIssuer to use, when issuing
+			// node and client certificates. The values correspond to the
+			// issuerRef specified in the certificate.
+			certManagerIssuer: {
+				group: "cert-manager.io"
+				kind:  "Issuer"
+				name:  string | *"cockroachdb"
+				// Make it false when you are providing your own CA issuer
+				isSelfSignedIssuer: true
+				// Duration of Client certificates in hours
+				clientCertDuration: "672h"
+				// Expiry window of client certificates means a window before actual expiry in which client certs should be rotated.
+				clientCertExpiryWindow: "48h"
+				// Duration of node certificates in hours
+				nodeCertDuration: "8760h"
+				// Expiry window of node certificates means a window before actual expiry in which node certs should be rotated.
+				nodeCertExpiryWindow: "168h"
+			}
+		}
+
+		selfSigner: {
+			// Additional annotations to apply to the Pod of this Job.
+			annotations: {}
+
+			// Affinity rules for scheduling the Pod of this Job.
+			// https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity
+			affinity: {}
+
+			// Node selection constraints for scheduling the Pod of this Job.
+			// https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+			nodeSelector: {}
+
+			// Taints to be tolerated by the Pod of this Job.
+			// https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+			tolerations: []
+
+			// Image Placeholder for the selfSigner utility. This will be changed once the CI workflows for the image is in place.
+			image: {
+				repository: "cockroachlabs-helm-charts/cockroach-self-signer-cert"
+				tag:        "1.5"
+				pullPolicy: "IfNotPresent"
+				credentials: {}
+				registry: "gcr.io"
+			}
+		}
+	}
+	// username: john_doe
+	// password: changeme
+
+	networkPolicy: {
+		enabled: false
+
+		ingress: {
+			// List of sources which should be able to access the CockroachDB Pods via
+			// gRPC port. Items in this list are combined using a logical OR operation.
+			// Rules for allowing inter-communication are applied automatically.
+			// If empty, then connections from any Pod is allowed.
+			grpc: []
+			// - podSelector:
+			//     matchLabels:
+			//       app.kubernetes.io/name: my-app-django
+			//       app.kubernetes.io/instance: my-app
+			// List of sources which should be able to access the CockroachDB Pods via
+			// HTTP port. Items in this list are combined using a logical OR operation.
+			// If empty, then connections from any Pod is allowed.
+			http: []
+		}
+	}
+	// - namespaceSelector:
+	//     matchLabels:
+	//       project: my-project
+	// To put the admin interface behind Identity Aware Proxy (IAP) on Google Cloud Platform
+	// make sure to set ingress.paths: ['/*']
+	iap: {
+		enabled: false
+	}
+
+}

docs/examples/platforms/reference/clusters/disabled/iam/zitadel/crdb/values.holos.cue

@@ -0,0 +1,23 @@
+package holos
+
+#Values: {
+	image: repository: "quay.io/holos/cockroachdb/cockroach"
+
+	fullnameOverride: #ComponentName
+
+	tls: {
+		enabled: true
+		certs: {
+			// https://github.com/cockroachdb/helm-charts/blob/3dcf96726ebcfe3784afb526ddcf4095a1684aea/README.md?plain=1#L204-L215
+			selfSigner: enabled: false
+			certManager: false
+			provided:    true
+			tlsSecret:   true
+		}
+	}
+
+	storage: persistentVolume: {
+		enabled: true
+		size:    "1Gi"
+	}
+}

docs/examples/platforms/reference/clusters/foundation/cloud/github/arc/arc.cue

@@ -0,0 +1,9 @@
+package holos
+
+// GitHub Actions Runner Controller
+#InputKeys: project: "github"
+#DependsOn: Namespaces: name: "prod-secrets-namespaces"
+
+#ARCSystemNamespace: "arc-system"
+#HelmChart: namespace: #TargetNamespace
+#HelmChart: chart: version: "0.8.3"

docs/examples/platforms/reference/clusters/foundation/cloud/github/arc/runner/arc-runner.cue

@@ -0,0 +1,51 @@
+package holos
+
+#TargetNamespace: "arc-runner"
+#InputKeys: component: "arc-runner"
+#Kustomization: spec: targetNamespace: #TargetNamespace
+
+let GitHubConfigSecret = "controller-manager"
+
+// Just sync the external secret, don't configure the scale set
+// Work around https://github.com/actions/actions-runner-controller/issues/3351
+if #IsPrimaryCluster == false {
+	spec: components: KubernetesObjectsList: [
+		#KubernetesObjects & {
+			metadata: name:                        "prod-github-arc-runner"
+			_dependsOn: "prod-secrets-namespaces": _
+
+			apiObjectMap: (#APIObjects & {
+				apiObjects: ExternalSecret: "\(GitHubConfigSecret)": _
+			}).apiObjectMap
+		},
+	]
+}
+
+// Put the scale set on the primary cluster.
+if #IsPrimaryCluster == true {
+	spec: components: HelmChartList: [
+		#HelmChart & {
+			_dependsOn: "prod-secrets-namespaces": _
+			metadata: name:                        "prod-github-arc-runner"
+			_values: {
+				#Values
+				controllerServiceAccount: name:      "gha-rs-controller"
+				controllerServiceAccount: namespace: "arc-system"
+				githubConfigSecret: GitHubConfigSecret
+				githubConfigUrl:    "https://github.com/" + #Platform.org.github.orgs.primary.name
+			}
+			apiObjectMap: (#APIObjects & {apiObjects: ExternalSecret: "\(_values.githubConfigSecret)": _}).apiObjectMap
+			chart: {
+				// Match the gha-base-name in the chart _helpers.tpl to avoid long full names.
+				// NOTE: Unfortunately the INSTALLATION_NAME is used as the helm release
+				// name and GitHub removed support for runner labels, so the only way to
+				// specify which runner a workflow runs on is using this helm release name.
+				// The quote is "Update the INSTALLATION_NAME value carefully. You will use
+				// the installation name as the value of runs-on in your workflows."  Refer to
+				// https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/quickstart-for-actions-runner-controller
+				release: "gha-rs"
+				name:    "oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set"
+			}
+		},
+	]
+}