(#42) Fix incorrect ceph pool for core2 cluster

The core2 cluster cannot provision pvcs because it's using the k8s-dev
pool when it has credentials valid only for the k8s-prod pool.

This patch adds an entry to the platform cluster map to configure the
pool for each cluster, with a default of k8s-dev.

.github/workflows/lint.yaml

@@ -1,6 +1,7 @@
+---
 # https://github.com/golangci/golangci-lint-action?tab=readme-ov-file#how-to-use
 name: Lint
-on:
+"on":
   push:
     branches:
       - main
@@ -14,7 +15,7 @@ permissions:
 jobs:
   golangci:
     name: lint
-    runs-on: [self-hosted, k8s]
+    runs-on: gha-rs
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v5
@@ -22,6 +23,6 @@ jobs:
           go-version: stable
           cache: false
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v3
+        uses: golangci/golangci-lint-action@v4
         with:
           version: latest

.github/workflows/release.yaml

@@ -2,17 +2,20 @@ name: Release
 
 on:
   push:
-    # Run only against tags
     tags:
       - '*'
+    branches:
+      - release
 
 permissions:
   contents: write
 
 jobs:
   goreleaser:
-    runs-on: [self-hosted, k8s]
+    runs-on: gha-rs
     steps:
+      - name: Provide GPG and Git
+        run: sudo apt update && sudo apt -qq -y install gnupg git
       - name: Checkout
         uses: actions/checkout@v4
         with:

.github/workflows/test.yaml

@@ -13,7 +13,7 @@ permissions:
 
 jobs:
   test:
-    runs-on: [self-hosted, k8s]
+    runs-on: gha-rs
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
@@ -23,10 +23,14 @@ jobs:
         with:
           go-version: stable
 
+      - name: Provide unzip for Helm
+        run: sudo apt update && sudo apt -qq -y install curl zip unzip tar bzip2
+
       - name: Set up Helm
-        uses: azure/setup-helm@v4.1.0
-        with:
-          version: 'latest'
+        uses: azure/setup-helm@v4
+
+      - name: Set up Kubectl
+        uses: azure/setup-kubectl@v3
 
       - name: Test
         run: ./scripts/test

cmd/holos/testdata/issue33_helm_stderr.txt

@@ -16,6 +16,7 @@ namespace: "zitadel"
 chart: {
 	name:    "zitadel"
 	version: "7.9.0"
+	release: name
 	repository: {
 		name: "zitadel"
 		url:  "https://charts.zitadel.com"

cmd/holos/testdata/issue42_kustomize_build_kind.txt

@@ -0,0 +1,33 @@
+# Kustomize is a supported holos component kind
+exec holos render --cluster-name=mycluster . --log-level=debug
+
+# Want generated output
+cmp want.yaml deploy/clusters/mycluster/components/kstest/kstest.gen.yaml
+
+-- cue.mod --
+package holos
+-- component.cue --
+package holos
+
+cluster: string @tag(cluster, string)
+
+apiVersion: "holos.run/v1alpha1"
+kind: "KustomizeBuild"
+metadata: name: "kstest"
+-- kustomization.yaml --
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: mynamespace
+resources:
+- serviceaccount.yaml
+-- serviceaccount.yaml --
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: test
+-- want.yaml --
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: test
+  namespace: mynamespace

docs/examples/platforms/reference/certificates.cue

@@ -0,0 +1,61 @@
+package holos
+
+#PlatformCerts: {
+	// Globally scoped platform services are defined here.
+	login: #PlatformCert & {
+		_name:        "login"
+		_wildcard:    true
+		_description: "Cert for Zitadel oidc identity provider for iam services"
+	}
+
+	// Cluster scoped services are defined here.
+	for cluster in #Platform.clusters {
+		"\(cluster.name)-httpbin": #ClusterCert & {
+			_name:        "httpbin"
+			_cluster:     cluster.name
+			_description: "Test endpoint to verify the service mesh ingress gateway"
+		}
+	}
+}
+
+// #PlatformCert provisions a cert in the provisioner cluster.
+// Workload clusters use ExternalSecret resources to fetch the Secret tls key and cert from the provisioner cluster.
+#PlatformCert: #Certificate & {
+	_name:     string
+	_wildcard: true | *false
+	metadata: name:      string | *_name
+	metadata: namespace: string | *"istio-ingress"
+	spec: {
+		commonName: string | *"\(_name).\(#Platform.org.domain)"
+		if _wildcard {
+			dnsNames: [commonName, "*.\(commonName)"]
+		}
+		if !_wildcard {
+			dnsNames: [commonName]
+		}
+		secretName: metadata.name
+		issuerRef: kind: "ClusterIssuer"
+		issuerRef: name: string | *"letsencrypt"
+	}
+}
+
+// #ClusterCert provisions a cluster specific certificate.
+#ClusterCert: #Certificate & {
+	_name:     string
+	_cluster:  string
+	_wildcard: true | *false
+	metadata: name:      string | *"\(_cluster)-\(_name)"
+	metadata: namespace: string | *"istio-ingress"
+	spec: {
+		commonName: string | *"\(_name).\(_cluster).\(#Platform.org.domain)"
+		if _wildcard {
+			dnsNames: [commonName, "*.\(commonName)"]
+		}
+		if !_wildcard {
+			dnsNames: [commonName]
+		}
+		secretName: metadata.name
+		issuerRef: kind: "ClusterIssuer"
+		issuerRef: name: string | *"letsencrypt"
+	}
+}

docs/examples/platforms/reference/clusters/disabled/iam/zitadel/crdb/cockroachdb.cue

@@ -0,0 +1,20 @@
+package holos
+
+#InputKeys: component: "crdb"
+
+#HelmChart & {
+	namespace: #TargetNamespace
+	chart: {
+		name:    "cockroachdb"
+		version: "11.2.3"
+		repository: {
+			name: "cockroachdb"
+			url:  "https://charts.cockroachdb.com/"
+		}
+	}
+	values: #Values
+	apiObjects: {
+		ExternalSecret: node: #ExternalSecret & {_name: "cockroachdb-node"}
+		ExternalSecret: root: #ExternalSecret & {_name: "cockroachdb-root"}
+	}
+}

docs/examples/platforms/reference/clusters/disabled/iam/zitadel/crdb/values.cue

@@ -478,7 +478,7 @@ package holos
 		copyCerts: image: "busybox"
 		certs: {
 			// Bring your own certs scenario. If provided, tls.init section will be ignored.
-			provided: false
+			provided: true | *false
 			// Secret name for the client root cert.
 			clientRootSecret: "cockroachdb-root"
 			// Secret name for node cert.
@@ -487,7 +487,7 @@ package holos
 			caSecret: "cockroach-ca"
 			// Enable if the secret is a dedicated TLS.
 			// TLS secrets are created by cert-mananger, for example.
-			tlsSecret: false
+			tlsSecret: true | *false
 			// Enable if the you want cockroach db to create its own certificates
 			selfSigner: {
 				// If set, the cockroach db will generate its own certificates

docs/examples/platforms/reference/clusters/disabled/iam/zitadel/crdb/values.holos.cue

@@ -10,11 +10,9 @@ package holos
 		certs: {
 			// https://github.com/cockroachdb/helm-charts/blob/3dcf96726ebcfe3784afb526ddcf4095a1684aea/README.md?plain=1#L204-L215
 			selfSigner: enabled: false
-			certManager: true
-			certManagerIssuer: {
-				kind: "Issuer"
-				name: #ComponentName
-			}
+			certManager: false
+			provided:    true
+			tlsSecret:   true
 		}
 	}
 

docs/examples/platforms/reference/clusters/disabled/iam/zitadel/zitadel/zitadel.cue

@@ -24,23 +24,8 @@ let Name = "zitadel"
 		ExternalSecret: masterkey: #ExternalSecret & {
 			_name: "zitadel-masterkey"
 		}
-		Certificate: zitadel: #Certificate & {
-			metadata: name:      "crdb-zitadel-client"
-			metadata: namespace: #TargetNamespace
-			spec: {
-				commonName: "zitadel"
-				issuerRef: {
-					group: "cert-manager.io"
-					kind:  "Issuer"
-					name:  "crdb-ca-issuer"
-				}
-				privateKey: algorithm: "RSA"
-				privateKey: size:      2048
-				renewBefore: "48h0m0s"
-				secretName:  "cockroachdb-zitadel"
-				subject: organizations: ["Cockroach"]
-				usages: ["digital signature", "key encipherment", "client auth"]
-			}
+		ExternalSecret: zitadel: #ExternalSecret & {
+			_name: "cockroachdb-zitadel"
 		}
 		VirtualService: zitadel: #VirtualService & {
 			metadata: name:      Name

docs/examples/platforms/reference/clusters/provisioner/iam/iam.cue

@@ -0,0 +1,10 @@
+package holos
+
+// Components under this directory are part of this collection
+#InputKeys: project: "iam"
+
+// Shared dependencies for all components in this collection.
+#DependsOn: _Namespaces
+
+// Common Dependencies
+_Namespaces: Namespaces: name: "\(#StageName)-secrets-namespaces"

docs/examples/platforms/reference/clusters/provisioner/iam/zitadel/crdb/crdbissuer.cue

@@ -0,0 +1,108 @@
+package holos
+
+// Manage an Issuer for cockroachdb for zitadel.
+// For the iam login service, zitadel connects to cockroach db using tls certs for authz.
+// Upstream: "The recommended approach is to use cert-manager for certificate management. For details, refer to Deploy cert-manager for mTLS."
+// Refer to https://www.cockroachlabs.com/docs/stable/secure-cockroachdb-kubernetes#deploy-cert-manager-for-mtls
+
+#InputKeys: component: "crdb"
+
+#KubernetesObjects & {
+	apiObjects: {
+		Issuer: {
+			// https://github.com/cockroachdb/helm-charts/blob/3dcf96726ebcfe3784afb526ddcf4095a1684aea/README.md?plain=1#L196-L201
+			crdb: #Issuer & {
+				_description: "Issues the self signed root ca cert for cockroach db"
+				metadata: name:      #ComponentName
+				metadata: namespace: #TargetNamespace
+				spec: selfSigned: {}
+			}
+			"crdb-ca-issuer": #Issuer & {
+				_description: "Issues mtls certs for cockroach db"
+				metadata: name:      "crdb-ca-issuer"
+				metadata: namespace: #TargetNamespace
+				spec: ca: secretName: "cockroach-ca"
+			}
+		}
+		Certificate: {
+			"crdb-ca-cert": #Certificate & {
+				_description: "Root CA cert for cockroach db"
+				metadata: name:      "crdb-ca-cert"
+				metadata: namespace: #TargetNamespace
+				spec: {
+					commonName: "root"
+					isCA:       true
+					issuerRef: group:      "cert-manager.io"
+					issuerRef: kind:       "Issuer"
+					issuerRef: name:       "crdb"
+					privateKey: algorithm: "ECDSA"
+					privateKey: size:      256
+					secretName: "cockroach-ca"
+					subject: organizations: ["Cockroach"]
+				}
+			}
+			"crdb-node": #Certificate & {
+				metadata: name:      "crdb-node"
+				metadata: namespace: #TargetNamespace
+				spec: {
+					commonName: "node"
+					dnsNames: [
+						"localhost",
+						"127.0.0.1",
+						"crdb-public",
+						"crdb-public.\(#TargetNamespace)",
+						"crdb-public.\(#TargetNamespace).svc.cluster.local",
+						"*.crdb",
+						"*.crdb.\(#TargetNamespace)",
+						"*.crdb.\(#TargetNamespace).svc.cluster.local",
+					]
+					duration: "876h"
+					issuerRef: group:      "cert-manager.io"
+					issuerRef: kind:       "Issuer"
+					issuerRef: name:       "crdb-ca-issuer"
+					privateKey: algorithm: "RSA"
+					privateKey: size:      2048
+					renewBefore: "168h"
+					secretName:  "cockroachdb-node"
+					subject: organizations: ["Cockroach"]
+					usages: ["digital signature", "key encipherment", "server auth", "client auth"]
+				}
+			}
+			"crdb-root-client": #Certificate & {
+				metadata: name:      "crdb-root-client"
+				metadata: namespace: #TargetNamespace
+				spec: {
+					commonName: "root"
+					duration:   "672h"
+					issuerRef: group:      "cert-manager.io"
+					issuerRef: kind:       "Issuer"
+					issuerRef: name:       "crdb-ca-issuer"
+					privateKey: algorithm: "RSA"
+					privateKey: size:      2048
+					renewBefore: "48h"
+					secretName:  "cockroachdb-root"
+					subject: organizations: ["Cockroach"]
+					usages: ["digital signature", "key encipherment", "client auth"]
+				}
+			}
+		}
+		Certificate: zitadel: #Certificate & {
+			metadata: name:      "crdb-zitadel-client"
+			metadata: namespace: #TargetNamespace
+			spec: {
+				commonName: "zitadel"
+				issuerRef: {
+					group: "cert-manager.io"
+					kind:  "Issuer"
+					name:  "crdb-ca-issuer"
+				}
+				privateKey: algorithm: "RSA"
+				privateKey: size:      2048
+				renewBefore: "48h0m0s"
+				secretName:  "cockroachdb-zitadel"
+				subject: organizations: ["Cockroach"]
+				usages: ["digital signature", "key encipherment", "client auth"]
+			}
+		}
+	}
+}

docs/examples/platforms/reference/clusters/provisioner/iam/zitadel/zitadel.cue

@@ -0,0 +1,7 @@
+package holos
+
+#TargetNamespace: #InstancePrefix + "-zitadel"
+
+#DB: {
+	Host: "crdb-public"
+}

docs/examples/platforms/reference/clusters/provisioner/mesh/certificates/certs.cue

@@ -0,0 +1,20 @@
+package holos
+
+// Provision all platform certificates.
+#InputKeys: component: "certificates"
+
+// Certificates usually go into the istio-system namespace, but they may go anywhere.
+#TargetNamespace: "default"
+
+// Depends on issuers
+#DependsOn: _LetsEncrypt
+
+#KubernetesObjects & {
+	apiObjects: {
+		for k, obj in #PlatformCerts {
+			"\(obj.kind)": {
+				"\(obj.metadata.namespace)/\(obj.metadata.name)": obj
+			}
+		}
+	}
+}

docs/examples/platforms/reference/clusters/provisioner/mesh/certmanager/certmanager.cue

@@ -0,0 +1,43 @@
+package holos
+
+// https://cert-manager.io/docs/
+
+#TargetNamespace: "cert-manager"
+
+#InputKeys: {
+	component: "certmanager"
+	service:   "cert-manager"
+}
+
+#HelmChart & {
+	values: #Values & {
+		installCRDs: true
+		startupapicheck: enabled: false
+		// Must not use kube-system on gke autopilot.  GKE Warden authz blocks access.
+		global: leaderElection: namespace: #TargetNamespace
+	}
+	namespace: #TargetNamespace
+	chart: {
+		name:    "cert-manager"
+		version: "1.14.3"
+		repository: {
+			name: "jetstack"
+			url:  "https://charts.jetstack.io"
+		}
+	}
+}
+
+// https://cloud.google.com/kubernetes-engine/docs/concepts/autopilot-resource-requests#min-max-requests
+#PodResources: {
+	requests: {
+		cpu:                 string | *"250m"
+		memory:              string | *"512Mi"
+		"ephemeral-storage": string | *"100Mi"
+	}
+}
+
+// https://cloud.google.com/kubernetes-engine/docs/how-to/autopilot-spot-pods
+#NodeSelector: {
+	"kubernetes.io/os":          "linux"
+	"cloud.google.com/gke-spot": "true"
+}

docs/examples/platforms/reference/clusters/provisioner/mesh/certmanager/values.cue

@@ -1,6 +1,6 @@
 package holos
 
-#UpstreamValues: {
+#Values: {
 
 	// +docs:section=Global
 	// Default values for cert-manager.
@@ -51,7 +51,7 @@ package holos
 
 		leaderElection: {
 			// Override the namespace used for the leader election lease
-			namespace: "kube-system"
+			namespace: string | *"kube-system"
 		}
 	}
 
@@ -246,7 +246,7 @@ package holos
 	//    memory: 32Mi
 	//
 	// ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
-	resources: {}
+	resources: #PodResources
 
 	// Pod Security Context
 	// ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
@@ -310,9 +310,7 @@ package holos
 	// This default ensures that Pods are only scheduled to Linux nodes.
 	// It prevents Pods being scheduled to Windows nodes in a mixed OS cluster.
 	// +docs:property
-	nodeSelector: {
-		"kubernetes.io/os": "linux"
-	}
+	nodeSelector: #NodeSelector
 
 	// +docs:ignore
 	ingressShim: {}
@@ -408,7 +406,7 @@ package holos
 		enabled: true
 		servicemonitor: {
 			// Create a ServiceMonitor to add cert-manager to Prometheus
-			enabled: false
+			enabled: true | *false
 
 			// Specifies the `prometheus` label on the created ServiceMonitor, this is
 			// used when different Prometheus instances have label selectors matching
@@ -652,7 +650,7 @@ package holos
 		//    memory: 32Mi
 		//
 		// ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
-		resources: {}
+		resources: #PodResources
 
 		// Liveness probe values
 		// ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
@@ -685,9 +683,7 @@ package holos
 		// This default ensures that Pods are only scheduled to Linux nodes.
 		// It prevents Pods being scheduled to Windows nodes in a mixed OS cluster.
 		// +docs:property
-		nodeSelector: {
-			"kubernetes.io/os": "linux"
-		}
+		nodeSelector: #NodeSelector
 
 		// A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core
 		//
@@ -959,7 +955,7 @@ package holos
 		//    memory: 32Mi
 		//
 		// ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
-		resources: {}
+		resources: #PodResources
 
 		// The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with
 		// matching labels.
@@ -968,9 +964,7 @@ package holos
 		// This default ensures that Pods are only scheduled to Linux nodes.
 		// It prevents Pods being scheduled to Windows nodes in a mixed OS cluster.
 		// +docs:property
-		nodeSelector: {
-			"kubernetes.io/os": "linux"
-		}
+		nodeSelector: #NodeSelector
 
 		// A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core
 		//
@@ -1098,7 +1092,7 @@ package holos
 
 	startupapicheck: {
 		// Enables the startup api check
-		enabled: true
+		enabled: *true | false
 
 		// Pod Security Context to be set on the startupapicheck component Pod
 		// ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
@@ -1151,7 +1145,7 @@ package holos
 		//    memory: 32Mi
 		//
 		// ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
-		resources: {}
+		resources: #PodResources
 
 		// The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with
 		// matching labels.
@@ -1160,9 +1154,7 @@ package holos
 		// This default ensures that Pods are only scheduled to Linux nodes.
 		// It prevents Pods being scheduled to Windows nodes in a mixed OS cluster.
 		// +docs:property
-		nodeSelector: {
-			"kubernetes.io/os": "linux"
-		}
+		nodeSelector: #NodeSelector
 
 		// A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core
 		//

docs/examples/platforms/reference/clusters/provisioner/mesh/letsencrypt/issuers.cue

@@ -0,0 +1,78 @@
+package holos
+
+// Lets Encrypt certificate issuers for public tls certs
+#InputKeys: component: "letsencrypt"
+#TargetNamespace: "cert-manager"
+
+let Name = "letsencrypt"
+
+// The cloudflare api token is platform scoped, not cluster scoped.
+#SecretName: "cloudflare-api-token-secret"
+
+// Depends on cert manager
+#DependsOn: _CertManager
+
+#KubernetesObjects & {
+	apiObjects: {
+		ClusterIssuer: {
+			letsencrypt: #ClusterIssuer & {
+				metadata: name: Name
+				spec: {
+					acme: {
+						email:  #Platform.org.contact.email
+						server: "https://acme-v02.api.letsencrypt.org/directory"
+						privateKeySecretRef: name: Name
+						solvers: [{
+							dns01: cloudflare: {
+								email: #Platform.org.cloudflare.email
+								apiTokenSecretRef: name: #SecretName
+								apiTokenSecretRef: key:  "api_token"
+							}}]
+					}
+				}
+			}
+			letsencryptStaging: #ClusterIssuer & {
+				metadata: name: Name + "-staging"
+				spec: {
+					acme: {
+						email:  #Platform.org.contact.email
+						server: "https://acme-staging-v02.api.letsencrypt.org/directory"
+						privateKeySecretRef: name: Name + "-staging"
+						solvers: [{
+							dns01: cloudflare: {
+								email: #Platform.org.cloudflare.email
+								apiTokenSecretRef: name: #SecretName
+								apiTokenSecretRef: key:  "api_token"
+							}}]
+					}
+				}
+			}
+		}
+	}
+}
+
+// _HTTPSolvers are disabled in the provisioner cluster, dns is the method supported by holos.
+_HTTPSolvers: {
+	letsencryptHTTP: #ClusterIssuer & {
+		metadata: name: Name + "-http"
+		spec: {
+			acme: {
+				email:  #Platform.org.contact.email
+				server: "https://acme-v02.api.letsencrypt.org/directory"
+				privateKeySecretRef: name: Name
+				solvers: [{http01: ingress: class: "istio"}]
+			}
+		}
+	}
+	letsencryptHTTPStaging: #ClusterIssuer & {
+		metadata: name: Name + "-http-staging"
+		spec: {
+			acme: {
+				email:  #Platform.org.contact.email
+				server: "https://acme-staging-v02.api.letsencrypt.org/directory"
+				privateKeySecretRef: name: Name + "-staging"
+				solvers: [{http01: ingress: class: "istio"}]
+			}
+		}
+	}
+}

docs/examples/platforms/reference/clusters/provisioner/mesh/mesh.cue

@@ -0,0 +1,13 @@
+package holos
+
+// Components under this directory are part of this collection
+#InputKeys: project: "mesh"
+
+// Shared dependencies for all components in this collection.
+#DependsOn: _Namespaces
+
+// Common Dependencies
+_Namespaces: Namespaces: name:     "\(#StageName)-secrets-namespaces"
+_CertManager: CertManager: name:   "\(#InstancePrefix)-certmanager"
+_LetsEncrypt: LetsEncrypt: name:   "\(#InstancePrefix)-letsencrypt"
+_Certificates: Certificates: name: "\(#InstancePrefix)-certificates"

docs/examples/platforms/reference/clusters/workload/cloud/github/arc/arc.cue

@@ -0,0 +1,9 @@
+package holos
+
+// GitHub Actions Runner Controller
+#InputKeys: project: "github"
+#DependsOn: Namespaces: name: "prod-secrets-namespaces"
+
+#TargetNamespace: #InputKeys.component
+#HelmChart: namespace: #TargetNamespace
+#HelmChart: chart: version: "0.8.3"

docs/examples/platforms/reference/clusters/workload/cloud/github/arc/runner/arc-runner.cue

@@ -0,0 +1,30 @@
+package holos
+
+#InputKeys: component: "arc-runner"
+#Kustomization: spec: targetNamespace: #TargetNamespace
+
+#HelmChart & {
+	values: {
+		#Values
+		controllerServiceAccount: name:      "gha-rs-controller"
+		controllerServiceAccount: namespace: "arc-system"
+		githubConfigSecret: "controller-manager"
+		githubConfigUrl:    "https://github.com/" + #Platform.org.github.orgs.primary.name
+	}
+	apiObjects: {
+		ExternalSecret: controller: #ExternalSecret & {
+			_name: values.githubConfigSecret
+		}
+	}
+	chart: {
+		// Match the gha-base-name in the chart _helpers.tpl to avoid long full names.
+		// NOTE: Unfortunately the INSTALLATION_NAME is used as the helm release
+		// name and GitHub removed support for runner labels, so the only way to
+		// specify which runner a workflow runs on is using this helm release name.
+		// The quote is "Update the INSTALLATION_NAME value carefully. You will use
+		// the installation name as the value of runs-on in your workflows."  Refer to
+		// https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/quickstart-for-actions-runner-controller
+		release: "gha-rs"
+		name:    "oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set"
+	}
+}

docs/examples/platforms/reference/clusters/workload/cloud/github/arc/runner/values.cue

@@ -0,0 +1,192 @@
+package holos
+
+#Values: {
+	//# githubConfigUrl is the GitHub url for where you want to configure runners
+	//# ex: https://github.com/myorg/myrepo or https://github.com/myorg
+	githubConfigUrl: string | *""
+
+	//# githubConfigSecret is the k8s secrets to use when auth with GitHub API.
+	//# You can choose to use GitHub App or a PAT token
+	githubConfigSecret: string | {
+		//## GitHub Apps Configuration
+		//# NOTE: IDs MUST be strings, use quotes
+		//github_app_id: ""
+		//github_app_installation_id: ""
+		//github_app_private_key: |
+		//## GitHub PAT Configuration
+		github_token: ""
+	}
+	//# If you have a pre-define Kubernetes secret in the same namespace the gha-runner-scale-set is going to deploy,
+	//# you can also reference it via `githubConfigSecret: pre-defined-secret`.
+	//# You need to make sure your predefined secret has all the required secret data set properly.
+	//#   For a pre-defined secret using GitHub PAT, the secret needs to be created like this:
+	//#   > kubectl create secret generic pre-defined-secret --namespace=my_namespace --from-literal=github_token='ghp_your_pat'
+	//#   For a pre-defined secret using GitHub App, the secret needs to be created like this:
+	//#   > kubectl create secret generic pre-defined-secret --namespace=my_namespace --from-literal=github_app_id=123456 --from-literal=github_app_installation_id=654321 --from-literal=github_app_private_key='-----BEGIN CERTIFICATE-----*******'
+	// githubConfigSecret: pre-defined-secret
+	//# proxy can be used to define proxy settings that will be used by the
+	//# controller, the listener and the runner of this scale set.
+	//
+	// proxy:
+	//   http:
+	//     url: http://proxy.com:1234
+	//     credentialSecretRef: proxy-auth # a secret with `username` and `password` keys
+	//   https:
+	//     url: http://proxy.com:1234
+	//     credentialSecretRef: proxy-auth # a secret with `username` and `password` keys
+	//   noProxy:
+	//     - example.com
+	//     - example.org
+	//# maxRunners is the max number of runners the autoscaling runner set will scale up to.
+	// maxRunners: 5
+	//# minRunners is the min number of idle runners. The target number of runners created will be
+	//# calculated as a sum of minRunners and the number of jobs assigned to the scale set.
+	// minRunners: 0
+	// runnerGroup: "default"
+	//# name of the runner scale set to create.  Defaults to the helm release name
+	// runnerScaleSetName: ""
+	//# A self-signed CA certificate for communication with the GitHub server can be
+	//# provided using a config map key selector. If `runnerMountPath` is set, for
+	//# each runner pod ARC will:
+	//# - create a `github-server-tls-cert` volume containing the certificate
+	//#   specified in `certificateFrom`
+	//# - mount that volume on path `runnerMountPath`/{certificate name}
+	//# - set NODE_EXTRA_CA_CERTS environment variable to that same path
+	//# - set RUNNER_UPDATE_CA_CERTS environment variable to "1" (as of version
+	//#   2.303.0 this will instruct the runner to reload certificates on the host)
+	//#
+	//# If any of the above had already been set by the user in the runner pod
+	//# template, ARC will observe those and not overwrite them.
+	//# Example configuration:
+	//
+	// githubServerTLS:
+	//   certificateFrom:
+	//     configMapKeyRef:
+	//       name: config-map-name
+	//       key: ca.crt
+	//   runnerMountPath: /usr/local/share/ca-certificates/
+	//# Container mode is an object that provides out-of-box configuration
+	//# for dind and kubernetes mode. Template will be modified as documented under the
+	//# template object.
+	//#
+	//# If any customization is required for dind or kubernetes mode, containerMode should remain
+	//# empty, and configuration should be applied to the template.
+	// containerMode:
+	//   type: "dind"  ## type can be set to dind or kubernetes
+	//   ## the following is required when containerMode.type=kubernetes
+	//   kubernetesModeWorkVolumeClaim:
+	//     accessModes: ["ReadWriteOnce"]
+	//     # For local testing, use https://github.com/openebs/dynamic-localpv-provisioner/blob/develop/docs/quickstart.md to provide dynamic provision volume with storageClassName: openebs-hostpath
+	//     storageClassName: "dynamic-blob-storage"
+	//     resources:
+	//       requests:
+	//         storage: 1Gi
+	//   kubernetesModeServiceAccount:
+	//     annotations:
+	//# template is the PodSpec for each listener Pod
+	//# For reference: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#PodSpec
+	// listenerTemplate:
+	//   spec:
+	//     containers:
+	//     # Use this section to append additional configuration to the listener container.
+	//     # If you change the name of the container, the configuration will not be applied to the listener,
+	//     # and it will be treated as a side-car container.
+	//     - name: listener
+	//       securityContext:
+	//         runAsUser: 1000
+	//     # Use this section to add the configuration of a side-car container.
+	//     # Comment it out or remove it if you don't need it.
+	//     # Spec for this container will be applied as is without any modifications.
+	//     - name: side-car
+	//       image: example-sidecar
+	//# template is the PodSpec for each runner Pod
+	//# For reference: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#PodSpec
+	template: {
+		//# template.spec will be modified if you change the container mode
+		//# with containerMode.type=dind, we will populate the template.spec with following pod spec
+		//# template:
+		//#   spec:
+		//#     initContainers:
+		//#     - name: init-dind-externals
+		//#       image: ghcr.io/actions/actions-runner:latest
+		//#       command: ["cp", "-r", "-v", "/home/runner/externals/.", "/home/runner/tmpDir/"]
+		//#       volumeMounts:
+		//#         - name: dind-externals
+		//#           mountPath: /home/runner/tmpDir
+		//#     containers:
+		//#     - name: runner
+		//#       image: ghcr.io/actions/actions-runner:latest
+		//#       command: ["/home/runner/run.sh"]
+		//#       env:
+		//#         - name: DOCKER_HOST
+		//#           value: unix:///run/docker/docker.sock
+		//#       volumeMounts:
+		//#         - name: work
+		//#           mountPath: /home/runner/_work
+		//#         - name: dind-sock
+		//#           mountPath: /run/docker
+		//#           readOnly: true
+		//#     - name: dind
+		//#       image: docker:dind
+		//#       args:
+		//#         - dockerd
+		//#         - --host=unix:///run/docker/docker.sock
+		//#         - --group=$(DOCKER_GROUP_GID)
+		//#       env:
+		//#         - name: DOCKER_GROUP_GID
+		//#           value: "123"
+		//#       securityContext:
+		//#         privileged: true
+		//#       volumeMounts:
+		//#         - name: work
+		//#           mountPath: /home/runner/_work
+		//#         - name: dind-sock
+		//#           mountPath: /run/docker
+		//#         - name: dind-externals
+		//#           mountPath: /home/runner/externals
+		//#     volumes:
+		//#     - name: work
+		//#       emptyDir: {}
+		//#     - name: dind-sock
+		//#       emptyDir: {}
+		//#     - name: dind-externals
+		//#       emptyDir: {}
+		//#####################################################################################################
+		//# with containerMode.type=kubernetes, we will populate the template.spec with following pod spec
+		//# template:
+		//#   spec:
+		//#     containers:
+		//#     - name: runner
+		//#       image: ghcr.io/actions/actions-runner:latest
+		//#       command: ["/home/runner/run.sh"]
+		//#       env:
+		//#         - name: ACTIONS_RUNNER_CONTAINER_HOOKS
+		//#           value: /home/runner/k8s/index.js
+		//#         - name: ACTIONS_RUNNER_POD_NAME
+		//#           valueFrom:
+		//#             fieldRef:
+		//#               fieldPath: metadata.name
+		//#         - name: ACTIONS_RUNNER_REQUIRE_JOB_CONTAINER
+		//#           value: "true"
+		//#       volumeMounts:
+		//#         - name: work
+		//#           mountPath: /home/runner/_work
+		//#     volumes:
+		//#       - name: work
+		//#         ephemeral:
+		//#           volumeClaimTemplate:
+		//#             spec:
+		//#               accessModes: [ "ReadWriteOnce" ]
+		//#               storageClassName: "local-path"
+		//#               resources:
+		//#                 requests:
+		//#                   storage: 1Gi
+		spec: {
+			containers: [{
+				name:  "runner"
+				image: "ghcr.io/actions/actions-runner:latest"
+				command: ["/home/runner/run.sh"]
+			}]
+		}
+	}
+}

docs/examples/platforms/reference/clusters/workload/cloud/github/arc/system/arc-system.cue

@@ -0,0 +1,15 @@
+package holos
+
+#TargetNamespace: "arc-system"
+#InputKeys: component: "arc-system"
+
+#HelmChart & {
+	values:    #Values & #DefaultSecurityContext
+	namespace: #TargetNamespace
+	chart: {
+		// Match the gha-base-name in the chart _helpers.tpl to avoid long full names.
+		release: "gha-rs-controller"
+		name:    "oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set-controller"
+		version: "0.8.3"
+	}
+}

docs/examples/platforms/reference/clusters/workload/cloud/github/arc/system/values.cue

@@ -0,0 +1,127 @@
+package holos
+
+#Values: {
+	// Default values for gha-runner-scale-set-controller.
+	// This is a YAML-formatted file.
+	// Declare variables to be passed into your templates.
+	labels: {}
+
+	// leaderElection will be enabled when replicaCount>1,
+	// So, only one replica will in charge of reconciliation at a given time
+	// leaderElectionId will be set to {{ define gha-runner-scale-set-controller.fullname }}.
+	replicaCount: 1
+
+	image: {
+		repository: "ghcr.io/actions/gha-runner-scale-set-controller"
+		pullPolicy: "IfNotPresent"
+		// Overrides the image tag whose default is the chart appVersion.
+		tag: ""
+	}
+
+	imagePullSecrets: []
+	nameOverride:     ""
+	fullnameOverride: ""
+
+	env: null
+	//# Define environment variables for the controller pod
+	//  - name: "ENV_VAR_NAME_1"
+	//    value: "ENV_VAR_VALUE_1"
+	//  - name: "ENV_VAR_NAME_2"
+	//    valueFrom:
+	//      secretKeyRef:
+	//        key: ENV_VAR_NAME_2
+	//        name: secret-name
+	//        optional: true
+
+	serviceAccount: {
+		// Specifies whether a service account should be created for running the controller pod
+		create: true
+		// Annotations to add to the service account
+		annotations: {}
+		// The name of the service account to use.
+		// If not set and create is true, a name is generated using the fullname template
+		// You can not use the default service account for this.
+		name: ""
+	}
+
+	podAnnotations: {}
+
+	podLabels: {}
+
+	podSecurityContext: {}
+	// fsGroup: 2000
+
+	securityContext: {...}
+	// capabilities:
+	//   drop:
+	//   - ALL
+	// readOnlyRootFilesystem: true
+	// runAsNonRoot: true
+	// runAsUser: 1000
+
+	resources: {}
+	//# We usually recommend not to specify default resources and to leave this as a conscious
+	//# choice for the user. This also increases chances charts run on environments with little
+	//# resources, such as Minikube. If you do want to specify resources, uncomment the following
+	//# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+	// limits:
+	//   cpu: 100m
+	//   memory: 128Mi
+	// requests:
+	//   cpu: 100m
+	//   memory: 128Mi
+
+	nodeSelector: {}
+
+	tolerations: []
+
+	affinity: {}
+
+	// Mount volumes in the container.
+	volumes: []
+	volumeMounts: []
+
+	// Leverage a PriorityClass to ensure your pods survive resource shortages
+	// ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
+	// PriorityClass: system-cluster-critical
+	priorityClassName: ""
+
+	//# If `metrics:` object is not provided, or commented out, the following flags
+	//# will be applied the controller-manager and listener pods with empty values:
+	//# `--metrics-addr`, `--listener-metrics-addr`, `--listener-metrics-endpoint`.
+	//# This will disable metrics.
+	//#
+	//# To enable metrics, uncomment the following lines.
+	// metrics:
+	//   controllerManagerAddr: ":8080"
+	//   listenerAddr: ":8080"
+	//   listenerEndpoint: "/metrics"
+
+	flags: {
+		//# Log level can be set here with one of the following values: "debug", "info", "warn", "error".
+		//# Defaults to "debug".
+		logLevel: "debug"
+		//# Log format can be set with one of the following values: "text", "json"
+		//# Defaults to "text"
+		logFormat: "text"
+
+		//# Restricts the controller to only watch resources in the desired namespace.
+		//# Defaults to watch all namespaces when unset.
+		// watchSingleNamespace: ""
+		//# Defines how the controller should handle upgrades while having running jobs.
+		//#
+		//# The strategies available are:
+		//# - "immediate": (default) The controller will immediately apply the change causing the
+		//#   recreation of the listener and ephemeral runner set. This can lead to an
+		//#   overprovisioning of runners, if there are pending / running jobs. This should not
+		//#   be a problem at a small scale, but it could lead to a significant increase of
+		//#   resources if you have a lot of jobs running concurrently.
+		//#
+		//# - "eventual": The controller will remove the listener and ephemeral runner set
+		//#   immediately, but will not recreate them (to apply changes) until all
+		//#   pending / running jobs have completed.
+		//#   This can lead to a longer time to apply the change but it will ensure
+		//#   that you don't have any overprovisioning of runners.
+		updateStrategy: "immediate"
+	}
+}

docs/examples/platforms/reference/clusters/workload/cloud/iam/zitadel/crdb/cockroachdb.cue

@@ -1,26 +0,0 @@
-package holos
-
-#InputKeys: component: "crdb"
-
-#HelmChart & {
-	namespace: #TargetNamespace
-	chart: {
-		name:    "cockroachdb"
-		version: "11.2.3"
-		repository: {
-			name: "cockroachdb"
-			url:  "https://charts.cockroachdb.com/"
-		}
-	}
-	values: #Values
-	apiObjects: {
-		Issuer: {
-			// https://github.com/cockroachdb/helm-charts/blob/3dcf96726ebcfe3784afb526ddcf4095a1684aea/README.md?plain=1#L196-L201
-			cockroachdb: #Issuer & {
-				metadata: name:      #ComponentName
-				metadata: namespace: #TargetNamespace
-				spec: selfSigned: {}
-			}
-		}
-	}
-}

docs/examples/platforms/reference/clusters/workload/cloud/init/namespaces/component.cue

@@ -15,9 +15,6 @@ package holos
 		#Namespace & {
 			metadata: _ns
 		},
-		#SecretStore & {
-			_namespace: _ns.name
-		},
 	]
 }
 

docs/examples/platforms/reference/clusters/workload/cloud/mesh/certissuers/issuers.cue

@@ -1,61 +0,0 @@
-package holos
-
-// Lets Encrypt certificate issuers for public tls certs
-#InputKeys: component: "certissuers"
-#TargetNamespace: "cert-manager"
-
-let Name = "letsencrypt"
-
-// The cloudflare api token is platform scoped, not cluster scoped.
-#SecretName: "cloudflare-api-token-secret"
-
-// Depends on cert manager
-#DependsOn: _CertManager
-
-#KubernetesObjects & {
-	apiObjects: {
-		ClusterIssuer: {
-			letsencrypt: #ClusterIssuer & {
-				metadata: name: Name
-				spec: {
-					acme: {
-						email:  #Platform.org.contact.email
-						server: "https://acme-v02.api.letsencrypt.org/directory"
-						privateKeySecretRef: name: Name + "-istio"
-						solvers: [{http01: ingress: class: "istio"}]
-					}
-				}
-			}
-			letsencryptStaging: #ClusterIssuer & {
-				metadata: name: Name + "-staging"
-				spec: {
-					acme: {
-						email:  #Platform.org.contact.email
-						server: "https://acme-staging-v02.api.letsencrypt.org/directory"
-						privateKeySecretRef: name: Name + "-staging-istio"
-						solvers: [{http01: ingress: class: "istio"}]
-					}
-				}
-			}
-			letsencryptDns: #ClusterIssuer & {
-				metadata: name: Name + "-dns"
-				spec: {
-					acme: {
-						email:  #Platform.org.contact.email
-						server: "https://acme-v02.api.letsencrypt.org/directory"
-						privateKeySecretRef: name: Name + "-istio"
-						solvers: [{
-							dns01: cloudflare: {
-								email: #Platform.org.cloudflare.email
-								apiTokenSecretRef: name: #SecretName
-								apiTokenSecretRef: key:  "api_token"
-							}}]
-					}
-				}
-			}
-		}
-		ExternalSecret: "\(#SecretName)": #ExternalSecret & {
-			_name: #SecretName
-		}
-	}
-}

docs/examples/platforms/reference/clusters/workload/cloud/mesh/certmanager/certmanager.cue

@@ -1,25 +0,0 @@
-package holos
-
-// https://cert-manager.io/docs/
-
-#TargetNamespace: "cert-manager"
-
-#InputKeys: {
-	component: "certmanager"
-	service:   "cert-manager"
-}
-
-#HelmChart & {
-	values: #UpstreamValues & {
-		installCRDs: true
-	}
-	namespace: #TargetNamespace
-	chart: {
-		name:    "cert-manager"
-		version: "1.14.3"
-		repository: {
-			name: "jetstack"
-			url:  "https://charts.jetstack.io"
-		}
-	}
-}

docs/examples/platforms/reference/clusters/workload/cloud/mesh/istio/gateway/gateway.cue

@@ -9,32 +9,21 @@ let Name = "gateway"
 #TargetNamespace: "istio-ingress"
 #DependsOn:       _IngressGateway
 
-// TODO: We need to generalize this for multiple services hanging off the default gateway.
-let LoginCert = #Certificate & {
-	metadata: {
-		name:      "login"
-		namespace: #TargetNamespace
-	}
-	spec: {
-		commonName: "login.\(#Platform.org.domain)"
-		dnsNames: [commonName]
-		secretName: metadata.name
-		issuerRef: kind: "ClusterIssuer"
-		issuerRef: name: "letsencrypt"
-	}
-}
+let LoginCert = #PlatformCerts.login
 
 #KubernetesObjects & {
 	apiObjects: {
-		Certificate: login: LoginCert
+		ExternalSecret: login: #ExternalSecret & {
+			_name: "login"
+		}
 		Gateway: default: #Gateway & {
 			metadata: name:      "default"
 			metadata: namespace: #TargetNamespace
 			spec: selector: istio: "ingressgateway"
 			spec: servers: [
 				{
-					hosts: ["prod-iam-zitadel/\(LoginCert.spec.commonName)"]
-					port: name:          "https-prod-iam-zitadel"
+					hosts: [for dnsName in LoginCert.spec.dnsNames {"prod-iam-zitadel/\(dnsName)"}]
+					port: name:          "https-prod-iam-login"
 					port: number:        443
 					port: protocol:      "HTTPS"
 					tls: credentialName: LoginCert.spec.secretName

docs/examples/platforms/reference/clusters/workload/cloud/mesh/istio/httpbin/httpbin.cue

@@ -14,14 +14,13 @@ let Metadata = {
 #TargetNamespace: "istio-ingress"
 #DependsOn:       _IngressGateway
 
-let Cert = #HTTP01Cert & {
-	_name:   Name
-	_secret: SecretName
-}
+let Cert = #PlatformCerts[SecretName]
 
 #KubernetesObjects & {
 	apiObjects: {
-		Certificate: httpbin: Cert.object
+		ExternalSecret: httpbin: #ExternalSecret & {
+			_name: Cert.spec.secretName
+		}
 		Deployment: httpbin: #Deployment & {
 			metadata: Metadata
 			spec: selector: matchLabels: MatchLabels
@@ -56,18 +55,18 @@ let Cert = #HTTP01Cert & {
 			spec: selector: istio: "ingressgateway"
 			spec: servers: [
 				{
-					hosts: ["\(#TargetNamespace)/\(Cert.Host)"]
+					hosts: [for host in Cert.spec.dnsNames {"\(#TargetNamespace)/\(host)"}]
 					port: name:          "https-\(#InstanceName)"
 					port: number:        443
 					port: protocol:      "HTTPS"
-					tls: credentialName: Cert.SecretName
+					tls: credentialName: Cert.spec.secretName
 					tls: mode:           "SIMPLE"
 				},
 			]
 		}
 		VirtualService: httpbin: #VirtualService & {
 			metadata: Metadata
-			spec: hosts: [Cert.Host]
+			spec: hosts: [for host in Cert.spec.dnsNames {host}]
 			spec: gateways: ["\(#TargetNamespace)/\(Name)"]
 			spec: http: [{route: [{destination: host: Name}]}]
 		}

docs/examples/platforms/reference/clusters/workload/cloud/mesh/values.cue

@@ -526,7 +526,7 @@ package holos
 
 	base: {
 		// For istioctl usage to disable istio config crds in base
-		enableIstioConfigCRDs: true
+		enableIstioConfigCRDs: *true | false
 
 		// If enabled, gateway-api types will be validated using the standard upstream validation logic.
 		// This is an alternative to deploying the standalone validation server the project provides.

docs/examples/platforms/reference/clusters/workload/cloud/mesh/values.holos.cue

@@ -16,8 +16,8 @@ package holos
 		remotePilotAddress: ""
 	}
 	base: {
-		// Include the CRDs in the helm template output
-		enableCRDTemplates: true
+		// holos includes crd templates with the --include-crds helm flag.
+		enableCRDTemplates: false
 		// Validation webhook configuration url
 		// For example: https://$remotePilotAddress:15017/validate
 		validationURL: ""

docs/examples/platforms/reference/clusters/workload/cloud/pgo/controller/controller.cue

@@ -0,0 +1,6 @@
+package holos
+
+#DependsOn: Namespaces: name: "prod-secrets-namespaces"
+#DependsOn: CRDS: name:       "\(#InstancePrefix)-crds"
+#InputKeys: component: "controller"
+{} & #KustomizeBuild

docs/examples/platforms/reference/clusters/workload/cloud/pgo/controller/kustomization.yaml

@@ -0,0 +1,21 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: postgres-operator
+
+labels:
+- includeTemplates: true
+  pairs:
+    app.kubernetes.io/name: pgo
+    # The version below should match the version on the PostgresCluster CRD
+    app.kubernetes.io/version: 5.5.1
+    postgres-operator.crunchydata.com/control-plane: postgres-operator
+
+resources:
+- ./rbac/cluster
+- ./manager
+
+images:
+- name: postgres-operator
+  newName: registry.developers.crunchydata.com/crunchydata/postgres-operator
+  newTag: ubi8-5.5.1-0 

docs/examples/platforms/reference/clusters/workload/cloud/pgo/controller/manager/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- manager.yaml

docs/examples/platforms/reference/clusters/workload/cloud/pgo/controller/manager/manager.yaml

@@ -0,0 +1,56 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: pgo
+  labels:
+    postgres-operator.crunchydata.com/control-plane: postgres-operator
+spec:
+  replicas: 1
+  strategy: { type: Recreate }
+  selector:
+    matchLabels:
+      postgres-operator.crunchydata.com/control-plane: postgres-operator
+  template:
+    metadata:
+      labels:
+        postgres-operator.crunchydata.com/control-plane: postgres-operator
+    spec:
+      containers:
+      - name: operator
+        image: postgres-operator
+        env:
+        - name: PGO_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: CRUNCHY_DEBUG
+          value: "true"
+        - name: RELATED_IMAGE_POSTGRES_15
+          value: "registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi8-15.6-0"
+        - name: RELATED_IMAGE_POSTGRES_15_GIS_3.3
+          value: "registry.developers.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi8-15.6-3.3-0"
+        - name: RELATED_IMAGE_POSTGRES_16
+          value: "registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi8-16.2-0"
+        - name: RELATED_IMAGE_POSTGRES_16_GIS_3.3
+          value: "registry.developers.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi8-16.2-3.3-0"
+        - name: RELATED_IMAGE_POSTGRES_16_GIS_3.4
+          value: "registry.developers.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi8-16.2-3.4-0"
+        - name: RELATED_IMAGE_PGADMIN
+          value: "registry.developers.crunchydata.com/crunchydata/crunchy-pgadmin4:ubi8-4.30-22"
+        - name: RELATED_IMAGE_PGBACKREST
+          value: "registry.developers.crunchydata.com/crunchydata/crunchy-pgbackrest:ubi8-2.49-0"
+        - name: RELATED_IMAGE_PGBOUNCER
+          value: "registry.developers.crunchydata.com/crunchydata/crunchy-pgbouncer:ubi8-1.21-3"
+        - name: RELATED_IMAGE_PGEXPORTER
+          value: "registry.developers.crunchydata.com/crunchydata/crunchy-postgres-exporter:ubi8-0.15.0-3"
+        - name: RELATED_IMAGE_PGUPGRADE
+          value: "registry.developers.crunchydata.com/crunchydata/crunchy-upgrade:ubi8-5.5.1-0"
+        - name: RELATED_IMAGE_STANDALONE_PGADMIN
+          value: "registry.developers.crunchydata.com/crunchydata/crunchy-pgadmin4:ubi8-7.8-3"
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities: { drop: [ALL] }
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+      serviceAccountName: pgo

docs/examples/platforms/reference/clusters/workload/cloud/pgo/controller/rbac/cluster/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- service_account.yaml
+- role.yaml
+- role_binding.yaml

docs/examples/platforms/reference/clusters/workload/cloud/pgo/controller/rbac/cluster/role.yaml

@@ -0,0 +1,146 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: postgres-operator
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - configmaps
+  - persistentvolumeclaims
+  - secrets
+  - services
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - ''
+  resources:
+  - endpoints
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - ''
+  resources:
+  - endpoints/restricted
+  - pods/exec
+  verbs:
+  - create
+- apiGroups:
+  - ''
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - ''
+  resources:
+  - pods
+  verbs:
+  - delete
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - ''
+  resources:
+  - serviceaccounts
+  verbs:
+  - create
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  - statefulsets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - batch
+  resources:
+  - cronjobs
+  - jobs
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - policy
+  resources:
+  - poddisruptionbudgets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - postgres-operator.crunchydata.com
+  resources:
+  - pgadmins
+  - pgupgrades
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - postgres-operator.crunchydata.com
+  resources:
+  - pgadmins/finalizers
+  - pgupgrades/finalizers
+  - postgresclusters/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - postgres-operator.crunchydata.com
+  resources:
+  - pgadmins/status
+  - pgupgrades/status
+  - postgresclusters/status
+  verbs:
+  - patch
+- apiGroups:
+  - postgres-operator.crunchydata.com
+  resources:
+  - postgresclusters
+  verbs:
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - rolebindings
+  - roles
+  verbs:
+  - create
+  - get
+  - list
+  - patch
+  - watch

docs/examples/platforms/reference/clusters/workload/cloud/pgo/controller/rbac/cluster/role_binding.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: postgres-operator
+  labels:
+    postgres-operator.crunchydata.com/control-plane: postgres-operator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: postgres-operator
+subjects:
+- kind: ServiceAccount
+  name: pgo

docs/examples/platforms/reference/clusters/workload/cloud/pgo/controller/rbac/cluster/service_account.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: pgo
+  labels:
+    postgres-operator.crunchydata.com/control-plane: postgres-operator

docs/examples/platforms/reference/clusters/workload/cloud/pgo/controller/rbac/namespace/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- service_account.yaml
+- role.yaml
+- role_binding.yaml

docs/examples/platforms/reference/clusters/workload/cloud/pgo/controller/rbac/namespace/role.yaml

@@ -0,0 +1,146 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: postgres-operator
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - configmaps
+  - persistentvolumeclaims
+  - secrets
+  - services
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - ''
+  resources:
+  - endpoints
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - ''
+  resources:
+  - endpoints/restricted
+  - pods/exec
+  verbs:
+  - create
+- apiGroups:
+  - ''
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - ''
+  resources:
+  - pods
+  verbs:
+  - delete
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - ''
+  resources:
+  - serviceaccounts
+  verbs:
+  - create
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  - statefulsets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - batch
+  resources:
+  - cronjobs
+  - jobs
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - policy
+  resources:
+  - poddisruptionbudgets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - postgres-operator.crunchydata.com
+  resources:
+  - pgadmins
+  - pgupgrades
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - postgres-operator.crunchydata.com
+  resources:
+  - pgadmins/finalizers
+  - pgupgrades/finalizers
+  - postgresclusters/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - postgres-operator.crunchydata.com
+  resources:
+  - pgadmins/status
+  - pgupgrades/status
+  - postgresclusters/status
+  verbs:
+  - patch
+- apiGroups:
+  - postgres-operator.crunchydata.com
+  resources:
+  - postgresclusters
+  verbs:
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - rolebindings
+  - roles
+  verbs:
+  - create
+  - get
+  - list
+  - patch
+  - watch

docs/examples/platforms/reference/clusters/workload/cloud/pgo/controller/rbac/namespace/role_binding.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: postgres-operator
+  labels:
+    postgres-operator.crunchydata.com/control-plane: postgres-operator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: postgres-operator
+subjects:
+- kind: ServiceAccount
+  name: pgo

docs/examples/platforms/reference/clusters/workload/cloud/pgo/controller/rbac/namespace/service_account.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: pgo
+  labels:
+    postgres-operator.crunchydata.com/control-plane: postgres-operator

docs/examples/platforms/reference/clusters/workload/cloud/pgo/crds/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- bases/postgres-operator.crunchydata.com_postgresclusters.yaml
+- bases/postgres-operator.crunchydata.com_pgupgrades.yaml
+- bases/postgres-operator.crunchydata.com_pgadmins.yaml

docs/examples/platforms/reference/clusters/workload/cloud/pgo/crds/pgocrds.cue

@@ -0,0 +1,6 @@
+package holos
+
+// Refer to https://github.com/CrunchyData/postgres-operator-examples/tree/main/kustomize/install/crd
+
+#InputKeys: component: "crds"
+{} & #KustomizeBuild

docs/examples/platforms/reference/clusters/workload/cloud/pgo/pgo.cue

@@ -0,0 +1,4 @@
+package holos
+
+// Crunchy Postgres Operator
+#InputKeys: project: "pgo"

docs/examples/platforms/reference/clusters/workload/cloud/secrets/eso-creds-refresher/component.cue

@@ -2,6 +2,15 @@ package holos
 
 import "encoding/json"
 
+#DependsOn: _ESO
+
+#InputKeys: {
+	project:   "secrets"
+	component: "eso-creds-refresher"
+}
+
+#TargetNamespace: #CredsRefresher.namespace
+
 // output kubernetes api objects for holos
 #KubernetesObjects & {
 	apiObjects: {
@@ -13,15 +22,6 @@ import "encoding/json"
 	}
 }
 
-#InputKeys: {
-	project:   "secrets"
-	component: "eso-creds-refresher"
-}
-
-#TargetNamespace: #CredsRefresher.namespace
-
-#DependsOn: Namespaces: name: #InstancePrefix + "-namespaces"
-
 let NAME = #CredsRefresher.name
 let AUD = "//iam.googleapis.com/projects/\(#InputKeys.gcpProjectNumber)/locations/global/workloadIdentityPools/holos/providers/k8s-\(#InputKeys.cluster)"
 let MOUNT = "/var/run/service-account"

docs/examples/platforms/reference/clusters/workload/cloud/secrets/secrets.cue

@@ -0,0 +1,12 @@
+package holos
+
+// Components under this directory are part of this collection
+#InputKeys: project: "secrets"
+
+// Shared dependencies for all components in this collection.
+#DependsOn: _Namespaces
+
+// Common Dependencies
+_Namespaces: Namespaces: name: "\(#StageName)-secrets-namespaces"
+_ESO: ESO: name:               "\(#InstancePrefix)-eso"
+_ESOCreds: ESOCreds: name:     "\(#InstancePrefix)-eso-creds-refresher"

docs/examples/platforms/reference/clusters/workload/cloud/secrets/secretstores/secretstores.cue

@@ -0,0 +1,34 @@
+package holos
+
+#DependsOn: _ESOCreds
+
+#TargetNamespace: "default"
+
+#InputKeys: {
+	project:   "secrets"
+	component: "stores"
+}
+
+// #PlatformNamespaceObjects defines the api objects necessary for eso SecretStores in external clusters to access secrets in a given namespace in the provisioner cluster.
+#PlatformNamespaceObjects: {
+	_ns: #PlatformNamespace
+
+	objects: [
+		#SecretStore & {
+			_namespace: _ns.name
+		},
+	]
+}
+
+#KubernetesObjects & {
+	apiObjects: {
+		for ns in #PlatformNamespaces {
+			for obj in (#PlatformNamespaceObjects & {_ns: ns}).objects {
+				let Kind = obj.kind
+				let NS = ns.name
+				let Name = obj.metadata.name
+				"\(Kind)": "\(NS)/\(Name)": obj
+			}
+		}
+	}
+}

docs/examples/platforms/reference/clusters/workload/cloud/secrets/validate/component.cue

@@ -9,7 +9,7 @@ package holos
 	component: "validate"
 }
 
-#DependsOn: Namespaces: name: #InstancePrefix + "-eso"
+#DependsOn: _ESO
 
 #KubernetesObjects & {
 	apiObjects: {

docs/examples/platforms/reference/clusters/workload/metal/ceph/values.holos.cue

@@ -48,7 +48,7 @@ package holos
 
 		// (required) Ceph pool into which the RBD image shall be created
 		// eg: pool: replicapool
-		pool: "k8s-dev"
+		pool: #Platform.clusters[#ClusterName].pool
 
 		// (optional) RBD image features, CSI creates image with image-format 2 CSI
 		// RBD currently supports `layering`, `journaling`, `exclusive-lock`,

docs/examples/platforms/reference/namespaces.cue

@@ -12,6 +12,7 @@ let Privileged = {
 
 // #PlatformNamespaces is the union of all namespaces across all cluster types.  Namespaces are created in all clusters regardless of if they're
 // used within the cluster or not.  The is important for security and consistency with IAM, RBAC, and Secrets sync between clusters.
+// Holos adopts the namespace sameness position of SIG Multicluster, refer to https://github.com/kubernetes/community/blob/dd4c8b704ef1c9c3bfd928c6fa9234276d61ad18/sig-multicluster/namespace-sameness-position-statement.md
 #PlatformNamespaces: [
 	{name: "external-secrets"},
 	{name: "holos-system"},
@@ -22,4 +23,8 @@ let Privileged = {
 	{name: "cert-manager"},
 	{name: "argocd"},
 	{name: "prod-iam-zitadel"},
+	{name: "arc-system"},
+	{name: "arc-runner"},
+	// https://github.com/CrunchyData/postgres-operator-examples/blob/main/kustomize/install/namespace/namespace.yaml
+	{name: "postgres-operator"},
 ]

docs/examples/schema.cue

@@ -227,6 +227,16 @@ _apiVersion: "holos.run/v1alpha1"
 	provisionerURL: string @tag(provisionerURL, type=string)
 }
 
+// #ClusterSpec is the specification of a holos platform cluster member.
+#ClusterSpec: {
+	// name is the cluster name.
+	name: string
+	// pool is the optional ceph pool of the cluster.
+	pool?: string
+	// region is the geographic region of the cluster.
+	region?: string
+}
+
 // #Platform defines the primary lookup table for the platform.  Lookup keys should be limited to those defined in #KeyTags.
 #Platform: {
 	// org holds user defined values scoped organization wide.  A platform has one and only one organization.
@@ -236,9 +246,8 @@ _apiVersion: "holos.run/v1alpha1"
 		contact: email:    string
 		cloudflare: email: string
 	}
-	clusters: [ID=_]: {
-		name:    string & ID
-		region?: string
+	clusters: [ID=_]: #ClusterSpec & {
+		name: string & ID
 	}
 	stages: [ID=_]: {
 		name: string & ID
@@ -312,9 +321,10 @@ _apiVersion: "holos.run/v1alpha1"
 #Chart: {
 	name:    string
 	version: string
+	release: string | *name
 	repository: {
-		name: string
-		url:  string
+		name?: string
+		url?:  string
 	}
 }
 
@@ -349,6 +359,21 @@ _apiVersion: "holos.run/v1alpha1"
 	kustomizeFiles: #KustomizeFiles.Files
 }
 
+// #KustomizeBuild is a holos component that uses plain yaml files as the source of api objects for a holos component.
+// Intended for upstream components like the CrunchyData Postgres Operator.  The holos cli is expected to execute kustomize build on the component directory to produce the rendered output.
+#KustomizeBuild: {
+	#OutputTypeMeta
+	#APIObjects
+	kind: "KustomizeBuild"
+	metadata: name: #InstanceName
+	// ksObjects holds the flux Kustomization objects for gitops.
+	ksObjects: [...#Kustomization] | *[#Kustomization]
+	// ksContent is the yaml representation of kustomization.
+	ksContent: yaml.MarshalStream(ksObjects)
+	// namespace defines the value passed to the helm --namespace flag
+	namespace: #TargetNamespace
+}
+
 // #PlatformSpec is the output schema of a platform specification.
 #PlatformSpec: {
 	#OutputTypeMeta
@@ -389,6 +414,18 @@ _apiVersion: "holos.run/v1alpha1"
 	...
 }
 
+// #DefaultSecurityContext is the holos default security context to comply with the restricted namespace policy.
+// Refer to https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
+#DefaultSecurityContext: {
+	securityContext: {
+		allowPrivilegeEscalation: false
+		runAsNonRoot:             true
+		capabilities: drop: ["ALL"]
+		seccompProfile: type: "RuntimeDefault"
+	}
+	...
+}
+
 // By default, render kind: Skipped so holos knows to skip over intermediate cue files.
 // This enables the use of holos render ./foo/bar/baz/... when bar contains intermediary constraints which are not complete components.
 // Holos skips over these intermediary cue instances.

docs/provisioner/readme.md

@@ -133,9 +133,12 @@ This section configured:
 
 1. Provisioner Cluster to provide secrets to workload clusters.
 2. IAM service account `eso-creds-refresher` to identify the credential refresher job.
-3. Workload identity pool to authenticate the `eso-creds-refresher` Kubernetes service account in an external cluster.
-4. IAM policy to allow `eso-creds-refresher` to authenticate to the Provisioner Cluster.
-5. RoleBinding to allow `eso-creds-refresher` to create kubernetes service account tokens representing the credentials for use by SecretStore resources in workload clusters.
+3. Workload identity pool to authenticate the `system:serviceaccount:holos-system:eso-creds-refresher` Kubernetes service account in all clusters that share the workload identity pool.
+4. IAM policy to allow the `eso-creds-refresher` IAM service account to authenticate to the Provisioner Cluster.
+5. RoleBinding to allow the `eso-creds-refresher` IAM service account to create kubernetes service account tokens representing the credentials for use by SecretStore resources in workload clusters.
+
+> [!NOTE]
+> Any cluster in the workload identity pool can impersonate the eso-creds-refresher IAM service account.
 
 ## Cluster Setup
 
@@ -150,6 +153,12 @@ HOLOS_CLUSTER_NAME=west1
 ISSUER_URL="https://example.com/clusters/${HOLOS_CLUSTER_NAME}"
 ```
 
+Alternatively:
+
+```shell
+ISSUER_URL="$(kubectl get --raw='/.well-known/openid-configuration' | jq -r .issuer)"
+```
+
 ```shell
 gcloud iam workload-identity-pools providers create-oidc \
   k8s-$HOLOS_CLUSTER_NAME \

pkg/cli/preflight/gh.go

@@ -0,0 +1,129 @@
+package preflight
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/holos-run/holos/pkg/logger"
+	"github.com/holos-run/holos/pkg/util"
+	"github.com/holos-run/holos/pkg/wrapper"
+)
+
+type ghAuthStatusResponse string
+
+// RunGhChecks runs all the preflight checks related to GitHub.
+func RunGhChecks(ctx context.Context, cfg *config) error {
+	if err := cliIsInstalled(ctx); err != nil {
+		return err
+	}
+
+	if err := cliIsAuthed(ctx, cfg); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// cliIsInstalled checks if the GitHub CLI is installed.
+func cliIsInstalled(ctx context.Context) error {
+	log := logger.FromContext(ctx)
+
+	version, err := getGhVersion(ctx)
+	if err != nil {
+		log.WarnContext(ctx, "GitHub CLI (gh) not installed or not in PATH.")
+		return guideToInstallGh(ctx)
+	}
+
+	log.InfoContext(ctx, "GitHub CLI found", "gh_version", version)
+	return nil
+}
+
+// cliIsAuthed checks if 'gh' is authenticated. If not, 'gh auth login' is run then cliIsAuthed is called again.
+func cliIsAuthed(ctx context.Context, cfg *config) error {
+	log := logger.FromContext(ctx)
+
+	status, err := ghAuthStatus(ctx, cfg)
+
+	if err != nil || !ghIsAuthenticated(status, cfg) {
+		log.WarnContext(ctx, "GitHub CLI not authenticated to "+*cfg.githubInstance)
+		if err := authenticateGh(ctx, cfg); err != nil {
+			return wrapper.Wrap(fmt.Errorf("failed to authenticate the GitHub CLI to %v: %w", cfg.githubInstance, err))
+		}
+
+		// Re-run this check now that gh should be authenticated.
+		err := cliIsAuthed(ctx, cfg)
+		return err
+	}
+
+	log.InfoContext(ctx, "GitHub CLI is authenticated to "+*cfg.githubInstance)
+
+	if !ghTokenAllowsRepoCreation(status) {
+		return wrapper.Wrap(fmt.Errorf("GitHub token does not have the necessary scopes to create a repository"))
+	}
+
+	log.InfoContext(ctx, "GitHub token is able to create a repository")
+	return nil
+}
+
+// ghAuthStatus runs 'gh auth status' and returns the result.
+func ghAuthStatus(ctx context.Context, cfg *config) (ghAuthStatusResponse, error) {
+	log := logger.FromContext(ctx)
+	out, err := util.RunCmd(ctx, "gh", "auth", "status", "--hostname="+*cfg.githubInstance)
+
+	var status ghAuthStatusResponse
+	if err != nil {
+		status = ghAuthStatusResponse(out.Stderr.String())
+	} else {
+		status = ghAuthStatusResponse(out.Stdout.String())
+	}
+	log.DebugContext(ctx, "gh auth status", "gh_auth_status", status)
+
+	return status, err
+}
+
+// getGhVersion retrieves the version of 'gh'.
+func getGhVersion(ctx context.Context) (string, error) {
+	out, err := util.RunCmd(ctx, "gh", "--version")
+	if err != nil {
+		return "", err
+	}
+	return strings.Split(out.Stdout.String(), "\n")[0], nil
+}
+
+// guideToInstallGh guides the user towards installing the GitHub CLI.
+func guideToInstallGh(ctx context.Context) error {
+	log := logger.FromContext(ctx)
+	log.WarnContext(ctx, "The GitHub CLI is required to set up Holos. To install it, follow the instructions at: https://github.com/cli/cli#installation")
+	return wrapper.Wrap(fmt.Errorf("GitHub CLI is not installed"))
+}
+
+// authenticateGh runs 'gh auth login' to authenticate the GitHub CLI.
+func authenticateGh(ctx context.Context, cfg *config) error {
+	log := logger.FromContext(ctx)
+	log.InfoContext(ctx, "Authenticating GitHub CLI with 'gh auth login --hostname="+*cfg.githubInstance+"'. Please follow the prompts.")
+
+	err := util.RunInteractiveCmd(ctx, "gh", "auth", "login", "--hostname="+*cfg.githubInstance)
+	if err != nil {
+		log.ErrorContext(ctx, "Failed to authenticate GitHub CLI")
+		return wrapper.Wrap(fmt.Errorf("failed to authenticate GitHub CLI: %w", err))
+	}
+
+	log.InfoContext(ctx, "GitHub CLI has been authenticated.")
+	return nil
+}
+
+// ghIsAuthenticated checks if the GitHub CLI is authenticated and logged in to githubInstance.
+func ghIsAuthenticated(status ghAuthStatusResponse, cfg *config) bool {
+	return strings.Contains(string(status), "Logged in to "+*cfg.githubInstance)
+}
+
+// ghTokenAllowsRepoCreation validates that the GitHub CLI is authenticated
+// with a token that allows repository creation. This is a naive implementation
+// that just checks the output of 'gh auth status' for the presence of the
+// 'repo' scope. Note that the 'repo' scope is sufficient to create a secret in
+// a repository, so this check also covers that.
+// Example token scope line: "- Token scopes: 'admin:public_key', 'gist', 'read:org', 'repo'"
+func ghTokenAllowsRepoCreation(status ghAuthStatusResponse) bool {
+	return strings.Contains(string(status), "'repo'")
+}

pkg/cli/preflight/gh_test.go

@@ -0,0 +1,36 @@
+package preflight
+
+import "testing"
+
+func TestGhTokenAllowsRepoCreation(t *testing.T) {
+	testCases := []struct {
+		name     string
+		status   ghAuthStatusResponse
+		expected bool
+	}{
+		{
+			name:     "token has necessary scopes",
+			status:   "- Token: gho_************************************\n- Token scopes: 'gist', 'read:org', 'repo'",
+			expected: true,
+		},
+		{
+			name:     "token has necessary scopes",
+			status:   "  - Token scopes: 'gist', 'read:org', 'repo'",
+			expected: true,
+		},
+		{
+			name:     "token does not have necessary scopes",
+			status:   "- Token: gho_************************************\n- Token scopes: 'gist', 'read:org'",
+			expected: false,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			result := ghTokenAllowsRepoCreation(tc.status)
+			if result != tc.expected {
+				t.Errorf("expected %v, got %v", tc.expected, result)
+			}
+		})
+	}
+}

pkg/cli/preflight/preflight.go

@@ -0,0 +1,55 @@
+package preflight
+
+import (
+	"flag"
+
+	"github.com/spf13/cobra"
+
+	"github.com/holos-run/holos/pkg/cli/command"
+	"github.com/holos-run/holos/pkg/holos"
+	"github.com/holos-run/holos/pkg/logger"
+)
+
+// Config holds configuration parameters for preflight checks.
+type config struct {
+	githubInstance *string
+}
+
+// Build the shared configuration and flagset for the preflight command.
+func newConfig() (*config, *flag.FlagSet) {
+	cfg := &config{}
+	flagSet := flag.NewFlagSet("", flag.ContinueOnError)
+	cfg.githubInstance = flagSet.String("github-instance", "github.com", "Address of the GitHub instance you want to use")
+
+	return cfg, flagSet
+}
+
+// New returns the preflight command for the root command.
+func New(hc *holos.Config) *cobra.Command {
+	cfg, flagSet := newConfig()
+
+	cmd := command.New("preflight")
+	cmd.Short = "Run preflight checks to ensure you're ready to use Holos"
+	cmd.Flags().AddGoFlagSet(flagSet)
+	cmd.RunE = makePreflightRunFunc(hc, cfg)
+
+	return cmd
+}
+
+// makePreflightRunFunc returns the internal implementation of the preflight cli command.
+func makePreflightRunFunc(_ *holos.Config, cfg *config) command.RunFunc {
+	return func(cmd *cobra.Command, _ []string) error {
+		ctx := cmd.Context()
+		log := logger.FromContext(ctx)
+		log.Info("Starting preflight checks")
+
+		// GitHub checks
+		if err := RunGhChecks(ctx, cfg); err != nil {
+			return err
+		}
+		// Other checks can be added here
+
+		log.Info("Preflight checks complete. Ready to use Holos 🚀")
+		return nil
+	}
+}

pkg/cli/root.go

@@ -1,17 +1,20 @@
 package cli
 
 import (
+	"log/slog"
+
+	"github.com/spf13/cobra"
+
 	"github.com/holos-run/holos/pkg/cli/build"
 	"github.com/holos-run/holos/pkg/cli/create"
 	"github.com/holos-run/holos/pkg/cli/get"
 	"github.com/holos-run/holos/pkg/cli/kv"
+	"github.com/holos-run/holos/pkg/cli/preflight"
 	"github.com/holos-run/holos/pkg/cli/render"
 	"github.com/holos-run/holos/pkg/cli/txtar"
 	"github.com/holos-run/holos/pkg/holos"
 	"github.com/holos-run/holos/pkg/logger"
 	"github.com/holos-run/holos/pkg/version"
-	"github.com/spf13/cobra"
-	"log/slog"
 )
 
 // New returns a new root *cobra.Command for command line execution.
@@ -51,6 +54,7 @@ func New(cfg *holos.Config) *cobra.Command {
 	rootCmd.AddCommand(render.New(cfg))
 	rootCmd.AddCommand(get.New(cfg))
 	rootCmd.AddCommand(create.New(cfg))
+	rootCmd.AddCommand(preflight.New(cfg))
 
 	// Maybe not needed?
 	rootCmd.AddCommand(txtar.New(cfg))

pkg/cli/secret/create.go

@@ -1,6 +1,7 @@
 package secret
 
 import (
+	"bytes"
 	"fmt"
 	"github.com/holos-run/holos/pkg/cli/command"
 	"github.com/holos-run/holos/pkg/holos"
@@ -29,6 +30,7 @@ func NewCreateCmd(hc *holos.Config) *cobra.Command {
 	cfg.dryRun = flagSet.Bool("dry-run", false, "dry run")
 	cfg.appendHash = flagSet.Bool("append-hash", true, "append hash to kubernetes secret name")
 	cfg.dataStdin = flagSet.Bool("data-stdin", false, "read data field as json from stdin if")
+	cfg.trimTrailingNewlines = flagSet.Bool("trim-trailing-newlines", true, "trim trailing newlines if true")
 
 	cmd.Flags().SortFlags = false
 	cmd.Flags().AddGoFlagSet(flagSet)
@@ -80,7 +82,7 @@ func makeCreateRunFunc(hc *holos.Config, cfg *config) command.RunFunc {
 		}
 
 		for _, file := range cfg.files {
-			if err := filepath.WalkDir(file, makeWalkFunc(secret.Data, file)); err != nil {
+			if err := filepath.WalkDir(file, makeWalkFunc(secret.Data, file, *cfg.trimTrailingNewlines)); err != nil {
 				return wrapper.Wrap(err)
 			}
 		}
@@ -125,7 +127,7 @@ func makeCreateRunFunc(hc *holos.Config, cfg *config) command.RunFunc {
 	}
 }
 
-func makeWalkFunc(data secretData, root string) fs.WalkDirFunc {
+func makeWalkFunc(data secretData, root string, trimNewlines bool) fs.WalkDirFunc {
 	return func(path string, d os.DirEntry, err error) error {
 		if err != nil {
 			return err
@@ -143,6 +145,9 @@ func makeWalkFunc(data secretData, root string) fs.WalkDirFunc {
 			if data[key], err = os.ReadFile(path); err != nil {
 				return wrapper.Wrap(err)
 			}
+			if trimNewlines {
+				data[key] = bytes.TrimRight(data[key], "\r\n")
+			}
 		}
 
 		return nil

pkg/cli/secret/secret.go

@@ -12,15 +12,16 @@ const ClusterLabel = "holos.run/cluster.name"
 type secretData map[string][]byte
 
 type config struct {
-	files      holos.StringSlice
-	printFile  *string
-	extract    *bool
-	dryRun     *bool
-	appendHash *bool
-	dataStdin  *bool
-	cluster    *string
-	namespace  *string
-	extractTo  *string
+	files                holos.StringSlice
+	printFile            *string
+	extract              *bool
+	dryRun               *bool
+	appendHash           *bool
+	dataStdin            *bool
+	trimTrailingNewlines *bool
+	cluster              *string
+	namespace            *string
+	extractTo            *string
 }
 
 func newConfig() (*config, *flag.FlagSet) {

pkg/cli/secret/testdata/create_secret_dry_run.txt

@@ -1,5 +1,5 @@
 # Create the secret
-holos create secret directory --from-file=$WORK/fixture --dry-run
+holos create secret directory --trim-trailing-newlines=false --from-file=$WORK/fixture --dry-run
 
 # Want no warnings.
 ! stderr 'WRN'

pkg/cli/secret/testdata/create_secret_from_dir.txt

@@ -1,5 +1,5 @@
 # Create the secret
-holos create secret directory --from-file=$WORK/want
+holos create secret directory --trim-trailing-newlines=false --from-file=$WORK/want
 stderr 'created: directory-..........'
 stderr 'secret=directory-..........'
 stderr 'name=directory'

pkg/cli/secret/testdata/create_secret_from_dir_strip_newlines.txt

@@ -0,0 +1,17 @@
+# Create a secret from files with trailing newlines
+holos create secret smtp --from-file=$WORK/smtp
+
+# Get the secret back expecting no trailing newlines
+mkdir have
+holos get secret smtp
+stdout '"username": "holos.run@gmail.com"'
+stdout '"password": "secret"'
+
+-- smtp/username --
+holos.run@gmail.com
+-- smtp/password --
+secret
+-- smtp/host --
+smtp.gmail.com
+-- smtp/port --
+587

pkg/cli/secret/testdata/create_secret_no_depth.txt

@@ -1,5 +1,5 @@
 # Create the secret
-holos create secret directory --from-file=$WORK/want
+holos create secret directory --trim-trailing-newlines=false --from-file=$WORK/want
 
 # Get the secret back
 mkdir have

pkg/cli/secret/testdata/issue34_print_data.txt

@@ -0,0 +1,7 @@
+# Print the data key by default
+holos get secret zitadel-admin
+stdout '^{$'
+stdout '^  "url": "https://login.example.com"'
+stdout '^  "username": "zitadel-admin@zitadel.login.example.com"'
+stdout '^  "password": "Password1!"'
+stdout '^}$'

pkg/internal/builder/builder.go

@@ -4,23 +4,22 @@
 package builder
 
 import (
-	"bytes"
 	"context"
-	"cuelang.org/go/cue/build"
 	"fmt"
-	"github.com/holos-run/holos"
-	"github.com/holos-run/holos/pkg/logger"
-	"github.com/holos-run/holos/pkg/util"
-	"github.com/holos-run/holos/pkg/wrapper"
 	"log/slog"
 	"os"
-	"os/exec"
 	"path/filepath"
 	"slices"
 	"strings"
 
+	"cuelang.org/go/cue/build"
 	"cuelang.org/go/cue/cuecontext"
 	"cuelang.org/go/cue/load"
+
+	"github.com/holos-run/holos"
+	"github.com/holos-run/holos/pkg/logger"
+	"github.com/holos-run/holos/pkg/util"
+	"github.com/holos-run/holos/pkg/wrapper"
 )
 
 const (
@@ -34,6 +33,8 @@ const (
 	Skip = "Skip"
 	// ChartDir is the chart cache directory name.
 	ChartDir = "vendor"
+	// KustomizeBuild is the value of the kind field of cue output indicating holos should process the component using kustomize build to render output.
+	KustomizeBuild = "KustomizeBuild"
 )
 
 // An Option configures a Builder
@@ -107,6 +108,7 @@ type Repository struct {
 type Chart struct {
 	Name       string     `json:"name"`
 	Version    string     `json:"version"`
+	Release    string     `json:"release"`
 	Repository Repository `json:"repository"`
 }
 
@@ -214,13 +216,13 @@ func (r *Result) kustomize(ctx context.Context) error {
 	}
 
 	// Run kustomize.
-	kOut, err := runCmd(ctx, "kubectl", "kustomize", tempDir)
+	kOut, err := util.RunCmd(ctx, "kubectl", "kustomize", tempDir)
 	if err != nil {
-		log.ErrorContext(ctx, kOut.stderr.String())
+		log.ErrorContext(ctx, kOut.Stderr.String())
 		return wrapper.Wrap(err)
 	}
 	// Replace the accumulated output
-	r.accumulatedOutput = kOut.stdout.String()
+	r.accumulatedOutput = kOut.Stdout.String()
 	return nil
 }
 
@@ -341,6 +343,20 @@ func (b *Builder) Run(ctx context.Context) (results []*Result, err error) {
 			if err := result.kustomize(ctx); err != nil {
 				return nil, wrapper.Wrap(fmt.Errorf("could not kustomize: %w", err))
 			}
+		case KustomizeBuild:
+			// CUE directly provides the kubernetes api objects in result.Content
+			if err := value.Decode(&result); err != nil {
+				return nil, wrapper.Wrap(fmt.Errorf("could not decode: %w", err))
+			}
+			// Run kustomize.
+			kOut, err := util.RunCmd(ctx, "kubectl", "kustomize", instance.Dir)
+			if err != nil {
+				log.ErrorContext(ctx, kOut.Stderr.String())
+				return nil, wrapper.Wrap(err)
+			}
+			// Replace the accumulated output
+			result.accumulatedOutput = kOut.Stdout.String()
+			result.addOverlayObjects(log)
 		default:
 			return nil, wrapper.Wrap(fmt.Errorf("build kind not implemented: %v", kind))
 		}
@@ -379,25 +395,6 @@ func (b *Builder) findCueMod() (dir holos.PathCueMod, err error) {
 	return dir, nil
 }
 
-type runResult struct {
-	stdout *bytes.Buffer
-	stderr *bytes.Buffer
-}
-
-func runCmd(ctx context.Context, name string, args ...string) (result runResult, err error) {
-	result = runResult{
-		stdout: new(bytes.Buffer),
-		stderr: new(bytes.Buffer),
-	}
-	cmd := exec.CommandContext(ctx, name, args...)
-	cmd.Stdout = result.stdout
-	cmd.Stderr = result.stderr
-	log := logger.FromContext(ctx)
-	log.DebugContext(ctx, "run: "+name, "name", name, "args", args)
-	err = cmd.Run()
-	return
-}
-
 // runHelm provides the values produced by CUE to helm template and returns
 // the rendered kubernetes api objects in the result.
 func runHelm(ctx context.Context, hc *HelmChart, r *Result, path holos.PathComponent) error {
@@ -407,21 +404,26 @@ func runHelm(ctx context.Context, hc *HelmChart, r *Result, path holos.PathCompo
 		return nil
 	}
 
-	cachedChartPath := filepath.Join(string(path), ChartDir, hc.Chart.Name)
+	cachedChartPath := filepath.Join(string(path), ChartDir, filepath.Base(hc.Chart.Name))
 	if isNotExist(cachedChartPath) {
 		// Add repositories
 		repo := hc.Chart.Repository
-		out, err := runCmd(ctx, "helm", "repo", "add", repo.Name, repo.URL)
-		if err != nil {
-			log.ErrorContext(ctx, "could not run helm", "stderr", out.stderr.String(), "stdout", out.stdout.String())
-			return wrapper.Wrap(fmt.Errorf("could not run helm repo add: %w", err))
-		}
-		// Update repository
-		out, err = runCmd(ctx, "helm", "repo", "update", repo.Name)
-		if err != nil {
-			log.ErrorContext(ctx, "could not run helm", "stderr", out.stderr.String(), "stdout", out.stdout.String())
-			return wrapper.Wrap(fmt.Errorf("could not run helm repo update: %w", err))
+		if repo.URL != "" {
+			out, err := util.RunCmd(ctx, "helm", "repo", "add", repo.Name, repo.URL)
+			if err != nil {
+				log.ErrorContext(ctx, "could not run helm", "stderr", out.Stderr.String(), "stdout", out.Stdout.String())
+				return wrapper.Wrap(fmt.Errorf("could not run helm repo add: %w", err))
+			}
+			// Update repository
+			out, err = util.RunCmd(ctx, "helm", "repo", "update", repo.Name)
+			if err != nil {
+				log.ErrorContext(ctx, "could not run helm", "stderr", out.Stderr.String(), "stdout", out.Stdout.String())
+				return wrapper.Wrap(fmt.Errorf("could not run helm repo update: %w", err))
+			}
+		} else {
+			log.DebugContext(ctx, "no chart repository url proceeding assuming oci chart")
 		}
+
 		// Cache the chart
 		if err := cacheChart(ctx, path, ChartDir, hc.Chart); err != nil {
 			return fmt.Errorf("could not cache chart: %w", err)
@@ -443,9 +445,9 @@ func runHelm(ctx context.Context, hc *HelmChart, r *Result, path holos.PathCompo
 
 	// Run charts
 	chart := hc.Chart
-	helmOut, err := runCmd(ctx, "helm", "template", "--values", valuesPath, "--namespace", hc.Namespace, "--kubeconfig", "/dev/null", "--version", chart.Version, chart.Name, cachedChartPath)
+	helmOut, err := util.RunCmd(ctx, "helm", "template", "--include-crds", "--values", valuesPath, "--namespace", hc.Namespace, "--kubeconfig", "/dev/null", "--version", chart.Version, chart.Release, cachedChartPath)
 	if err != nil {
-		stderr := helmOut.stderr.String()
+		stderr := helmOut.Stderr.String()
 		lines := strings.Split(stderr, "\n")
 		for _, line := range lines {
 			if strings.HasPrefix(line, "Error:") {
@@ -455,7 +457,7 @@ func runHelm(ctx context.Context, hc *HelmChart, r *Result, path holos.PathCompo
 		return wrapper.Wrap(fmt.Errorf("could not run helm template: %w", err))
 	}
 
-	r.accumulatedOutput = helmOut.stdout.String()
+	r.accumulatedOutput = helmOut.Stdout.String()
 
 	return nil
 }
@@ -485,12 +487,15 @@ func cacheChart(ctx context.Context, path holos.PathComponent, chartDir string,
 	}
 	defer remove(ctx, cacheTemp)
 
-	chartName := fmt.Sprintf("%s/%s", chart.Repository.Name, chart.Name)
-	helmOut, err := runCmd(ctx, "helm", "pull", "--destination", cacheTemp, "--untar=true", "--version", chart.Version, chartName)
+	chartName := chart.Name
+	if chart.Repository.Name != "" {
+		chartName = fmt.Sprintf("%s/%s", chart.Repository.Name, chart.Name)
+	}
+	helmOut, err := util.RunCmd(ctx, "helm", "pull", "--destination", cacheTemp, "--untar=true", "--version", chart.Version, chartName)
 	if err != nil {
 		return wrapper.Wrap(fmt.Errorf("could not run helm pull: %w", err))
 	}
-	log.Debug("helm pull", "stdout", helmOut.stdout, "stderr", helmOut.stderr)
+	log.Debug("helm pull", "stdout", helmOut.Stdout, "stderr", helmOut.Stderr)
 
 	cachePath := filepath.Join(string(path), chartDir)
 	if err := os.Rename(cacheTemp, cachePath); err != nil {

pkg/util/run.go

@@ -0,0 +1,56 @@
+package util
+
+import (
+	"bytes"
+	"context"
+	"os"
+	"os/exec"
+
+	"github.com/holos-run/holos/pkg/logger"
+)
+
+// runResult holds the stdout and stderr of a command.
+type RunResult struct {
+	Stdout *bytes.Buffer
+	Stderr *bytes.Buffer
+}
+
+// RunCmd runs a command within a context, captures its output, provides debug
+// logging, and returns the result.
+// Example:
+//
+//	result, err := RunCmd(ctx, "echo", "hello")
+//	if err != nil {
+//	  return wrapper.Wrap(err)
+//	}
+//	fmt.Println(result.Stdout.String())
+//
+// Output:
+//
+//	"hello\n"
+func RunCmd(ctx context.Context, name string, args ...string) (result RunResult, err error) {
+	result = RunResult{
+		Stdout: new(bytes.Buffer),
+		Stderr: new(bytes.Buffer),
+	}
+	cmd := exec.CommandContext(ctx, name, args...)
+	cmd.Stdout = result.Stdout
+	cmd.Stderr = result.Stderr
+	log := logger.FromContext(ctx)
+	log.DebugContext(ctx, "running: "+name, "name", name, "args", args)
+	err = cmd.Run()
+	return result, err
+}
+
+// RunInteractiveCmd runs a command within a context but allows the command to
+// accept stdin interactively from the user. The caller is expected to handle
+// errors.
+func RunInteractiveCmd(ctx context.Context, name string, args ...string) error {
+	cmd := exec.CommandContext(ctx, name, args...)
+	cmd.Stdin = os.Stdin
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	log := logger.FromContext(ctx)
+	log.DebugContext(ctx, "running: "+name, "name", name, "args", args)
+	return cmd.Run()
+}

pkg/version/embedded/minor

@@ -1 +1 @@
-51
+55

pkg/version/embedded/patch

@@ -1 +1 @@
-2
+1