(#86) ArgoCD

Using the Helm chart so we can inject the istio sidecar with a kustomize
patch and tweak the configs for OIDC integration.

Login works, istio sidecar is injected.  ArgoCD can only be configured
with one domain unfortunately, it's not accessible at argocd.ois.run,
only argocd.k2.ois.run (or whatever cluster it's installed into).

Ideally it would use the Host header but it does not.

RBAC is not implemented but the User Info endpoint does have group
membership so this shouldn't be a problem to implement.

.gitignore

@@ -5,3 +5,4 @@ coverage.out
 dist/
 *.hold/
 /deploy/
+.vscode/

Makefile

@@ -4,7 +4,7 @@ PROJ=holos
 ORG_PATH=github.com/holos-run
 REPO_PATH=$(ORG_PATH)/$(PROJ)
 
-VERSION := $(shell grep "const Version " pkg/version/version.go | sed -E 's/.*"(.+)"$$/\1/')
+VERSION := $(shell cat pkg/version/embedded/major pkg/version/embedded/minor pkg/version/embedded/patch | xargs printf "%s.%s.%s")
 BIN_NAME := holos
 
 DOCKER_REPO=quay.io/openinfrastructure/holos
@@ -39,18 +39,27 @@ bumpmajor: ## Bump the major version.
 	scripts/bump minor 0
 	scripts/bump patch 0
 
+.PHONY: show-version
+show-version: ## Print the full version.
+	@echo $(VERSION)
+
 .PHONY: tidy
 tidy: ## Tidy go module.
 	go mod tidy
 
 .PHONY: fmt
-fmt: ## Format Go code.
+fmt: ## Format code.
+	cd docs/examples && cue fmt ./...
 	go fmt ./...
 
 .PHONY: vet
 vet: ## Vet Go code.
 	go vet ./...
 
+.PHONY: gencue
+gencue: ## Generate CUE definitions
+	cd docs/examples && cue get go github.com/holos-run/holos/api/...
+
 .PHONY: generate
 generate: ## Generate code.
 	go generate ./...

api/v1alpha1/buildplan.go

@@ -0,0 +1,40 @@
+package v1alpha1
+
+import (
+	"fmt"
+	"strings"
+)
+
+// BuildPlan is the primary interface between CUE and the Holos cli.
+type BuildPlan struct {
+	TypeMeta `json:",inline" yaml:",inline"`
+	// Metadata represents the holos component name
+	Metadata ObjectMeta    `json:"metadata,omitempty" yaml:"metadata,omitempty"`
+	Spec     BuildPlanSpec `json:"spec,omitempty" yaml:"spec,omitempty"`
+}
+
+type BuildPlanSpec struct {
+	Disabled   bool                `json:"disabled,omitempty" yaml:"disabled,omitempty"`
+	Components BuildPlanComponents `json:"components,omitempty" yaml:"components,omitempty"`
+}
+
+type BuildPlanComponents struct {
+	HelmChartList         []HelmChart                  `json:"helmChartList,omitempty" yaml:"helmChartList,omitempty"`
+	KubernetesObjectsList []KubernetesObjects          `json:"kubernetesObjectsList,omitempty" yaml:"kubernetesObjectsList,omitempty"`
+	KustomizeBuildList    []KustomizeBuild             `json:"kustomizeBuildList,omitempty" yaml:"kustomizeBuildList,omitempty"`
+	Resources             map[string]KubernetesObjects `json:"resources,omitempty" yaml:"resources,omitempty"`
+}
+
+func (bp *BuildPlan) Validate() error {
+	errs := make([]string, 0, 2)
+	if bp.Kind != BuildPlanKind {
+		errs = append(errs, fmt.Sprintf("kind invalid: want: %s have: %s", BuildPlanKind, bp.Kind))
+	}
+	if bp.APIVersion != APIVersion {
+		errs = append(errs, fmt.Sprintf("apiVersion invalid: want: %s have: %s", APIVersion, bp.APIVersion))
+	}
+	if len(errs) > 0 {
+		return fmt.Errorf("invalid BuildPlan: " + strings.Join(errs, ", "))
+	}
+	return nil
+}

api/v1alpha1/component.go

@@ -0,0 +1,22 @@
+package v1alpha1
+
+// HolosComponent defines the fields common to all holos component kinds including the Render Result.
+type HolosComponent struct {
+	TypeMeta `json:",inline" yaml:",inline"`
+	// Metadata represents the holos component name
+	Metadata ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty"`
+	// APIObjectMap holds the marshalled representation of api objects. Think of
+	// these as resources overlaid at the back of the render pipeline.
+	APIObjectMap APIObjectMap `json:"apiObjectMap,omitempty" yaml:"apiObjectMap,omitempty"`
+	// Kustomization holds the marshalled representation of the flux kustomization
+	// which reconciles resources in git with the api server.
+	Kustomization `json:",inline" yaml:",inline"`
+	// Kustomize represents a kubectl kustomize build post-processing step.
+	Kustomize `json:",inline" yaml:",inline"`
+	// Skip causes holos to take no action regarding the component.
+	Skip bool
+}
+
+func (hc *HolosComponent) NewResult() *Result {
+	return &Result{HolosComponent: *hc}
+}

api/v1alpha1/constants.go

@@ -0,0 +1,11 @@
+package v1alpha1
+
+const (
+	APIVersion    = "holos.run/v1alpha1"
+	BuildPlanKind = "BuildPlan"
+	HelmChartKind = "HelmChart"
+	// ChartDir is the directory name created in the holos component directory to cache a chart.
+	ChartDir = "vendor"
+	// ResourcesFile is the file name used to store component output when post-processing with kustomize.
+	ResourcesFile = "resources.yaml"
+)

api/v1alpha1/doc.go

@@ -0,0 +1,2 @@
+// Package v1alpha1 defines the api boundary between CUE and Holos.
+package v1alpha1

api/v1alpha1/helm.go

@@ -0,0 +1,154 @@
+package v1alpha1
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/holos-run/holos"
+	"github.com/holos-run/holos/pkg/logger"
+	"github.com/holos-run/holos/pkg/util"
+	"github.com/holos-run/holos/pkg/wrapper"
+)
+
+// A HelmChart represents a helm command to provide chart values in order to render kubernetes api objects.
+type HelmChart struct {
+	HolosComponent `json:",inline" yaml:",inline"`
+	// Namespace is the namespace to install into.  TODO: Use metadata.namespace instead.
+	Namespace     string `json:"namespace"`
+	Chart         Chart  `json:"chart"`
+	ValuesContent string `json:"valuesContent"`
+	EnableHooks   bool   `json:"enableHooks"`
+}
+
+type Chart struct {
+	Name       string     `json:"name"`
+	Version    string     `json:"version"`
+	Release    string     `json:"release"`
+	Repository Repository `json:"repository,omitempty"`
+}
+
+type Repository struct {
+	Name string `json:"name"`
+	URL  string `json:"url"`
+}
+
+func (hc *HelmChart) Render(ctx context.Context, path holos.InstancePath) (*Result, error) {
+	result := Result{HolosComponent: hc.HolosComponent}
+	if err := hc.helm(ctx, &result, path); err != nil {
+		return nil, err
+	}
+	result.addObjectMap(ctx, hc.APIObjectMap)
+	if err := result.kustomize(ctx); err != nil {
+		return nil, wrapper.Wrap(fmt.Errorf("could not kustomize: %w", err))
+	}
+	return &result, nil
+}
+
+// runHelm provides the values produced by CUE to helm template and returns
+// the rendered kubernetes api objects in the result.
+func (hc *HelmChart) helm(ctx context.Context, r *Result, path holos.InstancePath) error {
+	log := logger.FromContext(ctx).With("chart", hc.Chart.Name)
+	if hc.Chart.Name == "" {
+		log.WarnContext(ctx, "skipping helm: no chart name specified, use a different component type")
+		return nil
+	}
+
+	cachedChartPath := filepath.Join(string(path), ChartDir, filepath.Base(hc.Chart.Name))
+	if isNotExist(cachedChartPath) {
+		// Add repositories
+		repo := hc.Chart.Repository
+		if repo.URL != "" {
+			out, err := util.RunCmd(ctx, "helm", "repo", "add", repo.Name, repo.URL)
+			if err != nil {
+				log.ErrorContext(ctx, "could not run helm", "stderr", out.Stderr.String(), "stdout", out.Stdout.String())
+				return wrapper.Wrap(fmt.Errorf("could not run helm repo add: %w", err))
+			}
+			// Update repository
+			out, err = util.RunCmd(ctx, "helm", "repo", "update", repo.Name)
+			if err != nil {
+				log.ErrorContext(ctx, "could not run helm", "stderr", out.Stderr.String(), "stdout", out.Stdout.String())
+				return wrapper.Wrap(fmt.Errorf("could not run helm repo update: %w", err))
+			}
+		} else {
+			log.DebugContext(ctx, "no chart repository url proceeding assuming oci chart")
+		}
+
+		// Cache the chart
+		if err := cacheChart(ctx, path, ChartDir, hc.Chart); err != nil {
+			return fmt.Errorf("could not cache chart: %w", err)
+		}
+	}
+
+	// Write values file
+	tempDir, err := os.MkdirTemp("", "holos")
+	if err != nil {
+		return wrapper.Wrap(fmt.Errorf("could not make temp dir: %w", err))
+	}
+	defer util.Remove(ctx, tempDir)
+
+	valuesPath := filepath.Join(tempDir, "values.yaml")
+	if err := os.WriteFile(valuesPath, []byte(hc.ValuesContent), 0644); err != nil {
+		return wrapper.Wrap(fmt.Errorf("could not write values: %w", err))
+	}
+	log.DebugContext(ctx, "helm: wrote values", "path", valuesPath, "bytes", len(hc.ValuesContent))
+
+	// Run charts
+	chart := hc.Chart
+	args := []string{"template"}
+	if !hc.EnableHooks {
+		args = append(args, "--no-hooks")
+	}
+	namespace := hc.Namespace
+	args = append(args, "--include-crds", "--values", valuesPath, "--namespace", namespace, "--kubeconfig", "/dev/null", "--version", chart.Version, chart.Release, cachedChartPath)
+	helmOut, err := util.RunCmd(ctx, "helm", args...)
+	if err != nil {
+		stderr := helmOut.Stderr.String()
+		lines := strings.Split(stderr, "\n")
+		for _, line := range lines {
+			if strings.HasPrefix(line, "Error:") {
+				err = fmt.Errorf("%s: %w", line, err)
+			}
+		}
+		return wrapper.Wrap(fmt.Errorf("could not run helm template: %w", err))
+	}
+
+	r.accumulatedOutput = helmOut.Stdout.String()
+
+	return nil
+}
+
+// cacheChart stores a cached copy of Chart in the chart subdirectory of path.
+func cacheChart(ctx context.Context, path holos.InstancePath, chartDir string, chart Chart) error {
+	log := logger.FromContext(ctx)
+
+	cacheTemp, err := os.MkdirTemp(string(path), chartDir)
+	if err != nil {
+		return wrapper.Wrap(fmt.Errorf("could not make temp dir: %w", err))
+	}
+	defer util.Remove(ctx, cacheTemp)
+
+	chartName := chart.Name
+	if chart.Repository.Name != "" {
+		chartName = fmt.Sprintf("%s/%s", chart.Repository.Name, chart.Name)
+	}
+	helmOut, err := util.RunCmd(ctx, "helm", "pull", "--destination", cacheTemp, "--untar=true", "--version", chart.Version, chartName)
+	if err != nil {
+		return wrapper.Wrap(fmt.Errorf("could not run helm pull: %w", err))
+	}
+	log.Debug("helm pull", "stdout", helmOut.Stdout, "stderr", helmOut.Stderr)
+
+	cachePath := filepath.Join(string(path), chartDir)
+	if err := os.Rename(cacheTemp, cachePath); err != nil {
+		return wrapper.Wrap(fmt.Errorf("could not rename: %w", err))
+	}
+	log.InfoContext(ctx, "cached", "chart", chart.Name, "version", chart.Version, "path", cachePath)
+
+	return nil
+}
+func isNotExist(path string) bool {
+	_, err := os.Stat(path)
+	return os.IsNotExist(err)
+}

api/v1alpha1/kubernetesobjects.go

@@ -0,0 +1,21 @@
+package v1alpha1
+
+import (
+	"context"
+
+	"github.com/holos-run/holos"
+)
+
+const KubernetesObjectsKind = "KubernetesObjects"
+
+// KubernetesObjects represents CUE output which directly provides Kubernetes api objects to holos.
+type KubernetesObjects struct {
+	HolosComponent `json:",inline" yaml:",inline"`
+}
+
+// Render produces kubernetes api objects from the APIObjectMap
+func (o *KubernetesObjects) Render(ctx context.Context, path holos.InstancePath) (*Result, error) {
+	result := Result{HolosComponent: o.HolosComponent}
+	result.addObjectMap(ctx, o.APIObjectMap)
+	return &result, nil
+}

api/v1alpha1/kustomization.go

@@ -0,0 +1,7 @@
+package v1alpha1
+
+// Kustomization holds the rendered flux kustomization api object content for git ops.
+type Kustomization struct {
+	// KsContent is the yaml representation of the flux kustomization for gitops.
+	KsContent string `json:"ksContent,omitempty" yaml:"ksContent,omitempty"`
+}

api/v1alpha1/kustomize.go

@@ -0,0 +1,47 @@
+package v1alpha1
+
+import (
+	"context"
+
+	"github.com/holos-run/holos"
+	"github.com/holos-run/holos/pkg/logger"
+	"github.com/holos-run/holos/pkg/util"
+	"github.com/holos-run/holos/pkg/wrapper"
+)
+
+const KustomizeBuildKind = "KustomizeBuild"
+
+// Kustomize represents resources necessary to execute a kustomize build.
+// Intended for at least two use cases:
+//
+//  1. Process raw yaml file resources in a holos component directory.
+//  2. Post process a HelmChart to inject istio, add custom labels, etc...
+type Kustomize struct {
+	// KustomizeFiles holds file contents for kustomize, e.g. patch files.
+	KustomizeFiles FileContentMap `json:"kustomizeFiles,omitempty" yaml:"kustomizeFiles,omitempty"`
+	// ResourcesFile is the file name used for api objects in kustomization.yaml
+	ResourcesFile string `json:"resourcesFile,omitempty" yaml:"resourcesFile,omitempty"`
+}
+
+// KustomizeBuild renders plain yaml files in the holos component directory using kubectl kustomize build.
+type KustomizeBuild struct {
+	HolosComponent `json:",inline" yaml:",inline"`
+}
+
+// Render produces a Result by executing kubectl kustomize on the holos
+// component path. Useful for processing raw yaml files.
+func (kb *KustomizeBuild) Render(ctx context.Context, path holos.InstancePath) (*Result, error) {
+	log := logger.FromContext(ctx)
+	result := Result{HolosComponent: kb.HolosComponent}
+	// Run kustomize.
+	kOut, err := util.RunCmd(ctx, "kubectl", "kustomize", string(path))
+	if err != nil {
+		log.ErrorContext(ctx, kOut.Stderr.String())
+		return nil, wrapper.Wrap(err)
+	}
+	// Replace the accumulated output
+	result.accumulatedOutput = kOut.Stdout.String()
+	// Add CUE based api objects.
+	result.addObjectMap(ctx, kb.APIObjectMap)
+	return &result, nil
+}

api/v1alpha1/objectmap.go

@@ -0,0 +1,14 @@
+package v1alpha1
+
+// Label is an arbitrary unique identifier.  Defined as a type for clarity and type checking.
+type Label string
+
+// Kind is a kubernetes api object kind. Defined as a type for clarity and type checking.
+type Kind string
+
+// APIObjectMap is the shape of marshalled api objects returned from cue to the
+// holos cli. A map is used to improve the clarity of error messages from cue.
+type APIObjectMap map[Kind]map[Label]string
+
+// FileContentMap is a map of file names to file contents.
+type FileContentMap map[string]string

api/v1alpha1/objectmeta.go

@@ -0,0 +1,15 @@
+package v1alpha1
+
+// ObjectMeta represents metadata of a holos component object. The fields are a
+// copy of upstream kubernetes api machinery but are by holos objects distinct
+// from kubernetes api objects.
+type ObjectMeta struct {
+	// Name uniquely identifies the holos component instance and must be suitable as a file name.
+	Name string `json:"name,omitempty" yaml:"name,omitempty"`
+	// Namespace confines a holos component to a single namespace via kustomize if set.
+	Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"`
+	// Labels are not used but are copied from api machinery ObjectMeta for completeness.
+	Labels map[string]string `json:"labels,omitempty" yaml:"labels,omitempty"`
+	// Annotations are not used but are copied from api machinery ObjectMeta for completeness.
+	Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"`
+}

api/v1alpha1/render.go

@@ -0,0 +1,22 @@
+package v1alpha1
+
+import (
+	"context"
+
+	"github.com/holos-run/holos"
+)
+
+type Renderer interface {
+	GetKind() string
+	Render(ctx context.Context, path holos.InstancePath) (*Result, error)
+}
+
+// Render produces a Result representing the kubernetes api objects to
+// configure. Each of the various holos component types, e.g. Helm, Kustomize,
+// et al, should implement the Renderer interface. This process is best
+// conceptualized as a data pipeline, for example a component may render a
+// result by first calling helm template, then passing the result through
+// kustomize, then mixing in overlay api objects.
+func Render(ctx context.Context, r Renderer, path holos.InstancePath) (*Result, error) {
+	return r.Render(ctx, path)
+}

api/v1alpha1/result.go

@@ -0,0 +1,138 @@
+package v1alpha1
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path/filepath"
+	"slices"
+
+	"github.com/holos-run/holos/pkg/logger"
+	"github.com/holos-run/holos/pkg/util"
+	"github.com/holos-run/holos/pkg/wrapper"
+)
+
+// Result is the build result for display or writing.  Holos components Render the Result as a data pipeline.
+type Result struct {
+	HolosComponent
+	// accumulatedOutput accumulates rendered api objects.
+	accumulatedOutput string
+}
+
+func (r *Result) Name() string {
+	return r.Metadata.Name
+}
+
+func (r *Result) Filename(writeTo string, cluster string) string {
+	name := r.Metadata.Name
+	return filepath.Join(writeTo, "clusters", cluster, "components", name, name+".gen.yaml")
+}
+
+func (r *Result) KustomizationFilename(writeTo string, cluster string) string {
+	return filepath.Join(writeTo, "clusters", cluster, "holos", "components", r.Metadata.Name+"-kustomization.gen.yaml")
+}
+
+// AccumulatedOutput returns the accumulated rendered output.
+func (r *Result) AccumulatedOutput() string {
+	return r.accumulatedOutput
+}
+
+// addObjectMap renders the provided APIObjectMap into the accumulated output.
+func (r *Result) addObjectMap(ctx context.Context, objectMap APIObjectMap) {
+	log := logger.FromContext(ctx)
+	b := []byte(r.AccumulatedOutput())
+	kinds := make([]Kind, 0, len(objectMap))
+	// Sort the keys
+	for kind := range objectMap {
+		kinds = append(kinds, kind)
+	}
+	slices.Sort(kinds)
+
+	for _, kind := range kinds {
+		v := objectMap[kind]
+		// Sort the keys
+		names := make([]Label, 0, len(v))
+		for name := range v {
+			names = append(names, name)
+		}
+		slices.Sort(names)
+
+		for _, name := range names {
+			yamlString := v[name]
+			log.Debug(fmt.Sprintf("%s/%s", kind, name), "kind", kind, "name", name)
+			b = util.EnsureNewline(b)
+			header := fmt.Sprintf("---\n# Source: CUE apiObjects.%s.%s\n", kind, name)
+			b = append(b, []byte(header+yamlString)...)
+			b = util.EnsureNewline(b)
+		}
+	}
+	r.accumulatedOutput = string(b)
+}
+
+// kustomize replaces the accumulated output with the output of kustomize build
+func (r *Result) kustomize(ctx context.Context) error {
+	log := logger.FromContext(ctx)
+	if r.ResourcesFile == "" {
+		log.DebugContext(ctx, "skipping kustomize: no resourcesFile")
+		return nil
+	}
+	if len(r.KustomizeFiles) < 1 {
+		log.DebugContext(ctx, "skipping kustomize: no kustomizeFiles")
+		return nil
+	}
+	tempDir, err := os.MkdirTemp("", "holos.kustomize")
+	if err != nil {
+		return wrapper.Wrap(err)
+	}
+	defer util.Remove(ctx, tempDir)
+
+	// Write the main api object resources file for kustomize.
+	target := filepath.Join(tempDir, r.ResourcesFile)
+	b := []byte(r.AccumulatedOutput())
+	b = util.EnsureNewline(b)
+	if err := os.WriteFile(target, b, 0644); err != nil {
+		return wrapper.Wrap(fmt.Errorf("could not write resources: %w", err))
+	}
+	log.DebugContext(ctx, "wrote: "+target, "op", "write", "path", target, "bytes", len(b))
+
+	// Write the kustomization tree, kustomization.yaml must be in this map for kustomize to work.
+	for file, content := range r.KustomizeFiles {
+		target := filepath.Join(tempDir, file)
+		if err := os.MkdirAll(filepath.Dir(target), 0755); err != nil {
+			return wrapper.Wrap(err)
+		}
+		b := []byte(content)
+		b = util.EnsureNewline(b)
+		if err := os.WriteFile(target, b, 0644); err != nil {
+			return wrapper.Wrap(fmt.Errorf("could not write: %w", err))
+		}
+		log.DebugContext(ctx, "wrote: "+target, "op", "write", "path", target, "bytes", len(b))
+	}
+
+	// Run kustomize.
+	kOut, err := util.RunCmd(ctx, "kubectl", "kustomize", tempDir)
+	if err != nil {
+		log.ErrorContext(ctx, kOut.Stderr.String())
+		return wrapper.Wrap(err)
+	}
+	// Replace the accumulated output
+	r.accumulatedOutput = kOut.Stdout.String()
+	return nil
+}
+
+// Save writes the content to the filesystem for git ops.
+func (r *Result) Save(ctx context.Context, path string, content string) error {
+	log := logger.FromContext(ctx)
+	dir := filepath.Dir(path)
+	if err := os.MkdirAll(dir, os.FileMode(0775)); err != nil {
+		log.WarnContext(ctx, "could not mkdir", "path", dir, "err", err)
+		return wrapper.Wrap(err)
+	}
+	// Write the kube api objects
+	if err := os.WriteFile(path, []byte(content), os.FileMode(0644)); err != nil {
+		log.WarnContext(ctx, "could not write", "path", path, "err", err)
+		return wrapper.Wrap(err)
+	}
+	log.DebugContext(ctx, "out: wrote "+path, "action", "write", "path", path, "status", "ok")
+	return nil
+}

api/v1alpha1/typemeta.go

@@ -0,0 +1,10 @@
+package v1alpha1
+
+type TypeMeta struct {
+	Kind       string `json:"kind,omitempty" yaml:"kind,omitempty"`
+	APIVersion string `json:"apiVersion,omitempty" yaml:"apiVersion,omitempty"`
+}
+
+func (tm *TypeMeta) GetKind() string {
+	return tm.Kind
+}

cmd/holos/testdata/constraints.txt

@@ -1,7 +1,6 @@
 # Want support for intermediary constraints
 exec holos build ./foo/... --log-level debug
 stdout '^bf2bc7f9-9ba0-4f9e-9bd2-9a205627eb0b$'
-stderr 'processing holos component kind Skip'
 
 -- cue.mod --
 package holos
@@ -12,31 +11,21 @@ metadata: name: "jeff"
 -- foo/bar/bar.cue --
 package holos
 
-#KubernetesObjects & {
-  apiObjectMap: foo: bar: "bf2bc7f9-9ba0-4f9e-9bd2-9a205627eb0b"
-}
+spec: components: KubernetesObjectsList: [
+  #KubernetesObjects & {
+    apiObjectMap: foo: bar: "bf2bc7f9-9ba0-4f9e-9bd2-9a205627eb0b"
+  }
+]
 -- schema.cue --
 package holos
 
-cluster: string @tag(cluster, string)
-
-// #OutputTypeMeta is shared among all output types
-#OutputTypeMeta: {
-	apiVersion: "holos.run/v1alpha1"
-	kind: #KubernetesObjects.kind | #NoOutput.kind
-	metadata: name: string
-}
+_cluster: string @tag(cluster, string)
 
 #KubernetesObjects: {
-	#OutputTypeMeta
+	apiVersion: "holos.run/v1alpha1"
 	kind: "KubernetesObjects"
 	apiObjectMap: {...}
 }
 
-#NoOutput: {
-	#OutputTypeMeta
-	kind: string | *"Skip"
-	metadata: name: string | *"skipped"
-}
-
-#NoOutput & {}
+apiVersion: "holos.run/v1alpha1"
+kind: "BuildPlan"

cmd/holos/testdata/issue15_cue_errors.txt

@@ -1,16 +1,17 @@
 # Want cue errors to show files and lines
 ! exec holos build .
-stderr '^apiObjectMap.foo.bar: cannot convert non-concrete value string'
-stderr '/component.cue:7:20$'
+stderr 'apiObjectMap.foo.bar: cannot convert incomplete value'
+stderr '/component.cue:\d+:\d+$'
 
 -- cue.mod --
 package holos
 -- component.cue --
 package holos
 
-apiVersion: "holos.run/v1alpha1"
-kind: "KubernetesObjects"
-cluster: string @tag(cluster, string)
+_cluster: string @tag(cluster, string)
 
-apiObjectMap: foo: bar: baz
-baz: string
+apiVersion: "holos.run/v1alpha1"
+kind: "BuildPlan"
+spec: components: KubernetesObjectsList: [{apiObjectMap: foo: bar: _baz}]
+
+_baz: string

cmd/holos/testdata/issue25_apiobjects_cue.txt

@@ -9,15 +9,17 @@ package holos
 package holos
 
 apiVersion: "holos.run/v1alpha1"
-kind: "KubernetesObjects"
-cluster: string @tag(cluster, string)
+kind: "BuildPlan"
+spec: components: KubernetesObjectsList: [{apiObjectMap: #APIObjects.apiObjectMap}]
+
+_cluster: string @tag(cluster, string)
 
 #SecretStore: {
     kind: string
     metadata: name: string
 }
 
-#APIObjects & {
+#APIObjects: {
   apiObjects: {
     SecretStore: {
       default: #SecretStore & { metadata: name: "default" }
@@ -54,4 +56,3 @@ import "encoding/yaml"
 		}
 	}
 }
-

cmd/holos/testdata/issue25_apiobjects_helm.txt

@@ -10,15 +10,17 @@ package holos
 package holos
 
 apiVersion: "holos.run/v1alpha1"
-kind: "HelmChart"
-cluster: string @tag(cluster, string)
+kind: "BuildPlan"
+spec: components: HelmChartList: [{apiObjectMap: #APIObjects.apiObjectMap}]
+
+_cluster: string @tag(cluster, string)
 
 #SecretStore: {
     kind: string
     metadata: name: string
 }
 
-#APIObjects & {
+#APIObjects: {
   apiObjects: {
     SecretStore: {
       default: #SecretStore & { metadata: name: "default" }
@@ -55,4 +57,3 @@ import "encoding/yaml"
 		}
 	}
 }
-

cmd/holos/testdata/issue33_helm_stderr.txt

@@ -7,22 +7,27 @@ package holos
 -- zitadel.cue --
 package holos
 
-cluster: string @tag(cluster, string)
-
 apiVersion: "holos.run/v1alpha1"
-kind: "HelmChart"
-metadata: name: "zitadel"
-namespace: "zitadel"
-chart: {
-	name:    "zitadel"
-	version: "7.9.0"
-	release: name
-	repository: {
-		name: "zitadel"
-		url:  "https://charts.zitadel.com"
-	}
-}
+kind: "BuildPlan"
+spec: components: HelmChartList: [_HelmChart]
 
+_cluster: string @tag(cluster, string)
+
+_HelmChart: {
+  apiVersion: "holos.run/v1alpha1"
+  kind: "HelmChart"
+  metadata: name: "zitadel"
+  namespace: "zitadel"
+  chart: {
+    name:    "zitadel"
+    version: "7.9.0"
+    release: name
+    repository: {
+      name: "zitadel"
+      url:  "https://charts.zitadel.com"
+    }
+  }
+}
 
 -- vendor/zitadel/templates/secret_zitadel-masterkey.yaml --
 {{- if (or (and .Values.zitadel.masterkey .Values.zitadel.masterkeySecretName) (and (not .Values.zitadel.masterkey) (not .Values.zitadel.masterkeySecretName)) ) }}

cmd/holos/testdata/issue42_kustomize_build_kind.txt

@@ -9,22 +9,25 @@ package holos
 -- component.cue --
 package holos
 
-cluster: string @tag(cluster, string)
+_cluster: string @tag(cluster, string)
 
 apiVersion: "holos.run/v1alpha1"
-kind: "KustomizeBuild"
-metadata: name: "kstest"
+kind: "BuildPlan"
+spec: components: KustomizeBuildList: [{metadata: name: "kstest"}]
+
 -- kustomization.yaml --
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: mynamespace
 resources:
 - serviceaccount.yaml
+
 -- serviceaccount.yaml --
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: test
+
 -- want.yaml --
 apiVersion: v1
 kind: ServiceAccount

cmd/holos/testdata/issue72_disallow_unknown_fields.txt

@@ -0,0 +1,14 @@
+# https://github.com/holos-run/holos/issues/72
+# Want holos to fail on unknown fields to catch typos and aid refactors
+! exec holos build .
+stderr 'unknown field \\"TypoKubernetesObjectsList\\"'
+
+-- cue.mod --
+package holos
+-- component.cue --
+package holos
+_cluster: string @tag(cluster, string)
+
+apiVersion: "holos.run/v1alpha1"
+kind: "BuildPlan"
+spec: components: TypoKubernetesObjectsList: []

docs/examples/authpolicy.cue

@@ -0,0 +1,37 @@
+package holos
+
+import ap "security.istio.io/authorizationpolicy/v1"
+
+// #AuthPolicyRules represents AuthorizationPolicy rules for hosts that need specialized treatment.  Entries in this struct are exclused from the blank ingressauth AuthorizationPolicy governing the ingressgateway and included in a spcialized policy
+#AuthPolicyRules: {
+	// AuthProxySpec represents the identity provider configuration
+	AuthProxySpec: #AuthProxySpec & #Platform.authproxy
+
+	// Hosts are hosts that need specialized treatment
+	hosts: {
+		[Name=_]: {
+			// name is the fully qualifed hostname, a Host: header value.
+			name: Name
+			// slug is the resource name prefix
+			slug: string
+			// Refer to https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule
+			spec: ap.#AuthorizationPolicySpec & {
+				action: "CUSTOM"
+				provider: name: AuthProxySpec.provider
+				selector: matchLabels: istio: "ingressgateway"
+			}
+		}
+	}
+
+	objects: #APIObjects & {
+		for Host in hosts {
+			apiObjects: {
+				AuthorizationPolicy: "\(Host.slug)-custom": {
+					metadata: namespace: "istio-ingress"
+					metadata: name:      "\(Host.slug)-custom"
+					spec: Host.spec
+				}
+			}
+		}
+	}
+}

docs/examples/cue.mod/gen/argoproj.io/appproject/v1alpha1/types_gen.cue

@@ -0,0 +1,189 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-platform-argocd/prod-platform-argocd.gen.yaml
+
+package v1alpha1
+
+import "strings"
+
+// AppProject provides a logical grouping of applications,
+// providing controls for: * where the apps may deploy to
+// (cluster whitelist) * what may be deployed (repository
+// whitelist, resource whitelist/blacklist) * who can access
+// these applications (roles, OIDC group claims bindings) * and
+// what they can do (RBAC policies) * automation access to these
+// roles (JWT tokens)
+#AppProject: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "argoproj.io/v1alpha1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "AppProject"
+	metadata: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// AppProjectSpec is the specification of an AppProject
+	spec!: #AppProjectSpec
+}
+
+// AppProjectSpec is the specification of an AppProject
+#AppProjectSpec: {
+	// ClusterResourceBlacklist contains list of blacklisted cluster
+	// level resources
+	clusterResourceBlacklist?: [...{
+		group: string
+		kind:  string
+	}]
+
+	// ClusterResourceWhitelist contains list of whitelisted cluster
+	// level resources
+	clusterResourceWhitelist?: [...{
+		group: string
+		kind:  string
+	}]
+
+	// Description contains optional project description
+	description?: string
+
+	// Destinations contains list of destinations available for
+	// deployment
+	destinations?: [...{
+		// Name is an alternate way of specifying the target cluster by
+		// its symbolic name. This must be set if Server is not set.
+		name?: string
+
+		// Namespace specifies the target namespace for the application's
+		// resources. The namespace will only be set for namespace-scoped
+		// resources that have not set a value for .metadata.namespace
+		namespace?: string
+
+		// Server specifies the URL of the target cluster's Kubernetes
+		// control plane API. This must be set if Name is not set.
+		server?: string
+	}]
+
+	// NamespaceResourceBlacklist contains list of blacklisted
+	// namespace level resources
+	namespaceResourceBlacklist?: [...{
+		group: string
+		kind:  string
+	}]
+
+	// NamespaceResourceWhitelist contains list of whitelisted
+	// namespace level resources
+	namespaceResourceWhitelist?: [...{
+		group: string
+		kind:  string
+	}]
+
+	// OrphanedResources specifies if controller should monitor
+	// orphaned resources of apps in this project
+	orphanedResources?: {
+		// Ignore contains a list of resources that are to be excluded
+		// from orphaned resources monitoring
+		ignore?: [...{
+			group?: string
+			kind?:  string
+			name?:  string
+		}]
+
+		// Warn indicates if warning condition should be created for apps
+		// which have orphaned resources
+		warn?: bool
+	}
+
+	// PermitOnlyProjectScopedClusters determines whether destinations
+	// can only reference clusters which are project-scoped
+	permitOnlyProjectScopedClusters?: bool
+
+	// Roles are user defined RBAC roles associated with this project
+	roles?: [...{
+		// Description is a description of the role
+		description?: string
+
+		// Groups are a list of OIDC group claims bound to this role
+		groups?: [...string]
+
+		// JWTTokens are a list of generated JWT tokens bound to this role
+		jwtTokens?: [...{
+			exp?: int
+			iat:  int
+			id?:  string
+		}]
+
+		// Name is a name for this role
+		name: string
+
+		// Policies Stores a list of casbin formatted strings that define
+		// access policies for the role in the project
+		policies?: [...string]
+	}]
+
+	// SignatureKeys contains a list of PGP key IDs that commits in
+	// Git must be signed with in order to be allowed for sync
+	signatureKeys?: [...{
+		// The ID of the key in hexadecimal notation
+		keyID: string
+	}]
+
+	// SourceNamespaces defines the namespaces application resources
+	// are allowed to be created in
+	sourceNamespaces?: [...string]
+
+	// SourceRepos contains list of repository URLs which can be used
+	// for deployment
+	sourceRepos?: [...string]
+
+	// SyncWindows controls when syncs can be run for apps in this
+	// project
+	syncWindows?: [...{
+		// Applications contains a list of applications that the window
+		// will apply to
+		applications?: [...string]
+
+		// Clusters contains a list of clusters that the window will apply
+		// to
+		clusters?: [...string]
+
+		// Duration is the amount of time the sync window will be open
+		duration?: string
+
+		// Kind defines if the window allows or blocks syncs
+		kind?: string
+
+		// ManualSync enables manual syncs when they would otherwise be
+		// blocked
+		manualSync?: bool
+
+		// Namespaces contains a list of namespaces that the window will
+		// apply to
+		namespaces?: [...string]
+
+		// Schedule is the time the window will begin, specified in cron
+		// format
+		schedule?: string
+
+		// TimeZone of the sync that will be applied to the schedule
+		timeZone?: string
+	}]
+}

docs/examples/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/buildplan_go_gen.cue

@@ -0,0 +1,26 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/holos-run/holos/api/v1alpha1
+
+package v1alpha1
+
+// BuildPlan is the primary interface between CUE and the Holos cli.
+#BuildPlan: {
+	#TypeMeta
+
+	// Metadata represents the holos component name
+	metadata?: #ObjectMeta    @go(Metadata)
+	spec?:     #BuildPlanSpec @go(Spec)
+}
+
+#BuildPlanSpec: {
+	disabled?:   bool                 @go(Disabled)
+	components?: #BuildPlanComponents @go(Components)
+}
+
+#BuildPlanComponents: {
+	helmChartList?: [...#HelmChart] @go(HelmChartList,[]HelmChart)
+	kubernetesObjectsList?: [...#KubernetesObjects] @go(KubernetesObjectsList,[]KubernetesObjects)
+	kustomizeBuildList?: [...#KustomizeBuild] @go(KustomizeBuildList,[]KustomizeBuild)
+	resources?: {[string]: #KubernetesObjects} @go(Resources,map[string]KubernetesObjects)
+}

docs/examples/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/component_go_gen.cue

@@ -0,0 +1,24 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/holos-run/holos/api/v1alpha1
+
+package v1alpha1
+
+// HolosComponent defines the fields common to all holos component kinds including the Render Result.
+#HolosComponent: {
+	#TypeMeta
+
+	// Metadata represents the holos component name
+	metadata?: #ObjectMeta @go(Metadata)
+
+	// APIObjectMap holds the marshalled representation of api objects. Think of
+	// these as resources overlaid at the back of the render pipeline.
+	apiObjectMap?: #APIObjectMap @go(APIObjectMap)
+
+	#Kustomization
+
+	#Kustomize
+
+	// Skip causes holos to take no action regarding the component.
+	Skip: bool
+}

docs/examples/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/constants_go_gen.cue

@@ -0,0 +1,15 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/holos-run/holos/api/v1alpha1
+
+package v1alpha1
+
+#APIVersion:    "holos.run/v1alpha1"
+#BuildPlanKind: "BuildPlan"
+#HelmChartKind: "HelmChart"
+
+// ChartDir is the directory name created in the holos component directory to cache a chart.
+#ChartDir: "vendor"
+
+// ResourcesFile is the file name used to store component output when post-processing with kustomize.
+#ResourcesFile: "resources.yaml"

docs/examples/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/doc_go_gen.cue

@@ -0,0 +1,6 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/holos-run/holos/api/v1alpha1
+
+// Package v1alpha1 defines the api boundary between CUE and Holos.
+package v1alpha1

docs/examples/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/helm_go_gen.cue

@@ -0,0 +1,28 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/holos-run/holos/api/v1alpha1
+
+package v1alpha1
+
+// A HelmChart represents a helm command to provide chart values in order to render kubernetes api objects.
+#HelmChart: {
+	#HolosComponent
+
+	// Namespace is the namespace to install into.  TODO: Use metadata.namespace instead.
+	namespace:     string @go(Namespace)
+	chart:         #Chart @go(Chart)
+	valuesContent: string @go(ValuesContent)
+	enableHooks:   bool   @go(EnableHooks)
+}
+
+#Chart: {
+	name:        string      @go(Name)
+	version:     string      @go(Version)
+	release:     string      @go(Release)
+	repository?: #Repository @go(Repository)
+}
+
+#Repository: {
+	name: string @go(Name)
+	url:  string @go(URL)
+}

docs/examples/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/kubernetesobjects_go_gen.cue

@@ -0,0 +1,12 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/holos-run/holos/api/v1alpha1
+
+package v1alpha1
+
+#KubernetesObjectsKind: "KubernetesObjects"
+
+// KubernetesObjects represents CUE output which directly provides Kubernetes api objects to holos.
+#KubernetesObjects: {
+	#HolosComponent
+}

docs/examples/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/kustomization_go_gen.cue

@@ -0,0 +1,11 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/holos-run/holos/api/v1alpha1
+
+package v1alpha1
+
+// Kustomization holds the rendered flux kustomization api object content for git ops.
+#Kustomization: {
+	// KsContent is the yaml representation of the flux kustomization for gitops.
+	ksContent?: string @go(KsContent)
+}

docs/examples/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/kustomize_go_gen.cue

@@ -0,0 +1,25 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/holos-run/holos/api/v1alpha1
+
+package v1alpha1
+
+#KustomizeBuildKind: "KustomizeBuild"
+
+// Kustomize represents resources necessary to execute a kustomize build.
+// Intended for at least two use cases:
+//
+//  1. Process raw yaml file resources in a holos component directory.
+//  2. Post process a HelmChart to inject istio, add custom labels, etc...
+#Kustomize: {
+	// KustomizeFiles holds file contents for kustomize, e.g. patch files.
+	kustomizeFiles?: #FileContentMap @go(KustomizeFiles)
+
+	// ResourcesFile is the file name used for api objects in kustomization.yaml
+	resourcesFile?: string @go(ResourcesFile)
+}
+
+// KustomizeBuild renders plain yaml files in the holos component directory using kubectl kustomize build.
+#KustomizeBuild: {
+	#HolosComponent
+}

docs/examples/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/kustomizebuild_go_gen.cue

@@ -0,0 +1,12 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/holos-run/holos/api/v1alpha1
+
+package v1alpha1
+
+#KustomizeBuildKind: "KustomizeBuild"
+
+// KustomizeBuild
+#KustomizeBuild: {
+	#HolosComponent
+}

docs/examples/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/objectmap_go_gen.cue

@@ -0,0 +1,18 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/holos-run/holos/api/v1alpha1
+
+package v1alpha1
+
+// Label is an arbitrary unique identifier.  Defined as a type for clarity and type checking.
+#Label: string
+
+// Kind is a kubernetes api object kind. Defined as a type for clarity and type checking.
+#Kind: string
+
+// APIObjectMap is the shape of marshalled api objects returned from cue to the
+// holos cli. A map is used to improve the clarity of error messages from cue.
+#APIObjectMap: {[string]: [string]: string}
+
+// FileContentMap is a map of file names to file contents.
+#FileContentMap: {[string]: string}

docs/examples/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/objectmeta_go_gen.cue

@@ -0,0 +1,22 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/holos-run/holos/api/v1alpha1
+
+package v1alpha1
+
+// ObjectMeta represents metadata of a holos component object. The fields are a
+// copy of upstream kubernetes api machinery but are by holos objects distinct
+// from kubernetes api objects.
+#ObjectMeta: {
+	// Name uniquely identifies the holos component instance and must be suitable as a file name.
+	name?: string @go(Name)
+
+	// Namespace confines a holos component to a single namespace via kustomize if set.
+	namespace?: string @go(Namespace)
+
+	// Labels are not used but are copied from api machinery ObjectMeta for completeness.
+	labels?: {[string]: string} @go(Labels,map[string]string)
+
+	// Annotations are not used but are copied from api machinery ObjectMeta for completeness.
+	annotations?: {[string]: string} @go(Annotations,map[string]string)
+}

docs/examples/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/render_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/holos-run/holos/api/v1alpha1
+
+package v1alpha1
+
+#Renderer: _

docs/examples/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/result_go_gen.cue

@@ -0,0 +1,10 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/holos-run/holos/api/v1alpha1
+
+package v1alpha1
+
+// Result is the build result for display or writing.  Holos components Render the Result as a data pipeline.
+#Result: {
+	HolosComponent: #HolosComponent
+}

docs/examples/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/typemeta_go_gen.cue

@@ -0,0 +1,10 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/holos-run/holos/api/v1alpha1
+
+package v1alpha1
+
+#TypeMeta: {
+	kind?:       string @go(Kind)
+	apiVersion?: string @go(APIVersion)
+}

docs/examples/cue.mod/gen/networking.istio.io/virtualservice/v1beta1/types_gen.cue

@@ -306,19 +306,10 @@ import "strings"
 			// "value"` for prefix-based match - `regex: "value"` for RE2
 			// style regex-based match
 			// (https://github.com/google/re2/wiki/Syntax).
-			uri?: ({} | {
-				exact: _
-			} | {
-				prefix: _
-			} | {
-				regex: _
-			}) & {
+			uri?: {
 				exact?:  string
 				prefix?: string
-
-				// RE2 style regex-based match
-				// (https://github.com/google/re2/wiki/Syntax).
-				regex?: string
+				regex?:  string
 			}
 
 			// withoutHeader has the same syntax with the header, but has

docs/examples/cue.mod/usr/github.com/holos-run/holos/api/v1alpha1/buildplan.cue

@@ -0,0 +1,8 @@
+package v1alpha1
+
+// #BuildPlan is the API contract between CUE and the Holos cli.
+// Holos requires CUE to evaluate and provide a valid #BuildPlan.
+#BuildPlan: {
+	kind:       #BuildPlanKind
+	apiVersion: #APIVersion
+}

docs/examples/cue.mod/usr/github.com/holos-run/holos/api/v1alpha1/constraints.cue

@@ -0,0 +1 @@
+package v1alpha1

docs/examples/cue.mod/usr/github.com/holos-run/holos/api/v1alpha1/defaults.cue

@@ -0,0 +1,5 @@
+package v1alpha1
+
+#HolosComponent: Skip: true | *false
+
+#HelmChart: enableHooks: true | *false

docs/examples/helpers.cue

@@ -0,0 +1,38 @@
+package holos
+
+import "encoding/yaml"
+
+// #APIObjects is the output type for api objects produced by cue.
+#APIObjects: {
+	// apiObjects holds each the api objects produced by cue.
+	apiObjects: {
+		[Kind=_]: {
+			[string]: {
+				kind: Kind
+				...
+			}
+		}
+		Namespace?: [Name=_]: #Namespace & {metadata: name: Name}
+		ExternalSecret?: [Name=_]: #ExternalSecret & {_name: Name}
+		VirtualService?: [Name=_]: #VirtualService & {metadata: name: Name}
+		Issuer?: [Name=_]: #Issuer & {metadata: name: Name}
+		Gateway?: [Name=_]: #Gateway & {metadata: name: Name}
+		ConfigMap?: [Name=_]: #ConfigMap & {metadata: name: Name}
+
+		Deployment?: [_]:            #Deployment
+		RequestAuthentication?: [_]: #RequestAuthentication
+		AuthorizationPolicy?: [_]:   #AuthorizationPolicy
+	}
+
+	// apiObjectMap holds the marshalled representation of apiObjects
+	apiObjectMap: {
+		for kind, v in apiObjects {
+			"\(kind)": {
+				for name, obj in v {
+					"\(name)": yaml.Marshal(obj)
+				}
+			}
+		}
+		...
+	}
+}

docs/examples/holos.cue

@@ -0,0 +1,117 @@
+package holos
+
+import (
+	"encoding/yaml"
+	h "github.com/holos-run/holos/api/v1alpha1"
+	kc "sigs.k8s.io/kustomize/api/types"
+	ksv1 "kustomize.toolkit.fluxcd.io/kustomization/v1"
+)
+
+// The overall structure of the data is:
+// 1 CUE Instance => 1 BuildPlan => 0..N HolosComponents
+
+// Holos requires CUE to evaluate and provide a valid BuildPlan.
+// Constrain each CUE instance to output a BuildPlan.
+{} & h.#BuildPlan
+
+let DependsOn = {[Name=_]: name: string & Name}
+
+// #HolosComponent defines struct fields common to all holos component types.
+#HolosComponent: {
+	h.#HolosComponent
+	_dependsOn: DependsOn
+	let DEPENDS_ON = _dependsOn
+	metadata: name: string
+	#namelen: len(metadata.name) & >=1
+	let Name = metadata.name
+
+	// TODO: ksContent needs to be component scoped, not instance scoped.
+	ksContent: yaml.Marshal(#Kustomization & {
+		_dependsOn: DEPENDS_ON
+		metadata: name: Name
+	})
+	// Leave the HolosComponent open for components with additional fields like HelmChart.
+	// Refer to https://cuelang.org/docs/tour/types/closed/
+	...
+}
+
+//#KustomizeFiles represents resources for holos to write into files for kustomize post-processing.
+#KustomizeFiles: {
+	// Objects collects files for Holos to write for kustomize post-processing.
+	Objects: "kustomization.yaml": #Kustomize
+	// Files holds the marshaled output of Objects holos writes to the filesystem before calling the kustomize post-processor.
+	Files: {
+		for filename, obj in Objects {
+			"\(filename)": yaml.Marshal(obj)
+		}
+	}
+}
+
+// Holos component types.
+#HelmChart: #HolosComponent & h.#HelmChart & {
+	_values: {...}
+	_kustomizeFiles: #KustomizeFiles
+
+	// Render the values to yaml for holos to provide to helm.
+	valuesContent: yaml.Marshal(_values)
+	// Kustomize post-processor
+	// resources is the intermediate file name for api objects.
+	resourcesFile: h.#ResourcesFile
+	// kustomizeFiles represents the files in a kustomize directory tree.
+	kustomizeFiles: _kustomizeFiles.Files
+
+	chart: h.#Chart & {
+		name:    string
+		release: string | *name
+	}
+}
+#KubernetesObjects: #HolosComponent & h.#KubernetesObjects
+#KustomizeBuild:    #HolosComponent & h.#KustomizeBuild
+
+// #ClusterName is the cluster name for cluster scoped resources.
+#ClusterName: #InputKeys.cluster
+
+// Flux Kustomization CRDs
+#Kustomization: #NamespaceObject & ksv1.#Kustomization & {
+	_dependsOn: DependsOn
+
+	metadata: {
+		name:      string
+		namespace: string | *"flux-system"
+	}
+	spec: ksv1.#KustomizationSpec & {
+		interval:      string | *"30m0s"
+		path:          string | *"deploy/clusters/\(#InputKeys.cluster)/components/\(metadata.name)"
+		prune:         bool | *true
+		retryInterval: string | *"2m0s"
+		sourceRef: {
+			kind: string | *"GitRepository"
+			name: string | *"flux-system"
+		}
+		suspend?:         bool
+		targetNamespace?: string
+		timeout:          string | *"3m0s"
+		// wait performs health checks for all reconciled resources. If set to true, .spec.healthChecks is ignored.
+		// Setting this to true for all components generates considerable load on the api server from watches.
+		// Operations are additionally more complicated when all resources are watched.  Consider setting wait true for
+		// relatively simple components, otherwise target specific resources with spec.healthChecks.
+		wait: true | *false
+		dependsOn: [for k, v in _dependsOn {v}, ...]
+	}
+}
+
+// #Kustomize represents the kustomize post processor.
+#Kustomize: kc.#Kustomization & {
+	_patches: {[_]: kc.#Patch}
+	apiVersion: "kustomize.config.k8s.io/v1beta1"
+	kind:       "Kustomization"
+	// resources are file names holos will use to store intermediate component output for kustomize to post-process (i.e. helm template | kubectl kustomize)
+	// See the related resourcesFile field of the holos component.
+	resources: [h.#ResourcesFile]
+	if len(_patches) > 0 {
+		patches: [for v in _patches {v}]
+	}
+}
+
+// So components don't need to import the package.
+#Patch: kc.#Patch

docs/examples/meshconfig.cue

@@ -0,0 +1,54 @@
+package holos
+
+// #MeshConfig provides the istio meshconfig in the config key given projects.
+#MeshConfig: {
+	projects: #Projects
+	// clusterName is the value of the --cluster-name flag, the cluster currently being manged / rendered.
+	clusterName: string | *#ClusterName
+
+	// for extAuthzHttp extension providers
+	extensionProviderMap: [Name=_]: #ExtAuthzProxy & {name: Name}
+	// for other extension providers like zipkin
+	extensionProviderExtraMap: [Name=_]: {name: Name}
+
+	config: {
+		accessLogEncoding: string | *"JSON"
+		accessLogFile:     string | *"/dev/stdout"
+		defaultConfig: {
+			discoveryAddress: string | *"istiod.istio-system.svc:15012"
+			tracing: zipkin: address: string | *"zipkin.istio-system:9411"
+		}
+		defaultProviders: metrics: [...string] | *["prometheus"]
+		enablePrometheusMerge: false | *true
+		rootNamespace:         string | *"istio-system"
+		trustDomain:           string | *"cluster.local"
+		extensionProviders: [
+			for x in extensionProviderMap {x},
+			for y in extensionProviderExtraMap {y},
+		]
+	}
+}
+
+// #ExtAuthzProxy defines the provider configuration for an istio external authorization auth proxy.
+#ExtAuthzProxy: {
+	name: string
+	envoyExtAuthzHttp: {
+		headersToDownstreamOnDeny: [
+			"content-type",
+			"set-cookie",
+		]
+		headersToUpstreamOnAllow: [
+			"authorization",
+			"path",
+			"x-oidc-id-token",
+		]
+		includeAdditionalHeadersInCheck: "X-Auth-Request-Redirect": "%REQ(x-forwarded-proto)%://%REQ(:authority)%%REQ(:path)%%REQ(:query)%"
+		includeRequestHeadersInCheck: [
+			"authorization",
+			"cookie",
+			"x-forwarded-for",
+		]
+		port:    4180
+		service: string
+	}
+}

docs/examples/optionalservices.cue

@@ -1,16 +1,19 @@
-package holos
-
 // Controls optional feature flags for services distributed across multiple holos components.
 // For example, enable issuing certificates in the provisioner cluster when an optional service is
 // enabled for a workload cluster.
+package holos
+
+import "list"
 
 #OptionalService: {
 	name:    string
 	enabled: true | *false
 	clusters: [Name=_]: #Platform.clusters[Name]
-	clusterNames: [for k, v in clusters {k}]
-	namespaces: [Name=_]: #ManagedNamespace & {
-		name: Name
+	clusterNames: [for c in clusters {c.name}]
+
+	managedNamespaces: [Name=_]: #ManagedNamespace & {
+		namespace: metadata: name: Name
+		clusterNames: ["provisioner", for c in clusters {c.name}]
 	}
 	// servers represents istio Gateway.spec.servers.hosts entries
 	// Refer to istio/gateway/gateway.cue
@@ -34,6 +37,10 @@ package holos
 	}
 }
 
-for k, v in #OptionalServices {
-	#ManagedNamespaces: v.namespaces
+for svc in #OptionalServices {
+	for nsName, ns in svc.managedNamespaces {
+		if svc.enabled && list.Contains(ns.clusterNames, #ClusterName) {
+			#ManagedNamespaces: "\(nsName)": ns
+		}
+	}
 }

docs/examples/platforms/optional.site.cue

@@ -8,7 +8,9 @@ let TargetNamespace = "prod-core-vault"
 		enabled: true
 		clusters: core1: _
 		clusters: core2: _
-		namespaces: "prod-core-vault": labels: "istio-injection": "enabled"
+		managedNamespaces: "prod-core-vault": {
+			namespace: metadata: labels: "istio-injection": "enabled"
+		}
 		certs: "vault-core": #Certificate & {
 			metadata: name:      "vault-core"
 			metadata: namespace: "istio-ingress"

docs/examples/platforms/reference/clusters/accounts/iam/zitadel/postgres-certs/postgres-certs.cue

@@ -1,13 +1,39 @@
 package holos
 
 #InputKeys: component: "postgres-certs"
-#KubernetesObjects & {
+
+let SecretNames = {
+	[Name=_]: {name: Name}
+	"\(_DBName)-primary-tls": _
+	"\(_DBName)-repl-tls":    _
+	"\(_DBName)-client-tls":  _
+	"\(_DBName)-root-ca":     _
+}
+
+#Kustomization: spec: targetNamespace: #TargetNamespace
+#Kustomization: spec: healthChecks: [
+	for s in SecretNames {
+		apiVersion: "external-secrets.io/v1beta1"
+		kind:       "ExternalSecret"
+		name:       s.name
+		namespace:  #TargetNamespace
+	},
+]
+
+spec: components: KubernetesObjectsList: [
+	#KubernetesObjects & {
+		metadata: name: "prod-iam-postgres-certs"
+
+		_dependsOn: "prod-secrets-stores": _
+
+		apiObjectMap: OBJECTS.apiObjectMap
+	},
+]
+
+let OBJECTS = #APIObjects & {
 	apiObjects: {
-		ExternalSecret: {
-			"\(_DBName)-primary-tls": _
-			"\(_DBName)-repl-tls":    _
-			"\(_DBName)-client-tls":  _
-			"\(_DBName)-root-ca":     _
+		for s in SecretNames {
+			ExternalSecret: "\(s.name)": _
 		}
 	}
 }

docs/examples/platforms/reference/clusters/accounts/iam/zitadel/postgres/postgres.cue

@@ -18,9 +18,34 @@ let BucketRepoName = "repo2"
 // Restore the most recent backup.
 let RestoreOptions = []
 
-#KubernetesObjects & {
+#Kustomization: spec: healthChecks: [
+	{
+		apiVersion: "external-secrets.io/v1beta1"
+		kind:       "ExternalSecret"
+		name:       S3Secret
+		namespace:  #TargetNamespace
+	},
+	{
+		apiVersion: "postgres-operator.crunchydata.com/v1beta1"
+		kind:       "PostgresCluster"
+		name:       _DBName
+		namespace:  #TargetNamespace
+	},
+]
+
+spec: components: KubernetesObjectsList: [
+	#KubernetesObjects & {
+		metadata: name: "prod-iam-postgres"
+
+		_dependsOn: "prod-secrets-namespaces": _
+		_dependsOn: "prod-iam-postgres-certs": _
+		apiObjectMap: OBJECTS.apiObjectMap
+	},
+]
+
+let OBJECTS = #APIObjects & {
 	apiObjects: {
-		ExternalSecret: "pgo-s3-creds": _
+		ExternalSecret: "\(S3Secret)": _
 		PostgresCluster: db: #PostgresCluster & HighlyAvailable & {
 			metadata: name:      _DBName
 			metadata: namespace: #TargetNamespace

docs/examples/platforms/reference/clusters/accounts/iam/zitadel/zitadel.cue

@@ -1,5 +1,6 @@
 package holos
 
+#InstancePrefix:  "prod-iam"
 #TargetNamespace: #InstancePrefix + "-zitadel"
 
 // _DBName is the database name used across multiple holos components in this project

docs/examples/platforms/reference/clusters/accounts/iam/zitadel/zitadel/zitadel.cue

@@ -4,24 +4,30 @@ import "encoding/yaml"
 
 let Name = "zitadel"
 #InputKeys: component: Name
-#DependsOn: postgres:  _
 
-// Upstream helm chart doesn't specify the namespace field for all resources.
-#Kustomization: spec: targetNamespace: #TargetNamespace
+spec: components: HelmChartList: [
+	#HelmChart & {
+		metadata: name: "\(#InstancePrefix)-zitadel"
 
-#HelmChart & {
-	namespace:   #TargetNamespace
-	enableHooks: true
-	chart: {
-		name:    Name
-		version: "7.9.0"
-		repository: {
-			name: Name
-			url:  "https://charts.zitadel.com"
+		_dependsOn: "prod-secrets-stores":         _
+		_dependsOn: "\(#InstancePrefix)-postgres": _
+
+		namespace:   #TargetNamespace
+		enableHooks: true
+		chart: {
+			name:    Name
+			version: "7.9.0"
+			repository: {
+				name: Name
+				url:  "https://charts.zitadel.com"
+			}
 		}
-	}
-	values: #Values
+		_values:      #Values
+		apiObjectMap: OBJECTS.apiObjectMap
+	},
+]
 
+let OBJECTS = #APIObjects & {
 	apiObjects: {
 		ExternalSecret: "zitadel-masterkey": _
 		VirtualService: "\(Name)": {
@@ -61,43 +67,107 @@ let DatabaseCACertPatch = [
 	},
 ]
 
-#Kustomize: {
-	patches: [
-		{
+let CAPatch = #Patch & {
+	target: {
+		group:   "apps" | "batch"
+		version: "v1"
+		kind:    "Job" | "Deployment"
+		name:    string
+	}
+	patch: yaml.Marshal(DatabaseCACertPatch)
+}
+
+#Kustomize: _patches: {
+	mesh: {
+		target: {
+			group:   "apps"
+			version: "v1"
+			kind:    "Deployment"
+			name:    Name
+		}
+		patch: yaml.Marshal(IstioInject)
+	}
+	deploymentCA: CAPatch & {
+		target: group: "apps"
+		target: kind:  "Deployment"
+		target: name:  Name
+	}
+	initJob: CAPatch & {
+		target: group: "batch"
+		target: kind:  "Job"
+		target: name:  "\(Name)-init"
+	}
+	setupJob: CAPatch & {
+		target: group: "batch"
+		target: kind:  "Job"
+		target: name:  "\(Name)-setup"
+	}
+	testDisable: {
+		target: {
+			version: "v1"
+			kind:    "Pod"
+			name:    "\(Name)-test-connection"
+		}
+		patch: yaml.Marshal(DisableFluxPatch)
+	}
+	if #IsPrimaryCluster == false {
+		fluxDisable: {
 			target: {
 				group:   "apps"
 				version: "v1"
 				kind:    "Deployment"
 				name:    Name
 			}
-			patch: yaml.Marshal(IstioInject)
-		},
-		{
-			target: {
-				group:   "apps"
-				version: "v1"
-				kind:    "Deployment"
-				name:    Name
-			}
-			patch: yaml.Marshal(DatabaseCACertPatch)
-		},
-		{
+			patch: yaml.Marshal(DisableFluxPatch)
+		}
+		initDisable: {
 			target: {
 				group:   "batch"
 				version: "v1"
 				kind:    "Job"
 				name:    "\(Name)-init"
 			}
-			patch: yaml.Marshal(DatabaseCACertPatch)
-		},
-		{
+			patch: yaml.Marshal(DisableFluxPatch)
+		}
+		setupDisable: {
 			target: {
 				group:   "batch"
 				version: "v1"
 				kind:    "Job"
 				name:    "\(Name)-setup"
 			}
-			patch: yaml.Marshal(DatabaseCACertPatch)
+			patch: yaml.Marshal(DisableFluxPatch)
+		}
+	}
+}
+
+let DisableFluxPatch = [{op: "replace", path: "/metadata/annotations/kustomize.toolkit.fluxcd.io~1reconcile", value: "disabled"}]
+
+// Upstream helm chart doesn't specify the namespace field for all resources.
+#Kustomization: spec: {
+	targetNamespace: #TargetNamespace
+	wait:            false
+}
+
+if #IsPrimaryCluster == true {
+	#Kustomization: spec: healthChecks: [
+		{
+			apiVersion: "apps/v1"
+			kind:       "Deployment"
+			name:       Name
+			namespace:  #TargetNamespace
+		},
+		{
+			apiVersion: "batch/v1"
+			kind:       "Job"
+			name:       "\(Name)-init"
+			namespace:  #TargetNamespace
+		},
+		{
+			apiVersion: "batch/v1"
+			kind:       "Job"
+			name:       "\(Name)-setup"
+			namespace:  #TargetNamespace
 		},
 	]
 }

docs/examples/platforms/reference/clusters/foundation/cloud/argocd/argocd.cue

@@ -0,0 +1,84 @@
+package holos
+
+import "encoding/yaml"
+
+let ArgoCD = "argocd"
+let Namespace = "prod-platform"
+
+spec: components: HelmChartList: [
+	#HelmChart & {
+		_dependsOn: "prod-secrets-stores": _
+		namespace: Namespace
+
+		metadata: name: "\(namespace)-\(ArgoCD)"
+
+		chart: {
+			name:    "argo-cd"
+			release: "argocd"
+			version: "6.7.8"
+			repository: {
+				name: "argocd"
+				url:  "https://argoproj.github.io/argo-helm"
+			}
+		}
+
+		_values: #ArgoCDValues & {
+			kubeVersionOverride: "1.29.0"
+			global: domain: "argocd.\(#ClusterName).\(#Platform.org.domain)"
+
+			configs: params: "server.insecure": true
+
+			configs: cm: {
+				"admin.enabled": false
+				"oidc.config":   yaml.Marshal(OIDCConfig)
+			}
+		}
+
+		// Holos overlay objects
+		apiObjectMap: OBJECTS.apiObjectMap
+	},
+]
+
+let OBJECTS = #APIObjects & {
+	apiObjects: {
+		// ExternalSecret: "deploy-key": _
+		VirtualService: (ArgoCD): {
+			metadata: name:      ArgoCD
+			metadata: namespace: Namespace
+			spec: hosts: [
+				ArgoCD + ".\(#Platform.org.domain)",
+				ArgoCD + ".\(#ClusterName).\(#Platform.org.domain)",
+			]
+			spec: gateways: ["istio-ingress/\(Namespace)"]
+			spec: http: [{route: [{destination: {
+				host: "argocd-server.\(Namespace).svc.cluster.local"
+				port: number: 80
+			}}]}]
+		}
+	}
+}
+let IstioInject = [{op: "add", path: "/spec/template/metadata/labels/sidecar.istio.io~1inject", value: "true"}]
+
+#Kustomize: _patches: {
+	mesh: {
+		target: {
+			group:   "apps"
+			version: "v1"
+			kind:    "Deployment"
+			name:    "argocd-server"
+		}
+		patch: yaml.Marshal(IstioInject)
+	}
+}
+
+// Probably shouldn't use the authproxy struct and should instead define an identity provider struct.
+let AuthProxySpec = #AuthProxySpec & #Platform.authproxy
+
+let OIDCConfig = {
+	name:     "Holos Platform"
+	issuer:   AuthProxySpec.issuer
+	clientID: #Platform.argocd.clientID
+	requestedIDTokenClaims: groups: essential: true
+	requestedScopes: ["openid", "profile", "email", "groups", "urn:zitadel:iam:org:domain:primary:\(AuthProxySpec.orgDomain)"]
+	enablePKCEAuthentication: true
+}

docs/examples/platforms/reference/clusters/foundation/cloud/github/arc/arc.cue

@@ -4,6 +4,6 @@ package holos
 #InputKeys: project: "github"
 #DependsOn: Namespaces: name: "prod-secrets-namespaces"
 
-#TargetNamespace: #InputKeys.component
+#ARCSystemNamespace: "arc-system"
 #HelmChart: namespace: #TargetNamespace
 #HelmChart: chart: version: "0.8.3"

docs/examples/platforms/reference/clusters/foundation/cloud/github/arc/runner/arc-runner.cue

@@ -1,26 +1,51 @@
 package holos
 
+#TargetNamespace: "arc-runner"
 #InputKeys: component: "arc-runner"
 #Kustomization: spec: targetNamespace: #TargetNamespace
 
-#HelmChart & {
-	values: {
-		#Values
-		controllerServiceAccount: name:      "gha-rs-controller"
-		controllerServiceAccount: namespace: "arc-system"
-		githubConfigSecret: "controller-manager"
-		githubConfigUrl:    "https://github.com/" + #Platform.org.github.orgs.primary.name
-	}
-	apiObjects: ExternalSecret: "\(values.githubConfigSecret)": _
-	chart: {
-		// Match the gha-base-name in the chart _helpers.tpl to avoid long full names.
-		// NOTE: Unfortunately the INSTALLATION_NAME is used as the helm release
-		// name and GitHub removed support for runner labels, so the only way to
-		// specify which runner a workflow runs on is using this helm release name.
-		// The quote is "Update the INSTALLATION_NAME value carefully. You will use
-		// the installation name as the value of runs-on in your workflows."  Refer to
-		// https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/quickstart-for-actions-runner-controller
-		release: "gha-rs"
-		name:    "oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set"
-	}
+let GitHubConfigSecret = "controller-manager"
+
+// Just sync the external secret, don't configure the scale set
+// Work around https://github.com/actions/actions-runner-controller/issues/3351
+if #IsPrimaryCluster == false {
+	spec: components: KubernetesObjectsList: [
+		#KubernetesObjects & {
+			metadata: name:                        "prod-github-arc-runner"
+			_dependsOn: "prod-secrets-namespaces": _
+
+			apiObjectMap: (#APIObjects & {
+				apiObjects: ExternalSecret: "\(GitHubConfigSecret)": _
+			}).apiObjectMap
+		},
+	]
+}
+
+// Put the scale set on the primary cluster.
+if #IsPrimaryCluster == true {
+	spec: components: HelmChartList: [
+		#HelmChart & {
+			_dependsOn: "prod-secrets-namespaces": _
+			metadata: name:                        "prod-github-arc-runner"
+			_values: {
+				#Values
+				controllerServiceAccount: name:      "gha-rs-controller"
+				controllerServiceAccount: namespace: "arc-system"
+				githubConfigSecret: GitHubConfigSecret
+				githubConfigUrl:    "https://github.com/" + #Platform.org.github.orgs.primary.name
+			}
+			apiObjectMap: (#APIObjects & {apiObjects: ExternalSecret: "\(_values.githubConfigSecret)": _}).apiObjectMap
+			chart: {
+				// Match the gha-base-name in the chart _helpers.tpl to avoid long full names.
+				// NOTE: Unfortunately the INSTALLATION_NAME is used as the helm release
+				// name and GitHub removed support for runner labels, so the only way to
+				// specify which runner a workflow runs on is using this helm release name.
+				// The quote is "Update the INSTALLATION_NAME value carefully. You will use
+				// the installation name as the value of runs-on in your workflows."  Refer to
+				// https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/quickstart-for-actions-runner-controller
+				release: "gha-rs"
+				name:    "oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set"
+			}
+		},
+	]
 }

docs/examples/platforms/reference/clusters/foundation/cloud/github/arc/system/arc-system.cue

@@ -1,15 +1,20 @@
 package holos
 
-#TargetNamespace: "arc-system"
+#TargetNamespace: #ARCSystemNamespace
 #InputKeys: component: "arc-system"
 
-#HelmChart & {
-	values:    #Values & #DefaultSecurityContext
-	namespace: #TargetNamespace
-	chart: {
-		// Match the gha-base-name in the chart _helpers.tpl to avoid long full names.
-		release: "gha-rs-controller"
-		name:    "oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set-controller"
-		version: "0.8.3"
-	}
-}
+spec: components: HelmChartList: [
+	#HelmChart & {
+		metadata: name: "prod-github-arc-system"
+
+		_dependsOn: "prod-secrets-namespaces": _
+		_values:   #Values & #DefaultSecurityContext
+		namespace: #TargetNamespace
+		chart: {
+			// Match the gha-base-name in the chart _helpers.tpl to avoid long full names.
+			release: "gha-rs-controller"
+			name:    "oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set-controller"
+			version: "0.8.3"
+		}
+	},
+]

docs/examples/platforms/reference/clusters/foundation/cloud/init/namespaces/component.cue

@@ -1,22 +1,22 @@
 package holos
 
-#TargetNamespace: "default"
+spec: components: KubernetesObjectsList: [
+	#KubernetesObjects & {
+		metadata: name: "prod-secrets-namespaces"
+		apiObjectMap: (#APIObjects & {
+			apiObjects: {
+				// #ManagedNamespaces is the set of all namespaces across all clusters in the platform.
+				for k, ns in #ManagedNamespaces {
+					if ns.clusters[#ClusterName] != _|_ {
+						Namespace: "\(k)": #Namespace & ns.namespace
+					}
+				}
 
-#InputKeys: {
-	project:   "secrets"
-	component: "namespaces"
-}
-
-#KubernetesObjects & {
-	apiObjects: {
-		// #ManagedNamespaces is the set of all namespaces across all clusters in the platform.
-		for k, ns in #ManagedNamespaces {
-			Namespace: "\(ns.name)": #Namespace & {metadata: ns}
-		}
-
-		// #PlatformNamespaces is deprecated in favor of #ManagedNamespaces.
-		for ns in #PlatformNamespaces {
-			Namespace: "\(ns.name)": #Namespace & {metadata: ns}
-		}
-	}
-}
+				// #PlatformNamespaces is deprecated in favor of #ManagedNamespaces.
+				for ns in #PlatformNamespaces {
+					Namespace: "\(ns.name)": #Namespace & {metadata: ns}
+				}
+			}
+		}).apiObjectMap
+	},
+]

docs/examples/platforms/reference/clusters/foundation/cloud/mesh/istio-base/istiobase.cue

@@ -1,17 +1,19 @@
 package holos
 
-#InputKeys: component: "istio-base"
-#TargetNamespace: "istio-system"
+spec: components: HelmChartList: [
+	#HelmChart & {
+		_dependsOn: "prod-secrets-namespaces": _
 
-#HelmChart & {
-	namespace: #TargetNamespace
-	chart: {
-		name:    "base"
-		version: "1.20.3"
-		repository: {
-			name: "istio"
-			url:  "https://istio-release.storage.googleapis.com/charts"
+		metadata: name: "prod-mesh-istio-base"
+		namespace: "istio-system"
+		chart: {
+			name:    "base"
+			version: #IstioVersion
+			repository: {
+				name: "istio"
+				url:  "https://istio-release.storage.googleapis.com/charts"
+			}
 		}
-	}
-	values: #IstioValues
-}
+		_values: #IstioValues
+	},
+]

docs/examples/platforms/reference/clusters/foundation/cloud/mesh/istio/cni/cni.cue

@@ -1,10 +1,13 @@
 package holos
 
-#InputKeys: component: "cni"
-#TargetNamespace: "kube-system"
+spec: components: HelmChartList: [
+	#HelmChart & {
+		_dependsOn: "prod-secrets-namespaces": _
+		_dependsOn: "prod-mesh-istio-base":    _
 
-#HelmChart & {
-	namespace: #TargetNamespace
-	chart: name: "cni"
-	values: #IstioValues
-}
+		_values: #IstioValues
+		metadata: name: "\(#InstancePrefix)-\(chart.name)"
+		namespace: "kube-system"
+		chart: name: "cni"
+	},
+]

docs/examples/platforms/reference/clusters/foundation/cloud/mesh/istio/gateway/gateway.cue

@@ -4,15 +4,23 @@ import "list"
 
 // The primary istio Gateway, named default
 let Name = "gateway"
-
 #InputKeys: component: Name
-
 #TargetNamespace: "istio-ingress"
-#DependsOn:       _IngressGateway
 
 let LoginCert = #PlatformCerts.login
 
-#KubernetesObjects & {
+spec: components: KubernetesObjectsList: [
+	#KubernetesObjects & {
+		_dependsOn: "prod-secrets-namespaces": _
+		_dependsOn: "prod-mesh-istio-base":    _
+		_dependsOn: "prod-mesh-ingress":       _
+
+		metadata: name: "\(#InstancePrefix)-\(Name)"
+		apiObjectMap: OBJECTS.apiObjectMap
+	},
+]
+
+let OBJECTS = #APIObjects & {
 	apiObjects: {
 		ExternalSecret: login: #ExternalSecret & {
 			_name: "login"

docs/examples/platforms/reference/clusters/foundation/cloud/mesh/istio/httpbin/httpbin.cue

@@ -1,8 +1,13 @@
 package holos
 
 let Name = "httpbin"
+let ComponentName = "\(#InstancePrefix)-\(Name)"
+
 let SecretName = #InputKeys.cluster + "-" + Name
-let MatchLabels = {app: Name} & #SelectorLabels
+let MatchLabels = {
+	app:                          Name
+	"app.kubernetes.io/instance": ComponentName
+}
 let Metadata = {
 	name:      Name
 	namespace: #TargetNamespace
@@ -12,11 +17,22 @@ let Metadata = {
 #InputKeys: component: Name
 
 #TargetNamespace: "istio-ingress"
-#DependsOn:       _IngressGateway
 
 let Cert = #PlatformCerts[SecretName]
 
-#KubernetesObjects & {
+spec: components: KubernetesObjectsList: [
+	#KubernetesObjects & {
+		_dependsOn: "prod-secrets-namespaces":       _
+		_dependsOn: "\(#InstancePrefix)-istio-base": _
+		_dependsOn: "\(#InstancePrefix)-ingress":    _
+
+		metadata: name: ComponentName
+
+		apiObjectMap: OBJECTS.apiObjectMap
+	},
+]
+
+let OBJECTS = #APIObjects & {
 	apiObjects: {
 		ExternalSecret: "\(Cert.spec.secretName)": _
 		Deployment: httpbin: #Deployment & {
@@ -24,7 +40,6 @@ let Cert = #PlatformCerts[SecretName]
 			spec: selector: matchLabels: MatchLabels
 			spec: template: {
 				metadata: labels: MatchLabels
-				metadata: labels: #CommonLabels
 				metadata: labels: #IstioSidecar
 				spec: securityContext: seccompProfile: type: "RuntimeDefault"
 				spec: containers: [{
@@ -35,8 +50,8 @@ let Cert = #PlatformCerts[SecretName]
 						seccompProfile: type: "RuntimeDefault"
 						allowPrivilegeEscalation: false
 						runAsNonRoot:             true
-						runAsUser:                1337
-						runAsGroup:               1337
+						runAsUser:                8192
+						runAsGroup:               8192
 						capabilities: drop: ["ALL"]
 					}}]
 			}
@@ -54,7 +69,7 @@ let Cert = #PlatformCerts[SecretName]
 			spec: servers: [
 				{
 					hosts: [for host in Cert.spec.dnsNames {"\(#TargetNamespace)/\(host)"}]
-					port: name:          "https-\(#InstanceName)"
+					port: name:          "https-\(ComponentName)"
 					port: number:        443
 					port: protocol:      "HTTPS"
 					tls: credentialName: Cert.spec.secretName

docs/examples/platforms/reference/clusters/foundation/cloud/mesh/istio/ingress/ingress.cue

@@ -2,50 +2,64 @@ package holos
 
 import "encoding/json"
 
-#InputKeys: component: "ingress"
-#TargetNamespace: "istio-ingress"
-#DependsOn:       _IstioD
+let ComponentName = "\(#InstancePrefix)-ingress"
 
-#HelmChart & {
-	chart: name: "gateway"
-	namespace: #TargetNamespace
-	values: #GatewayValues & {
-		// This component expects the load balancer to send the PROXY protocol header.
-		// Refer to: https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/guide/service/annotations/#proxy-protocol-v2
-		podAnnotations: "proxy.istio.io/config": json.Marshal(_ProxyProtocol)
-		// TODO This configuration is specific to the OIS Metal NLB, refactor it out to the metal collection.
-		service: {
-			type: "NodePort"
-			annotations: "service.beta.kubernetes.io/aws-load-balancer-proxy-protocol": "*"
-			externalTrafficPolicy: "Local"
-			// Add 30000 to the port to get the Nodeport
-			ports: [
-				{
-					name:       "status-port"
-					port:       15021
-					protocol:   "TCP"
-					targetPort: 15021
-					nodePort:   30021
-				},
-				{
-					name:       "http2"
-					port:       80
-					protocol:   "TCP"
-					targetPort: 80
-					nodePort:   30080
-				},
-				{
-					name:       "https"
-					port:       443
-					protocol:   "TCP"
-					targetPort: 443
-					nodePort:   30443
-				},
-			]
+#TargetNamespace: "istio-ingress"
+
+spec: components: HelmChartList: [
+	#HelmChart & {
+		_dependsOn: "prod-secrets-namespaces":       _
+		_dependsOn: "\(#InstancePrefix)-istio-base": _
+		_dependsOn: "\(#InstancePrefix)-istiod":     _
+
+		metadata: name: ComponentName
+
+		chart: name: "gateway"
+		namespace: #TargetNamespace
+		_values: #GatewayValues & {
+			// This component expects the load balancer to send the PROXY protocol header.
+			// Refer to: https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/guide/service/annotations/#proxy-protocol-v2
+			podAnnotations: "proxy.istio.io/config": json.Marshal(_ProxyProtocol)
+			// TODO This configuration is specific to the OIS Metal NLB, refactor it out to the metal collection.
+			service: {
+				type: "NodePort"
+				annotations: "service.beta.kubernetes.io/aws-load-balancer-proxy-protocol": "*"
+				externalTrafficPolicy: "Local"
+				// Add 30000 to the port to get the Nodeport
+				ports: [
+					{
+						name:       "status-port"
+						port:       15021
+						protocol:   "TCP"
+						targetPort: 15021
+						nodePort:   30021
+					},
+					{
+						name:       "http2"
+						port:       80
+						protocol:   "TCP"
+						targetPort: 80
+						nodePort:   30080
+					},
+					{
+						name:       "https"
+						port:       443
+						protocol:   "TCP"
+						targetPort: 443
+						nodePort:   30443
+					},
+				]
+			}
 		}
-	}
-	apiObjects: _APIObjects
-}
+		apiObjectMap: OBJECTS.apiObjectMap
+		// Auth Proxy
+		apiObjectMap: _IngressAuthProxy.Deployment.apiObjectMap
+		// Auth Policy
+		apiObjectMap: _IngressAuthProxy.Policy.apiObjectMap
+		// Auth Policy Exclusions
+		apiObjectMap: _AuthPolicyRules.objects.apiObjectMap
+	},
+]
 
 _ProxyProtocol: gatewayTopology: proxyProtocol: {}
 
@@ -60,36 +74,82 @@ let RedirectMetaName = {
 	namespace: #TargetNamespace
 }
 
-// https-redirect
-_APIObjects: {
-	Gateway: {
-		"\(RedirectMetaName.name)": #Gateway & {
-			metadata: RedirectMetaName
-			spec: selector: GatewayLabels
-			spec: servers: [{
-				port: {
-					number:   80
-					name:     "http2"
-					protocol: "HTTP2"
-				}
-				hosts: ["*"]
-				// handled by the VirtualService
-				tls: httpsRedirect: false
-			}]
+let OBJECTS = #APIObjects & {
+	apiObjects: {
+		Gateway: {
+			"\(RedirectMetaName.name)": #Gateway & {
+				metadata: RedirectMetaName
+				spec: selector: GatewayLabels
+				spec: servers: [{
+					port: {
+						number:   80
+						name:     "http2"
+						protocol: "HTTP2"
+					}
+					hosts: ["*"]
+					// handled by the VirtualService
+					tls: httpsRedirect: false
+				}]
+			}
 		}
-	}
-	VirtualService: {
-		"\(RedirectMetaName.name)": #VirtualService & {
-			metadata: RedirectMetaName
-			spec: hosts: ["*"]
-			spec: gateways: [RedirectMetaName.name]
-			spec: http: [{
-				match: [{withoutHeaders: ":path": prefix: "/.well-known/acme-challenge/"}]
-				redirect: {
-					scheme:       "https"
-					redirectCode: 302
+		VirtualService: {
+			"\(RedirectMetaName.name)": #VirtualService & {
+				metadata: RedirectMetaName
+				spec: hosts: ["*"]
+				spec: gateways: [RedirectMetaName.name]
+				spec: http: [{
+					match: [{withoutHeaders: ":path": prefix: "/.well-known/acme-challenge/"}]
+					redirect: {
+						scheme:       "https"
+						redirectCode: 302
+					}
+				}]
+			}
+		}
+		Deployment: {
+			loopback: #Deployment & {
+				_description: LoopbackDescription
+				metadata:     LoopbackMetaName
+				spec: {
+					selector: matchLabels: LoopbackLabels
+					template: {
+						metadata: {
+							annotations: "inject.istio.io/templates": "gateway"
+							annotations: #Description & {
+								_Description: LoopbackDescription
+							}
+							labels: LoopbackLabels & {"sidecar.istio.io/inject": "true"}
+						}
+						spec: {
+							serviceAccountName: "istio-ingressgateway"
+							// Allow binding to all ports (such as 80 and 443)
+							securityContext: {
+								runAsNonRoot: true
+								seccompProfile: type: "RuntimeDefault"
+								sysctls: [{name: "net.ipv4.ip_unprivileged_port_start", value: "0"}]
+							}
+							containers: [{
+								name:  "istio-proxy"
+								image: "auto" // Managed by istiod
+								securityContext: {
+									allowPrivilegeEscalation: false
+									capabilities: drop: ["ALL"]
+									runAsUser:  1337
+									runAsGroup: 1337
+								}
+							}]
+						}
+					}
 				}
-			}]
+			}
+		}
+		Service: {
+			loopback: #Service & {
+				_description: LoopbackDescription
+				metadata:     LoopbackMetaName
+				spec: selector:      LoopbackLabels
+				spec: ports: [{port: 80, name: "http"}, {port: 443, name: "https"}]
+			}
 		}
 	}
 }
@@ -104,52 +164,3 @@ let LoopbackMetaName = {
 	name:      LoopbackName
 	namespace: #TargetNamespace
 }
-
-// istio-ingressgateway-loopback
-_APIObjects: {
-	Deployment: {
-		loopback: #Deployment & {
-			_description: LoopbackDescription
-			metadata:     LoopbackMetaName
-			spec: {
-				selector: matchLabels: LoopbackLabels
-				template: {
-					metadata: {
-						annotations: "inject.istio.io/templates": "gateway"
-						annotations: #Description & {
-							_Description: LoopbackDescription
-						}
-						labels: LoopbackLabels & {"sidecar.istio.io/inject": "true"}
-					}
-					spec: {
-						serviceAccountName: "istio-ingressgateway"
-						// Allow binding to all ports (such as 80 and 443)
-						securityContext: {
-							runAsNonRoot: true
-							seccompProfile: type: "RuntimeDefault"
-							sysctls: [{name: "net.ipv4.ip_unprivileged_port_start", value: "0"}]
-						}
-						containers: [{
-							name:  "istio-proxy"
-							image: "auto" // Managed by istiod
-							securityContext: {
-								allowPrivilegeEscalation: false
-								capabilities: drop: ["ALL"]
-								runAsUser:  1337
-								runAsGroup: 1337
-							}
-						}]
-					}
-				}
-			}
-		}
-	}
-	Service: {
-		loopback: #Service & {
-			_description: LoopbackDescription
-			metadata:     LoopbackMetaName
-			spec: selector:      LoopbackLabels
-			spec: ports: [{port: 80, name: "http"}, {port: 443, name: "https"}]
-		}
-	}
-}

docs/examples/platforms/reference/clusters/foundation/cloud/mesh/istio/istio.cue

@@ -1,10 +1,8 @@
 package holos
 
-#DependsOn: _IstioBase
-
 #HelmChart: {
 	chart: {
-		version: "1.20.3"
+		version: #IstioVersion
 		repository: {
 			name: "istio"
 			url:  "https://istio-release.storage.googleapis.com/charts"

docs/examples/platforms/reference/clusters/foundation/cloud/mesh/istio/istiod/istiod.cue

@@ -5,22 +5,28 @@ import "encoding/yaml"
 #InputKeys: component: "istiod"
 #TargetNamespace: "istio-system"
 
-#HelmChart & {
-	namespace: #TargetNamespace
-	chart: {
-		name: "istiod"
-	}
-	values: #IstioValues & {
-		pilot: {
-			// The istio meshconfig ConfigMap is handled in the holos component instead of
-			// the upstream chart so extension providers can be collected from holos data.
-			configMap: false
-			// Set to `type: RuntimeDefault` to use the default profile if available.
-			seccompProfile: type: "RuntimeDefault"
+spec: components: HelmChartList: [
+	#HelmChart & {
+		_dependsOn: "prod-secrets-namespaces":       _
+		_dependsOn: "\(#InstancePrefix)-istio-base": _
+
+		metadata: name: "prod-mesh-istiod"
+		chart: name:    "istiod"
+		namespace: #TargetNamespace
+		_values: #IstioValues & {
+			pilot: {
+				// The istio meshconfig ConfigMap is handled in the holos component instead of
+				// the upstream chart so extension providers can be collected from holos data.
+				configMap: false
+				// Set to `type: RuntimeDefault` to use the default profile if available.
+				seccompProfile: type: "RuntimeDefault"
+			}
 		}
-	}
-	apiObjects: ConfigMap: istio: #IstioConfigMap
-}
+		apiObjectMap: OBJECTS.apiObjectMap
+	},
+]
+
+let OBJECTS = #APIObjects & {apiObjects: ConfigMap: istio: #IstioConfigMap}
 
 #IstioConfigMap: #ConfigMap & {
 	metadata: {

docs/examples/platforms/reference/clusters/foundation/cloud/mesh/istio/istiod/meshconfig.cue

@@ -1,74 +1,9 @@
 package holos
 
+// Ingress Gateway default auth proxy
+let Provider = _IngressAuthProxy.AuthProxySpec.provider
+let Service = _IngressAuthProxy.service
+#MeshConfig: extensionProviderMap: (Provider): envoyExtAuthzHttp: service: Service
+
 // Istio meshconfig
-// TODO: Generate per-project extauthz providers.
-_MeshConfig: {
-	accessLogEncoding: "JSON"
-	accessLogFile:     "/dev/stdout"
-	defaultConfig: {
-		discoveryAddress: "istiod.istio-system.svc:15012"
-		tracing: zipkin: address: "zipkin.istio-system:9411"
-	}
-	defaultProviders: metrics: ["prometheus"]
-	enablePrometheusMerge: true
-	// For PROXY PROTOCOL at the ingress gateway.
-	gatewayTopology: {
-		numTrustedProxies: 2
-	}
-	rootNamespace: "istio-system"
-	trustDomain:   "cluster.local"
-	extensionProviders: [{
-		name: "cluster-trace"
-		zipkin: {
-			maxTagLength: 56
-			port:         9411
-			service:      "zipkin.istio-system.svc"
-		}
-	}, {
-		name: "cluster-gatekeeper"
-		envoyExtAuthzHttp: {
-			headersToDownstreamOnDeny: [
-				"content-type",
-				"set-cookie",
-			]
-			headersToUpstreamOnAllow: [
-				"authorization",
-				"path",
-				"x-auth-request-user",
-				"x-auth-request-email",
-				"x-auth-request-access-token",
-			]
-			includeAdditionalHeadersInCheck: "X-Auth-Request-Redirect": "%REQ(x-forwarded-proto)%://%REQ(:authority)%%REQ(:path)%%REQ(:query)%"
-			includeRequestHeadersInCheck: [
-				"authorization",
-				"cookie",
-				"x-forwarded-for",
-			]
-			port:    4180
-			service: "oauth2-proxy.istio-ingress.svc.cluster.local"
-		}
-	}, {
-		name: "core-authorizer"
-		envoyExtAuthzHttp: {
-			headersToDownstreamOnDeny: [
-				"content-type",
-				"set-cookie",
-			]
-			headersToUpstreamOnAllow: [
-				"authorization",
-				"path",
-				"x-auth-request-user",
-				"x-auth-request-email",
-				"x-auth-request-access-token",
-			]
-			includeAdditionalHeadersInCheck: "X-Auth-Request-Redirect": "%REQ(x-forwarded-proto)%://%REQ(:authority)%%REQ(:path)%%REQ(:query)%"
-			includeRequestHeadersInCheck: [
-				"authorization",
-				"cookie",
-				"x-forwarded-for",
-			]
-			port:    4180
-			service: "oauth2-proxy.prod-core-system.svc.cluster.local"
-		}
-	}]
-}
+_MeshConfig: (#MeshConfig & {projects: _Projects}).config

docs/examples/platforms/reference/clusters/foundation/cloud/mesh/istio/values.cni.cue

@@ -126,7 +126,7 @@ package holos
 		hub: "docker.io/istio"
 
 		// Default tag for Istio images.
-		tag: "1.20.3"
+		tag: #IstioVersion
 
 		// Variant of the image to use.
 		// Currently supported are: [debug, distroless]

docs/examples/platforms/reference/clusters/foundation/cloud/mesh/mesh.cue

@@ -1,14 +1,323 @@
 package holos
 
-// Components under this directory are part of this collection
-#InputKeys: project: "mesh"
+import "encoding/yaml"
 
-// Shared dependencies for all components in this collection.
-#DependsOn: _Namespaces
+#InstancePrefix: "prod-mesh"
 
-// Common Dependencies
-_CertManager: CertManager: name:       "\(#InstancePrefix)-certmanager"
-_Namespaces: Namespaces: name:         "\(#StageName)-secrets-namespaces"
-_IstioBase: IstioBase: name:           "\(#InstancePrefix)-istio-base"
-_IstioD: IstioD: name:                 "\(#InstancePrefix)-istiod"
-_IngressGateway: IngressGateway: name: "\(#InstancePrefix)-ingress"
+#IstioVersion: "1.21.0"
+
+// The ingress gateway auth proxy is used by multiple cue instances.
+// AUTHPROXY configures one oauth2-proxy deployment for each host in each stage of a project.  Multiple deployments per stage are used to narrow down the cookie domain.
+_IngressAuthProxy: {
+	Name:          "authproxy"
+	Namespace:     "istio-ingress"
+	service:       "\(Name).\(Namespace).svc.cluster.local"
+	AuthProxySpec: #AuthProxySpec & #Platform.authproxy
+
+	Domains: [DOMAIN=string]: {name: DOMAIN}
+	Domains: (#Platform.org.domain):                    _
+	Domains: "\(#ClusterName).\(#Platform.org.domain)": _
+
+	let Metadata = {
+		name:      string
+		namespace: Namespace
+		labels: "app.kubernetes.io/name":    name
+		labels: "app.kubernetes.io/part-of": "istio-ingressgateway"
+		...
+	}
+
+	let ProxyMetadata = Metadata & {name: Name}
+	let RedisMetadata = Metadata & {name: Name + "-redis"}
+
+	// Deployment represents the oauth2-proxy deployment
+	Deployment: #APIObjects & {
+		apiObjects: {
+			// oauth2-proxy
+			ExternalSecret: (Name): metadata: ProxyMetadata
+			// Place the ID token in a header that does not conflict with the Authorization header.
+			// Refer to: https://github.com/oauth2-proxy/oauth2-proxy/issues/1877#issuecomment-1364033723
+			ConfigMap: (Name): {
+				metadata: ProxyMetadata
+				data: "config.yaml": yaml.Marshal(AuthProxyConfig)
+				let AuthProxyConfig = {
+					injectResponseHeaders: [{
+						name: "x-oidc-id-token"
+						values: [{claim: "id_token"}]
+					}]
+					providers: [{
+						id:                    "Holos Platform"
+						name:                  "Holos Platform"
+						provider:              "oidc"
+						scope:                 "openid profile email groups offline_access urn:zitadel:iam:org:domain:primary:\(AuthProxySpec.orgDomain)"
+						clientID:              AuthProxySpec.clientID
+						clientSecretFile:      "/dev/null"
+						code_challenge_method: "S256"
+						loginURLParameters: [{
+							default: ["force"]
+							name: "approval_prompt"
+						}]
+						oidcConfig: {
+							issuerURL: AuthProxySpec.issuer
+							audienceClaims: ["aud"]
+							emailClaim:  "email"
+							groupsClaim: "groups"
+							userIDClaim: "sub"
+						}
+					}]
+					server: BindAddress: ":4180"
+					upstreamConfig: upstreams: [{
+						id:         "static://200"
+						path:       "/"
+						static:     true
+						staticCode: 200
+					}]
+				}
+			}
+			Deployment: (Name): #Deployment & {
+				metadata: ProxyMetadata
+
+				spec: {
+					replicas: 1
+					selector: matchLabels: ProxyMetadata.labels
+					template: {
+						metadata: labels: ProxyMetadata.labels
+						metadata: labels: #IstioSidecar
+						spec: {
+							securityContext: seccompProfile: type: "RuntimeDefault"
+							containers: [{
+								image:           "quay.io/oauth2-proxy/oauth2-proxy:v7.6.0"
+								imagePullPolicy: "IfNotPresent"
+								name:            "oauth2-proxy"
+								volumeMounts: [{
+									name:      "config"
+									mountPath: "/config"
+									readOnly:  true
+								}]
+								args: [
+									// callback url is proxy prefix + /callback
+									"--proxy-prefix=" + AuthProxySpec.proxyPrefix,
+									"--email-domain=*",
+									"--session-store-type=redis",
+									"--redis-connection-url=redis://\(RedisMetadata.name):6379",
+									"--cookie-refresh=12h",
+									"--cookie-expire=2160h",
+									"--cookie-secure=true",
+									"--cookie-name=__Secure-\(#ClusterName)-ingress-\(Name)",
+									"--cookie-samesite=lax",
+									for domain in Domains {"--cookie-domain=.\(domain.name)"},
+									for domain in Domains {"--cookie-domain=\(domain.name)"},
+									for domain in Domains {"--whitelist-domain=.\(domain.name)"},
+									for domain in Domains {"--whitelist-domain=\(domain.name)"},
+									"--cookie-csrf-per-request=true",
+									"--cookie-csrf-expire=120s",
+									// will skip authentication for OPTIONS requests
+									"--skip-auth-preflight=true",
+									"--real-client-ip-header=X-Forwarded-For",
+									"--skip-provider-button=true",
+									"--auth-logging",
+									"--alpha-config=/config/config.yaml",
+								]
+								env: [{
+									name: "OAUTH2_PROXY_COOKIE_SECRET"
+									// echo '{"cookiesecret":"'$(LC_ALL=C tr -dc "[:alpha:]" </dev/random | tr '[:upper:]' '[:lower:]' | head -c 32)'"}' | holos create secret -n istio-ingress --append-hash=false --data-stdin authproxy
+									valueFrom: secretKeyRef: {
+										key:  "cookiesecret"
+										name: Name
+									}
+								}]
+								ports: [{
+									containerPort: 4180
+									protocol:      "TCP"
+								}]
+								securityContext: {
+									seccompProfile: type: "RuntimeDefault"
+									allowPrivilegeEscalation: false
+									runAsNonRoot:             true
+									runAsUser:                8192
+									runAsGroup:               8192
+									capabilities: drop: ["ALL"]
+								}
+							}]
+							volumes: [{name: "config", configMap: name: Name}]
+						}
+					}
+				}
+			}
+			Service: (Name): #Service & {
+				metadata: ProxyMetadata
+				spec: selector: ProxyMetadata.labels
+				spec: ports: [
+					{port: 4180, targetPort: 4180, protocol: "TCP", name: "http"},
+				]
+			}
+			VirtualService: (Name): #VirtualService & {
+				metadata: ProxyMetadata
+				spec: hosts: ["*"]
+				spec: gateways: ["istio-ingress/default"]
+				spec: http: [{
+					match: [{uri: prefix: AuthProxySpec.proxyPrefix}]
+					route: [{
+						destination: host: Name
+						destination: port: number: 4180
+					}]
+				}]
+			}
+
+			// redis
+			ConfigMap: (RedisMetadata.name): {
+				metadata: RedisMetadata
+				data: "redis.conf": """
+					maxmemory 128mb
+					maxmemory-policy allkeys-lru
+					"""
+			}
+			Deployment: (RedisMetadata.name): {
+				metadata: RedisMetadata
+				spec: {
+					selector: matchLabels: RedisMetadata.labels
+					template: {
+						metadata: labels: RedisMetadata.labels
+						metadata: labels: #IstioSidecar
+						spec: securityContext: seccompProfile: type: "RuntimeDefault"
+						spec: {
+							containers: [{
+								command: [
+									"redis-server",
+									"/redis-master/redis.conf",
+								]
+								env: [{
+									name:  "MASTER"
+									value: "true"
+								}]
+								image: "quay.io/holos/redis:7.2.4"
+								livenessProbe: {
+									initialDelaySeconds: 15
+									tcpSocket: port: "redis"
+								}
+								name: "redis"
+								ports: [{
+									containerPort: 6379
+									name:          "redis"
+								}]
+								readinessProbe: {
+									exec: command: [
+										"redis-cli",
+										"ping",
+									]
+									initialDelaySeconds: 5
+								}
+								resources: limits: cpu: "0.5"
+								securityContext: {
+									seccompProfile: type: "RuntimeDefault"
+									allowPrivilegeEscalation: false
+									capabilities: drop: ["ALL"]
+									runAsNonRoot: true
+									runAsUser:    999
+									runAsGroup:   999
+								}
+								volumeMounts: [{
+									mountPath: "/redis-master-data"
+									name:      "data"
+								}, {
+									mountPath: "/redis-master"
+									name:      "config"
+								}]
+							}]
+							volumes: [{
+								emptyDir: {}
+								name: "data"
+							}, {
+								configMap: name: RedisMetadata.name
+								name: "config"
+							}]
+						}
+					}
+				}
+			}
+			Service: (RedisMetadata.name): #Service & {
+				metadata: RedisMetadata
+				spec: selector: RedisMetadata.labels
+				spec: type:     "ClusterIP"
+				spec: ports: [{
+					name:       "redis"
+					port:       6379
+					protocol:   "TCP"
+					targetPort: 6379
+				}]
+			}
+		}
+	}
+
+	// Policy represents the AuthorizationPolicy and RequestAuthentication policy
+	Policy: #APIObjects & {
+		apiObjects: {
+			RequestAuthentication: (Name): #RequestAuthentication & {
+				metadata: Metadata & {name: Name}
+				spec: jwtRules: [{
+					audiences: ["\(AuthProxySpec.projectID)"]
+					forwardOriginalToken: true
+					fromHeaders: [{name: AuthProxySpec.idTokenHeader}]
+					issuer: AuthProxySpec.issuer
+				}]
+				spec: selector: matchLabels: istio: "ingressgateway"
+			}
+			AuthorizationPolicy: "\(Name)-custom": {
+				_description: "Route all requests through the auth proxy by default"
+
+				metadata: Metadata & {name: "\(Name)-custom"}
+				spec: {
+					action: "CUSTOM"
+					provider: name: AuthProxySpec.provider
+					rules: [
+						{
+							to: [{
+								operation: notHosts: [
+									// Never send requests for the login service through the authorizer, would block login.
+									AuthProxySpec.issuerHost,
+									// Exclude hosts with specialized rules from the catch-all.
+									for x in _AuthPolicyRules.hosts {x.name},
+								]
+							}]
+							when: [
+								{
+									// bypass the external authorizer when the id token is already in the request.
+									// the RequestAuthentication rule will verify the token.
+									key: "request.headers[\(AuthProxySpec.idTokenHeader)]"
+									notValues: ["*"]
+								},
+							]
+						},
+					]
+					selector: matchLabels: istio: "ingressgateway"
+				}
+			}
+		}
+	}
+}
+
+_AuthPolicyRules: #AuthPolicyRules & {
+	hosts: {
+		let Vault = "vault.core.ois.run"
+		(Vault): {
+			slug: "vault"
+			// Rules for when to route requests through the auth proxy
+			spec: rules: [
+				{
+					to: [{
+						operation: hosts: [Vault]
+						operation: paths: ["/ui", "/ui/*"]
+					}]
+				},
+				{
+					to: [{
+						operation: hosts: [Vault]
+					}]
+					when: [{
+						key: "request.headers[x-vault-request]"
+						notValues: ["true"]
+					}]
+				},
+			]
+		}
+	}
+}

docs/examples/platforms/reference/clusters/foundation/cloud/mesh/values.cue

@@ -172,20 +172,14 @@ package holos
 				enabled: true
 				// Indicates whether to enable WebAssembly runtime for stats filter.
 				wasmEnabled: false
-				// overrides stats EnvoyFilter configuration.
-				configOverride: {
-					gateway: {}
-					inboundSidecar: {}
-					outboundSidecar: {}
-				}
 			}
 			// stackdriver filter settings.
 			stackdriver: {
-				enabled:         false
-				logging:         false
-				monitoring:      false
-				topology:        false // deprecated. setting this to true will have no effect, as this option is no longer supported.
-				disableOutbound: false
+				enabled:    false
+				logging:    false
+				monitoring: false
+				topology:   false // deprecated. setting this to true will have no effect, as this option is no longer supported.
+
 				//  configOverride parts give you the ability to override the low level configuration params passed to envoy filter.
 
 				configOverride: {}
@@ -248,7 +242,7 @@ package holos
 		// Dev builds from prow are on gcr.io
 		hub: string | *"docker.io/istio"
 		// Default tag for Istio images.
-		tag: string | *"1.20.3"
+		tag: #IstioVersion
 		// Variant of the image to use.
 		// Currently supported are: [debug, distroless]
 		variant: string | *""

docs/examples/platforms/reference/clusters/foundation/cloud/pgo/controller/controller.cue

@@ -1,6 +1,10 @@
 package holos
 
-#DependsOn: Namespaces: name: "prod-secrets-namespaces"
-#DependsOn: CRDS: name:       "\(#InstancePrefix)-crds"
-#InputKeys: component: "controller"
-{} & #KustomizeBuild
+spec: components: KustomizeBuildList: [
+	#KustomizeBuild & {
+		_dependsOn: "prod-secrets-namespaces": _
+		_dependsOn: "prod-pgo-crds":           _
+
+		metadata: name: "prod-pgo-controller"
+	},
+]

docs/examples/platforms/reference/clusters/foundation/cloud/pgo/crds/pgocrds.cue

@@ -1,6 +1,8 @@
 package holos
 
 // Refer to https://github.com/CrunchyData/postgres-operator-examples/tree/main/kustomize/install/crd
-
-#InputKeys: component: "crds"
-{} & #KustomizeBuild
+spec: components: KustomizeBuildList: [
+	#KustomizeBuild & {
+		metadata: name: "prod-pgo-crds"
+	},
+]

docs/examples/platforms/reference/clusters/foundation/cloud/secrets/eso-creds-refresher/component.cue

@@ -2,8 +2,6 @@ package holos
 
 import "encoding/json"
 
-#DependsOn: _ESO
-
 #InputKeys: {
 	project:   "secrets"
 	component: "eso-creds-refresher"
@@ -11,8 +9,17 @@ import "encoding/json"
 
 #TargetNamespace: #CredsRefresher.namespace
 
-// output kubernetes api objects for holos
-#KubernetesObjects & {
+spec: components: KubernetesObjectsList: [
+	#KubernetesObjects & {
+		_dependsOn: "prod-secrets-namespaces": _
+		_dependsOn: "prod-secrets-eso":        _
+
+		metadata: name: "prod-secrets-eso-creds-refresher"
+		apiObjectMap: OBJECTS.apiObjectMap
+	},
+]
+
+let OBJECTS = #APIObjects & {
 	apiObjects: {
 		for obj in #CredsRefresherService.objects {
 			let Kind = obj.kind
@@ -93,7 +100,14 @@ provisioner get serviceaccount -A --selector=holos.run/job.name=\(NAME) --output
 
 # Create the tokens
 mkdir tokens
-jq -r '.items[].metadata | "provisioner -n \\(.namespace) create token --duration=12h \\(.name) > tokens/\\(.namespace).\\(.name).jwt"' serviceaccounts.json | bash -x
+
+kubectl get namespaces -o name > namespaces.txt
+
+# Iterate over local namespaces
+while IFS= read -r NAMESPACE; do
+  echo "Getting token for local cluster $NAMESPACE" >&2
+  jq -r '.items[] | select("namespace/"+.metadata.namespace == "'${NAMESPACE}'") | .metadata | "provisioner -n \\(.namespace) create token --duration=12h \\(.name) > tokens/\\(.namespace).\\(.name).jwt"' serviceaccounts.json | bash -x
+done < namespaces.txt
 
 # Create the secrets
 mksecret tokens/*.jwt
@@ -124,6 +138,11 @@ kubectl apply --server-side=true -f secrets.yaml
 					resources: ["secrets"]
 					verbs: ["*"]
 				},
+				{
+					apiGroups: [""]
+					resources: ["namespaces"]
+					verbs: ["list"]
+				},
 			]
 		},
 		// Bind the Role to the ServiceAccount for the Job.

docs/examples/platforms/reference/clusters/foundation/cloud/secrets/eso/eso.cue

@@ -3,26 +3,22 @@ package holos
 // Manages the External Secrets Operator from the official upstream Helm chart.
 
 #TargetNamespace: "external-secrets"
-
-#InputKeys: component: "eso"
-
-#InputKeys: {
-	project: "secrets"
-	service: "eso"
-}
-
 #Kustomization: spec: targetNamespace: #TargetNamespace
-#DependsOn: Namespaces: name:          #InstancePrefix + "-namespaces"
 
-#HelmChart & {
-	values: installCrds: true
-	namespace: #TargetNamespace
-	chart: {
-		name:    "external-secrets"
-		version: "0.9.12"
-		repository: {
-			name: "external-secrets"
-			url:  "https://charts.external-secrets.io"
+spec: components: HelmChartList: [
+	#HelmChart & {
+		_dependsOn: "prod-secrets-namespaces": _
+
+		metadata: name: "prod-secrets-eso"
+		namespace: #TargetNamespace
+		chart: {
+			name:    "external-secrets"
+			version: "0.9.12"
+			repository: {
+				name: "external-secrets"
+				url:  "https://charts.external-secrets.io"
+			}
 		}
-	}
-}
+		_values: installCrds: true
+	},
+]

docs/examples/platforms/reference/clusters/foundation/cloud/secrets/secrets.cue

@@ -2,11 +2,3 @@ package holos
 
 // Components under this directory are part of this collection
 #InputKeys: project: "secrets"
-
-// Shared dependencies for all components in this collection.
-#DependsOn: _Namespaces
-
-// Common Dependencies
-_Namespaces: Namespaces: name: "\(#StageName)-secrets-namespaces"
-_ESO: ESO: name:               "\(#InstancePrefix)-eso"
-_ESOCreds: ESOCreds: name:     "\(#InstancePrefix)-eso-creds-refresher"

docs/examples/platforms/reference/clusters/foundation/cloud/secrets/secretstores/secretstores.cue

@@ -1,12 +1,37 @@
 package holos
 
-#DependsOn: _ESOCreds
+import "list"
 
 #TargetNamespace: "default"
 
-#InputKeys: {
-	project:   "secrets"
-	component: "stores"
+spec: components: KubernetesObjectsList: [
+	#KubernetesObjects & {
+		_dependsOn: "prod-secrets-namespaces":          _
+		_dependsOn: "prod-secrets-eso-creds-refresher": _
+
+		metadata: name: "prod-secrets-stores"
+		apiObjectMap: OBJECTS.apiObjectMap
+	},
+]
+
+let OBJECTS = #APIObjects & {
+	apiObjects: {
+		for ns in #PlatformNamespaces {
+			for obj in (#PlatformNamespaceObjects & {_ns: ns}).objects {
+				let Kind = obj.kind
+				let NS = ns.name
+				let Name = obj.metadata.name
+				"\(Kind)": "\(NS)/\(Name)": obj
+			}
+		}
+
+		for nsName, ns in #ManagedNamespaces {
+			if list.Contains(ns.clusterNames, #ClusterName) {
+				let obj = #SecretStore & {_namespace: nsName}
+				SecretStore: "\(nsName)/\(obj.metadata.name)": obj
+			}
+		}
+	}
 }
 
 // #PlatformNamespaceObjects defines the api objects necessary for eso SecretStores in external clusters to access secrets in a given namespace in the provisioner cluster.
@@ -19,21 +44,3 @@ package holos
 		},
 	]
 }
-
-#KubernetesObjects & {
-	apiObjects: {
-		for ns in #PlatformNamespaces {
-			for obj in (#PlatformNamespaceObjects & {_ns: ns}).objects {
-				let Kind = obj.kind
-				let NS = ns.name
-				let Name = obj.metadata.name
-				"\(Kind)": "\(NS)/\(Name)": obj
-			}
-		}
-
-		for k, ns in #ManagedNamespaces {
-			let obj = #SecretStore & {_namespace: ns.name}
-			SecretStore: "\(ns.name)/\(obj.metadata.name)": obj
-		}
-	}
-}

docs/examples/platforms/reference/clusters/foundation/cloud/secrets/validate/component.cue

@@ -4,14 +4,16 @@ package holos
 
 #TargetNamespace: "holos-system"
 
-#InputKeys: {
-	project:   "secrets"
-	component: "validate"
-}
+spec: components: KubernetesObjectsList: [
+	#KubernetesObjects & {
+		_dependsOn: "prod-secrets-stores": _
 
-#DependsOn: _ESO
+		metadata: name: "prod-secrets-validate"
+		apiObjectMap: OBJECTS.apiObjectMap
+	},
+]
 
-#KubernetesObjects & {
+let OBJECTS = #APIObjects & {
 	apiObjects: {
 		ExternalSecret: validate: #ExternalSecret & {
 			_name: "validate"

docs/examples/platforms/reference/clusters/foundation/metal/ceph/ceph.cue

@@ -6,29 +6,30 @@ package holos
 
 #SecretName: "\(#ClusterName)-ceph-csi-rbd"
 
-#InputKeys: {
-	project:   "metal"
-	service:   "ceph"
-	component: "ceph"
-}
+#Kustomization: spec: targetNamespace: "ceph-system"
 
-#Kustomization: spec: targetNamespace: #TargetNamespace
-#DependsOn: Namespaces: name:          "\(#StageName)-secrets-namespaces"
+spec: components: HelmChartList: [
+	#HelmChart & {
+		_dependsOn: "prod-secrets-namespaces": _
 
-#HelmChart & {
-	namespace: #TargetNamespace
-	chart: {
-		name:    "ceph-csi-rbd"
-		version: "3.10.2"
-		repository: {
-			name: "ceph-csi"
-			url:  "https://ceph.github.io/csi-charts"
+		metadata: name: "prod-metal-ceph"
+
+		namespace: #TargetNamespace
+		chart: {
+			name:    "ceph-csi-rbd"
+			version: "3.10.2"
+			repository: {
+				name: "ceph-csi"
+				url:  "https://ceph.github.io/csi-charts"
+			}
 		}
-	}
+		_values:      #ChartValues
+		apiObjectMap: OBJECTS.apiObjectMap
+	},
+]
 
+let OBJECTS = #APIObjects & {
 	apiObjects: {
-		ExternalSecret: "\(#SecretName)": #ExternalSecret & {
-			_name: #SecretName
-		}
+		ExternalSecret: "\(#SecretName)": _
 	}
 }

docs/examples/platforms/reference/clusters/optional/vault/vault.cue

@@ -5,46 +5,31 @@ import "encoding/yaml"
 import "list"
 
 let Name = "vault"
-#InputKeys: component: Name
-#InputKeys: project:   "core"
-#TargetNamespace: "\(#InstancePrefix)-\(Name)"
+#TargetNamespace: "prod-core-\(Name)"
 
 let Vault = #OptionalServices[Name]
 
-if Vault.enabled && list.Contains(Vault.clusterNames, #ClusterName) {
-	#HelmChart & {
-		namespace: #TargetNamespace
-		chart: {
-			name:    Name
-			version: "0.25.0"
-			repository: {
-				name: "hashicorp"
-				url:  "https://helm.releases.hashicorp.com"
-			}
-		}
-		values: #Values
+#Kustomization: spec: wait: true
 
-		apiObjects: {
-			ExternalSecret: "gcpkms-creds":      _
-			ExternalSecret: "vault-server-cert": _
-			VirtualService: "\(Name)": {
-				metadata: name:      Name
-				metadata: namespace: #TargetNamespace
-				spec: hosts: [for cert in Vault.certs {cert.spec.commonName}]
-				spec: gateways: ["istio-ingress/\(Name)"]
-				spec: http: [
-					{
-						route: [
-							{
-								destination: host: "\(Name)-active"
-								destination: port: number: 8200
-							},
-						]
-					},
-				]
+if Vault.enabled && list.Contains(Vault.clusterNames, #ClusterName) {
+	spec: components: HelmChartList: [
+		#HelmChart & {
+			metadata: name: "prod-core-\(Name)"
+
+			namespace: #TargetNamespace
+			chart: {
+				name:    Name
+				version: "0.25.0"
+				repository: {
+					name: "hashicorp"
+					url:  "https://helm.releases.hashicorp.com"
+				}
 			}
-		}
-	}
+			_values:      #Values
+			apiObjectMap: OBJECTS.apiObjectMap
+		},
+
+	]
 
 	#Kustomize: {
 		patches: [
@@ -59,17 +44,40 @@ if Vault.enabled && list.Contains(Vault.clusterNames, #ClusterName) {
 			},
 		]
 	}
-
-	let EnvPatch = [
-		{
-			op:    "test"
-			path:  "/spec/template/spec/containers/0/env/4/name"
-			value: "VAULT_ADDR"
-		},
-		{
-			op:    "replace"
-			path:  "/spec/template/spec/containers/0/env/4/value"
-			value: "http://$(VAULT_K8S_POD_NAME):8200"
-		},
-	]
+}
+
+let EnvPatch = [
+	{
+		op:    "test"
+		path:  "/spec/template/spec/containers/0/env/4/name"
+		value: "VAULT_ADDR"
+	},
+	{
+		op:    "replace"
+		path:  "/spec/template/spec/containers/0/env/4/value"
+		value: "http://$(VAULT_K8S_POD_NAME):8200"
+	},
+]
+
+let OBJECTS = #APIObjects & {
+	apiObjects: {
+		ExternalSecret: "gcpkms-creds":      _
+		ExternalSecret: "vault-server-cert": _
+		VirtualService: "\(Name)": {
+			metadata: name:      Name
+			metadata: namespace: #TargetNamespace
+			spec: hosts: [for cert in Vault.certs {cert.spec.commonName}]
+			spec: gateways: ["istio-ingress/\(Name)"]
+			spec: http: [
+				{
+					route: [
+						{
+							destination: host: "\(Name)-active"
+							destination: port: number: 8200
+						},
+					]
+				},
+			]
+		}
+	}
 }

docs/examples/platforms/reference/clusters/projects.cue

@@ -0,0 +1,51 @@
+package holos
+
+#Project: authProxyOrgDomain: "openinfrastructure.co"
+
+let ZitadelProjectID = 257713952794870157
+
+_Projects: #Projects & {
+	// The platform project is required and where platform services reside.  ArgoCD, Grafana, Prometheus, etc...
+	platform: {
+		resourceId: ZitadelProjectID
+		// platform level services typically run in the core cluster pair.
+		clusters: core1: _
+		clusters: core2: _
+		// for development, probably wouldn't run these services in the workload clusters.
+		clusters: k2: _
+		// Services hosted in the platform project
+		hosts: argocd:     _
+		hosts: grafana:    _
+		hosts: prometheus: _
+	}
+
+	holos: {
+		resourceId: ZitadelProjectID
+		clusters: k1: _
+		clusters: k2: _
+		environments: {
+			prod: stage: "prod"
+			dev: stage:  "dev"
+			jeff: stage: dev.stage
+			gary: stage: dev.stage
+			nate: stage: dev.stage
+		}
+	}
+
+	iam: {
+		resourceId: ZitadelProjectID
+		clusters: {
+			core1: _
+			core2: _
+		}
+	}
+}
+
+// Manage namespaces for platform project environments.
+for project in _Projects {
+	for ns in project.managedNamespaces {
+		if ns.clusters[#ClusterName] != _|_ {
+			#ManagedNamespaces: (ns.namespace.metadata.name): ns
+		}
+	}
+}

docs/examples/platforms/reference/clusters/provisioner/iam/iam.cue

@@ -2,9 +2,3 @@ package holos
 
 // Components under this directory are part of this collection
 #InputKeys: project: "iam"
-
-// Shared dependencies for all components in this collection.
-#DependsOn: _Namespaces
-
-// Common Dependencies
-_Namespaces: Namespaces: name: "\(#StageName)-secrets-namespaces"

docs/examples/platforms/reference/clusters/provisioner/iam/zitadel/postgres-certs/postgres-certs.cue

@@ -8,13 +8,27 @@ package holos
 
 // Refer to [Using Cert Manager to Deploy TLS for Postgres on Kubernetes](https://www.crunchydata.com/blog/using-cert-manager-to-deploy-tls-for-postgres-on-kubernetes)
 
+#TargetNamespace: "prod-iam-zitadel"
 #InputKeys: component: "postgres-certs"
 
-let SelfSigned = "\(_DBName)-selfsigned"
-let RootCA = "\(_DBName)-root-ca"
+let DBName = "zitadel"
+
+let SelfSigned = "\(DBName)-selfsigned"
+let RootCA = "\(DBName)-root-ca"
 let Orgs = ["Database"]
 
-#KubernetesObjects & {
+#Kustomization: spec: wait: true
+
+spec: components: KubernetesObjectsList: [
+	#KubernetesObjects & {
+		metadata: name: "prod-iam-postgres-certs"
+
+		_dependsOn: "prod-secrets-namespaces": _
+		apiObjectMap: OBJECTS.apiObjectMap
+	},
+]
+
+let OBJECTS = #APIObjects & {
 	apiObjects: {
 		// Put everything in the target namespace.
 		[_]: {
@@ -51,10 +65,10 @@ let Orgs = ["Database"]
 					subject: organizations: Orgs
 				}
 			}
-			"\(_DBName)-primary-tls": #DatabaseCert & {
+			"\(DBName)-primary-tls": #DatabaseCert & {
 				// PGO managed name is "<cluster name>-cluster-cert" e.g. zitadel-cluster-cert
 				spec: {
-					commonName: "\(_DBName)-primary"
+					commonName: "\(DBName)-primary"
 					dnsNames: [
 						commonName,
 						"\(commonName).\(#TargetNamespace)",
@@ -66,16 +80,16 @@ let Orgs = ["Database"]
 					usages: ["digital signature", "key encipherment"]
 				}
 			}
-			"\(_DBName)-repl-tls": #DatabaseCert & {
+			"\(DBName)-repl-tls": #DatabaseCert & {
 				spec: {
 					commonName: "_crunchyrepl"
 					dnsNames: [commonName]
 					usages: ["digital signature", "key encipherment"]
 				}
 			}
-			"\(_DBName)-client-tls": #DatabaseCert & {
+			"\(DBName)-client-tls": #DatabaseCert & {
 				spec: {
-					commonName: "\(_DBName)-client"
+					commonName: "\(DBName)-client"
 					dnsNames: [commonName]
 					usages: ["digital signature", "key encipherment"]
 				}

docs/examples/platforms/reference/clusters/provisioner/iam/zitadel/zitadel.cue

@@ -1,6 +1 @@
 package holos
-
-#TargetNamespace: #InstancePrefix + "-zitadel"
-
-// _DBName is the database name used across multiple holos components in this project
-_DBName: "zitadel"

docs/examples/platforms/reference/clusters/provisioner/mesh/certificates/certs.cue

@@ -1,20 +1,35 @@
 package holos
 
-// Provision all platform certificates.
-#InputKeys: component: "certificates"
-
 // Certificates usually go into the istio-system namespace, but they may go anywhere.
 #TargetNamespace: "default"
 
-// Depends on issuers
-#DependsOn: _LetsEncrypt
+#Kustomization: spec: wait: true
 
-#KubernetesObjects & {
+spec: components: KubernetesObjectsList: [
+	#KubernetesObjects & {
+		metadata: name: "\(#InstancePrefix)-certificates"
+
+		_dependsOn: "prod-secrets-namespaces": _
+		_dependsOn: "prod-mesh-letsencrypt":   _
+
+		apiObjectMap: OBJECTS.apiObjectMap
+	},
+]
+
+let Vault = #OptionalServices.vault
+
+let OBJECTS = #APIObjects & {
 	apiObjects: {
 		for k, obj in #PlatformCerts {
 			"\(obj.kind)": {
 				"\(obj.metadata.namespace)/\(obj.metadata.name)": obj
 			}
 		}
+
+		if Vault.enabled {
+			for k, obj in Vault.certs {
+				"\(obj.kind)": "\(obj.metadata.name)": obj
+			}
+		}
 	}
 }

docs/examples/platforms/reference/clusters/provisioner/mesh/certificates/optional/vault.cue

@@ -1,13 +0,0 @@
-package holos
-
-let Vault = #OptionalServices.vault
-
-if Vault.enabled {
-	#KubernetesObjects & {
-		apiObjects: {
-			for k, obj in Vault.certs {
-				"\(obj.kind)": "\(obj.metadata.name)": obj
-			}
-		}
-	}
-}

docs/examples/platforms/reference/clusters/provisioner/mesh/certmanager/certmanager.cue

@@ -4,28 +4,28 @@ package holos
 
 #TargetNamespace: "cert-manager"
 
-#InputKeys: {
-	component: "certmanager"
-	service:   "cert-manager"
-}
+spec: components: HelmChartList: [
+	#HelmChart & {
+		metadata: name: "\(#InstancePrefix)-certmanager"
 
-#HelmChart & {
-	values: #Values & {
-		installCRDs: true
-		startupapicheck: enabled: false
-		// Must not use kube-system on gke autopilot.  GKE Warden authz blocks access.
-		global: leaderElection: namespace: #TargetNamespace
-	}
-	namespace: #TargetNamespace
-	chart: {
-		name:    "cert-manager"
-		version: "1.14.3"
-		repository: {
-			name: "jetstack"
-			url:  "https://charts.jetstack.io"
+		_dependsOn: "prod-secrets-namespaces": _
+		namespace: #TargetNamespace
+		_values: #Values & {
+			installCRDs: true
+			startupapicheck: enabled: false
+			// Must not use kube-system on gke autopilot.  GKE Warden authz blocks access.
+			global: leaderElection: namespace: #TargetNamespace
 		}
-	}
-}
+		chart: {
+			name:    "cert-manager"
+			version: "1.14.3"
+			repository: {
+				name: "jetstack"
+				url:  "https://charts.jetstack.io"
+			}
+		}
+	},
+]
 
 // https://cloud.google.com/kubernetes-engine/docs/concepts/autopilot-resource-requests#min-max-requests
 #PodResources: {

docs/examples/platforms/reference/clusters/provisioner/mesh/issuers/letsencrypt.cue

@@ -1,7 +1,6 @@
 package holos
 
 // Lets Encrypt certificate issuers for public tls certs
-#InputKeys: component: "letsencrypt"
 #TargetNamespace: "cert-manager"
 
 let Name = "letsencrypt"
@@ -9,10 +8,17 @@ let Name = "letsencrypt"
 // The cloudflare api token is platform scoped, not cluster scoped.
 #SecretName: "cloudflare-api-token-secret"
 
-// Depends on cert manager
-#DependsOn: _CertManager
+spec: components: KubernetesObjectsList: [
+	#KubernetesObjects & {
+		metadata: name: "\(#InstancePrefix)-letsencrypt"
 
-#KubernetesObjects & {
+		_dependsOn: "prod-secrets-namespaces":        _
+		_dependsOn: "\(#InstancePrefix)-certmanager": _
+		apiObjectMap: OBJECTS.apiObjectMap
+	},
+]
+
+let OBJECTS = #APIObjects & {
 	apiObjects: {
 		ClusterIssuer: {
 			letsencrypt: #ClusterIssuer & {

docs/examples/platforms/reference/clusters/provisioner/mesh/mesh.cue

@@ -1,13 +1,3 @@
 package holos
 
-// Components under this directory are part of this collection
-#InputKeys: project: "mesh"
-
-// Shared dependencies for all components in this collection.
-#DependsOn: _Namespaces
-
-// Common Dependencies
-_Namespaces: Namespaces: name:     "\(#StageName)-secrets-namespaces"
-_CertManager: CertManager: name:   "\(#InstancePrefix)-certmanager"
-_LetsEncrypt: LetsEncrypt: name:   "\(#InstancePrefix)-letsencrypt"
-_Certificates: Certificates: name: "\(#InstancePrefix)-certificates"
+#InstancePrefix: "prod-mesh"

docs/examples/platforms/reference/clusters/provisioner/projects/projects.cue

@@ -0,0 +1,5 @@
+package holos
+
+for Project in _Projects {
+	spec: components: resources: (#ProjectTemplate & {project: Project}).provisioner.resources
+}

docs/examples/platforms/reference/clusters/provisioner/secrets/eso-creds-refresher/component.cue

@@ -8,10 +8,15 @@ package holos
 // - Namespace
 // - ServiceAccount eso-reader, eso-writer
 
-// No flux kustomization
-ksObjects: []
+spec: components: KubernetesObjectsList: [
+	#KubernetesObjects & {
+		metadata: name: "prod-secrets-eso-creds-refresher"
 
-#KubernetesObjects & {
+		apiObjectMap: OBJECTS.apiObjectMap
+	},
+]
+
+let OBJECTS = #APIObjects & {
 	apiObjects: {
 		let role = #CredsRefresherIAM.role
 		let binding = #CredsRefresherIAM.binding
@@ -25,22 +30,16 @@ ksObjects: []
 			}
 		}
 
-		for k, ns in #ManagedNamespaces {
-			for obj in (#PlatformNamespaceObjects & {_ns: ns}).objects {
+		for nsName, ns in #ManagedNamespaces {
+			for obj in (#PlatformNamespaceObjects & {_ns: ns.namespace.metadata}).objects {
 				let Kind = obj.kind
 				let Name = obj.metadata.name
-				"\(Kind)": "\(ns.name)/\(Name)": obj
+				"\(Kind)": "\(nsName)/\(Name)": obj
 			}
 		}
 	}
 }
 
-#InputKeys: {
-	cluster:   "provisioner"
-	project:   "secrets"
-	component: "eso-creds-refresher"
-}
-
 // #CredsRefresherIAM defines the rbac policy for the job that refreshes credentials used by eso SecretStore resources in clusters other than the provisioner cluster.
 #CredsRefresherIAM: {
 	let _name = #CredsRefresher.name

docs/examples/platforms/reference/clusters/provisioner/secrets/namespaces/component.cue

@@ -2,16 +2,19 @@ package holos
 
 #TargetNamespace: "default"
 
-#InputKeys: {
-	project:   "secrets"
-	component: "namespaces"
-}
+spec: components: KubernetesObjectsList: [
+	#KubernetesObjects & {
+		metadata: name: "prod-secrets-namespaces"
 
-#KubernetesObjects & {
+		apiObjectMap: OBJECTS.apiObjectMap
+	},
+]
+
+let OBJECTS = #APIObjects & {
 	apiObjects: {
 		// #ManagedNamespaces is the set of all namespaces across all clusters in the platform.
-		for k, ns in #ManagedNamespaces {
-			Namespace: "\(ns.name)": #Namespace & {metadata: ns}
+		for nsName, ns in #ManagedNamespaces {
+			Namespace: "\(nsName)": #Namespace & ns.namespace
 		}
 
 		// #PlatformNamespaces is deprecated in favor of #ManagedNamespaces.

docs/examples/platforms/reference/clusters/workload/projects/projects.cue

@@ -0,0 +1,5 @@
+package holos
+
+for Project in _Projects {
+	spec: components: resources: (#ProjectTemplate & {project: Project}).workload.resources
+}

docs/examples/platforms/reference/meshconfig.cue

@@ -0,0 +1,34 @@
+package holos
+
+#MeshConfig: {
+	projects:    _
+	clusterName: _
+
+	extensionProviderExtraMap: {
+		"cluster-trace": {
+			zipkin: {
+				maxTagLength: 56
+				port:         9411
+				service:      "zipkin.istio-system.svc"
+			}
+		}
+	}
+
+	config: {
+		// For PROXY PROTOCOL at the ingress gateway.
+		gatewayTopology: {
+			numTrustedProxies: 2
+		}
+	}
+
+	// Configure an ExtAuthzHttp provider for each stage's authproxy
+	for Project in projects {
+		if Project.clusters[clusterName] != _|_ {
+			for Stage in Project.stages {
+				extensionProviderMap: (Stage.extAuthzProviderName): #ExtAuthzProxy & {
+					envoyExtAuthzHttp: service: "authproxy.\(Stage.namespace).svc.cluster.local"
+				}
+			}
+		}
+	}
+}

docs/examples/platforms/reference/platform_projects.cue

@@ -0,0 +1,531 @@
+package holos
+
+import "encoding/yaml"
+
+// Platform level definition of a project.
+#Project: {
+	name: string
+
+	// All projects have at least a prod environment and stage.
+	stages: prod: stageSegments: []
+	environments: prod: stage: "prod"
+	environments: prod: envSegments: []
+	stages: dev: _
+	environments: dev: stage: "dev"
+	environments: dev: envSegments: []
+	// Ensure at least the project name is a short hostname.  Additional may be added.
+	hosts: (name): _
+
+	// environments share the stage segments of their stage.
+	environments: [_]: {
+		stage:         string
+		stageSegments: stages[stage].stageSegments
+	}
+}
+
+#ProjectTemplate: {
+	project: #Project
+	let Project = project
+
+	// GatewayServers maps Gateway spec.servers #GatewayServer values indexed by stage then name.
+	let GatewayServers = {
+		// Initialize all stages, even if they have no environments.
+		for stage in project.stages {
+			(stage.name): {}
+		}
+
+		// For each stage, construct entries for the Gateway spec.servers.hosts field.
+		for env in project.environments {
+			(env.stage): {
+				let Env = env
+				let Stage = project.stages[env.stage]
+				for host in (#EnvHosts & {project: Project, env: Env}).hosts {
+					(host.name): #GatewayServer & {
+						hosts: [
+							"\(env.namespace)/\(host.name)",
+							// Allow the authproxy VirtualService to match the project.authProxyPrefix path.
+							"\(Stage.namespace)/\(host.name)",
+						]
+						port: host.port
+						tls: credentialName: host.name
+						tls: mode:           "SIMPLE"
+					}
+				}
+			}
+		}
+	}
+
+	workload: resources: {
+		// Provide resources only if the project is managed on --cluster-name
+		if project.clusters[#ClusterName] != _|_ {
+			for stage in project.stages {
+				let Stage = stage
+
+				// Istio Gateway
+				"\(stage.slug)-gateway": #KubernetesObjects & {
+					apiObjectMap: (#APIObjects & {
+						apiObjects: Gateway: (stage.slug): #Gateway & {
+							spec: servers: [for server in GatewayServers[stage.name] {server}]
+						}
+
+						for host in GatewayServers[stage.name] {
+							apiObjects: ExternalSecret: (host.tls.credentialName): metadata: namespace: "istio-ingress"
+						}
+					}).apiObjectMap
+				}
+
+				// Manage auth-proxy in each stage
+				if project.features.authproxy.enabled {
+					"\(stage.slug)-authproxy": #KubernetesObjects & {
+						apiObjectMap: (#APIObjects & {
+							apiObjects: (AUTHPROXY & {stage: Stage, project: Project, servers: GatewayServers[stage.name]}).apiObjects
+						}).apiObjectMap
+					}
+
+					for Env in project.environments if Env.stage == stage.name {
+						"\(Env.slug)-authpolicy": #KubernetesObjects & {
+							// Manage auth policy in each env
+							apiObjectMap: (#APIObjects & {
+								apiObjects: (AUTHPOLICY & {env: Env, project: Project, servers: GatewayServers[stage.name]}).apiObjects
+							}).apiObjectMap
+						}
+					}
+				}
+
+				// Manage httpbin in each environment
+				if project.features.httpbin.enabled {
+					for Env in project.environments if Env.stage == stage.name {
+						"\(Env.slug)-httpbin": #KubernetesObjects & {
+							let Project = project
+							apiObjectMap: (#APIObjects & {
+								apiObjects: (HTTPBIN & {env: Env, project: Project}).apiObjects
+							}).apiObjectMap
+						}
+					}
+				}
+			}
+		}
+	}
+
+	provisioner: resources: {
+		for stage in project.stages {
+			"\(stage.slug)-certs": #KubernetesObjects & {
+				apiObjectMap: (#APIObjects & {
+					for host in GatewayServers[stage.name] {
+						let CN = host.tls.credentialName
+						apiObjects: Certificate: (CN): #Certificate & {
+							metadata: name:      CN
+							metadata: namespace: "istio-ingress"
+							spec: {
+								commonName: CN
+								dnsNames: [CN]
+								secretName: CN
+								issuerRef: {
+									kind: "ClusterIssuer"
+									name: "letsencrypt"
+								}
+							}
+						}
+					}
+				}).apiObjectMap
+			}
+		}
+	}
+}
+
+let HTTPBIN = {
+	name:    string | *"httpbin"
+	project: #Project
+	env:     #Environment
+	let Name = name
+	let Stage = project.stages[env.stage]
+
+	let Metadata = {
+		name:      Name
+		namespace: env.namespace
+		labels: app: name
+	}
+	let Labels = {
+		"app.kubernetes.io/name":       Name
+		"app.kubernetes.io/instance":   env.slug
+		"app.kubernetes.io/part-of":    env.project
+		"security.holos.run/authproxy": Stage.extAuthzProviderName
+	}
+
+	apiObjects: {
+		Deployment: (Name): #Deployment & {
+			metadata: Metadata
+
+			spec: selector: matchLabels: Metadata.labels
+			spec: template: {
+				metadata: labels: Metadata.labels & #IstioSidecar & Labels
+				spec: securityContext: seccompProfile: type: "RuntimeDefault"
+				spec: containers: [{
+					name:  Name
+					image: "quay.io/holos/mccutchen/go-httpbin"
+					ports: [{containerPort: 8080}]
+					securityContext: {
+						seccompProfile: type: "RuntimeDefault"
+						allowPrivilegeEscalation: false
+						runAsNonRoot:             true
+						runAsUser:                8192
+						runAsGroup:               8192
+						capabilities: drop: ["ALL"]
+					}}]
+			}
+		}
+		Service: (Name): #Service & {
+			metadata: Metadata
+			spec: selector: Metadata.labels
+			spec: ports: [
+				{port: 80, targetPort: 8080, protocol: "TCP", name: "http"},
+			]
+		}
+		VirtualService: (Name): #VirtualService & {
+			metadata: Metadata
+			let Project = project
+			let Env = env
+			spec: hosts: [for host in (#EnvHosts & {project: Project, env: Env}).hosts {host.name}]
+			spec: gateways: ["istio-ingress/\(env.stageSlug)"]
+			spec: http: [{route: [{destination: host: Name}]}]
+		}
+	}
+}
+
+// AUTHPROXY configures one oauth2-proxy deployment for each host in each stage of a project.  Multiple deployments per stage are used to narrow down the cookie domain.
+let AUTHPROXY = {
+	name:    string | *"authproxy"
+	project: #Project
+	stage:   #Stage
+	servers: {}
+	let Name = name
+	let Project = project
+	let Stage = stage
+
+	let AuthProxySpec = #AuthProxySpec & {
+		namespace: stage.namespace
+		projectID: project.resourceId
+		clientID:  stage.authProxyClientID
+		orgDomain: project.authProxyOrgDomain
+		provider:  stage.extAuthzProviderName
+	}
+
+	let Metadata = {
+		name:      Name
+		namespace: stage.namespace
+		labels: {
+			"app.kubernetes.io/name":     name
+			"app.kubernetes.io/instance": stage.name
+			"app.kubernetes.io/part-of":  stage.project
+		}
+	}
+
+	let RedisMetadata = {
+		name:      Name + "-redis"
+		namespace: stage.namespace
+		labels: {
+			"app.kubernetes.io/name":     name
+			"app.kubernetes.io/instance": stage.name
+			"app.kubernetes.io/part-of":  stage.project
+		}
+	}
+
+	apiObjects: {
+		// oauth2-proxy
+		ExternalSecret: (Name): metadata: Metadata
+		// Place the ID token in a header that does not conflict with the Authorization header.
+		// Refer to: https://github.com/oauth2-proxy/oauth2-proxy/issues/1877#issuecomment-1364033723
+		ConfigMap: (Name): {
+			metadata: Metadata
+			data: "config.yaml": yaml.Marshal(AuthProxyConfig)
+			let AuthProxyConfig = {
+				injectResponseHeaders: [{
+					name: AuthProxySpec.idTokenHeader
+					values: [{claim: "id_token"}]
+				}]
+				providers: [{
+					id:                    "Holos Platform"
+					name:                  "Holos Platform"
+					provider:              "oidc"
+					scope:                 "openid profile email groups offline_access urn:zitadel:iam:org:domain:primary:\(AuthProxySpec.orgDomain)"
+					clientID:              AuthProxySpec.clientID
+					clientSecretFile:      "/dev/null"
+					code_challenge_method: "S256"
+					loginURLParameters: [{
+						default: ["force"]
+						name: "approval_prompt"
+					}]
+					oidcConfig: {
+						issuerURL: AuthProxySpec.issuer
+						audienceClaims: ["aud"]
+						emailClaim:  "email"
+						groupsClaim: "groups"
+						userIDClaim: "sub"
+					}
+				}]
+				server: BindAddress: ":4180"
+				upstreamConfig: upstreams: [{
+					id:         "static://200"
+					path:       "/"
+					static:     true
+					staticCode: 200
+				}]
+			}
+		}
+		Deployment: (Name): #Deployment & {
+			metadata: Metadata
+
+			// project.dev.example.com, project.dev.k1.example.com, project.dev.k2.example.com
+			let StageDomains = {
+				for host in (#StageDomains & {project: Project, stage: Stage}).hosts {
+					(host.name): host
+				}
+			}
+
+			spec: {
+				replicas: 1
+				selector: matchLabels: Metadata.labels
+				template: {
+					metadata: labels: Metadata.labels
+					metadata: labels: #IstioSidecar
+					spec: {
+						securityContext: seccompProfile: type: "RuntimeDefault"
+						containers: [{
+							image:           "quay.io/oauth2-proxy/oauth2-proxy:v7.6.0"
+							imagePullPolicy: "IfNotPresent"
+							name:            "oauth2-proxy"
+							volumeMounts: [{
+								name:      "config"
+								mountPath: "/config"
+								readOnly:  true
+							}]
+							args: [
+								// callback url is proxy prefix + /callback
+								"--proxy-prefix=" + AuthProxySpec.proxyPrefix,
+								"--email-domain=*",
+								"--session-store-type=redis",
+								"--redis-connection-url=redis://\(RedisMetadata.name):6379",
+								"--cookie-refresh=12h",
+								"--cookie-expire=2160h",
+								"--cookie-secure=true",
+								"--cookie-name=__Secure-\(stage.slug)-\(Name)",
+								"--cookie-samesite=lax",
+								for domain in StageDomains {"--cookie-domain=.\(domain.name)"},
+								for domain in StageDomains {"--cookie-domain=\(domain.name)"},
+								for domain in StageDomains {"--whitelist-domain=.\(domain.name)"},
+								for domain in StageDomains {"--whitelist-domain=\(domain.name)"},
+								"--cookie-csrf-per-request=true",
+								"--cookie-csrf-expire=120s",
+								// will skip authentication for OPTIONS requests
+								"--skip-auth-preflight=true",
+								"--real-client-ip-header=X-Forwarded-For",
+								"--skip-provider-button=true",
+								"--auth-logging",
+								"--alpha-config=/config/config.yaml",
+							]
+							env: [{
+								name: "OAUTH2_PROXY_COOKIE_SECRET"
+								// echo '{"cookiesecret":"'$(LC_ALL=C tr -dc "[:alpha:]" </dev/random | tr '[:upper:]' '[:lower:]' | head -c 32)'"}' | holos create secret -n dev-holos-system --append-hash=false --data-stdin authproxy
+								valueFrom: secretKeyRef: {
+									key:  "cookiesecret"
+									name: Name
+								}
+							}]
+							ports: [{
+								containerPort: 4180
+								protocol:      "TCP"
+							}]
+							securityContext: {
+								seccompProfile: type: "RuntimeDefault"
+								allowPrivilegeEscalation: false
+								runAsNonRoot:             true
+								runAsUser:                8192
+								runAsGroup:               8192
+								capabilities: drop: ["ALL"]
+							}
+						}]
+						volumes: [{name: "config", configMap: name: Name}]
+					}
+				}
+			}
+		}
+		Service: (Name): #Service & {
+			metadata: Metadata
+			spec: selector: Metadata.labels
+			spec: ports: [
+				{port: 4180, targetPort: 4180, protocol: "TCP", name: "http"},
+			]
+		}
+		VirtualService: (Name): #VirtualService & {
+			metadata: Metadata
+			spec: hosts: ["*"]
+			spec: gateways: ["istio-ingress/\(stage.slug)"]
+			spec: http: [{
+				match: [{uri: prefix: AuthProxySpec.proxyPrefix}]
+				route: [{
+					destination: host: Name
+					destination: port: number: 4180
+				}]
+			}]
+		}
+
+		// redis
+		ConfigMap: (RedisMetadata.name): {
+			metadata: RedisMetadata
+			data: "redis.conf": """
+				maxmemory 128mb
+				maxmemory-policy allkeys-lru
+				"""
+		}
+		Deployment: (RedisMetadata.name): {
+			metadata: RedisMetadata
+			spec: {
+				selector: matchLabels: RedisMetadata.labels
+				template: {
+					metadata: labels: RedisMetadata.labels
+					metadata: labels: #IstioSidecar
+					spec: securityContext: seccompProfile: type: "RuntimeDefault"
+					spec: {
+						containers: [{
+							command: [
+								"redis-server",
+								"/redis-master/redis.conf",
+							]
+							env: [{
+								name:  "MASTER"
+								value: "true"
+							}]
+							image: "quay.io/holos/redis:7.2.4"
+							livenessProbe: {
+								initialDelaySeconds: 15
+								tcpSocket: port: "redis"
+							}
+							name: "redis"
+							ports: [{
+								containerPort: 6379
+								name:          "redis"
+							}]
+							readinessProbe: {
+								exec: command: [
+									"redis-cli",
+									"ping",
+								]
+								initialDelaySeconds: 5
+							}
+							resources: limits: cpu: "0.5"
+							securityContext: {
+								seccompProfile: type: "RuntimeDefault"
+								allowPrivilegeEscalation: false
+								capabilities: drop: ["ALL"]
+								runAsNonRoot: true
+								runAsUser:    999
+								runAsGroup:   999
+							}
+							volumeMounts: [{
+								mountPath: "/redis-master-data"
+								name:      "data"
+							}, {
+								mountPath: "/redis-master"
+								name:      "config"
+							}]
+						}]
+						volumes: [{
+							emptyDir: {}
+							name: "data"
+						}, {
+							configMap: name: RedisMetadata.name
+							name: "config"
+						}]
+					}
+				}
+			}
+		}
+		Service: (RedisMetadata.name): #Service & {
+			metadata: RedisMetadata
+			spec: selector: RedisMetadata.labels
+			spec: type:     "ClusterIP"
+			spec: ports: [{
+				name:       "redis"
+				port:       6379
+				protocol:   "TCP"
+				targetPort: 6379
+			}]
+		}
+	}
+}
+
+// AUTHPOLICY configures the baseline AuthorizationPolicy and RequestAuthentication policy for each stage of each project.
+let AUTHPOLICY = {
+	project: #Project
+	env:     #Environment
+	let Name = "\(stage.slug)-authproxy"
+	let Project = project
+	let stage = project.stages[env.stage]
+	let Env = env
+
+	let AuthProxySpec = #AuthProxySpec & {
+		namespace: stage.namespace
+		projectID: project.resourceId
+		clientID:  stage.authProxyClientID
+		orgDomain: project.authProxyOrgDomain
+		provider:  stage.extAuthzProviderName
+	}
+
+	let Metadata = {
+		name:      string
+		namespace: env.namespace
+		labels: {
+			"app.kubernetes.io/name":     name
+			"app.kubernetes.io/instance": stage.name
+			"app.kubernetes.io/part-of":  stage.project
+		}
+	}
+
+	// Collect all the hosts associated with the stage
+	let Hosts = {
+		for HOST in (#EnvHosts & {project: Project, env: Env}).hosts {
+			(HOST.name): HOST
+		}
+	}
+
+	// HostList is a list of hosts for AuthorizationPolicy rules
+	let HostList = [
+		for host in Hosts {host.name},
+		for host in Hosts {host.name + ":*"},
+	]
+	let MatchLabels = {"security.holos.run/authproxy": AuthProxySpec.provider}
+
+	apiObjects: {
+		RequestAuthentication: (Name): #RequestAuthentication & {
+			metadata: Metadata & {name: Name}
+			spec: jwtRules: [{
+				audiences: [AuthProxySpec.clientID]
+				forwardOriginalToken: true
+				fromHeaders: [{name: AuthProxySpec.idTokenHeader}]
+				issuer: AuthProxySpec.issuer
+			}]
+			spec: selector: matchLabels: MatchLabels
+		}
+		AuthorizationPolicy: "\(Name)-custom": {
+			metadata: Metadata & {name: "\(Name)-custom"}
+			spec: {
+				action: "CUSTOM"
+				// send the request to the auth proxy
+				provider: name: AuthProxySpec.provider
+				rules: [{
+					to: [{operation: hosts: HostList}]
+					when: [
+						{
+							key: "request.headers[\(AuthProxySpec.idTokenHeader)]"
+							notValues: ["*"]
+						},
+						{
+							key: "request.headers[host]"
+							notValues: [AuthProxySpec.issuerHost]
+						},
+					]}]
+				selector: matchLabels: MatchLabels
+			}
+		}
+	}
+}

docs/examples/platforms/reference/project_constraints.cue

@@ -0,0 +1 @@
+package holos

docs/examples/platforms/reference/projects/secrets/components/namespaces/inputkeys.cue

@@ -1,8 +0,0 @@
-package holos
-
-#TargetNamespace: "external-secrets"
-
-#InputKeys: {
-	project: "secrets"
-	service: "eso"
-}

docs/examples/platforms/reference/projects/secrets/components/namespaces/namespaces.cue

@@ -1,10 +0,0 @@
-package holos
-
-#InputKeys: component: "namespaces"
-
-metadata: name: #InstanceName
-objects: [
-	#Namespace & {
-		metadata: name: #TargetNamespace
-	},
-]

docs/examples/platforms/reference/projects/secrets/components/namespaces/output.cue

@@ -1,6 +0,0 @@
-package holos
-
-// Output schema
-{} & #KubernetesObjects & {
-	ksObjects: [#Kustomization]
-}

docs/examples/project_types.cue

@@ -0,0 +1,200 @@
+package holos
+
+import h "github.com/holos-run/holos/api/v1alpha1"
+
+import "strings"
+
+// #Projects is a map of all the projects in the platform.
+#Projects: [Name=_]: #Project & {name: Name}
+
+// The platform project is required and where platform services reside.  ArgoCD, Grafana, Prometheus, etc...
+#Projects: platform: _
+
+#Project: {
+	name: string
+	// resourceId is the zitadel project Resource ID
+	resourceId: number
+	let ProjectName = name
+	description: string
+	environments: [Name=string]: #Environment & {
+		name:    Name
+		project: ProjectName
+	}
+	stages: [Name=string]: #Stage & {
+		name:    Name
+		project: ProjectName
+	}
+	domain: string | *#Platform.org.domain
+
+	// authProxyOrgDomain is the primary org domain for zitadel.
+	authProxyOrgDomain: string | *#Platform.org.domain
+	// authProxyIssuer is the issuer url
+	authProxyIssuer: string | *"https://login.\(#Platform.org.domain)"
+
+	// hosts are short hostnames to configure for the project.
+	// Each value is routed to every environment in the project as a dns prefix.
+	hosts: [Name=string]: #Host & {name: Name}
+	// clusters are the cluster names the project is configured on.
+	clusters: [Name=string]: #Cluster & {name: Name}
+	clusterNames: [for c in clusters {c.name}]
+
+	// managedNamespaces ensures project namespaces have SecretStores that can sync ExternalSecrets from the provisioner cluster.
+	managedNamespaces: {
+		// Define the shape of a managed namespace.
+		[Name=_]: #ManagedNamespace & {
+			namespace: metadata: name: Name
+			clusterNames: ["provisioner", for c in clusters {c.name}]
+		}
+
+		// Manage a system namespace for each stage in the project.
+		for stage in stages {
+			for ns in stage.namespaces {
+				(ns.name): _
+			}
+		}
+
+		// Manage a namespace for each environment in the project.
+		for env in environments {
+			(env.namespace): _
+		}
+	}
+
+	// features is YAGNI maybe? 
+	features: [Name=string]: #Feature & {name: Name}
+	features: authproxy: _
+	features: httpbin:   _
+}
+
+// #Cluster defines a cluster
+#Cluster: name: string
+
+// #Host defines a short hostname
+#Host: name: string
+
+#Environment: {
+	// name uniquely identifies the environment within the scope of the project.
+	name:      string
+	project:   string
+	stage:     string | "dev" | "prod"
+	slug:      "\(name)-\(project)"
+	namespace: "\(name)-\(project)"
+	stageSlug: "\(stage)-\(project)"
+
+	// envSegments are the env portion of the dns segments
+	envSegments: [...string] | *[name]
+	// stageSegments are the stage portion of the dns segments
+	stageSegments: [...string] | *[stage]
+
+	// #host provides a hostname
+	// Refer to: https://github.com/holos-run/holos/issues/66#issuecomment-2027562626
+	#host: {
+		name:     string
+		cluster?: string
+		clusterSegments: [...string]
+		if cluster != _|_ {
+			clusterSegments: [cluster]
+		}
+		let SEGMENTS = envSegments + [name] + stageSegments + clusterSegments + [#Platform.org.domain]
+		let NAMESEGMENTS = ["https"] + SEGMENTS
+		host: {
+			name: strings.Join(SEGMENTS, ".")
+			port: {
+				name:     strings.Replace(strings.Join(NAMESEGMENTS, "-"), ".", "-", -1)
+				number:   443
+				protocol: "HTTPS"
+			}
+		}
+	}
+}
+
+#Stage: {
+	name:    string
+	project: string
+	slug:    "\(name)-\(project)"
+	// namespace is the system namespace for the project stage
+	namespace: "\(name)-\(project)-system"
+	// Manage a system namespace for each stage
+	namespaces: [Name=_]: name: Name
+	namespaces: (namespace): _
+	// stageSegments are the stage portion of the dns segments
+	stageSegments: [...string] | *[name]
+	// authProxyClientID is the ClientID registered with the oidc issuer.
+	authProxyClientID: string
+	// extAuthzProviderName is the provider name in the mesh config
+	extAuthzProviderName: "\(slug)-authproxy"
+}
+
+#Feature: {
+	name:        string
+	description: string
+	enabled:     true | *false
+}
+
+#ProjectTemplate: {
+	project: #Project
+
+	// workload cluster resources
+	workload: resources: [Name=_]: h.#KubernetesObjects & {
+		metadata: name: Name
+	}
+
+	// provisioner cluster resources
+	provisioner: resources: [Name=_]: h.#KubernetesObjects & {
+		metadata: name: Name
+	}
+}
+
+// #EnvHosts provides hostnames given a project and environment.
+// Refer to https://github.com/holos-run/holos/issues/66#issuecomment-2027562626
+#EnvHosts: {
+	project: #Project & {name: env.project}
+	env: #Environment
+
+	hosts: {
+		for host in project.hosts {
+			// globally scoped hostname
+			let HOST = (env.#host & {name: host.name}).host
+			(HOST.name): HOST
+
+			// cluster scoped hostname
+			for Cluster in project.clusters {
+				let HOST = (env.#host & {name: host.name, cluster: Cluster.name}).host
+				(HOST.name): HOST
+			}
+		}
+	}
+}
+
+// #StageDomains provides hostnames given a project and stage.  Primarily for the
+// auth proxy.
+// Refer to https://github.com/holos-run/holos/issues/66#issuecomment-2027562626
+#StageDomains: {
+	// names are the leading prefix names to create hostnames for.
+	// this is a two level list to support strings.Join()
+	prefixes: [...[...string]] | *[[]]
+	stage: #Stage
+	project: #Project & {
+		name: stage.project
+	}
+
+	// blank segment for the global domain plus each cluster in the project.
+	let ClusterSegments = [[], for cluster in project.clusters {[cluster.name]}]
+
+	hosts: {
+		for prefix in prefixes {
+			for ClusterSegment in ClusterSegments {
+				let SEGMENTS = prefix + [project.name] + stage.stageSegments + ClusterSegment + [project.domain]
+				let NAMESEGMENTS = ["https"] + SEGMENTS
+				let HOSTNAME = strings.Join(SEGMENTS, ".")
+				(HOSTNAME): {
+					name: HOSTNAME
+					port: {
+						name:     strings.Replace(strings.Join(NAMESEGMENTS, "-"), ".", "-", -1)
+						number:   443
+						protocol: "HTTPS"
+					}
+				}
+			}
+		}
+	}
+}

docs/examples/schema.cue

@@ -2,7 +2,6 @@ package holos
 
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	ksv1 "kustomize.toolkit.fluxcd.io/kustomization/v1"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
@@ -14,59 +13,28 @@ import (
 	crt "cert-manager.io/certificate/v1"
 	gw "networking.istio.io/gateway/v1beta1"
 	vs "networking.istio.io/virtualservice/v1beta1"
-	kc "sigs.k8s.io/kustomize/api/types"
+	ra "security.istio.io/requestauthentication/v1"
+	ap "security.istio.io/authorizationpolicy/v1"
 	pg "postgres-operator.crunchydata.com/postgrescluster/v1beta1"
-	"encoding/yaml"
 )
 
-let ResourcesFile = "resources.yaml"
-
 // _apiVersion is the version of this schema.  Defines the interface between CUE output and the holos cli.
 _apiVersion: "holos.run/v1alpha1"
 
-// #ClusterName is the cluster name for cluster scoped resources.
-#ClusterName: #InputKeys.cluster
+// #ComponentName is the name of the holos component.
+// TODO: Refactor to support multiple components per BuildPlan
+#ComponentName: #InputKeys.component
 
 // #StageName is prod, dev, stage, etc...  Usually prod for platform components.
 #StageName: #InputKeys.stage
 
-// #CollectionName is the preferred handle to the collection element of the instance name.  A collection name mapes to an "application name" as described in the kubernetes recommended labels documentation.  Refer to https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/
-#CollectionName: #InputKeys.project
-
-// #ComponentName is the name of the holos component.
-#ComponentName: #InputKeys.component
-
-// #InstanceName is the name of the holos component instance being managed varying by stage, project, and component names.
-#InstanceName: "\(#StageName)-\(#CollectionName)-\(#ComponentName)"
-
-// #InstancePrefix is the stage and project without the component name.  Useful for dependency management among multiple components for a project stage.
-#InstancePrefix: "\(#StageName)-\(#CollectionName)"
-
 // #TargetNamespace is the target namespace for a holos component.
 #TargetNamespace: string
 
-// #SelectorLabels are mixed into selectors.
-#SelectorLabels: {
-	"holos.run/stage.name":     #StageName
-	"holos.run/project.name":   #CollectionName
-	"holos.run/component.name": #ComponentName
-	...
-}
-
-// #CommonLabels are mixed into every kubernetes api object.
-#CommonLabels: {
-	#SelectorLabels
-	"app.kubernetes.io/part-of":   #StageName
-	"app.kubernetes.io/name":      #CollectionName
-	"app.kubernetes.io/component": #ComponentName
-	"app.kubernetes.io/instance":  #InstanceName
-	...
-}
-
 #ClusterObject: {
 	_description: string | *""
 	metadata: metav1.#ObjectMeta & {
-		labels: #CommonLabels
+		// labels: #CommonLabels
 		annotations: #Description & {
 			_Description: _description
 			...
@@ -88,30 +56,35 @@ _apiVersion: "holos.run/v1alpha1"
 }
 
 // Kubernetes API Objects
-#Namespace: corev1.#Namespace & #ClusterObject & {
-	metadata: {
-		name: string
-		labels: "kubernetes.io/metadata.name": name
-	}
+#Namespace: corev1.#Namespace & {
+	metadata: name: string
+	metadata: labels: "kubernetes.io/metadata.name": metadata.name
 }
+
 #ClusterRole:        #ClusterObject & rbacv1.#ClusterRole
 #ClusterRoleBinding: #ClusterObject & rbacv1.#ClusterRoleBinding
 #ClusterIssuer: #ClusterObject & ci.#ClusterIssuer & {...}
 
-#Issuer:          #NamespaceObject & is.#Issuer
-#Role:            #NamespaceObject & rbacv1.#Role
-#RoleBinding:     #NamespaceObject & rbacv1.#RoleBinding
-#ConfigMap:       #NamespaceObject & corev1.#ConfigMap
-#ServiceAccount:  #NamespaceObject & corev1.#ServiceAccount
-#Pod:             #NamespaceObject & corev1.#Pod
-#Service:         #NamespaceObject & corev1.#Service
-#Job:             #NamespaceObject & batchv1.#Job
-#CronJob:         #NamespaceObject & batchv1.#CronJob
-#Deployment:      #NamespaceObject & appsv1.#Deployment
-#Gateway:         #NamespaceObject & gw.#Gateway
-#VirtualService:  #NamespaceObject & vs.#VirtualService
-#Certificate:     #NamespaceObject & crt.#Certificate
-#PostgresCluster: #NamespaceObject & pg.#PostgresCluster
+#Issuer:                #NamespaceObject & is.#Issuer
+#Role:                  #NamespaceObject & rbacv1.#Role
+#RoleBinding:           #NamespaceObject & rbacv1.#RoleBinding
+#ConfigMap:             #NamespaceObject & corev1.#ConfigMap
+#ServiceAccount:        #NamespaceObject & corev1.#ServiceAccount
+#Pod:                   #NamespaceObject & corev1.#Pod
+#Service:               #NamespaceObject & corev1.#Service
+#Job:                   #NamespaceObject & batchv1.#Job
+#CronJob:               #NamespaceObject & batchv1.#CronJob
+#Deployment:            #NamespaceObject & appsv1.#Deployment
+#VirtualService:        #NamespaceObject & vs.#VirtualService
+#RequestAuthentication: #NamespaceObject & ra.#RequestAuthentication
+#AuthorizationPolicy:   #NamespaceObject & ap.#AuthorizationPolicy
+#Certificate:           #NamespaceObject & crt.#Certificate
+#PostgresCluster:       #NamespaceObject & pg.#PostgresCluster
+
+#Gateway: #NamespaceObject & gw.#Gateway & {
+	metadata: namespace: string | *"istio-ingress"
+	spec: selector: istio: string | *"ingressgateway"
+}
 
 // #HTTP01Cert defines a http01 certificate.
 #HTTP01Cert: {
@@ -134,43 +107,12 @@ _apiVersion: "holos.run/v1alpha1"
 	}
 }
 
-// Flux Kustomization CRDs
-#Kustomization: #NamespaceObject & ksv1.#Kustomization & {
-	metadata: {
-		name:      #InstanceName
-		namespace: string | *"flux-system"
-	}
-	spec: ksv1.#KustomizationSpec & {
-		interval:      string | *"30m0s"
-		path:          string | *"deploy/clusters/\(#InputKeys.cluster)/components/\(#InstanceName)"
-		prune:         bool | *true
-		retryInterval: string | *"2m0s"
-		sourceRef: {
-			kind: string | *"GitRepository"
-			name: string | *"flux-system"
-		}
-		suspend?:         bool
-		targetNamespace?: string
-		timeout:          string | *"3m0s"
-		wait:             bool | *true
-		dependsOn: [for k, v in #DependsOn {v}]
-	}
-}
-
-// #DependsOn stores all of the dependencies between components.  It's a struct to support merging across levels in the tree.
-#DependsOn: {
-	[Name=_]: {
-		name: string | *"\(#InstancePrefix)-\(Name)"
-	}
-	...
-}
-
 // External Secrets CRDs
 #ExternalSecret: #NamespaceObject & es.#ExternalSecret & {
 	_name: string
 	metadata: {
 		name:      _name
-		namespace: #TargetNamespace
+		namespace: string | *#TargetNamespace
 	}
 	spec: {
 		refreshInterval: string | *"1h"
@@ -283,20 +225,54 @@ _apiVersion: "holos.run/v1alpha1"
 	services: [ID=_]: {
 		name: string & ID
 	}
+	// authproxy configures the auth proxy attached to the default ingress gateway in the istio-ingress namespace.
+	authproxy: #AuthProxySpec & {
+		namespace: "istio-ingress"
+		provider:  "ingressauth"
+	}
+}
+
+#AuthProxySpec: {
+	// projectID is the zitadel project resource id.
+	projectID: number
+	// clientID is the zitadel application client id.
+	clientID: string
+	// namespace is the namespace
+	namespace: string
+	// provider is the istio extension provider name in the mesh config.
+	provider: string
+	// orgDomain is the zitadel organization domain for logins.
+	orgDomain: string | *#Platform.org.domain
+	// issuerHost is the Host: header value of the oidc issuer
+	issuerHost: string | *"login.\(#Platform.org.domain)"
+	// issuer is the oidc identity provider issuer url
+	issuer: string | *"https://\(issuerHost)"
+	// path is the oauth2-proxy --proxy-prefix value.  The default callback url is the Host: value with a path of /holos/oidc/callback
+	proxyPrefix: string | *"/holos/authproxy/\(namespace)"
+	// idTokenHeader represents the header where the id token is placed
+	idTokenHeader: string | *"x-oidc-id-token"
 }
 
 // ManagedNamespace is a namespace to manage across all clusters in the holos platform.
 #ManagedNamespace: {
-	// TODO metadata labels and annotations
-	name: string
-	labels: [string]: string
+	namespace: {
+		metadata: {
+			name: string
+			labels: [string]: string
+		}
+	}
+	// clusterNames represents the set of clusters the namespace is managed on.  Usually all clusters.
+	clusterNames: [...string]
+	for cluster in clusterNames {
+		clusters: (cluster): name: cluster
+	}
 }
 
 // #ManagedNamepsaces is the union of all namespaces across all cluster types and optional services.
 // Holos adopts the namespace sameness position of SIG Multicluster, refer to https://github.com/kubernetes/community/blob/dd4c8b704ef1c9c3bfd928c6fa9234276d61ad18/sig-multicluster/namespace-sameness-position-statement.md
 #ManagedNamespaces: {
-	[Name=_]: {
-		name: Name
+	[Name=_]: #ManagedNamespace & {
+		namespace: metadata: name: Name
 	}
 }
 
@@ -309,65 +285,6 @@ _apiVersion: "holos.run/v1alpha1"
 	}
 }
 
-// #APIObjects is the output type for api objects produced by cue.  A map is used to aid debugging and clarity.
-#APIObjects: {
-	// apiObjects holds each the api objects produced by cue.
-	apiObjects: {
-		[Kind=_]: {
-			[Name=_]: metav1.#TypeMeta & {
-				kind: Kind
-			}
-		}
-		ExternalSecret?: [Name=_]: #ExternalSecret & {_name: Name}
-		VirtualService?: [Name=_]: #VirtualService & {metadata: name: Name}
-		Issuer?: [Name=_]: #Issuer & {metadata: name: Name}
-	}
-
-	// apiObjectMap holds the marshalled representation of apiObjects
-	apiObjectMap: {
-		for kind, v in apiObjects {
-			"\(kind)": {
-				for name, obj in v {
-					"\(name)": yaml.Marshal(obj)
-				}
-			}
-		}
-		...
-	}
-}
-
-// #OutputTypeMeta is shared among all output types
-#OutputTypeMeta: {
-	// apiVersion is the output api version
-	apiVersion: _apiVersion
-	// kind is a discriminator of the type of output
-	kind: #PlatformSpec.kind | #KubernetesObjects.kind | #HelmChart.kind | #NoOutput.kind
-	// name holds a unique name suitable for a filename
-	metadata: name: string
-	// debug returns arbitrary debug output.
-	debug?: _
-}
-
-#NoOutput: {
-	#OutputTypeMeta
-	kind: string | *"Skip"
-	metadata: name: string | *"skipped"
-}
-
-// #KubernetesObjectOutput is the output schema of a single component.
-#KubernetesObjects: {
-	#OutputTypeMeta
-	#APIObjects
-	kind: "KubernetesObjects"
-	metadata: name: #InstanceName
-	// ksObjects holds the flux Kustomization objects for gitops
-	ksObjects: [...#Kustomization] | *[#Kustomization]
-	// ksContent is the yaml representation of kustomization
-	ksContent: yaml.Marshal(#Kustomization)
-	// platform returns the platform data structure for visibility / troubleshooting.
-	platform: #Platform
-}
-
 // #Chart defines an upstream helm chart
 #Chart: {
 	name:    string
@@ -382,57 +299,6 @@ _apiVersion: "holos.run/v1alpha1"
 // #ChartValues represent the values provided to a helm chart.  Existing values may be imorted using cue import values.yaml -p holos then wrapping the values.cue content in #Values: {}
 #ChartValues: {...}
 
-// #HelmChart is a holos component which produces kubernetes api objects from cue values provided to the helm template command.
-#HelmChart: {
-	#OutputTypeMeta
-	#APIObjects
-	kind: "HelmChart"
-	metadata: name: #InstanceName
-	// ksObjects holds the flux Kustomization objects for gitops.
-	ksObjects: [...#Kustomization] | *[#Kustomization]
-	// ksContent is the yaml representation of kustomization.
-	ksContent: yaml.MarshalStream(ksObjects)
-	// namespace defines the value passed to the helm --namespace flag
-	namespace: #TargetNamespace
-	// chart defines the upstream helm chart to process.
-	chart: #Chart
-	// values represents the helm values to provide to the chart.
-	values: #ChartValues
-	// valuesContent holds the values yaml
-	valuesContent: yaml.Marshal(values)
-	// platform returns the platform data structure for visibility / troubleshooting.
-	platform: #Platform
-	// instance returns the key values of the holos component instance.
-	instance: #InputKeys
-	// resources is the intermediate file name for api objects.
-	resourcesFile: ResourcesFile
-	// kustomizeFiles represents the files in a kustomize directory tree.
-	kustomizeFiles: #KustomizeFiles.Files
-	// enableHooks removes the --no-hooks flag from helm template
-	enableHooks: true | *false
-}
-
-// #KustomizeBuild is a holos component that uses plain yaml files as the source of api objects for a holos component.
-// Intended for upstream components like the CrunchyData Postgres Operator.  The holos cli is expected to execute kustomize build on the component directory to produce the rendered output.
-#KustomizeBuild: {
-	#OutputTypeMeta
-	#APIObjects
-	kind: "KustomizeBuild"
-	metadata: name: #InstanceName
-	// ksObjects holds the flux Kustomization objects for gitops.
-	ksObjects: [...#Kustomization] | *[#Kustomization]
-	// ksContent is the yaml representation of kustomization.
-	ksContent: yaml.MarshalStream(ksObjects)
-	// namespace defines the value passed to the helm --namespace flag
-	namespace: #TargetNamespace
-}
-
-// #PlatformSpec is the output schema of a platform specification.
-#PlatformSpec: {
-	#OutputTypeMeta
-	kind: "PlatformSpec"
-}
-
 // #SecretName is the name of a Secret, ususally coupling a Deployment to an ExternalSecret
 #SecretName: string
 
@@ -445,28 +311,6 @@ _apiVersion: "holos.run/v1alpha1"
 	...
 }
 
-// #KustomizeTree represents a kustomize build.
-#KustomizeFiles: {
-	Objects: {
-		"kustomization.yaml": #Kustomize
-	}
-	// Files holds the marshaled output holos writes to the filesystem
-	Files: {
-		for filename, obj in Objects {
-			"\(filename)": yaml.Marshal(obj)
-		}
-		...
-	}
-}
-
-// kustomization.yaml
-#Kustomize: kc.#Kustomization & {
-	apiVersion: "kustomize.config.k8s.io/v1beta1"
-	kind:       "Kustomization"
-	resources: [ResourcesFile]
-	...
-}
-
 // #DefaultSecurityContext is the holos default security context to comply with the restricted namespace policy.
 // Refer to https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
 #DefaultSecurityContext: {
@@ -485,7 +329,80 @@ _apiVersion: "holos.run/v1alpha1"
 	spec: secretName: metadata.name
 }
 
-// By default, render kind: Skipped so holos knows to skip over intermediate cue files.
-// This enables the use of holos render ./foo/bar/baz/... when bar contains intermediary constraints which are not complete components.
-// Holos skips over these intermediary cue instances.
-{} & #NoOutput
+// #IsPrimaryCluster is true if the cluster being rendered is the primary cluster
+// Used by the iam project to determine where https://login.example.com is active.
+#IsPrimaryCluster: bool & #ClusterName == #Platform.primaryCluster.name
+
+// #GatewayServer defines the value of the istio Gateway.spec.servers field.
+#GatewayServer: {
+	// The ip or the Unix domain socket to which the listener should
+	// be bound to.
+	bind?:            string
+	defaultEndpoint?: string
+
+	// One or more hosts exposed by this gateway.
+	hosts: [...string]
+
+	// An optional name of the server, when set must be unique across
+	// all servers.
+	name?: string
+
+	// The Port on which the proxy should listen for incoming
+	// connections.
+	port: {
+		// Label assigned to the port.
+		name: string
+
+		// A valid non-negative integer port number.
+		number: int
+
+		// The protocol exposed on the port.
+		protocol:    string
+		targetPort?: int
+	}
+
+	// Set of TLS related options that govern the server's behavior.
+	tls?: {
+		// REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
+		caCertificates?: string
+
+		// Optional: If specified, only support the specified cipher list.
+		cipherSuites?: [...string]
+
+		// For gateways running on Kubernetes, the name of the secret that
+		// holds the TLS certs including the CA certificates.
+		credentialName?: string
+
+		// If set to true, the load balancer will send a 301 redirect for
+		// all http connections, asking the clients to use HTTPS.
+		httpsRedirect?: bool
+
+		// Optional: Maximum TLS protocol version.
+		maxProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
+
+		// Optional: Minimum TLS protocol version.
+		minProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
+
+		// Optional: Indicates whether connections to this port should be
+		// secured using TLS.
+		mode?: "PASSTHROUGH" | "SIMPLE" | "MUTUAL" | "AUTO_PASSTHROUGH" | "ISTIO_MUTUAL" | "OPTIONAL_MUTUAL"
+
+		// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+		privateKey?: string
+
+		// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+		serverCertificate?: string
+
+		// A list of alternate names to verify the subject identity in the
+		// certificate presented by the client.
+		subjectAltNames?: [...string]
+
+		// An optional list of hex-encoded SHA-256 hashes of the
+		// authorized client certificates.
+		verifyCertificateHash?: [...string]
+
+		// An optional list of base64-encoded SHA-256 hashes of the SPKIs
+		// of authorized client certificates.
+		verifyCertificateSpki?: [...string]
+	}
+}