Version 0.84.0

(#180) Configure GitHub Apps Discovery

Dockerfile

@@ -0,0 +1,8 @@
+FROM quay.io/holos-run/debian:bullseye AS final
+USER root
+WORKDIR /app
+ADD bin bin
+RUN chown -R app: /app
+# Kubernetes requires the user to be numeric
+USER 8192
+ENTRYPOINT bin/holos server

Makefile

@@ -7,7 +7,7 @@ REPO_PATH=$(ORG_PATH)/$(PROJ)
 VERSION := $(shell cat version/embedded/major version/embedded/minor version/embedded/patch | xargs printf "%s.%s.%s")
 BIN_NAME := holos
 
-DOCKER_REPO=quay.io/openinfrastructure/holos
+DOCKER_REPO=quay.io/holos-run/holos
 IMAGE_NAME=$(DOCKER_REPO)
 
 $( shell mkdir -p bin)
@@ -147,6 +147,11 @@ frontend: buf
 	cd internal/frontend/holos && ng build
 	touch internal/frontend/frontend.go
 
+.PHONY: image
+image: build
+	docker build . -t ${DOCKER_REPO}:v$(shell ./bin/holos --version)
+	docker push ${DOCKER_REPO}:v$(shell ./bin/holos --version)
+
 .PHONY: help
 help:  ## Display this help menu.
 	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf "  \033[36m%-20s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)

api/v1alpha1/buildplan.go

@@ -16,6 +16,10 @@ type BuildPlan struct {
 type BuildPlanSpec struct {
 	Disabled   bool                `json:"disabled,omitempty" yaml:"disabled,omitempty"`
 	Components BuildPlanComponents `json:"components,omitempty" yaml:"components,omitempty"`
+	// DeployFiles keys represent file paths relative to the cluster deploy
+	// directory.  Map values represent the string encoded file contents.  Used to
+	// write the argocd Application, but may be used to render any file from CUE.
+	DeployFiles FileContentMap `json:"deployFiles,omitempty" yaml:"deployFiles,omitempty"`
 }
 
 type BuildPlanComponents struct {

api/v1alpha1/component.go

@@ -20,3 +20,11 @@ type HolosComponent struct {
 func (hc *HolosComponent) NewResult() *Result {
 	return &Result{HolosComponent: *hc}
 }
+
+func (hc *HolosComponent) GetAPIVersion() string {
+	return hc.APIVersion
+}
+
+func (hc *HolosComponent) GetKind() string {
+	return hc.Kind
+}

api/v1alpha1/helm.go

@@ -6,6 +6,7 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
+	"syscall"
 
 	"github.com/holos-run/holos"
 	"github.com/holos-run/holos/internal/errors"
@@ -121,6 +122,14 @@ func (hc *HelmChart) helm(ctx context.Context, r *Result, path holos.InstancePat
 }
 
 // cacheChart stores a cached copy of Chart in the chart subdirectory of path.
+//
+// It is assumed that the only method responsible for writing to chartDir is
+// cacheChart itself.
+//
+// This relies on the atomicity of moving temporary directories into place on
+// the same filesystem via os.Rename. If a syscall.EEXIST error occurs during
+// renaming, it indicates that the cached chart already exists, which is an
+// expected scenario when this function is called concurrently.
 func cacheChart(ctx context.Context, path holos.InstancePath, chartDir string, chart Chart) error {
 	log := logger.FromContext(ctx)
 
@@ -156,11 +165,16 @@ func cacheChart(ctx context.Context, path holos.InstancePath, chartDir string, c
 		dst := filepath.Join(cachePath, item.Name())
 		log.DebugContext(ctx, "rename", "src", src, "dst", dst)
 		if err := os.Rename(src, dst); err != nil {
-			return errors.Wrap(fmt.Errorf("could not rename: %w", err))
+			var linkErr *os.LinkError
+			if errors.As(err, &linkErr) && errors.Is(linkErr.Err, syscall.EEXIST) {
+				log.DebugContext(ctx, "cache already exists", "chart", chart.Name, "chart_version", chart.Version, "path", cachePath)
+			} else {
+				return errors.Wrap(fmt.Errorf("could not rename: %w", err))
+			}
 		}
 	}
 
-	log.InfoContext(ctx, "cached", "chart", chart.Name, "version", chart.Version, "path", cachePath)
+	log.InfoContext(ctx, "cached", "chart", chart.Name, "chart_version", chart.Version, "path", cachePath)
 
 	return nil
 }

api/v1alpha1/result.go

@@ -17,6 +17,10 @@ type Result struct {
 	HolosComponent
 	// accumulatedOutput accumulates rendered api objects.
 	accumulatedOutput string
+	// DeployFiles keys represent file paths relative to the cluster deploy
+	// directory.  Map values represent the string encoded file contents.  Used to
+	// write the argocd Application, but may be used to render any file from CUE.
+	DeployFiles FileContentMap `json:"deployFiles,omitempty" yaml:"deployFiles,omitempty"`
 }
 
 // Continue returns true if Skip is true indicating the result is to be skipped over.
@@ -133,6 +137,21 @@ func (r *Result) kustomize(ctx context.Context) error {
 	return nil
 }
 
+func (r *Result) WriteDeployFiles(ctx context.Context, path string) error {
+	log := logger.FromContext(ctx)
+	if len(r.DeployFiles) == 0 {
+		return nil
+	}
+	for k, content := range r.DeployFiles {
+		path := filepath.Join(path, k)
+		if err := r.Save(ctx, path, content); err != nil {
+			return errors.Wrap(err)
+		}
+		log.InfoContext(ctx, "wrote deploy file", "path", path, "bytes", len(content))
+	}
+	return nil
+}
+
 // Save writes the content to the filesystem for git ops.
 func (r *Result) Save(ctx context.Context, path string, content string) error {
 	log := logger.FromContext(ctx)
@@ -141,7 +160,7 @@ func (r *Result) Save(ctx context.Context, path string, content string) error {
 		log.WarnContext(ctx, "could not mkdir", "path", dir, "err", err)
 		return errors.Wrap(err)
 	}
-	// Write the kube api objects
+	// Write the file content
 	if err := os.WriteFile(path, []byte(content), os.FileMode(0644)); err != nil {
 		log.WarnContext(ctx, "could not write", "path", path, "err", err)
 		return errors.Wrap(err)

docs/runbooks/argocd.md

@@ -0,0 +1,14 @@
+# ArgoCD
+
+Create the deploy key secret in the management cluster.
+
+```bash
+tmp="$(mktemp -d)"
+(cd $tmp && ssh-keygen -t ed25519 -f sshPrivateKey -m pem -C argocd -N '')
+echo git@github.com:holos-run/holos-infra.git > "${tmp}/url"
+holos create secret -n argocd --append-hash=false creds-holos-infra --from-file $tmp
+rm -rf "$tmp"
+```
+
+When syncing the secret, the ExternalSecret needs to set the label
+`argocd.argoproj.io/secret-type: repo-creds`.

docs/runbooks/login/backups.md

@@ -0,0 +1,97 @@
+# PostgresCluster Backups
+
+This document describes how the S3 bucket for `PostgresCluster` backups is configured.  These buckets are configured both for ZITADEL and for Holos 
+Server and are applicable to any service in Holos that stores data in a pgo `PostgresCluster` resource.
+
+## Create the Bucket
+Name: `holos-zitadel-backups` for `zitadel`
+Name: `holos-server-backups` for `holos server`
+> [!NOTE]
+> The settings below match the default settings recommended by AWS.
+
+Object Ownership: `ACLs disabled` (recommended) Checked.
+Block Public Access settings for this bucket: **`Block all public access`** Checked.
+Bucket Versioning: `Disable`
+Default encryption: `Server-side encryption with Amazon S3 managed keys (SSE-S3)`
+Bucket Key: `Enable`
+Object Lock: `Disable`
+
+## Create an IAM Policy
+Create one IAM Policy for each bucket to grant full access to the bucket.  Replace the resource with each bucket name.
+Name: `holos-zitadel-backups` for `zitadel`
+Name: `holos-server-backups` for `holos server`
+Description: `Read and write access to a specific bucket for pgrest operating within a pgo PostgresCluster.`
+
+Policy JSON:
+```json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "s3:GetBucketLocation",
+                "s3:ListAllMyBuckets"
+            ],
+            "Resource": "arn:aws:s3:::*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": "s3:*",
+            "Resource": [
+                "arn:aws:s3:::holos-zitadel-backups",
+                "arn:aws:s3:::holos-zitadel-backups/*"
+            ]
+        }
+    ]
+}
+```
+## Create an IAM Group
+Create an IAM Group to attach the policy granting access to the bucket.
+Name: `holos-zitadel-backups` for `zitadel`
+Attach permission policies: `holos-zitadel-backups`
+
+Name: `holos-server-backups` for `holos server`
+Attach permission policies: `holos-server-backups`
+## Create the IAM User
+Create an IAM User entity for each PostgresCluster.  Do not provide user access to the AWS Management Console.
+Name: `holos-zitadel-backups` for `zitadel`
+Group: `holos-zitadel-backups`
+
+Name: `holos-server-backups` for `holos server`
+Group: `holos-server-backups`
+
+## Create an Access Key
+Create an access key for `pgbackrest` associated with the `PostgresCluster`.
+
+Description: 
+> Used by pgbackrest associated with the PostgresCluster resource.  Refer to the PostgresCluster resource pgbackrest.cofiguration.secret.name for the stored location of the access key.  Synced from the Management Cluster using an ExternalSecret.
+## Create the Secret
+Create a `Secret` in the holos management cluster usable by pgbackrest.  This is a secret with a single key, `s3.conf` with the following format:
+```
+[global]
+repo2-cipher-pass=
+repo2-s3-key=
+repo2-s3-key-secret=
+repo3-cipher-pass=
+repo3-s3-key=
+repo3-s3-key-secret=
+```
+> [!NOTE]
+> Use the same values for repo2 and repo3.  The purpose is to make space for migrating if need be in the future.
+
+Generate the cipher pass using.  This password is used to encrypt all backups using client side before the backup is written to the bucket.
+```
+tr -dc A-Za-z0-9 </dev/urandom | head -c 64
+```
+
+Store the secret into the management cluster:
+```
+holos create secret --namespace zitadel holos-zitadel-backups \
+  --append-hash=false --from-file .
+```
+
+```
+holos create secret --namespace holos holos-server-backups \
+  --append-hash=false --from-file .
+```

docs/runbooks/namespace.md

@@ -0,0 +1,30 @@
+# Namespaces
+
+Holos follows the [Namespace Sameness - Sig Multicluster Position][1].  A
+namespace is the same on all clusters within the scope of a platform.
+
+Namespaces are also security boundaries for role based access control.  As such,
+permission to read a secret in a namespace means the secret is readable on all
+clusters in the platform.
+
+When adding a component to a platform, create a namespace using the following
+process.  This ensures a namespace scoped `SecretStore` is created to sync
+`ExternalSecret` resources from the management cluster.
+
+ 1. Add a new project to the `_Projects` struct in `platform.cue`.
+ 2. Add the namespace to the `spec.namespaces` field of the project.
+ 3. Render the platform
+ 4. Apply the `namespaces` component to the management cluster
+ 5. Apply the `eso-creds-manager` component to the management cluster to create the `eso-reader` ksa for the namespace `SecretStore`
+ 6. Get a timestamp: `STAMP="$(date +%s)"`
+ 7. Run the job to populate ecr creds: `kubectl create job -n holos-system --from=cronjob/ecr-creds-manager ecr-creds-manager-$STAMP`
+ 8. Wait for the job to complete: `kubectl -n holos-system logs -l job-name=ecr-creds-manager-$STAMP -f`
+ 9. Apply the `namespaces` component to the workload clusters
+ 10. On the workload cluster, run the job to fetch the eso-reader creds: `kubectl create job -n holos-system --from=cronjob/eso-creds-refresher eso-creds-refresher-${STAMP}`
+ 11. Wait for the job to complete: `kubectl -n holos-system logs -l job-name=eso-creds-refresher-${STAMP}`
+ 12. Apply the secretstores component to the workload cluster.
+ 13. Apply any other cluster specific components which were modified by the `holos render platform ./platform` command.
+
+Your namespace is created and you have the ability to create secrets in the management cluster and pull them using ExternalSecret resources. (edited)  
+
+[1]: https://github.com/kubernetes/community/blob/dd4c8b704ef1c9c3bfd928c6fa9234276d61ad18/sig-multicluster/namespace-sameness-position-statement.md

docs/runbooks/workload-identity.md

@@ -0,0 +1,31 @@
+# Workload Identity
+
+When a new workload cluster is provisioned, allow it to access the Management
+Cluster using workload identity.  This is necessary for the
+`eso-creds-refresher` component and `Job` that executes in each workload
+cluster, which in turn enables the `SecretStore` in each namespace to sync
+secrets.
+
+Build the cluster with Cluster API.
+See https://github.com/holos-run/holos-infra/blob/main/hack/capi/eks/aws2/aws2-managedmachinepool.yaml#L81-L84
+
+## Workload Identity Provider
+Add the Cluster as a workload identity provider to the `holos-ops` gcp project.
+
+Pool: [holos](https://console.cloud.google.com/iam-admin/workload-identity-pools/pool/holos?organizationId=358674006047&project=holos-ops)
+Name: `k8s-aws1`, `k8s-aws2`, etc...
+### Issuer URL:
+```
+kubectl create -n default token default | cut -d. -f2 | base64 -d | jq -r .iss
+```
+
+### Audience
+Use the default audience.
+### Attribute Mapping
+
+| Google                           | OIDC                                                   |
+| -------------------------------- | ------------------------------------------------------ |
+| `google.subject`                 | `assertion.sub`                                        |
+| `attribute.service_account_name` | `assertion['kubernetes.io']['serviceaccount']['name']` |
+| `attribute.uid`                  | `assertion['kubernetes.io']['serviceaccount']['uid']`  |
+| `attribute.pod`                  | `assertion['kubernetes.io']['pod']['name']`            |

internal/builder/builder.go

@@ -184,6 +184,10 @@ func (b Builder) runInstance(ctx context.Context, instance *build.Instance) (res
 
 	// New decoder for the full object
 	decoder = json.NewDecoder(bytes.NewReader(jsonBytes))
+
+	// TODO: When we release v1, explicitly allow unknown fields so we can add
+	// fields without needing to bump the major version.  Disallow until we reach
+	// v1 for clear error reporting.
 	decoder.DisallowUnknownFields()
 
 	switch tm.Kind {
@@ -195,11 +199,14 @@ func (b Builder) runInstance(ctx context.Context, instance *build.Instance) (res
 			return
 		}
 		results, err = b.buildPlan(ctx, &bp, path)
+		if err != nil {
+			return results, err
+		}
 	default:
 		err = errors.Wrap(fmt.Errorf("unknown kind: %v", tm.Kind))
 	}
 
-	return
+	return results, err
 }
 
 func (b *Builder) buildPlan(ctx context.Context, buildPlan *v1alpha1.BuildPlan, path holos.InstancePath) (results []*v1alpha1.Result, err error) {
@@ -248,6 +255,17 @@ func (b *Builder) buildPlan(ctx context.Context, buildPlan *v1alpha1.BuildPlan,
 		}
 	}
 
+	// Add a separate Result if there are DeployFiles from the BuildPlan.
+	if len(buildPlan.Spec.DeployFiles) > 0 {
+		results = append(results, &v1alpha1.Result{
+			HolosComponent: v1alpha1.HolosComponent{
+				TypeMeta: buildPlan.TypeMeta,
+				Metadata: buildPlan.Metadata,
+			},
+			DeployFiles: buildPlan.Spec.DeployFiles,
+		})
+	}
+
 	log.DebugContext(ctx, "returning results", "len", len(results))
 
 	return results, nil

internal/cli/pull/pull.go

@@ -38,8 +38,9 @@ func NewPlatform(cfg *client.Config) *cobra.Command {
 }
 
 func NewPlatformConfig(cfg *client.Config) *cobra.Command {
-	cmd := command.New("config")
-	cmd.Short = "pull platform config"
+	cmd := command.New("model")
+	cmd.Aliases = []string{"config"}
+	cmd.Short = "pull platform model"
 	cmd.Args = cobra.MinimumNArgs(1)
 
 	cmd.RunE = func(cmd *cobra.Command, args []string) error {

internal/cli/push/push.go

@@ -35,7 +35,7 @@ func NewPlatform(cfg *client.Config) *cobra.Command {
 	cmd.Args = cobra.NoArgs
 
 	cmd.AddCommand(NewPlatformForm(cfg))
-	// cmd.AddCommand(NewPlatformModel(cfg))
+	cmd.AddCommand(NewPlatformModel(cfg))
 
 	return cmd
 }
@@ -74,3 +74,34 @@ func NewPlatformForm(cfg *client.Config) *cobra.Command {
 
 	return cmd
 }
+
+func NewPlatformModel(cfg *client.Config) *cobra.Command {
+	cmd := command.New("model")
+	cmd.Short = "push platform model to holos server"
+	cmd.Args = cobra.MinimumNArgs(1)
+
+	cmd.RunE = func(cmd *cobra.Command, args []string) error {
+		ctx := cmd.Root().Context()
+		if ctx == nil {
+			return errors.Wrap(errors.New("cannot execute: no context"))
+		}
+		ctx = logger.NewContext(ctx, logger.FromContext(ctx).With("server", cfg.Client().Server()))
+		rpc := client.New(cfg)
+		for _, name := range args {
+			// Get the platform config for the platform id.
+			p, err := client.LoadPlatformConfig(ctx, name)
+			if err != nil {
+				return errors.Wrap(err)
+			}
+
+			// Make the rpc call to update the platform form.
+			if err := rpc.UpdatePlatformModel(ctx, p.PlatformId, p.PlatformModel); err != nil {
+				return errors.Wrap(err)
+			}
+			slog.Default().InfoContext(ctx, fmt.Sprintf("pushed: %s/ui/platform/%s", cfg.Client().Server(), p.PlatformId))
+		}
+		return nil
+	}
+
+	return cmd
+}

internal/cli/render/render.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"flag"
 	"fmt"
+	"runtime"
 
 	"github.com/holos-run/holos/internal/builder"
 	"github.com/holos-run/holos/internal/cli/command"
@@ -43,7 +44,6 @@ func NewComponent(cfg *holos.Config) *cobra.Command {
 
 	cmd.RunE = func(cmd *cobra.Command, args []string) error {
 		ctx := cmd.Root().Context()
-		log := logger.FromContext(ctx).With("cluster", cfg.ClusterName())
 		build := builder.New(builder.Entrypoints(args), builder.Cluster(cfg.ClusterName()))
 
 		if printInstances {
@@ -67,20 +67,38 @@ func NewComponent(cfg *holos.Config) *cobra.Command {
 		// place.
 		var result Result
 		for _, result = range results {
+			log := logger.FromContext(ctx).With(
+				"cluster", cfg.ClusterName(),
+				"name", result.Name(),
+			)
 			if result.Continue() {
 				continue
 			}
+			// DeployFiles from the BuildPlan
+			if err := result.WriteDeployFiles(ctx, cfg.WriteTo()); err != nil {
+				return errors.Wrap(err)
+			}
+			// Build plans don't have anything but DeployFiles to write.
+			if result.GetKind() == "BuildPlan" {
+				continue
+			}
+
 			// API Objects
 			path := result.Filename(cfg.WriteTo(), cfg.ClusterName())
 			if err := result.Save(ctx, path, result.AccumulatedOutput()); err != nil {
 				return errors.Wrap(err)
 			}
 			// Kustomization
-			path = result.KustomizationFilename(cfg.WriteTo(), cfg.ClusterName())
-			if err := result.Save(ctx, path, result.KustomizationContent()); err != nil {
-				return errors.Wrap(err)
+			if result.KustomizationContent() == "" {
+				log.DebugContext(ctx, "flux kustomization: skipped "+result.Name(), "status", "ok", "action", "skipped")
+			} else {
+				path = result.KustomizationFilename(cfg.WriteTo(), cfg.ClusterName())
+				if err := result.Save(ctx, path, result.KustomizationContent()); err != nil {
+					return errors.Wrap(err)
+				}
 			}
-			log.InfoContext(ctx, "rendered "+result.Name(), "status", "ok", "action", "rendered", "name", result.Name())
+
+			log.InfoContext(ctx, "rendered "+result.Name(), "status", "ok", "action", "rendered")
 		}
 		return nil
 	}
@@ -96,6 +114,9 @@ func NewPlatform(cfg *holos.Config) *cobra.Command {
 	cmd.PersistentFlags().AddGoFlagSet(config.ClientFlagSet())
 	cmd.PersistentFlags().AddGoFlagSet(config.TokenFlagSet())
 
+	var concurrency int
+	cmd.Flags().IntVar(&concurrency, "concurrency", min(runtime.NumCPU(), 8), "Number of concurrent components to render")
+
 	cmd.RunE = func(cmd *cobra.Command, args []string) error {
 		ctx := cmd.Root().Context()
 		build := builder.New(builder.Entrypoints(args))
@@ -105,7 +126,7 @@ func NewPlatform(cfg *holos.Config) *cobra.Command {
 			return errors.Wrap(err)
 		}
 
-		return render.Platform(ctx, platform, cmd.ErrOrStderr())
+		return render.Platform(ctx, concurrency, platform, cmd.ErrOrStderr())
 	}
 
 	return cmd
@@ -119,4 +140,7 @@ type Result interface {
 	Save(ctx context.Context, path string, content string) error
 	AccumulatedOutput() string
 	KustomizationContent() string
+	WriteDeployFiles(ctx context.Context, writeTo string) error
+	GetKind() string
+	GetAPIVersion() string
 }

internal/client/client.go

@@ -91,6 +91,22 @@ func (c *Client) UpdateForm(ctx context.Context, platformID string, form *object
 	return nil
 }
 
+func (c *Client) UpdatePlatformModel(ctx context.Context, platformID string, model *structpb.Struct) error {
+	start := time.Now()
+	req := &platform.UpdatePlatformRequest{
+		PlatformId: platformID,
+		Update:     &platform.PlatformMutation{Model: model},
+		UpdateMask: &fieldmaskpb.FieldMask{Paths: []string{"model"}},
+	}
+	_, err := c.pltSvc.UpdatePlatform(ctx, connect.NewRequest(req))
+	if err != nil {
+		return errors.Wrap(err)
+	}
+	log := logger.FromContext(ctx)
+	log.DebugContext(ctx, "updated platform", "platform_id", platformID, "duration", time.Since(start))
+	return nil
+}
+
 // PlatformModel gets the platform model from the PlatformService.
 func (c *Client) PlatformModel(ctx context.Context, platformID string) (*structpb.Struct, error) {
 	start := time.Now()

internal/frontend/holos/package-lock.json

@@ -18,7 +18,7 @@
         "@angular/platform-browser": "^17.3.0",
         "@angular/platform-browser-dynamic": "^17.3.0",
         "@angular/router": "^17.3.0",
-        "@bufbuild/protobuf": "^1.9.0",
+        "@bufbuild/protobuf": "^1.10.0",
         "@connectrpc/connect": "^1.4.0",
         "@connectrpc/connect-query": "^1.4.1",
         "@connectrpc/connect-web": "^1.4.0",
@@ -37,8 +37,8 @@
         "@angular-eslint/template-parser": "17.3.0",
         "@angular/cli": "^17.3.4",
         "@angular/compiler-cli": "^17.3.0",
-        "@bufbuild/buf": "^1.32.1",
-        "@bufbuild/protoc-gen-es": "^1.9.0",
+        "@bufbuild/buf": "^1.32.2",
+        "@bufbuild/protoc-gen-es": "^1.10.0",
         "@connectrpc/protoc-gen-connect-es": "^1.4.0",
         "@connectrpc/protoc-gen-connect-query": "^1.4.1",
         "@ngx-formly/schematics": "^6.3.0",
@@ -2494,9 +2494,9 @@
       }
     },
     "node_modules/@bufbuild/buf": {
-      "version": "1.32.1",
-      "resolved": "https://registry.npmjs.org/@bufbuild/buf/-/buf-1.32.1.tgz",
-      "integrity": "sha512-uPVhqDzYtz9Q7WTodCschf9xXKL5/TQHtU1fKOUmain/dGe66YtSU4LQ0SWmxAQEJIUSmkH4UOPgKEzNMKdWeg==",
+      "version": "1.32.2",
+      "resolved": "https://registry.npmjs.org/@bufbuild/buf/-/buf-1.32.2.tgz",
+      "integrity": "sha512-WL2mpou8k9EBo2US0KyZhFSHrDmRZvv5ZMp7lywUFb+3lW1+E/OZnBaBYTrSAb9vfzSmwdRsSOJwKdDpfbjdSg==",
       "dev": true,
       "hasInstallScript": true,
       "bin": {
@@ -2508,18 +2508,18 @@
         "node": ">=12"
       },
       "optionalDependencies": {
-        "@bufbuild/buf-darwin-arm64": "1.32.1",
-        "@bufbuild/buf-darwin-x64": "1.32.1",
-        "@bufbuild/buf-linux-aarch64": "1.32.1",
-        "@bufbuild/buf-linux-x64": "1.32.1",
-        "@bufbuild/buf-win32-arm64": "1.32.1",
-        "@bufbuild/buf-win32-x64": "1.32.1"
+        "@bufbuild/buf-darwin-arm64": "1.32.2",
+        "@bufbuild/buf-darwin-x64": "1.32.2",
+        "@bufbuild/buf-linux-aarch64": "1.32.2",
+        "@bufbuild/buf-linux-x64": "1.32.2",
+        "@bufbuild/buf-win32-arm64": "1.32.2",
+        "@bufbuild/buf-win32-x64": "1.32.2"
       }
     },
     "node_modules/@bufbuild/buf-darwin-arm64": {
-      "version": "1.32.1",
-      "resolved": "https://registry.npmjs.org/@bufbuild/buf-darwin-arm64/-/buf-darwin-arm64-1.32.1.tgz",
-      "integrity": "sha512-Duw4StB5sth8s4cQfOa7Be6+OAXfGuuo3ZOkUzJTxWOVH0sWq0nTkO90kXMJOjOkmB/JMnqRQcVAdKuu9u1pcw==",
+      "version": "1.32.2",
+      "resolved": "https://registry.npmjs.org/@bufbuild/buf-darwin-arm64/-/buf-darwin-arm64-1.32.2.tgz",
+      "integrity": "sha512-AR6WlhY6CmLlZetvYzLjbyVpU5jM4eDd3PRTUAK5NcpqIPdCMiMK9nc33Yxc8pO04Lv4yrYdzWnFqZdbCzsS2g==",
       "cpu": [
         "arm64"
       ],
@@ -2533,9 +2533,9 @@
       }
     },
     "node_modules/@bufbuild/buf-darwin-x64": {
-      "version": "1.32.1",
-      "resolved": "https://registry.npmjs.org/@bufbuild/buf-darwin-x64/-/buf-darwin-x64-1.32.1.tgz",
-      "integrity": "sha512-3ANVbOoSmfdFxhOvjMDLTr2u35+mdEQcF9Tx39ZEA+Las0WucV6n/bGPwucpH04a9UsW59npNt3IzA4VvUDcyw==",
+      "version": "1.32.2",
+      "resolved": "https://registry.npmjs.org/@bufbuild/buf-darwin-x64/-/buf-darwin-x64-1.32.2.tgz",
+      "integrity": "sha512-ZmVYsMcS06KHZYy4DmKf95BnDWji5/xo42oybqjtlE/wPGKNpqgiq0UGHSlK0oCh67sybHidXVci6LC95xHNrw==",
       "cpu": [
         "x64"
       ],
@@ -2549,9 +2549,9 @@
       }
     },
     "node_modules/@bufbuild/buf-linux-aarch64": {
-      "version": "1.32.1",
-      "resolved": "https://registry.npmjs.org/@bufbuild/buf-linux-aarch64/-/buf-linux-aarch64-1.32.1.tgz",
-      "integrity": "sha512-QdGirTSFU/WzI/lBo9ph4ThQJS9S8Zm3l/7hg+07GrF57VqB1pUZvnh2298R10/kLKP6lpMtqeVrjMhIcHtxTw==",
+      "version": "1.32.2",
+      "resolved": "https://registry.npmjs.org/@bufbuild/buf-linux-aarch64/-/buf-linux-aarch64-1.32.2.tgz",
+      "integrity": "sha512-OG509xwJHjuzSn5nNrVWghW/RpB76Ovhj7LCKi52QVh/qQq6VUXeQk42XIWjXY/Cmzmg81G7t97kLw27JLzH0w==",
       "cpu": [
         "arm64"
       ],
@@ -2565,9 +2565,9 @@
       }
     },
     "node_modules/@bufbuild/buf-linux-x64": {
-      "version": "1.32.1",
-      "resolved": "https://registry.npmjs.org/@bufbuild/buf-linux-x64/-/buf-linux-x64-1.32.1.tgz",
-      "integrity": "sha512-6R8whslj+6WQi9nUjVkNx6AW64czFOFD22dLmrB4i3bY/WDku+/5CNHBU/On738pmgujQrEVT4ztB6fVmVtKOg==",
+      "version": "1.32.2",
+      "resolved": "https://registry.npmjs.org/@bufbuild/buf-linux-x64/-/buf-linux-x64-1.32.2.tgz",
+      "integrity": "sha512-TFNN87nhLyGFUKOy3beU/0GZk7TEs57J5VQczSq83rHLC+7t1nDuk5Rew8QEyV0OzEzZF+BkpLZj0jY+dWg6/g==",
       "cpu": [
         "x64"
       ],
@@ -2581,9 +2581,9 @@
       }
     },
     "node_modules/@bufbuild/buf-win32-arm64": {
-      "version": "1.32.1",
-      "resolved": "https://registry.npmjs.org/@bufbuild/buf-win32-arm64/-/buf-win32-arm64-1.32.1.tgz",
-      "integrity": "sha512-QPDxdLRxJpiCTEx7/5bIN3V3EPGvZ1+dyEco6d1qIydDrH9BbCWNy9YLPJOaDxAbewW4lrAX73FmMTTM4tNtbw==",
+      "version": "1.32.2",
+      "resolved": "https://registry.npmjs.org/@bufbuild/buf-win32-arm64/-/buf-win32-arm64-1.32.2.tgz",
+      "integrity": "sha512-SsGUfILZblPNbCgG6W9DxzCdfHnT2YTYQEkCS877DL1wkWMlMJ/ijZA9Cg2fx8NrLKzFTKC1nlTfqRBcLPf2Mg==",
       "cpu": [
         "arm64"
       ],
@@ -2597,9 +2597,9 @@
       }
     },
     "node_modules/@bufbuild/buf-win32-x64": {
-      "version": "1.32.1",
-      "resolved": "https://registry.npmjs.org/@bufbuild/buf-win32-x64/-/buf-win32-x64-1.32.1.tgz",
-      "integrity": "sha512-rZSM5id3zko+YQICZB3ypj+AVL0rcN7gra8SN4Ep4aOWAH6gib3RgH51cFcq9VgI1N1xTBy8wZvQMnMLPBn2zg==",
+      "version": "1.32.2",
+      "resolved": "https://registry.npmjs.org/@bufbuild/buf-win32-x64/-/buf-win32-x64-1.32.2.tgz",
+      "integrity": "sha512-FXOHmXB0kxQ7nQ0JYWpByl6/ebkKwWPPjucOHIDcfo7czg5ZD/fRusb738YJ1qeN+5RXybkvhJIrewxVnhYuhg==",
       "cpu": [
         "x64"
       ],
@@ -2613,18 +2613,18 @@
       }
     },
     "node_modules/@bufbuild/protobuf": {
-      "version": "1.9.0",
-      "resolved": "https://registry.npmjs.org/@bufbuild/protobuf/-/protobuf-1.9.0.tgz",
-      "integrity": "sha512-W7gp8Q/v1NlCZLsv8pQ3Y0uCu/SHgXOVFK+eUluUKWXmsb6VHkpNx0apdOWWcDbB9sJoKeP8uPrjmehJz6xETQ=="
+      "version": "1.10.0",
+      "resolved": "https://registry.npmjs.org/@bufbuild/protobuf/-/protobuf-1.10.0.tgz",
+      "integrity": "sha512-QDdVFLoN93Zjg36NoQPZfsVH9tZew7wKDKyV5qRdj8ntT4wQCOradQjRaTdwMhWUYsgKsvCINKKm87FdEk96Ag=="
     },
     "node_modules/@bufbuild/protoc-gen-es": {
-      "version": "1.9.0",
-      "resolved": "https://registry.npmjs.org/@bufbuild/protoc-gen-es/-/protoc-gen-es-1.9.0.tgz",
-      "integrity": "sha512-LJy1nC3Jsfdhs9v48P7qF6YXIqh+usFhXSVzJDTmw0yKjxQ3CKBNISRtaMql/g9hb1MLRU6unHCcFfdz4HSO/Q==",
+      "version": "1.10.0",
+      "resolved": "https://registry.npmjs.org/@bufbuild/protoc-gen-es/-/protoc-gen-es-1.10.0.tgz",
+      "integrity": "sha512-zBYBsVT/ul4uZb6F+kD7/k4sWNHVVbEPfJwKi0FDr+9VJo8MKIofI6pkr5ksBLr4fi/74r+e/75Xi/0clL5dXg==",
       "dev": true,
       "dependencies": {
-        "@bufbuild/protobuf": "^1.9.0",
-        "@bufbuild/protoplugin": "1.9.0"
+        "@bufbuild/protobuf": "^1.10.0",
+        "@bufbuild/protoplugin": "1.10.0"
       },
       "bin": {
         "protoc-gen-es": "bin/protoc-gen-es"
@@ -2633,7 +2633,7 @@
         "node": ">=14"
       },
       "peerDependencies": {
-        "@bufbuild/protobuf": "1.9.0"
+        "@bufbuild/protobuf": "1.10.0"
       },
       "peerDependenciesMeta": {
         "@bufbuild/protobuf": {
@@ -2642,12 +2642,12 @@
       }
     },
     "node_modules/@bufbuild/protoplugin": {
-      "version": "1.9.0",
-      "resolved": "https://registry.npmjs.org/@bufbuild/protoplugin/-/protoplugin-1.9.0.tgz",
-      "integrity": "sha512-/mxMiGs5h78RUHT7v4+mv0Wt0gyRf/SOS5PLzKEg2sclEAlFPbXfZ8HjlvxJpXZP/YpP3HvsW/mil3E69G0mXg==",
+      "version": "1.10.0",
+      "resolved": "https://registry.npmjs.org/@bufbuild/protoplugin/-/protoplugin-1.10.0.tgz",
+      "integrity": "sha512-u6NE4vL0lw1+EK4/PiE/SQB7fKO4LRJNTEScIXVOi2x88K/c8WKc/k0KyEaA0asVBMpwekJQZGnRyj04ZtN5Gg==",
       "dev": true,
       "dependencies": {
-        "@bufbuild/protobuf": "1.9.0",
+        "@bufbuild/protobuf": "1.10.0",
         "@typescript/vfs": "^1.4.0",
         "typescript": "4.5.2"
       }

internal/frontend/holos/package.json

@@ -21,7 +21,7 @@
     "@angular/platform-browser": "^17.3.0",
     "@angular/platform-browser-dynamic": "^17.3.0",
     "@angular/router": "^17.3.0",
-    "@bufbuild/protobuf": "^1.9.0",
+    "@bufbuild/protobuf": "^1.10.0",
     "@connectrpc/connect": "^1.4.0",
     "@connectrpc/connect-query": "^1.4.1",
     "@connectrpc/connect-web": "^1.4.0",
@@ -40,8 +40,8 @@
     "@angular-eslint/template-parser": "17.3.0",
     "@angular/cli": "^17.3.4",
     "@angular/compiler-cli": "^17.3.0",
-    "@bufbuild/buf": "^1.32.1",
-    "@bufbuild/protoc-gen-es": "^1.9.0",
+    "@bufbuild/buf": "^1.32.2",
+    "@bufbuild/protoc-gen-es": "^1.10.0",
     "@connectrpc/protoc-gen-connect-es": "^1.4.0",
     "@connectrpc/protoc-gen-connect-query": "^1.4.1",
     "@ngx-formly/schematics": "^6.3.0",

internal/frontend/holos/src/app/gen/holos/object/v1alpha1/object_pb.ts

@@ -1,4 +1,4 @@
-// @generated by protoc-gen-es v1.9.0 with parameter "target=ts"
+// @generated by protoc-gen-es v1.10.0 with parameter "target=ts"
 // @generated from file holos/object/v1alpha1/object.proto (package holos.object.v1alpha1, syntax proto3)
 /* eslint-disable */
 // @ts-nocheck

internal/frontend/holos/src/app/gen/holos/organization/v1alpha1/organization_pb.ts

@@ -1,4 +1,4 @@
-// @generated by protoc-gen-es v1.9.0 with parameter "target=ts"
+// @generated by protoc-gen-es v1.10.0 with parameter "target=ts"
 // @generated from file holos/organization/v1alpha1/organization.proto (package holos.organization.v1alpha1, syntax proto3)
 /* eslint-disable */
 // @ts-nocheck

internal/frontend/holos/src/app/gen/holos/organization/v1alpha1/organization_service_pb.ts

@@ -1,4 +1,4 @@
-// @generated by protoc-gen-es v1.9.0 with parameter "target=ts"
+// @generated by protoc-gen-es v1.10.0 with parameter "target=ts"
 // @generated from file holos/organization/v1alpha1/organization_service.proto (package holos.organization.v1alpha1, syntax proto3)
 /* eslint-disable */
 // @ts-nocheck

internal/frontend/holos/src/app/gen/holos/platform/v1alpha1/platform_pb.ts

@@ -1,4 +1,4 @@
-// @generated by protoc-gen-es v1.9.0 with parameter "target=ts"
+// @generated by protoc-gen-es v1.10.0 with parameter "target=ts"
 // @generated from file holos/platform/v1alpha1/platform.proto (package holos.platform.v1alpha1, syntax proto3)
 /* eslint-disable */
 // @ts-nocheck

internal/frontend/holos/src/app/gen/holos/platform/v1alpha1/platform_service_pb.ts

@@ -1,4 +1,4 @@
-// @generated by protoc-gen-es v1.9.0 with parameter "target=ts"
+// @generated by protoc-gen-es v1.10.0 with parameter "target=ts"
 // @generated from file holos/platform/v1alpha1/platform_service.proto (package holos.platform.v1alpha1, syntax proto3)
 /* eslint-disable */
 // @ts-nocheck

internal/frontend/holos/src/app/gen/holos/storage/v1alpha1/storage_pb.ts

@@ -1,4 +1,4 @@
-// @generated by protoc-gen-es v1.9.0 with parameter "target=ts"
+// @generated by protoc-gen-es v1.10.0 with parameter "target=ts"
 // @generated from file holos/storage/v1alpha1/storage.proto (package holos.storage.v1alpha1, syntax proto3)
 /* eslint-disable */
 // @ts-nocheck

internal/frontend/holos/src/app/gen/holos/system/v1alpha1/system_pb.ts

@@ -1,4 +1,4 @@
-// @generated by protoc-gen-es v1.9.0 with parameter "target=ts"
+// @generated by protoc-gen-es v1.10.0 with parameter "target=ts"
 // @generated from file holos/system/v1alpha1/system.proto (package holos.system.v1alpha1, syntax proto3)
 /* eslint-disable */
 // @ts-nocheck

internal/frontend/holos/src/app/gen/holos/system/v1alpha1/system_service_pb.ts

@@ -1,4 +1,4 @@
-// @generated by protoc-gen-es v1.9.0 with parameter "target=ts"
+// @generated by protoc-gen-es v1.10.0 with parameter "target=ts"
 // @generated from file holos/system/v1alpha1/system_service.proto (package holos.system.v1alpha1, syntax proto3)
 /* eslint-disable */
 // @ts-nocheck

internal/frontend/holos/src/app/gen/holos/user/v1alpha1/user_pb.ts

@@ -1,4 +1,4 @@
-// @generated by protoc-gen-es v1.9.0 with parameter "target=ts"
+// @generated by protoc-gen-es v1.10.0 with parameter "target=ts"
 // @generated from file holos/user/v1alpha1/user.proto (package holos.user.v1alpha1, syntax proto3)
 /* eslint-disable */
 // @ts-nocheck

internal/frontend/holos/src/app/gen/holos/user/v1alpha1/user_service_pb.ts

@@ -1,4 +1,4 @@
-// @generated by protoc-gen-es v1.9.0 with parameter "target=ts"
+// @generated by protoc-gen-es v1.10.0 with parameter "target=ts"
 // @generated from file holos/user/v1alpha1/user_service.proto (package holos.user.v1alpha1, syntax proto3)
 /* eslint-disable */
 // @ts-nocheck

internal/generate/components/cue/argocd/argocd.cue

@@ -0,0 +1,4 @@
+package holos
+
+// Produce a kubectl kustomize build plan.
+(#Kustomize & {Name: "{{ .Name }}"}).Output

internal/generate/components/cue/argocd/kustomization.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: "{{ .Namespace }}"
+resources:
+  - "https://raw.githubusercontent.com/argoproj/argo-cd/v{{ .Version }}/manifests/install.yaml"

internal/generate/components/cue/argocd/schematic.json

@@ -0,0 +1,7 @@
+{
+  "name": "argocd",
+  "namespace": "argocd",
+  "short": "argocd kustomize",
+  "long": "Manage argocd using a kustomization.yaml build plan.",
+  "version": "2.11.2"
+}

internal/generate/generate.go

@@ -55,7 +55,7 @@ func copyEmbedFS(ctx context.Context, srcFS embed.FS, srcPath, dstPath string, m
 		}
 
 		buf := mapFunc(data)
-		if err := os.WriteFile(dstFullPath, buf.Bytes(), os.ModePerm); err != nil {
+		if err := os.WriteFile(dstFullPath, buf.Bytes(), 0666); err != nil {
 			return errors.Wrap(err)
 		}
 

internal/generate/platforms/cue.mod/gen/argoproj.io/appproject/v1alpha1/types_gen.cue

@@ -0,0 +1,189 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f deploy/clusters/aws2/components/argocd-crds/argocd-crds.gen.yaml
+
+package v1alpha1
+
+import "strings"
+
+// AppProject provides a logical grouping of applications,
+// providing controls for: * where the apps may deploy to
+// (cluster whitelist) * what may be deployed (repository
+// whitelist, resource whitelist/blacklist) * who can access
+// these applications (roles, OIDC group claims bindings) * and
+// what they can do (RBAC policies) * automation access to these
+// roles (JWT tokens)
+#AppProject: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "argoproj.io/v1alpha1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "AppProject"
+	metadata: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// AppProjectSpec is the specification of an AppProject
+	spec!: #AppProjectSpec
+}
+
+// AppProjectSpec is the specification of an AppProject
+#AppProjectSpec: {
+	// ClusterResourceBlacklist contains list of blacklisted cluster
+	// level resources
+	clusterResourceBlacklist?: [...{
+		group: string
+		kind:  string
+	}]
+
+	// ClusterResourceWhitelist contains list of whitelisted cluster
+	// level resources
+	clusterResourceWhitelist?: [...{
+		group: string
+		kind:  string
+	}]
+
+	// Description contains optional project description
+	description?: string
+
+	// Destinations contains list of destinations available for
+	// deployment
+	destinations?: [...{
+		// Name is an alternate way of specifying the target cluster by
+		// its symbolic name. This must be set if Server is not set.
+		name?: string
+
+		// Namespace specifies the target namespace for the application's
+		// resources. The namespace will only be set for namespace-scoped
+		// resources that have not set a value for .metadata.namespace
+		namespace?: string
+
+		// Server specifies the URL of the target cluster's Kubernetes
+		// control plane API. This must be set if Name is not set.
+		server?: string
+	}]
+
+	// NamespaceResourceBlacklist contains list of blacklisted
+	// namespace level resources
+	namespaceResourceBlacklist?: [...{
+		group: string
+		kind:  string
+	}]
+
+	// NamespaceResourceWhitelist contains list of whitelisted
+	// namespace level resources
+	namespaceResourceWhitelist?: [...{
+		group: string
+		kind:  string
+	}]
+
+	// OrphanedResources specifies if controller should monitor
+	// orphaned resources of apps in this project
+	orphanedResources?: {
+		// Ignore contains a list of resources that are to be excluded
+		// from orphaned resources monitoring
+		ignore?: [...{
+			group?: string
+			kind?:  string
+			name?:  string
+		}]
+
+		// Warn indicates if warning condition should be created for apps
+		// which have orphaned resources
+		warn?: bool
+	}
+
+	// PermitOnlyProjectScopedClusters determines whether destinations
+	// can only reference clusters which are project-scoped
+	permitOnlyProjectScopedClusters?: bool
+
+	// Roles are user defined RBAC roles associated with this project
+	roles?: [...{
+		// Description is a description of the role
+		description?: string
+
+		// Groups are a list of OIDC group claims bound to this role
+		groups?: [...string]
+
+		// JWTTokens are a list of generated JWT tokens bound to this role
+		jwtTokens?: [...{
+			exp?: int
+			iat:  int
+			id?:  string
+		}]
+
+		// Name is a name for this role
+		name: string
+
+		// Policies Stores a list of casbin formatted strings that define
+		// access policies for the role in the project
+		policies?: [...string]
+	}]
+
+	// SignatureKeys contains a list of PGP key IDs that commits in
+	// Git must be signed with in order to be allowed for sync
+	signatureKeys?: [...{
+		// The ID of the key in hexadecimal notation
+		keyID: string
+	}]
+
+	// SourceNamespaces defines the namespaces application resources
+	// are allowed to be created in
+	sourceNamespaces?: [...string]
+
+	// SourceRepos contains list of repository URLs which can be used
+	// for deployment
+	sourceRepos?: [...string]
+
+	// SyncWindows controls when syncs can be run for apps in this
+	// project
+	syncWindows?: [...{
+		// Applications contains a list of applications that the window
+		// will apply to
+		applications?: [...string]
+
+		// Clusters contains a list of clusters that the window will apply
+		// to
+		clusters?: [...string]
+
+		// Duration is the amount of time the sync window will be open
+		duration?: string
+
+		// Kind defines if the window allows or blocks syncs
+		kind?: string
+
+		// ManualSync enables manual syncs when they would otherwise be
+		// blocked
+		manualSync?: bool
+
+		// Namespaces contains a list of namespaces that the window will
+		// apply to
+		namespaces?: [...string]
+
+		// Schedule is the time the window will begin, specified in cron
+		// format
+		schedule?: string
+
+		// TimeZone of the sync that will be applied to the schedule
+		timeZone?: string
+	}]
+}

internal/generate/platforms/cue.mod/gen/aws.upbound.io/providerconfig/v1beta1/types_gen.cue

@@ -0,0 +1,340 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://raw.githubusercontent.com/crossplane-contrib/provider-upjet-aws/v1.5.0/package/crds/aws.upbound.io_providerconfigs.yaml
+
+package v1beta1
+
+import "strings"
+
+// A ProviderConfig configures the AWS provider.
+#ProviderConfig: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object.
+	// Servers should convert recognized schemas to the latest
+	// internal value, and
+	// may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "aws.upbound.io/v1beta1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents.
+	// Servers may infer this from the endpoint the client submits
+	// requests to.
+	// Cannot be updated.
+	// In CamelCase.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "ProviderConfig"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// A ProviderConfigSpec defines the desired state of a
+	// ProviderConfig.
+	spec!: #ProviderConfigSpec
+}
+
+// A ProviderConfigSpec defines the desired state of a
+// ProviderConfig.
+#ProviderConfigSpec: {
+	// AssumeRoleChain defines the options for assuming an IAM role
+	assumeRoleChain?: [...{
+		// ExternalID is the external ID used when assuming role.
+		externalID?: string
+
+		// AssumeRoleARN to assume with provider credentials
+		roleARN?: string
+
+		// Tags is list of session tags that you want to pass. Each
+		// session tag consists of a key
+		// name and an associated value. For more information about
+		// session tags, see
+		// Tagging STS Sessions
+		// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html).
+		tags?: [...{
+			// Name of the tag.
+			// Key is a required field
+			key: string
+
+			// Value of the tag.
+			// Value is a required field
+			value: string
+		}]
+
+		// TransitiveTagKeys is a list of keys for session tags that you
+		// want to set as transitive. If you set a
+		// tag key as transitive, the corresponding key and value passes
+		// to subsequent
+		// sessions in a role chain. For more information, see Chaining
+		// Roles with Session Tags
+		// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining).
+		transitiveTagKeys?: [...string]
+	}]
+
+	// Credentials required to authenticate to this provider.
+	credentials: {
+		env?: {
+			// Name is the name of an environment variable.
+			name: string
+		}
+		fs?: {
+			// Path is a filesystem path.
+			path: string
+		}
+
+		// A SecretRef is a reference to a secret key that contains the
+		// credentials
+		// that must be used to connect to the provider.
+		secretRef?: {
+			// The key to select.
+			key: string
+
+			// Name of the secret.
+			name: string
+
+			// Namespace of the secret.
+			namespace: string
+		}
+
+		// Source of the provider credentials.
+		source: "None" | "Secret" | "IRSA" | "WebIdentity" | "Upbound"
+		upbound?: {
+			// WebIdentity defines the options for assuming an IAM role with a
+			// Web
+			// Identity.
+			webIdentity?: {
+				// AssumeRoleARN to assume with provider credentials
+				roleARN?: string
+
+				// RoleSessionName is the session name, if you wish to uniquely
+				// identify this session.
+				roleSessionName?: string
+
+				// TokenConfig is the Web Identity Token config to assume the
+				// role.
+				tokenConfig?: {
+					fs?: {
+						// Path is a filesystem path.
+						path: string
+					}
+
+					// A SecretRef is a reference to a secret key that contains the
+					// credentials
+					// that must be used to obtain the web identity token.
+					secretRef?: {
+						// The key to select.
+						key: string
+
+						// Name of the secret.
+						name: string
+
+						// Namespace of the secret.
+						namespace: string
+					}
+
+					// Source is the source of the web identity token.
+					source: "Secret" | "Filesystem"
+				}
+			}
+		}
+
+		// WebIdentity defines the options for assuming an IAM role with a
+		// Web Identity.
+		webIdentity?: {
+			// AssumeRoleARN to assume with provider credentials
+			roleARN?: string
+
+			// RoleSessionName is the session name, if you wish to uniquely
+			// identify this session.
+			roleSessionName?: string
+
+			// TokenConfig is the Web Identity Token config to assume the
+			// role.
+			tokenConfig?: {
+				fs?: {
+					// Path is a filesystem path.
+					path: string
+				}
+
+				// A SecretRef is a reference to a secret key that contains the
+				// credentials
+				// that must be used to obtain the web identity token.
+				secretRef?: {
+					// The key to select.
+					key: string
+
+					// Name of the secret.
+					name: string
+
+					// Namespace of the secret.
+					namespace: string
+				}
+
+				// Source is the source of the web identity token.
+				source: "Secret" | "Filesystem"
+			}
+		}
+	}
+
+	// Endpoint is where you can override the default endpoint
+	// configuration
+	// of AWS calls made by the provider.
+	endpoint?: {
+		// Specifies if the endpoint's hostname can be modified by the
+		// SDK's API
+		// client.
+		//
+		//
+		// If the hostname is mutable the SDK API clients may modify any
+		// part of
+		// the hostname based on the requirements of the API, (e.g.
+		// adding, or
+		// removing content in the hostname). Such as, Amazon S3 API
+		// client
+		// prefixing "bucketname" to the hostname, or changing the
+		// hostname service name component from "s3." to
+		// "s3-accesspoint.dualstack."
+		// for the dualstack endpoint of an S3 Accesspoint resource.
+		//
+		//
+		// Care should be taken when providing a custom endpoint for an
+		// API. If the
+		// endpoint hostname is mutable, and the client cannot modify the
+		// endpoint
+		// correctly, the operation call will most likely fail, or have
+		// undefined
+		// behavior.
+		//
+		//
+		// If hostname is immutable, the SDK API clients will not modify
+		// the
+		// hostname of the URL. This may cause the API client not to
+		// function
+		// correctly if the API requires the operation specific hostname
+		// values
+		// to be used by the client.
+		//
+		//
+		// This flag does not modify the API client's behavior if this
+		// endpoint
+		// will be used instead of Endpoint Discovery, or if the endpoint
+		// will be
+		// used to perform Endpoint Discovery. That behavior is configured
+		// via the
+		// API Client's Options.
+		// Note that this is effective only for resources that use AWS SDK
+		// v2.
+		hostnameImmutable?: bool
+
+		// The AWS partition the endpoint belongs to.
+		partitionId?: string
+
+		// Specifies the list of services you want endpoint to be used for
+		services?: [...string]
+
+		// The signing method that should be used for signing the requests
+		// to the
+		// endpoint.
+		signingMethod?: string
+
+		// The service name that should be used for signing the requests
+		// to the
+		// endpoint.
+		signingName?: string
+
+		// The region that should be used for signing the request to the
+		// endpoint.
+		// For IAM, which doesn't have any region, us-east-1 is used to
+		// sign the
+		// requests, which is the only signing region of IAM.
+		signingRegion?: string
+
+		// The source of the Endpoint. By default, this will be
+		// ServiceMetadata.
+		// When providing a custom endpoint, you should set the source as
+		// Custom.
+		// If source is not provided when providing a custom endpoint, the
+		// SDK may not
+		// perform required host mutations correctly. Source should be
+		// used along with
+		// HostnameImmutable property as per the usage requirement.
+		// Note that this is effective only for resources that use AWS SDK
+		// v2.
+		source?: "ServiceMetadata" | "Custom"
+
+		// URL lets you configure the endpoint URL to be used in SDK
+		// calls.
+		url: {
+			// Dynamic lets you configure the behavior of endpoint URL
+			// resolver.
+			dynamic?: {
+				// Host is the address of the main host that the resolver will use
+				// to
+				// prepend protocol, service and region configurations.
+				// For example, the final URL for EC2 in us-east-1 looks like
+				// https://ec2.us-east-1.amazonaws.com
+				// You would need to use "amazonaws.com" as Host and "https" as
+				// protocol
+				// to have the resolver construct it.
+				host: string
+
+				// Protocol is the HTTP protocol that will be used in the URL.
+				// Currently,
+				// only http and https are supported.
+				protocol: "http" | "https"
+			}
+
+			// Static is the full URL you'd like the AWS SDK to use.
+			// Recommended for using tools like localstack where a single host
+			// is exposed
+			// for all services and regions.
+			static?: string
+
+			// You can provide a static URL that will be used regardless of
+			// the service
+			// and region by choosing Static type. Alternatively, you can
+			// provide
+			// configuration for dynamically resolving the URL with the config
+			// you provide
+			// once you set the type as Dynamic.
+			type: "Static" | "Dynamic"
+		}
+	}
+
+	// Whether to enable the request to use path-style addressing,
+	// i.e., https://s3.amazonaws.com/BUCKET/KEY.
+	s3_use_path_style?: bool
+
+	// Whether to skip credentials validation via the STS API.
+	// This can be useful for testing and for AWS API implementations
+	// that do not have STS available.
+	skip_credentials_validation?: bool
+
+	// Whether to skip the AWS Metadata API check
+	// Useful for AWS API implementations that do not have a metadata
+	// API endpoint.
+	skip_metadata_api_check?: bool
+
+	// Whether to skip validation of provided region name.
+	// Useful for AWS-like implementations that use their own region
+	// names or to bypass the validation for
+	// regions that aren't publicly available yet.
+	skip_region_validation?: bool
+
+	// Whether to skip requesting the account ID.
+	// Useful for AWS API implementations that do not have the IAM,
+	// STS API, or metadata API
+	skip_requesting_account_id?: bool
+}

internal/generate/platforms/cue.mod/gen/cert-manager.io/certificate/v1/types_gen.cue

@@ -0,0 +1,422 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-certmanager/prod-mesh-certmanager.gen.yaml
+
+package v1
+
+import "strings"
+
+// A Certificate resource should be created to ensure an up to
+// date and signed X.509 certificate is stored in the Kubernetes
+// Secret resource named in `spec.secretName`.
+// The stored certificate will be renewed before it expires (as
+// configured by `spec.renewBefore`).
+#Certificate: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "cert-manager.io/v1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Certificate"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// Specification of the desired state of the Certificate resource.
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	spec!: #CertificateSpec
+}
+
+// Specification of the desired state of the Certificate resource.
+// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+#CertificateSpec: {
+	// Defines extra output formats of the private key and signed
+	// certificate chain to be written to this Certificate's target
+	// Secret.
+	// This is an Alpha Feature and is only enabled with the
+	// `--feature-gates=AdditionalCertificateOutputFormats=true`
+	// option set on both the controller and webhook components.
+	additionalOutputFormats?: [...{
+		// Type is the name of the format type that should be written to
+		// the Certificate's target Secret.
+		type: "DER" | "CombinedPEM"
+	}]
+
+	// Requested common name X509 certificate subject attribute. More
+	// info:
+	// https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
+	// NOTE: TLS clients will ignore this value when any subject
+	// alternative name is set (see
+	// https://tools.ietf.org/html/rfc6125#section-6.4.4).
+	// Should have a length of 64 characters or fewer to avoid
+	// generating invalid CSRs. Cannot be set if the `literalSubject`
+	// field is set.
+	commonName?: string
+
+	// Requested DNS subject alternative names.
+	dnsNames?: [...string]
+
+	// Requested 'duration' (i.e. lifetime) of the Certificate. Note
+	// that the issuer may choose to ignore the requested duration,
+	// just like any other requested attribute.
+	// If unset, this defaults to 90 days. Minimum accepted duration
+	// is 1 hour. Value must be in units accepted by Go
+	// time.ParseDuration https://golang.org/pkg/time/#ParseDuration.
+	duration?: string
+
+	// Requested email subject alternative names.
+	emailAddresses?: [...string]
+
+	// Whether the KeyUsage and ExtKeyUsage extensions should be set
+	// in the encoded CSR.
+	// This option defaults to true, and should only be disabled if
+	// the target issuer does not support CSRs with these X509
+	// KeyUsage/ ExtKeyUsage extensions.
+	encodeUsagesInRequest?: bool
+
+	// Requested IP address subject alternative names.
+	ipAddresses?: [...string]
+
+	// Requested basic constraints isCA value. The isCA value is used
+	// to set the `isCA` field on the created CertificateRequest
+	// resources. Note that the issuer may choose to ignore the
+	// requested isCA value, just like any other requested attribute.
+	// If true, this will automatically add the `cert sign` usage to
+	// the list of requested `usages`.
+	isCA?: bool
+
+	// Reference to the issuer responsible for issuing the
+	// certificate. If the issuer is namespace-scoped, it must be in
+	// the same namespace as the Certificate. If the issuer is
+	// cluster-scoped, it can be used from any namespace.
+	// The `name` field of the reference must always be specified.
+	issuerRef: {
+		// Group of the resource being referred to.
+		group?: string
+
+		// Kind of the resource being referred to.
+		kind?: string
+
+		// Name of the resource being referred to.
+		name: string
+	}
+
+	// Additional keystore output formats to be stored in the
+	// Certificate's Secret.
+	keystores?: {
+		// JKS configures options for storing a JKS keystore in the
+		// `spec.secretName` Secret resource.
+		jks?: {
+			// Create enables JKS keystore creation for the Certificate. If
+			// true, a file named `keystore.jks` will be created in the
+			// target Secret resource, encrypted using the password stored in
+			// `passwordSecretRef`. The keystore file will be updated
+			// immediately. If the issuer provided a CA certificate, a file
+			// named `truststore.jks` will also be created in the target
+			// Secret resource, encrypted using the password stored in
+			// `passwordSecretRef` containing the issuing Certificate
+			// Authority
+			create: bool
+
+			// PasswordSecretRef is a reference to a key in a Secret resource
+			// containing the password used to encrypt the JKS keystore.
+			passwordSecretRef: {
+				// The key of the entry in the Secret resource's `data` field to
+				// be used. Some instances of this field may be defaulted, in
+				// others it may be required.
+				key?: string
+
+				// Name of the resource being referred to. More info:
+				// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+				name: string
+			}
+		}
+
+		// PKCS12 configures options for storing a PKCS12 keystore in the
+		// `spec.secretName` Secret resource.
+		pkcs12?: {
+			// Create enables PKCS12 keystore creation for the Certificate. If
+			// true, a file named `keystore.p12` will be created in the
+			// target Secret resource, encrypted using the password stored in
+			// `passwordSecretRef`. The keystore file will be updated
+			// immediately. If the issuer provided a CA certificate, a file
+			// named `truststore.p12` will also be created in the target
+			// Secret resource, encrypted using the password stored in
+			// `passwordSecretRef` containing the issuing Certificate
+			// Authority
+			create: bool
+
+			// PasswordSecretRef is a reference to a key in a Secret resource
+			// containing the password used to encrypt the PKCS12 keystore.
+			passwordSecretRef: {
+				// The key of the entry in the Secret resource's `data` field to
+				// be used. Some instances of this field may be defaulted, in
+				// others it may be required.
+				key?: string
+
+				// Name of the resource being referred to. More info:
+				// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+				name: string
+			}
+
+			// Profile specifies the key and certificate encryption algorithms
+			// and the HMAC algorithm used to create the PKCS12 keystore.
+			// Default value is `LegacyRC2` for backward compatibility.
+			// If provided, allowed values are: `LegacyRC2`: Deprecated. Not
+			// supported by default in OpenSSL 3 or Java 20. `LegacyDES`:
+			// Less secure algorithm. Use this option for maximal
+			// compatibility. `Modern2023`: Secure algorithm. Use this option
+			// in case you have to always use secure algorithms (eg. because
+			// of company policy). Please note that the security of the
+			// algorithm is not that important in reality, because the
+			// unencrypted certificate and private key are also stored in the
+			// Secret.
+			profile?: "LegacyRC2" | "LegacyDES" | "Modern2023"
+		}
+	}
+
+	// Requested X.509 certificate subject, represented using the LDAP
+	// "String Representation of a Distinguished Name" [1].
+	// Important: the LDAP string format also specifies the order of
+	// the attributes in the subject, this is important when issuing
+	// certs for LDAP authentication. Example:
+	// `CN=foo,DC=corp,DC=example,DC=com` More info [1]:
+	// https://datatracker.ietf.org/doc/html/rfc4514 More info:
+	// https://github.com/cert-manager/cert-manager/issues/3203 More
+	// info: https://github.com/cert-manager/cert-manager/issues/4424
+	// Cannot be set if the `subject` or `commonName` field is set.
+	// This is an Alpha Feature and is only enabled with the
+	// `--feature-gates=LiteralCertificateSubject=true` option set on
+	// both the controller and webhook components.
+	literalSubject?: string
+
+	// x.509 certificate NameConstraint extension which MUST NOT be
+	// used in a non-CA certificate. More Info:
+	// https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10
+	// This is an Alpha Feature and is only enabled with the
+	// `--feature-gates=NameConstraints=true` option set on both the
+	// controller and webhook components.
+	nameConstraints?: {
+		// if true then the name constraints are marked critical.
+		critical?: bool
+
+		// Excluded contains the constraints which must be disallowed. Any
+		// name matching a restriction in the excluded field is invalid
+		// regardless of information appearing in the permitted
+		excluded?: {
+			// DNSDomains is a list of DNS domains that are permitted or
+			// excluded.
+			dnsDomains?: [...string]
+
+			// EmailAddresses is a list of Email Addresses that are permitted
+			// or excluded.
+			emailAddresses?: [...string]
+
+			// IPRanges is a list of IP Ranges that are permitted or excluded.
+			// This should be a valid CIDR notation.
+			ipRanges?: [...string]
+
+			// URIDomains is a list of URI domains that are permitted or
+			// excluded.
+			uriDomains?: [...string]
+		}
+
+		// Permitted contains the constraints in which the names must be
+		// located.
+		permitted?: {
+			// DNSDomains is a list of DNS domains that are permitted or
+			// excluded.
+			dnsDomains?: [...string]
+
+			// EmailAddresses is a list of Email Addresses that are permitted
+			// or excluded.
+			emailAddresses?: [...string]
+
+			// IPRanges is a list of IP Ranges that are permitted or excluded.
+			// This should be a valid CIDR notation.
+			ipRanges?: [...string]
+
+			// URIDomains is a list of URI domains that are permitted or
+			// excluded.
+			uriDomains?: [...string]
+		}
+	}
+
+	// `otherNames` is an escape hatch for SAN that allows any type.
+	// We currently restrict the support to string like otherNames,
+	// cf RFC 5280 p 37 Any UTF8 String valued otherName can be
+	// passed with by setting the keys oid: x.x.x.x and UTF8Value:
+	// somevalue for `otherName`. Most commonly this would be UPN set
+	// with oid: 1.3.6.1.4.1.311.20.2.3 You should ensure that any
+	// OID passed is valid for the UTF8String type as we do not
+	// explicitly validate this.
+	otherNames?: [...{
+		// OID is the object identifier for the otherName SAN. The object
+		// identifier must be expressed as a dotted string, for example,
+		// "1.2.840.113556.1.4.221".
+		oid?: string
+
+		// utf8Value is the string value of the otherName SAN. The
+		// utf8Value accepts any valid UTF8 string to set as value for
+		// the otherName SAN.
+		utf8Value?: string
+	}]
+
+	// Private key options. These include the key algorithm and size,
+	// the used encoding and the rotation policy.
+	privateKey?: {
+		// Algorithm is the private key algorithm of the corresponding
+		// private key for this certificate.
+		// If provided, allowed values are either `RSA`, `ECDSA` or
+		// `Ed25519`. If `algorithm` is specified and `size` is not
+		// provided, key size of 2048 will be used for `RSA` key
+		// algorithm and key size of 256 will be used for `ECDSA` key
+		// algorithm. key size is ignored when using the `Ed25519` key
+		// algorithm.
+		algorithm?: "RSA" | "ECDSA" | "Ed25519"
+
+		// The private key cryptography standards (PKCS) encoding for this
+		// certificate's private key to be encoded in.
+		// If provided, allowed values are `PKCS1` and `PKCS8` standing
+		// for PKCS#1 and PKCS#8, respectively. Defaults to `PKCS1` if
+		// not specified.
+		encoding?: "PKCS1" | "PKCS8"
+
+		// RotationPolicy controls how private keys should be regenerated
+		// when a re-issuance is being processed.
+		// If set to `Never`, a private key will only be generated if one
+		// does not already exist in the target `spec.secretName`. If one
+		// does exists but it does not have the correct algorithm or
+		// size, a warning will be raised to await user intervention. If
+		// set to `Always`, a private key matching the specified
+		// requirements will be generated whenever a re-issuance occurs.
+		// Default is `Never` for backward compatibility.
+		rotationPolicy?: "Never" | "Always"
+
+		// Size is the key bit size of the corresponding private key for
+		// this certificate.
+		// If `algorithm` is set to `RSA`, valid values are `2048`, `4096`
+		// or `8192`, and will default to `2048` if not specified. If
+		// `algorithm` is set to `ECDSA`, valid values are `256`, `384`
+		// or `521`, and will default to `256` if not specified. If
+		// `algorithm` is set to `Ed25519`, Size is ignored. No other
+		// values are allowed.
+		size?: int
+	}
+
+	// How long before the currently issued certificate's expiry
+	// cert-manager should renew the certificate. For example, if a
+	// certificate is valid for 60 minutes, and `renewBefore=10m`,
+	// cert-manager will begin to attempt to renew the certificate 50
+	// minutes after it was issued (i.e. when there are 10 minutes
+	// remaining until the certificate is no longer valid).
+	// NOTE: The actual lifetime of the issued certificate is used to
+	// determine the renewal time. If an issuer returns a certificate
+	// with a different lifetime than the one requested, cert-manager
+	// will use the lifetime of the issued certificate.
+	// If unset, this defaults to 1/3 of the issued certificate's
+	// lifetime. Minimum accepted value is 5 minutes. Value must be
+	// in units accepted by Go time.ParseDuration
+	// https://golang.org/pkg/time/#ParseDuration.
+	renewBefore?: string
+
+	// The maximum number of CertificateRequest revisions that are
+	// maintained in the Certificate's history. Each revision
+	// represents a single `CertificateRequest` created by this
+	// Certificate, either when it was created, renewed, or Spec was
+	// changed. Revisions will be removed by oldest first if the
+	// number of revisions exceeds this number.
+	// If set, revisionHistoryLimit must be a value of `1` or greater.
+	// If unset (`nil`), revisions will not be garbage collected.
+	// Default value is `nil`.
+	revisionHistoryLimit?: int
+
+	// Name of the Secret resource that will be automatically created
+	// and managed by this Certificate resource. It will be populated
+	// with a private key and certificate, signed by the denoted
+	// issuer. The Secret resource lives in the same namespace as the
+	// Certificate resource.
+	secretName: string
+
+	// Defines annotations and labels to be copied to the
+	// Certificate's Secret. Labels and annotations on the Secret
+	// will be changed as they appear on the SecretTemplate when
+	// added or removed. SecretTemplate annotations are added in
+	// conjunction with, and cannot overwrite, the base set of
+	// annotations cert-manager sets on the Certificate's Secret.
+	secretTemplate?: {
+		// Annotations is a key value map to be copied to the target
+		// Kubernetes Secret.
+		annotations?: {
+			[string]: string
+		}
+
+		// Labels is a key value map to be copied to the target Kubernetes
+		// Secret.
+		labels?: {
+			[string]: string
+		}
+	}
+
+	// Requested set of X509 certificate subject attributes. More
+	// info:
+	// https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
+	// The common name attribute is specified separately in the
+	// `commonName` field. Cannot be set if the `literalSubject`
+	// field is set.
+	subject?: {
+		// Countries to be used on the Certificate.
+		countries?: [...string]
+
+		// Cities to be used on the Certificate.
+		localities?: [...string]
+
+		// Organizational Units to be used on the Certificate.
+		organizationalUnits?: [...string]
+
+		// Organizations to be used on the Certificate.
+		organizations?: [...string]
+
+		// Postal codes to be used on the Certificate.
+		postalCodes?: [...string]
+
+		// State/Provinces to be used on the Certificate.
+		provinces?: [...string]
+
+		// Serial number to be used on the Certificate.
+		serialNumber?: string
+
+		// Street addresses to be used on the Certificate.
+		streetAddresses?: [...string]
+	}
+
+	// Requested URI subject alternative names.
+	uris?: [...string]
+
+	// Requested key usages and extended key usages. These usages are
+	// used to set the `usages` field on the created
+	// CertificateRequest resources. If `encodeUsagesInRequest` is
+	// unset or set to `true`, the usages will additionally be
+	// encoded in the `request` field which contains the CSR blob.
+	// If unset, defaults to `digital signature` and `key
+	// encipherment`.
+	usages?: [..."signing" | "digital signature" | "content commitment" | "key encipherment" | "key agreement" | "data encipherment" | "cert sign" | "crl sign" | "encipher only" | "decipher only" | "any" | "server auth" | "client auth" | "code signing" | "email protection" | "s/mime" | "ipsec end system" | "ipsec tunnel" | "ipsec user" | "timestamping" | "ocsp signing" | "microsoft sgc" | "netscape sgc"]
+}

internal/generate/platforms/cue.mod/gen/cert-manager.io/certificaterequest/v1/types_gen.cue

@@ -0,0 +1,127 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-certmanager/prod-mesh-certmanager.gen.yaml
+
+package v1
+
+import "strings"
+
+// A CertificateRequest is used to request a signed certificate
+// from one of the configured issuers.
+// All fields within the CertificateRequest's `spec` are immutable
+// after creation. A CertificateRequest will either succeed or
+// fail, as denoted by its `Ready` status condition and its
+// `status.failureTime` field.
+// A CertificateRequest is a one-shot resource, meaning it
+// represents a single point in time request for a certificate
+// and cannot be re-used.
+#CertificateRequest: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "cert-manager.io/v1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "CertificateRequest"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// Specification of the desired state of the CertificateRequest
+	// resource.
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	spec!: #CertificateRequestSpec
+}
+
+// Specification of the desired state of the CertificateRequest
+// resource.
+// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+#CertificateRequestSpec: {
+	// Requested 'duration' (i.e. lifetime) of the Certificate. Note
+	// that the issuer may choose to ignore the requested duration,
+	// just like any other requested attribute.
+	duration?: string
+
+	// Extra contains extra attributes of the user that created the
+	// CertificateRequest. Populated by the cert-manager webhook on
+	// creation and immutable.
+	extra?: {
+		[string]: [...string]
+	}
+
+	// Groups contains group membership of the user that created the
+	// CertificateRequest. Populated by the cert-manager webhook on
+	// creation and immutable.
+	groups?: [...string]
+
+	// Requested basic constraints isCA value. Note that the issuer
+	// may choose to ignore the requested isCA value, just like any
+	// other requested attribute.
+	// NOTE: If the CSR in the `Request` field has a BasicConstraints
+	// extension, it must have the same isCA value as specified here.
+	// If true, this will automatically add the `cert sign` usage to
+	// the list of requested `usages`.
+	isCA?: bool
+
+	// Reference to the issuer responsible for issuing the
+	// certificate. If the issuer is namespace-scoped, it must be in
+	// the same namespace as the Certificate. If the issuer is
+	// cluster-scoped, it can be used from any namespace.
+	// The `name` field of the reference must always be specified.
+	issuerRef: {
+		// Group of the resource being referred to.
+		group?: string
+
+		// Kind of the resource being referred to.
+		kind?: string
+
+		// Name of the resource being referred to.
+		name: string
+	}
+
+	// The PEM-encoded X.509 certificate signing request to be
+	// submitted to the issuer for signing.
+	// If the CSR has a BasicConstraints extension, its isCA attribute
+	// must match the `isCA` value of this CertificateRequest. If the
+	// CSR has a KeyUsage extension, its key usages must match the
+	// key usages in the `usages` field of this CertificateRequest.
+	// If the CSR has a ExtKeyUsage extension, its extended key
+	// usages must match the extended key usages in the `usages`
+	// field of this CertificateRequest.
+	request: string
+
+	// UID contains the uid of the user that created the
+	// CertificateRequest. Populated by the cert-manager webhook on
+	// creation and immutable.
+	uid?: string
+
+	// Requested key usages and extended key usages.
+	// NOTE: If the CSR in the `Request` field has uses the KeyUsage
+	// or ExtKeyUsage extension, these extensions must have the same
+	// values as specified here without any additional values.
+	// If unset, defaults to `digital signature` and `key
+	// encipherment`.
+	usages?: [..."signing" | "digital signature" | "content commitment" | "key encipherment" | "key agreement" | "data encipherment" | "cert sign" | "crl sign" | "encipher only" | "decipher only" | "any" | "server auth" | "client auth" | "code signing" | "email protection" | "s/mime" | "ipsec end system" | "ipsec tunnel" | "ipsec user" | "timestamping" | "ocsp signing" | "microsoft sgc" | "netscape sgc"]
+
+	// Username contains the name of the user that created the
+	// CertificateRequest. Populated by the cert-manager webhook on
+	// creation and immutable.
+	username?: string
+}

internal/generate/platforms/cue.mod/gen/extensions.istio.io/wasmplugin/v1alpha1/types_gen.cue

@@ -0,0 +1,148 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f deploy/clusters/aws2/components/istio-base/istio-base.gen.yaml
+
+package v1alpha1
+
+import (
+	"strings"
+	"list"
+)
+
+#WasmPlugin: {
+	// Extend the functionality provided by the Istio proxy through
+	// WebAssembly filters. See more details at:
+	// https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html
+	spec!:      #WasmPluginSpec
+	apiVersion: "extensions.istio.io/v1alpha1"
+	kind:       "WasmPlugin"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Extend the functionality provided by the Istio proxy through
+// WebAssembly filters. See more details at:
+// https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html
+#WasmPluginSpec: {
+	// Specifies the failure behavior for the plugin due to fatal
+	// errors.
+	//
+	// Valid Options: FAIL_CLOSE, FAIL_OPEN
+	failStrategy?: "FAIL_CLOSE" | "FAIL_OPEN"
+
+	// The pull behaviour to be applied when fetching Wasm module by
+	// either OCI image or `http/https`.
+	//
+	// Valid Options: IfNotPresent, Always
+	imagePullPolicy?: "UNSPECIFIED_POLICY" | "IfNotPresent" | "Always"
+
+	// Credentials to use for OCI image pulling.
+	imagePullSecret?: strings.MaxRunes(253) & strings.MinRunes(1)
+
+	// Specifies the criteria to determine which traffic is passed to
+	// WasmPlugin.
+	match?: [...{
+		// Criteria for selecting traffic by their direction.
+		//
+		// Valid Options: CLIENT, SERVER, CLIENT_AND_SERVER
+		mode?: "UNDEFINED" | "CLIENT" | "SERVER" | "CLIENT_AND_SERVER"
+
+		// Criteria for selecting traffic by their destination port.
+		ports?: [...{
+			number: uint16 & >=1
+		}]
+	}]
+
+	// Determines where in the filter chain this `WasmPlugin` is to be
+	// injected.
+	//
+	// Valid Options: AUTHN, AUTHZ, STATS
+	phase?: "UNSPECIFIED_PHASE" | "AUTHN" | "AUTHZ" | "STATS"
+
+	// The configuration that will be passed on to the plugin.
+	pluginConfig?: {
+		...
+	}
+
+	// The plugin name to be used in the Envoy configuration (used to
+	// be called `rootID`).
+	pluginName?: strings.MaxRunes(256) & strings.MinRunes(1)
+
+	// Determines ordering of `WasmPlugins` in the same `phase`.
+	priority?: null | int
+	selector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which a policy should be applied.
+		matchLabels?: {
+			[string]: string
+		}
+	}
+
+	// SHA256 checksum that will be used to verify Wasm module or OCI
+	// container.
+	sha256?: =~"(^$|^[a-f0-9]{64}$)"
+	targetRef?: {
+		// group is the group of the target resource.
+		group?: string
+
+		// kind is kind of the target resource.
+		kind?: string
+
+		// name is the name of the target resource.
+		name?: string
+
+		// namespace is the namespace of the referent.
+		namespace?: string
+	}
+
+	// Optional.
+	targetRefs?: [...{
+		// group is the group of the target resource.
+		group?: string
+
+		// kind is kind of the target resource.
+		kind?: string
+
+		// name is the name of the target resource.
+		name?: string
+
+		// namespace is the namespace of the referent.
+		namespace?: string
+	}]
+
+	// Specifies the type of Wasm Extension to be used.
+	//
+	// Valid Options: HTTP, NETWORK
+	type?: "UNSPECIFIED_PLUGIN_TYPE" | "HTTP" | "NETWORK"
+
+	// URL of a Wasm module or OCI container.
+	url:              strings.MinRunes(1)
+	verificationKey?: string
+	vmConfig?: {
+		// Specifies environment variables to be injected to this VM.
+		env?: list.MaxItems(256) & [...{
+			// Name of the environment variable.
+			name: strings.MaxRunes(256) & strings.MinRunes(1)
+
+			// Value for the environment variable.
+			value?: strings.MaxRunes(2048)
+
+			// Source for the environment variable's value.
+			//
+			// Valid Options: INLINE, HOST
+			valueFrom?: "INLINE" | "HOST"
+		}]
+	}
+}

internal/generate/platforms/cue.mod/gen/external-secrets.io/clusterexternalsecret/v1beta1/types_gen.cue

@@ -0,0 +1,378 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-secrets-eso/prod-secrets-eso.gen.yaml
+
+package v1beta1
+
+import (
+	"strings"
+	"struct"
+)
+
+// ClusterExternalSecret is the Schema for the
+// clusterexternalsecrets API.
+#ClusterExternalSecret: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object.
+	// Servers should convert recognized schemas to the latest
+	// internal value, and
+	// may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "external-secrets.io/v1beta1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents.
+	// Servers may infer this from the endpoint the client submits
+	// requests to.
+	// Cannot be updated.
+	// In CamelCase.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "ClusterExternalSecret"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// ClusterExternalSecretSpec defines the desired state of
+	// ClusterExternalSecret.
+	spec!: #ClusterExternalSecretSpec
+}
+
+// ClusterExternalSecretSpec defines the desired state of
+// ClusterExternalSecret.
+#ClusterExternalSecretSpec: {
+	// The metadata of the external secrets to be created
+	externalSecretMetadata?: {
+		annotations?: {
+			[string]: string
+		}
+		labels?: {
+			[string]: string
+		}
+	}
+
+	// The name of the external secrets to be created defaults to the
+	// name of the ClusterExternalSecret
+	externalSecretName?: string
+
+	// The spec for the ExternalSecrets to be created
+	externalSecretSpec: {
+		// Data defines the connection between the Kubernetes Secret keys
+		// and the Provider data
+		data?: [...{
+			// RemoteRef points to the remote secret and defines
+			// which secret (version/property/..) to fetch.
+			remoteRef: {
+				// Used to define a conversion Strategy
+				conversionStrategy?: "Default" | "Unicode" | *"Default"
+
+				// Used to define a decoding Strategy
+				decodingStrategy?: "Auto" | "Base64" | "Base64URL" | "None" | *"None"
+
+				// Key is the key used in the Provider, mandatory
+				key: string
+
+				// Policy for fetching tags/labels from provider secrets, possible
+				// options are Fetch, None. Defaults to None
+				metadataPolicy?: "None" | "Fetch" | *"None"
+
+				// Used to select a specific property of the Provider value (if a
+				// map), if supported
+				property?: string
+
+				// Used to select a specific version of the Provider value, if
+				// supported
+				version?: string
+			}
+
+			// SecretKey defines the key in which the controller stores
+			// the value. This is the key in the Kind=Secret
+			secretKey: string
+
+			// SourceRef allows you to override the source
+			// from which the value will pulled from.
+			sourceRef?: struct.MaxFields(1) & {
+				// GeneratorRef points to a generator custom resource.
+				//
+				//
+				// Deprecated: The generatorRef is not implemented in .data[].
+				// this will be removed with v1.
+				generatorRef?: {
+					// Specify the apiVersion of the generator resource
+					apiVersion?: string | *"generators.external-secrets.io/v1alpha1"
+
+					// Specify the Kind of the resource, e.g. Password, ACRAccessToken
+					// etc.
+					kind: string
+
+					// Specify the name of the generator resource
+					name: string
+				}
+
+				// SecretStoreRef defines which SecretStore to fetch the
+				// ExternalSecret data.
+				storeRef?: {
+					// Kind of the SecretStore resource (SecretStore or
+					// ClusterSecretStore)
+					// Defaults to `SecretStore`
+					kind?: string
+
+					// Name of the SecretStore resource
+					name: string
+				}
+			}
+		}]
+
+		// DataFrom is used to fetch all properties from a specific
+		// Provider data
+		// If multiple entries are specified, the Secret keys are merged
+		// in the specified order
+		dataFrom?: [...{
+			// Used to extract multiple key/value pairs from one secret
+			// Note: Extract does not support sourceRef.Generator or
+			// sourceRef.GeneratorRef.
+			extract?: {
+				// Used to define a conversion Strategy
+				conversionStrategy?: "Default" | "Unicode" | *"Default"
+
+				// Used to define a decoding Strategy
+				decodingStrategy?: "Auto" | "Base64" | "Base64URL" | "None" | *"None"
+
+				// Key is the key used in the Provider, mandatory
+				key: string
+
+				// Policy for fetching tags/labels from provider secrets, possible
+				// options are Fetch, None. Defaults to None
+				metadataPolicy?: "None" | "Fetch" | *"None"
+
+				// Used to select a specific property of the Provider value (if a
+				// map), if supported
+				property?: string
+
+				// Used to select a specific version of the Provider value, if
+				// supported
+				version?: string
+			}
+
+			// Used to find secrets based on tags or regular expressions
+			// Note: Find does not support sourceRef.Generator or
+			// sourceRef.GeneratorRef.
+			find?: {
+				// Used to define a conversion Strategy
+				conversionStrategy?: "Default" | "Unicode" | *"Default"
+
+				// Used to define a decoding Strategy
+				decodingStrategy?: "Auto" | "Base64" | "Base64URL" | "None" | *"None"
+				name?: {
+					// Finds secrets base
+					regexp?: string
+				}
+
+				// A root path to start the find operations.
+				path?: string
+
+				// Find secrets based on tags.
+				tags?: {
+					[string]: string
+				}
+			}
+
+			// Used to rewrite secret Keys after getting them from the secret
+			// Provider
+			// Multiple Rewrite operations can be provided. They are applied
+			// in a layered order (first to last)
+			rewrite?: [...{
+				// Used to rewrite with regular expressions.
+				// The resulting key will be the output of a regexp.ReplaceAll
+				// operation.
+				regexp?: {
+					// Used to define the regular expression of a re.Compiler.
+					source: string
+
+					// Used to define the target pattern of a ReplaceAll operation.
+					target: string
+				}
+				transform?: {
+					// Used to define the template to apply on the secret name.
+					// `.value ` will specify the secret name in the template.
+					template: string
+				}
+			}]
+
+			// SourceRef points to a store or generator
+			// which contains secret values ready to use.
+			// Use this in combination with Extract or Find pull values out of
+			// a specific SecretStore.
+			// When sourceRef points to a generator Extract or Find is not
+			// supported.
+			// The generator returns a static map of values
+			sourceRef?: struct.MaxFields(1) & {
+				// GeneratorRef points to a generator custom resource.
+				generatorRef?: {
+					// Specify the apiVersion of the generator resource
+					apiVersion?: string | *"generators.external-secrets.io/v1alpha1"
+
+					// Specify the Kind of the resource, e.g. Password, ACRAccessToken
+					// etc.
+					kind: string
+
+					// Specify the name of the generator resource
+					name: string
+				}
+
+				// SecretStoreRef defines which SecretStore to fetch the
+				// ExternalSecret data.
+				storeRef?: {
+					// Kind of the SecretStore resource (SecretStore or
+					// ClusterSecretStore)
+					// Defaults to `SecretStore`
+					kind?: string
+
+					// Name of the SecretStore resource
+					name: string
+				}
+			}
+		}]
+
+		// RefreshInterval is the amount of time before the values are
+		// read again from the SecretStore provider
+		// Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
+		// May be set to zero to fetch and create it once. Defaults to 1h.
+		refreshInterval?: string | *"1h"
+
+		// SecretStoreRef defines which SecretStore to fetch the
+		// ExternalSecret data.
+		secretStoreRef?: {
+			// Kind of the SecretStore resource (SecretStore or
+			// ClusterSecretStore)
+			// Defaults to `SecretStore`
+			kind?: string
+
+			// Name of the SecretStore resource
+			name: string
+		}
+
+		// ExternalSecretTarget defines the Kubernetes Secret to be
+		// created
+		// There can be only one target per ExternalSecret.
+		target?: {
+			// CreationPolicy defines rules on how to create the resulting
+			// Secret
+			// Defaults to 'Owner'
+			creationPolicy?: "Owner" | "Orphan" | "Merge" | "None" | *"Owner"
+
+			// DeletionPolicy defines rules on how to delete the resulting
+			// Secret
+			// Defaults to 'Retain'
+			deletionPolicy?: "Delete" | "Merge" | "Retain" | *"Retain"
+
+			// Immutable defines if the final secret will be immutable
+			immutable?: bool
+
+			// Name defines the name of the Secret resource to be managed
+			// This field is immutable
+			// Defaults to the .metadata.name of the ExternalSecret resource
+			name?: string
+
+			// Template defines a blueprint for the created Secret resource.
+			template?: {
+				data?: {
+					[string]: string
+				}
+
+				// EngineVersion specifies the template engine version
+				// that should be used to compile/execute the
+				// template specified in .data and .templateFrom[].
+				engineVersion?: "v1" | "v2" | *"v2"
+				mergePolicy?:   "Replace" | "Merge" | *"Replace"
+
+				// ExternalSecretTemplateMetadata defines metadata fields for the
+				// Secret blueprint.
+				metadata?: {
+					annotations?: {
+						[string]: string
+					}
+					labels?: {
+						[string]: string
+					}
+				}
+				templateFrom?: [...{
+					configMap?: {
+						items: [...{
+							key:         string
+							templateAs?: "Values" | "KeysAndValues" | *"Values"
+						}]
+						name: string
+					}
+					literal?: string
+					secret?: {
+						items: [...{
+							key:         string
+							templateAs?: "Values" | "KeysAndValues" | *"Values"
+						}]
+						name: string
+					}
+					target?: "Data" | "Annotations" | "Labels" | *"Data"
+				}]
+				type?: string
+			}
+		} | *{
+			creationPolicy: "Owner"
+			deletionPolicy: "Retain"
+		}
+	}
+
+	// The labels to select by to find the Namespaces to create the
+	// ExternalSecrets in.
+	namespaceSelector?: {
+		// matchExpressions is a list of label selector requirements. The
+		// requirements are ANDed.
+		matchExpressions?: [...{
+			// key is the label key that the selector applies to.
+			key: string
+
+			// operator represents a key's relationship to a set of values.
+			// Valid operators are In, NotIn, Exists and DoesNotExist.
+			operator: string
+
+			// values is an array of string values. If the operator is In or
+			// NotIn,
+			// the values array must be non-empty. If the operator is Exists
+			// or DoesNotExist,
+			// the values array must be empty. This array is replaced during a
+			// strategic
+			// merge patch.
+			values?: [...string]
+		}]
+
+		// matchLabels is a map of {key,value} pairs. A single {key,value}
+		// in the matchLabels
+		// map is equivalent to an element of matchExpressions, whose key
+		// field is "key", the
+		// operator is "In", and the values array contains only "value".
+		// The requirements are ANDed.
+		matchLabels?: {
+			[string]: string
+		}
+	}
+
+	// Choose namespaces by name. This field is ORed with anything
+	// that NamespaceSelector ends up choosing.
+	namespaces?: [...string]
+
+	// The time in which the controller should reconcile its objects
+	// and recheck namespaces for labels.
+	refreshTime?: string
+}

internal/generate/platforms/cue.mod/gen/external-secrets.io/externalsecret/v1alpha1/types_gen.cue

@@ -0,0 +1,168 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-secrets-eso/prod-secrets-eso.gen.yaml
+
+package v1alpha1
+
+import (
+	"strings"
+	"struct"
+)
+
+// ExternalSecret is the Schema for the external-secrets API.
+#ExternalSecret: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object.
+	// Servers should convert recognized schemas to the latest
+	// internal value, and
+	// may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "external-secrets.io/v1alpha1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents.
+	// Servers may infer this from the endpoint the client submits
+	// requests to.
+	// Cannot be updated.
+	// In CamelCase.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "ExternalSecret"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// ExternalSecretSpec defines the desired state of ExternalSecret.
+	spec!: #ExternalSecretSpec
+}
+
+// ExternalSecretSpec defines the desired state of ExternalSecret.
+#ExternalSecretSpec: {
+	// Data defines the connection between the Kubernetes Secret keys
+	// and the Provider data
+	data?: [...{
+		// ExternalSecretDataRemoteRef defines Provider data location.
+		remoteRef: {
+			// Used to define a conversion Strategy
+			conversionStrategy?: "Default" | "Unicode" | *"Default"
+
+			// Key is the key used in the Provider, mandatory
+			key: string
+
+			// Used to select a specific property of the Provider value (if a
+			// map), if supported
+			property?: string
+
+			// Used to select a specific version of the Provider value, if
+			// supported
+			version?: string
+		}
+		secretKey: string
+	}]
+
+	// DataFrom is used to fetch all properties from a specific
+	// Provider data
+	// If multiple entries are specified, the Secret keys are merged
+	// in the specified order
+	dataFrom?: [...{
+		// Used to define a conversion Strategy
+		conversionStrategy?: "Default" | "Unicode" | *"Default"
+
+		// Key is the key used in the Provider, mandatory
+		key: string
+
+		// Used to select a specific property of the Provider value (if a
+		// map), if supported
+		property?: string
+
+		// Used to select a specific version of the Provider value, if
+		// supported
+		version?: string
+	}]
+
+	// RefreshInterval is the amount of time before the values are
+	// read again from the SecretStore provider
+	// Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
+	// May be set to zero to fetch and create it once. Defaults to 1h.
+	refreshInterval?: string | *"1h"
+
+	// SecretStoreRef defines which SecretStore to fetch the
+	// ExternalSecret data.
+	secretStoreRef: {
+		// Kind of the SecretStore resource (SecretStore or
+		// ClusterSecretStore)
+		// Defaults to `SecretStore`
+		kind?: string
+
+		// Name of the SecretStore resource
+		name: string
+	}
+
+	// ExternalSecretTarget defines the Kubernetes Secret to be
+	// created
+	// There can be only one target per ExternalSecret.
+	target: {
+		// CreationPolicy defines rules on how to create the resulting
+		// Secret
+		// Defaults to 'Owner'
+		creationPolicy?: "Owner" | "Merge" | "None" | *"Owner"
+
+		// Immutable defines if the final secret will be immutable
+		immutable?: bool
+
+		// Name defines the name of the Secret resource to be managed
+		// This field is immutable
+		// Defaults to the .metadata.name of the ExternalSecret resource
+		name?: string
+
+		// Template defines a blueprint for the created Secret resource.
+		template?: {
+			data?: {
+				[string]: string
+			}
+
+			// EngineVersion specifies the template engine version
+			// that should be used to compile/execute the
+			// template specified in .data and .templateFrom[].
+			engineVersion?: "v1" | "v2" | *"v1"
+
+			// ExternalSecretTemplateMetadata defines metadata fields for the
+			// Secret blueprint.
+			metadata?: {
+				annotations?: {
+					[string]: string
+				}
+				labels?: {
+					[string]: string
+				}
+			}
+			templateFrom?: [...struct.MaxFields(1) & {
+				configMap?: {
+					items: [...{
+						key: string
+					}]
+					name: string
+				}
+				secret?: {
+					items: [...{
+						key: string
+					}]
+					name: string
+				}
+			}]
+			type?: string
+		}
+	}
+}

internal/generate/platforms/cue.mod/gen/external-secrets.io/externalsecret/v1beta1/types_gen.cue

@@ -0,0 +1,316 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-secrets-eso/prod-secrets-eso.gen.yaml
+
+package v1beta1
+
+import (
+	"strings"
+	"struct"
+)
+
+// ExternalSecret is the Schema for the external-secrets API.
+#ExternalSecret: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object.
+	// Servers should convert recognized schemas to the latest
+	// internal value, and
+	// may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "external-secrets.io/v1beta1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents.
+	// Servers may infer this from the endpoint the client submits
+	// requests to.
+	// Cannot be updated.
+	// In CamelCase.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "ExternalSecret"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// ExternalSecretSpec defines the desired state of ExternalSecret.
+	spec!: #ExternalSecretSpec
+}
+
+// ExternalSecretSpec defines the desired state of ExternalSecret.
+#ExternalSecretSpec: {
+	// Data defines the connection between the Kubernetes Secret keys
+	// and the Provider data
+	data?: [...{
+		// RemoteRef points to the remote secret and defines
+		// which secret (version/property/..) to fetch.
+		remoteRef: {
+			// Used to define a conversion Strategy
+			conversionStrategy?: "Default" | "Unicode" | *"Default"
+
+			// Used to define a decoding Strategy
+			decodingStrategy?: "Auto" | "Base64" | "Base64URL" | "None" | *"None"
+
+			// Key is the key used in the Provider, mandatory
+			key: string
+
+			// Policy for fetching tags/labels from provider secrets, possible
+			// options are Fetch, None. Defaults to None
+			metadataPolicy?: "None" | "Fetch" | *"None"
+
+			// Used to select a specific property of the Provider value (if a
+			// map), if supported
+			property?: string
+
+			// Used to select a specific version of the Provider value, if
+			// supported
+			version?: string
+		}
+
+		// SecretKey defines the key in which the controller stores
+		// the value. This is the key in the Kind=Secret
+		secretKey: string
+
+		// SourceRef allows you to override the source
+		// from which the value will pulled from.
+		sourceRef?: struct.MaxFields(1) & {
+			// GeneratorRef points to a generator custom resource.
+			//
+			//
+			// Deprecated: The generatorRef is not implemented in .data[].
+			// this will be removed with v1.
+			generatorRef?: {
+				// Specify the apiVersion of the generator resource
+				apiVersion?: string | *"generators.external-secrets.io/v1alpha1"
+
+				// Specify the Kind of the resource, e.g. Password, ACRAccessToken
+				// etc.
+				kind: string
+
+				// Specify the name of the generator resource
+				name: string
+			}
+
+			// SecretStoreRef defines which SecretStore to fetch the
+			// ExternalSecret data.
+			storeRef?: {
+				// Kind of the SecretStore resource (SecretStore or
+				// ClusterSecretStore)
+				// Defaults to `SecretStore`
+				kind?: string
+
+				// Name of the SecretStore resource
+				name: string
+			}
+		}
+	}]
+
+	// DataFrom is used to fetch all properties from a specific
+	// Provider data
+	// If multiple entries are specified, the Secret keys are merged
+	// in the specified order
+	dataFrom?: [...{
+		// Used to extract multiple key/value pairs from one secret
+		// Note: Extract does not support sourceRef.Generator or
+		// sourceRef.GeneratorRef.
+		extract?: {
+			// Used to define a conversion Strategy
+			conversionStrategy?: "Default" | "Unicode" | *"Default"
+
+			// Used to define a decoding Strategy
+			decodingStrategy?: "Auto" | "Base64" | "Base64URL" | "None" | *"None"
+
+			// Key is the key used in the Provider, mandatory
+			key: string
+
+			// Policy for fetching tags/labels from provider secrets, possible
+			// options are Fetch, None. Defaults to None
+			metadataPolicy?: "None" | "Fetch" | *"None"
+
+			// Used to select a specific property of the Provider value (if a
+			// map), if supported
+			property?: string
+
+			// Used to select a specific version of the Provider value, if
+			// supported
+			version?: string
+		}
+
+		// Used to find secrets based on tags or regular expressions
+		// Note: Find does not support sourceRef.Generator or
+		// sourceRef.GeneratorRef.
+		find?: {
+			// Used to define a conversion Strategy
+			conversionStrategy?: "Default" | "Unicode" | *"Default"
+
+			// Used to define a decoding Strategy
+			decodingStrategy?: "Auto" | "Base64" | "Base64URL" | "None" | *"None"
+			name?: {
+				// Finds secrets base
+				regexp?: string
+			}
+
+			// A root path to start the find operations.
+			path?: string
+
+			// Find secrets based on tags.
+			tags?: {
+				[string]: string
+			}
+		}
+
+		// Used to rewrite secret Keys after getting them from the secret
+		// Provider
+		// Multiple Rewrite operations can be provided. They are applied
+		// in a layered order (first to last)
+		rewrite?: [...{
+			// Used to rewrite with regular expressions.
+			// The resulting key will be the output of a regexp.ReplaceAll
+			// operation.
+			regexp?: {
+				// Used to define the regular expression of a re.Compiler.
+				source: string
+
+				// Used to define the target pattern of a ReplaceAll operation.
+				target: string
+			}
+			transform?: {
+				// Used to define the template to apply on the secret name.
+				// `.value ` will specify the secret name in the template.
+				template: string
+			}
+		}]
+
+		// SourceRef points to a store or generator
+		// which contains secret values ready to use.
+		// Use this in combination with Extract or Find pull values out of
+		// a specific SecretStore.
+		// When sourceRef points to a generator Extract or Find is not
+		// supported.
+		// The generator returns a static map of values
+		sourceRef?: struct.MaxFields(1) & {
+			// GeneratorRef points to a generator custom resource.
+			generatorRef?: {
+				// Specify the apiVersion of the generator resource
+				apiVersion?: string | *"generators.external-secrets.io/v1alpha1"
+
+				// Specify the Kind of the resource, e.g. Password, ACRAccessToken
+				// etc.
+				kind: string
+
+				// Specify the name of the generator resource
+				name: string
+			}
+
+			// SecretStoreRef defines which SecretStore to fetch the
+			// ExternalSecret data.
+			storeRef?: {
+				// Kind of the SecretStore resource (SecretStore or
+				// ClusterSecretStore)
+				// Defaults to `SecretStore`
+				kind?: string
+
+				// Name of the SecretStore resource
+				name: string
+			}
+		}
+	}]
+
+	// RefreshInterval is the amount of time before the values are
+	// read again from the SecretStore provider
+	// Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
+	// May be set to zero to fetch and create it once. Defaults to 1h.
+	refreshInterval?: string | *"1h"
+
+	// SecretStoreRef defines which SecretStore to fetch the
+	// ExternalSecret data.
+	secretStoreRef?: {
+		// Kind of the SecretStore resource (SecretStore or
+		// ClusterSecretStore)
+		// Defaults to `SecretStore`
+		kind?: string
+
+		// Name of the SecretStore resource
+		name: string
+	}
+
+	// ExternalSecretTarget defines the Kubernetes Secret to be
+	// created
+	// There can be only one target per ExternalSecret.
+	target?: {
+		// CreationPolicy defines rules on how to create the resulting
+		// Secret
+		// Defaults to 'Owner'
+		creationPolicy?: "Owner" | "Orphan" | "Merge" | "None" | *"Owner"
+
+		// DeletionPolicy defines rules on how to delete the resulting
+		// Secret
+		// Defaults to 'Retain'
+		deletionPolicy?: "Delete" | "Merge" | "Retain" | *"Retain"
+
+		// Immutable defines if the final secret will be immutable
+		immutable?: bool
+
+		// Name defines the name of the Secret resource to be managed
+		// This field is immutable
+		// Defaults to the .metadata.name of the ExternalSecret resource
+		name?: string
+
+		// Template defines a blueprint for the created Secret resource.
+		template?: {
+			data?: {
+				[string]: string
+			}
+
+			// EngineVersion specifies the template engine version
+			// that should be used to compile/execute the
+			// template specified in .data and .templateFrom[].
+			engineVersion?: "v1" | "v2" | *"v2"
+			mergePolicy?:   "Replace" | "Merge" | *"Replace"
+
+			// ExternalSecretTemplateMetadata defines metadata fields for the
+			// Secret blueprint.
+			metadata?: {
+				annotations?: {
+					[string]: string
+				}
+				labels?: {
+					[string]: string
+				}
+			}
+			templateFrom?: [...{
+				configMap?: {
+					items: [...{
+						key:         string
+						templateAs?: "Values" | "KeysAndValues" | *"Values"
+					}]
+					name: string
+				}
+				literal?: string
+				secret?: {
+					items: [...{
+						key:         string
+						templateAs?: "Values" | "KeysAndValues" | *"Values"
+					}]
+					name: string
+				}
+				target?: "Data" | "Annotations" | "Labels" | *"Data"
+			}]
+			type?: string
+		}
+	} | *{
+		creationPolicy: "Owner"
+		deletionPolicy: "Retain"
+	}
+}

internal/generate/platforms/cue.mod/gen/external-secrets.io/pushsecret/v1alpha1/types_gen.cue

@@ -0,0 +1,171 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-secrets-eso/prod-secrets-eso.gen.yaml
+
+package v1alpha1
+
+import "strings"
+
+#PushSecret: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object.
+	// Servers should convert recognized schemas to the latest
+	// internal value, and
+	// may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "external-secrets.io/v1alpha1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents.
+	// Servers may infer this from the endpoint the client submits
+	// requests to.
+	// Cannot be updated.
+	// In CamelCase.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "PushSecret"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// PushSecretSpec configures the behavior of the PushSecret.
+	spec!: #PushSecretSpec
+}
+
+// PushSecretSpec configures the behavior of the PushSecret.
+#PushSecretSpec: {
+	// Secret Data that should be pushed to providers
+	data?: [...{
+		// Match a given Secret Key to be pushed to the provider.
+		match: {
+			// Remote Refs to push to providers.
+			remoteRef: {
+				// Name of the property in the resulting secret
+				property?: string
+
+				// Name of the resulting provider secret.
+				remoteKey: string
+			}
+
+			// Secret Key to be pushed
+			secretKey?: string
+		}
+
+		// Metadata is metadata attached to the secret.
+		// The structure of metadata is provider specific, please look it
+		// up in the provider documentation.
+		metadata?: _
+	}]
+
+	// Deletion Policy to handle Secrets in the provider. Possible
+	// Values: "Delete/None". Defaults to "None".
+	deletionPolicy?: "Delete" | "None" | *"None"
+
+	// The Interval to which External Secrets will try to push a
+	// secret definition
+	refreshInterval?: string
+	secretStoreRefs: [...{
+		// Kind of the SecretStore resource (SecretStore or
+		// ClusterSecretStore)
+		// Defaults to `SecretStore`
+		kind?: string | *"SecretStore"
+
+		// Optionally, sync to secret stores with label selector
+		labelSelector?: {
+			// matchExpressions is a list of label selector requirements. The
+			// requirements are ANDed.
+			matchExpressions?: [...{
+				// key is the label key that the selector applies to.
+				key: string
+
+				// operator represents a key's relationship to a set of values.
+				// Valid operators are In, NotIn, Exists and DoesNotExist.
+				operator: string
+
+				// values is an array of string values. If the operator is In or
+				// NotIn,
+				// the values array must be non-empty. If the operator is Exists
+				// or DoesNotExist,
+				// the values array must be empty. This array is replaced during a
+				// strategic
+				// merge patch.
+				values?: [...string]
+			}]
+
+			// matchLabels is a map of {key,value} pairs. A single {key,value}
+			// in the matchLabels
+			// map is equivalent to an element of matchExpressions, whose key
+			// field is "key", the
+			// operator is "In", and the values array contains only "value".
+			// The requirements are ANDed.
+			matchLabels?: {
+				[string]: string
+			}
+		}
+
+		// Optionally, sync to the SecretStore of the given name
+		name?: string
+	}]
+	selector: {
+		secret: {
+			// Name of the Secret. The Secret must exist in the same namespace
+			// as the PushSecret manifest.
+			name: string
+		}
+	}
+
+	// Template defines a blueprint for the created Secret resource.
+	template?: {
+		data?: {
+			[string]: string
+		}
+
+		// EngineVersion specifies the template engine version
+		// that should be used to compile/execute the
+		// template specified in .data and .templateFrom[].
+		engineVersion?: "v1" | "v2" | *"v2"
+		mergePolicy?:   "Replace" | "Merge" | *"Replace"
+
+		// ExternalSecretTemplateMetadata defines metadata fields for the
+		// Secret blueprint.
+		metadata?: {
+			annotations?: {
+				[string]: string
+			}
+			labels?: {
+				[string]: string
+			}
+		}
+		templateFrom?: [...{
+			configMap?: {
+				items: [...{
+					key:         string
+					templateAs?: "Values" | "KeysAndValues" | *"Values"
+				}]
+				name: string
+			}
+			literal?: string
+			secret?: {
+				items: [...{
+					key:         string
+					templateAs?: "Values" | "KeysAndValues" | *"Values"
+				}]
+				name: string
+			}
+			target?: "Data" | "Annotations" | "Labels" | *"Data"
+		}]
+		type?: string
+	}
+}

internal/generate/platforms/cue.mod/gen/gateway.networking.k8s.io/gateway/v1/types_gen.cue

@@ -0,0 +1,672 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f deploy/clusters/aws1/components/gateway-api/gateway-api.gen.yaml
+
+package v1
+
+import (
+	"strings"
+	"list"
+	"struct"
+)
+
+// Gateway represents an instance of a service-traffic handling
+// infrastructure
+// by binding Listeners to a set of IP addresses.
+#Gateway: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object.
+	// Servers should convert recognized schemas to the latest
+	// internal value, and
+	// may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "gateway.networking.k8s.io/v1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents.
+	// Servers may infer this from the endpoint the client submits
+	// requests to.
+	// Cannot be updated.
+	// In CamelCase.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Gateway"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// Spec defines the desired state of Gateway.
+	spec!: #GatewaySpec
+}
+
+// Spec defines the desired state of Gateway.
+#GatewaySpec: {
+	// Addresses requested for this Gateway. This is optional and
+	// behavior can
+	// depend on the implementation. If a value is set in the spec and
+	// the
+	// requested address is invalid or unavailable, the implementation
+	// MUST
+	// indicate this in the associated entry in
+	// GatewayStatus.Addresses.
+	//
+	//
+	// The Addresses field represents a request for the address(es) on
+	// the
+	// "outside of the Gateway", that traffic bound for this Gateway
+	// will use.
+	// This could be the IP address or hostname of an external load
+	// balancer or
+	// other networking infrastructure, or some other address that
+	// traffic will
+	// be sent to.
+	//
+	//
+	// If no Addresses are specified, the implementation MAY schedule
+	// the
+	// Gateway in an implementation-specific manner, assigning an
+	// appropriate
+	// set of Addresses.
+	//
+	//
+	// The implementation MUST bind all Listeners to every
+	// GatewayAddress that
+	// it assigns to the Gateway and add a corresponding entry in
+	// GatewayStatus.Addresses.
+	//
+	//
+	// Support: Extended
+	addresses?: list.MaxItems(16) & [...({
+		type?: "IPAddress"
+		value?: (_ | _) & {
+			_
+		}
+	} | {
+		type?: _
+	}) & {
+		// Type of the address.
+		type?: strings.MaxRunes(253) & strings.MinRunes(1) & =~"^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\\/[A-Za-z0-9\\/\\-._~%!$&'()*+,;=:]+$" | *"IPAddress"
+
+		// Value of the address. The validity of the values will depend
+		// on the type and support by the controller.
+		//
+		//
+		// Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
+		value: strings.MaxRunes(253) & strings.MinRunes(1)
+	}]
+
+	// GatewayClassName used for this Gateway. This is the name of a
+	// GatewayClass resource.
+	gatewayClassName: strings.MaxRunes(253) & strings.MinRunes(1)
+
+	// Listeners associated with this Gateway. Listeners define
+	// logical endpoints that are bound on this Gateway's addresses.
+	// At least one Listener MUST be specified.
+	//
+	//
+	// Each Listener in a set of Listeners (for example, in a single
+	// Gateway)
+	// MUST be _distinct_, in that a traffic flow MUST be able to be
+	// assigned to
+	// exactly one listener. (This section uses "set of Listeners"
+	// rather than
+	// "Listeners in a single Gateway" because implementations MAY
+	// merge configuration
+	// from multiple Gateways onto a single data plane, and these
+	// rules _also_
+	// apply in that case).
+	//
+	//
+	// Practically, this means that each listener in a set MUST have a
+	// unique
+	// combination of Port, Protocol, and, if supported by the
+	// protocol, Hostname.
+	//
+	//
+	// Some combinations of port, protocol, and TLS settings are
+	// considered
+	// Core support and MUST be supported by implementations based on
+	// their
+	// targeted conformance profile:
+	//
+	//
+	// HTTP Profile
+	//
+	//
+	// 1. HTTPRoute, Port: 80, Protocol: HTTP
+	// 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate,
+	// TLS keypair provided
+	//
+	//
+	// TLS Profile
+	//
+	//
+	// 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough
+	//
+	//
+	// "Distinct" Listeners have the following property:
+	//
+	//
+	// The implementation can match inbound requests to a single
+	// distinct
+	// Listener. When multiple Listeners share values for fields (for
+	// example, two Listeners with the same Port value), the
+	// implementation
+	// can match requests to only one of the Listeners using other
+	// Listener fields.
+	//
+	//
+	// For example, the following Listener scenarios are distinct:
+	//
+	//
+	// 1. Multiple Listeners with the same Port that all use the
+	// "HTTP"
+	// Protocol that all have unique Hostname values.
+	// 2. Multiple Listeners with the same Port that use either the
+	// "HTTPS" or
+	// "TLS" Protocol that all have unique Hostname values.
+	// 3. A mixture of "TCP" and "UDP" Protocol Listeners, where no
+	// Listener
+	// with the same Protocol has the same Port value.
+	//
+	//
+	// Some fields in the Listener struct have possible values that
+	// affect
+	// whether the Listener is distinct. Hostname is particularly
+	// relevant
+	// for HTTP or HTTPS protocols.
+	//
+	//
+	// When using the Hostname value to select between same-Port,
+	// same-Protocol
+	// Listeners, the Hostname value must be different on each
+	// Listener for the
+	// Listener to be distinct.
+	//
+	//
+	// When the Listeners are distinct based on Hostname, inbound
+	// request
+	// hostnames MUST match from the most specific to least specific
+	// Hostname
+	// values to choose the correct Listener and its associated set of
+	// Routes.
+	//
+	//
+	// Exact matches must be processed before wildcard matches, and
+	// wildcard
+	// matches must be processed before fallback (empty Hostname
+	// value)
+	// matches. For example, `"foo.example.com"` takes precedence over
+	// `"*.example.com"`, and `"*.example.com"` takes precedence over
+	// `""`.
+	//
+	//
+	// Additionally, if there are multiple wildcard entries, more
+	// specific
+	// wildcard entries must be processed before less specific
+	// wildcard entries.
+	// For example, `"*.foo.example.com"` takes precedence over
+	// `"*.example.com"`.
+	// The precise definition here is that the higher the number of
+	// dots in the
+	// hostname to the right of the wildcard character, the higher the
+	// precedence.
+	//
+	//
+	// The wildcard character will match any number of characters _and
+	// dots_ to
+	// the left, however, so `"*.example.com"` will match both
+	// `"foo.bar.example.com"` _and_ `"bar.example.com"`.
+	//
+	//
+	// If a set of Listeners contains Listeners that are not distinct,
+	// then those
+	// Listeners are Conflicted, and the implementation MUST set the
+	// "Conflicted"
+	// condition in the Listener Status to "True".
+	//
+	//
+	// Implementations MAY choose to accept a Gateway with some
+	// Conflicted
+	// Listeners only if they only accept the partial Listener set
+	// that contains
+	// no Conflicted Listeners. To put this another way,
+	// implementations may
+	// accept a partial Listener set only if they throw out *all* the
+	// conflicting
+	// Listeners. No picking one of the conflicting listeners as the
+	// winner.
+	// This also means that the Gateway must have at least one
+	// non-conflicting
+	// Listener in this case, otherwise it violates the requirement
+	// that at
+	// least one Listener must be present.
+	//
+	//
+	// The implementation MUST set a "ListenersNotValid" condition on
+	// the
+	// Gateway Status when the Gateway contains Conflicted Listeners
+	// whether or
+	// not they accept the Gateway. That Condition SHOULD clearly
+	// indicate in the Message which Listeners are conflicted, and
+	// which are
+	// Accepted. Additionally, the Listener status for those listeners
+	// SHOULD
+	// indicate which Listeners are conflicted and not Accepted.
+	//
+	//
+	// A Gateway's Listeners are considered "compatible" if:
+	//
+	//
+	// 1. They are distinct.
+	// 2. The implementation can serve them in compliance with the
+	// Addresses
+	// requirement that all Listeners are available on all assigned
+	// addresses.
+	//
+	//
+	// Compatible combinations in Extended support are expected to
+	// vary across
+	// implementations. A combination that is compatible for one
+	// implementation
+	// may not be compatible for another.
+	//
+	//
+	// For example, an implementation that cannot serve both TCP and
+	// UDP listeners
+	// on the same address, or cannot mix HTTPS and generic TLS
+	// listens on the same port
+	// would not consider those cases compatible, even though they are
+	// distinct.
+	//
+	//
+	// Note that requests SHOULD match at most one Listener. For
+	// example, if
+	// Listeners are defined for "foo.example.com" and
+	// "*.example.com", a
+	// request to "foo.example.com" SHOULD only be routed using routes
+	// attached
+	// to the "foo.example.com" Listener (and not the "*.example.com"
+	// Listener).
+	// This concept is known as "Listener Isolation". Implementations
+	// that do
+	// not support Listener Isolation MUST clearly document this.
+	//
+	//
+	// Implementations MAY merge separate Gateways onto a single set
+	// of
+	// Addresses if all Listeners across all Gateways are compatible.
+	//
+	//
+	// Support: Core
+	listeners: list.MaxItems(64) & [...{
+		// AllowedRoutes defines the types of routes that MAY be attached
+		// to a
+		// Listener and the trusted namespaces where those Route resources
+		// MAY be
+		// present.
+		//
+		//
+		// Although a client request may match multiple route rules, only
+		// one rule
+		// may ultimately receive the request. Matching precedence MUST be
+		// determined in order of the following criteria:
+		//
+		//
+		// * The most specific match as defined by the Route type.
+		// * The oldest Route based on creation timestamp. For example, a
+		// Route with
+		// a creation timestamp of "2020-09-08 01:02:03" is given
+		// precedence over
+		// a Route with a creation timestamp of "2020-09-08 01:02:04".
+		// * If everything else is equivalent, the Route appearing first
+		// in
+		// alphabetical order (namespace/name) should be given precedence.
+		// For
+		// example, foo/bar is given precedence over foo/baz.
+		//
+		//
+		// All valid rules within a Route attached to this Listener should
+		// be
+		// implemented. Invalid Route rules can be ignored (sometimes that
+		// will mean
+		// the full Route). If a Route rule transitions from valid to
+		// invalid,
+		// support for that Route rule should be dropped to ensure
+		// consistency. For
+		// example, even if a filter specified by a Route rule is invalid,
+		// the rest
+		// of the rules within that Route should still be supported.
+		//
+		//
+		// Support: Core
+		allowedRoutes?: {
+			// Kinds specifies the groups and kinds of Routes that are allowed
+			// to bind
+			// to this Gateway Listener. When unspecified or empty, the kinds
+			// of Routes
+			// selected are determined using the Listener protocol.
+			//
+			//
+			// A RouteGroupKind MUST correspond to kinds of Routes that are
+			// compatible
+			// with the application protocol specified in the Listener's
+			// Protocol field.
+			// If an implementation does not support or recognize this
+			// resource type, it
+			// MUST set the "ResolvedRefs" condition to False for this
+			// Listener with the
+			// "InvalidRouteKinds" reason.
+			//
+			//
+			// Support: Core
+			kinds?: list.MaxItems(8) & [...{
+				// Group is the group of the Route.
+				group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"gateway.networking.k8s.io"
+
+				// Kind is the kind of the Route.
+				kind: strings.MaxRunes(63) & strings.MinRunes(1) & {
+					=~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$"
+				}
+			}]
+
+			// Namespaces indicates namespaces from which Routes may be
+			// attached to this
+			// Listener. This is restricted to the namespace of this Gateway
+			// by default.
+			//
+			//
+			// Support: Core
+			namespaces?: {
+				// From indicates where Routes will be selected for this Gateway.
+				// Possible
+				// values are:
+				//
+				//
+				// * All: Routes in all namespaces may be used by this Gateway.
+				// * Selector: Routes in namespaces selected by the selector may
+				// be used by
+				// this Gateway.
+				// * Same: Only Routes in the same namespace may be used by this
+				// Gateway.
+				//
+				//
+				// Support: Core
+				from?: "All" | "Selector" | "Same" | *"Same"
+
+				// Selector must be specified when From is set to "Selector". In
+				// that case,
+				// only Routes in Namespaces matching this Selector will be
+				// selected by this
+				// Gateway. This field is ignored for other values of "From".
+				//
+				//
+				// Support: Core
+				selector?: {
+					// matchExpressions is a list of label selector requirements. The
+					// requirements are ANDed.
+					matchExpressions?: [...{
+						// key is the label key that the selector applies to.
+						key: string
+
+						// operator represents a key's relationship to a set of values.
+						// Valid operators are In, NotIn, Exists and DoesNotExist.
+						operator: string
+
+						// values is an array of string values. If the operator is In or
+						// NotIn,
+						// the values array must be non-empty. If the operator is Exists
+						// or DoesNotExist,
+						// the values array must be empty. This array is replaced during a
+						// strategic
+						// merge patch.
+						values?: [...string]
+					}]
+
+					// matchLabels is a map of {key,value} pairs. A single {key,value}
+					// in the matchLabels
+					// map is equivalent to an element of matchExpressions, whose key
+					// field is "key", the
+					// operator is "In", and the values array contains only "value".
+					// The requirements are ANDed.
+					matchLabels?: {
+						[string]: string
+					}
+				}
+			} | *{
+				from: "Same"
+			}
+		} | *{
+			namespaces: {
+				from: "Same"
+			}
+		}
+
+		// Hostname specifies the virtual hostname to match for protocol
+		// types that
+		// define this concept. When unspecified, all hostnames are
+		// matched. This
+		// field is ignored for protocols that don't require hostname
+		// based
+		// matching.
+		//
+		//
+		// Implementations MUST apply Hostname matching appropriately for
+		// each of
+		// the following protocols:
+		//
+		//
+		// * TLS: The Listener Hostname MUST match the SNI.
+		// * HTTP: The Listener Hostname MUST match the Host header of the
+		// request.
+		// * HTTPS: The Listener Hostname SHOULD match at both the TLS and
+		// HTTP
+		// protocol layers as described above. If an implementation does
+		// not
+		// ensure that both the SNI and Host header match the Listener
+		// hostname,
+		// it MUST clearly document that.
+		//
+		//
+		// For HTTPRoute and TLSRoute resources, there is an interaction
+		// with the
+		// `spec.hostnames` array. When both listener and route specify
+		// hostnames,
+		// there MUST be an intersection between the values for a Route to
+		// be
+		// accepted. For more information, refer to the Route specific
+		// Hostnames
+		// documentation.
+		//
+		//
+		// Hostnames that are prefixed with a wildcard label (`*.`) are
+		// interpreted
+		// as a suffix match. That means that a match for `*.example.com`
+		// would match
+		// both `test.example.com`, and `foo.test.example.com`, but not
+		// `example.com`.
+		//
+		//
+		// Support: Core
+		hostname?: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			=~"^(\\*\\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"
+		}
+
+		// Name is the name of the Listener. This name MUST be unique
+		// within a
+		// Gateway.
+		//
+		//
+		// Support: Core
+		name: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			=~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"
+		}
+
+		// Port is the network port. Multiple listeners may use the
+		// same port, subject to the Listener compatibility rules.
+		//
+		//
+		// Support: Core
+		port: uint16 & >=1
+
+		// Protocol specifies the network protocol this listener expects
+		// to receive.
+		//
+		//
+		// Support: Core
+		protocol: strings.MaxRunes(255) & strings.MinRunes(1) & {
+			=~"^[a-zA-Z0-9]([-a-zSA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\\/[A-Za-z0-9]+$"
+		}
+
+		// TLS is the TLS configuration for the Listener. This field is
+		// required if
+		// the Protocol field is "HTTPS" or "TLS". It is invalid to set
+		// this field
+		// if the Protocol field is "HTTP", "TCP", or "UDP".
+		//
+		//
+		// The association of SNIs to Certificate defined in
+		// GatewayTLSConfig is
+		// defined based on the Hostname field for this listener.
+		//
+		//
+		// The GatewayClass MUST use the longest matching SNI out of all
+		// available certificates for any TLS handshake.
+		//
+		//
+		// Support: Core
+		tls?: {
+			// CertificateRefs contains a series of references to Kubernetes
+			// objects that
+			// contains TLS certificates and private keys. These certificates
+			// are used to
+			// establish a TLS handshake for requests that match the hostname
+			// of the
+			// associated listener.
+			//
+			//
+			// A single CertificateRef to a Kubernetes Secret has "Core"
+			// support.
+			// Implementations MAY choose to support attaching multiple
+			// certificates to
+			// a Listener, but this behavior is implementation-specific.
+			//
+			//
+			// References to a resource in different namespace are invalid
+			// UNLESS there
+			// is a ReferenceGrant in the target namespace that allows the
+			// certificate
+			// to be attached. If a ReferenceGrant does not allow this
+			// reference, the
+			// "ResolvedRefs" condition MUST be set to False for this listener
+			// with the
+			// "RefNotPermitted" reason.
+			//
+			//
+			// This field is required to have at least one element when the
+			// mode is set
+			// to "Terminate" (default) and is optional otherwise.
+			//
+			//
+			// CertificateRefs can reference to standard Kubernetes resources,
+			// i.e.
+			// Secret, or implementation-specific custom resources.
+			//
+			//
+			// Support: Core - A single reference to a Kubernetes Secret of
+			// type kubernetes.io/tls
+			//
+			//
+			// Support: Implementation-specific (More than one reference or
+			// other resource types)
+			certificateRefs?: list.MaxItems(64) & [...{
+				// Group is the group of the referent. For example,
+				// "gateway.networking.k8s.io".
+				// When unspecified or empty string, core API group is inferred.
+				group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *""
+
+				// Kind is kind of the referent. For example "Secret".
+				kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Secret"
+
+				// Name is the name of the referent.
+				name: strings.MaxRunes(253) & strings.MinRunes(1)
+
+				// Namespace is the namespace of the referenced object. When
+				// unspecified, the local
+				// namespace is inferred.
+				//
+				//
+				// Note that when a namespace different than the local namespace
+				// is specified,
+				// a ReferenceGrant object is required in the referent namespace
+				// to allow that
+				// namespace's owner to accept the reference. See the
+				// ReferenceGrant
+				// documentation for details.
+				//
+				//
+				// Support: Core
+				namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & {
+					=~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$"
+				}
+			}]
+
+			// Mode defines the TLS behavior for the TLS session initiated by
+			// the client.
+			// There are two possible modes:
+			//
+			//
+			// - Terminate: The TLS session between the downstream client and
+			// the
+			// Gateway is terminated at the Gateway. This mode requires
+			// certificates
+			// to be specified in some way, such as populating the
+			// certificateRefs
+			// field.
+			// - Passthrough: The TLS session is NOT terminated by the
+			// Gateway. This
+			// implies that the Gateway can't decipher the TLS stream except
+			// for
+			// the ClientHello message of the TLS protocol. The
+			// certificateRefs field
+			// is ignored in this mode.
+			//
+			//
+			// Support: Core
+			mode?: "Terminate" | "Passthrough" | *"Terminate"
+
+			// Options are a list of key/value pairs to enable extended TLS
+			// configuration for each implementation. For example, configuring
+			// the
+			// minimum TLS version or supported cipher suites.
+			//
+			//
+			// A set of common keys MAY be defined by the API in the future.
+			// To avoid
+			// any ambiguity, implementation-specific definitions MUST use
+			// domain-prefixed names, such as `example.com/my-custom-option`.
+			// Un-prefixed names are reserved for key names defined by Gateway
+			// API.
+			//
+			//
+			// Support: Implementation-specific
+			options?: struct.MaxFields(16) & {
+				{
+					[string]: strings.MaxRunes(4096) & strings.MinRunes(0)
+				}
+			}
+		}
+	}] & [_, ...]
+}

internal/generate/platforms/cue.mod/gen/gateway.networking.k8s.io/gateway/v1beta1/types_gen.cue

@@ -0,0 +1,672 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f deploy/clusters/aws1/components/gateway-api/gateway-api.gen.yaml
+
+package v1beta1
+
+import (
+	"strings"
+	"list"
+	"struct"
+)
+
+// Gateway represents an instance of a service-traffic handling
+// infrastructure
+// by binding Listeners to a set of IP addresses.
+#Gateway: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object.
+	// Servers should convert recognized schemas to the latest
+	// internal value, and
+	// may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "gateway.networking.k8s.io/v1beta1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents.
+	// Servers may infer this from the endpoint the client submits
+	// requests to.
+	// Cannot be updated.
+	// In CamelCase.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Gateway"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// Spec defines the desired state of Gateway.
+	spec!: #GatewaySpec
+}
+
+// Spec defines the desired state of Gateway.
+#GatewaySpec: {
+	// Addresses requested for this Gateway. This is optional and
+	// behavior can
+	// depend on the implementation. If a value is set in the spec and
+	// the
+	// requested address is invalid or unavailable, the implementation
+	// MUST
+	// indicate this in the associated entry in
+	// GatewayStatus.Addresses.
+	//
+	//
+	// The Addresses field represents a request for the address(es) on
+	// the
+	// "outside of the Gateway", that traffic bound for this Gateway
+	// will use.
+	// This could be the IP address or hostname of an external load
+	// balancer or
+	// other networking infrastructure, or some other address that
+	// traffic will
+	// be sent to.
+	//
+	//
+	// If no Addresses are specified, the implementation MAY schedule
+	// the
+	// Gateway in an implementation-specific manner, assigning an
+	// appropriate
+	// set of Addresses.
+	//
+	//
+	// The implementation MUST bind all Listeners to every
+	// GatewayAddress that
+	// it assigns to the Gateway and add a corresponding entry in
+	// GatewayStatus.Addresses.
+	//
+	//
+	// Support: Extended
+	addresses?: list.MaxItems(16) & [...({
+		type?: "IPAddress"
+		value?: (_ | _) & {
+			_
+		}
+	} | {
+		type?: _
+	}) & {
+		// Type of the address.
+		type?: strings.MaxRunes(253) & strings.MinRunes(1) & =~"^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\\/[A-Za-z0-9\\/\\-._~%!$&'()*+,;=:]+$" | *"IPAddress"
+
+		// Value of the address. The validity of the values will depend
+		// on the type and support by the controller.
+		//
+		//
+		// Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
+		value: strings.MaxRunes(253) & strings.MinRunes(1)
+	}]
+
+	// GatewayClassName used for this Gateway. This is the name of a
+	// GatewayClass resource.
+	gatewayClassName: strings.MaxRunes(253) & strings.MinRunes(1)
+
+	// Listeners associated with this Gateway. Listeners define
+	// logical endpoints that are bound on this Gateway's addresses.
+	// At least one Listener MUST be specified.
+	//
+	//
+	// Each Listener in a set of Listeners (for example, in a single
+	// Gateway)
+	// MUST be _distinct_, in that a traffic flow MUST be able to be
+	// assigned to
+	// exactly one listener. (This section uses "set of Listeners"
+	// rather than
+	// "Listeners in a single Gateway" because implementations MAY
+	// merge configuration
+	// from multiple Gateways onto a single data plane, and these
+	// rules _also_
+	// apply in that case).
+	//
+	//
+	// Practically, this means that each listener in a set MUST have a
+	// unique
+	// combination of Port, Protocol, and, if supported by the
+	// protocol, Hostname.
+	//
+	//
+	// Some combinations of port, protocol, and TLS settings are
+	// considered
+	// Core support and MUST be supported by implementations based on
+	// their
+	// targeted conformance profile:
+	//
+	//
+	// HTTP Profile
+	//
+	//
+	// 1. HTTPRoute, Port: 80, Protocol: HTTP
+	// 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate,
+	// TLS keypair provided
+	//
+	//
+	// TLS Profile
+	//
+	//
+	// 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough
+	//
+	//
+	// "Distinct" Listeners have the following property:
+	//
+	//
+	// The implementation can match inbound requests to a single
+	// distinct
+	// Listener. When multiple Listeners share values for fields (for
+	// example, two Listeners with the same Port value), the
+	// implementation
+	// can match requests to only one of the Listeners using other
+	// Listener fields.
+	//
+	//
+	// For example, the following Listener scenarios are distinct:
+	//
+	//
+	// 1. Multiple Listeners with the same Port that all use the
+	// "HTTP"
+	// Protocol that all have unique Hostname values.
+	// 2. Multiple Listeners with the same Port that use either the
+	// "HTTPS" or
+	// "TLS" Protocol that all have unique Hostname values.
+	// 3. A mixture of "TCP" and "UDP" Protocol Listeners, where no
+	// Listener
+	// with the same Protocol has the same Port value.
+	//
+	//
+	// Some fields in the Listener struct have possible values that
+	// affect
+	// whether the Listener is distinct. Hostname is particularly
+	// relevant
+	// for HTTP or HTTPS protocols.
+	//
+	//
+	// When using the Hostname value to select between same-Port,
+	// same-Protocol
+	// Listeners, the Hostname value must be different on each
+	// Listener for the
+	// Listener to be distinct.
+	//
+	//
+	// When the Listeners are distinct based on Hostname, inbound
+	// request
+	// hostnames MUST match from the most specific to least specific
+	// Hostname
+	// values to choose the correct Listener and its associated set of
+	// Routes.
+	//
+	//
+	// Exact matches must be processed before wildcard matches, and
+	// wildcard
+	// matches must be processed before fallback (empty Hostname
+	// value)
+	// matches. For example, `"foo.example.com"` takes precedence over
+	// `"*.example.com"`, and `"*.example.com"` takes precedence over
+	// `""`.
+	//
+	//
+	// Additionally, if there are multiple wildcard entries, more
+	// specific
+	// wildcard entries must be processed before less specific
+	// wildcard entries.
+	// For example, `"*.foo.example.com"` takes precedence over
+	// `"*.example.com"`.
+	// The precise definition here is that the higher the number of
+	// dots in the
+	// hostname to the right of the wildcard character, the higher the
+	// precedence.
+	//
+	//
+	// The wildcard character will match any number of characters _and
+	// dots_ to
+	// the left, however, so `"*.example.com"` will match both
+	// `"foo.bar.example.com"` _and_ `"bar.example.com"`.
+	//
+	//
+	// If a set of Listeners contains Listeners that are not distinct,
+	// then those
+	// Listeners are Conflicted, and the implementation MUST set the
+	// "Conflicted"
+	// condition in the Listener Status to "True".
+	//
+	//
+	// Implementations MAY choose to accept a Gateway with some
+	// Conflicted
+	// Listeners only if they only accept the partial Listener set
+	// that contains
+	// no Conflicted Listeners. To put this another way,
+	// implementations may
+	// accept a partial Listener set only if they throw out *all* the
+	// conflicting
+	// Listeners. No picking one of the conflicting listeners as the
+	// winner.
+	// This also means that the Gateway must have at least one
+	// non-conflicting
+	// Listener in this case, otherwise it violates the requirement
+	// that at
+	// least one Listener must be present.
+	//
+	//
+	// The implementation MUST set a "ListenersNotValid" condition on
+	// the
+	// Gateway Status when the Gateway contains Conflicted Listeners
+	// whether or
+	// not they accept the Gateway. That Condition SHOULD clearly
+	// indicate in the Message which Listeners are conflicted, and
+	// which are
+	// Accepted. Additionally, the Listener status for those listeners
+	// SHOULD
+	// indicate which Listeners are conflicted and not Accepted.
+	//
+	//
+	// A Gateway's Listeners are considered "compatible" if:
+	//
+	//
+	// 1. They are distinct.
+	// 2. The implementation can serve them in compliance with the
+	// Addresses
+	// requirement that all Listeners are available on all assigned
+	// addresses.
+	//
+	//
+	// Compatible combinations in Extended support are expected to
+	// vary across
+	// implementations. A combination that is compatible for one
+	// implementation
+	// may not be compatible for another.
+	//
+	//
+	// For example, an implementation that cannot serve both TCP and
+	// UDP listeners
+	// on the same address, or cannot mix HTTPS and generic TLS
+	// listens on the same port
+	// would not consider those cases compatible, even though they are
+	// distinct.
+	//
+	//
+	// Note that requests SHOULD match at most one Listener. For
+	// example, if
+	// Listeners are defined for "foo.example.com" and
+	// "*.example.com", a
+	// request to "foo.example.com" SHOULD only be routed using routes
+	// attached
+	// to the "foo.example.com" Listener (and not the "*.example.com"
+	// Listener).
+	// This concept is known as "Listener Isolation". Implementations
+	// that do
+	// not support Listener Isolation MUST clearly document this.
+	//
+	//
+	// Implementations MAY merge separate Gateways onto a single set
+	// of
+	// Addresses if all Listeners across all Gateways are compatible.
+	//
+	//
+	// Support: Core
+	listeners: list.MaxItems(64) & [...{
+		// AllowedRoutes defines the types of routes that MAY be attached
+		// to a
+		// Listener and the trusted namespaces where those Route resources
+		// MAY be
+		// present.
+		//
+		//
+		// Although a client request may match multiple route rules, only
+		// one rule
+		// may ultimately receive the request. Matching precedence MUST be
+		// determined in order of the following criteria:
+		//
+		//
+		// * The most specific match as defined by the Route type.
+		// * The oldest Route based on creation timestamp. For example, a
+		// Route with
+		// a creation timestamp of "2020-09-08 01:02:03" is given
+		// precedence over
+		// a Route with a creation timestamp of "2020-09-08 01:02:04".
+		// * If everything else is equivalent, the Route appearing first
+		// in
+		// alphabetical order (namespace/name) should be given precedence.
+		// For
+		// example, foo/bar is given precedence over foo/baz.
+		//
+		//
+		// All valid rules within a Route attached to this Listener should
+		// be
+		// implemented. Invalid Route rules can be ignored (sometimes that
+		// will mean
+		// the full Route). If a Route rule transitions from valid to
+		// invalid,
+		// support for that Route rule should be dropped to ensure
+		// consistency. For
+		// example, even if a filter specified by a Route rule is invalid,
+		// the rest
+		// of the rules within that Route should still be supported.
+		//
+		//
+		// Support: Core
+		allowedRoutes?: {
+			// Kinds specifies the groups and kinds of Routes that are allowed
+			// to bind
+			// to this Gateway Listener. When unspecified or empty, the kinds
+			// of Routes
+			// selected are determined using the Listener protocol.
+			//
+			//
+			// A RouteGroupKind MUST correspond to kinds of Routes that are
+			// compatible
+			// with the application protocol specified in the Listener's
+			// Protocol field.
+			// If an implementation does not support or recognize this
+			// resource type, it
+			// MUST set the "ResolvedRefs" condition to False for this
+			// Listener with the
+			// "InvalidRouteKinds" reason.
+			//
+			//
+			// Support: Core
+			kinds?: list.MaxItems(8) & [...{
+				// Group is the group of the Route.
+				group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"gateway.networking.k8s.io"
+
+				// Kind is the kind of the Route.
+				kind: strings.MaxRunes(63) & strings.MinRunes(1) & {
+					=~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$"
+				}
+			}]
+
+			// Namespaces indicates namespaces from which Routes may be
+			// attached to this
+			// Listener. This is restricted to the namespace of this Gateway
+			// by default.
+			//
+			//
+			// Support: Core
+			namespaces?: {
+				// From indicates where Routes will be selected for this Gateway.
+				// Possible
+				// values are:
+				//
+				//
+				// * All: Routes in all namespaces may be used by this Gateway.
+				// * Selector: Routes in namespaces selected by the selector may
+				// be used by
+				// this Gateway.
+				// * Same: Only Routes in the same namespace may be used by this
+				// Gateway.
+				//
+				//
+				// Support: Core
+				from?: "All" | "Selector" | "Same" | *"Same"
+
+				// Selector must be specified when From is set to "Selector". In
+				// that case,
+				// only Routes in Namespaces matching this Selector will be
+				// selected by this
+				// Gateway. This field is ignored for other values of "From".
+				//
+				//
+				// Support: Core
+				selector?: {
+					// matchExpressions is a list of label selector requirements. The
+					// requirements are ANDed.
+					matchExpressions?: [...{
+						// key is the label key that the selector applies to.
+						key: string
+
+						// operator represents a key's relationship to a set of values.
+						// Valid operators are In, NotIn, Exists and DoesNotExist.
+						operator: string
+
+						// values is an array of string values. If the operator is In or
+						// NotIn,
+						// the values array must be non-empty. If the operator is Exists
+						// or DoesNotExist,
+						// the values array must be empty. This array is replaced during a
+						// strategic
+						// merge patch.
+						values?: [...string]
+					}]
+
+					// matchLabels is a map of {key,value} pairs. A single {key,value}
+					// in the matchLabels
+					// map is equivalent to an element of matchExpressions, whose key
+					// field is "key", the
+					// operator is "In", and the values array contains only "value".
+					// The requirements are ANDed.
+					matchLabels?: {
+						[string]: string
+					}
+				}
+			} | *{
+				from: "Same"
+			}
+		} | *{
+			namespaces: {
+				from: "Same"
+			}
+		}
+
+		// Hostname specifies the virtual hostname to match for protocol
+		// types that
+		// define this concept. When unspecified, all hostnames are
+		// matched. This
+		// field is ignored for protocols that don't require hostname
+		// based
+		// matching.
+		//
+		//
+		// Implementations MUST apply Hostname matching appropriately for
+		// each of
+		// the following protocols:
+		//
+		//
+		// * TLS: The Listener Hostname MUST match the SNI.
+		// * HTTP: The Listener Hostname MUST match the Host header of the
+		// request.
+		// * HTTPS: The Listener Hostname SHOULD match at both the TLS and
+		// HTTP
+		// protocol layers as described above. If an implementation does
+		// not
+		// ensure that both the SNI and Host header match the Listener
+		// hostname,
+		// it MUST clearly document that.
+		//
+		//
+		// For HTTPRoute and TLSRoute resources, there is an interaction
+		// with the
+		// `spec.hostnames` array. When both listener and route specify
+		// hostnames,
+		// there MUST be an intersection between the values for a Route to
+		// be
+		// accepted. For more information, refer to the Route specific
+		// Hostnames
+		// documentation.
+		//
+		//
+		// Hostnames that are prefixed with a wildcard label (`*.`) are
+		// interpreted
+		// as a suffix match. That means that a match for `*.example.com`
+		// would match
+		// both `test.example.com`, and `foo.test.example.com`, but not
+		// `example.com`.
+		//
+		//
+		// Support: Core
+		hostname?: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			=~"^(\\*\\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"
+		}
+
+		// Name is the name of the Listener. This name MUST be unique
+		// within a
+		// Gateway.
+		//
+		//
+		// Support: Core
+		name: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			=~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"
+		}
+
+		// Port is the network port. Multiple listeners may use the
+		// same port, subject to the Listener compatibility rules.
+		//
+		//
+		// Support: Core
+		port: uint16 & >=1
+
+		// Protocol specifies the network protocol this listener expects
+		// to receive.
+		//
+		//
+		// Support: Core
+		protocol: strings.MaxRunes(255) & strings.MinRunes(1) & {
+			=~"^[a-zA-Z0-9]([-a-zSA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\\/[A-Za-z0-9]+$"
+		}
+
+		// TLS is the TLS configuration for the Listener. This field is
+		// required if
+		// the Protocol field is "HTTPS" or "TLS". It is invalid to set
+		// this field
+		// if the Protocol field is "HTTP", "TCP", or "UDP".
+		//
+		//
+		// The association of SNIs to Certificate defined in
+		// GatewayTLSConfig is
+		// defined based on the Hostname field for this listener.
+		//
+		//
+		// The GatewayClass MUST use the longest matching SNI out of all
+		// available certificates for any TLS handshake.
+		//
+		//
+		// Support: Core
+		tls?: {
+			// CertificateRefs contains a series of references to Kubernetes
+			// objects that
+			// contains TLS certificates and private keys. These certificates
+			// are used to
+			// establish a TLS handshake for requests that match the hostname
+			// of the
+			// associated listener.
+			//
+			//
+			// A single CertificateRef to a Kubernetes Secret has "Core"
+			// support.
+			// Implementations MAY choose to support attaching multiple
+			// certificates to
+			// a Listener, but this behavior is implementation-specific.
+			//
+			//
+			// References to a resource in different namespace are invalid
+			// UNLESS there
+			// is a ReferenceGrant in the target namespace that allows the
+			// certificate
+			// to be attached. If a ReferenceGrant does not allow this
+			// reference, the
+			// "ResolvedRefs" condition MUST be set to False for this listener
+			// with the
+			// "RefNotPermitted" reason.
+			//
+			//
+			// This field is required to have at least one element when the
+			// mode is set
+			// to "Terminate" (default) and is optional otherwise.
+			//
+			//
+			// CertificateRefs can reference to standard Kubernetes resources,
+			// i.e.
+			// Secret, or implementation-specific custom resources.
+			//
+			//
+			// Support: Core - A single reference to a Kubernetes Secret of
+			// type kubernetes.io/tls
+			//
+			//
+			// Support: Implementation-specific (More than one reference or
+			// other resource types)
+			certificateRefs?: list.MaxItems(64) & [...{
+				// Group is the group of the referent. For example,
+				// "gateway.networking.k8s.io".
+				// When unspecified or empty string, core API group is inferred.
+				group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *""
+
+				// Kind is kind of the referent. For example "Secret".
+				kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Secret"
+
+				// Name is the name of the referent.
+				name: strings.MaxRunes(253) & strings.MinRunes(1)
+
+				// Namespace is the namespace of the referenced object. When
+				// unspecified, the local
+				// namespace is inferred.
+				//
+				//
+				// Note that when a namespace different than the local namespace
+				// is specified,
+				// a ReferenceGrant object is required in the referent namespace
+				// to allow that
+				// namespace's owner to accept the reference. See the
+				// ReferenceGrant
+				// documentation for details.
+				//
+				//
+				// Support: Core
+				namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & {
+					=~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$"
+				}
+			}]
+
+			// Mode defines the TLS behavior for the TLS session initiated by
+			// the client.
+			// There are two possible modes:
+			//
+			//
+			// - Terminate: The TLS session between the downstream client and
+			// the
+			// Gateway is terminated at the Gateway. This mode requires
+			// certificates
+			// to be specified in some way, such as populating the
+			// certificateRefs
+			// field.
+			// - Passthrough: The TLS session is NOT terminated by the
+			// Gateway. This
+			// implies that the Gateway can't decipher the TLS stream except
+			// for
+			// the ClientHello message of the TLS protocol. The
+			// certificateRefs field
+			// is ignored in this mode.
+			//
+			//
+			// Support: Core
+			mode?: "Terminate" | "Passthrough" | *"Terminate"
+
+			// Options are a list of key/value pairs to enable extended TLS
+			// configuration for each implementation. For example, configuring
+			// the
+			// minimum TLS version or supported cipher suites.
+			//
+			//
+			// A set of common keys MAY be defined by the API in the future.
+			// To avoid
+			// any ambiguity, implementation-specific definitions MUST use
+			// domain-prefixed names, such as `example.com/my-custom-option`.
+			// Un-prefixed names are reserved for key names defined by Gateway
+			// API.
+			//
+			//
+			// Support: Implementation-specific
+			options?: struct.MaxFields(16) & {
+				{
+					[string]: strings.MaxRunes(4096) & strings.MinRunes(0)
+				}
+			}
+		}
+	}] & [_, ...]
+}

internal/generate/platforms/cue.mod/gen/gateway.networking.k8s.io/gatewayclass/v1/types_gen.cue

@@ -0,0 +1,149 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f deploy/clusters/aws1/components/gateway-api/gateway-api.gen.yaml
+
+package v1
+
+import "strings"
+
+// GatewayClass describes a class of Gateways available to the
+// user for creating
+// Gateway resources.
+//
+//
+// It is recommended that this resource be used as a template for
+// Gateways. This
+// means that a Gateway is based on the state of the GatewayClass
+// at the time it
+// was created and changes to the GatewayClass or associated
+// parameters are not
+// propagated down to existing Gateways. This recommendation is
+// intended to
+// limit the blast radius of changes to GatewayClass or associated
+// parameters.
+// If implementations choose to propagate GatewayClass changes to
+// existing
+// Gateways, that MUST be clearly documented by the
+// implementation.
+//
+//
+// Whenever one or more Gateways are using a GatewayClass,
+// implementations SHOULD
+// add the `gateway-exists-finalizer.gateway.networking.k8s.io`
+// finalizer on the
+// associated GatewayClass. This ensures that a GatewayClass
+// associated with a
+// Gateway is not deleted while in use.
+//
+//
+// GatewayClass is a Cluster level resource.
+#GatewayClass: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object.
+	// Servers should convert recognized schemas to the latest
+	// internal value, and
+	// may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "gateway.networking.k8s.io/v1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents.
+	// Servers may infer this from the endpoint the client submits
+	// requests to.
+	// Cannot be updated.
+	// In CamelCase.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "GatewayClass"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// Spec defines the desired state of GatewayClass.
+	spec!: #GatewayClassSpec
+}
+
+// Spec defines the desired state of GatewayClass.
+#GatewayClassSpec: {
+	// ControllerName is the name of the controller that is managing
+	// Gateways of
+	// this class. The value of this field MUST be a domain prefixed
+	// path.
+	//
+	//
+	// Example: "example.net/gateway-controller".
+	//
+	//
+	// This field is not mutable and cannot be empty.
+	//
+	//
+	// Support: Core
+	controllerName: strings.MaxRunes(253) & strings.MinRunes(1) & {
+		=~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\\/[A-Za-z0-9\\/\\-._~%!$&'()*+,;=:]+$"
+	}
+
+	// Description helps describe a GatewayClass with more details.
+	description?: strings.MaxRunes(64)
+
+	// ParametersRef is a reference to a resource that contains the
+	// configuration
+	// parameters corresponding to the GatewayClass. This is optional
+	// if the
+	// controller does not require any additional configuration.
+	//
+	//
+	// ParametersRef can reference a standard Kubernetes resource,
+	// i.e. ConfigMap,
+	// or an implementation-specific custom resource. The resource can
+	// be
+	// cluster-scoped or namespace-scoped.
+	//
+	//
+	// If the referent cannot be found, the GatewayClass's
+	// "InvalidParameters"
+	// status condition will be true.
+	//
+	//
+	// A Gateway for this GatewayClass may provide its own
+	// `parametersRef`. When both are specified,
+	// the merging behavior is implementation specific.
+	// It is generally recommended that GatewayClass provides defaults
+	// that can be overridden by a Gateway.
+	//
+	//
+	// Support: Implementation-specific
+	parametersRef?: {
+		// Group is the group of the referent.
+		group: strings.MaxRunes(253) & {
+			=~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"
+		}
+
+		// Kind is kind of the referent.
+		kind: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			=~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$"
+		}
+
+		// Name is the name of the referent.
+		name: strings.MaxRunes(253) & strings.MinRunes(1)
+
+		// Namespace is the namespace of the referent.
+		// This field is required when referring to a Namespace-scoped
+		// resource and
+		// MUST be unset when referring to a Cluster-scoped resource.
+		namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			=~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$"
+		}
+	}
+}

internal/generate/platforms/cue.mod/gen/gateway.networking.k8s.io/gatewayclass/v1beta1/types_gen.cue

@@ -0,0 +1,149 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f deploy/clusters/aws1/components/gateway-api/gateway-api.gen.yaml
+
+package v1beta1
+
+import "strings"
+
+// GatewayClass describes a class of Gateways available to the
+// user for creating
+// Gateway resources.
+//
+//
+// It is recommended that this resource be used as a template for
+// Gateways. This
+// means that a Gateway is based on the state of the GatewayClass
+// at the time it
+// was created and changes to the GatewayClass or associated
+// parameters are not
+// propagated down to existing Gateways. This recommendation is
+// intended to
+// limit the blast radius of changes to GatewayClass or associated
+// parameters.
+// If implementations choose to propagate GatewayClass changes to
+// existing
+// Gateways, that MUST be clearly documented by the
+// implementation.
+//
+//
+// Whenever one or more Gateways are using a GatewayClass,
+// implementations SHOULD
+// add the `gateway-exists-finalizer.gateway.networking.k8s.io`
+// finalizer on the
+// associated GatewayClass. This ensures that a GatewayClass
+// associated with a
+// Gateway is not deleted while in use.
+//
+//
+// GatewayClass is a Cluster level resource.
+#GatewayClass: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object.
+	// Servers should convert recognized schemas to the latest
+	// internal value, and
+	// may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "gateway.networking.k8s.io/v1beta1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents.
+	// Servers may infer this from the endpoint the client submits
+	// requests to.
+	// Cannot be updated.
+	// In CamelCase.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "GatewayClass"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// Spec defines the desired state of GatewayClass.
+	spec!: #GatewayClassSpec
+}
+
+// Spec defines the desired state of GatewayClass.
+#GatewayClassSpec: {
+	// ControllerName is the name of the controller that is managing
+	// Gateways of
+	// this class. The value of this field MUST be a domain prefixed
+	// path.
+	//
+	//
+	// Example: "example.net/gateway-controller".
+	//
+	//
+	// This field is not mutable and cannot be empty.
+	//
+	//
+	// Support: Core
+	controllerName: strings.MaxRunes(253) & strings.MinRunes(1) & {
+		=~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\\/[A-Za-z0-9\\/\\-._~%!$&'()*+,;=:]+$"
+	}
+
+	// Description helps describe a GatewayClass with more details.
+	description?: strings.MaxRunes(64)
+
+	// ParametersRef is a reference to a resource that contains the
+	// configuration
+	// parameters corresponding to the GatewayClass. This is optional
+	// if the
+	// controller does not require any additional configuration.
+	//
+	//
+	// ParametersRef can reference a standard Kubernetes resource,
+	// i.e. ConfigMap,
+	// or an implementation-specific custom resource. The resource can
+	// be
+	// cluster-scoped or namespace-scoped.
+	//
+	//
+	// If the referent cannot be found, the GatewayClass's
+	// "InvalidParameters"
+	// status condition will be true.
+	//
+	//
+	// A Gateway for this GatewayClass may provide its own
+	// `parametersRef`. When both are specified,
+	// the merging behavior is implementation specific.
+	// It is generally recommended that GatewayClass provides defaults
+	// that can be overridden by a Gateway.
+	//
+	//
+	// Support: Implementation-specific
+	parametersRef?: {
+		// Group is the group of the referent.
+		group: strings.MaxRunes(253) & {
+			=~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"
+		}
+
+		// Kind is kind of the referent.
+		kind: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			=~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$"
+		}
+
+		// Name is the name of the referent.
+		name: strings.MaxRunes(253) & strings.MinRunes(1)
+
+		// Namespace is the namespace of the referent.
+		// This field is required when referring to a Namespace-scoped
+		// resource and
+		// MUST be unset when referring to a Cluster-scoped resource.
+		namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			=~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$"
+		}
+	}
+}

internal/generate/platforms/cue.mod/gen/gateway.networking.k8s.io/referencegrant/v1alpha2/types_gen.cue

@@ -0,0 +1,183 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f deploy/clusters/aws1/components/gateway-api/gateway-api.gen.yaml
+
+package v1alpha2
+
+import (
+	"strings"
+	"list"
+)
+
+// ReferenceGrant identifies kinds of resources in other
+// namespaces that are
+// trusted to reference the specified kinds of resources in the
+// same namespace
+// as the policy.
+//
+//
+// Each ReferenceGrant can be used to represent a unique trust
+// relationship.
+// Additional Reference Grants can be used to add to the set of
+// trusted
+// sources of inbound references for the namespace they are
+// defined within.
+//
+//
+// A ReferenceGrant is required for all cross-namespace references
+// in Gateway API
+// (with the exception of cross-namespace Route-Gateway
+// attachment, which is
+// governed by the AllowedRoutes configuration on the Gateway, and
+// cross-namespace
+// Service ParentRefs on a "consumer" mesh Route, which defines
+// routing rules
+// applicable only to workloads in the Route namespace).
+// ReferenceGrants allowing
+// a reference from a Route to a Service are only applicable to
+// BackendRefs.
+//
+//
+// ReferenceGrant is a form of runtime verification allowing users
+// to assert
+// which cross-namespace object references are permitted.
+// Implementations that
+// support ReferenceGrant MUST NOT permit cross-namespace
+// references which have
+// no grant, and MUST respond to the removal of a grant by
+// revoking the access
+// that the grant allowed.
+#ReferenceGrant: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object.
+	// Servers should convert recognized schemas to the latest
+	// internal value, and
+	// may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "gateway.networking.k8s.io/v1alpha2"
+
+	// Kind is a string value representing the REST resource this
+	// object represents.
+	// Servers may infer this from the endpoint the client submits
+	// requests to.
+	// Cannot be updated.
+	// In CamelCase.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "ReferenceGrant"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// Spec defines the desired state of ReferenceGrant.
+	spec!: #ReferenceGrantSpec
+}
+
+// Spec defines the desired state of ReferenceGrant.
+#ReferenceGrantSpec: {
+	// From describes the trusted namespaces and kinds that can
+	// reference the
+	// resources described in "To". Each entry in this list MUST be
+	// considered
+	// to be an additional place that references can be valid from, or
+	// to put
+	// this another way, entries MUST be combined using OR.
+	//
+	//
+	// Support: Core
+	from: list.MaxItems(16) & [...{
+		// Group is the group of the referent.
+		// When empty, the Kubernetes core API group is inferred.
+		//
+		//
+		// Support: Core
+		group: strings.MaxRunes(253) & {
+			=~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"
+		}
+
+		// Kind is the kind of the referent. Although implementations may
+		// support
+		// additional resources, the following types are part of the
+		// "Core"
+		// support level for this field.
+		//
+		//
+		// When used to permit a SecretObjectReference:
+		//
+		//
+		// * Gateway
+		//
+		//
+		// When used to permit a BackendObjectReference:
+		//
+		//
+		// * GRPCRoute
+		// * HTTPRoute
+		// * TCPRoute
+		// * TLSRoute
+		// * UDPRoute
+		kind: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			=~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$"
+		}
+
+		// Namespace is the namespace of the referent.
+		//
+		//
+		// Support: Core
+		namespace: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			=~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$"
+		}
+	}] & [_, ...]
+
+	// To describes the resources that may be referenced by the
+	// resources
+	// described in "From". Each entry in this list MUST be considered
+	// to be an
+	// additional place that references can be valid to, or to put
+	// this another
+	// way, entries MUST be combined using OR.
+	//
+	//
+	// Support: Core
+	to: list.MaxItems(16) & [...{
+		// Group is the group of the referent.
+		// When empty, the Kubernetes core API group is inferred.
+		//
+		//
+		// Support: Core
+		group: strings.MaxRunes(253) & {
+			=~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"
+		}
+
+		// Kind is the kind of the referent. Although implementations may
+		// support
+		// additional resources, the following types are part of the
+		// "Core"
+		// support level for this field:
+		//
+		//
+		// * Secret when used to permit a SecretObjectReference
+		// * Service when used to permit a BackendObjectReference
+		kind: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			=~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$"
+		}
+
+		// Name is the name of the referent. When unspecified, this policy
+		// refers to all resources of the specified Group and Kind in the
+		// local
+		// namespace.
+		name?: strings.MaxRunes(253) & strings.MinRunes(1)
+	}] & [_, ...]
+}

internal/generate/platforms/cue.mod/gen/gateway.networking.k8s.io/referencegrant/v1beta1/types_gen.cue

@@ -0,0 +1,174 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f deploy/clusters/aws1/components/gateway-api/gateway-api.gen.yaml
+
+package v1beta1
+
+import (
+	"strings"
+	"list"
+)
+
+// ReferenceGrant identifies kinds of resources in other
+// namespaces that are
+// trusted to reference the specified kinds of resources in the
+// same namespace
+// as the policy.
+//
+//
+// Each ReferenceGrant can be used to represent a unique trust
+// relationship.
+// Additional Reference Grants can be used to add to the set of
+// trusted
+// sources of inbound references for the namespace they are
+// defined within.
+//
+//
+// All cross-namespace references in Gateway API (with the
+// exception of cross-namespace
+// Gateway-route attachment) require a ReferenceGrant.
+//
+//
+// ReferenceGrant is a form of runtime verification allowing users
+// to assert
+// which cross-namespace object references are permitted.
+// Implementations that
+// support ReferenceGrant MUST NOT permit cross-namespace
+// references which have
+// no grant, and MUST respond to the removal of a grant by
+// revoking the access
+// that the grant allowed.
+#ReferenceGrant: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object.
+	// Servers should convert recognized schemas to the latest
+	// internal value, and
+	// may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "gateway.networking.k8s.io/v1beta1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents.
+	// Servers may infer this from the endpoint the client submits
+	// requests to.
+	// Cannot be updated.
+	// In CamelCase.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "ReferenceGrant"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// Spec defines the desired state of ReferenceGrant.
+	spec!: #ReferenceGrantSpec
+}
+
+// Spec defines the desired state of ReferenceGrant.
+#ReferenceGrantSpec: {
+	// From describes the trusted namespaces and kinds that can
+	// reference the
+	// resources described in "To". Each entry in this list MUST be
+	// considered
+	// to be an additional place that references can be valid from, or
+	// to put
+	// this another way, entries MUST be combined using OR.
+	//
+	//
+	// Support: Core
+	from: list.MaxItems(16) & [...{
+		// Group is the group of the referent.
+		// When empty, the Kubernetes core API group is inferred.
+		//
+		//
+		// Support: Core
+		group: strings.MaxRunes(253) & {
+			=~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"
+		}
+
+		// Kind is the kind of the referent. Although implementations may
+		// support
+		// additional resources, the following types are part of the
+		// "Core"
+		// support level for this field.
+		//
+		//
+		// When used to permit a SecretObjectReference:
+		//
+		//
+		// * Gateway
+		//
+		//
+		// When used to permit a BackendObjectReference:
+		//
+		//
+		// * GRPCRoute
+		// * HTTPRoute
+		// * TCPRoute
+		// * TLSRoute
+		// * UDPRoute
+		kind: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			=~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$"
+		}
+
+		// Namespace is the namespace of the referent.
+		//
+		//
+		// Support: Core
+		namespace: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			=~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$"
+		}
+	}] & [_, ...]
+
+	// To describes the resources that may be referenced by the
+	// resources
+	// described in "From". Each entry in this list MUST be considered
+	// to be an
+	// additional place that references can be valid to, or to put
+	// this another
+	// way, entries MUST be combined using OR.
+	//
+	//
+	// Support: Core
+	to: list.MaxItems(16) & [...{
+		// Group is the group of the referent.
+		// When empty, the Kubernetes core API group is inferred.
+		//
+		//
+		// Support: Core
+		group: strings.MaxRunes(253) & {
+			=~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"
+		}
+
+		// Kind is the kind of the referent. Although implementations may
+		// support
+		// additional resources, the following types are part of the
+		// "Core"
+		// support level for this field:
+		//
+		//
+		// * Secret when used to permit a SecretObjectReference
+		// * Service when used to permit a BackendObjectReference
+		kind: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			=~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$"
+		}
+
+		// Name is the name of the referent. When unspecified, this policy
+		// refers to all resources of the specified Group and Kind in the
+		// local
+		// namespace.
+		name?: strings.MaxRunes(253) & strings.MinRunes(1)
+	}] & [_, ...]
+}

internal/generate/platforms/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/buildplan_go_gen.cue

@@ -16,6 +16,11 @@ package v1alpha1
 #BuildPlanSpec: {
 	disabled?:   bool                 @go(Disabled)
 	components?: #BuildPlanComponents @go(Components)
+
+	// DeployFiles keys represent file paths relative to the cluster deploy
+	// directory.  Map values represent the string encoded file contents.  Used to
+	// write the argocd Application, but may be used to render any file from CUE.
+	deployFiles?: #FileContentMap @go(DeployFiles)
 }
 
 #BuildPlanComponents: {

internal/generate/platforms/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/result_go_gen.cue

@@ -7,4 +7,9 @@ package v1alpha1
 // Result is the build result for display or writing.  Holos components Render the Result as a data pipeline.
 #Result: {
 	HolosComponent: #HolosComponent
+
+	// DeployFiles keys represent file paths relative to the cluster deploy
+	// directory.  Map values represent the string encoded file contents.  Used to
+	// write the argocd Application, but may be used to render any file from CUE.
+	deployFiles?: #FileContentMap @go(DeployFiles)
 }

internal/generate/platforms/cue.mod/gen/k8s.io/api/apps/v1/register_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/apps/v1
+
+package v1
+
+#GroupName: "apps"

internal/generate/platforms/cue.mod/gen/k8s.io/api/apps/v1/types_go_gen.cue

@@ -0,0 +1,946 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/apps/v1
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+#ControllerRevisionHashLabelKey: "controller-revision-hash"
+#StatefulSetRevisionLabel:       "controller-revision-hash"
+#DeprecatedRollbackTo:           "deprecated.deployment.rollback.to"
+#DeprecatedTemplateGeneration:   "deprecated.daemonset.template.generation"
+#StatefulSetPodNameLabel:        "statefulset.kubernetes.io/pod-name"
+#PodIndexLabel:                  "apps.kubernetes.io/pod-index"
+
+// StatefulSet represents a set of pods with consistent identities.
+// Identities are defined as:
+//   - Network: A single stable DNS and hostname.
+//   - Storage: As many VolumeClaims as requested.
+//
+// The StatefulSet guarantees that a given network identity will always
+// map to the same storage identity.
+#StatefulSet: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Spec defines the desired identities of pods in this set.
+	// +optional
+	spec?: #StatefulSetSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// Status is the current status of Pods in this StatefulSet. This data
+	// may be out of date by some window of time.
+	// +optional
+	status?: #StatefulSetStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// PodManagementPolicyType defines the policy for creating pods under a stateful set.
+// +enum
+#PodManagementPolicyType: string // #enumPodManagementPolicyType
+
+#enumPodManagementPolicyType:
+	#OrderedReadyPodManagement |
+	#ParallelPodManagement
+
+// OrderedReadyPodManagement will create pods in strictly increasing order on
+// scale up and strictly decreasing order on scale down, progressing only when
+// the previous pod is ready or terminated. At most one pod will be changed
+// at any time.
+#OrderedReadyPodManagement: #PodManagementPolicyType & "OrderedReady"
+
+// ParallelPodManagement will create and delete pods as soon as the stateful set
+// replica count is changed, and will not wait for pods to be ready or complete
+// termination.
+#ParallelPodManagement: #PodManagementPolicyType & "Parallel"
+
+// StatefulSetUpdateStrategy indicates the strategy that the StatefulSet
+// controller will use to perform updates. It includes any additional parameters
+// necessary to perform the update for the indicated strategy.
+#StatefulSetUpdateStrategy: {
+	// Type indicates the type of the StatefulSetUpdateStrategy.
+	// Default is RollingUpdate.
+	// +optional
+	type?: #StatefulSetUpdateStrategyType @go(Type) @protobuf(1,bytes,opt,casttype=StatefulSetStrategyType)
+
+	// RollingUpdate is used to communicate parameters when Type is RollingUpdateStatefulSetStrategyType.
+	// +optional
+	rollingUpdate?: null | #RollingUpdateStatefulSetStrategy @go(RollingUpdate,*RollingUpdateStatefulSetStrategy) @protobuf(2,bytes,opt)
+}
+
+// StatefulSetUpdateStrategyType is a string enumeration type that enumerates
+// all possible update strategies for the StatefulSet controller.
+// +enum
+#StatefulSetUpdateStrategyType: string // #enumStatefulSetUpdateStrategyType
+
+#enumStatefulSetUpdateStrategyType:
+	#RollingUpdateStatefulSetStrategyType |
+	#OnDeleteStatefulSetStrategyType
+
+// RollingUpdateStatefulSetStrategyType indicates that update will be
+// applied to all Pods in the StatefulSet with respect to the StatefulSet
+// ordering constraints. When a scale operation is performed with this
+// strategy, new Pods will be created from the specification version indicated
+// by the StatefulSet's updateRevision.
+#RollingUpdateStatefulSetStrategyType: #StatefulSetUpdateStrategyType & "RollingUpdate"
+
+// OnDeleteStatefulSetStrategyType triggers the legacy behavior. Version
+// tracking and ordered rolling restarts are disabled. Pods are recreated
+// from the StatefulSetSpec when they are manually deleted. When a scale
+// operation is performed with this strategy,specification version indicated
+// by the StatefulSet's currentRevision.
+#OnDeleteStatefulSetStrategyType: #StatefulSetUpdateStrategyType & "OnDelete"
+
+// RollingUpdateStatefulSetStrategy is used to communicate parameter for RollingUpdateStatefulSetStrategyType.
+#RollingUpdateStatefulSetStrategy: {
+	// Partition indicates the ordinal at which the StatefulSet should be partitioned
+	// for updates. During a rolling update, all pods from ordinal Replicas-1 to
+	// Partition are updated. All pods from ordinal Partition-1 to 0 remain untouched.
+	// This is helpful in being able to do a canary based deployment. The default value is 0.
+	// +optional
+	partition?: null | int32 @go(Partition,*int32) @protobuf(1,varint,opt)
+
+	// The maximum number of pods that can be unavailable during the update.
+	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+	// Absolute number is calculated from percentage by rounding up. This can not be 0.
+	// Defaults to 1. This field is alpha-level and is only honored by servers that enable the
+	// MaxUnavailableStatefulSet feature. The field applies to all pods in the range 0 to
+	// Replicas-1. That means if there is any unavailable pod in the range 0 to Replicas-1, it
+	// will be counted towards MaxUnavailable.
+	// +optional
+	maxUnavailable?: null | intstr.#IntOrString @go(MaxUnavailable,*intstr.IntOrString) @protobuf(2,varint,opt)
+}
+
+// PersistentVolumeClaimRetentionPolicyType is a string enumeration of the policies that will determine
+// when volumes from the VolumeClaimTemplates will be deleted when the controlling StatefulSet is
+// deleted or scaled down.
+#PersistentVolumeClaimRetentionPolicyType: string // #enumPersistentVolumeClaimRetentionPolicyType
+
+#enumPersistentVolumeClaimRetentionPolicyType:
+	#RetainPersistentVolumeClaimRetentionPolicyType |
+	#DeletePersistentVolumeClaimRetentionPolicyType
+
+// RetainPersistentVolumeClaimRetentionPolicyType is the default
+// PersistentVolumeClaimRetentionPolicy and specifies that
+// PersistentVolumeClaims associated with StatefulSet VolumeClaimTemplates
+// will not be deleted.
+#RetainPersistentVolumeClaimRetentionPolicyType: #PersistentVolumeClaimRetentionPolicyType & "Retain"
+
+// RetentionPersistentVolumeClaimRetentionPolicyType specifies that
+// PersistentVolumeClaims associated with StatefulSet VolumeClaimTemplates
+// will be deleted in the scenario specified in
+// StatefulSetPersistentVolumeClaimRetentionPolicy.
+#DeletePersistentVolumeClaimRetentionPolicyType: #PersistentVolumeClaimRetentionPolicyType & "Delete"
+
+// StatefulSetPersistentVolumeClaimRetentionPolicy describes the policy used for PVCs
+// created from the StatefulSet VolumeClaimTemplates.
+#StatefulSetPersistentVolumeClaimRetentionPolicy: {
+	// WhenDeleted specifies what happens to PVCs created from StatefulSet
+	// VolumeClaimTemplates when the StatefulSet is deleted. The default policy
+	// of `Retain` causes PVCs to not be affected by StatefulSet deletion. The
+	// `Delete` policy causes those PVCs to be deleted.
+	whenDeleted?: #PersistentVolumeClaimRetentionPolicyType @go(WhenDeleted) @protobuf(1,bytes,opt,casttype=PersistentVolumeClaimRetentionPolicyType)
+
+	// WhenScaled specifies what happens to PVCs created from StatefulSet
+	// VolumeClaimTemplates when the StatefulSet is scaled down. The default
+	// policy of `Retain` causes PVCs to not be affected by a scaledown. The
+	// `Delete` policy causes the associated PVCs for any excess pods above
+	// the replica count to be deleted.
+	whenScaled?: #PersistentVolumeClaimRetentionPolicyType @go(WhenScaled) @protobuf(2,bytes,opt,casttype=PersistentVolumeClaimRetentionPolicyType)
+}
+
+// StatefulSetOrdinals describes the policy used for replica ordinal assignment
+// in this StatefulSet.
+#StatefulSetOrdinals: {
+	// start is the number representing the first replica's index. It may be used
+	// to number replicas from an alternate index (eg: 1-indexed) over the default
+	// 0-indexed names, or to orchestrate progressive movement of replicas from
+	// one StatefulSet to another.
+	// If set, replica indices will be in the range:
+	//   [.spec.ordinals.start, .spec.ordinals.start + .spec.replicas).
+	// If unset, defaults to 0. Replica indices will be in the range:
+	//   [0, .spec.replicas).
+	// +optional
+	start?: int32 @go(Start) @protobuf(1,varint,opt)
+}
+
+// A StatefulSetSpec is the specification of a StatefulSet.
+#StatefulSetSpec: {
+	// replicas is the desired number of replicas of the given Template.
+	// These are replicas in the sense that they are instantiations of the
+	// same Template, but individual replicas also have a consistent identity.
+	// If unspecified, defaults to 1.
+	// TODO: Consider a rename of this field.
+	// +optional
+	replicas?: null | int32 @go(Replicas,*int32) @protobuf(1,varint,opt)
+
+	// selector is a label query over pods that should match the replica count.
+	// It must match the pod template's labels.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+	selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(2,bytes,opt)
+
+	// template is the object that describes the pod that will be created if
+	// insufficient replicas are detected. Each pod stamped out by the StatefulSet
+	// will fulfill this Template, but have a unique identity from the rest
+	// of the StatefulSet. Each pod will be named with the format
+	// <statefulsetname>-<podindex>. For example, a pod in a StatefulSet named
+	// "web" with index number "3" would be named "web-3".
+	// The only allowed template.spec.restartPolicy value is "Always".
+	template: v1.#PodTemplateSpec @go(Template) @protobuf(3,bytes,opt)
+
+	// volumeClaimTemplates is a list of claims that pods are allowed to reference.
+	// The StatefulSet controller is responsible for mapping network identities to
+	// claims in a way that maintains the identity of a pod. Every claim in
+	// this list must have at least one matching (by name) volumeMount in one
+	// container in the template. A claim in this list takes precedence over
+	// any volumes in the template, with the same name.
+	// TODO: Define the behavior if a claim already exists with the same name.
+	// +optional
+	volumeClaimTemplates?: [...v1.#PersistentVolumeClaim] @go(VolumeClaimTemplates,[]v1.PersistentVolumeClaim) @protobuf(4,bytes,rep)
+
+	// serviceName is the name of the service that governs this StatefulSet.
+	// This service must exist before the StatefulSet, and is responsible for
+	// the network identity of the set. Pods get DNS/hostnames that follow the
+	// pattern: pod-specific-string.serviceName.default.svc.cluster.local
+	// where "pod-specific-string" is managed by the StatefulSet controller.
+	serviceName: string @go(ServiceName) @protobuf(5,bytes,opt)
+
+	// podManagementPolicy controls how pods are created during initial scale up,
+	// when replacing pods on nodes, or when scaling down. The default policy is
+	// `OrderedReady`, where pods are created in increasing order (pod-0, then
+	// pod-1, etc) and the controller will wait until each pod is ready before
+	// continuing. When scaling down, the pods are removed in the opposite order.
+	// The alternative policy is `Parallel` which will create pods in parallel
+	// to match the desired scale without waiting, and on scale down will delete
+	// all pods at once.
+	// +optional
+	podManagementPolicy?: #PodManagementPolicyType @go(PodManagementPolicy) @protobuf(6,bytes,opt,casttype=PodManagementPolicyType)
+
+	// updateStrategy indicates the StatefulSetUpdateStrategy that will be
+	// employed to update Pods in the StatefulSet when a revision is made to
+	// Template.
+	updateStrategy?: #StatefulSetUpdateStrategy @go(UpdateStrategy) @protobuf(7,bytes,opt)
+
+	// revisionHistoryLimit is the maximum number of revisions that will
+	// be maintained in the StatefulSet's revision history. The revision history
+	// consists of all revisions not represented by a currently applied
+	// StatefulSetSpec version. The default value is 10.
+	revisionHistoryLimit?: null | int32 @go(RevisionHistoryLimit,*int32) @protobuf(8,varint,opt)
+
+	// Minimum number of seconds for which a newly created pod should be ready
+	// without any of its container crashing for it to be considered available.
+	// Defaults to 0 (pod will be considered available as soon as it is ready)
+	// +optional
+	minReadySeconds?: int32 @go(MinReadySeconds) @protobuf(9,varint,opt)
+
+	// persistentVolumeClaimRetentionPolicy describes the lifecycle of persistent
+	// volume claims created from volumeClaimTemplates. By default, all persistent
+	// volume claims are created as needed and retained until manually deleted. This
+	// policy allows the lifecycle to be altered, for example by deleting persistent
+	// volume claims when their stateful set is deleted, or when their pod is scaled
+	// down. This requires the StatefulSetAutoDeletePVC feature gate to be enabled,
+	// which is alpha.  +optional
+	persistentVolumeClaimRetentionPolicy?: null | #StatefulSetPersistentVolumeClaimRetentionPolicy @go(PersistentVolumeClaimRetentionPolicy,*StatefulSetPersistentVolumeClaimRetentionPolicy) @protobuf(10,bytes,opt)
+
+	// ordinals controls the numbering of replica indices in a StatefulSet. The
+	// default ordinals behavior assigns a "0" index to the first replica and
+	// increments the index by one for each additional replica requested. Using
+	// the ordinals field requires the StatefulSetStartOrdinal feature gate to be
+	// enabled, which is beta.
+	// +optional
+	ordinals?: null | #StatefulSetOrdinals @go(Ordinals,*StatefulSetOrdinals) @protobuf(11,bytes,opt)
+}
+
+// StatefulSetStatus represents the current state of a StatefulSet.
+#StatefulSetStatus: {
+	// observedGeneration is the most recent generation observed for this StatefulSet. It corresponds to the
+	// StatefulSet's generation, which is updated on mutation by the API Server.
+	// +optional
+	observedGeneration?: int64 @go(ObservedGeneration) @protobuf(1,varint,opt)
+
+	// replicas is the number of Pods created by the StatefulSet controller.
+	replicas: int32 @go(Replicas) @protobuf(2,varint,opt)
+
+	// readyReplicas is the number of pods created for this StatefulSet with a Ready Condition.
+	readyReplicas?: int32 @go(ReadyReplicas) @protobuf(3,varint,opt)
+
+	// currentReplicas is the number of Pods created by the StatefulSet controller from the StatefulSet version
+	// indicated by currentRevision.
+	currentReplicas?: int32 @go(CurrentReplicas) @protobuf(4,varint,opt)
+
+	// updatedReplicas is the number of Pods created by the StatefulSet controller from the StatefulSet version
+	// indicated by updateRevision.
+	updatedReplicas?: int32 @go(UpdatedReplicas) @protobuf(5,varint,opt)
+
+	// currentRevision, if not empty, indicates the version of the StatefulSet used to generate Pods in the
+	// sequence [0,currentReplicas).
+	currentRevision?: string @go(CurrentRevision) @protobuf(6,bytes,opt)
+
+	// updateRevision, if not empty, indicates the version of the StatefulSet used to generate Pods in the sequence
+	// [replicas-updatedReplicas,replicas)
+	updateRevision?: string @go(UpdateRevision) @protobuf(7,bytes,opt)
+
+	// collisionCount is the count of hash collisions for the StatefulSet. The StatefulSet controller
+	// uses this field as a collision avoidance mechanism when it needs to create the name for the
+	// newest ControllerRevision.
+	// +optional
+	collisionCount?: null | int32 @go(CollisionCount,*int32) @protobuf(9,varint,opt)
+
+	// Represents the latest available observations of a statefulset's current state.
+	// +optional
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	conditions?: [...#StatefulSetCondition] @go(Conditions,[]StatefulSetCondition) @protobuf(10,bytes,rep)
+
+	// Total number of available pods (ready for at least minReadySeconds) targeted by this statefulset.
+	// +optional
+	availableReplicas?: int32 @go(AvailableReplicas) @protobuf(11,varint,opt)
+}
+
+#StatefulSetConditionType: string
+
+// StatefulSetCondition describes the state of a statefulset at a certain point.
+#StatefulSetCondition: {
+	// Type of statefulset condition.
+	type: #StatefulSetConditionType @go(Type) @protobuf(1,bytes,opt,casttype=StatefulSetConditionType)
+
+	// Status of the condition, one of True, False, Unknown.
+	status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus)
+
+	// Last time the condition transitioned from one status to another.
+	// +optional
+	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt)
+
+	// The reason for the condition's last transition.
+	// +optional
+	reason?: string @go(Reason) @protobuf(4,bytes,opt)
+
+	// A human readable message indicating details about the transition.
+	// +optional
+	message?: string @go(Message) @protobuf(5,bytes,opt)
+}
+
+// StatefulSetList is a collection of StatefulSets.
+#StatefulSetList: {
+	metav1.#TypeMeta
+
+	// Standard list's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// Items is the list of stateful sets.
+	items: [...#StatefulSet] @go(Items,[]StatefulSet) @protobuf(2,bytes,rep)
+}
+
+// Deployment enables declarative updates for Pods and ReplicaSets.
+#Deployment: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Specification of the desired behavior of the Deployment.
+	// +optional
+	spec?: #DeploymentSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// Most recently observed status of the Deployment.
+	// +optional
+	status?: #DeploymentStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// DeploymentSpec is the specification of the desired behavior of the Deployment.
+#DeploymentSpec: {
+	// Number of desired pods. This is a pointer to distinguish between explicit
+	// zero and not specified. Defaults to 1.
+	// +optional
+	replicas?: null | int32 @go(Replicas,*int32) @protobuf(1,varint,opt)
+
+	// Label selector for pods. Existing ReplicaSets whose pods are
+	// selected by this will be the ones affected by this deployment.
+	// It must match the pod template's labels.
+	selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(2,bytes,opt)
+
+	// Template describes the pods that will be created.
+	// The only allowed template.spec.restartPolicy value is "Always".
+	template: v1.#PodTemplateSpec @go(Template) @protobuf(3,bytes,opt)
+
+	// The deployment strategy to use to replace existing pods with new ones.
+	// +optional
+	// +patchStrategy=retainKeys
+	strategy?: #DeploymentStrategy @go(Strategy) @protobuf(4,bytes,opt)
+
+	// Minimum number of seconds for which a newly created pod should be ready
+	// without any of its container crashing, for it to be considered available.
+	// Defaults to 0 (pod will be considered available as soon as it is ready)
+	// +optional
+	minReadySeconds?: int32 @go(MinReadySeconds) @protobuf(5,varint,opt)
+
+	// The number of old ReplicaSets to retain to allow rollback.
+	// This is a pointer to distinguish between explicit zero and not specified.
+	// Defaults to 10.
+	// +optional
+	revisionHistoryLimit?: null | int32 @go(RevisionHistoryLimit,*int32) @protobuf(6,varint,opt)
+
+	// Indicates that the deployment is paused.
+	// +optional
+	paused?: bool @go(Paused) @protobuf(7,varint,opt)
+
+	// The maximum time in seconds for a deployment to make progress before it
+	// is considered to be failed. The deployment controller will continue to
+	// process failed deployments and a condition with a ProgressDeadlineExceeded
+	// reason will be surfaced in the deployment status. Note that progress will
+	// not be estimated during the time a deployment is paused. Defaults to 600s.
+	progressDeadlineSeconds?: null | int32 @go(ProgressDeadlineSeconds,*int32) @protobuf(9,varint,opt)
+}
+
+// DefaultDeploymentUniqueLabelKey is the default key of the selector that is added
+// to existing ReplicaSets (and label key that is added to its pods) to prevent the existing ReplicaSets
+// to select new pods (and old pods being select by new ReplicaSet).
+#DefaultDeploymentUniqueLabelKey: "pod-template-hash"
+
+// DeploymentStrategy describes how to replace existing pods with new ones.
+#DeploymentStrategy: {
+	// Type of deployment. Can be "Recreate" or "RollingUpdate". Default is RollingUpdate.
+	// +optional
+	type?: #DeploymentStrategyType @go(Type) @protobuf(1,bytes,opt,casttype=DeploymentStrategyType)
+
+	// Rolling update config params. Present only if DeploymentStrategyType =
+	// RollingUpdate.
+	//---
+	// TODO: Update this to follow our convention for oneOf, whatever we decide it
+	// to be.
+	// +optional
+	rollingUpdate?: null | #RollingUpdateDeployment @go(RollingUpdate,*RollingUpdateDeployment) @protobuf(2,bytes,opt)
+}
+
+// +enum
+#DeploymentStrategyType: string // #enumDeploymentStrategyType
+
+#enumDeploymentStrategyType:
+	#RecreateDeploymentStrategyType |
+	#RollingUpdateDeploymentStrategyType
+
+// Kill all existing pods before creating new ones.
+#RecreateDeploymentStrategyType: #DeploymentStrategyType & "Recreate"
+
+// Replace the old ReplicaSets by new one using rolling update i.e gradually scale down the old ReplicaSets and scale up the new one.
+#RollingUpdateDeploymentStrategyType: #DeploymentStrategyType & "RollingUpdate"
+
+// Spec to control the desired behavior of rolling update.
+#RollingUpdateDeployment: {
+	// The maximum number of pods that can be unavailable during the update.
+	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+	// Absolute number is calculated from percentage by rounding down.
+	// This can not be 0 if MaxSurge is 0.
+	// Defaults to 25%.
+	// Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods
+	// immediately when the rolling update starts. Once new pods are ready, old ReplicaSet
+	// can be scaled down further, followed by scaling up the new ReplicaSet, ensuring
+	// that the total number of pods available at all times during the update is at
+	// least 70% of desired pods.
+	// +optional
+	maxUnavailable?: null | intstr.#IntOrString @go(MaxUnavailable,*intstr.IntOrString) @protobuf(1,bytes,opt)
+
+	// The maximum number of pods that can be scheduled above the desired number of
+	// pods.
+	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+	// This can not be 0 if MaxUnavailable is 0.
+	// Absolute number is calculated from percentage by rounding up.
+	// Defaults to 25%.
+	// Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when
+	// the rolling update starts, such that the total number of old and new pods do not exceed
+	// 130% of desired pods. Once old pods have been killed,
+	// new ReplicaSet can be scaled up further, ensuring that total number of pods running
+	// at any time during the update is at most 130% of desired pods.
+	// +optional
+	maxSurge?: null | intstr.#IntOrString @go(MaxSurge,*intstr.IntOrString) @protobuf(2,bytes,opt)
+}
+
+// DeploymentStatus is the most recently observed status of the Deployment.
+#DeploymentStatus: {
+	// The generation observed by the deployment controller.
+	// +optional
+	observedGeneration?: int64 @go(ObservedGeneration) @protobuf(1,varint,opt)
+
+	// Total number of non-terminated pods targeted by this deployment (their labels match the selector).
+	// +optional
+	replicas?: int32 @go(Replicas) @protobuf(2,varint,opt)
+
+	// Total number of non-terminated pods targeted by this deployment that have the desired template spec.
+	// +optional
+	updatedReplicas?: int32 @go(UpdatedReplicas) @protobuf(3,varint,opt)
+
+	// readyReplicas is the number of pods targeted by this Deployment with a Ready Condition.
+	// +optional
+	readyReplicas?: int32 @go(ReadyReplicas) @protobuf(7,varint,opt)
+
+	// Total number of available pods (ready for at least minReadySeconds) targeted by this deployment.
+	// +optional
+	availableReplicas?: int32 @go(AvailableReplicas) @protobuf(4,varint,opt)
+
+	// Total number of unavailable pods targeted by this deployment. This is the total number of
+	// pods that are still required for the deployment to have 100% available capacity. They may
+	// either be pods that are running but not yet available or pods that still have not been created.
+	// +optional
+	unavailableReplicas?: int32 @go(UnavailableReplicas) @protobuf(5,varint,opt)
+
+	// Represents the latest available observations of a deployment's current state.
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	conditions?: [...#DeploymentCondition] @go(Conditions,[]DeploymentCondition) @protobuf(6,bytes,rep)
+
+	// Count of hash collisions for the Deployment. The Deployment controller uses this
+	// field as a collision avoidance mechanism when it needs to create the name for the
+	// newest ReplicaSet.
+	// +optional
+	collisionCount?: null | int32 @go(CollisionCount,*int32) @protobuf(8,varint,opt)
+}
+
+#DeploymentConditionType: string // #enumDeploymentConditionType
+
+#enumDeploymentConditionType:
+	#DeploymentAvailable |
+	#DeploymentProgressing |
+	#DeploymentReplicaFailure
+
+// Available means the deployment is available, ie. at least the minimum available
+// replicas required are up and running for at least minReadySeconds.
+#DeploymentAvailable: #DeploymentConditionType & "Available"
+
+// Progressing means the deployment is progressing. Progress for a deployment is
+// considered when a new replica set is created or adopted, and when new pods scale
+// up or old pods scale down. Progress is not estimated for paused deployments or
+// when progressDeadlineSeconds is not specified.
+#DeploymentProgressing: #DeploymentConditionType & "Progressing"
+
+// ReplicaFailure is added in a deployment when one of its pods fails to be created
+// or deleted.
+#DeploymentReplicaFailure: #DeploymentConditionType & "ReplicaFailure"
+
+// DeploymentCondition describes the state of a deployment at a certain point.
+#DeploymentCondition: {
+	// Type of deployment condition.
+	type: #DeploymentConditionType @go(Type) @protobuf(1,bytes,opt,casttype=DeploymentConditionType)
+
+	// Status of the condition, one of True, False, Unknown.
+	status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus)
+
+	// The last time this condition was updated.
+	lastUpdateTime?: metav1.#Time @go(LastUpdateTime) @protobuf(6,bytes,opt)
+
+	// Last time the condition transitioned from one status to another.
+	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(7,bytes,opt)
+
+	// The reason for the condition's last transition.
+	reason?: string @go(Reason) @protobuf(4,bytes,opt)
+
+	// A human readable message indicating details about the transition.
+	message?: string @go(Message) @protobuf(5,bytes,opt)
+}
+
+// DeploymentList is a list of Deployments.
+#DeploymentList: {
+	metav1.#TypeMeta
+
+	// Standard list metadata.
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// Items is the list of Deployments.
+	items: [...#Deployment] @go(Items,[]Deployment) @protobuf(2,bytes,rep)
+}
+
+// DaemonSetUpdateStrategy is a struct used to control the update strategy for a DaemonSet.
+#DaemonSetUpdateStrategy: {
+	// Type of daemon set update. Can be "RollingUpdate" or "OnDelete". Default is RollingUpdate.
+	// +optional
+	type?: #DaemonSetUpdateStrategyType @go(Type) @protobuf(1,bytes,opt)
+
+	// Rolling update config params. Present only if type = "RollingUpdate".
+	//---
+	// TODO: Update this to follow our convention for oneOf, whatever we decide it
+	// to be. Same as Deployment `strategy.rollingUpdate`.
+	// See https://github.com/kubernetes/kubernetes/issues/35345
+	// +optional
+	rollingUpdate?: null | #RollingUpdateDaemonSet @go(RollingUpdate,*RollingUpdateDaemonSet) @protobuf(2,bytes,opt)
+}
+
+// +enum
+#DaemonSetUpdateStrategyType: string // #enumDaemonSetUpdateStrategyType
+
+#enumDaemonSetUpdateStrategyType:
+	#RollingUpdateDaemonSetStrategyType |
+	#OnDeleteDaemonSetStrategyType
+
+// Replace the old daemons by new ones using rolling update i.e replace them on each node one after the other.
+#RollingUpdateDaemonSetStrategyType: #DaemonSetUpdateStrategyType & "RollingUpdate"
+
+// Replace the old daemons only when it's killed
+#OnDeleteDaemonSetStrategyType: #DaemonSetUpdateStrategyType & "OnDelete"
+
+// Spec to control the desired behavior of daemon set rolling update.
+#RollingUpdateDaemonSet: {
+	// The maximum number of DaemonSet pods that can be unavailable during the
+	// update. Value can be an absolute number (ex: 5) or a percentage of total
+	// number of DaemonSet pods at the start of the update (ex: 10%). Absolute
+	// number is calculated from percentage by rounding up.
+	// This cannot be 0 if MaxSurge is 0
+	// Default value is 1.
+	// Example: when this is set to 30%, at most 30% of the total number of nodes
+	// that should be running the daemon pod (i.e. status.desiredNumberScheduled)
+	// can have their pods stopped for an update at any given time. The update
+	// starts by stopping at most 30% of those DaemonSet pods and then brings
+	// up new DaemonSet pods in their place. Once the new pods are available,
+	// it then proceeds onto other DaemonSet pods, thus ensuring that at least
+	// 70% of original number of DaemonSet pods are available at all times during
+	// the update.
+	// +optional
+	maxUnavailable?: null | intstr.#IntOrString @go(MaxUnavailable,*intstr.IntOrString) @protobuf(1,bytes,opt)
+
+	// The maximum number of nodes with an existing available DaemonSet pod that
+	// can have an updated DaemonSet pod during during an update.
+	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+	// This can not be 0 if MaxUnavailable is 0.
+	// Absolute number is calculated from percentage by rounding up to a minimum of 1.
+	// Default value is 0.
+	// Example: when this is set to 30%, at most 30% of the total number of nodes
+	// that should be running the daemon pod (i.e. status.desiredNumberScheduled)
+	// can have their a new pod created before the old pod is marked as deleted.
+	// The update starts by launching new pods on 30% of nodes. Once an updated
+	// pod is available (Ready for at least minReadySeconds) the old DaemonSet pod
+	// on that node is marked deleted. If the old pod becomes unavailable for any
+	// reason (Ready transitions to false, is evicted, or is drained) an updated
+	// pod is immediatedly created on that node without considering surge limits.
+	// Allowing surge implies the possibility that the resources consumed by the
+	// daemonset on any given node can double if the readiness check fails, and
+	// so resource intensive daemonsets should take into account that they may
+	// cause evictions during disruption.
+	// +optional
+	maxSurge?: null | intstr.#IntOrString @go(MaxSurge,*intstr.IntOrString) @protobuf(2,bytes,opt)
+}
+
+// DaemonSetSpec is the specification of a daemon set.
+#DaemonSetSpec: {
+	// A label query over pods that are managed by the daemon set.
+	// Must match in order to be controlled.
+	// It must match the pod template's labels.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+	selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(1,bytes,opt)
+
+	// An object that describes the pod that will be created.
+	// The DaemonSet will create exactly one copy of this pod on every node
+	// that matches the template's node selector (or on every node if no node
+	// selector is specified).
+	// The only allowed template.spec.restartPolicy value is "Always".
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template
+	template: v1.#PodTemplateSpec @go(Template) @protobuf(2,bytes,opt)
+
+	// An update strategy to replace existing DaemonSet pods with new pods.
+	// +optional
+	updateStrategy?: #DaemonSetUpdateStrategy @go(UpdateStrategy) @protobuf(3,bytes,opt)
+
+	// The minimum number of seconds for which a newly created DaemonSet pod should
+	// be ready without any of its container crashing, for it to be considered
+	// available. Defaults to 0 (pod will be considered available as soon as it
+	// is ready).
+	// +optional
+	minReadySeconds?: int32 @go(MinReadySeconds) @protobuf(4,varint,opt)
+
+	// The number of old history to retain to allow rollback.
+	// This is a pointer to distinguish between explicit zero and not specified.
+	// Defaults to 10.
+	// +optional
+	revisionHistoryLimit?: null | int32 @go(RevisionHistoryLimit,*int32) @protobuf(6,varint,opt)
+}
+
+// DaemonSetStatus represents the current status of a daemon set.
+#DaemonSetStatus: {
+	// The number of nodes that are running at least 1
+	// daemon pod and are supposed to run the daemon pod.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
+	currentNumberScheduled: int32 @go(CurrentNumberScheduled) @protobuf(1,varint,opt)
+
+	// The number of nodes that are running the daemon pod, but are
+	// not supposed to run the daemon pod.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
+	numberMisscheduled: int32 @go(NumberMisscheduled) @protobuf(2,varint,opt)
+
+	// The total number of nodes that should be running the daemon
+	// pod (including nodes correctly running the daemon pod).
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
+	desiredNumberScheduled: int32 @go(DesiredNumberScheduled) @protobuf(3,varint,opt)
+
+	// numberReady is the number of nodes that should be running the daemon pod and have one
+	// or more of the daemon pod running with a Ready Condition.
+	numberReady: int32 @go(NumberReady) @protobuf(4,varint,opt)
+
+	// The most recent generation observed by the daemon set controller.
+	// +optional
+	observedGeneration?: int64 @go(ObservedGeneration) @protobuf(5,varint,opt)
+
+	// The total number of nodes that are running updated daemon pod
+	// +optional
+	updatedNumberScheduled?: int32 @go(UpdatedNumberScheduled) @protobuf(6,varint,opt)
+
+	// The number of nodes that should be running the
+	// daemon pod and have one or more of the daemon pod running and
+	// available (ready for at least spec.minReadySeconds)
+	// +optional
+	numberAvailable?: int32 @go(NumberAvailable) @protobuf(7,varint,opt)
+
+	// The number of nodes that should be running the
+	// daemon pod and have none of the daemon pod running and available
+	// (ready for at least spec.minReadySeconds)
+	// +optional
+	numberUnavailable?: int32 @go(NumberUnavailable) @protobuf(8,varint,opt)
+
+	// Count of hash collisions for the DaemonSet. The DaemonSet controller
+	// uses this field as a collision avoidance mechanism when it needs to
+	// create the name for the newest ControllerRevision.
+	// +optional
+	collisionCount?: null | int32 @go(CollisionCount,*int32) @protobuf(9,varint,opt)
+
+	// Represents the latest available observations of a DaemonSet's current state.
+	// +optional
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	conditions?: [...#DaemonSetCondition] @go(Conditions,[]DaemonSetCondition) @protobuf(10,bytes,rep)
+}
+
+#DaemonSetConditionType: string
+
+// DaemonSetCondition describes the state of a DaemonSet at a certain point.
+#DaemonSetCondition: {
+	// Type of DaemonSet condition.
+	type: #DaemonSetConditionType @go(Type) @protobuf(1,bytes,opt,casttype=DaemonSetConditionType)
+
+	// Status of the condition, one of True, False, Unknown.
+	status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus)
+
+	// Last time the condition transitioned from one status to another.
+	// +optional
+	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt)
+
+	// The reason for the condition's last transition.
+	// +optional
+	reason?: string @go(Reason) @protobuf(4,bytes,opt)
+
+	// A human readable message indicating details about the transition.
+	// +optional
+	message?: string @go(Message) @protobuf(5,bytes,opt)
+}
+
+// DaemonSet represents the configuration of a daemon set.
+#DaemonSet: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// The desired behavior of this daemon set.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	// +optional
+	spec?: #DaemonSetSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// The current status of this daemon set. This data may be
+	// out of date by some window of time.
+	// Populated by the system.
+	// Read-only.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	// +optional
+	status?: #DaemonSetStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// DefaultDaemonSetUniqueLabelKey is the default label key that is added
+// to existing DaemonSet pods to distinguish between old and new
+// DaemonSet pods during DaemonSet template updates.
+#DefaultDaemonSetUniqueLabelKey: "controller-revision-hash"
+
+// DaemonSetList is a collection of daemon sets.
+#DaemonSetList: {
+	metav1.#TypeMeta
+
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// A list of daemon sets.
+	items: [...#DaemonSet] @go(Items,[]DaemonSet) @protobuf(2,bytes,rep)
+}
+
+// ReplicaSet ensures that a specified number of pod replicas are running at any given time.
+#ReplicaSet: {
+	metav1.#TypeMeta
+
+	// If the Labels of a ReplicaSet are empty, they are defaulted to
+	// be the same as the Pod(s) that the ReplicaSet manages.
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Spec defines the specification of the desired behavior of the ReplicaSet.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	// +optional
+	spec?: #ReplicaSetSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// Status is the most recently observed status of the ReplicaSet.
+	// This data may be out of date by some window of time.
+	// Populated by the system.
+	// Read-only.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	// +optional
+	status?: #ReplicaSetStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// ReplicaSetList is a collection of ReplicaSets.
+#ReplicaSetList: {
+	metav1.#TypeMeta
+
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// List of ReplicaSets.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller
+	items: [...#ReplicaSet] @go(Items,[]ReplicaSet) @protobuf(2,bytes,rep)
+}
+
+// ReplicaSetSpec is the specification of a ReplicaSet.
+#ReplicaSetSpec: {
+	// Replicas is the number of desired replicas.
+	// This is a pointer to distinguish between explicit zero and unspecified.
+	// Defaults to 1.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/#what-is-a-replicationcontroller
+	// +optional
+	replicas?: null | int32 @go(Replicas,*int32) @protobuf(1,varint,opt)
+
+	// Minimum number of seconds for which a newly created pod should be ready
+	// without any of its container crashing, for it to be considered available.
+	// Defaults to 0 (pod will be considered available as soon as it is ready)
+	// +optional
+	minReadySeconds?: int32 @go(MinReadySeconds) @protobuf(4,varint,opt)
+
+	// Selector is a label query over pods that should match the replica count.
+	// Label keys and values that must match in order to be controlled by this replica set.
+	// It must match the pod template's labels.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+	selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(2,bytes,opt)
+
+	// Template is the object that describes the pod that will be created if
+	// insufficient replicas are detected.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template
+	// +optional
+	template?: v1.#PodTemplateSpec @go(Template) @protobuf(3,bytes,opt)
+}
+
+// ReplicaSetStatus represents the current status of a ReplicaSet.
+#ReplicaSetStatus: {
+	// Replicas is the most recently observed number of replicas.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/#what-is-a-replicationcontroller
+	replicas: int32 @go(Replicas) @protobuf(1,varint,opt)
+
+	// The number of pods that have labels matching the labels of the pod template of the replicaset.
+	// +optional
+	fullyLabeledReplicas?: int32 @go(FullyLabeledReplicas) @protobuf(2,varint,opt)
+
+	// readyReplicas is the number of pods targeted by this ReplicaSet with a Ready Condition.
+	// +optional
+	readyReplicas?: int32 @go(ReadyReplicas) @protobuf(4,varint,opt)
+
+	// The number of available replicas (ready for at least minReadySeconds) for this replica set.
+	// +optional
+	availableReplicas?: int32 @go(AvailableReplicas) @protobuf(5,varint,opt)
+
+	// ObservedGeneration reflects the generation of the most recently observed ReplicaSet.
+	// +optional
+	observedGeneration?: int64 @go(ObservedGeneration) @protobuf(3,varint,opt)
+
+	// Represents the latest available observations of a replica set's current state.
+	// +optional
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	conditions?: [...#ReplicaSetCondition] @go(Conditions,[]ReplicaSetCondition) @protobuf(6,bytes,rep)
+}
+
+#ReplicaSetConditionType: string // #enumReplicaSetConditionType
+
+#enumReplicaSetConditionType:
+	#ReplicaSetReplicaFailure
+
+// ReplicaSetReplicaFailure is added in a replica set when one of its pods fails to be created
+// due to insufficient quota, limit ranges, pod security policy, node selectors, etc. or deleted
+// due to kubelet being down or finalizers are failing.
+#ReplicaSetReplicaFailure: #ReplicaSetConditionType & "ReplicaFailure"
+
+// ReplicaSetCondition describes the state of a replica set at a certain point.
+#ReplicaSetCondition: {
+	// Type of replica set condition.
+	type: #ReplicaSetConditionType @go(Type) @protobuf(1,bytes,opt,casttype=ReplicaSetConditionType)
+
+	// Status of the condition, one of True, False, Unknown.
+	status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus)
+
+	// The last time the condition transitioned from one status to another.
+	// +optional
+	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt)
+
+	// The reason for the condition's last transition.
+	// +optional
+	reason?: string @go(Reason) @protobuf(4,bytes,opt)
+
+	// A human readable message indicating details about the transition.
+	// +optional
+	message?: string @go(Message) @protobuf(5,bytes,opt)
+}
+
+// ControllerRevision implements an immutable snapshot of state data. Clients
+// are responsible for serializing and deserializing the objects that contain
+// their internal state.
+// Once a ControllerRevision has been successfully created, it can not be updated.
+// The API Server will fail validation of all requests that attempt to mutate
+// the Data field. ControllerRevisions may, however, be deleted. Note that, due to its use by both
+// the DaemonSet and StatefulSet controllers for update and rollback, this object is beta. However,
+// it may be subject to name and representation changes in future releases, and clients should not
+// depend on its stability. It is primarily for internal use by controllers.
+#ControllerRevision: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Data is the serialized representation of the state.
+	data?: runtime.#RawExtension @go(Data) @protobuf(2,bytes,opt)
+
+	// Revision indicates the revision of the state represented by Data.
+	revision: int64 @go(Revision) @protobuf(3,varint,opt)
+}
+
+// ControllerRevisionList is a resource containing a list of ControllerRevision objects.
+#ControllerRevisionList: {
+	metav1.#TypeMeta
+
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// Items is the list of ControllerRevisions
+	items: [...#ControllerRevision] @go(Items,[]ControllerRevision) @protobuf(2,bytes,rep)
+}

internal/generate/platforms/cue.mod/gen/k8s.io/api/batch/v1/register_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/batch/v1
+
+package v1
+
+#GroupName: "batch"

internal/generate/platforms/cue.mod/gen/k8s.io/api/batch/v1/types_go_gen.cue

@@ -0,0 +1,713 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/batch/v1
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/types"
+)
+
+// All Kubernetes labels need to be prefixed with Kubernetes to distinguish them from end-user labels
+// More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#label-selector-and-annotation-conventions
+_#labelPrefix: "batch.kubernetes.io/"
+
+// CronJobScheduledTimestampAnnotation is the scheduled timestamp annotation for the Job.
+// It records the original/expected scheduled timestamp for the running job, represented in RFC3339.
+// The CronJob controller adds this annotation if the CronJobsScheduledAnnotation feature gate (beta in 1.28) is enabled.
+#CronJobScheduledTimestampAnnotation: "batch.kubernetes.io/cronjob-scheduled-timestamp"
+#JobCompletionIndexAnnotation:        "batch.kubernetes.io/job-completion-index"
+
+// JobTrackingFinalizer is a finalizer for Job's pods. It prevents them from
+// being deleted before being accounted in the Job status.
+//
+// Additionally, the apiserver and job controller use this string as a Job
+// annotation, to mark Jobs that are being tracked using pod finalizers.
+// However, this behavior is deprecated in kubernetes 1.26. This means that, in
+// 1.27+, one release after JobTrackingWithFinalizers graduates to GA, the
+// apiserver and job controller will ignore this annotation and they will
+// always track jobs using finalizers.
+#JobTrackingFinalizer: "batch.kubernetes.io/job-tracking"
+
+// The Job labels will use batch.kubernetes.io as a prefix for all labels
+// Historically the job controller uses unprefixed labels for job-name and controller-uid and
+// Kubernetes continutes to recognize those unprefixed labels for consistency.
+#JobNameLabel: "batch.kubernetes.io/job-name"
+
+// ControllerUid is used to programatically get pods corresponding to a Job.
+// There is a corresponding label without the batch.kubernetes.io that we support for legacy reasons.
+#ControllerUidLabel: "batch.kubernetes.io/controller-uid"
+
+// Annotation indicating the number of failures for the index corresponding
+// to the pod, which are counted towards the backoff limit.
+#JobIndexFailureCountAnnotation: "batch.kubernetes.io/job-index-failure-count"
+
+// Annotation indicating the number of failures for the index corresponding
+// to the pod, which don't count towards the backoff limit, according to the
+// pod failure policy. When the annotation is absent zero is implied.
+#JobIndexIgnoredFailureCountAnnotation: "batch.kubernetes.io/job-index-ignored-failure-count"
+
+// Job represents the configuration of a single job.
+#Job: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Specification of the desired behavior of a job.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	// +optional
+	spec?: #JobSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// Current status of a job.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	// +optional
+	status?: #JobStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// JobList is a collection of jobs.
+#JobList: {
+	metav1.#TypeMeta
+
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// items is the list of Jobs.
+	items: [...#Job] @go(Items,[]Job) @protobuf(2,bytes,rep)
+}
+
+// CompletionMode specifies how Pod completions of a Job are tracked.
+// +enum
+#CompletionMode: string // #enumCompletionMode
+
+#enumCompletionMode:
+	#NonIndexedCompletion |
+	#IndexedCompletion
+
+// NonIndexedCompletion is a Job completion mode. In this mode, the Job is
+// considered complete when there have been .spec.completions
+// successfully completed Pods. Pod completions are homologous to each other.
+#NonIndexedCompletion: #CompletionMode & "NonIndexed"
+
+// IndexedCompletion is a Job completion mode. In this mode, the Pods of a
+// Job get an associated completion index from 0 to (.spec.completions - 1).
+// The Job is  considered complete when a Pod completes for each completion
+// index.
+#IndexedCompletion: #CompletionMode & "Indexed"
+
+// PodFailurePolicyAction specifies how a Pod failure is handled.
+// +enum
+#PodFailurePolicyAction: string // #enumPodFailurePolicyAction
+
+#enumPodFailurePolicyAction:
+	#PodFailurePolicyActionFailJob |
+	#PodFailurePolicyActionFailIndex |
+	#PodFailurePolicyActionIgnore |
+	#PodFailurePolicyActionCount
+
+// This is an action which might be taken on a pod failure - mark the
+// pod's job as Failed and terminate all running pods.
+#PodFailurePolicyActionFailJob: #PodFailurePolicyAction & "FailJob"
+
+// This is an action which might be taken on a pod failure - mark the
+// Job's index as failed to avoid restarts within this index. This action
+// can only be used when backoffLimitPerIndex is set.
+// This value is beta-level.
+#PodFailurePolicyActionFailIndex: #PodFailurePolicyAction & "FailIndex"
+
+// This is an action which might be taken on a pod failure - the counter towards
+// .backoffLimit, represented by the job's .status.failed field, is not
+// incremented and a replacement pod is created.
+#PodFailurePolicyActionIgnore: #PodFailurePolicyAction & "Ignore"
+
+// This is an action which might be taken on a pod failure - the pod failure
+// is handled in the default way - the counter towards .backoffLimit,
+// represented by the job's .status.failed field, is incremented.
+#PodFailurePolicyActionCount: #PodFailurePolicyAction & "Count"
+
+// +enum
+#PodFailurePolicyOnExitCodesOperator: string // #enumPodFailurePolicyOnExitCodesOperator
+
+#enumPodFailurePolicyOnExitCodesOperator:
+	#PodFailurePolicyOnExitCodesOpIn |
+	#PodFailurePolicyOnExitCodesOpNotIn
+
+#PodFailurePolicyOnExitCodesOpIn:    #PodFailurePolicyOnExitCodesOperator & "In"
+#PodFailurePolicyOnExitCodesOpNotIn: #PodFailurePolicyOnExitCodesOperator & "NotIn"
+
+// PodReplacementPolicy specifies the policy for creating pod replacements.
+// +enum
+#PodReplacementPolicy: string // #enumPodReplacementPolicy
+
+#enumPodReplacementPolicy:
+	#TerminatingOrFailed |
+	#Failed
+
+// TerminatingOrFailed means that we recreate pods
+// when they are terminating (has a metadata.deletionTimestamp) or failed.
+#TerminatingOrFailed: #PodReplacementPolicy & "TerminatingOrFailed"
+
+// Failed means to wait until a previously created Pod is fully terminated (has phase
+// Failed or Succeeded) before creating a replacement Pod.
+#Failed: #PodReplacementPolicy & "Failed"
+
+// PodFailurePolicyOnExitCodesRequirement describes the requirement for handling
+// a failed pod based on its container exit codes. In particular, it lookups the
+// .state.terminated.exitCode for each app container and init container status,
+// represented by the .status.containerStatuses and .status.initContainerStatuses
+// fields in the Pod status, respectively. Containers completed with success
+// (exit code 0) are excluded from the requirement check.
+#PodFailurePolicyOnExitCodesRequirement: {
+	// Restricts the check for exit codes to the container with the
+	// specified name. When null, the rule applies to all containers.
+	// When specified, it should match one the container or initContainer
+	// names in the pod template.
+	// +optional
+	containerName?: null | string @go(ContainerName,*string) @protobuf(1,bytes,opt)
+
+	// Represents the relationship between the container exit code(s) and the
+	// specified values. Containers completed with success (exit code 0) are
+	// excluded from the requirement check. Possible values are:
+	//
+	// - In: the requirement is satisfied if at least one container exit code
+	//   (might be multiple if there are multiple containers not restricted
+	//   by the 'containerName' field) is in the set of specified values.
+	// - NotIn: the requirement is satisfied if at least one container exit code
+	//   (might be multiple if there are multiple containers not restricted
+	//   by the 'containerName' field) is not in the set of specified values.
+	// Additional values are considered to be added in the future. Clients should
+	// react to an unknown operator by assuming the requirement is not satisfied.
+	operator: #PodFailurePolicyOnExitCodesOperator @go(Operator) @protobuf(2,bytes,req)
+
+	// Specifies the set of values. Each returned container exit code (might be
+	// multiple in case of multiple containers) is checked against this set of
+	// values with respect to the operator. The list of values must be ordered
+	// and must not contain duplicates. Value '0' cannot be used for the In operator.
+	// At least one element is required. At most 255 elements are allowed.
+	// +listType=set
+	values: [...int32] @go(Values,[]int32) @protobuf(3,varint,rep)
+}
+
+// PodFailurePolicyOnPodConditionsPattern describes a pattern for matching
+// an actual pod condition type.
+#PodFailurePolicyOnPodConditionsPattern: {
+	// Specifies the required Pod condition type. To match a pod condition
+	// it is required that specified type equals the pod condition type.
+	type: corev1.#PodConditionType @go(Type) @protobuf(1,bytes,req)
+
+	// Specifies the required Pod condition status. To match a pod condition
+	// it is required that the specified status equals the pod condition status.
+	// Defaults to True.
+	status: corev1.#ConditionStatus @go(Status) @protobuf(2,bytes,req)
+}
+
+// PodFailurePolicyRule describes how a pod failure is handled when the requirements are met.
+// One of onExitCodes and onPodConditions, but not both, can be used in each rule.
+#PodFailurePolicyRule: {
+	// Specifies the action taken on a pod failure when the requirements are satisfied.
+	// Possible values are:
+	//
+	// - FailJob: indicates that the pod's job is marked as Failed and all
+	//   running pods are terminated.
+	// - FailIndex: indicates that the pod's index is marked as Failed and will
+	//   not be restarted.
+	//   This value is beta-level. It can be used when the
+	//   `JobBackoffLimitPerIndex` feature gate is enabled (enabled by default).
+	// - Ignore: indicates that the counter towards the .backoffLimit is not
+	//   incremented and a replacement pod is created.
+	// - Count: indicates that the pod is handled in the default way - the
+	//   counter towards the .backoffLimit is incremented.
+	// Additional values are considered to be added in the future. Clients should
+	// react to an unknown action by skipping the rule.
+	action: #PodFailurePolicyAction @go(Action) @protobuf(1,bytes,req)
+
+	// Represents the requirement on the container exit codes.
+	// +optional
+	onExitCodes?: null | #PodFailurePolicyOnExitCodesRequirement @go(OnExitCodes,*PodFailurePolicyOnExitCodesRequirement) @protobuf(2,bytes,opt)
+
+	// Represents the requirement on the pod conditions. The requirement is represented
+	// as a list of pod condition patterns. The requirement is satisfied if at
+	// least one pattern matches an actual pod condition. At most 20 elements are allowed.
+	// +listType=atomic
+	// +optional
+	onPodConditions?: [...#PodFailurePolicyOnPodConditionsPattern] @go(OnPodConditions,[]PodFailurePolicyOnPodConditionsPattern) @protobuf(3,bytes,opt)
+}
+
+// PodFailurePolicy describes how failed pods influence the backoffLimit.
+#PodFailurePolicy: {
+	// A list of pod failure policy rules. The rules are evaluated in order.
+	// Once a rule matches a Pod failure, the remaining of the rules are ignored.
+	// When no rule matches the Pod failure, the default handling applies - the
+	// counter of pod failures is incremented and it is checked against
+	// the backoffLimit. At most 20 elements are allowed.
+	// +listType=atomic
+	rules: [...#PodFailurePolicyRule] @go(Rules,[]PodFailurePolicyRule) @protobuf(1,bytes,opt)
+}
+
+// JobSpec describes how the job execution will look like.
+#JobSpec: {
+	// Specifies the maximum desired number of pods the job should
+	// run at any given time. The actual number of pods running in steady state will
+	// be less than this number when ((.spec.completions - .status.successful) < .spec.parallelism),
+	// i.e. when the work left to do is less than max parallelism.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/
+	// +optional
+	parallelism?: null | int32 @go(Parallelism,*int32) @protobuf(1,varint,opt)
+
+	// Specifies the desired number of successfully finished pods the
+	// job should be run with.  Setting to null means that the success of any
+	// pod signals the success of all pods, and allows parallelism to have any positive
+	// value.  Setting to 1 means that parallelism is limited to 1 and the success of that
+	// pod signals the success of the job.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/
+	// +optional
+	completions?: null | int32 @go(Completions,*int32) @protobuf(2,varint,opt)
+
+	// Specifies the duration in seconds relative to the startTime that the job
+	// may be continuously active before the system tries to terminate it; value
+	// must be positive integer. If a Job is suspended (at creation or through an
+	// update), this timer will effectively be stopped and reset when the Job is
+	// resumed again.
+	// +optional
+	activeDeadlineSeconds?: null | int64 @go(ActiveDeadlineSeconds,*int64) @protobuf(3,varint,opt)
+
+	// Specifies the policy of handling failed pods. In particular, it allows to
+	// specify the set of actions and conditions which need to be
+	// satisfied to take the associated action.
+	// If empty, the default behaviour applies - the counter of failed pods,
+	// represented by the jobs's .status.failed field, is incremented and it is
+	// checked against the backoffLimit. This field cannot be used in combination
+	// with restartPolicy=OnFailure.
+	//
+	// This field is beta-level. It can be used when the `JobPodFailurePolicy`
+	// feature gate is enabled (enabled by default).
+	// +optional
+	podFailurePolicy?: null | #PodFailurePolicy @go(PodFailurePolicy,*PodFailurePolicy) @protobuf(11,bytes,opt)
+
+	// Specifies the number of retries before marking this job failed.
+	// Defaults to 6
+	// +optional
+	backoffLimit?: null | int32 @go(BackoffLimit,*int32) @protobuf(7,varint,opt)
+
+	// Specifies the limit for the number of retries within an
+	// index before marking this index as failed. When enabled the number of
+	// failures per index is kept in the pod's
+	// batch.kubernetes.io/job-index-failure-count annotation. It can only
+	// be set when Job's completionMode=Indexed, and the Pod's restart
+	// policy is Never. The field is immutable.
+	// This field is beta-level. It can be used when the `JobBackoffLimitPerIndex`
+	// feature gate is enabled (enabled by default).
+	// +optional
+	backoffLimitPerIndex?: null | int32 @go(BackoffLimitPerIndex,*int32) @protobuf(12,varint,opt)
+
+	// Specifies the maximal number of failed indexes before marking the Job as
+	// failed, when backoffLimitPerIndex is set. Once the number of failed
+	// indexes exceeds this number the entire Job is marked as Failed and its
+	// execution is terminated. When left as null the job continues execution of
+	// all of its indexes and is marked with the `Complete` Job condition.
+	// It can only be specified when backoffLimitPerIndex is set.
+	// It can be null or up to completions. It is required and must be
+	// less than or equal to 10^4 when is completions greater than 10^5.
+	// This field is beta-level. It can be used when the `JobBackoffLimitPerIndex`
+	// feature gate is enabled (enabled by default).
+	// +optional
+	maxFailedIndexes?: null | int32 @go(MaxFailedIndexes,*int32) @protobuf(13,varint,opt)
+
+	// A label query over pods that should match the pod count.
+	// Normally, the system sets this field for you.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+	// +optional
+	selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(4,bytes,opt)
+
+	// manualSelector controls generation of pod labels and pod selectors.
+	// Leave `manualSelector` unset unless you are certain what you are doing.
+	// When false or unset, the system pick labels unique to this job
+	// and appends those labels to the pod template.  When true,
+	// the user is responsible for picking unique labels and specifying
+	// the selector.  Failure to pick a unique label may cause this
+	// and other jobs to not function correctly.  However, You may see
+	// `manualSelector=true` in jobs that were created with the old `extensions/v1beta1`
+	// API.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/#specifying-your-own-pod-selector
+	// +optional
+	manualSelector?: null | bool @go(ManualSelector,*bool) @protobuf(5,varint,opt)
+
+	// Describes the pod that will be created when executing a job.
+	// The only allowed template.spec.restartPolicy values are "Never" or "OnFailure".
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/
+	template: corev1.#PodTemplateSpec @go(Template) @protobuf(6,bytes,opt)
+
+	// ttlSecondsAfterFinished limits the lifetime of a Job that has finished
+	// execution (either Complete or Failed). If this field is set,
+	// ttlSecondsAfterFinished after the Job finishes, it is eligible to be
+	// automatically deleted. When the Job is being deleted, its lifecycle
+	// guarantees (e.g. finalizers) will be honored. If this field is unset,
+	// the Job won't be automatically deleted. If this field is set to zero,
+	// the Job becomes eligible to be deleted immediately after it finishes.
+	// +optional
+	ttlSecondsAfterFinished?: null | int32 @go(TTLSecondsAfterFinished,*int32) @protobuf(8,varint,opt)
+
+	// completionMode specifies how Pod completions are tracked. It can be
+	// `NonIndexed` (default) or `Indexed`.
+	//
+	// `NonIndexed` means that the Job is considered complete when there have
+	// been .spec.completions successfully completed Pods. Each Pod completion is
+	// homologous to each other.
+	//
+	// `Indexed` means that the Pods of a
+	// Job get an associated completion index from 0 to (.spec.completions - 1),
+	// available in the annotation batch.kubernetes.io/job-completion-index.
+	// The Job is considered complete when there is one successfully completed Pod
+	// for each index.
+	// When value is `Indexed`, .spec.completions must be specified and
+	// `.spec.parallelism` must be less than or equal to 10^5.
+	// In addition, The Pod name takes the form
+	// `$(job-name)-$(index)-$(random-string)`,
+	// the Pod hostname takes the form `$(job-name)-$(index)`.
+	//
+	// More completion modes can be added in the future.
+	// If the Job controller observes a mode that it doesn't recognize, which
+	// is possible during upgrades due to version skew, the controller
+	// skips updates for the Job.
+	// +optional
+	completionMode?: null | #CompletionMode @go(CompletionMode,*CompletionMode) @protobuf(9,bytes,opt,casttype=CompletionMode)
+
+	// suspend specifies whether the Job controller should create Pods or not. If
+	// a Job is created with suspend set to true, no Pods are created by the Job
+	// controller. If a Job is suspended after creation (i.e. the flag goes from
+	// false to true), the Job controller will delete all active Pods associated
+	// with this Job. Users must design their workload to gracefully handle this.
+	// Suspending a Job will reset the StartTime field of the Job, effectively
+	// resetting the ActiveDeadlineSeconds timer too. Defaults to false.
+	//
+	// +optional
+	suspend?: null | bool @go(Suspend,*bool) @protobuf(10,varint,opt)
+
+	// podReplacementPolicy specifies when to create replacement Pods.
+	// Possible values are:
+	// - TerminatingOrFailed means that we recreate pods
+	//   when they are terminating (has a metadata.deletionTimestamp) or failed.
+	// - Failed means to wait until a previously created Pod is fully terminated (has phase
+	//   Failed or Succeeded) before creating a replacement Pod.
+	//
+	// When using podFailurePolicy, Failed is the the only allowed value.
+	// TerminatingOrFailed and Failed are allowed values when podFailurePolicy is not in use.
+	// This is an beta field. To use this, enable the JobPodReplacementPolicy feature toggle.
+	// This is on by default.
+	// +optional
+	podReplacementPolicy?: null | #PodReplacementPolicy @go(PodReplacementPolicy,*PodReplacementPolicy) @protobuf(14,bytes,opt,casttype=podReplacementPolicy)
+}
+
+// JobStatus represents the current state of a Job.
+#JobStatus: {
+	// The latest available observations of an object's current state. When a Job
+	// fails, one of the conditions will have type "Failed" and status true. When
+	// a Job is suspended, one of the conditions will have type "Suspended" and
+	// status true; when the Job is resumed, the status of this condition will
+	// become false. When a Job is completed, one of the conditions will have
+	// type "Complete" and status true.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/
+	// +optional
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	// +listType=atomic
+	conditions?: [...#JobCondition] @go(Conditions,[]JobCondition) @protobuf(1,bytes,rep)
+
+	// Represents time when the job controller started processing a job. When a
+	// Job is created in the suspended state, this field is not set until the
+	// first time it is resumed. This field is reset every time a Job is resumed
+	// from suspension. It is represented in RFC3339 form and is in UTC.
+	// +optional
+	startTime?: null | metav1.#Time @go(StartTime,*metav1.Time) @protobuf(2,bytes,opt)
+
+	// Represents time when the job was completed. It is not guaranteed to
+	// be set in happens-before order across separate operations.
+	// It is represented in RFC3339 form and is in UTC.
+	// The completion time is only set when the job finishes successfully.
+	// +optional
+	completionTime?: null | metav1.#Time @go(CompletionTime,*metav1.Time) @protobuf(3,bytes,opt)
+
+	// The number of pending and running pods.
+	// +optional
+	active?: int32 @go(Active) @protobuf(4,varint,opt)
+
+	// The number of pods which reached phase Succeeded.
+	// +optional
+	succeeded?: int32 @go(Succeeded) @protobuf(5,varint,opt)
+
+	// The number of pods which reached phase Failed.
+	// +optional
+	failed?: int32 @go(Failed) @protobuf(6,varint,opt)
+
+	// The number of pods which are terminating (in phase Pending or Running
+	// and have a deletionTimestamp).
+	//
+	// This field is beta-level. The job controller populates the field when
+	// the feature gate JobPodReplacementPolicy is enabled (enabled by default).
+	// +optional
+	terminating?: null | int32 @go(Terminating,*int32) @protobuf(11,varint,opt)
+
+	// completedIndexes holds the completed indexes when .spec.completionMode =
+	// "Indexed" in a text format. The indexes are represented as decimal integers
+	// separated by commas. The numbers are listed in increasing order. Three or
+	// more consecutive numbers are compressed and represented by the first and
+	// last element of the series, separated by a hyphen.
+	// For example, if the completed indexes are 1, 3, 4, 5 and 7, they are
+	// represented as "1,3-5,7".
+	// +optional
+	completedIndexes?: string @go(CompletedIndexes) @protobuf(7,bytes,opt)
+
+	// FailedIndexes holds the failed indexes when backoffLimitPerIndex=true.
+	// The indexes are represented in the text format analogous as for the
+	// `completedIndexes` field, ie. they are kept as decimal integers
+	// separated by commas. The numbers are listed in increasing order. Three or
+	// more consecutive numbers are compressed and represented by the first and
+	// last element of the series, separated by a hyphen.
+	// For example, if the failed indexes are 1, 3, 4, 5 and 7, they are
+	// represented as "1,3-5,7".
+	// This field is beta-level. It can be used when the `JobBackoffLimitPerIndex`
+	// feature gate is enabled (enabled by default).
+	// +optional
+	failedIndexes?: null | string @go(FailedIndexes,*string) @protobuf(10,bytes,opt)
+
+	// uncountedTerminatedPods holds the UIDs of Pods that have terminated but
+	// the job controller hasn't yet accounted for in the status counters.
+	//
+	// The job controller creates pods with a finalizer. When a pod terminates
+	// (succeeded or failed), the controller does three steps to account for it
+	// in the job status:
+	//
+	// 1. Add the pod UID to the arrays in this field.
+	// 2. Remove the pod finalizer.
+	// 3. Remove the pod UID from the arrays while increasing the corresponding
+	//     counter.
+	//
+	// Old jobs might not be tracked using this field, in which case the field
+	// remains null.
+	// +optional
+	uncountedTerminatedPods?: null | #UncountedTerminatedPods @go(UncountedTerminatedPods,*UncountedTerminatedPods) @protobuf(8,bytes,opt)
+
+	// The number of pods which have a Ready condition.
+	// +optional
+	ready?: null | int32 @go(Ready,*int32) @protobuf(9,varint,opt)
+}
+
+// UncountedTerminatedPods holds UIDs of Pods that have terminated but haven't
+// been accounted in Job status counters.
+#UncountedTerminatedPods: {
+	// succeeded holds UIDs of succeeded Pods.
+	// +listType=set
+	// +optional
+	succeeded?: [...types.#UID] @go(Succeeded,[]types.UID) @protobuf(1,bytes,rep,casttype=k8s.io/apimachinery/pkg/types.UID)
+
+	// failed holds UIDs of failed Pods.
+	// +listType=set
+	// +optional
+	failed?: [...types.#UID] @go(Failed,[]types.UID) @protobuf(2,bytes,rep,casttype=k8s.io/apimachinery/pkg/types.UID)
+}
+
+#JobConditionType: string // #enumJobConditionType
+
+#enumJobConditionType:
+	#JobSuspended |
+	#JobComplete |
+	#JobFailed |
+	#JobFailureTarget
+
+// JobSuspended means the job has been suspended.
+#JobSuspended: #JobConditionType & "Suspended"
+
+// JobComplete means the job has completed its execution.
+#JobComplete: #JobConditionType & "Complete"
+
+// JobFailed means the job has failed its execution.
+#JobFailed: #JobConditionType & "Failed"
+
+// FailureTarget means the job is about to fail its execution.
+#JobFailureTarget: #JobConditionType & "FailureTarget"
+
+// JobReasonPodFailurePolicy reason indicates a job failure condition is added due to
+// a failed pod matching a pod failure policy rule
+// https://kep.k8s.io/3329
+// This is currently a beta field.
+#JobReasonPodFailurePolicy: "PodFailurePolicy"
+
+// JobReasonBackOffLimitExceeded reason indicates that pods within a job have failed a number of
+// times higher than backOffLimit times.
+#JobReasonBackoffLimitExceeded: "BackoffLimitExceeded"
+
+// JobReasponDeadlineExceeded means job duration is past ActiveDeadline
+#JobReasonDeadlineExceeded: "DeadlineExceeded"
+
+// JobReasonMaxFailedIndexesExceeded indicates that an indexed of a job failed
+// This const is used in beta-level feature: https://kep.k8s.io/3850.
+#JobReasonMaxFailedIndexesExceeded: "MaxFailedIndexesExceeded"
+
+// JobReasonFailedIndexes means Job has failed indexes.
+// This const is used in beta-level feature: https://kep.k8s.io/3850.
+#JobReasonFailedIndexes: "FailedIndexes"
+
+// JobCondition describes current state of a job.
+#JobCondition: {
+	// Type of job condition, Complete or Failed.
+	type: #JobConditionType @go(Type) @protobuf(1,bytes,opt,casttype=JobConditionType)
+
+	// Status of the condition, one of True, False, Unknown.
+	status: corev1.#ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus)
+
+	// Last time the condition was checked.
+	// +optional
+	lastProbeTime?: metav1.#Time @go(LastProbeTime) @protobuf(3,bytes,opt)
+
+	// Last time the condition transit from one status to another.
+	// +optional
+	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(4,bytes,opt)
+
+	// (brief) reason for the condition's last transition.
+	// +optional
+	reason?: string @go(Reason) @protobuf(5,bytes,opt)
+
+	// Human readable message indicating details about last transition.
+	// +optional
+	message?: string @go(Message) @protobuf(6,bytes,opt)
+}
+
+// JobTemplateSpec describes the data a Job should have when created from a template
+#JobTemplateSpec: {
+	// Standard object's metadata of the jobs created from this template.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Specification of the desired behavior of the job.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	// +optional
+	spec?: #JobSpec @go(Spec) @protobuf(2,bytes,opt)
+}
+
+// CronJob represents the configuration of a single cron job.
+#CronJob: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Specification of the desired behavior of a cron job, including the schedule.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	// +optional
+	spec?: #CronJobSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// Current status of a cron job.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	// +optional
+	status?: #CronJobStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// CronJobList is a collection of cron jobs.
+#CronJobList: {
+	metav1.#TypeMeta
+
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// items is the list of CronJobs.
+	items: [...#CronJob] @go(Items,[]CronJob) @protobuf(2,bytes,rep)
+}
+
+// CronJobSpec describes how the job execution will look like and when it will actually run.
+#CronJobSpec: {
+	// The schedule in Cron format, see https://en.wikipedia.org/wiki/Cron.
+	schedule: string @go(Schedule) @protobuf(1,bytes,opt)
+
+	// The time zone name for the given schedule, see https://en.wikipedia.org/wiki/List_of_tz_database_time_zones.
+	// If not specified, this will default to the time zone of the kube-controller-manager process.
+	// The set of valid time zone names and the time zone offset is loaded from the system-wide time zone
+	// database by the API server during CronJob validation and the controller manager during execution.
+	// If no system-wide time zone database can be found a bundled version of the database is used instead.
+	// If the time zone name becomes invalid during the lifetime of a CronJob or due to a change in host
+	// configuration, the controller will stop creating new new Jobs and will create a system event with the
+	// reason UnknownTimeZone.
+	// More information can be found in https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#time-zones
+	// +optional
+	timeZone?: null | string @go(TimeZone,*string) @protobuf(8,bytes,opt)
+
+	// Optional deadline in seconds for starting the job if it misses scheduled
+	// time for any reason.  Missed jobs executions will be counted as failed ones.
+	// +optional
+	startingDeadlineSeconds?: null | int64 @go(StartingDeadlineSeconds,*int64) @protobuf(2,varint,opt)
+
+	// Specifies how to treat concurrent executions of a Job.
+	// Valid values are:
+	//
+	// - "Allow" (default): allows CronJobs to run concurrently;
+	// - "Forbid": forbids concurrent runs, skipping next run if previous run hasn't finished yet;
+	// - "Replace": cancels currently running job and replaces it with a new one
+	// +optional
+	concurrencyPolicy?: #ConcurrencyPolicy @go(ConcurrencyPolicy) @protobuf(3,bytes,opt,casttype=ConcurrencyPolicy)
+
+	// This flag tells the controller to suspend subsequent executions, it does
+	// not apply to already started executions.  Defaults to false.
+	// +optional
+	suspend?: null | bool @go(Suspend,*bool) @protobuf(4,varint,opt)
+
+	// Specifies the job that will be created when executing a CronJob.
+	jobTemplate: #JobTemplateSpec @go(JobTemplate) @protobuf(5,bytes,opt)
+
+	// The number of successful finished jobs to retain. Value must be non-negative integer.
+	// Defaults to 3.
+	// +optional
+	successfulJobsHistoryLimit?: null | int32 @go(SuccessfulJobsHistoryLimit,*int32) @protobuf(6,varint,opt)
+
+	// The number of failed finished jobs to retain. Value must be non-negative integer.
+	// Defaults to 1.
+	// +optional
+	failedJobsHistoryLimit?: null | int32 @go(FailedJobsHistoryLimit,*int32) @protobuf(7,varint,opt)
+}
+
+// ConcurrencyPolicy describes how the job will be handled.
+// Only one of the following concurrent policies may be specified.
+// If none of the following policies is specified, the default one
+// is AllowConcurrent.
+// +enum
+#ConcurrencyPolicy: string // #enumConcurrencyPolicy
+
+#enumConcurrencyPolicy:
+	#AllowConcurrent |
+	#ForbidConcurrent |
+	#ReplaceConcurrent
+
+// AllowConcurrent allows CronJobs to run concurrently.
+#AllowConcurrent: #ConcurrencyPolicy & "Allow"
+
+// ForbidConcurrent forbids concurrent runs, skipping next run if previous
+// hasn't finished yet.
+#ForbidConcurrent: #ConcurrencyPolicy & "Forbid"
+
+// ReplaceConcurrent cancels currently running job and replaces it with a new one.
+#ReplaceConcurrent: #ConcurrencyPolicy & "Replace"
+
+// CronJobStatus represents the current state of a cron job.
+#CronJobStatus: {
+	// A list of pointers to currently running jobs.
+	// +optional
+	// +listType=atomic
+	active?: [...corev1.#ObjectReference] @go(Active,[]corev1.ObjectReference) @protobuf(1,bytes,rep)
+
+	// Information when was the last time the job was successfully scheduled.
+	// +optional
+	lastScheduleTime?: null | metav1.#Time @go(LastScheduleTime,*metav1.Time) @protobuf(4,bytes,opt)
+
+	// Information when was the last time the job successfully completed.
+	// +optional
+	lastSuccessfulTime?: null | metav1.#Time @go(LastSuccessfulTime,*metav1.Time) @protobuf(5,bytes,opt)
+}

internal/generate/platforms/cue.mod/gen/k8s.io/api/rbac/v1/register_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/rbac/v1
+
+package v1
+
+#GroupName: "rbac.authorization.k8s.io"

internal/generate/platforms/cue.mod/gen/k8s.io/api/rbac/v1/types_go_gen.cue

@@ -0,0 +1,207 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/rbac/v1
+
+package v1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+#APIGroupAll:        "*"
+#ResourceAll:        "*"
+#VerbAll:            "*"
+#NonResourceAll:     "*"
+#GroupKind:          "Group"
+#ServiceAccountKind: "ServiceAccount"
+#UserKind:           "User"
+
+// AutoUpdateAnnotationKey is the name of an annotation which prevents reconciliation if set to "false"
+#AutoUpdateAnnotationKey: "rbac.authorization.kubernetes.io/autoupdate"
+
+// PolicyRule holds information that describes a policy rule, but does not contain information
+// about who the rule applies to or which namespace the rule applies to.
+#PolicyRule: {
+	// Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.
+	verbs: [...string] @go(Verbs,[]string) @protobuf(1,bytes,rep)
+
+	// APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of
+	// the enumerated resources in any API group will be allowed. "" represents the core API group and "*" represents all API groups.
+	// +optional
+	apiGroups?: [...string] @go(APIGroups,[]string) @protobuf(2,bytes,rep)
+
+	// Resources is a list of resources this rule applies to. '*' represents all resources.
+	// +optional
+	resources?: [...string] @go(Resources,[]string) @protobuf(3,bytes,rep)
+
+	// ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.
+	// +optional
+	resourceNames?: [...string] @go(ResourceNames,[]string) @protobuf(4,bytes,rep)
+
+	// NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path
+	// Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.
+	// Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"),  but not both.
+	// +optional
+	nonResourceURLs?: [...string] @go(NonResourceURLs,[]string) @protobuf(5,bytes,rep)
+}
+
+// Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
+// or a value for non-objects such as user and group names.
+// +structType=atomic
+#Subject: {
+	// Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+	// If the Authorizer does not recognized the kind value, the Authorizer should report an error.
+	kind: string @go(Kind) @protobuf(1,bytes,opt)
+
+	// APIGroup holds the API group of the referenced subject.
+	// Defaults to "" for ServiceAccount subjects.
+	// Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
+	// +optional
+	apiGroup?: string @go(APIGroup) @protobuf(2,bytes,opt.name=apiGroup)
+
+	// Name of the object being referenced.
+	name: string @go(Name) @protobuf(3,bytes,opt)
+
+	// Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+	// the Authorizer should report an error.
+	// +optional
+	namespace?: string @go(Namespace) @protobuf(4,bytes,opt)
+}
+
+// RoleRef contains information that points to the role being used
+// +structType=atomic
+#RoleRef: {
+	// APIGroup is the group for the resource being referenced
+	apiGroup: string @go(APIGroup) @protobuf(1,bytes,opt)
+
+	// Kind is the type of resource being referenced
+	kind: string @go(Kind) @protobuf(2,bytes,opt)
+
+	// Name is the name of resource being referenced
+	name: string @go(Name) @protobuf(3,bytes,opt)
+}
+
+// Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding.
+#Role: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Rules holds all the PolicyRules for this Role
+	// +optional
+	rules?: [...#PolicyRule] @go(Rules,[]PolicyRule) @protobuf(2,bytes,rep)
+}
+
+// RoleBinding references a role, but does not contain it.  It can reference a Role in the same namespace or a ClusterRole in the global namespace.
+// It adds who information via Subjects and namespace information by which namespace it exists in.  RoleBindings in a given
+// namespace only have effect in that namespace.
+#RoleBinding: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Subjects holds references to the objects the role applies to.
+	// +optional
+	subjects?: [...#Subject] @go(Subjects,[]Subject) @protobuf(2,bytes,rep)
+
+	// RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace.
+	// If the RoleRef cannot be resolved, the Authorizer must return an error.
+	// This field is immutable.
+	roleRef: #RoleRef @go(RoleRef) @protobuf(3,bytes,opt)
+}
+
+// RoleBindingList is a collection of RoleBindings
+#RoleBindingList: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// Items is a list of RoleBindings
+	items: [...#RoleBinding] @go(Items,[]RoleBinding) @protobuf(2,bytes,rep)
+}
+
+// RoleList is a collection of Roles
+#RoleList: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// Items is a list of Roles
+	items: [...#Role] @go(Items,[]Role) @protobuf(2,bytes,rep)
+}
+
+// ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding.
+#ClusterRole: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Rules holds all the PolicyRules for this ClusterRole
+	// +optional
+	rules?: [...#PolicyRule] @go(Rules,[]PolicyRule) @protobuf(2,bytes,rep)
+
+	// AggregationRule is an optional field that describes how to build the Rules for this ClusterRole.
+	// If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be
+	// stomped by the controller.
+	// +optional
+	aggregationRule?: null | #AggregationRule @go(AggregationRule,*AggregationRule) @protobuf(3,bytes,opt)
+}
+
+// AggregationRule describes how to locate ClusterRoles to aggregate into the ClusterRole
+#AggregationRule: {
+	// ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules.
+	// If any of the selectors match, then the ClusterRole's permissions will be added
+	// +optional
+	clusterRoleSelectors?: [...metav1.#LabelSelector] @go(ClusterRoleSelectors,[]metav1.LabelSelector) @protobuf(1,bytes,rep)
+}
+
+// ClusterRoleBinding references a ClusterRole, but not contain it.  It can reference a ClusterRole in the global namespace,
+// and adds who information via Subject.
+#ClusterRoleBinding: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Subjects holds references to the objects the role applies to.
+	// +optional
+	subjects?: [...#Subject] @go(Subjects,[]Subject) @protobuf(2,bytes,rep)
+
+	// RoleRef can only reference a ClusterRole in the global namespace.
+	// If the RoleRef cannot be resolved, the Authorizer must return an error.
+	// This field is immutable.
+	roleRef: #RoleRef @go(RoleRef) @protobuf(3,bytes,opt)
+}
+
+// ClusterRoleBindingList is a collection of ClusterRoleBindings
+#ClusterRoleBindingList: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// Items is a list of ClusterRoleBindings
+	items: [...#ClusterRoleBinding] @go(Items,[]ClusterRoleBinding) @protobuf(2,bytes,rep)
+}
+
+// ClusterRoleList is a collection of ClusterRoles
+#ClusterRoleList: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// Items is a list of ClusterRoles
+	items: [...#ClusterRole] @go(Items,[]ClusterRole) @protobuf(2,bytes,rep)
+}

internal/generate/platforms/cue.mod/gen/k8s.io/api/rbac/v1beta1/register_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/rbac/v1beta1
+
+package v1beta1
+
+#GroupName: "rbac.authorization.k8s.io"

internal/generate/platforms/cue.mod/gen/k8s.io/api/rbac/v1beta1/types_go_gen.cue

@@ -0,0 +1,212 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/rbac/v1beta1
+
+package v1beta1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+#APIGroupAll:        "*"
+#ResourceAll:        "*"
+#VerbAll:            "*"
+#NonResourceAll:     "*"
+#GroupKind:          "Group"
+#ServiceAccountKind: "ServiceAccount"
+#UserKind:           "User"
+
+// AutoUpdateAnnotationKey is the name of an annotation which prevents reconciliation if set to "false"
+#AutoUpdateAnnotationKey: "rbac.authorization.kubernetes.io/autoupdate"
+
+// PolicyRule holds information that describes a policy rule, but does not contain information
+// about who the rule applies to or which namespace the rule applies to.
+#PolicyRule: {
+	// Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.
+	verbs: [...string] @go(Verbs,[]string) @protobuf(1,bytes,rep)
+
+	// APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of
+	// the enumerated resources in any API group will be allowed. "" represents the core API group and "*" represents all API groups.
+	// +optional
+	apiGroups?: [...string] @go(APIGroups,[]string) @protobuf(2,bytes,rep)
+
+	// Resources is a list of resources this rule applies to.  '*' represents all resources in the specified apiGroups.
+	// '*/foo' represents the subresource 'foo' for all resources in the specified apiGroups.
+	// +optional
+	resources?: [...string] @go(Resources,[]string) @protobuf(3,bytes,rep)
+
+	// ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.
+	// +optional
+	resourceNames?: [...string] @go(ResourceNames,[]string) @protobuf(4,bytes,rep)
+
+	// NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path
+	// Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.
+	// Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"),  but not both.
+	// +optional
+	nonResourceURLs?: [...string] @go(NonResourceURLs,[]string) @protobuf(5,bytes,rep)
+}
+
+// Subject contains a reference to the object or user identities a role binding applies to.  This can either hold a direct API object reference,
+// or a value for non-objects such as user and group names.
+#Subject: {
+	// Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+	// If the Authorizer does not recognized the kind value, the Authorizer should report an error.
+	kind: string @go(Kind) @protobuf(1,bytes,opt)
+
+	// APIGroup holds the API group of the referenced subject.
+	// Defaults to "" for ServiceAccount subjects.
+	// Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
+	// +optional
+	apiGroup?: string @go(APIGroup) @protobuf(2,bytes,opt.name=apiGroup)
+
+	// Name of the object being referenced.
+	name: string @go(Name) @protobuf(3,bytes,opt)
+
+	// Namespace of the referenced object.  If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+	// the Authorizer should report an error.
+	// +optional
+	namespace?: string @go(Namespace) @protobuf(4,bytes,opt)
+}
+
+// RoleRef contains information that points to the role being used
+#RoleRef: {
+	// APIGroup is the group for the resource being referenced
+	apiGroup: string @go(APIGroup) @protobuf(1,bytes,opt)
+
+	// Kind is the type of resource being referenced
+	kind: string @go(Kind) @protobuf(2,bytes,opt)
+
+	// Name is the name of resource being referenced
+	name: string @go(Name) @protobuf(3,bytes,opt)
+}
+
+// Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding.
+// Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 Role, and will no longer be served in v1.22.
+#Role: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Rules holds all the PolicyRules for this Role
+	// +optional
+	rules?: [...#PolicyRule] @go(Rules,[]PolicyRule) @protobuf(2,bytes,rep)
+}
+
+// RoleBinding references a role, but does not contain it.  It can reference a Role in the same namespace or a ClusterRole in the global namespace.
+// It adds who information via Subjects and namespace information by which namespace it exists in.  RoleBindings in a given
+// namespace only have effect in that namespace.
+// Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 RoleBinding, and will no longer be served in v1.22.
+#RoleBinding: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Subjects holds references to the objects the role applies to.
+	// +optional
+	subjects?: [...#Subject] @go(Subjects,[]Subject) @protobuf(2,bytes,rep)
+
+	// RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace.
+	// If the RoleRef cannot be resolved, the Authorizer must return an error.
+	roleRef: #RoleRef @go(RoleRef) @protobuf(3,bytes,opt)
+}
+
+// RoleBindingList is a collection of RoleBindings
+// Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 RoleBindingList, and will no longer be served in v1.22.
+#RoleBindingList: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// Items is a list of RoleBindings
+	items: [...#RoleBinding] @go(Items,[]RoleBinding) @protobuf(2,bytes,rep)
+}
+
+// RoleList is a collection of Roles
+// Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 RoleList, and will no longer be served in v1.22.
+#RoleList: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// Items is a list of Roles
+	items: [...#Role] @go(Items,[]Role) @protobuf(2,bytes,rep)
+}
+
+// ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding.
+// Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 ClusterRole, and will no longer be served in v1.22.
+#ClusterRole: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Rules holds all the PolicyRules for this ClusterRole
+	// +optional
+	rules?: [...#PolicyRule] @go(Rules,[]PolicyRule) @protobuf(2,bytes,rep)
+
+	// AggregationRule is an optional field that describes how to build the Rules for this ClusterRole.
+	// If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be
+	// stomped by the controller.
+	// +optional
+	aggregationRule?: null | #AggregationRule @go(AggregationRule,*AggregationRule) @protobuf(3,bytes,opt)
+}
+
+// AggregationRule describes how to locate ClusterRoles to aggregate into the ClusterRole
+#AggregationRule: {
+	// ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules.
+	// If any of the selectors match, then the ClusterRole's permissions will be added
+	// +optional
+	clusterRoleSelectors?: [...metav1.#LabelSelector] @go(ClusterRoleSelectors,[]metav1.LabelSelector) @protobuf(1,bytes,rep)
+}
+
+// ClusterRoleBinding references a ClusterRole, but not contain it.  It can reference a ClusterRole in the global namespace,
+// and adds who information via Subject.
+// Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 ClusterRoleBinding, and will no longer be served in v1.22.
+#ClusterRoleBinding: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Subjects holds references to the objects the role applies to.
+	// +optional
+	subjects?: [...#Subject] @go(Subjects,[]Subject) @protobuf(2,bytes,rep)
+
+	// RoleRef can only reference a ClusterRole in the global namespace.
+	// If the RoleRef cannot be resolved, the Authorizer must return an error.
+	roleRef: #RoleRef @go(RoleRef) @protobuf(3,bytes,opt)
+}
+
+// ClusterRoleBindingList is a collection of ClusterRoleBindings.
+// Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 ClusterRoleBindingList, and will no longer be served in v1.22.
+#ClusterRoleBindingList: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// Items is a list of ClusterRoleBindings
+	items: [...#ClusterRoleBinding] @go(Items,[]ClusterRoleBinding) @protobuf(2,bytes,rep)
+}
+
+// ClusterRoleList is a collection of ClusterRoles.
+// Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 ClusterRoles, and will no longer be served in v1.22.
+#ClusterRoleList: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// Items is a list of ClusterRoles
+	items: [...#ClusterRole] @go(Items,[]ClusterRole) @protobuf(2,bytes,rep)
+}

internal/generate/platforms/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/types_go_gen.cue

@@ -198,7 +198,7 @@ import (
 	// and services.
 	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
 	// +optional
-	labels?: {[string]: string} @go(Labels,map[string]string) @protobuf(12,bytes,rep)
+	labels?: {[string]: string} @go(Labels,map[string]string) @protobuf(11,bytes,rep)
 
 	// Annotations is an unstructured key value map stored with a resource that may be
 	// set by external tools to store and retrieve arbitrary metadata. They are not

internal/generate/platforms/cue.mod/gen/networking.istio.io/envoyfilter/v1alpha3/types_gen.cue

@@ -0,0 +1,213 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f deploy/clusters/aws2/components/istio-base/istio-base.gen.yaml
+
+package v1alpha3
+
+import "strings"
+
+#EnvoyFilter: {
+	// Customizing Envoy configuration generated by Istio. See more
+	// details at:
+	// https://istio.io/docs/reference/config/networking/envoy-filter.html
+	spec!:      #EnvoyFilterSpec
+	apiVersion: "networking.istio.io/v1alpha3"
+	kind:       "EnvoyFilter"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Customizing Envoy configuration generated by Istio. See more
+// details at:
+// https://istio.io/docs/reference/config/networking/envoy-filter.html
+#EnvoyFilterSpec: {
+	// One or more patches with match conditions.
+	configPatches?: [...{
+		// Specifies where in the Envoy configuration, the patch should be
+		// applied.
+		//
+		// Valid Options: LISTENER, FILTER_CHAIN, NETWORK_FILTER,
+		// HTTP_FILTER, ROUTE_CONFIGURATION, VIRTUAL_HOST, HTTP_ROUTE,
+		// CLUSTER, EXTENSION_CONFIG, BOOTSTRAP, LISTENER_FILTER
+		applyTo?: "INVALID" | "LISTENER" | "FILTER_CHAIN" | "NETWORK_FILTER" | "HTTP_FILTER" | "ROUTE_CONFIGURATION" | "VIRTUAL_HOST" | "HTTP_ROUTE" | "CLUSTER" | "EXTENSION_CONFIG" | "BOOTSTRAP" | "LISTENER_FILTER"
+
+		// Match on listener/route configuration/cluster.
+		match?: ({} | {
+			listener: _
+		} | {
+			routeConfiguration: _
+		} | {
+			cluster: _
+		}) & {
+			// Match on envoy cluster attributes.
+			cluster?: {
+				// The exact name of the cluster to match.
+				name?: string
+
+				// The service port for which this cluster was generated.
+				portNumber?: uint32
+
+				// The fully qualified service name for this cluster.
+				service?: string
+
+				// The subset associated with the service.
+				subset?: string
+			}
+
+			// The specific config generation context to match on.
+			//
+			// Valid Options: ANY, SIDECAR_INBOUND, SIDECAR_OUTBOUND, GATEWAY
+			context?: "ANY" | "SIDECAR_INBOUND" | "SIDECAR_OUTBOUND" | "GATEWAY"
+
+			// Match on envoy listener attributes.
+			listener?: {
+				// Match a specific filter chain in a listener.
+				filterChain?: {
+					// Applies only to sidecars.
+					applicationProtocols?: string
+
+					// The destination_port value used by a filter chain's match
+					// condition.
+					destinationPort?: uint32
+
+					// The name of a specific filter to apply the patch to.
+					filter?: {
+						// The filter name to match on.
+						name?: string
+						subFilter?: {
+							// The filter name to match on.
+							name?: string
+						}
+					}
+
+					// The name assigned to the filter chain.
+					name?: string
+
+					// The SNI value used by a filter chain's match condition.
+					sni?: string
+
+					// Applies only to `SIDECAR_INBOUND` context.
+					transportProtocol?: string
+				}
+
+				// Match a specific listener filter.
+				listenerFilter?: string
+
+				// Match a specific listener by its name.
+				name?:     string
+				portName?: string
+
+				// The service port/gateway port to which traffic is being
+				// sent/received.
+				portNumber?: uint32
+			}
+
+			// Match on properties associated with a proxy.
+			proxy?: {
+				// Match on the node metadata supplied by a proxy when connecting
+				// to Istio Pilot.
+				metadata?: {
+					[string]: string
+				}
+
+				// A regular expression in golang regex format (RE2) that can be
+				// used to select proxies using a specific version of istio
+				// proxy.
+				proxyVersion?: string
+			}
+
+			// Match on envoy HTTP route configuration attributes.
+			routeConfiguration?: {
+				// The Istio gateway config's namespace/name for which this route
+				// configuration was generated.
+				gateway?: string
+
+				// Route configuration name to match on.
+				name?: string
+
+				// Applicable only for GATEWAY context.
+				portName?: string
+
+				// The service port number or gateway server port number for which
+				// this route configuration was generated.
+				portNumber?: uint32
+
+				// Match a specific virtual host in a route configuration and
+				// apply the patch to the virtual host.
+				vhost?: {
+					// The VirtualHosts objects generated by Istio are named as
+					// host:port, where the host typically corresponds to the
+					// VirtualService's host field or the hostname of a service in
+					// the registry.
+					name?: string
+
+					// Match a specific route within the virtual host.
+					route?: {
+						// Match a route with specific action type.
+						//
+						// Valid Options: ANY, ROUTE, REDIRECT, DIRECT_RESPONSE
+						action?: "ANY" | "ROUTE" | "REDIRECT" | "DIRECT_RESPONSE"
+
+						// The Route objects generated by default are named as default.
+						name?: string
+					}
+				}
+			}
+		}
+
+		// The patch to apply along with the operation.
+		patch?: {
+			// Determines the filter insertion order.
+			//
+			// Valid Options: AUTHN, AUTHZ, STATS
+			filterClass?: "UNSPECIFIED" | "AUTHN" | "AUTHZ" | "STATS"
+
+			// Determines how the patch should be applied.
+			//
+			// Valid Options: MERGE, ADD, REMOVE, INSERT_BEFORE, INSERT_AFTER,
+			// INSERT_FIRST, REPLACE
+			operation?: "INVALID" | "MERGE" | "ADD" | "REMOVE" | "INSERT_BEFORE" | "INSERT_AFTER" | "INSERT_FIRST" | "REPLACE"
+
+			// The JSON config of the object being patched.
+			value?: {}
+		}
+	}]
+
+	// Priority defines the order in which patch sets are applied
+	// within a context.
+	priority?: int
+
+	// Optional.
+	targetRefs?: [...{
+		// group is the group of the target resource.
+		group?: string
+
+		// kind is kind of the target resource.
+		kind?: string
+
+		// name is the name of the target resource.
+		name?: string
+
+		// namespace is the namespace of the referent.
+		namespace?: string
+	}]
+	workloadSelector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which the configuration should be applied.
+		labels?: {
+			[string]: string
+		}
+	}
+}

internal/generate/platforms/cue.mod/gen/networking.istio.io/gateway/v1/types_gen.cue

@@ -0,0 +1,127 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f deploy/clusters/aws2/components/istio-base/istio-base.gen.yaml
+
+package v1
+
+import "strings"
+
+#Gateway: {
+	// Configuration affecting edge load balancer. See more details
+	// at:
+	// https://istio.io/docs/reference/config/networking/gateway.html
+	spec!:      #GatewaySpec
+	apiVersion: "networking.istio.io/v1"
+	kind:       "Gateway"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting edge load balancer. See more details
+// at:
+// https://istio.io/docs/reference/config/networking/gateway.html
+#GatewaySpec: {
+	// One or more labels that indicate a specific set of pods/VMs on
+	// which this gateway configuration should be applied.
+	selector?: {
+		[string]: string
+	}
+
+	// A list of server specifications.
+	servers?: [...{
+		// The ip or the Unix domain socket to which the listener should
+		// be bound to.
+		bind?:            string
+		defaultEndpoint?: string
+
+		// One or more hosts exposed by this gateway.
+		hosts: [...string]
+
+		// An optional name of the server, when set must be unique across
+		// all servers.
+		name?: string
+
+		// The Port on which the proxy should listen for incoming
+		// connections.
+		port: {
+			// Label assigned to the port.
+			name: string
+
+			// A valid non-negative integer port number.
+			number: uint32
+
+			// The protocol exposed on the port.
+			protocol:    string
+			targetPort?: uint32
+		}
+
+		// Set of TLS related options that govern the server's behavior.
+		tls?: {
+			// REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
+			caCertificates?: string
+
+			// OPTIONAL: The path to the file containing the certificate
+			// revocation list (CRL) to use in verifying a presented client
+			// side certificate.
+			caCrl?: string
+
+			// Optional: If specified, only support the specified cipher list.
+			cipherSuites?: [...string]
+
+			// For gateways running on Kubernetes, the name of the secret that
+			// holds the TLS certs including the CA certificates.
+			credentialName?: string
+
+			// If set to true, the load balancer will send a 301 redirect for
+			// all http connections, asking the clients to use HTTPS.
+			httpsRedirect?: bool
+
+			// Optional: Maximum TLS protocol version.
+			//
+			// Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3
+			maxProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
+
+			// Optional: Minimum TLS protocol version.
+			//
+			// Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3
+			minProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
+
+			// Optional: Indicates whether connections to this port should be
+			// secured using TLS.
+			//
+			// Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH,
+			// ISTIO_MUTUAL, OPTIONAL_MUTUAL
+			mode?: "PASSTHROUGH" | "SIMPLE" | "MUTUAL" | "AUTO_PASSTHROUGH" | "ISTIO_MUTUAL" | "OPTIONAL_MUTUAL"
+
+			// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+			privateKey?: string
+
+			// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+			serverCertificate?: string
+
+			// A list of alternate names to verify the subject identity in the
+			// certificate presented by the client.
+			subjectAltNames?: [...string]
+
+			// An optional list of hex-encoded SHA-256 hashes of the
+			// authorized client certificates.
+			verifyCertificateHash?: [...string]
+
+			// An optional list of base64-encoded SHA-256 hashes of the SPKIs
+			// of authorized client certificates.
+			verifyCertificateSpki?: [...string]
+		}
+	}]
+}

internal/generate/platforms/cue.mod/gen/networking.istio.io/gateway/v1alpha3/types_gen.cue

@@ -0,0 +1,127 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f deploy/clusters/aws2/components/istio-base/istio-base.gen.yaml
+
+package v1alpha3
+
+import "strings"
+
+#Gateway: {
+	// Configuration affecting edge load balancer. See more details
+	// at:
+	// https://istio.io/docs/reference/config/networking/gateway.html
+	spec!:      #GatewaySpec
+	apiVersion: "networking.istio.io/v1alpha3"
+	kind:       "Gateway"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting edge load balancer. See more details
+// at:
+// https://istio.io/docs/reference/config/networking/gateway.html
+#GatewaySpec: {
+	// One or more labels that indicate a specific set of pods/VMs on
+	// which this gateway configuration should be applied.
+	selector?: {
+		[string]: string
+	}
+
+	// A list of server specifications.
+	servers?: [...{
+		// The ip or the Unix domain socket to which the listener should
+		// be bound to.
+		bind?:            string
+		defaultEndpoint?: string
+
+		// One or more hosts exposed by this gateway.
+		hosts: [...string]
+
+		// An optional name of the server, when set must be unique across
+		// all servers.
+		name?: string
+
+		// The Port on which the proxy should listen for incoming
+		// connections.
+		port: {
+			// Label assigned to the port.
+			name: string
+
+			// A valid non-negative integer port number.
+			number: uint32
+
+			// The protocol exposed on the port.
+			protocol:    string
+			targetPort?: uint32
+		}
+
+		// Set of TLS related options that govern the server's behavior.
+		tls?: {
+			// REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
+			caCertificates?: string
+
+			// OPTIONAL: The path to the file containing the certificate
+			// revocation list (CRL) to use in verifying a presented client
+			// side certificate.
+			caCrl?: string
+
+			// Optional: If specified, only support the specified cipher list.
+			cipherSuites?: [...string]
+
+			// For gateways running on Kubernetes, the name of the secret that
+			// holds the TLS certs including the CA certificates.
+			credentialName?: string
+
+			// If set to true, the load balancer will send a 301 redirect for
+			// all http connections, asking the clients to use HTTPS.
+			httpsRedirect?: bool
+
+			// Optional: Maximum TLS protocol version.
+			//
+			// Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3
+			maxProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
+
+			// Optional: Minimum TLS protocol version.
+			//
+			// Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3
+			minProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
+
+			// Optional: Indicates whether connections to this port should be
+			// secured using TLS.
+			//
+			// Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH,
+			// ISTIO_MUTUAL, OPTIONAL_MUTUAL
+			mode?: "PASSTHROUGH" | "SIMPLE" | "MUTUAL" | "AUTO_PASSTHROUGH" | "ISTIO_MUTUAL" | "OPTIONAL_MUTUAL"
+
+			// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+			privateKey?: string
+
+			// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+			serverCertificate?: string
+
+			// A list of alternate names to verify the subject identity in the
+			// certificate presented by the client.
+			subjectAltNames?: [...string]
+
+			// An optional list of hex-encoded SHA-256 hashes of the
+			// authorized client certificates.
+			verifyCertificateHash?: [...string]
+
+			// An optional list of base64-encoded SHA-256 hashes of the SPKIs
+			// of authorized client certificates.
+			verifyCertificateSpki?: [...string]
+		}
+	}]
+}

internal/generate/platforms/cue.mod/gen/networking.istio.io/gateway/v1beta1/types_gen.cue

@@ -0,0 +1,127 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f deploy/clusters/aws2/components/istio-base/istio-base.gen.yaml
+
+package v1beta1
+
+import "strings"
+
+#Gateway: {
+	// Configuration affecting edge load balancer. See more details
+	// at:
+	// https://istio.io/docs/reference/config/networking/gateway.html
+	spec!:      #GatewaySpec
+	apiVersion: "networking.istio.io/v1beta1"
+	kind:       "Gateway"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting edge load balancer. See more details
+// at:
+// https://istio.io/docs/reference/config/networking/gateway.html
+#GatewaySpec: {
+	// One or more labels that indicate a specific set of pods/VMs on
+	// which this gateway configuration should be applied.
+	selector?: {
+		[string]: string
+	}
+
+	// A list of server specifications.
+	servers?: [...{
+		// The ip or the Unix domain socket to which the listener should
+		// be bound to.
+		bind?:            string
+		defaultEndpoint?: string
+
+		// One or more hosts exposed by this gateway.
+		hosts: [...string]
+
+		// An optional name of the server, when set must be unique across
+		// all servers.
+		name?: string
+
+		// The Port on which the proxy should listen for incoming
+		// connections.
+		port: {
+			// Label assigned to the port.
+			name: string
+
+			// A valid non-negative integer port number.
+			number: uint32
+
+			// The protocol exposed on the port.
+			protocol:    string
+			targetPort?: uint32
+		}
+
+		// Set of TLS related options that govern the server's behavior.
+		tls?: {
+			// REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
+			caCertificates?: string
+
+			// OPTIONAL: The path to the file containing the certificate
+			// revocation list (CRL) to use in verifying a presented client
+			// side certificate.
+			caCrl?: string
+
+			// Optional: If specified, only support the specified cipher list.
+			cipherSuites?: [...string]
+
+			// For gateways running on Kubernetes, the name of the secret that
+			// holds the TLS certs including the CA certificates.
+			credentialName?: string
+
+			// If set to true, the load balancer will send a 301 redirect for
+			// all http connections, asking the clients to use HTTPS.
+			httpsRedirect?: bool
+
+			// Optional: Maximum TLS protocol version.
+			//
+			// Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3
+			maxProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
+
+			// Optional: Minimum TLS protocol version.
+			//
+			// Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3
+			minProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
+
+			// Optional: Indicates whether connections to this port should be
+			// secured using TLS.
+			//
+			// Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH,
+			// ISTIO_MUTUAL, OPTIONAL_MUTUAL
+			mode?: "PASSTHROUGH" | "SIMPLE" | "MUTUAL" | "AUTO_PASSTHROUGH" | "ISTIO_MUTUAL" | "OPTIONAL_MUTUAL"
+
+			// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+			privateKey?: string
+
+			// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+			serverCertificate?: string
+
+			// A list of alternate names to verify the subject identity in the
+			// certificate presented by the client.
+			subjectAltNames?: [...string]
+
+			// An optional list of hex-encoded SHA-256 hashes of the
+			// authorized client certificates.
+			verifyCertificateHash?: [...string]
+
+			// An optional list of base64-encoded SHA-256 hashes of the SPKIs
+			// of authorized client certificates.
+			verifyCertificateSpki?: [...string]
+		}
+	}]
+}

internal/generate/platforms/cue.mod/gen/networking.istio.io/proxyconfig/v1beta1/types_gen.cue

@@ -0,0 +1,54 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f deploy/clusters/aws2/components/istio-base/istio-base.gen.yaml
+
+package v1beta1
+
+import "strings"
+
+#ProxyConfig: {
+	// Provides configuration for individual workloads. See more
+	// details at:
+	// https://istio.io/docs/reference/config/networking/proxy-config.html
+	spec!:      #ProxyConfigSpec
+	apiVersion: "networking.istio.io/v1beta1"
+	kind:       "ProxyConfig"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Provides configuration for individual workloads. See more
+// details at:
+// https://istio.io/docs/reference/config/networking/proxy-config.html
+#ProxyConfigSpec: {
+	// The number of worker threads to run.
+	concurrency?: null | int
+
+	// Additional environment variables for the proxy.
+	environmentVariables?: {
+		[string]: string
+	}
+	image?: {
+		// The image type of the image.
+		imageType?: string
+	}
+	selector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which a policy should be applied.
+		matchLabels?: {
+			[string]: string
+		}
+	}
+}

internal/generate/platforms/cue.mod/gen/networking.istio.io/serviceentry/v1/types_gen.cue

@@ -0,0 +1,111 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f deploy/clusters/aws2/components/istio-base/istio-base.gen.yaml
+
+package v1
+
+import "strings"
+
+#ServiceEntry: {
+	// Configuration affecting service registry. See more details at:
+	// https://istio.io/docs/reference/config/networking/service-entry.html
+	spec!:      #ServiceEntrySpec
+	apiVersion: "networking.istio.io/v1"
+	kind:       "ServiceEntry"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting service registry. See more details at:
+// https://istio.io/docs/reference/config/networking/service-entry.html
+#ServiceEntrySpec: {
+	// The virtual IP addresses associated with the service.
+	addresses?: [...string]
+
+	// One or more endpoints associated with the service.
+	endpoints?: [...{
+		// Address associated with the network endpoint without the port.
+		address?: string
+
+		// One or more labels associated with the endpoint.
+		labels?: {
+			[string]: string
+		}
+
+		// The locality associated with the endpoint.
+		locality?: string
+
+		// Network enables Istio to group endpoints resident in the same
+		// L3 domain/network.
+		network?: string
+
+		// Set of ports associated with the endpoint.
+		ports?: {
+			[string]: int & <=4294967295 & >=0
+		}
+
+		// The service account associated with the workload if a sidecar
+		// is present in the workload.
+		serviceAccount?: string
+
+		// The load balancing weight associated with the endpoint.
+		weight?: uint32
+	}]
+
+	// A list of namespaces to which this service is exported.
+	exportTo?: [...string]
+
+	// The hosts associated with the ServiceEntry.
+	hosts: [...string]
+
+	// Specify whether the service should be considered external to
+	// the mesh or part of the mesh.
+	//
+	// Valid Options: MESH_EXTERNAL, MESH_INTERNAL
+	location?: "MESH_EXTERNAL" | "MESH_INTERNAL"
+
+	// The ports associated with the external service.
+	ports?: [...{
+		// Label assigned to the port.
+		name: string
+
+		// A valid non-negative integer port number.
+		number: uint32
+
+		// The protocol exposed on the port.
+		protocol?: string
+
+		// The port number on the endpoint where the traffic will be
+		// received.
+		targetPort?: uint32
+	}]
+
+	// Service resolution mode for the hosts.
+	//
+	// Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN
+	resolution?: "NONE" | "STATIC" | "DNS" | "DNS_ROUND_ROBIN"
+
+	// If specified, the proxy will verify that the server
+	// certificate's subject alternate name matches one of the
+	// specified values.
+	subjectAltNames?: [...string]
+	workloadSelector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which the configuration should be applied.
+		labels?: {
+			[string]: string
+		}
+	}
+}

internal/generate/platforms/cue.mod/gen/networking.istio.io/serviceentry/v1alpha3/types_gen.cue

@@ -0,0 +1,111 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f deploy/clusters/aws2/components/istio-base/istio-base.gen.yaml
+
+package v1alpha3
+
+import "strings"
+
+#ServiceEntry: {
+	// Configuration affecting service registry. See more details at:
+	// https://istio.io/docs/reference/config/networking/service-entry.html
+	spec!:      #ServiceEntrySpec
+	apiVersion: "networking.istio.io/v1alpha3"
+	kind:       "ServiceEntry"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting service registry. See more details at:
+// https://istio.io/docs/reference/config/networking/service-entry.html
+#ServiceEntrySpec: {
+	// The virtual IP addresses associated with the service.
+	addresses?: [...string]
+
+	// One or more endpoints associated with the service.
+	endpoints?: [...{
+		// Address associated with the network endpoint without the port.
+		address?: string
+
+		// One or more labels associated with the endpoint.
+		labels?: {
+			[string]: string
+		}
+
+		// The locality associated with the endpoint.
+		locality?: string
+
+		// Network enables Istio to group endpoints resident in the same
+		// L3 domain/network.
+		network?: string
+
+		// Set of ports associated with the endpoint.
+		ports?: {
+			[string]: int & <=4294967295 & >=0
+		}
+
+		// The service account associated with the workload if a sidecar
+		// is present in the workload.
+		serviceAccount?: string
+
+		// The load balancing weight associated with the endpoint.
+		weight?: uint32
+	}]
+
+	// A list of namespaces to which this service is exported.
+	exportTo?: [...string]
+
+	// The hosts associated with the ServiceEntry.
+	hosts: [...string]
+
+	// Specify whether the service should be considered external to
+	// the mesh or part of the mesh.
+	//
+	// Valid Options: MESH_EXTERNAL, MESH_INTERNAL
+	location?: "MESH_EXTERNAL" | "MESH_INTERNAL"
+
+	// The ports associated with the external service.
+	ports?: [...{
+		// Label assigned to the port.
+		name: string
+
+		// A valid non-negative integer port number.
+		number: uint32
+
+		// The protocol exposed on the port.
+		protocol?: string
+
+		// The port number on the endpoint where the traffic will be
+		// received.
+		targetPort?: uint32
+	}]
+
+	// Service resolution mode for the hosts.
+	//
+	// Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN
+	resolution?: "NONE" | "STATIC" | "DNS" | "DNS_ROUND_ROBIN"
+
+	// If specified, the proxy will verify that the server
+	// certificate's subject alternate name matches one of the
+	// specified values.
+	subjectAltNames?: [...string]
+	workloadSelector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which the configuration should be applied.
+		labels?: {
+			[string]: string
+		}
+	}
+}

internal/generate/platforms/cue.mod/gen/networking.istio.io/serviceentry/v1beta1/types_gen.cue

@@ -0,0 +1,111 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f deploy/clusters/aws2/components/istio-base/istio-base.gen.yaml
+
+package v1beta1
+
+import "strings"
+
+#ServiceEntry: {
+	// Configuration affecting service registry. See more details at:
+	// https://istio.io/docs/reference/config/networking/service-entry.html
+	spec!:      #ServiceEntrySpec
+	apiVersion: "networking.istio.io/v1beta1"
+	kind:       "ServiceEntry"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting service registry. See more details at:
+// https://istio.io/docs/reference/config/networking/service-entry.html
+#ServiceEntrySpec: {
+	// The virtual IP addresses associated with the service.
+	addresses?: [...string]
+
+	// One or more endpoints associated with the service.
+	endpoints?: [...{
+		// Address associated with the network endpoint without the port.
+		address?: string
+
+		// One or more labels associated with the endpoint.
+		labels?: {
+			[string]: string
+		}
+
+		// The locality associated with the endpoint.
+		locality?: string
+
+		// Network enables Istio to group endpoints resident in the same
+		// L3 domain/network.
+		network?: string
+
+		// Set of ports associated with the endpoint.
+		ports?: {
+			[string]: int & <=4294967295 & >=0
+		}
+
+		// The service account associated with the workload if a sidecar
+		// is present in the workload.
+		serviceAccount?: string
+
+		// The load balancing weight associated with the endpoint.
+		weight?: uint32
+	}]
+
+	// A list of namespaces to which this service is exported.
+	exportTo?: [...string]
+
+	// The hosts associated with the ServiceEntry.
+	hosts: [...string]
+
+	// Specify whether the service should be considered external to
+	// the mesh or part of the mesh.
+	//
+	// Valid Options: MESH_EXTERNAL, MESH_INTERNAL
+	location?: "MESH_EXTERNAL" | "MESH_INTERNAL"
+
+	// The ports associated with the external service.
+	ports?: [...{
+		// Label assigned to the port.
+		name: string
+
+		// A valid non-negative integer port number.
+		number: uint32
+
+		// The protocol exposed on the port.
+		protocol?: string
+
+		// The port number on the endpoint where the traffic will be
+		// received.
+		targetPort?: uint32
+	}]
+
+	// Service resolution mode for the hosts.
+	//
+	// Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN
+	resolution?: "NONE" | "STATIC" | "DNS" | "DNS_ROUND_ROBIN"
+
+	// If specified, the proxy will verify that the server
+	// certificate's subject alternate name matches one of the
+	// specified values.
+	subjectAltNames?: [...string]
+	workloadSelector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which the configuration should be applied.
+		labels?: {
+			[string]: string
+		}
+	}
+}

internal/generate/platforms/cue.mod/gen/networking.istio.io/sidecar/v1/types_gen.cue

@@ -0,0 +1,316 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f deploy/clusters/aws2/components/istio-base/istio-base.gen.yaml
+
+package v1
+
+import "strings"
+
+#Sidecar: {
+	// Configuration affecting network reachability of a sidecar. See
+	// more details at:
+	// https://istio.io/docs/reference/config/networking/sidecar.html
+	spec!:      #SidecarSpec
+	apiVersion: "networking.istio.io/v1"
+	kind:       "Sidecar"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting network reachability of a sidecar. See
+// more details at:
+// https://istio.io/docs/reference/config/networking/sidecar.html
+#SidecarSpec: {
+	// Egress specifies the configuration of the sidecar for
+	// processing outbound traffic from the attached workload
+	// instance to other services in the mesh.
+	egress?: [...{
+		// The IP(IPv4 or IPv6) or the Unix domain socket to which the
+		// listener should be bound to.
+		bind?: string
+
+		// When the bind address is an IP, the captureMode option dictates
+		// how traffic to the listener is expected to be captured (or
+		// not).
+		//
+		// Valid Options: DEFAULT, IPTABLES, NONE
+		captureMode?: "DEFAULT" | "IPTABLES" | "NONE"
+
+		// One or more service hosts exposed by the listener in
+		// `namespace/dnsName` format.
+		hosts: [...string]
+
+		// The port associated with the listener.
+		port?: {
+			// Label assigned to the port.
+			name?: string
+
+			// A valid non-negative integer port number.
+			number?: uint32
+
+			// The protocol exposed on the port.
+			protocol?:   string
+			targetPort?: uint32
+		}
+	}]
+
+	// Settings controlling the volume of connections Envoy will
+	// accept from the network.
+	inboundConnectionPool?: {
+		// HTTP connection pool settings.
+		http?: {
+			// Specify if http1.1 connection should be upgraded to http2 for
+			// the associated destination.
+			//
+			// Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
+			h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
+
+			// Maximum number of requests that will be queued while waiting
+			// for a ready connection pool connection.
+			http1MaxPendingRequests?: int
+
+			// Maximum number of active requests to a destination.
+			http2MaxRequests?: int
+
+			// The idle timeout for upstream connection pool connections.
+			idleTimeout?: string
+
+			// The maximum number of concurrent streams allowed for a peer on
+			// one HTTP/2 connection.
+			maxConcurrentStreams?: int
+
+			// Maximum number of requests per connection to a backend.
+			maxRequestsPerConnection?: int
+
+			// Maximum number of retries that can be outstanding to all hosts
+			// in a cluster at a given time.
+			maxRetries?: int
+
+			// If set to true, client protocol will be preserved while
+			// initiating connection to backend.
+			useClientProtocol?: bool
+		}
+
+		// Settings common to both HTTP and TCP upstream connections.
+		tcp?: {
+			// TCP connection timeout.
+			connectTimeout?: string
+
+			// The idle timeout for TCP connections.
+			idleTimeout?: string
+
+			// The maximum duration of a connection.
+			maxConnectionDuration?: string
+
+			// Maximum number of HTTP1 /TCP connections to a destination host.
+			maxConnections?: int
+
+			// If set then set SO_KEEPALIVE on the socket to enable TCP
+			// Keepalives.
+			tcpKeepalive?: {
+				// The time duration between keep-alive probes.
+				interval?: string
+
+				// Maximum number of keepalive probes to send without response
+				// before deciding the connection is dead.
+				probes?: uint32
+
+				// The time duration a connection needs to be idle before
+				// keep-alive probes start being sent.
+				time?: string
+			}
+		}
+	}
+
+	// Ingress specifies the configuration of the sidecar for
+	// processing inbound traffic to the attached workload instance.
+	ingress?: [...{
+		// The IP(IPv4 or IPv6) to which the listener should be bound.
+		bind?: string
+
+		// The captureMode option dictates how traffic to the listener is
+		// expected to be captured (or not).
+		//
+		// Valid Options: DEFAULT, IPTABLES, NONE
+		captureMode?: "DEFAULT" | "IPTABLES" | "NONE"
+
+		// Settings controlling the volume of connections Envoy will
+		// accept from the network.
+		connectionPool?: {
+			// HTTP connection pool settings.
+			http?: {
+				// Specify if http1.1 connection should be upgraded to http2 for
+				// the associated destination.
+				//
+				// Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
+				h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
+
+				// Maximum number of requests that will be queued while waiting
+				// for a ready connection pool connection.
+				http1MaxPendingRequests?: int
+
+				// Maximum number of active requests to a destination.
+				http2MaxRequests?: int
+
+				// The idle timeout for upstream connection pool connections.
+				idleTimeout?: string
+
+				// The maximum number of concurrent streams allowed for a peer on
+				// one HTTP/2 connection.
+				maxConcurrentStreams?: int
+
+				// Maximum number of requests per connection to a backend.
+				maxRequestsPerConnection?: int
+
+				// Maximum number of retries that can be outstanding to all hosts
+				// in a cluster at a given time.
+				maxRetries?: int
+
+				// If set to true, client protocol will be preserved while
+				// initiating connection to backend.
+				useClientProtocol?: bool
+			}
+
+			// Settings common to both HTTP and TCP upstream connections.
+			tcp?: {
+				// TCP connection timeout.
+				connectTimeout?: string
+
+				// The idle timeout for TCP connections.
+				idleTimeout?: string
+
+				// The maximum duration of a connection.
+				maxConnectionDuration?: string
+
+				// Maximum number of HTTP1 /TCP connections to a destination host.
+				maxConnections?: int
+
+				// If set then set SO_KEEPALIVE on the socket to enable TCP
+				// Keepalives.
+				tcpKeepalive?: {
+					// The time duration between keep-alive probes.
+					interval?: string
+
+					// Maximum number of keepalive probes to send without response
+					// before deciding the connection is dead.
+					probes?: uint32
+
+					// The time duration a connection needs to be idle before
+					// keep-alive probes start being sent.
+					time?: string
+				}
+			}
+		}
+
+		// The IP endpoint or Unix domain socket to which traffic should
+		// be forwarded to.
+		defaultEndpoint?: string
+
+		// The port associated with the listener.
+		port: {
+			// Label assigned to the port.
+			name?: string
+
+			// A valid non-negative integer port number.
+			number?: uint32
+
+			// The protocol exposed on the port.
+			protocol?:   string
+			targetPort?: uint32
+		}
+
+		// Set of TLS related options that will enable TLS termination on
+		// the sidecar for requests originating from outside the mesh.
+		tls?: {
+			// REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
+			caCertificates?: string
+
+			// OPTIONAL: The path to the file containing the certificate
+			// revocation list (CRL) to use in verifying a presented client
+			// side certificate.
+			caCrl?: string
+
+			// Optional: If specified, only support the specified cipher list.
+			cipherSuites?: [...string]
+
+			// For gateways running on Kubernetes, the name of the secret that
+			// holds the TLS certs including the CA certificates.
+			credentialName?: string
+
+			// If set to true, the load balancer will send a 301 redirect for
+			// all http connections, asking the clients to use HTTPS.
+			httpsRedirect?: bool
+
+			// Optional: Maximum TLS protocol version.
+			//
+			// Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3
+			maxProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
+
+			// Optional: Minimum TLS protocol version.
+			//
+			// Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3
+			minProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
+
+			// Optional: Indicates whether connections to this port should be
+			// secured using TLS.
+			//
+			// Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH,
+			// ISTIO_MUTUAL, OPTIONAL_MUTUAL
+			mode?: "PASSTHROUGH" | "SIMPLE" | "MUTUAL" | "AUTO_PASSTHROUGH" | "ISTIO_MUTUAL" | "OPTIONAL_MUTUAL"
+
+			// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+			privateKey?: string
+
+			// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+			serverCertificate?: string
+
+			// A list of alternate names to verify the subject identity in the
+			// certificate presented by the client.
+			subjectAltNames?: [...string]
+
+			// An optional list of hex-encoded SHA-256 hashes of the
+			// authorized client certificates.
+			verifyCertificateHash?: [...string]
+
+			// An optional list of base64-encoded SHA-256 hashes of the SPKIs
+			// of authorized client certificates.
+			verifyCertificateSpki?: [...string]
+		}
+	}]
+
+	// Configuration for the outbound traffic policy.
+	outboundTrafficPolicy?: {
+		egressProxy?: {
+			// The name of a service from the service registry.
+			host: string
+			port?: {
+				number?: uint32
+			}
+
+			// The name of a subset within the service.
+			subset?: string
+		}
+
+		// Valid Options: REGISTRY_ONLY, ALLOW_ANY
+		mode?: "REGISTRY_ONLY" | "ALLOW_ANY"
+	}
+	workloadSelector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which the configuration should be applied.
+		labels?: {
+			[string]: string
+		}
+	}
+}

internal/generate/platforms/cue.mod/gen/networking.istio.io/sidecar/v1alpha3/types_gen.cue

@@ -0,0 +1,316 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f deploy/clusters/aws2/components/istio-base/istio-base.gen.yaml
+
+package v1alpha3
+
+import "strings"
+
+#Sidecar: {
+	// Configuration affecting network reachability of a sidecar. See
+	// more details at:
+	// https://istio.io/docs/reference/config/networking/sidecar.html
+	spec!:      #SidecarSpec
+	apiVersion: "networking.istio.io/v1alpha3"
+	kind:       "Sidecar"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting network reachability of a sidecar. See
+// more details at:
+// https://istio.io/docs/reference/config/networking/sidecar.html
+#SidecarSpec: {
+	// Egress specifies the configuration of the sidecar for
+	// processing outbound traffic from the attached workload
+	// instance to other services in the mesh.
+	egress?: [...{
+		// The IP(IPv4 or IPv6) or the Unix domain socket to which the
+		// listener should be bound to.
+		bind?: string
+
+		// When the bind address is an IP, the captureMode option dictates
+		// how traffic to the listener is expected to be captured (or
+		// not).
+		//
+		// Valid Options: DEFAULT, IPTABLES, NONE
+		captureMode?: "DEFAULT" | "IPTABLES" | "NONE"
+
+		// One or more service hosts exposed by the listener in
+		// `namespace/dnsName` format.
+		hosts: [...string]
+
+		// The port associated with the listener.
+		port?: {
+			// Label assigned to the port.
+			name?: string
+
+			// A valid non-negative integer port number.
+			number?: uint32
+
+			// The protocol exposed on the port.
+			protocol?:   string
+			targetPort?: uint32
+		}
+	}]
+
+	// Settings controlling the volume of connections Envoy will
+	// accept from the network.
+	inboundConnectionPool?: {
+		// HTTP connection pool settings.
+		http?: {
+			// Specify if http1.1 connection should be upgraded to http2 for
+			// the associated destination.
+			//
+			// Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
+			h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
+
+			// Maximum number of requests that will be queued while waiting
+			// for a ready connection pool connection.
+			http1MaxPendingRequests?: int
+
+			// Maximum number of active requests to a destination.
+			http2MaxRequests?: int
+
+			// The idle timeout for upstream connection pool connections.
+			idleTimeout?: string
+
+			// The maximum number of concurrent streams allowed for a peer on
+			// one HTTP/2 connection.
+			maxConcurrentStreams?: int
+
+			// Maximum number of requests per connection to a backend.
+			maxRequestsPerConnection?: int
+
+			// Maximum number of retries that can be outstanding to all hosts
+			// in a cluster at a given time.
+			maxRetries?: int
+
+			// If set to true, client protocol will be preserved while
+			// initiating connection to backend.
+			useClientProtocol?: bool
+		}
+
+		// Settings common to both HTTP and TCP upstream connections.
+		tcp?: {
+			// TCP connection timeout.
+			connectTimeout?: string
+
+			// The idle timeout for TCP connections.
+			idleTimeout?: string
+
+			// The maximum duration of a connection.
+			maxConnectionDuration?: string
+
+			// Maximum number of HTTP1 /TCP connections to a destination host.
+			maxConnections?: int
+
+			// If set then set SO_KEEPALIVE on the socket to enable TCP
+			// Keepalives.
+			tcpKeepalive?: {
+				// The time duration between keep-alive probes.
+				interval?: string
+
+				// Maximum number of keepalive probes to send without response
+				// before deciding the connection is dead.
+				probes?: uint32
+
+				// The time duration a connection needs to be idle before
+				// keep-alive probes start being sent.
+				time?: string
+			}
+		}
+	}
+
+	// Ingress specifies the configuration of the sidecar for
+	// processing inbound traffic to the attached workload instance.
+	ingress?: [...{
+		// The IP(IPv4 or IPv6) to which the listener should be bound.
+		bind?: string
+
+		// The captureMode option dictates how traffic to the listener is
+		// expected to be captured (or not).
+		//
+		// Valid Options: DEFAULT, IPTABLES, NONE
+		captureMode?: "DEFAULT" | "IPTABLES" | "NONE"
+
+		// Settings controlling the volume of connections Envoy will
+		// accept from the network.
+		connectionPool?: {
+			// HTTP connection pool settings.
+			http?: {
+				// Specify if http1.1 connection should be upgraded to http2 for
+				// the associated destination.
+				//
+				// Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
+				h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
+
+				// Maximum number of requests that will be queued while waiting
+				// for a ready connection pool connection.
+				http1MaxPendingRequests?: int
+
+				// Maximum number of active requests to a destination.
+				http2MaxRequests?: int
+
+				// The idle timeout for upstream connection pool connections.
+				idleTimeout?: string
+
+				// The maximum number of concurrent streams allowed for a peer on
+				// one HTTP/2 connection.
+				maxConcurrentStreams?: int
+
+				// Maximum number of requests per connection to a backend.
+				maxRequestsPerConnection?: int
+
+				// Maximum number of retries that can be outstanding to all hosts
+				// in a cluster at a given time.
+				maxRetries?: int
+
+				// If set to true, client protocol will be preserved while
+				// initiating connection to backend.
+				useClientProtocol?: bool
+			}
+
+			// Settings common to both HTTP and TCP upstream connections.
+			tcp?: {
+				// TCP connection timeout.
+				connectTimeout?: string
+
+				// The idle timeout for TCP connections.
+				idleTimeout?: string
+
+				// The maximum duration of a connection.
+				maxConnectionDuration?: string
+
+				// Maximum number of HTTP1 /TCP connections to a destination host.
+				maxConnections?: int
+
+				// If set then set SO_KEEPALIVE on the socket to enable TCP
+				// Keepalives.
+				tcpKeepalive?: {
+					// The time duration between keep-alive probes.
+					interval?: string
+
+					// Maximum number of keepalive probes to send without response
+					// before deciding the connection is dead.
+					probes?: uint32
+
+					// The time duration a connection needs to be idle before
+					// keep-alive probes start being sent.
+					time?: string
+				}
+			}
+		}
+
+		// The IP endpoint or Unix domain socket to which traffic should
+		// be forwarded to.
+		defaultEndpoint?: string
+
+		// The port associated with the listener.
+		port: {
+			// Label assigned to the port.
+			name?: string
+
+			// A valid non-negative integer port number.
+			number?: uint32
+
+			// The protocol exposed on the port.
+			protocol?:   string
+			targetPort?: uint32
+		}
+
+		// Set of TLS related options that will enable TLS termination on
+		// the sidecar for requests originating from outside the mesh.
+		tls?: {
+			// REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
+			caCertificates?: string
+
+			// OPTIONAL: The path to the file containing the certificate
+			// revocation list (CRL) to use in verifying a presented client
+			// side certificate.
+			caCrl?: string
+
+			// Optional: If specified, only support the specified cipher list.
+			cipherSuites?: [...string]
+
+			// For gateways running on Kubernetes, the name of the secret that
+			// holds the TLS certs including the CA certificates.
+			credentialName?: string
+
+			// If set to true, the load balancer will send a 301 redirect for
+			// all http connections, asking the clients to use HTTPS.
+			httpsRedirect?: bool
+
+			// Optional: Maximum TLS protocol version.
+			//
+			// Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3
+			maxProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
+
+			// Optional: Minimum TLS protocol version.
+			//
+			// Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3
+			minProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
+
+			// Optional: Indicates whether connections to this port should be
+			// secured using TLS.
+			//
+			// Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH,
+			// ISTIO_MUTUAL, OPTIONAL_MUTUAL
+			mode?: "PASSTHROUGH" | "SIMPLE" | "MUTUAL" | "AUTO_PASSTHROUGH" | "ISTIO_MUTUAL" | "OPTIONAL_MUTUAL"
+
+			// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+			privateKey?: string
+
+			// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+			serverCertificate?: string
+
+			// A list of alternate names to verify the subject identity in the
+			// certificate presented by the client.
+			subjectAltNames?: [...string]
+
+			// An optional list of hex-encoded SHA-256 hashes of the
+			// authorized client certificates.
+			verifyCertificateHash?: [...string]
+
+			// An optional list of base64-encoded SHA-256 hashes of the SPKIs
+			// of authorized client certificates.
+			verifyCertificateSpki?: [...string]
+		}
+	}]
+
+	// Configuration for the outbound traffic policy.
+	outboundTrafficPolicy?: {
+		egressProxy?: {
+			// The name of a service from the service registry.
+			host: string
+			port?: {
+				number?: uint32
+			}
+
+			// The name of a subset within the service.
+			subset?: string
+		}
+
+		// Valid Options: REGISTRY_ONLY, ALLOW_ANY
+		mode?: "REGISTRY_ONLY" | "ALLOW_ANY"
+	}
+	workloadSelector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which the configuration should be applied.
+		labels?: {
+			[string]: string
+		}
+	}
+}

internal/generate/platforms/cue.mod/gen/networking.istio.io/sidecar/v1beta1/types_gen.cue

@@ -0,0 +1,316 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f deploy/clusters/aws2/components/istio-base/istio-base.gen.yaml
+
+package v1beta1
+
+import "strings"
+
+#Sidecar: {
+	// Configuration affecting network reachability of a sidecar. See
+	// more details at:
+	// https://istio.io/docs/reference/config/networking/sidecar.html
+	spec!:      #SidecarSpec
+	apiVersion: "networking.istio.io/v1beta1"
+	kind:       "Sidecar"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting network reachability of a sidecar. See
+// more details at:
+// https://istio.io/docs/reference/config/networking/sidecar.html
+#SidecarSpec: {
+	// Egress specifies the configuration of the sidecar for
+	// processing outbound traffic from the attached workload
+	// instance to other services in the mesh.
+	egress?: [...{
+		// The IP(IPv4 or IPv6) or the Unix domain socket to which the
+		// listener should be bound to.
+		bind?: string
+
+		// When the bind address is an IP, the captureMode option dictates
+		// how traffic to the listener is expected to be captured (or
+		// not).
+		//
+		// Valid Options: DEFAULT, IPTABLES, NONE
+		captureMode?: "DEFAULT" | "IPTABLES" | "NONE"
+
+		// One or more service hosts exposed by the listener in
+		// `namespace/dnsName` format.
+		hosts: [...string]
+
+		// The port associated with the listener.
+		port?: {
+			// Label assigned to the port.
+			name?: string
+
+			// A valid non-negative integer port number.
+			number?: uint32
+
+			// The protocol exposed on the port.
+			protocol?:   string
+			targetPort?: uint32
+		}
+	}]
+
+	// Settings controlling the volume of connections Envoy will
+	// accept from the network.
+	inboundConnectionPool?: {
+		// HTTP connection pool settings.
+		http?: {
+			// Specify if http1.1 connection should be upgraded to http2 for
+			// the associated destination.
+			//
+			// Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
+			h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
+
+			// Maximum number of requests that will be queued while waiting
+			// for a ready connection pool connection.
+			http1MaxPendingRequests?: int
+
+			// Maximum number of active requests to a destination.
+			http2MaxRequests?: int
+
+			// The idle timeout for upstream connection pool connections.
+			idleTimeout?: string
+
+			// The maximum number of concurrent streams allowed for a peer on
+			// one HTTP/2 connection.
+			maxConcurrentStreams?: int
+
+			// Maximum number of requests per connection to a backend.
+			maxRequestsPerConnection?: int
+
+			// Maximum number of retries that can be outstanding to all hosts
+			// in a cluster at a given time.
+			maxRetries?: int
+
+			// If set to true, client protocol will be preserved while
+			// initiating connection to backend.
+			useClientProtocol?: bool
+		}
+
+		// Settings common to both HTTP and TCP upstream connections.
+		tcp?: {
+			// TCP connection timeout.
+			connectTimeout?: string
+
+			// The idle timeout for TCP connections.
+			idleTimeout?: string
+
+			// The maximum duration of a connection.
+			maxConnectionDuration?: string
+
+			// Maximum number of HTTP1 /TCP connections to a destination host.
+			maxConnections?: int
+
+			// If set then set SO_KEEPALIVE on the socket to enable TCP
+			// Keepalives.
+			tcpKeepalive?: {
+				// The time duration between keep-alive probes.
+				interval?: string
+
+				// Maximum number of keepalive probes to send without response
+				// before deciding the connection is dead.
+				probes?: uint32
+
+				// The time duration a connection needs to be idle before
+				// keep-alive probes start being sent.
+				time?: string
+			}
+		}
+	}
+
+	// Ingress specifies the configuration of the sidecar for
+	// processing inbound traffic to the attached workload instance.
+	ingress?: [...{
+		// The IP(IPv4 or IPv6) to which the listener should be bound.
+		bind?: string
+
+		// The captureMode option dictates how traffic to the listener is
+		// expected to be captured (or not).
+		//
+		// Valid Options: DEFAULT, IPTABLES, NONE
+		captureMode?: "DEFAULT" | "IPTABLES" | "NONE"
+
+		// Settings controlling the volume of connections Envoy will
+		// accept from the network.
+		connectionPool?: {
+			// HTTP connection pool settings.
+			http?: {
+				// Specify if http1.1 connection should be upgraded to http2 for
+				// the associated destination.
+				//
+				// Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
+				h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
+
+				// Maximum number of requests that will be queued while waiting
+				// for a ready connection pool connection.
+				http1MaxPendingRequests?: int
+
+				// Maximum number of active requests to a destination.
+				http2MaxRequests?: int
+
+				// The idle timeout for upstream connection pool connections.
+				idleTimeout?: string
+
+				// The maximum number of concurrent streams allowed for a peer on
+				// one HTTP/2 connection.
+				maxConcurrentStreams?: int
+
+				// Maximum number of requests per connection to a backend.
+				maxRequestsPerConnection?: int
+
+				// Maximum number of retries that can be outstanding to all hosts
+				// in a cluster at a given time.
+				maxRetries?: int
+
+				// If set to true, client protocol will be preserved while
+				// initiating connection to backend.
+				useClientProtocol?: bool
+			}
+
+			// Settings common to both HTTP and TCP upstream connections.
+			tcp?: {
+				// TCP connection timeout.
+				connectTimeout?: string
+
+				// The idle timeout for TCP connections.
+				idleTimeout?: string
+
+				// The maximum duration of a connection.
+				maxConnectionDuration?: string
+
+				// Maximum number of HTTP1 /TCP connections to a destination host.
+				maxConnections?: int
+
+				// If set then set SO_KEEPALIVE on the socket to enable TCP
+				// Keepalives.
+				tcpKeepalive?: {
+					// The time duration between keep-alive probes.
+					interval?: string
+
+					// Maximum number of keepalive probes to send without response
+					// before deciding the connection is dead.
+					probes?: uint32
+
+					// The time duration a connection needs to be idle before
+					// keep-alive probes start being sent.
+					time?: string
+				}
+			}
+		}
+
+		// The IP endpoint or Unix domain socket to which traffic should
+		// be forwarded to.
+		defaultEndpoint?: string
+
+		// The port associated with the listener.
+		port: {
+			// Label assigned to the port.
+			name?: string
+
+			// A valid non-negative integer port number.
+			number?: uint32
+
+			// The protocol exposed on the port.
+			protocol?:   string
+			targetPort?: uint32
+		}
+
+		// Set of TLS related options that will enable TLS termination on
+		// the sidecar for requests originating from outside the mesh.
+		tls?: {
+			// REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
+			caCertificates?: string
+
+			// OPTIONAL: The path to the file containing the certificate
+			// revocation list (CRL) to use in verifying a presented client
+			// side certificate.
+			caCrl?: string
+
+			// Optional: If specified, only support the specified cipher list.
+			cipherSuites?: [...string]
+
+			// For gateways running on Kubernetes, the name of the secret that
+			// holds the TLS certs including the CA certificates.
+			credentialName?: string
+
+			// If set to true, the load balancer will send a 301 redirect for
+			// all http connections, asking the clients to use HTTPS.
+			httpsRedirect?: bool
+
+			// Optional: Maximum TLS protocol version.
+			//
+			// Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3
+			maxProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
+
+			// Optional: Minimum TLS protocol version.
+			//
+			// Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3
+			minProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
+
+			// Optional: Indicates whether connections to this port should be
+			// secured using TLS.
+			//
+			// Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH,
+			// ISTIO_MUTUAL, OPTIONAL_MUTUAL
+			mode?: "PASSTHROUGH" | "SIMPLE" | "MUTUAL" | "AUTO_PASSTHROUGH" | "ISTIO_MUTUAL" | "OPTIONAL_MUTUAL"
+
+			// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+			privateKey?: string
+
+			// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+			serverCertificate?: string
+
+			// A list of alternate names to verify the subject identity in the
+			// certificate presented by the client.
+			subjectAltNames?: [...string]
+
+			// An optional list of hex-encoded SHA-256 hashes of the
+			// authorized client certificates.
+			verifyCertificateHash?: [...string]
+
+			// An optional list of base64-encoded SHA-256 hashes of the SPKIs
+			// of authorized client certificates.
+			verifyCertificateSpki?: [...string]
+		}
+	}]
+
+	// Configuration for the outbound traffic policy.
+	outboundTrafficPolicy?: {
+		egressProxy?: {
+			// The name of a service from the service registry.
+			host: string
+			port?: {
+				number?: uint32
+			}
+
+			// The name of a subset within the service.
+			subset?: string
+		}
+
+		// Valid Options: REGISTRY_ONLY, ALLOW_ANY
+		mode?: "REGISTRY_ONLY" | "ALLOW_ANY"
+	}
+	workloadSelector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which the configuration should be applied.
+		labels?: {
+			[string]: string
+		}
+	}
+}

internal/generate/platforms/cue.mod/gen/networking.istio.io/virtualservice/v1/types_gen.cue

@@ -0,0 +1,596 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f deploy/clusters/aws2/components/istio-base/istio-base.gen.yaml
+
+package v1
+
+import "strings"
+
+#VirtualService: {
+	// Configuration affecting label/content routing, sni routing,
+	// etc. See more details at:
+	// https://istio.io/docs/reference/config/networking/virtual-service.html
+	spec!:      #VirtualServiceSpec
+	apiVersion: "networking.istio.io/v1"
+	kind:       "VirtualService"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting label/content routing, sni routing,
+// etc. See more details at:
+// https://istio.io/docs/reference/config/networking/virtual-service.html
+#VirtualServiceSpec: {
+	// A list of namespaces to which this virtual service is exported.
+	exportTo?: [...string]
+
+	// The names of gateways and sidecars that should apply these
+	// routes.
+	gateways?: [...string]
+
+	// The destination hosts to which traffic is being sent.
+	hosts?: [...string]
+
+	// An ordered list of route rules for HTTP traffic.
+	http?: [...{
+		// Cross-Origin Resource Sharing policy (CORS).
+		corsPolicy?: {
+			// Indicates whether the caller is allowed to send the actual
+			// request (not the preflight) using credentials.
+			allowCredentials?: null | bool
+
+			// List of HTTP headers that can be used when requesting the
+			// resource.
+			allowHeaders?: [...string]
+
+			// List of HTTP methods allowed to access the resource.
+			allowMethods?: [...string]
+			allowOrigin?: [...string]
+
+			// String patterns that match allowed origins.
+			allowOrigins?: [...({} | {
+				exact: _
+			} | {
+				prefix: _
+			} | {
+				regex: _
+			}) & {
+				exact?:  string
+				prefix?: string
+
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				regex?: string
+			}]
+
+			// A list of HTTP headers that the browsers are allowed to access.
+			exposeHeaders?: [...string]
+
+			// Specifies how long the results of a preflight request can be
+			// cached.
+			maxAge?: string
+		}
+
+		// Delegate is used to specify the particular VirtualService which
+		// can be used to define delegate HTTPRoute.
+		delegate?: {
+			// Name specifies the name of the delegate VirtualService.
+			name?: string
+
+			// Namespace specifies the namespace where the delegate
+			// VirtualService resides.
+			namespace?: string
+		}
+
+		// A HTTP rule can either return a direct_response, redirect or
+		// forward (default) traffic.
+		directResponse?: {
+			// Specifies the content of the response body.
+			body?: ({} | {
+				string: _
+			} | {
+				bytes: _
+			}) & {
+				// response body as base64 encoded bytes.
+				bytes?:  string
+				string?: string
+			}
+
+			// Specifies the HTTP response status to be returned.
+			status: uint32
+		}
+
+		// Fault injection policy to apply on HTTP traffic at the client
+		// side.
+		fault?: {
+			// Abort Http request attempts and return error codes back to
+			// downstream service, giving the impression that the upstream
+			// service is faulty.
+			abort?: ({} | {
+				httpStatus: _
+			} | {
+				grpcStatus: _
+			} | {
+				http2Error: _
+			}) & {
+				// GRPC status code to use to abort the request.
+				grpcStatus?: string
+				http2Error?: string
+
+				// HTTP status code to use to abort the Http request.
+				httpStatus?: int
+				percentage?: {
+					value?: number
+				}
+			}
+
+			// Delay requests before forwarding, emulating various failures
+			// such as network issues, overloaded upstream service, etc.
+			delay?: ({} | {
+				fixedDelay: _
+			} | {
+				exponentialDelay: _
+			}) & {
+				exponentialDelay?: string
+
+				// Add a fixed delay before forwarding the request.
+				fixedDelay?: string
+
+				// Percentage of requests on which the delay will be injected
+				// (0-100).
+				percent?: int
+				percentage?: {
+					value?: number
+				}
+			}
+		}
+		headers?: {
+			request?: {
+				add?: {
+					[string]: string
+				}
+				remove?: [...string]
+				set?: {
+					[string]: string
+				}
+			}
+			response?: {
+				add?: {
+					[string]: string
+				}
+				remove?: [...string]
+				set?: {
+					[string]: string
+				}
+			}
+		}
+
+		// Match conditions to be satisfied for the rule to be activated.
+		match?: [...{
+			// HTTP Authority values are case-sensitive and formatted as
+			// follows: - `exact: "value"` for exact string match - `prefix:
+			// "value"` for prefix-based match - `regex: "value"` for RE2
+			// style regex-based match
+			// (https://github.com/google/re2/wiki/Syntax).
+			authority?: ({} | {
+				exact: _
+			} | {
+				prefix: _
+			} | {
+				regex: _
+			}) & {
+				exact?:  string
+				prefix?: string
+
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				regex?: string
+			}
+
+			// Names of gateways where the rule should be applied.
+			gateways?: [...string]
+
+			// The header keys must be lowercase and use hyphen as the
+			// separator, e.g.
+			headers?: {
+				[string]: ({} | {
+					exact: _
+				} | {
+					prefix: _
+				} | {
+					regex: _
+				}) & {
+					exact?:  string
+					prefix?: string
+
+					// RE2 style regex-based match
+					// (https://github.com/google/re2/wiki/Syntax).
+					regex?: string
+				}
+			}
+
+			// Flag to specify whether the URI matching should be
+			// case-insensitive.
+			ignoreUriCase?: bool
+
+			// HTTP Method values are case-sensitive and formatted as follows:
+			// - `exact: "value"` for exact string match - `prefix: "value"`
+			// for prefix-based match - `regex: "value"` for RE2 style
+			// regex-based match (https://github.com/google/re2/wiki/Syntax).
+			method?: ({} | {
+				exact: _
+			} | {
+				prefix: _
+			} | {
+				regex: _
+			}) & {
+				exact?:  string
+				prefix?: string
+
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				regex?: string
+			}
+
+			// The name assigned to a match.
+			name?: string
+
+			// Specifies the ports on the host that is being addressed.
+			port?: uint32
+
+			// Query parameters for matching.
+			queryParams?: {
+				[string]: ({} | {
+					exact: _
+				} | {
+					prefix: _
+				} | {
+					regex: _
+				}) & {
+					exact?:  string
+					prefix?: string
+
+					// RE2 style regex-based match
+					// (https://github.com/google/re2/wiki/Syntax).
+					regex?: string
+				}
+			}
+
+			// URI Scheme values are case-sensitive and formatted as follows:
+			// - `exact: "value"` for exact string match - `prefix: "value"`
+			// for prefix-based match - `regex: "value"` for RE2 style
+			// regex-based match (https://github.com/google/re2/wiki/Syntax).
+			scheme?: ({} | {
+				exact: _
+			} | {
+				prefix: _
+			} | {
+				regex: _
+			}) & {
+				exact?:  string
+				prefix?: string
+
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				regex?: string
+			}
+
+			// One or more labels that constrain the applicability of a rule
+			// to source (client) workloads with the given labels.
+			sourceLabels?: {
+				[string]: string
+			}
+
+			// Source namespace constraining the applicability of a rule to
+			// workloads in that namespace.
+			sourceNamespace?: string
+
+			// The human readable prefix to use when emitting statistics for
+			// this route.
+			statPrefix?: string
+
+			// URI to match values are case-sensitive and formatted as
+			// follows: - `exact: "value"` for exact string match - `prefix:
+			// "value"` for prefix-based match - `regex: "value"` for RE2
+			// style regex-based match
+			// (https://github.com/google/re2/wiki/Syntax).
+			uri?: ({} | {
+				exact: _
+			} | {
+				prefix: _
+			} | {
+				regex: _
+			}) & {
+				exact?:  string
+				prefix?: string
+
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				regex?: string
+			}
+
+			// withoutHeader has the same syntax with the header, but has
+			// opposite meaning.
+			withoutHeaders?: {
+				[string]: ({} | {
+					exact: _
+				} | {
+					prefix: _
+				} | {
+					regex: _
+				}) & {
+					exact?:  string
+					prefix?: string
+
+					// RE2 style regex-based match
+					// (https://github.com/google/re2/wiki/Syntax).
+					regex?: string
+				}
+			}
+		}]
+
+		// Mirror HTTP traffic to a another destination in addition to
+		// forwarding the requests to the intended destination.
+		mirror?: {
+			// The name of a service from the service registry.
+			host: string
+			port?: {
+				number?: uint32
+			}
+
+			// The name of a subset within the service.
+			subset?: string
+		}
+		mirror_percent?: null | int & <=4294967295 & >=0
+		mirrorPercent?:  null | int & <=4294967295 & >=0
+		mirrorPercentage?: {
+			value?: number
+		}
+
+		// Specifies the destinations to mirror HTTP traffic in addition
+		// to the original destination.
+		mirrors?: [...{
+			// Destination specifies the target of the mirror operation.
+			destination: {
+				// The name of a service from the service registry.
+				host: string
+				port?: {
+					number?: uint32
+				}
+
+				// The name of a subset within the service.
+				subset?: string
+			}
+			percentage?: {
+				value?: number
+			}
+		}]
+
+		// The name assigned to the route for debugging purposes.
+		name?: string
+
+		// A HTTP rule can either return a direct_response, redirect or
+		// forward (default) traffic.
+		redirect?: ({} | {
+			port: _
+		} | {
+			derivePort: _
+		}) & {
+			// On a redirect, overwrite the Authority/Host portion of the URL
+			// with this value.
+			authority?: string
+
+			// On a redirect, dynamically set the port: *
+			// FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and
+			// 443 for HTTPS.
+			//
+			// Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT
+			derivePort?: "FROM_PROTOCOL_DEFAULT" | "FROM_REQUEST_PORT"
+
+			// On a redirect, overwrite the port portion of the URL with this
+			// value.
+			port?: uint32
+
+			// On a redirect, Specifies the HTTP status code to use in the
+			// redirect response.
+			redirectCode?: uint32
+
+			// On a redirect, overwrite the scheme portion of the URL with
+			// this value.
+			scheme?: string
+
+			// On a redirect, overwrite the Path portion of the URL with this
+			// value.
+			uri?: string
+		}
+
+		// Retry policy for HTTP requests.
+		retries?: {
+			// Number of retries to be allowed for a given request.
+			attempts?: int
+
+			// Timeout per attempt for a given request, including the initial
+			// call and any retries.
+			perTryTimeout?: string
+
+			// Specifies the conditions under which retry takes place.
+			retryOn?: string
+
+			// Flag to specify whether the retries should retry to other
+			// localities.
+			retryRemoteLocalities?: null | bool
+		}
+
+		// Rewrite HTTP URIs and Authority headers.
+		rewrite?: {
+			// rewrite the Authority/Host header with this value.
+			authority?: string
+
+			// rewrite the path (or the prefix) portion of the URI with this
+			// value.
+			uri?: string
+
+			// rewrite the path portion of the URI with the specified regex.
+			uriRegexRewrite?: {
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				match?: string
+
+				// The string that should replace into matching portions of
+				// original URI.
+				rewrite?: string
+			}
+		}
+
+		// A HTTP rule can either return a direct_response, redirect or
+		// forward (default) traffic.
+		route?: [...{
+			// Destination uniquely identifies the instances of a service to
+			// which the request/connection should be forwarded to.
+			destination: {
+				// The name of a service from the service registry.
+				host: string
+				port?: {
+					number?: uint32
+				}
+
+				// The name of a subset within the service.
+				subset?: string
+			}
+			headers?: {
+				request?: {
+					add?: {
+						[string]: string
+					}
+					remove?: [...string]
+					set?: {
+						[string]: string
+					}
+				}
+				response?: {
+					add?: {
+						[string]: string
+					}
+					remove?: [...string]
+					set?: {
+						[string]: string
+					}
+				}
+			}
+
+			// Weight specifies the relative proportion of traffic to be
+			// forwarded to the destination.
+			weight?: int
+		}]
+
+		// Timeout for HTTP requests, default is disabled.
+		timeout?: string
+	}]
+
+	// An ordered list of route rules for opaque TCP traffic.
+	tcp?: [...{
+		// Match conditions to be satisfied for the rule to be activated.
+		match?: [...{
+			// IPv4 or IPv6 ip addresses of destination with optional subnet.
+			destinationSubnets?: [...string]
+
+			// Names of gateways where the rule should be applied.
+			gateways?: [...string]
+
+			// Specifies the port on the host that is being addressed.
+			port?: uint32
+
+			// One or more labels that constrain the applicability of a rule
+			// to workloads with the given labels.
+			sourceLabels?: {
+				[string]: string
+			}
+
+			// Source namespace constraining the applicability of a rule to
+			// workloads in that namespace.
+			sourceNamespace?: string
+			sourceSubnet?:    string
+		}]
+
+		// The destination to which the connection should be forwarded to.
+		route?: [...{
+			// Destination uniquely identifies the instances of a service to
+			// which the request/connection should be forwarded to.
+			destination: {
+				// The name of a service from the service registry.
+				host: string
+				port?: {
+					number?: uint32
+				}
+
+				// The name of a subset within the service.
+				subset?: string
+			}
+
+			// Weight specifies the relative proportion of traffic to be
+			// forwarded to the destination.
+			weight?: int
+		}]
+	}]
+
+	// An ordered list of route rule for non-terminated TLS & HTTPS
+	// traffic.
+	tls?: [...{
+		// Match conditions to be satisfied for the rule to be activated.
+		match: [...{
+			// IPv4 or IPv6 ip addresses of destination with optional subnet.
+			destinationSubnets?: [...string]
+
+			// Names of gateways where the rule should be applied.
+			gateways?: [...string]
+
+			// Specifies the port on the host that is being addressed.
+			port?: uint32
+
+			// SNI (server name indicator) to match on.
+			sniHosts: [...string]
+
+			// One or more labels that constrain the applicability of a rule
+			// to workloads with the given labels.
+			sourceLabels?: {
+				[string]: string
+			}
+
+			// Source namespace constraining the applicability of a rule to
+			// workloads in that namespace.
+			sourceNamespace?: string
+		}]
+
+		// The destination to which the connection should be forwarded to.
+		route?: [...{
+			// Destination uniquely identifies the instances of a service to
+			// which the request/connection should be forwarded to.
+			destination: {
+				// The name of a service from the service registry.
+				host: string
+				port?: {
+					number?: uint32
+				}
+
+				// The name of a subset within the service.
+				subset?: string
+			}
+
+			// Weight specifies the relative proportion of traffic to be
+			// forwarded to the destination.
+			weight?: int
+		}]
+	}]
+}

internal/generate/platforms/cue.mod/gen/networking.istio.io/virtualservice/v1alpha3/types_gen.cue

@@ -0,0 +1,596 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f deploy/clusters/aws2/components/istio-base/istio-base.gen.yaml
+
+package v1alpha3
+
+import "strings"
+
+#VirtualService: {
+	// Configuration affecting label/content routing, sni routing,
+	// etc. See more details at:
+	// https://istio.io/docs/reference/config/networking/virtual-service.html
+	spec!:      #VirtualServiceSpec
+	apiVersion: "networking.istio.io/v1alpha3"
+	kind:       "VirtualService"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting label/content routing, sni routing,
+// etc. See more details at:
+// https://istio.io/docs/reference/config/networking/virtual-service.html
+#VirtualServiceSpec: {
+	// A list of namespaces to which this virtual service is exported.
+	exportTo?: [...string]
+
+	// The names of gateways and sidecars that should apply these
+	// routes.
+	gateways?: [...string]
+
+	// The destination hosts to which traffic is being sent.
+	hosts?: [...string]
+
+	// An ordered list of route rules for HTTP traffic.
+	http?: [...{
+		// Cross-Origin Resource Sharing policy (CORS).
+		corsPolicy?: {
+			// Indicates whether the caller is allowed to send the actual
+			// request (not the preflight) using credentials.
+			allowCredentials?: null | bool
+
+			// List of HTTP headers that can be used when requesting the
+			// resource.
+			allowHeaders?: [...string]
+
+			// List of HTTP methods allowed to access the resource.
+			allowMethods?: [...string]
+			allowOrigin?: [...string]
+
+			// String patterns that match allowed origins.
+			allowOrigins?: [...({} | {
+				exact: _
+			} | {
+				prefix: _
+			} | {
+				regex: _
+			}) & {
+				exact?:  string
+				prefix?: string
+
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				regex?: string
+			}]
+
+			// A list of HTTP headers that the browsers are allowed to access.
+			exposeHeaders?: [...string]
+
+			// Specifies how long the results of a preflight request can be
+			// cached.
+			maxAge?: string
+		}
+
+		// Delegate is used to specify the particular VirtualService which
+		// can be used to define delegate HTTPRoute.
+		delegate?: {
+			// Name specifies the name of the delegate VirtualService.
+			name?: string
+
+			// Namespace specifies the namespace where the delegate
+			// VirtualService resides.
+			namespace?: string
+		}
+
+		// A HTTP rule can either return a direct_response, redirect or
+		// forward (default) traffic.
+		directResponse?: {
+			// Specifies the content of the response body.
+			body?: ({} | {
+				string: _
+			} | {
+				bytes: _
+			}) & {
+				// response body as base64 encoded bytes.
+				bytes?:  string
+				string?: string
+			}
+
+			// Specifies the HTTP response status to be returned.
+			status: uint32
+		}
+
+		// Fault injection policy to apply on HTTP traffic at the client
+		// side.
+		fault?: {
+			// Abort Http request attempts and return error codes back to
+			// downstream service, giving the impression that the upstream
+			// service is faulty.
+			abort?: ({} | {
+				httpStatus: _
+			} | {
+				grpcStatus: _
+			} | {
+				http2Error: _
+			}) & {
+				// GRPC status code to use to abort the request.
+				grpcStatus?: string
+				http2Error?: string
+
+				// HTTP status code to use to abort the Http request.
+				httpStatus?: int
+				percentage?: {
+					value?: number
+				}
+			}
+
+			// Delay requests before forwarding, emulating various failures
+			// such as network issues, overloaded upstream service, etc.
+			delay?: ({} | {
+				fixedDelay: _
+			} | {
+				exponentialDelay: _
+			}) & {
+				exponentialDelay?: string
+
+				// Add a fixed delay before forwarding the request.
+				fixedDelay?: string
+
+				// Percentage of requests on which the delay will be injected
+				// (0-100).
+				percent?: int
+				percentage?: {
+					value?: number
+				}
+			}
+		}
+		headers?: {
+			request?: {
+				add?: {
+					[string]: string
+				}
+				remove?: [...string]
+				set?: {
+					[string]: string
+				}
+			}
+			response?: {
+				add?: {
+					[string]: string
+				}
+				remove?: [...string]
+				set?: {
+					[string]: string
+				}
+			}
+		}
+
+		// Match conditions to be satisfied for the rule to be activated.
+		match?: [...{
+			// HTTP Authority values are case-sensitive and formatted as
+			// follows: - `exact: "value"` for exact string match - `prefix:
+			// "value"` for prefix-based match - `regex: "value"` for RE2
+			// style regex-based match
+			// (https://github.com/google/re2/wiki/Syntax).
+			authority?: ({} | {
+				exact: _
+			} | {
+				prefix: _
+			} | {
+				regex: _
+			}) & {
+				exact?:  string
+				prefix?: string
+
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				regex?: string
+			}
+
+			// Names of gateways where the rule should be applied.
+			gateways?: [...string]
+
+			// The header keys must be lowercase and use hyphen as the
+			// separator, e.g.
+			headers?: {
+				[string]: ({} | {
+					exact: _
+				} | {
+					prefix: _
+				} | {
+					regex: _
+				}) & {
+					exact?:  string
+					prefix?: string
+
+					// RE2 style regex-based match
+					// (https://github.com/google/re2/wiki/Syntax).
+					regex?: string
+				}
+			}
+
+			// Flag to specify whether the URI matching should be
+			// case-insensitive.
+			ignoreUriCase?: bool
+
+			// HTTP Method values are case-sensitive and formatted as follows:
+			// - `exact: "value"` for exact string match - `prefix: "value"`
+			// for prefix-based match - `regex: "value"` for RE2 style
+			// regex-based match (https://github.com/google/re2/wiki/Syntax).
+			method?: ({} | {
+				exact: _
+			} | {
+				prefix: _
+			} | {
+				regex: _
+			}) & {
+				exact?:  string
+				prefix?: string
+
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				regex?: string
+			}
+
+			// The name assigned to a match.
+			name?: string
+
+			// Specifies the ports on the host that is being addressed.
+			port?: uint32
+
+			// Query parameters for matching.
+			queryParams?: {
+				[string]: ({} | {
+					exact: _
+				} | {
+					prefix: _
+				} | {
+					regex: _
+				}) & {
+					exact?:  string
+					prefix?: string
+
+					// RE2 style regex-based match
+					// (https://github.com/google/re2/wiki/Syntax).
+					regex?: string
+				}
+			}
+
+			// URI Scheme values are case-sensitive and formatted as follows:
+			// - `exact: "value"` for exact string match - `prefix: "value"`
+			// for prefix-based match - `regex: "value"` for RE2 style
+			// regex-based match (https://github.com/google/re2/wiki/Syntax).
+			scheme?: ({} | {
+				exact: _
+			} | {
+				prefix: _
+			} | {
+				regex: _
+			}) & {
+				exact?:  string
+				prefix?: string
+
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				regex?: string
+			}
+
+			// One or more labels that constrain the applicability of a rule
+			// to source (client) workloads with the given labels.
+			sourceLabels?: {
+				[string]: string
+			}
+
+			// Source namespace constraining the applicability of a rule to
+			// workloads in that namespace.
+			sourceNamespace?: string
+
+			// The human readable prefix to use when emitting statistics for
+			// this route.
+			statPrefix?: string
+
+			// URI to match values are case-sensitive and formatted as
+			// follows: - `exact: "value"` for exact string match - `prefix:
+			// "value"` for prefix-based match - `regex: "value"` for RE2
+			// style regex-based match
+			// (https://github.com/google/re2/wiki/Syntax).
+			uri?: ({} | {
+				exact: _
+			} | {
+				prefix: _
+			} | {
+				regex: _
+			}) & {
+				exact?:  string
+				prefix?: string
+
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				regex?: string
+			}
+
+			// withoutHeader has the same syntax with the header, but has
+			// opposite meaning.
+			withoutHeaders?: {
+				[string]: ({} | {
+					exact: _
+				} | {
+					prefix: _
+				} | {
+					regex: _
+				}) & {
+					exact?:  string
+					prefix?: string
+
+					// RE2 style regex-based match
+					// (https://github.com/google/re2/wiki/Syntax).
+					regex?: string
+				}
+			}
+		}]
+
+		// Mirror HTTP traffic to a another destination in addition to
+		// forwarding the requests to the intended destination.
+		mirror?: {
+			// The name of a service from the service registry.
+			host: string
+			port?: {
+				number?: uint32
+			}
+
+			// The name of a subset within the service.
+			subset?: string
+		}
+		mirror_percent?: null | int & <=4294967295 & >=0
+		mirrorPercent?:  null | int & <=4294967295 & >=0
+		mirrorPercentage?: {
+			value?: number
+		}
+
+		// Specifies the destinations to mirror HTTP traffic in addition
+		// to the original destination.
+		mirrors?: [...{
+			// Destination specifies the target of the mirror operation.
+			destination: {
+				// The name of a service from the service registry.
+				host: string
+				port?: {
+					number?: uint32
+				}
+
+				// The name of a subset within the service.
+				subset?: string
+			}
+			percentage?: {
+				value?: number
+			}
+		}]
+
+		// The name assigned to the route for debugging purposes.
+		name?: string
+
+		// A HTTP rule can either return a direct_response, redirect or
+		// forward (default) traffic.
+		redirect?: ({} | {
+			port: _
+		} | {
+			derivePort: _
+		}) & {
+			// On a redirect, overwrite the Authority/Host portion of the URL
+			// with this value.
+			authority?: string
+
+			// On a redirect, dynamically set the port: *
+			// FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and
+			// 443 for HTTPS.
+			//
+			// Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT
+			derivePort?: "FROM_PROTOCOL_DEFAULT" | "FROM_REQUEST_PORT"
+
+			// On a redirect, overwrite the port portion of the URL with this
+			// value.
+			port?: uint32
+
+			// On a redirect, Specifies the HTTP status code to use in the
+			// redirect response.
+			redirectCode?: uint32
+
+			// On a redirect, overwrite the scheme portion of the URL with
+			// this value.
+			scheme?: string
+
+			// On a redirect, overwrite the Path portion of the URL with this
+			// value.
+			uri?: string
+		}
+
+		// Retry policy for HTTP requests.
+		retries?: {
+			// Number of retries to be allowed for a given request.
+			attempts?: int
+
+			// Timeout per attempt for a given request, including the initial
+			// call and any retries.
+			perTryTimeout?: string
+
+			// Specifies the conditions under which retry takes place.
+			retryOn?: string
+
+			// Flag to specify whether the retries should retry to other
+			// localities.
+			retryRemoteLocalities?: null | bool
+		}
+
+		// Rewrite HTTP URIs and Authority headers.
+		rewrite?: {
+			// rewrite the Authority/Host header with this value.
+			authority?: string
+
+			// rewrite the path (or the prefix) portion of the URI with this
+			// value.
+			uri?: string
+
+			// rewrite the path portion of the URI with the specified regex.
+			uriRegexRewrite?: {
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				match?: string
+
+				// The string that should replace into matching portions of
+				// original URI.
+				rewrite?: string
+			}
+		}
+
+		// A HTTP rule can either return a direct_response, redirect or
+		// forward (default) traffic.
+		route?: [...{
+			// Destination uniquely identifies the instances of a service to
+			// which the request/connection should be forwarded to.
+			destination: {
+				// The name of a service from the service registry.
+				host: string
+				port?: {
+					number?: uint32
+				}
+
+				// The name of a subset within the service.
+				subset?: string
+			}
+			headers?: {
+				request?: {
+					add?: {
+						[string]: string
+					}
+					remove?: [...string]
+					set?: {
+						[string]: string
+					}
+				}
+				response?: {
+					add?: {
+						[string]: string
+					}
+					remove?: [...string]
+					set?: {
+						[string]: string
+					}
+				}
+			}
+
+			// Weight specifies the relative proportion of traffic to be
+			// forwarded to the destination.
+			weight?: int
+		}]
+
+		// Timeout for HTTP requests, default is disabled.
+		timeout?: string
+	}]
+
+	// An ordered list of route rules for opaque TCP traffic.
+	tcp?: [...{
+		// Match conditions to be satisfied for the rule to be activated.
+		match?: [...{
+			// IPv4 or IPv6 ip addresses of destination with optional subnet.
+			destinationSubnets?: [...string]
+
+			// Names of gateways where the rule should be applied.
+			gateways?: [...string]
+
+			// Specifies the port on the host that is being addressed.
+			port?: uint32
+
+			// One or more labels that constrain the applicability of a rule
+			// to workloads with the given labels.
+			sourceLabels?: {
+				[string]: string
+			}
+
+			// Source namespace constraining the applicability of a rule to
+			// workloads in that namespace.
+			sourceNamespace?: string
+			sourceSubnet?:    string
+		}]
+
+		// The destination to which the connection should be forwarded to.
+		route?: [...{
+			// Destination uniquely identifies the instances of a service to
+			// which the request/connection should be forwarded to.
+			destination: {
+				// The name of a service from the service registry.
+				host: string
+				port?: {
+					number?: uint32
+				}
+
+				// The name of a subset within the service.
+				subset?: string
+			}
+
+			// Weight specifies the relative proportion of traffic to be
+			// forwarded to the destination.
+			weight?: int
+		}]
+	}]
+
+	// An ordered list of route rule for non-terminated TLS & HTTPS
+	// traffic.
+	tls?: [...{
+		// Match conditions to be satisfied for the rule to be activated.
+		match: [...{
+			// IPv4 or IPv6 ip addresses of destination with optional subnet.
+			destinationSubnets?: [...string]
+
+			// Names of gateways where the rule should be applied.
+			gateways?: [...string]
+
+			// Specifies the port on the host that is being addressed.
+			port?: uint32
+
+			// SNI (server name indicator) to match on.
+			sniHosts: [...string]
+
+			// One or more labels that constrain the applicability of a rule
+			// to workloads with the given labels.
+			sourceLabels?: {
+				[string]: string
+			}
+
+			// Source namespace constraining the applicability of a rule to
+			// workloads in that namespace.
+			sourceNamespace?: string
+		}]
+
+		// The destination to which the connection should be forwarded to.
+		route?: [...{
+			// Destination uniquely identifies the instances of a service to
+			// which the request/connection should be forwarded to.
+			destination: {
+				// The name of a service from the service registry.
+				host: string
+				port?: {
+					number?: uint32
+				}
+
+				// The name of a subset within the service.
+				subset?: string
+			}
+
+			// Weight specifies the relative proportion of traffic to be
+			// forwarded to the destination.
+			weight?: int
+		}]
+	}]
+}

internal/generate/platforms/cue.mod/gen/networking.istio.io/virtualservice/v1beta1/types_gen.cue

@@ -0,0 +1,596 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f deploy/clusters/aws2/components/istio-base/istio-base.gen.yaml
+
+package v1beta1
+
+import "strings"
+
+#VirtualService: {
+	// Configuration affecting label/content routing, sni routing,
+	// etc. See more details at:
+	// https://istio.io/docs/reference/config/networking/virtual-service.html
+	spec!:      #VirtualServiceSpec
+	apiVersion: "networking.istio.io/v1beta1"
+	kind:       "VirtualService"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting label/content routing, sni routing,
+// etc. See more details at:
+// https://istio.io/docs/reference/config/networking/virtual-service.html
+#VirtualServiceSpec: {
+	// A list of namespaces to which this virtual service is exported.
+	exportTo?: [...string]
+
+	// The names of gateways and sidecars that should apply these
+	// routes.
+	gateways?: [...string]
+
+	// The destination hosts to which traffic is being sent.
+	hosts?: [...string]
+
+	// An ordered list of route rules for HTTP traffic.
+	http?: [...{
+		// Cross-Origin Resource Sharing policy (CORS).
+		corsPolicy?: {
+			// Indicates whether the caller is allowed to send the actual
+			// request (not the preflight) using credentials.
+			allowCredentials?: null | bool
+
+			// List of HTTP headers that can be used when requesting the
+			// resource.
+			allowHeaders?: [...string]
+
+			// List of HTTP methods allowed to access the resource.
+			allowMethods?: [...string]
+			allowOrigin?: [...string]
+
+			// String patterns that match allowed origins.
+			allowOrigins?: [...({} | {
+				exact: _
+			} | {
+				prefix: _
+			} | {
+				regex: _
+			}) & {
+				exact?:  string
+				prefix?: string
+
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				regex?: string
+			}]
+
+			// A list of HTTP headers that the browsers are allowed to access.
+			exposeHeaders?: [...string]
+
+			// Specifies how long the results of a preflight request can be
+			// cached.
+			maxAge?: string
+		}
+
+		// Delegate is used to specify the particular VirtualService which
+		// can be used to define delegate HTTPRoute.
+		delegate?: {
+			// Name specifies the name of the delegate VirtualService.
+			name?: string
+
+			// Namespace specifies the namespace where the delegate
+			// VirtualService resides.
+			namespace?: string
+		}
+
+		// A HTTP rule can either return a direct_response, redirect or
+		// forward (default) traffic.
+		directResponse?: {
+			// Specifies the content of the response body.
+			body?: ({} | {
+				string: _
+			} | {
+				bytes: _
+			}) & {
+				// response body as base64 encoded bytes.
+				bytes?:  string
+				string?: string
+			}
+
+			// Specifies the HTTP response status to be returned.
+			status: uint32
+		}
+
+		// Fault injection policy to apply on HTTP traffic at the client
+		// side.
+		fault?: {
+			// Abort Http request attempts and return error codes back to
+			// downstream service, giving the impression that the upstream
+			// service is faulty.
+			abort?: ({} | {
+				httpStatus: _
+			} | {
+				grpcStatus: _
+			} | {
+				http2Error: _
+			}) & {
+				// GRPC status code to use to abort the request.
+				grpcStatus?: string
+				http2Error?: string
+
+				// HTTP status code to use to abort the Http request.
+				httpStatus?: int
+				percentage?: {
+					value?: number
+				}
+			}
+
+			// Delay requests before forwarding, emulating various failures
+			// such as network issues, overloaded upstream service, etc.
+			delay?: ({} | {
+				fixedDelay: _
+			} | {
+				exponentialDelay: _
+			}) & {
+				exponentialDelay?: string
+
+				// Add a fixed delay before forwarding the request.
+				fixedDelay?: string
+
+				// Percentage of requests on which the delay will be injected
+				// (0-100).
+				percent?: int
+				percentage?: {
+					value?: number
+				}
+			}
+		}
+		headers?: {
+			request?: {
+				add?: {
+					[string]: string
+				}
+				remove?: [...string]
+				set?: {
+					[string]: string
+				}
+			}
+			response?: {
+				add?: {
+					[string]: string
+				}
+				remove?: [...string]
+				set?: {
+					[string]: string
+				}
+			}
+		}
+
+		// Match conditions to be satisfied for the rule to be activated.
+		match?: [...{
+			// HTTP Authority values are case-sensitive and formatted as
+			// follows: - `exact: "value"` for exact string match - `prefix:
+			// "value"` for prefix-based match - `regex: "value"` for RE2
+			// style regex-based match
+			// (https://github.com/google/re2/wiki/Syntax).
+			authority?: ({} | {
+				exact: _
+			} | {
+				prefix: _
+			} | {
+				regex: _
+			}) & {
+				exact?:  string
+				prefix?: string
+
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				regex?: string
+			}
+
+			// Names of gateways where the rule should be applied.
+			gateways?: [...string]
+
+			// The header keys must be lowercase and use hyphen as the
+			// separator, e.g.
+			headers?: {
+				[string]: ({} | {
+					exact: _
+				} | {
+					prefix: _
+				} | {
+					regex: _
+				}) & {
+					exact?:  string
+					prefix?: string
+
+					// RE2 style regex-based match
+					// (https://github.com/google/re2/wiki/Syntax).
+					regex?: string
+				}
+			}
+
+			// Flag to specify whether the URI matching should be
+			// case-insensitive.
+			ignoreUriCase?: bool
+
+			// HTTP Method values are case-sensitive and formatted as follows:
+			// - `exact: "value"` for exact string match - `prefix: "value"`
+			// for prefix-based match - `regex: "value"` for RE2 style
+			// regex-based match (https://github.com/google/re2/wiki/Syntax).
+			method?: ({} | {
+				exact: _
+			} | {
+				prefix: _
+			} | {
+				regex: _
+			}) & {
+				exact?:  string
+				prefix?: string
+
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				regex?: string
+			}
+
+			// The name assigned to a match.
+			name?: string
+
+			// Specifies the ports on the host that is being addressed.
+			port?: uint32
+
+			// Query parameters for matching.
+			queryParams?: {
+				[string]: ({} | {
+					exact: _
+				} | {
+					prefix: _
+				} | {
+					regex: _
+				}) & {
+					exact?:  string
+					prefix?: string
+
+					// RE2 style regex-based match
+					// (https://github.com/google/re2/wiki/Syntax).
+					regex?: string
+				}
+			}
+
+			// URI Scheme values are case-sensitive and formatted as follows:
+			// - `exact: "value"` for exact string match - `prefix: "value"`
+			// for prefix-based match - `regex: "value"` for RE2 style
+			// regex-based match (https://github.com/google/re2/wiki/Syntax).
+			scheme?: ({} | {
+				exact: _
+			} | {
+				prefix: _
+			} | {
+				regex: _
+			}) & {
+				exact?:  string
+				prefix?: string
+
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				regex?: string
+			}
+
+			// One or more labels that constrain the applicability of a rule
+			// to source (client) workloads with the given labels.
+			sourceLabels?: {
+				[string]: string
+			}
+
+			// Source namespace constraining the applicability of a rule to
+			// workloads in that namespace.
+			sourceNamespace?: string
+
+			// The human readable prefix to use when emitting statistics for
+			// this route.
+			statPrefix?: string
+
+			// URI to match values are case-sensitive and formatted as
+			// follows: - `exact: "value"` for exact string match - `prefix:
+			// "value"` for prefix-based match - `regex: "value"` for RE2
+			// style regex-based match
+			// (https://github.com/google/re2/wiki/Syntax).
+			uri?: ({} | {
+				exact: _
+			} | {
+				prefix: _
+			} | {
+				regex: _
+			}) & {
+				exact?:  string
+				prefix?: string
+
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				regex?: string
+			}
+
+			// withoutHeader has the same syntax with the header, but has
+			// opposite meaning.
+			withoutHeaders?: {
+				[string]: ({} | {
+					exact: _
+				} | {
+					prefix: _
+				} | {
+					regex: _
+				}) & {
+					exact?:  string
+					prefix?: string
+
+					// RE2 style regex-based match
+					// (https://github.com/google/re2/wiki/Syntax).
+					regex?: string
+				}
+			}
+		}]
+
+		// Mirror HTTP traffic to a another destination in addition to
+		// forwarding the requests to the intended destination.
+		mirror?: {
+			// The name of a service from the service registry.
+			host: string
+			port?: {
+				number?: uint32
+			}
+
+			// The name of a subset within the service.
+			subset?: string
+		}
+		mirror_percent?: null | int & <=4294967295 & >=0
+		mirrorPercent?:  null | int & <=4294967295 & >=0
+		mirrorPercentage?: {
+			value?: number
+		}
+
+		// Specifies the destinations to mirror HTTP traffic in addition
+		// to the original destination.
+		mirrors?: [...{
+			// Destination specifies the target of the mirror operation.
+			destination: {
+				// The name of a service from the service registry.
+				host: string
+				port?: {
+					number?: uint32
+				}
+
+				// The name of a subset within the service.
+				subset?: string
+			}
+			percentage?: {
+				value?: number
+			}
+		}]
+
+		// The name assigned to the route for debugging purposes.
+		name?: string
+
+		// A HTTP rule can either return a direct_response, redirect or
+		// forward (default) traffic.
+		redirect?: ({} | {
+			port: _
+		} | {
+			derivePort: _
+		}) & {
+			// On a redirect, overwrite the Authority/Host portion of the URL
+			// with this value.
+			authority?: string
+
+			// On a redirect, dynamically set the port: *
+			// FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and
+			// 443 for HTTPS.
+			//
+			// Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT
+			derivePort?: "FROM_PROTOCOL_DEFAULT" | "FROM_REQUEST_PORT"
+
+			// On a redirect, overwrite the port portion of the URL with this
+			// value.
+			port?: uint32
+
+			// On a redirect, Specifies the HTTP status code to use in the
+			// redirect response.
+			redirectCode?: uint32
+
+			// On a redirect, overwrite the scheme portion of the URL with
+			// this value.
+			scheme?: string
+
+			// On a redirect, overwrite the Path portion of the URL with this
+			// value.
+			uri?: string
+		}
+
+		// Retry policy for HTTP requests.
+		retries?: {
+			// Number of retries to be allowed for a given request.
+			attempts?: int
+
+			// Timeout per attempt for a given request, including the initial
+			// call and any retries.
+			perTryTimeout?: string
+
+			// Specifies the conditions under which retry takes place.
+			retryOn?: string
+
+			// Flag to specify whether the retries should retry to other
+			// localities.
+			retryRemoteLocalities?: null | bool
+		}
+
+		// Rewrite HTTP URIs and Authority headers.
+		rewrite?: {
+			// rewrite the Authority/Host header with this value.
+			authority?: string
+
+			// rewrite the path (or the prefix) portion of the URI with this
+			// value.
+			uri?: string
+
+			// rewrite the path portion of the URI with the specified regex.
+			uriRegexRewrite?: {
+				// RE2 style regex-based match
+				// (https://github.com/google/re2/wiki/Syntax).
+				match?: string
+
+				// The string that should replace into matching portions of
+				// original URI.
+				rewrite?: string
+			}
+		}
+
+		// A HTTP rule can either return a direct_response, redirect or
+		// forward (default) traffic.
+		route?: [...{
+			// Destination uniquely identifies the instances of a service to
+			// which the request/connection should be forwarded to.
+			destination: {
+				// The name of a service from the service registry.
+				host: string
+				port?: {
+					number?: uint32
+				}
+
+				// The name of a subset within the service.
+				subset?: string
+			}
+			headers?: {
+				request?: {
+					add?: {
+						[string]: string
+					}
+					remove?: [...string]
+					set?: {
+						[string]: string
+					}
+				}
+				response?: {
+					add?: {
+						[string]: string
+					}
+					remove?: [...string]
+					set?: {
+						[string]: string
+					}
+				}
+			}
+
+			// Weight specifies the relative proportion of traffic to be
+			// forwarded to the destination.
+			weight?: int
+		}]
+
+		// Timeout for HTTP requests, default is disabled.
+		timeout?: string
+	}]
+
+	// An ordered list of route rules for opaque TCP traffic.
+	tcp?: [...{
+		// Match conditions to be satisfied for the rule to be activated.
+		match?: [...{
+			// IPv4 or IPv6 ip addresses of destination with optional subnet.
+			destinationSubnets?: [...string]
+
+			// Names of gateways where the rule should be applied.
+			gateways?: [...string]
+
+			// Specifies the port on the host that is being addressed.
+			port?: uint32
+
+			// One or more labels that constrain the applicability of a rule
+			// to workloads with the given labels.
+			sourceLabels?: {
+				[string]: string
+			}
+
+			// Source namespace constraining the applicability of a rule to
+			// workloads in that namespace.
+			sourceNamespace?: string
+			sourceSubnet?:    string
+		}]
+
+		// The destination to which the connection should be forwarded to.
+		route?: [...{
+			// Destination uniquely identifies the instances of a service to
+			// which the request/connection should be forwarded to.
+			destination: {
+				// The name of a service from the service registry.
+				host: string
+				port?: {
+					number?: uint32
+				}
+
+				// The name of a subset within the service.
+				subset?: string
+			}
+
+			// Weight specifies the relative proportion of traffic to be
+			// forwarded to the destination.
+			weight?: int
+		}]
+	}]
+
+	// An ordered list of route rule for non-terminated TLS & HTTPS
+	// traffic.
+	tls?: [...{
+		// Match conditions to be satisfied for the rule to be activated.
+		match: [...{
+			// IPv4 or IPv6 ip addresses of destination with optional subnet.
+			destinationSubnets?: [...string]
+
+			// Names of gateways where the rule should be applied.
+			gateways?: [...string]
+
+			// Specifies the port on the host that is being addressed.
+			port?: uint32
+
+			// SNI (server name indicator) to match on.
+			sniHosts: [...string]
+
+			// One or more labels that constrain the applicability of a rule
+			// to workloads with the given labels.
+			sourceLabels?: {
+				[string]: string
+			}
+
+			// Source namespace constraining the applicability of a rule to
+			// workloads in that namespace.
+			sourceNamespace?: string
+		}]
+
+		// The destination to which the connection should be forwarded to.
+		route?: [...{
+			// Destination uniquely identifies the instances of a service to
+			// which the request/connection should be forwarded to.
+			destination: {
+				// The name of a service from the service registry.
+				host: string
+				port?: {
+					number?: uint32
+				}
+
+				// The name of a subset within the service.
+				subset?: string
+			}
+
+			// Weight specifies the relative proportion of traffic to be
+			// forwarded to the destination.
+			weight?: int
+		}]
+	}]
+}

internal/generate/platforms/cue.mod/gen/networking.istio.io/workloadentry/v1/types_gen.cue

@@ -0,0 +1,62 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f deploy/clusters/aws2/components/istio-base/istio-base.gen.yaml
+
+package v1
+
+import "strings"
+
+#WorkloadEntry: {
+	// Configuration affecting VMs onboarded into the mesh. See more
+	// details at:
+	// https://istio.io/docs/reference/config/networking/workload-entry.html
+	spec!:      #WorkloadEntrySpec
+	apiVersion: "networking.istio.io/v1"
+	kind:       "WorkloadEntry"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting VMs onboarded into the mesh. See more
+// details at:
+// https://istio.io/docs/reference/config/networking/workload-entry.html
+#WorkloadEntrySpec: {
+	// Address associated with the network endpoint without the port.
+	address?: string
+
+	// One or more labels associated with the endpoint.
+	labels?: {
+		[string]: string
+	}
+
+	// The locality associated with the endpoint.
+	locality?: string
+
+	// Network enables Istio to group endpoints resident in the same
+	// L3 domain/network.
+	network?: string
+
+	// Set of ports associated with the endpoint.
+	ports?: {
+		[string]: int & <=4294967295 & >=0
+	}
+
+	// The service account associated with the workload if a sidecar
+	// is present in the workload.
+	serviceAccount?: string
+
+	// The load balancing weight associated with the endpoint.
+	weight?: uint32
+}

internal/generate/platforms/cue.mod/gen/networking.istio.io/workloadentry/v1alpha3/types_gen.cue

@@ -0,0 +1,62 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f deploy/clusters/aws2/components/istio-base/istio-base.gen.yaml
+
+package v1alpha3
+
+import "strings"
+
+#WorkloadEntry: {
+	// Configuration affecting VMs onboarded into the mesh. See more
+	// details at:
+	// https://istio.io/docs/reference/config/networking/workload-entry.html
+	spec!:      #WorkloadEntrySpec
+	apiVersion: "networking.istio.io/v1alpha3"
+	kind:       "WorkloadEntry"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting VMs onboarded into the mesh. See more
+// details at:
+// https://istio.io/docs/reference/config/networking/workload-entry.html
+#WorkloadEntrySpec: {
+	// Address associated with the network endpoint without the port.
+	address?: string
+
+	// One or more labels associated with the endpoint.
+	labels?: {
+		[string]: string
+	}
+
+	// The locality associated with the endpoint.
+	locality?: string
+
+	// Network enables Istio to group endpoints resident in the same
+	// L3 domain/network.
+	network?: string
+
+	// Set of ports associated with the endpoint.
+	ports?: {
+		[string]: int & <=4294967295 & >=0
+	}
+
+	// The service account associated with the workload if a sidecar
+	// is present in the workload.
+	serviceAccount?: string
+
+	// The load balancing weight associated with the endpoint.
+	weight?: uint32
+}

internal/generate/platforms/cue.mod/gen/networking.istio.io/workloadentry/v1beta1/types_gen.cue

@@ -0,0 +1,62 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f deploy/clusters/aws2/components/istio-base/istio-base.gen.yaml
+
+package v1beta1
+
+import "strings"
+
+#WorkloadEntry: {
+	// Configuration affecting VMs onboarded into the mesh. See more
+	// details at:
+	// https://istio.io/docs/reference/config/networking/workload-entry.html
+	spec!:      #WorkloadEntrySpec
+	apiVersion: "networking.istio.io/v1beta1"
+	kind:       "WorkloadEntry"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration affecting VMs onboarded into the mesh. See more
+// details at:
+// https://istio.io/docs/reference/config/networking/workload-entry.html
+#WorkloadEntrySpec: {
+	// Address associated with the network endpoint without the port.
+	address?: string
+
+	// One or more labels associated with the endpoint.
+	labels?: {
+		[string]: string
+	}
+
+	// The locality associated with the endpoint.
+	locality?: string
+
+	// Network enables Istio to group endpoints resident in the same
+	// L3 domain/network.
+	network?: string
+
+	// Set of ports associated with the endpoint.
+	ports?: {
+		[string]: int & <=4294967295 & >=0
+	}
+
+	// The service account associated with the workload if a sidecar
+	// is present in the workload.
+	serviceAccount?: string
+
+	// The load balancing weight associated with the endpoint.
+	weight?: uint32
+}

internal/generate/platforms/cue.mod/gen/networking.istio.io/workloadgroup/v1/types_gen.cue

@@ -0,0 +1,138 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f deploy/clusters/aws2/components/istio-base/istio-base.gen.yaml
+
+package v1
+
+import "strings"
+
+#WorkloadGroup: {
+	// `WorkloadGroup` enables specifying the properties of a single
+	// workload for bootstrap and provides a template for
+	// `WorkloadEntry`, similar to how `Deployment` specifies
+	// properties of workloads via `Pod` templates.
+	spec!:      #WorkloadGroupSpec
+	apiVersion: "networking.istio.io/v1"
+	kind:       "WorkloadGroup"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// `WorkloadGroup` enables specifying the properties of a single
+// workload for bootstrap and provides a template for
+// `WorkloadEntry`, similar to how `Deployment` specifies
+// properties of workloads via `Pod` templates.
+#WorkloadGroupSpec: {
+	// Metadata that will be used for all corresponding
+	// `WorkloadEntries`.
+	metadata?: {
+		annotations?: {
+			[string]: string
+		}
+		labels?: {
+			[string]: string
+		}
+	}
+
+	// `ReadinessProbe` describes the configuration the user must
+	// provide for healthchecking on their workload.
+	probe?: ({} | {
+		httpGet: _
+	} | {
+		tcpSocket: _
+	} | {
+		exec: _
+	}) & {
+		exec?: {
+			// Command to run.
+			command?: [...string]
+		}
+
+		// Minimum consecutive failures for the probe to be considered
+		// failed after having succeeded.
+		failureThreshold?: int
+
+		// `httpGet` is performed to a given endpoint and the status/able
+		// to connect determines health.
+		httpGet?: {
+			// Host name to connect to, defaults to the pod IP.
+			host?: string
+
+			// Headers the proxy will pass on to make the request.
+			httpHeaders?: [...{
+				name?:  string
+				value?: string
+			}]
+
+			// Path to access on the HTTP server.
+			path?: string
+
+			// Port on which the endpoint lives.
+			port:    uint32
+			scheme?: string
+		}
+
+		// Number of seconds after the container has started before
+		// readiness probes are initiated.
+		initialDelaySeconds?: int
+
+		// How often (in seconds) to perform the probe.
+		periodSeconds?: int
+
+		// Minimum consecutive successes for the probe to be considered
+		// successful after having failed.
+		successThreshold?: int
+
+		// Health is determined by if the proxy is able to connect.
+		tcpSocket?: {
+			host?: string
+			port:  uint32
+		}
+
+		// Number of seconds after which the probe times out.
+		timeoutSeconds?: int
+	}
+
+	// Template to be used for the generation of `WorkloadEntry`
+	// resources that belong to this `WorkloadGroup`.
+	template: {
+		// Address associated with the network endpoint without the port.
+		address?: string
+
+		// One or more labels associated with the endpoint.
+		labels?: {
+			[string]: string
+		}
+
+		// The locality associated with the endpoint.
+		locality?: string
+
+		// Network enables Istio to group endpoints resident in the same
+		// L3 domain/network.
+		network?: string
+
+		// Set of ports associated with the endpoint.
+		ports?: {
+			[string]: int & <=4294967295 & >=0
+		}
+
+		// The service account associated with the workload if a sidecar
+		// is present in the workload.
+		serviceAccount?: string
+
+		// The load balancing weight associated with the endpoint.
+		weight?: uint32
+	}
+}

internal/generate/platforms/cue.mod/gen/networking.istio.io/workloadgroup/v1alpha3/types_gen.cue

@@ -0,0 +1,136 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f deploy/clusters/aws2/components/istio-base/istio-base.gen.yaml
+
+package v1alpha3
+
+import "strings"
+
+#WorkloadGroup: {
+	// Describes a collection of workload instances. See more details
+	// at:
+	// https://istio.io/docs/reference/config/networking/workload-group.html
+	spec!:      #WorkloadGroupSpec
+	apiVersion: "networking.istio.io/v1alpha3"
+	kind:       "WorkloadGroup"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Describes a collection of workload instances. See more details
+// at:
+// https://istio.io/docs/reference/config/networking/workload-group.html
+#WorkloadGroupSpec: {
+	// Metadata that will be used for all corresponding
+	// `WorkloadEntries`.
+	metadata?: {
+		annotations?: {
+			[string]: string
+		}
+		labels?: {
+			[string]: string
+		}
+	}
+
+	// `ReadinessProbe` describes the configuration the user must
+	// provide for healthchecking on their workload.
+	probe?: ({} | {
+		httpGet: _
+	} | {
+		tcpSocket: _
+	} | {
+		exec: _
+	}) & {
+		exec?: {
+			// Command to run.
+			command?: [...string]
+		}
+
+		// Minimum consecutive failures for the probe to be considered
+		// failed after having succeeded.
+		failureThreshold?: int
+
+		// `httpGet` is performed to a given endpoint and the status/able
+		// to connect determines health.
+		httpGet?: {
+			// Host name to connect to, defaults to the pod IP.
+			host?: string
+
+			// Headers the proxy will pass on to make the request.
+			httpHeaders?: [...{
+				name?:  string
+				value?: string
+			}]
+
+			// Path to access on the HTTP server.
+			path?: string
+
+			// Port on which the endpoint lives.
+			port:    uint32
+			scheme?: string
+		}
+
+		// Number of seconds after the container has started before
+		// readiness probes are initiated.
+		initialDelaySeconds?: int
+
+		// How often (in seconds) to perform the probe.
+		periodSeconds?: int
+
+		// Minimum consecutive successes for the probe to be considered
+		// successful after having failed.
+		successThreshold?: int
+
+		// Health is determined by if the proxy is able to connect.
+		tcpSocket?: {
+			host?: string
+			port:  uint32
+		}
+
+		// Number of seconds after which the probe times out.
+		timeoutSeconds?: int
+	}
+
+	// Template to be used for the generation of `WorkloadEntry`
+	// resources that belong to this `WorkloadGroup`.
+	template: {
+		// Address associated with the network endpoint without the port.
+		address?: string
+
+		// One or more labels associated with the endpoint.
+		labels?: {
+			[string]: string
+		}
+
+		// The locality associated with the endpoint.
+		locality?: string
+
+		// Network enables Istio to group endpoints resident in the same
+		// L3 domain/network.
+		network?: string
+
+		// Set of ports associated with the endpoint.
+		ports?: {
+			[string]: int & <=4294967295 & >=0
+		}
+
+		// The service account associated with the workload if a sidecar
+		// is present in the workload.
+		serviceAccount?: string
+
+		// The load balancing weight associated with the endpoint.
+		weight?: uint32
+	}
+}

internal/generate/platforms/cue.mod/gen/networking.istio.io/workloadgroup/v1beta1/types_gen.cue

@@ -0,0 +1,138 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f deploy/clusters/aws2/components/istio-base/istio-base.gen.yaml
+
+package v1beta1
+
+import "strings"
+
+#WorkloadGroup: {
+	// `WorkloadGroup` enables specifying the properties of a single
+	// workload for bootstrap and provides a template for
+	// `WorkloadEntry`, similar to how `Deployment` specifies
+	// properties of workloads via `Pod` templates.
+	spec!:      #WorkloadGroupSpec
+	apiVersion: "networking.istio.io/v1beta1"
+	kind:       "WorkloadGroup"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// `WorkloadGroup` enables specifying the properties of a single
+// workload for bootstrap and provides a template for
+// `WorkloadEntry`, similar to how `Deployment` specifies
+// properties of workloads via `Pod` templates.
+#WorkloadGroupSpec: {
+	// Metadata that will be used for all corresponding
+	// `WorkloadEntries`.
+	metadata?: {
+		annotations?: {
+			[string]: string
+		}
+		labels?: {
+			[string]: string
+		}
+	}
+
+	// `ReadinessProbe` describes the configuration the user must
+	// provide for healthchecking on their workload.
+	probe?: ({} | {
+		httpGet: _
+	} | {
+		tcpSocket: _
+	} | {
+		exec: _
+	}) & {
+		exec?: {
+			// Command to run.
+			command?: [...string]
+		}
+
+		// Minimum consecutive failures for the probe to be considered
+		// failed after having succeeded.
+		failureThreshold?: int
+
+		// `httpGet` is performed to a given endpoint and the status/able
+		// to connect determines health.
+		httpGet?: {
+			// Host name to connect to, defaults to the pod IP.
+			host?: string
+
+			// Headers the proxy will pass on to make the request.
+			httpHeaders?: [...{
+				name?:  string
+				value?: string
+			}]
+
+			// Path to access on the HTTP server.
+			path?: string
+
+			// Port on which the endpoint lives.
+			port:    uint32
+			scheme?: string
+		}
+
+		// Number of seconds after the container has started before
+		// readiness probes are initiated.
+		initialDelaySeconds?: int
+
+		// How often (in seconds) to perform the probe.
+		periodSeconds?: int
+
+		// Minimum consecutive successes for the probe to be considered
+		// successful after having failed.
+		successThreshold?: int
+
+		// Health is determined by if the proxy is able to connect.
+		tcpSocket?: {
+			host?: string
+			port:  uint32
+		}
+
+		// Number of seconds after which the probe times out.
+		timeoutSeconds?: int
+	}
+
+	// Template to be used for the generation of `WorkloadEntry`
+	// resources that belong to this `WorkloadGroup`.
+	template: {
+		// Address associated with the network endpoint without the port.
+		address?: string
+
+		// One or more labels associated with the endpoint.
+		labels?: {
+			[string]: string
+		}
+
+		// The locality associated with the endpoint.
+		locality?: string
+
+		// Network enables Istio to group endpoints resident in the same
+		// L3 domain/network.
+		network?: string
+
+		// Set of ports associated with the endpoint.
+		ports?: {
+			[string]: int & <=4294967295 & >=0
+		}
+
+		// The service account associated with the workload if a sidecar
+		// is present in the workload.
+		serviceAccount?: string
+
+		// The load balancing weight associated with the endpoint.
+		weight?: uint32
+	}
+}

internal/generate/platforms/cue.mod/gen/pkg.crossplane.io/function/v1beta1/types_gen.cue

@@ -0,0 +1,132 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://raw.githubusercontent.com/crossplane/crossplane/v1.16.0/cluster/crds/pkg.crossplane.io_functions.yaml
+
+package v1beta1
+
+import "strings"
+
+// A Function installs an OCI compatible Crossplane package,
+// extending
+// Crossplane with support for a new kind of composition function.
+//
+//
+// Read the Crossplane documentation for
+// [more information about
+// Functions](https://docs.crossplane.io/latest/concepts/composition-functions).
+#Function: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object.
+	// Servers should convert recognized schemas to the latest
+	// internal value, and
+	// may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "pkg.crossplane.io/v1beta1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents.
+	// Servers may infer this from the endpoint the client submits
+	// requests to.
+	// Cannot be updated.
+	// In CamelCase.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Function"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// FunctionSpec specifies the configuration of a Function.
+	spec!: #FunctionSpec
+}
+
+// FunctionSpec specifies the configuration of a Function.
+#FunctionSpec: {
+	// Map of string keys and values that can be used to organize and
+	// categorize
+	// (scope and select) objects. May match selectors of replication
+	// controllers
+	// and services.
+	// More info:
+	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+	commonLabels?: {
+		[string]: string
+	}
+	controllerConfigRef?: {
+		// Name of the ControllerConfig.
+		name: string
+	}
+
+	// IgnoreCrossplaneConstraints indicates to the package manager
+	// whether to
+	// honor Crossplane version constrains specified by the package.
+	// Default is false.
+	ignoreCrossplaneConstraints?: bool | *false
+
+	// Package is the name of the package that is being requested.
+	package: string
+
+	// PackagePullPolicy defines the pull policy for the package.
+	// Default is IfNotPresent.
+	packagePullPolicy?: string | *"IfNotPresent"
+
+	// PackagePullSecrets are named secrets in the same namespace that
+	// can be used
+	// to fetch packages from private registries.
+	packagePullSecrets?: [...{
+		// Name of the referent.
+		// More info:
+		// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+		// TODO: Add other useful fields. apiVersion, kind, uid?
+		name?: string
+	}]
+
+	// RevisionActivationPolicy specifies how the package controller
+	// should
+	// update from one revision to the next. Options are Automatic or
+	// Manual.
+	// Default is Automatic.
+	revisionActivationPolicy?: string | *"Automatic"
+
+	// RevisionHistoryLimit dictates how the package controller cleans
+	// up old
+	// inactive package revisions.
+	// Defaults to 1. Can be disabled by explicitly setting to 0.
+	revisionHistoryLimit?: int | *1
+
+	// RuntimeConfigRef references a RuntimeConfig resource that will
+	// be used
+	// to configure the package runtime.
+	runtimeConfigRef?: {
+		// API version of the referent.
+		apiVersion?: string | *"pkg.crossplane.io/v1beta1"
+
+		// Kind of the referent.
+		kind?: string | *"DeploymentRuntimeConfig"
+
+		// Name of the RuntimeConfig.
+		name: string
+	} | *{
+		name: "default"
+	}
+
+	// SkipDependencyResolution indicates to the package manager
+	// whether to skip
+	// resolving dependencies for a package. Setting this value to
+	// true may have
+	// unintended consequences.
+	// Default is false.
+	skipDependencyResolution?: bool | *false
+}

internal/generate/platforms/cue.mod/gen/pkg.crossplane.io/provider/v1/types_gen.cue

@@ -0,0 +1,136 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://raw.githubusercontent.com/crossplane/crossplane/v1.16.0/cluster/crds/pkg.crossplane.io_providers.yaml
+
+package v1
+
+import "strings"
+
+// A Provider installs an OCI compatible Crossplane package,
+// extending
+// Crossplane with support for new kinds of managed resources.
+//
+//
+// Read the Crossplane documentation for
+// [more information about
+// Providers](https://docs.crossplane.io/latest/concepts/providers).
+#Provider: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object.
+	// Servers should convert recognized schemas to the latest
+	// internal value, and
+	// may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "pkg.crossplane.io/v1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents.
+	// Servers may infer this from the endpoint the client submits
+	// requests to.
+	// Cannot be updated.
+	// In CamelCase.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Provider"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// ProviderSpec specifies details about a request to install a
+	// provider to
+	// Crossplane.
+	spec!: #ProviderSpec
+}
+
+// ProviderSpec specifies details about a request to install a
+// provider to
+// Crossplane.
+#ProviderSpec: {
+	// Map of string keys and values that can be used to organize and
+	// categorize
+	// (scope and select) objects. May match selectors of replication
+	// controllers
+	// and services.
+	// More info:
+	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+	commonLabels?: {
+		[string]: string
+	}
+	controllerConfigRef?: {
+		// Name of the ControllerConfig.
+		name: string
+	}
+
+	// IgnoreCrossplaneConstraints indicates to the package manager
+	// whether to
+	// honor Crossplane version constrains specified by the package.
+	// Default is false.
+	ignoreCrossplaneConstraints?: bool | *false
+
+	// Package is the name of the package that is being requested.
+	package: string
+
+	// PackagePullPolicy defines the pull policy for the package.
+	// Default is IfNotPresent.
+	packagePullPolicy?: string | *"IfNotPresent"
+
+	// PackagePullSecrets are named secrets in the same namespace that
+	// can be used
+	// to fetch packages from private registries.
+	packagePullSecrets?: [...{
+		// Name of the referent.
+		// More info:
+		// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+		// TODO: Add other useful fields. apiVersion, kind, uid?
+		name?: string
+	}]
+
+	// RevisionActivationPolicy specifies how the package controller
+	// should
+	// update from one revision to the next. Options are Automatic or
+	// Manual.
+	// Default is Automatic.
+	revisionActivationPolicy?: string | *"Automatic"
+
+	// RevisionHistoryLimit dictates how the package controller cleans
+	// up old
+	// inactive package revisions.
+	// Defaults to 1. Can be disabled by explicitly setting to 0.
+	revisionHistoryLimit?: int | *1
+
+	// RuntimeConfigRef references a RuntimeConfig resource that will
+	// be used
+	// to configure the package runtime.
+	runtimeConfigRef?: {
+		// API version of the referent.
+		apiVersion?: string | *"pkg.crossplane.io/v1beta1"
+
+		// Kind of the referent.
+		kind?: string | *"DeploymentRuntimeConfig"
+
+		// Name of the RuntimeConfig.
+		name: string
+	} | *{
+		name: "default"
+	}
+
+	// SkipDependencyResolution indicates to the package manager
+	// whether to skip
+	// resolving dependencies for a package. Setting this value to
+	// true may have
+	// unintended consequences.
+	// Default is false.
+	skipDependencyResolution?: bool | *false
+}

internal/generate/platforms/cue.mod/gen/postgres-operator.crunchydata.com/pgadmin/v1beta1/types_gen.cue

@@ -0,0 +1,975 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f deploy/clusters/aws1/components/postgres-crds/postgres-crds.gen.yaml
+
+package v1beta1
+
+import "strings"
+
+// PGAdmin is the Schema for the pgadmins API
+#PGAdmin: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "postgres-operator.crunchydata.com/v1beta1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "PGAdmin"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// PGAdminSpec defines the desired state of PGAdmin
+	spec!: #PGAdminSpec
+}
+
+// PGAdminSpec defines the desired state of PGAdmin
+#PGAdminSpec: {
+	// Scheduling constraints of the PGAdmin pod. More info:
+	// https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node
+	affinity?: {
+		// Describes node affinity scheduling rules for the pod.
+		nodeAffinity?: {
+			// The scheduler will prefer to schedule pods to nodes that
+			// satisfy the affinity expressions specified by this field, but
+			// it may choose a node that violates one or more of the
+			// expressions. The node that is most preferred is the one with
+			// the greatest sum of weights, i.e. for each node that meets all
+			// of the scheduling requirements (resource request,
+			// requiredDuringScheduling affinity expressions, etc.), compute
+			// a sum by iterating through the elements of this field and
+			// adding "weight" to the sum if the node matches the
+			// corresponding matchExpressions; the node(s) with the highest
+			// sum are the most preferred.
+			preferredDuringSchedulingIgnoredDuringExecution?: [...{
+				// A node selector term, associated with the corresponding weight.
+				preference: {
+					// A list of node selector requirements by node's labels.
+					matchExpressions?: [...{
+						// The label key that the selector applies to.
+						key: string
+
+						// Represents a key's relationship to a set of values. Valid
+						// operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+						operator: string
+
+						// An array of string values. If the operator is In or NotIn, the
+						// values array must be non-empty. If the operator is Exists or
+						// DoesNotExist, the values array must be empty. If the operator
+						// is Gt or Lt, the values array must have a single element,
+						// which will be interpreted as an integer. This array is
+						// replaced during a strategic merge patch.
+						values?: [...string]
+					}]
+
+					// A list of node selector requirements by node's fields.
+					matchFields?: [...{
+						// The label key that the selector applies to.
+						key: string
+
+						// Represents a key's relationship to a set of values. Valid
+						// operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+						operator: string
+
+						// An array of string values. If the operator is In or NotIn, the
+						// values array must be non-empty. If the operator is Exists or
+						// DoesNotExist, the values array must be empty. If the operator
+						// is Gt or Lt, the values array must have a single element,
+						// which will be interpreted as an integer. This array is
+						// replaced during a strategic merge patch.
+						values?: [...string]
+					}]
+				}
+
+				// Weight associated with matching the corresponding
+				// nodeSelectorTerm, in the range 1-100.
+				weight: int
+			}]
+			requiredDuringSchedulingIgnoredDuringExecution?: {
+				// Required. A list of node selector terms. The terms are ORed.
+				nodeSelectorTerms: [...{
+					// A list of node selector requirements by node's labels.
+					matchExpressions?: [...{
+						// The label key that the selector applies to.
+						key: string
+
+						// Represents a key's relationship to a set of values. Valid
+						// operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+						operator: string
+
+						// An array of string values. If the operator is In or NotIn, the
+						// values array must be non-empty. If the operator is Exists or
+						// DoesNotExist, the values array must be empty. If the operator
+						// is Gt or Lt, the values array must have a single element,
+						// which will be interpreted as an integer. This array is
+						// replaced during a strategic merge patch.
+						values?: [...string]
+					}]
+
+					// A list of node selector requirements by node's fields.
+					matchFields?: [...{
+						// The label key that the selector applies to.
+						key: string
+
+						// Represents a key's relationship to a set of values. Valid
+						// operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+						operator: string
+
+						// An array of string values. If the operator is In or NotIn, the
+						// values array must be non-empty. If the operator is Exists or
+						// DoesNotExist, the values array must be empty. If the operator
+						// is Gt or Lt, the values array must have a single element,
+						// which will be interpreted as an integer. This array is
+						// replaced during a strategic merge patch.
+						values?: [...string]
+					}]
+				}]
+			}
+		}
+
+		// Describes pod affinity scheduling rules (e.g. co-locate this
+		// pod in the same node, zone, etc. as some other pod(s)).
+		podAffinity?: {
+			// The scheduler will prefer to schedule pods to nodes that
+			// satisfy the affinity expressions specified by this field, but
+			// it may choose a node that violates one or more of the
+			// expressions. The node that is most preferred is the one with
+			// the greatest sum of weights, i.e. for each node that meets all
+			// of the scheduling requirements (resource request,
+			// requiredDuringScheduling affinity expressions, etc.), compute
+			// a sum by iterating through the elements of this field and
+			// adding "weight" to the sum if the node has pods which matches
+			// the corresponding podAffinityTerm; the node(s) with the
+			// highest sum are the most preferred.
+			preferredDuringSchedulingIgnoredDuringExecution?: [...{
+				// Required. A pod affinity term, associated with the
+				// corresponding weight.
+				podAffinityTerm: {
+					// A label query over a set of resources, in this case pods.
+					labelSelector?: {
+						// matchExpressions is a list of label selector requirements. The
+						// requirements are ANDed.
+						matchExpressions?: [...{
+							// key is the label key that the selector applies to.
+							key: string
+
+							// operator represents a key's relationship to a set of values.
+							// Valid operators are In, NotIn, Exists and DoesNotExist.
+							operator: string
+
+							// values is an array of string values. If the operator is In or
+							// NotIn, the values array must be non-empty. If the operator is
+							// Exists or DoesNotExist, the values array must be empty. This
+							// array is replaced during a strategic merge patch.
+							values?: [...string]
+						}]
+
+						// matchLabels is a map of {key,value} pairs. A single {key,value}
+						// in the matchLabels map is equivalent to an element of
+						// matchExpressions, whose key field is "key", the operator is
+						// "In", and the values array contains only "value". The
+						// requirements are ANDed.
+						matchLabels?: {
+							[string]: string
+						}
+					}
+
+					// A label query over the set of namespaces that the term applies
+					// to. The term is applied to the union of the namespaces
+					// selected by this field and the ones listed in the namespaces
+					// field. null selector and null or empty namespaces list means
+					// "this pod's namespace". An empty selector ({}) matches all
+					// namespaces.
+					namespaceSelector?: {
+						// matchExpressions is a list of label selector requirements. The
+						// requirements are ANDed.
+						matchExpressions?: [...{
+							// key is the label key that the selector applies to.
+							key: string
+
+							// operator represents a key's relationship to a set of values.
+							// Valid operators are In, NotIn, Exists and DoesNotExist.
+							operator: string
+
+							// values is an array of string values. If the operator is In or
+							// NotIn, the values array must be non-empty. If the operator is
+							// Exists or DoesNotExist, the values array must be empty. This
+							// array is replaced during a strategic merge patch.
+							values?: [...string]
+						}]
+
+						// matchLabels is a map of {key,value} pairs. A single {key,value}
+						// in the matchLabels map is equivalent to an element of
+						// matchExpressions, whose key field is "key", the operator is
+						// "In", and the values array contains only "value". The
+						// requirements are ANDed.
+						matchLabels?: {
+							[string]: string
+						}
+					}
+
+					// namespaces specifies a static list of namespace names that the
+					// term applies to. The term is applied to the union of the
+					// namespaces listed in this field and the ones selected by
+					// namespaceSelector. null or empty namespaces list and null
+					// namespaceSelector means "this pod's namespace".
+					namespaces?: [...string]
+
+					// This pod should be co-located (affinity) or not co-located
+					// (anti-affinity) with the pods matching the labelSelector in
+					// the specified namespaces, where co-located is defined as
+					// running on a node whose value of the label with key
+					// topologyKey matches that of any node on which any of the
+					// selected pods is running. Empty topologyKey is not allowed.
+					topologyKey: string
+				}
+
+				// weight associated with matching the corresponding
+				// podAffinityTerm, in the range 1-100.
+				weight: int
+			}]
+
+			// If the affinity requirements specified by this field are not
+			// met at scheduling time, the pod will not be scheduled onto the
+			// node. If the affinity requirements specified by this field
+			// cease to be met at some point during pod execution (e.g. due
+			// to a pod label update), the system may or may not try to
+			// eventually evict the pod from its node. When there are
+			// multiple elements, the lists of nodes corresponding to each
+			// podAffinityTerm are intersected, i.e. all terms must be
+			// satisfied.
+			requiredDuringSchedulingIgnoredDuringExecution?: [...{
+				// A label query over a set of resources, in this case pods.
+				labelSelector?: {
+					// matchExpressions is a list of label selector requirements. The
+					// requirements are ANDed.
+					matchExpressions?: [...{
+						// key is the label key that the selector applies to.
+						key: string
+
+						// operator represents a key's relationship to a set of values.
+						// Valid operators are In, NotIn, Exists and DoesNotExist.
+						operator: string
+
+						// values is an array of string values. If the operator is In or
+						// NotIn, the values array must be non-empty. If the operator is
+						// Exists or DoesNotExist, the values array must be empty. This
+						// array is replaced during a strategic merge patch.
+						values?: [...string]
+					}]
+
+					// matchLabels is a map of {key,value} pairs. A single {key,value}
+					// in the matchLabels map is equivalent to an element of
+					// matchExpressions, whose key field is "key", the operator is
+					// "In", and the values array contains only "value". The
+					// requirements are ANDed.
+					matchLabels?: {
+						[string]: string
+					}
+				}
+
+				// A label query over the set of namespaces that the term applies
+				// to. The term is applied to the union of the namespaces
+				// selected by this field and the ones listed in the namespaces
+				// field. null selector and null or empty namespaces list means
+				// "this pod's namespace". An empty selector ({}) matches all
+				// namespaces.
+				namespaceSelector?: {
+					// matchExpressions is a list of label selector requirements. The
+					// requirements are ANDed.
+					matchExpressions?: [...{
+						// key is the label key that the selector applies to.
+						key: string
+
+						// operator represents a key's relationship to a set of values.
+						// Valid operators are In, NotIn, Exists and DoesNotExist.
+						operator: string
+
+						// values is an array of string values. If the operator is In or
+						// NotIn, the values array must be non-empty. If the operator is
+						// Exists or DoesNotExist, the values array must be empty. This
+						// array is replaced during a strategic merge patch.
+						values?: [...string]
+					}]
+
+					// matchLabels is a map of {key,value} pairs. A single {key,value}
+					// in the matchLabels map is equivalent to an element of
+					// matchExpressions, whose key field is "key", the operator is
+					// "In", and the values array contains only "value". The
+					// requirements are ANDed.
+					matchLabels?: {
+						[string]: string
+					}
+				}
+
+				// namespaces specifies a static list of namespace names that the
+				// term applies to. The term is applied to the union of the
+				// namespaces listed in this field and the ones selected by
+				// namespaceSelector. null or empty namespaces list and null
+				// namespaceSelector means "this pod's namespace".
+				namespaces?: [...string]
+
+				// This pod should be co-located (affinity) or not co-located
+				// (anti-affinity) with the pods matching the labelSelector in
+				// the specified namespaces, where co-located is defined as
+				// running on a node whose value of the label with key
+				// topologyKey matches that of any node on which any of the
+				// selected pods is running. Empty topologyKey is not allowed.
+				topologyKey: string
+			}]
+		}
+
+		// Describes pod anti-affinity scheduling rules (e.g. avoid
+		// putting this pod in the same node, zone, etc. as some other
+		// pod(s)).
+		podAntiAffinity?: {
+			// The scheduler will prefer to schedule pods to nodes that
+			// satisfy the anti-affinity expressions specified by this field,
+			// but it may choose a node that violates one or more of the
+			// expressions. The node that is most preferred is the one with
+			// the greatest sum of weights, i.e. for each node that meets all
+			// of the scheduling requirements (resource request,
+			// requiredDuringScheduling anti-affinity expressions, etc.),
+			// compute a sum by iterating through the elements of this field
+			// and adding "weight" to the sum if the node has pods which
+			// matches the corresponding podAffinityTerm; the node(s) with
+			// the highest sum are the most preferred.
+			preferredDuringSchedulingIgnoredDuringExecution?: [...{
+				// Required. A pod affinity term, associated with the
+				// corresponding weight.
+				podAffinityTerm: {
+					// A label query over a set of resources, in this case pods.
+					labelSelector?: {
+						// matchExpressions is a list of label selector requirements. The
+						// requirements are ANDed.
+						matchExpressions?: [...{
+							// key is the label key that the selector applies to.
+							key: string
+
+							// operator represents a key's relationship to a set of values.
+							// Valid operators are In, NotIn, Exists and DoesNotExist.
+							operator: string
+
+							// values is an array of string values. If the operator is In or
+							// NotIn, the values array must be non-empty. If the operator is
+							// Exists or DoesNotExist, the values array must be empty. This
+							// array is replaced during a strategic merge patch.
+							values?: [...string]
+						}]
+
+						// matchLabels is a map of {key,value} pairs. A single {key,value}
+						// in the matchLabels map is equivalent to an element of
+						// matchExpressions, whose key field is "key", the operator is
+						// "In", and the values array contains only "value". The
+						// requirements are ANDed.
+						matchLabels?: {
+							[string]: string
+						}
+					}
+
+					// A label query over the set of namespaces that the term applies
+					// to. The term is applied to the union of the namespaces
+					// selected by this field and the ones listed in the namespaces
+					// field. null selector and null or empty namespaces list means
+					// "this pod's namespace". An empty selector ({}) matches all
+					// namespaces.
+					namespaceSelector?: {
+						// matchExpressions is a list of label selector requirements. The
+						// requirements are ANDed.
+						matchExpressions?: [...{
+							// key is the label key that the selector applies to.
+							key: string
+
+							// operator represents a key's relationship to a set of values.
+							// Valid operators are In, NotIn, Exists and DoesNotExist.
+							operator: string
+
+							// values is an array of string values. If the operator is In or
+							// NotIn, the values array must be non-empty. If the operator is
+							// Exists or DoesNotExist, the values array must be empty. This
+							// array is replaced during a strategic merge patch.
+							values?: [...string]
+						}]
+
+						// matchLabels is a map of {key,value} pairs. A single {key,value}
+						// in the matchLabels map is equivalent to an element of
+						// matchExpressions, whose key field is "key", the operator is
+						// "In", and the values array contains only "value". The
+						// requirements are ANDed.
+						matchLabels?: {
+							[string]: string
+						}
+					}
+
+					// namespaces specifies a static list of namespace names that the
+					// term applies to. The term is applied to the union of the
+					// namespaces listed in this field and the ones selected by
+					// namespaceSelector. null or empty namespaces list and null
+					// namespaceSelector means "this pod's namespace".
+					namespaces?: [...string]
+
+					// This pod should be co-located (affinity) or not co-located
+					// (anti-affinity) with the pods matching the labelSelector in
+					// the specified namespaces, where co-located is defined as
+					// running on a node whose value of the label with key
+					// topologyKey matches that of any node on which any of the
+					// selected pods is running. Empty topologyKey is not allowed.
+					topologyKey: string
+				}
+
+				// weight associated with matching the corresponding
+				// podAffinityTerm, in the range 1-100.
+				weight: int
+			}]
+
+			// If the anti-affinity requirements specified by this field are
+			// not met at scheduling time, the pod will not be scheduled onto
+			// the node. If the anti-affinity requirements specified by this
+			// field cease to be met at some point during pod execution (e.g.
+			// due to a pod label update), the system may or may not try to
+			// eventually evict the pod from its node. When there are
+			// multiple elements, the lists of nodes corresponding to each
+			// podAffinityTerm are intersected, i.e. all terms must be
+			// satisfied.
+			requiredDuringSchedulingIgnoredDuringExecution?: [...{
+				// A label query over a set of resources, in this case pods.
+				labelSelector?: {
+					// matchExpressions is a list of label selector requirements. The
+					// requirements are ANDed.
+					matchExpressions?: [...{
+						// key is the label key that the selector applies to.
+						key: string
+
+						// operator represents a key's relationship to a set of values.
+						// Valid operators are In, NotIn, Exists and DoesNotExist.
+						operator: string
+
+						// values is an array of string values. If the operator is In or
+						// NotIn, the values array must be non-empty. If the operator is
+						// Exists or DoesNotExist, the values array must be empty. This
+						// array is replaced during a strategic merge patch.
+						values?: [...string]
+					}]
+
+					// matchLabels is a map of {key,value} pairs. A single {key,value}
+					// in the matchLabels map is equivalent to an element of
+					// matchExpressions, whose key field is "key", the operator is
+					// "In", and the values array contains only "value". The
+					// requirements are ANDed.
+					matchLabels?: {
+						[string]: string
+					}
+				}
+
+				// A label query over the set of namespaces that the term applies
+				// to. The term is applied to the union of the namespaces
+				// selected by this field and the ones listed in the namespaces
+				// field. null selector and null or empty namespaces list means
+				// "this pod's namespace". An empty selector ({}) matches all
+				// namespaces.
+				namespaceSelector?: {
+					// matchExpressions is a list of label selector requirements. The
+					// requirements are ANDed.
+					matchExpressions?: [...{
+						// key is the label key that the selector applies to.
+						key: string
+
+						// operator represents a key's relationship to a set of values.
+						// Valid operators are In, NotIn, Exists and DoesNotExist.
+						operator: string
+
+						// values is an array of string values. If the operator is In or
+						// NotIn, the values array must be non-empty. If the operator is
+						// Exists or DoesNotExist, the values array must be empty. This
+						// array is replaced during a strategic merge patch.
+						values?: [...string]
+					}]
+
+					// matchLabels is a map of {key,value} pairs. A single {key,value}
+					// in the matchLabels map is equivalent to an element of
+					// matchExpressions, whose key field is "key", the operator is
+					// "In", and the values array contains only "value". The
+					// requirements are ANDed.
+					matchLabels?: {
+						[string]: string
+					}
+				}
+
+				// namespaces specifies a static list of namespace names that the
+				// term applies to. The term is applied to the union of the
+				// namespaces listed in this field and the ones selected by
+				// namespaceSelector. null or empty namespaces list and null
+				// namespaceSelector means "this pod's namespace".
+				namespaces?: [...string]
+
+				// This pod should be co-located (affinity) or not co-located
+				// (anti-affinity) with the pods matching the labelSelector in
+				// the specified namespaces, where co-located is defined as
+				// running on a node whose value of the label with key
+				// topologyKey matches that of any node on which any of the
+				// selected pods is running. Empty topologyKey is not allowed.
+				topologyKey: string
+			}]
+		}
+	}
+
+	// Configuration settings for the pgAdmin process. Changes to any
+	// of these values will be loaded without validation. Be careful,
+	// as you may put pgAdmin into an unusable state.
+	config?: {
+		// Files allows the user to mount projected volumes into the
+		// pgAdmin container so that files can be referenced by pgAdmin
+		// as needed.
+		files?: [...{
+			// configMap information about the configMap data to project
+			configMap?: {
+				// items if unspecified, each key-value pair in the Data field of
+				// the referenced ConfigMap will be projected into the volume as
+				// a file whose name is the key and content is the value. If
+				// specified, the listed keys will be projected into the
+				// specified paths, and unlisted keys will not be present. If a
+				// key is specified which is not present in the ConfigMap, the
+				// volume setup will error unless it is marked optional. Paths
+				// must be relative and may not contain the '..' path or start
+				// with '..'.
+				items?: [...{
+					// key is the key to project.
+					key: string
+
+					// mode is Optional: mode bits used to set permissions on this
+					// file. Must be an octal value between 0000 and 0777 or a
+					// decimal value between 0 and 511. YAML accepts both octal and
+					// decimal values, JSON requires decimal values for mode bits. If
+					// not specified, the volume defaultMode will be used. This might
+					// be in conflict with other options that affect the file mode,
+					// like fsGroup, and the result can be other mode bits set.
+					mode?: int
+
+					// path is the relative path of the file to map the key to. May
+					// not be an absolute path. May not contain the path element
+					// '..'. May not start with the string '..'.
+					path: string
+				}]
+
+				// Name of the referent. More info:
+				// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+				name?: string
+
+				// optional specify whether the ConfigMap or its keys must be
+				// defined
+				optional?: bool
+			}
+			downwardAPI?: {
+				// Items is a list of DownwardAPIVolume file
+				items?: [...{
+					// Required: Selects a field of the pod: only annotations, labels,
+					// name and namespace are supported.
+					fieldRef?: {
+						// Version of the schema the FieldPath is written in terms of,
+						// defaults to "v1".
+						apiVersion?: string
+
+						// Path of the field to select in the specified API version.
+						fieldPath: string
+					}
+
+					// Optional: mode bits used to set permissions on this file, must
+					// be an octal value between 0000 and 0777 or a decimal value
+					// between 0 and 511. YAML accepts both octal and decimal values,
+					// JSON requires decimal values for mode bits. If not specified,
+					// the volume defaultMode will be used. This might be in conflict
+					// with other options that affect the file mode, like fsGroup,
+					// and the result can be other mode bits set.
+					mode?: int
+
+					// Required: Path is the relative path name of the file to be
+					// created. Must not be absolute or contain the '..' path. Must
+					// be utf-8 encoded. The first item of the relative path must not
+					// start with '..'
+					path: string
+
+					// Selects a resource of the container: only resources limits and
+					// requests (limits.cpu, limits.memory, requests.cpu and
+					// requests.memory) are currently supported.
+					resourceFieldRef?: {
+						// Container name: required for volumes, optional for env vars
+						containerName?: string
+
+						// Specifies the output format of the exposed resources, defaults
+						// to "1"
+						divisor?: (int | string) & {
+							=~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$"
+						}
+
+						// Required: resource to select
+						resource: string
+					}
+				}]
+			}
+
+			// secret information about the secret data to project
+			secret?: {
+				// items if unspecified, each key-value pair in the Data field of
+				// the referenced Secret will be projected into the volume as a
+				// file whose name is the key and content is the value. If
+				// specified, the listed keys will be projected into the
+				// specified paths, and unlisted keys will not be present. If a
+				// key is specified which is not present in the Secret, the
+				// volume setup will error unless it is marked optional. Paths
+				// must be relative and may not contain the '..' path or start
+				// with '..'.
+				items?: [...{
+					// key is the key to project.
+					key: string
+
+					// mode is Optional: mode bits used to set permissions on this
+					// file. Must be an octal value between 0000 and 0777 or a
+					// decimal value between 0 and 511. YAML accepts both octal and
+					// decimal values, JSON requires decimal values for mode bits. If
+					// not specified, the volume defaultMode will be used. This might
+					// be in conflict with other options that affect the file mode,
+					// like fsGroup, and the result can be other mode bits set.
+					mode?: int
+
+					// path is the relative path of the file to map the key to. May
+					// not be an absolute path. May not contain the path element
+					// '..'. May not start with the string '..'.
+					path: string
+				}]
+
+				// Name of the referent. More info:
+				// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+				name?: string
+
+				// optional field specify whether the Secret or its key must be
+				// defined
+				optional?: bool
+			}
+
+			// serviceAccountToken is information about the
+			// serviceAccountToken data to project
+			serviceAccountToken?: {
+				// audience is the intended audience of the token. A recipient of
+				// a token must identify itself with an identifier specified in
+				// the audience of the token, and otherwise should reject the
+				// token. The audience defaults to the identifier of the
+				// apiserver.
+				audience?: string
+
+				// expirationSeconds is the requested duration of validity of the
+				// service account token. As the token approaches expiration, the
+				// kubelet volume plugin will proactively rotate the service
+				// account token. The kubelet will start trying to rotate the
+				// token if the token is older than 80 percent of its time to
+				// live or if the token is older than 24 hours.Defaults to 1 hour
+				// and must be at least 10 minutes.
+				expirationSeconds?: int
+
+				// path is the path relative to the mount point of the file to
+				// project the token into.
+				path: string
+			}
+		}]
+
+		// A Secret containing the value for the LDAP_BIND_PASSWORD
+		// setting. More info:
+		// https://www.pgadmin.org/docs/pgadmin4/latest/ldap.html
+		ldapBindPassword?: {
+			// The key of the secret to select from. Must be a valid secret
+			// key.
+			key: string
+
+			// Name of the referent. More info:
+			// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+			name?: string
+
+			// Specify whether the Secret or its key must be defined
+			optional?: bool
+		}
+
+		// Settings for the pgAdmin server process. Keys should be
+		// uppercase and values must be constants. More info:
+		// https://www.pgadmin.org/docs/pgadmin4/latest/config_py.html
+		settings?: {
+			...
+		}
+	}
+
+	// Defines a PersistentVolumeClaim for pgAdmin data. More info:
+	// https://kubernetes.io/docs/concepts/storage/persistent-volumes
+	dataVolumeClaimSpec: {
+		// accessModes contains the desired access modes the volume should
+		// have. More info:
+		// https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1
+		accessModes?: [...string]
+
+		// dataSource field can be used to specify either: * An existing
+		// VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot)
+		// * An existing PVC (PersistentVolumeClaim) If the provisioner
+		// or an external controller can support the specified data
+		// source, it will create a new volume based on the contents of
+		// the specified data source. If the AnyVolumeDataSource feature
+		// gate is enabled, this field will always have the same contents
+		// as the DataSourceRef field.
+		dataSource?: {
+			// APIGroup is the group for the resource being referenced. If
+			// APIGroup is not specified, the specified Kind must be in the
+			// core API group. For any other third-party types, APIGroup is
+			// required.
+			apiGroup?: string
+
+			// Kind is the type of resource being referenced
+			kind: string
+
+			// Name is the name of resource being referenced
+			name: string
+		}
+
+		// dataSourceRef specifies the object from which to populate the
+		// volume with data, if a non-empty volume is desired. This may
+		// be any local object from a non-empty API group (non core
+		// object) or a PersistentVolumeClaim object. When this field is
+		// specified, volume binding will only succeed if the type of the
+		// specified object matches some installed volume populator or
+		// dynamic provisioner. This field will replace the functionality
+		// of the DataSource field and as such if both fields are
+		// non-empty, they must have the same value. For backwards
+		// compatibility, both fields (DataSource and DataSourceRef) will
+		// be set to the same value automatically if one of them is empty
+		// and the other is non-empty. There are two important
+		// differences between DataSource and DataSourceRef: * While
+		// DataSource only allows two specific types of objects,
+		// DataSourceRef allows any non-core object, as well as
+		// PersistentVolumeClaim objects. * While DataSource ignores
+		// disallowed values (dropping them), DataSourceRef preserves all
+		// values, and generates an error if a disallowed value is
+		// specified. (Beta) Using this field requires the
+		// AnyVolumeDataSource feature gate to be enabled.
+		dataSourceRef?: {
+			// APIGroup is the group for the resource being referenced. If
+			// APIGroup is not specified, the specified Kind must be in the
+			// core API group. For any other third-party types, APIGroup is
+			// required.
+			apiGroup?: string
+
+			// Kind is the type of resource being referenced
+			kind: string
+
+			// Name is the name of resource being referenced
+			name: string
+		}
+
+		// resources represents the minimum resources the volume should
+		// have. If RecoverVolumeExpansionFailure feature is enabled
+		// users are allowed to specify resource requirements that are
+		// lower than previous value but must still be higher than
+		// capacity recorded in the status field of the claim. More info:
+		// https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
+		resources?: {
+			// Limits describes the maximum amount of compute resources
+			// allowed. More info:
+			// https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+			limits?: {
+				[string]: (int | string) & =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$"
+			}
+
+			// Requests describes the minimum amount of compute resources
+			// required. If Requests is omitted for a container, it defaults
+			// to Limits if that is explicitly specified, otherwise to an
+			// implementation-defined value. More info:
+			// https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+			requests?: {
+				[string]: (int | string) & =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$"
+			}
+		}
+
+		// selector is a label query over volumes to consider for binding.
+		selector?: {
+			// matchExpressions is a list of label selector requirements. The
+			// requirements are ANDed.
+			matchExpressions?: [...{
+				// key is the label key that the selector applies to.
+				key: string
+
+				// operator represents a key's relationship to a set of values.
+				// Valid operators are In, NotIn, Exists and DoesNotExist.
+				operator: string
+
+				// values is an array of string values. If the operator is In or
+				// NotIn, the values array must be non-empty. If the operator is
+				// Exists or DoesNotExist, the values array must be empty. This
+				// array is replaced during a strategic merge patch.
+				values?: [...string]
+			}]
+
+			// matchLabels is a map of {key,value} pairs. A single {key,value}
+			// in the matchLabels map is equivalent to an element of
+			// matchExpressions, whose key field is "key", the operator is
+			// "In", and the values array contains only "value". The
+			// requirements are ANDed.
+			matchLabels?: {
+				[string]: string
+			}
+		}
+
+		// storageClassName is the name of the StorageClass required by
+		// the claim. More info:
+		// https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1
+		storageClassName?: string
+
+		// volumeMode defines what type of volume is required by the
+		// claim. Value of Filesystem is implied when not included in
+		// claim spec.
+		volumeMode?: string
+
+		// volumeName is the binding reference to the PersistentVolume
+		// backing this claim.
+		volumeName?: string
+	}
+
+	// The image name to use for pgAdmin instance.
+	image?: string
+
+	// ImagePullPolicy is used to determine when Kubernetes will
+	// attempt to pull (download) container images. More info:
+	// https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy
+	imagePullPolicy?: "Always" | "Never" | "IfNotPresent"
+
+	// The image pull secrets used to pull from a private registry.
+	// Changing this value causes all running PGAdmin pods to
+	// restart.
+	// https://k8s.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+	imagePullSecrets?: [...{
+		// Name of the referent. More info:
+		// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+		name?: string
+	}]
+
+	// Metadata contains metadata for custom resources
+	metadata?: {
+		annotations?: {
+			[string]: string
+		}
+		labels?: {
+			[string]: string
+		}
+	}
+
+	// Priority class name for the PGAdmin pod. Changing this value
+	// causes PGAdmin pod to restart. More info:
+	// https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/
+	priorityClassName?: string
+
+	// Resource requirements for the PGAdmin container.
+	resources?: {
+		// Limits describes the maximum amount of compute resources
+		// allowed. More info:
+		// https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+		limits?: {
+			[string]: (int | string) & =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$"
+		}
+
+		// Requests describes the minimum amount of compute resources
+		// required. If Requests is omitted for a container, it defaults
+		// to Limits if that is explicitly specified, otherwise to an
+		// implementation-defined value. More info:
+		// https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+		requests?: {
+			[string]: (int | string) & =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$"
+		}
+	}
+
+	// ServerGroups for importing PostgresClusters to pgAdmin. To
+	// create a pgAdmin with no selectors, leave this field empty. A
+	// pgAdmin created with no `ServerGroups` will not automatically
+	// add any servers through discovery. PostgresClusters can still
+	// be added manually.
+	serverGroups?: [...{
+		// The name for the ServerGroup in pgAdmin. Must be unique in the
+		// pgAdmin's ServerGroups since it becomes the ServerGroup name
+		// in pgAdmin.
+		name: string
+
+		// PostgresClusterSelector selects clusters to dynamically add to
+		// pgAdmin by matching labels. An empty selector like `{}` will
+		// select ALL clusters in the namespace.
+		postgresClusterSelector: {
+			// matchExpressions is a list of label selector requirements. The
+			// requirements are ANDed.
+			matchExpressions?: [...{
+				// key is the label key that the selector applies to.
+				key: string
+
+				// operator represents a key's relationship to a set of values.
+				// Valid operators are In, NotIn, Exists and DoesNotExist.
+				operator: string
+
+				// values is an array of string values. If the operator is In or
+				// NotIn, the values array must be non-empty. If the operator is
+				// Exists or DoesNotExist, the values array must be empty. This
+				// array is replaced during a strategic merge patch.
+				values?: [...string]
+			}]
+
+			// matchLabels is a map of {key,value} pairs. A single {key,value}
+			// in the matchLabels map is equivalent to an element of
+			// matchExpressions, whose key field is "key", the operator is
+			// "In", and the values array contains only "value". The
+			// requirements are ANDed.
+			matchLabels?: {
+				[string]: string
+			}
+		}
+	}]
+
+	// Tolerations of the PGAdmin pod. More info:
+	// https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration
+	tolerations?: [...{
+		// Effect indicates the taint effect to match. Empty means match
+		// all taint effects. When specified, allowed values are
+		// NoSchedule, PreferNoSchedule and NoExecute.
+		effect?: string
+
+		// Key is the taint key that the toleration applies to. Empty
+		// means match all taint keys. If the key is empty, operator must
+		// be Exists; this combination means to match all values and all
+		// keys.
+		key?: string
+
+		// Operator represents a key's relationship to the value. Valid
+		// operators are Exists and Equal. Defaults to Equal. Exists is
+		// equivalent to wildcard for value, so that a pod can tolerate
+		// all taints of a particular category.
+		operator?: string
+
+		// TolerationSeconds represents the period of time the toleration
+		// (which must be of effect NoExecute, otherwise this field is
+		// ignored) tolerates the taint. By default, it is not set, which
+		// means tolerate the taint forever (do not evict). Zero and
+		// negative values will be treated as 0 (evict immediately) by
+		// the system.
+		tolerationSeconds?: int
+
+		// Value is the taint value the toleration matches to. If the
+		// operator is Exists, the value should be empty, otherwise just
+		// a regular string.
+		value?: string
+	}]
+}

internal/generate/platforms/cue.mod/gen/postgres-operator.crunchydata.com/pgupgrade/v1beta1/types_gen.cue

@@ -0,0 +1,632 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f deploy/clusters/aws1/components/postgres-crds/postgres-crds.gen.yaml
+
+package v1beta1
+
+import "strings"
+
+// PGUpgrade is the Schema for the pgupgrades API
+#PGUpgrade: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object. Servers should convert recognized schemas to the
+	// latest internal value, and may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "postgres-operator.crunchydata.com/v1beta1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents. Servers may infer this from the endpoint
+	// the client submits requests to. Cannot be updated. In
+	// CamelCase. More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "PGUpgrade"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// PGUpgradeSpec defines the desired state of PGUpgrade
+	spec!: #PGUpgradeSpec
+}
+
+// PGUpgradeSpec defines the desired state of PGUpgrade
+#PGUpgradeSpec: {
+	// Scheduling constraints of the PGUpgrade pod. More info:
+	// https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node
+	affinity?: {
+		// Describes node affinity scheduling rules for the pod.
+		nodeAffinity?: {
+			// The scheduler will prefer to schedule pods to nodes that
+			// satisfy the affinity expressions specified by this field, but
+			// it may choose a node that violates one or more of the
+			// expressions. The node that is most preferred is the one with
+			// the greatest sum of weights, i.e. for each node that meets all
+			// of the scheduling requirements (resource request,
+			// requiredDuringScheduling affinity expressions, etc.), compute
+			// a sum by iterating through the elements of this field and
+			// adding "weight" to the sum if the node matches the
+			// corresponding matchExpressions; the node(s) with the highest
+			// sum are the most preferred.
+			preferredDuringSchedulingIgnoredDuringExecution?: [...{
+				// A node selector term, associated with the corresponding weight.
+				preference: {
+					// A list of node selector requirements by node's labels.
+					matchExpressions?: [...{
+						// The label key that the selector applies to.
+						key: string
+
+						// Represents a key's relationship to a set of values. Valid
+						// operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+						operator: string
+
+						// An array of string values. If the operator is In or NotIn, the
+						// values array must be non-empty. If the operator is Exists or
+						// DoesNotExist, the values array must be empty. If the operator
+						// is Gt or Lt, the values array must have a single element,
+						// which will be interpreted as an integer. This array is
+						// replaced during a strategic merge patch.
+						values?: [...string]
+					}]
+
+					// A list of node selector requirements by node's fields.
+					matchFields?: [...{
+						// The label key that the selector applies to.
+						key: string
+
+						// Represents a key's relationship to a set of values. Valid
+						// operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+						operator: string
+
+						// An array of string values. If the operator is In or NotIn, the
+						// values array must be non-empty. If the operator is Exists or
+						// DoesNotExist, the values array must be empty. If the operator
+						// is Gt or Lt, the values array must have a single element,
+						// which will be interpreted as an integer. This array is
+						// replaced during a strategic merge patch.
+						values?: [...string]
+					}]
+				}
+
+				// Weight associated with matching the corresponding
+				// nodeSelectorTerm, in the range 1-100.
+				weight: int
+			}]
+			requiredDuringSchedulingIgnoredDuringExecution?: {
+				// Required. A list of node selector terms. The terms are ORed.
+				nodeSelectorTerms: [...{
+					// A list of node selector requirements by node's labels.
+					matchExpressions?: [...{
+						// The label key that the selector applies to.
+						key: string
+
+						// Represents a key's relationship to a set of values. Valid
+						// operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+						operator: string
+
+						// An array of string values. If the operator is In or NotIn, the
+						// values array must be non-empty. If the operator is Exists or
+						// DoesNotExist, the values array must be empty. If the operator
+						// is Gt or Lt, the values array must have a single element,
+						// which will be interpreted as an integer. This array is
+						// replaced during a strategic merge patch.
+						values?: [...string]
+					}]
+
+					// A list of node selector requirements by node's fields.
+					matchFields?: [...{
+						// The label key that the selector applies to.
+						key: string
+
+						// Represents a key's relationship to a set of values. Valid
+						// operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+						operator: string
+
+						// An array of string values. If the operator is In or NotIn, the
+						// values array must be non-empty. If the operator is Exists or
+						// DoesNotExist, the values array must be empty. If the operator
+						// is Gt or Lt, the values array must have a single element,
+						// which will be interpreted as an integer. This array is
+						// replaced during a strategic merge patch.
+						values?: [...string]
+					}]
+				}]
+			}
+		}
+
+		// Describes pod affinity scheduling rules (e.g. co-locate this
+		// pod in the same node, zone, etc. as some other pod(s)).
+		podAffinity?: {
+			// The scheduler will prefer to schedule pods to nodes that
+			// satisfy the affinity expressions specified by this field, but
+			// it may choose a node that violates one or more of the
+			// expressions. The node that is most preferred is the one with
+			// the greatest sum of weights, i.e. for each node that meets all
+			// of the scheduling requirements (resource request,
+			// requiredDuringScheduling affinity expressions, etc.), compute
+			// a sum by iterating through the elements of this field and
+			// adding "weight" to the sum if the node has pods which matches
+			// the corresponding podAffinityTerm; the node(s) with the
+			// highest sum are the most preferred.
+			preferredDuringSchedulingIgnoredDuringExecution?: [...{
+				// Required. A pod affinity term, associated with the
+				// corresponding weight.
+				podAffinityTerm: {
+					// A label query over a set of resources, in this case pods.
+					labelSelector?: {
+						// matchExpressions is a list of label selector requirements. The
+						// requirements are ANDed.
+						matchExpressions?: [...{
+							// key is the label key that the selector applies to.
+							key: string
+
+							// operator represents a key's relationship to a set of values.
+							// Valid operators are In, NotIn, Exists and DoesNotExist.
+							operator: string
+
+							// values is an array of string values. If the operator is In or
+							// NotIn, the values array must be non-empty. If the operator is
+							// Exists or DoesNotExist, the values array must be empty. This
+							// array is replaced during a strategic merge patch.
+							values?: [...string]
+						}]
+
+						// matchLabels is a map of {key,value} pairs. A single {key,value}
+						// in the matchLabels map is equivalent to an element of
+						// matchExpressions, whose key field is "key", the operator is
+						// "In", and the values array contains only "value". The
+						// requirements are ANDed.
+						matchLabels?: {
+							[string]: string
+						}
+					}
+
+					// A label query over the set of namespaces that the term applies
+					// to. The term is applied to the union of the namespaces
+					// selected by this field and the ones listed in the namespaces
+					// field. null selector and null or empty namespaces list means
+					// "this pod's namespace". An empty selector ({}) matches all
+					// namespaces.
+					namespaceSelector?: {
+						// matchExpressions is a list of label selector requirements. The
+						// requirements are ANDed.
+						matchExpressions?: [...{
+							// key is the label key that the selector applies to.
+							key: string
+
+							// operator represents a key's relationship to a set of values.
+							// Valid operators are In, NotIn, Exists and DoesNotExist.
+							operator: string
+
+							// values is an array of string values. If the operator is In or
+							// NotIn, the values array must be non-empty. If the operator is
+							// Exists or DoesNotExist, the values array must be empty. This
+							// array is replaced during a strategic merge patch.
+							values?: [...string]
+						}]
+
+						// matchLabels is a map of {key,value} pairs. A single {key,value}
+						// in the matchLabels map is equivalent to an element of
+						// matchExpressions, whose key field is "key", the operator is
+						// "In", and the values array contains only "value". The
+						// requirements are ANDed.
+						matchLabels?: {
+							[string]: string
+						}
+					}
+
+					// namespaces specifies a static list of namespace names that the
+					// term applies to. The term is applied to the union of the
+					// namespaces listed in this field and the ones selected by
+					// namespaceSelector. null or empty namespaces list and null
+					// namespaceSelector means "this pod's namespace".
+					namespaces?: [...string]
+
+					// This pod should be co-located (affinity) or not co-located
+					// (anti-affinity) with the pods matching the labelSelector in
+					// the specified namespaces, where co-located is defined as
+					// running on a node whose value of the label with key
+					// topologyKey matches that of any node on which any of the
+					// selected pods is running. Empty topologyKey is not allowed.
+					topologyKey: string
+				}
+
+				// weight associated with matching the corresponding
+				// podAffinityTerm, in the range 1-100.
+				weight: int
+			}]
+
+			// If the affinity requirements specified by this field are not
+			// met at scheduling time, the pod will not be scheduled onto the
+			// node. If the affinity requirements specified by this field
+			// cease to be met at some point during pod execution (e.g. due
+			// to a pod label update), the system may or may not try to
+			// eventually evict the pod from its node. When there are
+			// multiple elements, the lists of nodes corresponding to each
+			// podAffinityTerm are intersected, i.e. all terms must be
+			// satisfied.
+			requiredDuringSchedulingIgnoredDuringExecution?: [...{
+				// A label query over a set of resources, in this case pods.
+				labelSelector?: {
+					// matchExpressions is a list of label selector requirements. The
+					// requirements are ANDed.
+					matchExpressions?: [...{
+						// key is the label key that the selector applies to.
+						key: string
+
+						// operator represents a key's relationship to a set of values.
+						// Valid operators are In, NotIn, Exists and DoesNotExist.
+						operator: string
+
+						// values is an array of string values. If the operator is In or
+						// NotIn, the values array must be non-empty. If the operator is
+						// Exists or DoesNotExist, the values array must be empty. This
+						// array is replaced during a strategic merge patch.
+						values?: [...string]
+					}]
+
+					// matchLabels is a map of {key,value} pairs. A single {key,value}
+					// in the matchLabels map is equivalent to an element of
+					// matchExpressions, whose key field is "key", the operator is
+					// "In", and the values array contains only "value". The
+					// requirements are ANDed.
+					matchLabels?: {
+						[string]: string
+					}
+				}
+
+				// A label query over the set of namespaces that the term applies
+				// to. The term is applied to the union of the namespaces
+				// selected by this field and the ones listed in the namespaces
+				// field. null selector and null or empty namespaces list means
+				// "this pod's namespace". An empty selector ({}) matches all
+				// namespaces.
+				namespaceSelector?: {
+					// matchExpressions is a list of label selector requirements. The
+					// requirements are ANDed.
+					matchExpressions?: [...{
+						// key is the label key that the selector applies to.
+						key: string
+
+						// operator represents a key's relationship to a set of values.
+						// Valid operators are In, NotIn, Exists and DoesNotExist.
+						operator: string
+
+						// values is an array of string values. If the operator is In or
+						// NotIn, the values array must be non-empty. If the operator is
+						// Exists or DoesNotExist, the values array must be empty. This
+						// array is replaced during a strategic merge patch.
+						values?: [...string]
+					}]
+
+					// matchLabels is a map of {key,value} pairs. A single {key,value}
+					// in the matchLabels map is equivalent to an element of
+					// matchExpressions, whose key field is "key", the operator is
+					// "In", and the values array contains only "value". The
+					// requirements are ANDed.
+					matchLabels?: {
+						[string]: string
+					}
+				}
+
+				// namespaces specifies a static list of namespace names that the
+				// term applies to. The term is applied to the union of the
+				// namespaces listed in this field and the ones selected by
+				// namespaceSelector. null or empty namespaces list and null
+				// namespaceSelector means "this pod's namespace".
+				namespaces?: [...string]
+
+				// This pod should be co-located (affinity) or not co-located
+				// (anti-affinity) with the pods matching the labelSelector in
+				// the specified namespaces, where co-located is defined as
+				// running on a node whose value of the label with key
+				// topologyKey matches that of any node on which any of the
+				// selected pods is running. Empty topologyKey is not allowed.
+				topologyKey: string
+			}]
+		}
+
+		// Describes pod anti-affinity scheduling rules (e.g. avoid
+		// putting this pod in the same node, zone, etc. as some other
+		// pod(s)).
+		podAntiAffinity?: {
+			// The scheduler will prefer to schedule pods to nodes that
+			// satisfy the anti-affinity expressions specified by this field,
+			// but it may choose a node that violates one or more of the
+			// expressions. The node that is most preferred is the one with
+			// the greatest sum of weights, i.e. for each node that meets all
+			// of the scheduling requirements (resource request,
+			// requiredDuringScheduling anti-affinity expressions, etc.),
+			// compute a sum by iterating through the elements of this field
+			// and adding "weight" to the sum if the node has pods which
+			// matches the corresponding podAffinityTerm; the node(s) with
+			// the highest sum are the most preferred.
+			preferredDuringSchedulingIgnoredDuringExecution?: [...{
+				// Required. A pod affinity term, associated with the
+				// corresponding weight.
+				podAffinityTerm: {
+					// A label query over a set of resources, in this case pods.
+					labelSelector?: {
+						// matchExpressions is a list of label selector requirements. The
+						// requirements are ANDed.
+						matchExpressions?: [...{
+							// key is the label key that the selector applies to.
+							key: string
+
+							// operator represents a key's relationship to a set of values.
+							// Valid operators are In, NotIn, Exists and DoesNotExist.
+							operator: string
+
+							// values is an array of string values. If the operator is In or
+							// NotIn, the values array must be non-empty. If the operator is
+							// Exists or DoesNotExist, the values array must be empty. This
+							// array is replaced during a strategic merge patch.
+							values?: [...string]
+						}]
+
+						// matchLabels is a map of {key,value} pairs. A single {key,value}
+						// in the matchLabels map is equivalent to an element of
+						// matchExpressions, whose key field is "key", the operator is
+						// "In", and the values array contains only "value". The
+						// requirements are ANDed.
+						matchLabels?: {
+							[string]: string
+						}
+					}
+
+					// A label query over the set of namespaces that the term applies
+					// to. The term is applied to the union of the namespaces
+					// selected by this field and the ones listed in the namespaces
+					// field. null selector and null or empty namespaces list means
+					// "this pod's namespace". An empty selector ({}) matches all
+					// namespaces.
+					namespaceSelector?: {
+						// matchExpressions is a list of label selector requirements. The
+						// requirements are ANDed.
+						matchExpressions?: [...{
+							// key is the label key that the selector applies to.
+							key: string
+
+							// operator represents a key's relationship to a set of values.
+							// Valid operators are In, NotIn, Exists and DoesNotExist.
+							operator: string
+
+							// values is an array of string values. If the operator is In or
+							// NotIn, the values array must be non-empty. If the operator is
+							// Exists or DoesNotExist, the values array must be empty. This
+							// array is replaced during a strategic merge patch.
+							values?: [...string]
+						}]
+
+						// matchLabels is a map of {key,value} pairs. A single {key,value}
+						// in the matchLabels map is equivalent to an element of
+						// matchExpressions, whose key field is "key", the operator is
+						// "In", and the values array contains only "value". The
+						// requirements are ANDed.
+						matchLabels?: {
+							[string]: string
+						}
+					}
+
+					// namespaces specifies a static list of namespace names that the
+					// term applies to. The term is applied to the union of the
+					// namespaces listed in this field and the ones selected by
+					// namespaceSelector. null or empty namespaces list and null
+					// namespaceSelector means "this pod's namespace".
+					namespaces?: [...string]
+
+					// This pod should be co-located (affinity) or not co-located
+					// (anti-affinity) with the pods matching the labelSelector in
+					// the specified namespaces, where co-located is defined as
+					// running on a node whose value of the label with key
+					// topologyKey matches that of any node on which any of the
+					// selected pods is running. Empty topologyKey is not allowed.
+					topologyKey: string
+				}
+
+				// weight associated with matching the corresponding
+				// podAffinityTerm, in the range 1-100.
+				weight: int
+			}]
+
+			// If the anti-affinity requirements specified by this field are
+			// not met at scheduling time, the pod will not be scheduled onto
+			// the node. If the anti-affinity requirements specified by this
+			// field cease to be met at some point during pod execution (e.g.
+			// due to a pod label update), the system may or may not try to
+			// eventually evict the pod from its node. When there are
+			// multiple elements, the lists of nodes corresponding to each
+			// podAffinityTerm are intersected, i.e. all terms must be
+			// satisfied.
+			requiredDuringSchedulingIgnoredDuringExecution?: [...{
+				// A label query over a set of resources, in this case pods.
+				labelSelector?: {
+					// matchExpressions is a list of label selector requirements. The
+					// requirements are ANDed.
+					matchExpressions?: [...{
+						// key is the label key that the selector applies to.
+						key: string
+
+						// operator represents a key's relationship to a set of values.
+						// Valid operators are In, NotIn, Exists and DoesNotExist.
+						operator: string
+
+						// values is an array of string values. If the operator is In or
+						// NotIn, the values array must be non-empty. If the operator is
+						// Exists or DoesNotExist, the values array must be empty. This
+						// array is replaced during a strategic merge patch.
+						values?: [...string]
+					}]
+
+					// matchLabels is a map of {key,value} pairs. A single {key,value}
+					// in the matchLabels map is equivalent to an element of
+					// matchExpressions, whose key field is "key", the operator is
+					// "In", and the values array contains only "value". The
+					// requirements are ANDed.
+					matchLabels?: {
+						[string]: string
+					}
+				}
+
+				// A label query over the set of namespaces that the term applies
+				// to. The term is applied to the union of the namespaces
+				// selected by this field and the ones listed in the namespaces
+				// field. null selector and null or empty namespaces list means
+				// "this pod's namespace". An empty selector ({}) matches all
+				// namespaces.
+				namespaceSelector?: {
+					// matchExpressions is a list of label selector requirements. The
+					// requirements are ANDed.
+					matchExpressions?: [...{
+						// key is the label key that the selector applies to.
+						key: string
+
+						// operator represents a key's relationship to a set of values.
+						// Valid operators are In, NotIn, Exists and DoesNotExist.
+						operator: string
+
+						// values is an array of string values. If the operator is In or
+						// NotIn, the values array must be non-empty. If the operator is
+						// Exists or DoesNotExist, the values array must be empty. This
+						// array is replaced during a strategic merge patch.
+						values?: [...string]
+					}]
+
+					// matchLabels is a map of {key,value} pairs. A single {key,value}
+					// in the matchLabels map is equivalent to an element of
+					// matchExpressions, whose key field is "key", the operator is
+					// "In", and the values array contains only "value". The
+					// requirements are ANDed.
+					matchLabels?: {
+						[string]: string
+					}
+				}
+
+				// namespaces specifies a static list of namespace names that the
+				// term applies to. The term is applied to the union of the
+				// namespaces listed in this field and the ones selected by
+				// namespaceSelector. null or empty namespaces list and null
+				// namespaceSelector means "this pod's namespace".
+				namespaces?: [...string]
+
+				// This pod should be co-located (affinity) or not co-located
+				// (anti-affinity) with the pods matching the labelSelector in
+				// the specified namespaces, where co-located is defined as
+				// running on a node whose value of the label with key
+				// topologyKey matches that of any node on which any of the
+				// selected pods is running. Empty topologyKey is not allowed.
+				topologyKey: string
+			}]
+		}
+	}
+
+	// The major version of PostgreSQL before the upgrade.
+	fromPostgresVersion: uint & >=10 & <=16
+
+	// The image name to use for major PostgreSQL upgrades.
+	image?: string
+
+	// ImagePullPolicy is used to determine when Kubernetes will
+	// attempt to pull (download) container images. More info:
+	// https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy
+	imagePullPolicy?: "Always" | "Never" | "IfNotPresent"
+
+	// The image pull secrets used to pull from a private registry.
+	// Changing this value causes all running PGUpgrade pods to
+	// restart.
+	// https://k8s.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+	imagePullSecrets?: [...{
+		// Name of the referent. More info:
+		// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+		name?: string
+	}]
+
+	// Metadata contains metadata for custom resources
+	metadata?: {
+		annotations?: {
+			[string]: string
+		}
+		labels?: {
+			[string]: string
+		}
+	}
+
+	// The name of the cluster to be updated
+	postgresClusterName: strings.MinRunes(1)
+
+	// Priority class name for the PGUpgrade pod. Changing this value
+	// causes PGUpgrade pod to restart. More info:
+	// https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/
+	priorityClassName?: string
+
+	// Resource requirements for the PGUpgrade container.
+	resources?: {
+		// Limits describes the maximum amount of compute resources
+		// allowed. More info:
+		// https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+		limits?: {
+			[string]: (int | string) & =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$"
+		}
+
+		// Requests describes the minimum amount of compute resources
+		// required. If Requests is omitted for a container, it defaults
+		// to Limits if that is explicitly specified, otherwise to an
+		// implementation-defined value. More info:
+		// https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+		requests?: {
+			[string]: (int | string) & =~"^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$"
+		}
+	}
+
+	// The image name to use for PostgreSQL containers after upgrade.
+	// When omitted, the value comes from an operator environment
+	// variable.
+	toPostgresImage?: string
+
+	// The major version of PostgreSQL to be upgraded to.
+	toPostgresVersion: uint & >=10 & <=16
+
+	// Tolerations of the PGUpgrade pod. More info:
+	// https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration
+	tolerations?: [...{
+		// Effect indicates the taint effect to match. Empty means match
+		// all taint effects. When specified, allowed values are
+		// NoSchedule, PreferNoSchedule and NoExecute.
+		effect?: string
+
+		// Key is the taint key that the toleration applies to. Empty
+		// means match all taint keys. If the key is empty, operator must
+		// be Exists; this combination means to match all values and all
+		// keys.
+		key?: string
+
+		// Operator represents a key's relationship to the value. Valid
+		// operators are Exists and Equal. Defaults to Equal. Exists is
+		// equivalent to wildcard for value, so that a pod can tolerate
+		// all taints of a particular category.
+		operator?: string
+
+		// TolerationSeconds represents the period of time the toleration
+		// (which must be of effect NoExecute, otherwise this field is
+		// ignored) tolerates the taint. By default, it is not set, which
+		// means tolerate the taint forever (do not evict). Zero and
+		// negative values will be treated as 0 (evict immediately) by
+		// the system.
+		tolerationSeconds?: int
+
+		// Value is the taint value the toleration matches to. If the
+		// operator is Exists, the value should be empty, otherwise just
+		// a regular string.
+		value?: string
+	}]
+}

internal/generate/platforms/cue.mod/gen/security.istio.io/authorizationpolicy/v1/types_gen.cue

@@ -0,0 +1,160 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f deploy/clusters/aws2/components/istio-base/istio-base.gen.yaml
+
+package v1
+
+import "strings"
+
+#AuthorizationPolicy: {
+	// Configuration for access control on workloads. See more details
+	// at:
+	// https://istio.io/docs/reference/config/security/authorization-policy.html
+	spec!:      #AuthorizationPolicySpec
+	apiVersion: "security.istio.io/v1"
+	kind:       "AuthorizationPolicy"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration for access control on workloads. See more details
+// at:
+// https://istio.io/docs/reference/config/security/authorization-policy.html
+#AuthorizationPolicySpec: {
+	// Optional.
+	//
+	// Valid Options: ALLOW, DENY, AUDIT, CUSTOM
+	action?: "ALLOW" | "DENY" | "AUDIT" | "CUSTOM"
+	provider?: {
+		// Specifies the name of the extension provider.
+		name?: string
+	}
+
+	// Optional.
+	rules?: [...{
+		// Optional.
+		from?: [...{
+			// Source specifies the source of a request.
+			source?: {
+				// Optional.
+				ipBlocks?: [...string]
+
+				// Optional.
+				namespaces?: [...string]
+
+				// Optional.
+				notIpBlocks?: [...string]
+
+				// Optional.
+				notNamespaces?: [...string]
+
+				// Optional.
+				notPrincipals?: [...string]
+
+				// Optional.
+				notRemoteIpBlocks?: [...string]
+
+				// Optional.
+				notRequestPrincipals?: [...string]
+
+				// Optional.
+				principals?: [...string]
+
+				// Optional.
+				remoteIpBlocks?: [...string]
+
+				// Optional.
+				requestPrincipals?: [...string]
+			}
+		}]
+
+		// Optional.
+		to?: [...{
+			// Operation specifies the operation of a request.
+			operation?: {
+				// Optional.
+				hosts?: [...string]
+
+				// Optional.
+				methods?: [...string]
+
+				// Optional.
+				notHosts?: [...string]
+
+				// Optional.
+				notMethods?: [...string]
+
+				// Optional.
+				notPaths?: [...string]
+
+				// Optional.
+				notPorts?: [...string]
+
+				// Optional.
+				paths?: [...string]
+
+				// Optional.
+				ports?: [...string]
+			}
+		}]
+
+		// Optional.
+		when?: [...{
+			// The name of an Istio attribute.
+			key: string
+
+			// Optional.
+			notValues?: [...string]
+
+			// Optional.
+			values?: [...string]
+		}]
+	}]
+	selector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which a policy should be applied.
+		matchLabels?: {
+			[string]: string
+		}
+	}
+	targetRef?: {
+		// group is the group of the target resource.
+		group?: string
+
+		// kind is kind of the target resource.
+		kind?: string
+
+		// name is the name of the target resource.
+		name?: string
+
+		// namespace is the namespace of the referent.
+		namespace?: string
+	}
+
+	// Optional.
+	targetRefs?: [...{
+		// group is the group of the target resource.
+		group?: string
+
+		// kind is kind of the target resource.
+		kind?: string
+
+		// name is the name of the target resource.
+		name?: string
+
+		// namespace is the namespace of the referent.
+		namespace?: string
+	}]
+}

internal/generate/platforms/cue.mod/gen/security.istio.io/authorizationpolicy/v1beta1/types_gen.cue

@@ -0,0 +1,162 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f deploy/clusters/aws2/components/istio-base/istio-base.gen.yaml
+
+package v1beta1
+
+import "strings"
+
+#AuthorizationPolicy: {
+	// Configuration for access control on workloads. See more details
+	// at:
+	// https://istio.io/docs/reference/config/security/authorization-policy.html
+	spec!:      #AuthorizationPolicySpec
+	apiVersion: "security.istio.io/v1beta1"
+	kind:       "AuthorizationPolicy"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+}
+
+// Configuration for access control on workloads. See more details
+// at:
+// https://istio.io/docs/reference/config/security/authorization-policy.html
+#AuthorizationPolicySpec: ({} | {
+	provider: _
+}) & {
+	// Optional.
+	//
+	// Valid Options: ALLOW, DENY, AUDIT, CUSTOM
+	action?: "ALLOW" | "DENY" | "AUDIT" | "CUSTOM"
+	provider?: {
+		// Specifies the name of the extension provider.
+		name?: string
+	}
+
+	// Optional.
+	rules?: [...{
+		// Optional.
+		from?: [...{
+			// Source specifies the source of a request.
+			source?: {
+				// Optional.
+				ipBlocks?: [...string]
+
+				// Optional.
+				namespaces?: [...string]
+
+				// Optional.
+				notIpBlocks?: [...string]
+
+				// Optional.
+				notNamespaces?: [...string]
+
+				// Optional.
+				notPrincipals?: [...string]
+
+				// Optional.
+				notRemoteIpBlocks?: [...string]
+
+				// Optional.
+				notRequestPrincipals?: [...string]
+
+				// Optional.
+				principals?: [...string]
+
+				// Optional.
+				remoteIpBlocks?: [...string]
+
+				// Optional.
+				requestPrincipals?: [...string]
+			}
+		}]
+
+		// Optional.
+		to?: [...{
+			// Operation specifies the operation of a request.
+			operation?: {
+				// Optional.
+				hosts?: [...string]
+
+				// Optional.
+				methods?: [...string]
+
+				// Optional.
+				notHosts?: [...string]
+
+				// Optional.
+				notMethods?: [...string]
+
+				// Optional.
+				notPaths?: [...string]
+
+				// Optional.
+				notPorts?: [...string]
+
+				// Optional.
+				paths?: [...string]
+
+				// Optional.
+				ports?: [...string]
+			}
+		}]
+
+		// Optional.
+		when?: [...{
+			// The name of an Istio attribute.
+			key: string
+
+			// Optional.
+			notValues?: [...string]
+
+			// Optional.
+			values?: [...string]
+		}]
+	}]
+	selector?: {
+		// One or more labels that indicate a specific set of pods/VMs on
+		// which a policy should be applied.
+		matchLabels?: {
+			[string]: string
+		}
+	}
+	targetRef?: {
+		// group is the group of the target resource.
+		group?: string
+
+		// kind is kind of the target resource.
+		kind?: string
+
+		// name is the name of the target resource.
+		name?: string
+
+		// namespace is the namespace of the referent.
+		namespace?: string
+	}
+
+	// Optional.
+	targetRefs?: [...{
+		// group is the group of the target resource.
+		group?: string
+
+		// kind is kind of the target resource.
+		kind?: string
+
+		// name is the name of the target resource.
+		name?: string
+
+		// namespace is the namespace of the referent.
+		namespace?: string
+	}]
+}