make: fix latest connect tools installed

On a release, make tools is run which pulls in the latest connect tools
for angular.  This is a problem because it makes the git tree dirty.

The packages should be in the package.json file and the lock file so
these additional steps should not be necessary.

Remove them.

Desired result is make tools is idempotent and installs the correct
pinned versions necessary to build and release the container image.

.cspell.json

@@ -0,0 +1,88 @@
+{
+  "version": "0.2",
+  "language": "en",
+  "enableFiletypes": [
+    "mdx"
+  ],
+  "words": [
+    "applicationset",
+    "argoproj",
+    "authcode",
+    "authpolicy",
+    "authproxy",
+    "authroutes",
+    "buildplan",
+    "cainjector",
+    "clusterissuer",
+    "cookiesecret",
+    "coredns",
+    "crds",
+    "crossplane",
+    "cuecontext",
+    "cuelang",
+    "devicecode",
+    "dnsmasq",
+    "dscacheutil",
+    "entgo",
+    "errgroup",
+    "fieldmaskpb",
+    "flushcache",
+    "gitops",
+    "grpcreflect",
+    "grpcurl",
+    "holos",
+    "holoslogger",
+    "httpbin",
+    "Infima",
+    "isatty",
+    "istiod",
+    "jetstack",
+    "killall",
+    "kubeadm",
+    "kubeconfig",
+    "kubelogin",
+    "Kustomization",
+    "kustomize",
+    "ldflags",
+    "libnss",
+    "loadbalancer",
+    "mattn",
+    "mxcl",
+    "myhostname",
+    "nameserver",
+    "organizationconnect",
+    "orgid",
+    "otelconnect",
+    "Parentspanid",
+    "pflag",
+    "PKCE",
+    "platformconnect",
+    "promhttp",
+    "protojson",
+    "putenv",
+    "quickstart",
+    "retryable",
+    "ropc",
+    "spanid",
+    "spiffe",
+    "startupapicheck",
+    "structpb",
+    "systemconnect",
+    "tablewriter",
+    "Tiltfile",
+    "timestamppb",
+    "tlsclientconfig",
+    "tokencache",
+    "Tokener",
+    "Traceid",
+    "traefik",
+    "uibutton",
+    "Upsert",
+    "urandom",
+    "usecases",
+    "userconnect",
+    "userdata",
+    "zerolog",
+    "zitadel"
+  ]
+}

.gitignore

@@ -7,3 +7,9 @@ coverage.out
 /deploy/
 .vscode/
 tmp/
+.DS_*
+
+# In case we run through the tutorial in this directory.
+/holos-k3d/
+/holos-infra/
+node_modules/

.ko.yaml

@@ -0,0 +1,13 @@
+# Refer to https://ko.build/configuration/#overriding-go-build-settings
+builds:
+- id: holos
+  dir: .
+  main: ./cmd/holos
+  env:
+  - GOPRIVATE=github.com/holos-run/\*
+  ldflags:
+  - -s
+  - -w
+  - -X
+  # Makefile provides GIT_DETAIL and GIT_SUFFIX.
+  - github.com/holos-run/holos/version.GitDescribe={{.Env.GIT_DETAIL}}{{.Env.GIT_SUFFIX}}

Makefile

@@ -48,6 +48,10 @@ bumpmajor: ## Bump the major version.
 show-version: ## Print the full version.
 	@echo $(VERSION)
 
+.PHONY: tag
+tag: ## Tag a release
+	git tag v$(VERSION)
+
 .PHONY: tidy
 tidy: ## Tidy go module.
 	go mod tidy
@@ -72,6 +76,11 @@ build: ## Build holos executable.
 	@echo "GOPATH=${GOPATH}"
 	go build -trimpath -o bin/$(BIN_NAME) -ldflags $(LD_FLAGS) $(REPO_PATH)/cmd/$(BIN_NAME)
 
+linux: ## Build holos executable for tilt.
+	@echo "building ${BIN_NAME}.linux ${VERSION}"
+	@echo "GOPATH=${GOPATH}"
+	GOOS=linux go build -trimpath -o bin/$(BIN_NAME).linux -ldflags $(LD_FLAGS) $(REPO_PATH)/cmd/$(BIN_NAME)
+
 .PHONY: install
 install: build ## Install holos to GOPATH/bin
 	install bin/$(BIN_NAME) $(shell go env GOPATH)/bin/$(BIN_NAME)
@@ -89,6 +98,7 @@ lint: ## Run linters.
 	buf lint
 	cd internal/frontend/holos && ng lint
 	golangci-lint run
+	./hack/cspell
 
 .PHONY: coverage
 coverage: test  ## Test coverage profile.
@@ -111,25 +121,24 @@ go-deps: ## tool versions pinned in tools.go
 	go install honnef.co/go/tools/cmd/staticcheck
 	go install golang.org/x/tools/cmd/godoc
 	go install github.com/princjef/gomarkdoc/cmd/gomarkdoc
+	go install github.com/google/ko
 	# curl https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | bash
 
 .PHONY: frontend-deps
 frontend-deps: ## Install Angular deps for go generate
 	cd internal/frontend/holos && npm install
-	cd internal/frontend/holos && npm install --save-dev @bufbuild/buf @connectrpc/protoc-gen-connect-es
-	cd internal/frontend/holos && npm install @connectrpc/connect @connectrpc/connect-web @bufbuild/protobuf
-	# https://github.com/connectrpc/connect-query-es/blob/1350b6f07b6aead81793917954bdb1cc3ce09df9/packages/protoc-gen-connect-query/README.md?plain=1#L23
-	cd internal/frontend/holos && npm install --save-dev @connectrpc/protoc-gen-connect-query @bufbuild/protoc-gen-es
-	cd internal/frontend/holos && npm install @connectrpc/connect-query @bufbuild/protobuf
 
 .PHONY: website-deps
 website-deps: ## Install Docusaurus deps for go generate
 	cd doc/website && npm install
 
-.PHONY: image
-image: build ## Docker image build
-	docker build . -t ${DOCKER_REPO}:v$(shell ./bin/holos --version)
-	docker push ${DOCKER_REPO}:v$(shell ./bin/holos --version)
+.PHONY: image # refer to .ko.yaml as well
+image:  ## Container image build
+	KO_DOCKER_REPO=$(DOCKER_REPO) GIT_DETAIL=$(GIT_DETAIL) GIT_SUFFIX=$(GIT_SUFFIX) ko build --platform=all --bare ./cmd/holos --tags $(GIT_DETAIL)$(GIT_SUFFIX)
+
+.PHONY: deploy
+deploy: image  ## DEPLOY TO PROD
+	GIT_DETAIL=$(GIT_DETAIL) GIT_SUFFIX=$(GIT_SUFFIX) bash ./hack/deploy
 
 .PHONY: website
 website: ## Build website

README.md

@@ -1,32 +1,3 @@
-## Holos - A Holostic Development Platform
+# k3d Platform
 
-<img width="50%"
-align="right"
-style="display: block; margin: 40px auto;"
-src="https://openinfrastructure.co/blog/2016/02/27/logo/logorectangle.png">
-
-Building and maintaining a software development platform is a complex and time
-consuming endeavour.  Organizations often dedicate a team of 3-4 who need 6-12
-months to build the platform.
-
-Holos is a tool and a reference platform to reduce the compexity and speed up
-the process of building a modern, cloud native software development platform.
-
- - **Accelerate new projects** - Reduce time to market and operational complexity by starting your new project on top of the Holos reference platform.
- - **Modernize existing projects** - Incrementally incorporate your existing platform services into Holos for simpler integration.
- - **Unified configuration model** - Increase safety and reduce the risk of config changes with CUE.
- - **First class Helm and Kustomize support** - Leverage and reuse your existing investment in existing configuration tools such as Helm and Kustomize.
- - **Modern Authentication and Authorization** - Holos seamlessly integrates platform identity and access mangement with zero-trust beyond corp style authorization policy.
-
-## Quick Installation
-```console
-go install github.com/holos-run/holos/cmd/holos@latest
-```
-
-## Docs and Support
-The documentation for developing and using Holos is avaialble at: https://holos.run
-
-For discussion and support, [open a discussion](https://github.com/orgs/holos-run/discussions/new/choose).
-
-## License
-Holos is licensed under Apache 2.0 as found in the [LICENSE file](LICENSE).
+Refer to https://holos.run/docs/tutorial/local/k3d

Tiltfile

@@ -1,5 +1,5 @@
 # -*- mode: Python -*-
-# This Tiltfile manages a Go project with live leload in Kubernetes
+# This Tiltfile manages a Go project with live reload in Kubernetes
 
 listen_port = 3000
 metrics_port = 9090
@@ -8,56 +8,21 @@ metrics_port = 9090
 if os.getenv('TILT_WRAPPER') != '1':
     fail("could not run, ./hack/tilt/bin/tilt was not used to start tilt")
 
-# AWS Account to work in
-aws_account = '271053619184'
-aws_region = 'us-east-2'
-
 # Resource ids
-holos_backend = 'Holos Backend'
-pg_admin = 'pgAdmin'
-pg_cluster = 'PostgresCluster'
-pg_svc = 'Database Pod'
+holos_backend = 'Holos Server'
 compile_id = 'Go Build'
-auth_id = 'Auth Policy'
-lint_id = 'Run Linters'
-tests_id = 'Run Tests'
-
-# PostgresCluster resource name in k8s
-pg_cluster_name = 'holos'
-# Database name inside the PostgresCluster
-pg_database_name = 'holos'
-# PGAdmin name
-pg_admin_name = 'pgadmin'
 
 # Default Registry.
 # See: https://github.com/tilt-dev/tilt.build/blob/master/docs/choosing_clusters.md#manual-configuration
 # Note, Tilt will append the image name to the registry uri path
-default_registry('{account}.dkr.ecr.{region}.amazonaws.com/holos-run/holos-server'.format(account=aws_account, region=aws_region))
+# default_registry('{account}.dkr.ecr.{region}.amazonaws.com/holos-run/holos'.format(account=aws_account, region=aws_region))
 
 # Set a name prefix specific to the user.  Multiple developers share the tilt-holos namespace.
 developer = os.getenv('USER')
 holos_server = 'holos'
-# See ./hack/tilt/bin/tilt
-namespace = os.getenv('NAMESPACE')
-# We always develop against the k1 cluster.
+
+# We always develop against the k3d-workload cluster
 os.putenv('KUBECONFIG', os.path.abspath('./hack/tilt/kubeconfig'))
-# The context defined in ./hack/tilt/kubeconfig
-allow_k8s_contexts('sso@k1')
-allow_k8s_contexts('sso@k2')
-allow_k8s_contexts('sso@k3')
-allow_k8s_contexts('sso@k4')
-allow_k8s_contexts('sso@k5')
-# PG db connection for localhost -> k8s port-forward
-os.putenv('PGHOST', 'localhost')
-os.putenv('PGPORT', '15432')
-# We always develop in the dev aws account.
-os.putenv('AWS_CONFIG_FILE', os.path.abspath('./hack/tilt/aws.config'))
-os.putenv('AWS_ACCOUNT', aws_account)
-os.putenv('AWS_DEFAULT_REGION', aws_region)
-os.putenv('AWS_PROFILE', 'dev-holos')
-os.putenv('AWS_SDK_LOAD_CONFIG', '1')
-# Authenticate to AWS ECR when tilt up is run by the developer
-local_resource('AWS Credentials', './hack/tilt/aws-login.sh', auto_init=True)
 
 # Extensions are open-source, pre-packaged functions that extend Tilt
 #
@@ -81,8 +46,8 @@ developer_paths = [
     './service/holos',
 ]
 
-# Builds the holos-server executable
-local_resource(compile_id, 'make build', deps=developer_paths)
+# Builds the holos executable GOOS=linux
+local_resource(compile_id, 'make linux', deps=developer_paths)
 
 # Build Docker image
 #   Tilt will automatically associate image builds with the resource(s)
@@ -91,84 +56,33 @@ local_resource(compile_id, 'make build', deps=developer_paths)
 #   More info: https://docs.tilt.dev/api.html#api.docker_build
 #
 docker_build_with_restart(
-    'holos',
+    'k3d-registry.holos.localhost:5100/holos',
     context='.',
     entrypoint=[
-        '/app/bin/holos',
+        '/app/bin/holos.linux',
         'server',
-        '--listen-port={}'.format(listen_port),
-        '--oidc-issuer=https://login.ois.run',
-        '--oidc-audience=262096764402729854@holos_platform',
-        '--log-level=debug',
-        '--metrics-port={}'.format(metrics_port),
+        '--log-format=text',
+        '--oidc-issuer=https://login.holos.run',
+        '--oidc-audience=275804490387516853@holos_quickstart', # auth proxy
+        '--oidc-audience=270319630705329162@holos_platform', # holos cli
     ],
-    dockerfile='./hack/tilt/Dockerfile',
+    dockerfile='./Dockerfile',
     only=['./bin'],
     # (Recommended) Updating a running container in-place
     # https://docs.tilt.dev/live_update_reference.html
     live_update=[
         # Sync files from host to container
-        sync('./bin', '/app/bin'),
-        # Wait for aws-login https://github.com/tilt-dev/tilt/issues/3048
-        sync('./tilt/aws-login.last', '/dev/null'),
-        # Execute commands in the container when paths change
-        # run('/app/hack/codegen.sh', trigger=['./app/api'])
+        sync('./bin/', '/app/bin/'),
     ],
 )
 
-
-# Run local commands
-#   Local commands can be helpful for one-time tasks like installing
-#   project prerequisites. They can also manage long-lived processes
-#   for non-containerized services or dependencies.
-#
-#   More info: https://docs.tilt.dev/local_resource.html
-#
-# local_resource('install-helm',
-#                cmd='which helm > /dev/null || brew install helm',
-#                # `cmd_bat`, when present, is used instead of `cmd` on Windows.
-#                cmd_bat=[
-#                    'powershell.exe',
-#                    '-Noninteractive',
-#                    '-Command',
-#                    '& {if (!(Get-Command helm -ErrorAction SilentlyContinue)) {scoop install helm}}'
-#                ]
-# )
-
-# Teach tilt about our custom resources (Note, this may be intended for workloads)
-# k8s_kind('authorizationpolicy')
-# k8s_kind('requestauthentication')
-# k8s_kind('virtualservice')
-k8s_kind('pgadmin')
-
-
 # Troubleshooting
 def resource_name(id):
     print('resource: {}'.format(id))
     return id.name
 
-
 workload_to_resource_function(resource_name)
 
-# Apply Kubernetes manifests
-#   Tilt will build & push any necessary images, re-deploying your
-#   resources as they change.
-#
-#   More info: https://docs.tilt.dev/api.html#api.k8s_yaml
-#
-
-def holos_yaml():
-    """Return a k8s Deployment personalized for the developer."""
-    k8s_yaml_template = str(read_file('./hack/tilt/k8s.yaml'))
-    return k8s_yaml_template.format(
-        name=holos_server,
-        developer=developer,
-        namespace=namespace,
-        listen_port=listen_port,
-        metrics_port=metrics_port,
-        tz=os.getenv('TZ'),
-    )
-
 # Customize a Kubernetes resource
 #   By default, Kubernetes resource names are automatically assigned
 #   based on objects in the YAML manifests, e.g. Deployment name.
@@ -179,133 +93,18 @@ def holos_yaml():
 #
 #   More info: https://docs.tilt.dev/api.html#api.k8s_resource
 #
-k8s_yaml(blob(holos_yaml()))
+k8s_yaml(blob(str(read_file('./hack/tilt/k8s/dev-holos-app/deployment.yaml'))))
 
 # Backend server process
 k8s_resource(
     workload=holos_server,
     new_name=holos_backend,
-    objects=[
-        '{}:serviceaccount'.format(holos_server),
-        '{}:servicemonitor'.format(holos_server),
-    ],
+    objects=[],
     resource_deps=[compile_id],
     links=[
-        link('https://{}.app.dev.k2.holos.run/ui/'.format(developer), "Holos Web UI")
-    ],
-)
-
-
-# AuthorizationPolicy - Beyond Corp functionality
-k8s_resource(
-    new_name=auth_id,
-    objects=[
-      '{}:virtualservice'.format(holos_server),
+        link('https://app.holos.localhost/ui/'.format(developer), "Holos Web UI")
     ],
 )
 
 # Database
-# Note: Tilt confuses the backup pods with the database server pods, so this code is careful to tease the pods
-# apart so logs are streamed correctly.
-# See: https://github.com/tilt-dev/tilt.specs/blob/master/resource_assembly.md
-
-# pgAdmin Web UI
-k8s_resource(
-    workload=pg_admin_name,
-    new_name=pg_admin,
-    port_forwards=[
-        port_forward(15050, 5050, pg_admin),
-    ],
-)
-
-# Disabled because these don't group resources nicely
-# k8s_kind('postgrescluster')
-
-# Postgres database in-cluster
-k8s_resource(
-    new_name=pg_cluster,
-    objects=['holos:postgrescluster'],
-)
-
-# Needed to select the database by label
-# https://docs.tilt.dev/api.html#api.k8s_custom_deploy
-k8s_custom_deploy(
-    pg_svc,
-    apply_cmd=['./hack/tilt/k8s-get-db-sts', pg_cluster_name],
-    delete_cmd=['echo', 'Skipping delete.  Object managed by custom resource.'],
-    deps=[],
-)
-k8s_resource(
-    pg_svc,
-    port_forwards=[
-        port_forward(15432, 5432, 'psql'),
-    ],
-    resource_deps=[pg_cluster]
-)
-
-
-# Run tests
-local_resource(
-    tests_id,
-    'make test',
-    allow_parallel=True,
-    auto_init=False,
-    deps=developer_paths,
-)
-
-# Run linter
-local_resource(
-    lint_id,
-    'make lint',
-    allow_parallel=True,
-    auto_init=False,
-    deps=developer_paths,
-)
-
-# UI Buttons for helpful things.
-# Icons: https://fonts.google.com/icons
-os.putenv("GH_FORCE_TTY", "80%")
-cmd_button(
-    '{}:go-test-failfast'.format(tests_id),
-    argv=['./hack/tilt/go-test-failfast'],
-    resource=tests_id,
-    icon_name='quiz',
-    text='Fail Fast',
-)
-cmd_button(
-    '{}:issues'.format(holos_server),
-    argv=['./hack/tilt/gh-issues'],
-    resource=holos_backend,
-    icon_name='folder_data',
-    text='Issues',
-)
-cmd_button(
-    '{}:gh-issue-view'.format(holos_server),
-    argv=['./hack/tilt/gh-issue-view'],
-    resource=holos_backend,
-    icon_name='task',
-    text='View Issue',
-)
-cmd_button(
-    '{}:get-pgdb-creds'.format(holos_server),
-    argv=['./hack/tilt/get-pgdb-creds', pg_cluster_name, pg_database_name],
-    resource=pg_svc,
-    icon_name='lock_open_right',
-    text='DB Creds',
-)
-cmd_button(
-    '{}:get-pgdb-creds'.format(pg_admin_name),
-    argv=['./hack/tilt/get-pgdb-creds', pg_cluster_name, pg_database_name],
-    resource=pg_admin,
-    icon_name='lock_open_right',
-    text='DB Creds',
-)
-cmd_button(
-    '{}:get-pgadmin-creds'.format(pg_admin_name),
-    argv=['./hack/tilt/get-pgadmin-creds', pg_admin_name],
-    resource=pg_admin,
-    icon_name='lock_open_right',
-    text='pgAdmin Login',
-)
-
 print("✨ Tiltfile evaluated")

cue.mod/module.cue

@@ -1 +0,0 @@
-module: "github.com/holos-run/holos"

doc/md/api/core/v1alpha2.md.11584

@@ -1,403 +0,0 @@
-<!-- Code generated by gomarkdoc. DO NOT EDIT -->
-
-# v1alpha2
-
-```go
-import "github.com/holos-run/holos/api/core/v1alpha2"
-```
-
-Package v1alpha2 contains the core API contract between the holos cli and CUE configuration code. Platform designers, operators, and software developers use this API to write configuration in CUE which \`holos\` loads. The overall shape of the API defines imperative actions \`holos\` should carry out to render the complete yaml that represents a Platform.
-
-[Platform](<#Platform>) defines the complete configuration of a platform. With the holos reference platform this takes the shape of one management cluster and at least two workload cluster. Each cluster has multiple [HolosComponent](<#HolosComponent>) resources applied to it.
-
-Each holos component path, e.g. \`components/namespaces\` produces exactly one [BuildPlan](<#BuildPlan>) which in turn contains a set of [HolosComponent](<#HolosComponent>) kinds.
-
-The primary kinds of [HolosComponent](<#HolosComponent>) are:
-
-1. [HelmChart](<#HelmChart>) to render config from a helm chart.
-2. [KustomizeBuild](<#KustomizeBuild>) to render config from [Kustomize](<#Kustomize>)
-3. [KubernetesObjects](<#KubernetesObjects>) to render [APIObjects](<#APIObjects>) defined directly in CUE configuration.
-
-Note that Holos operates as a data pipeline, so the output of a [HelmChart](<#HelmChart>) may be provided to [Kustomize](<#Kustomize>) for post\-processing.
-
-## Index
-
-- [Constants](<#constants>)
-- [type APIObject](<#APIObject>)
-- [type APIObjectMap](<#APIObjectMap>)
-- [type APIObjects](<#APIObjects>)
-- [type BuildPlan](<#BuildPlan>)
-- [type BuildPlanComponents](<#BuildPlanComponents>)
-- [type BuildPlanSpec](<#BuildPlanSpec>)
-- [type Chart](<#Chart>)
-- [type FileContent](<#FileContent>)
-- [type FileContentMap](<#FileContentMap>)
-- [type FilePath](<#FilePath>)
-- [type HelmChart](<#HelmChart>)
-- [type HolosComponent](<#HolosComponent>)
-- [type Kind](<#Kind>)
-- [type KubernetesObjects](<#KubernetesObjects>)
-- [type Kustomize](<#Kustomize>)
-- [type KustomizeBuild](<#KustomizeBuild>)
-- [type Label](<#Label>)
-- [type Metadata](<#Metadata>)
-- [type Platform](<#Platform>)
-- [type PlatformMetadata](<#PlatformMetadata>)
-- [type PlatformSpec](<#PlatformSpec>)
-- [type PlatformSpecComponent](<#PlatformSpecComponent>)
-- [type Repository](<#Repository>)
-
-
-## Constants
-
-<a name="APIVersion"></a>
-
-```go
-const (
-    APIVersion    = "v1alpha2"
-    BuildPlanKind = "BuildPlan"
-    HelmChartKind = "HelmChart"
-    // ChartDir is the directory name created in the holos component directory to cache a chart.
-    ChartDir = "vendor"
-    // ResourcesFile is the file name used to store component output when post-processing with kustomize.
-    ResourcesFile = "resources.yaml"
-)
-```
-
-<a name="KubernetesObjectsKind"></a>
-
-```go
-const KubernetesObjectsKind = "KubernetesObjects"
-```
-
-<a name="APIObject"></a>
-## APIObject
-
-APIObject represents the most basic generic form of a single kubernetes api object. Represented as a JSON object internally for compatibility between tools, for example loading from CUE.
-
-```go
-type APIObject structpb.Struct
-```
-
-<a name="APIObjectMap"></a>
-## APIObjectMap
-
-APIObjectMap represents the marshalled yaml representation of kubernetes api objects. Do not produce an APIObjectMap directly, instead use [APIObjects](<#APIObjects>) to produce the marshalled yaml representation from CUE data, then provide the result to [HolosComponent](<#HolosComponent>).
-
-```go
-type APIObjectMap map[Kind]map[Label]string
-```
-
-<a name="APIObjects"></a>
-## APIObjects
-
-APIObjects represents Kubernetes API objects defined directly from CUE code. Useful to mix in resources to any kind of [HolosComponent](<#HolosComponent>), for example adding an ExternalSecret resource to a [HelmChart](<#HelmChart>).
-
-[Kind](<#Kind>) must be the resource kind, e.g. Deployment or Service.
-
-[Label](<#Label>) is an arbitrary internal identifier to uniquely identify the resource within the context of a \`holos\` command. Holos will never write the intermediate label to rendered output.
-
-Refer to [HolosComponent](<#HolosComponent>) which accepts an [APIObjectMap](<#APIObjectMap>) field provided by [APIObjects](<#APIObjects>).
-
-```go
-type APIObjects struct {
-    APIObjects   map[Kind]map[Label]APIObject `json:"apiObjects"`
-    APIObjectMap APIObjectMap                 `json:"apiObjectMap"`
-}
-```
-
-<a name="BuildPlan"></a>
-## BuildPlan
-
-BuildPlan represents a build plan for the holos cli to execute. The purpose of a BuildPlan is to define one or more [HolosComponent](<#HolosComponent>) kinds. For example a [HelmChart](<#HelmChart>), [KustomizeBuild](<#KustomizeBuild>), or [KubernetesObjects](<#KubernetesObjects>).
-
-A BuildPlan usually has an additional empty [KubernetesObjects](<#KubernetesObjects>) for the purpose of using the [HolosComponent](<#HolosComponent>) DeployFiles field to deploy an ArgoCD or Flux gitops resource for the holos component.
-
-```go
-type BuildPlan struct {
-    Kind       string        `json:"kind" cue:"\"BuildPlan\""`
-    APIVersion string        `json:"apiVersion" cue:"string | *\"v1alpha2\""`
-    Spec       BuildPlanSpec `json:"spec"`
-}
-```
-
-<a name="BuildPlanComponents"></a>
-## BuildPlanComponents
-
-
-
-```go
-type BuildPlanComponents struct {
-    Resources             map[Label]KubernetesObjects `json:"resources,omitempty"`
-    KubernetesObjectsList []KubernetesObjects         `json:"kubernetesObjectsList,omitempty"`
-    HelmChartList         []HelmChart                 `json:"helmChartList,omitempty"`
-    KustomizeBuildList    []KustomizeBuild            `json:"kustomizeBuildList,omitempty"`
-}
-```
-
-<a name="BuildPlanSpec"></a>
-## BuildPlanSpec
-
-BuildPlanSpec represents the specification of the build plan.
-
-```go
-type BuildPlanSpec struct {
-    // Disabled causes the holos cli to take no action over the [BuildPlan].
-    Disabled bool `json:"disabled,omitempty"`
-    // Components represents multiple [HolosComponent] kinds to manage.
-    Components BuildPlanComponents `json:"components,omitempty"`
-}
-```
-
-<a name="Chart"></a>
-## Chart
-
-Chart represents a helm chart.
-
-```go
-type Chart struct {
-    // Name represents the chart name.
-    Name string `json:"name"`
-    // Version represents the chart version.
-    Version string `json:"version"`
-    // Release represents the chart release when executing helm template.
-    Release string `json:"release"`
-    // Repository represents the repository to fetch the chart from.
-    Repository Repository `json:"repository,omitempty"`
-}
-```
-
-<a name="FileContent"></a>
-## FileContent
-
-FileContent represents file contents.
-
-```go
-type FileContent string
-```
-
-<a name="FileContentMap"></a>
-## FileContentMap
-
-FileContentMap represents a mapping of file paths to file contents. Paths are relative to the \`holos\` output "deploy" directory, and may contain sub\-directories.
-
-```go
-type FileContentMap map[FilePath]FileContent
-```
-
-<a name="FilePath"></a>
-## FilePath
-
-FilePath represents a file path.
-
-```go
-type FilePath string
-```
-
-<a name="HelmChart"></a>
-## HelmChart
-
-HelmChart represents a holos component which wraps around an upstream helm chart. Holos orchestrates helm by providing values obtained from CUE, renders the output using \`helm template\`, then post\-processes the helm output yaml using the general functionality provided by [HolosComponent](<#HolosComponent>), for example [Kustomize](<#Kustomize>) post\-rendering and mixing in additional kubernetes api objects.
-
-```go
-type HelmChart struct {
-    HolosComponent `json:",inline"`
-    Kind           string `json:"kind" cue:"\"HelmChart\""`
-
-    // Chart represents a helm chart to manage.
-    Chart Chart `json:"chart"`
-    // ValuesContent represents the values.yaml file holos passes to the `helm
-    // template` command.
-    ValuesContent string `json:"valuesContent"`
-    // EnableHooks enables helm hooks when executing the `helm template` command.
-    EnableHooks bool `json:"enableHooks" cue:"bool | *false"`
-}
-```
-
-<a name="HolosComponent"></a>
-## HolosComponent
-
-HolosComponent defines the fields common to all holos component kinds. Every holos component kind should embed HolosComponent.
-
-```go
-type HolosComponent struct {
-    // Kind is a string value representing the resource this object represents.
-    Kind string `json:"kind"`
-    // APIVersion represents the versioned schema of this representation of an object.
-    APIVersion string `json:"apiVersion" cue:"string | *\"v1alpha2\""`
-    // Metadata represents data about the holos component such as the Name.
-    Metadata Metadata `json:"metadata"`
-
-    // APIObjectMap holds the marshalled representation of api objects.  Useful to
-    // mix in resources to each HolosComponent type, for example adding an
-    // ExternalSecret to a HelmChart HolosComponent.  Refer to [APIObjects].
-    APIObjectMap APIObjectMap `json:"apiObjectMap,omitempty"`
-
-    // DeployFiles represents file paths relative to the cluster deploy directory
-    // with the value representing the file content.  Intended for defining the
-    // ArgoCD Application resource or Flux Kustomization resource from within CUE,
-    // but may be used to render any file related to the build plan from CUE.
-    DeployFiles FileContentMap `json:"deployFiles,omitempty"`
-
-    // Kustomize represents a kubectl kustomize build post-processing step.
-    Kustomize `json:"kustomize,omitempty"`
-
-    // Skip causes holos to take no action regarding this component.
-    Skip bool `json:"skip" cue:"bool | *false"`
-}
-```
-
-<a name="Kind"></a>
-## Kind
-
-Kind is a kubernetes api object kind. Defined as a type for clarity and type checking.
-
-```go
-type Kind string
-```
-
-<a name="KubernetesObjects"></a>
-## KubernetesObjects
-
-KubernetesObjects represents a [HolosComponent](<#HolosComponent>) composed of Kubernetes API objects provided directly from CUE using [APIObjects](<#APIObjects>).
-
-```go
-type KubernetesObjects struct {
-    HolosComponent `json:",inline"`
-    Kind           string `json:"kind" cue:"\"KubernetesObjects\""`
-}
-```
-
-<a name="Kustomize"></a>
-## Kustomize
-
-Kustomize represents resources necessary to execute a kustomize build. Intended for at least two use cases:
-
-1. Process a [KustomizeBuild](<#KustomizeBuild>) [HolosComponent](<#HolosComponent>) which represents raw yaml file resources in a holos component directory.
-2. Post process a [HelmChart](<#HelmChart>) [HolosComponent](<#HolosComponent>) to inject istio, patch jobs, add custom labels, etc...
-
-```go
-type Kustomize struct {
-    // KustomizeFiles holds file contents for kustomize, e.g. patch files.
-    KustomizeFiles FileContentMap `json:"kustomizeFiles,omitempty"`
-    // ResourcesFile is the file name used for api objects in kustomization.yaml
-    ResourcesFile string `json:"resourcesFile,omitempty"`
-}
-```
-
-<a name="KustomizeBuild"></a>
-## KustomizeBuild
-
-KustomizeBuild represents a [HolosComponent](<#HolosComponent>) that renders plain yaml files in the holos component directory using \`kubectl kustomize build\`.
-
-```go
-type KustomizeBuild struct {
-    HolosComponent `json:",inline"`
-    Kind           string `json:"kind" cue:"\"KustomizeBuild\""`
-}
-```
-
-<a name="Label"></a>
-## Label
-
-Label is an arbitrary unique identifier internal to holos itself. The holos cli is expected to never write a Label value to rendered output files, therefore use a [Label](<#Label>) then the identifier must be unique and internal. Defined as a type for clarity and type checking.
-
-A Label is useful to convert a CUE struct to a list, for example producing a list of [APIObject](<#APIObject>) resources from an [APIObjectMap](<#APIObjectMap>). A CUE struct using Label keys is guaranteed to not lose data when rendering output because a Label is expected to never be written to the final output.
-
-```go
-type Label string
-```
-
-<a name="Metadata"></a>
-## Metadata
-
-Metadata represents data about the holos component such as the Name.
-
-```go
-type Metadata struct {
-    // Name represents the name of the holos component.
-    Name string `json:"name"`
-    // Namespace is the primary namespace of the holos component.  A holos
-    // component may manage resources in multiple namespaces, in this case
-    // consider setting the component namespace to default.
-    //
-    // This field is optional because not all resources require a namespace,
-    // particularly CRD's and DeployFiles functionality.
-    // +optional
-    Namespace string `json:"namespace,omitempty"`
-}
-```
-
-<a name="Platform"></a>
-## Platform
-
-Platform represents a platform to manage. A Platform resource informs holos which components to build. The platform resource also acts as a container for the platform model form values provided by the PlatformService. The primary use case is to collect the cluster names, cluster types, platform model, and holos components to build into one resource.
-
-```go
-type Platform struct {
-    // Kind is a string value representing the resource this object represents.
-    Kind string `json:"kind" cue:"\"Platform\""`
-    // APIVersion represents the versioned schema of this representation of an object.
-    APIVersion string `json:"apiVersion" cue:"string | *\"v1alpha2\""`
-    // Metadata represents data about the object such as the Name.
-    Metadata PlatformMetadata `json:"metadata"`
-
-    // Spec represents the specification.
-    Spec PlatformSpec `json:"spec"`
-}
-```
-
-<a name="PlatformMetadata"></a>
-## PlatformMetadata
-
-
-
-```go
-type PlatformMetadata struct {
-    // Name represents the Platform name.
-    Name string `json:"name"`
-}
-```
-
-<a name="PlatformSpec"></a>
-## PlatformSpec
-
-PlatformSpec represents the specification of a Platform. Think of a platform specification as a list of platform components to apply to a list of kubernetes clusters combined with the user\-specified Platform Model.
-
-```go
-type PlatformSpec struct {
-    // Model represents the platform model holos gets from from the
-    // PlatformService.GetPlatform rpc method and provides to CUE using a tag.
-    Model structpb.Struct `json:"model"`
-    // Components represents a list of holos components to manage.
-    Components []PlatformSpecComponent `json:"components"`
-}
-```
-
-<a name="PlatformSpecComponent"></a>
-## PlatformSpecComponent
-
-PlatformSpecComponent represents a holos component to build or render.
-
-```go
-type PlatformSpecComponent struct {
-    // Path is the path of the component relative to the platform root.
-    Path string `json:"path"`
-    // Cluster is the cluster name to provide when rendering the component.
-    Cluster string `json:"cluster"`
-}
-```
-
-<a name="Repository"></a>
-## Repository
-
-Repository represents a helm chart repository.
-
-```go
-type Repository struct {
-    Name string `json:"name"`
-    URL  string `json:"url"`
-}
-```
-
-Generated by [gomarkdoc](<https://github.com/princjef/gomarkdoc>)

doc/md/design/rendering.md

@@ -0,0 +1,47 @@
+# Rendering
+
+:::tip
+
+This document provides a brief overview of the rendering process, a core design
+element in Holos.
+
+:::
+
+Holos uses the Kubernetes resource model to manage configuration.  The `holos`
+command line interface is the primary method you'll use to manage your platform.
+Holos uses CUE to provide a unified configuration model of the platform.  This
+unified configuration is built up from components packaged with Helm, Kustomize,
+CUE, or any other tool that can produce Kubernetes resource manifests as output.
+
+This process can be thought of as a data **rendering pipeline**.  The key
+concept is that `holos` will always produce fully rendered output, but delegates
+the _application_ of the configuration to other tools like `kubectl apply`,
+ArgoCD, or Flux.
+
+```mermaid
+---
+title: Figure 2 - Render Pipeline
+---
+graph LR
+    PS[<a href="/docs/api/core/v1alpha2#PlatformSpec">PlatformSpec</a>]
+    BP[<a href="/docs/api/core/v1alpha2#BuildPlan">BuildPlan</a>]
+    HC[<a href="/docs/api/core/v1alpha2#HolosComponent">HolosComponent</a>]
+
+    H[<a href="/docs/api/core/v1alpha2#HelmChart">HelmChart</a>]
+    K[<a href="/docs/api/core/v1alpha2#KustomizeBuild">KustomizeBuild</a>]
+    O[<a href="/docs/api/core/v1alpha2#KubernetesObjects">KubernetesObjects</a>]
+
+    P[<a href="/docs/api/core/v1alpha2#Kustomize">Kustomize</a>]
+    Y[Kubernetes <br>Resources]
+    G[GitOps <br>Resource]
+
+    C[Kube API Server]
+
+    PS --> BP --> HC
+    HC --> H --> P
+    HC --> K --> P
+    HC --> O --> P
+
+    P --> Y --> C
+    P --> G --> C
+```

doc/md/glossary.md

@@ -0,0 +1,88 @@
+# Glossary
+
+This page describes the terms used within the context of Holos.
+
+## Platform
+
+In Holos, a Platform is a comprehensive environment configured using the
+Kubernetes resource model. It extends beyond traditional Kubernetes
+functionality by integrating cloud resources through Crossplane, allowing for a
+unified management approach across both Kubernetes and cloud infrastructure. A
+Platform typically consists of one Management Cluster, which handles control and
+secret management, and one or more Workload Clusters, where application
+workloads are deployed and run. This architecture enables a consistent and
+scalable approach to managing diverse resources and services within the
+cloud-native ecosystem.
+
+## Management Cluster
+
+In the context of Holos, a Management Cluster is a special Kubernetes cluster
+that hosts Kubernetes controllers.  For example, cert-manager, Cluster api, and
+Crossplane.  A management cluster manages a single platform.  The primary
+function of this cluster is to securely store and manage secrets, ensuring the
+secure handling of sensitive information such as credentials, API keys, and
+other confidential data. The Management Cluster serves as a centralized and
+secure control plane for the platform, facilitating the orchestration and
+management of other components.
+
+## Workload Cluster
+
+In Holos, a Workload Cluster is a Kubernetes cluster designed to host and run
+application workloads. Unlike the Management Cluster, which focuses on control
+and secret management, Workload Clusters are dedicated to executing the actual
+applications and services. These clusters can vary in size and configuration
+based on the specific needs of the applications they support. Workload Clusters
+leverage Kubernetes' orchestration capabilities to manage the deployment,
+scaling, and operation of containerized applications, providing a flexible and
+scalable environment for running production workloads within the platform.
+
+## Platform Form
+
+In Holos, a Platform Form is a customizable web form defined by JSON data. Each
+platform within Holos has a unique Platform Form, which serves as an interface
+for configuring and managing the platform's settings and resources. Platform
+engineers can customize the Platform Form by modifying the underlying CUE
+(Configuration Unified Engine) code, allowing for tailored configurations that
+meet specific requirements. This flexibility enables platform engineers to
+create a user-friendly and specific interface for managing the platform's
+components and operations.
+
+## Platform Model
+
+In Holos, the Platform Model represents the collection of values submitted
+through the Platform Form. It encapsulates the specific configuration details
+and settings defined by the platform engineers, serving as the blueprint for the
+platform's setup and operation. The Platform Model is essential for translating
+the customized options and parameters from the Platform Form into actionable
+configurations within the Holos ecosystem, ensuring that the platform operates
+according to the specified requirements and guidelines.
+
+## Secret Store
+
+In Holos, a SecretStore is a repository for securely storing and managing
+sensitive data such as passwords, API keys, and other confidential information.
+It is compatible with any secret store supported by the External Secrets
+Operator. By default, the management cluster serves as the SecretStore to
+minimize dependencies and simplify the architecture. This setup ensures that
+secrets are managed in a secure and centralized manner, aligning with the
+overall security framework of the platform.
+
+## Service Mesh
+
+In Holos, a Service Mesh is a dedicated infrastructure layer for managing,
+observing, and securing service-to-service communications within a microservices
+architecture. It typically includes features such as load balancing, traffic
+routing, service discovery, and security policies like mutual TLS and access
+control. The Service Mesh abstracts these functionalities away from the
+application code, providing a centralized control plane for managing the
+interactions between microservices. This facilitates better observability,
+resilience, and security in complex, distributed environments.
+
+## Zero Trust
+
+In the context of Holos and broader security practices, Zero Trust is a security
+model that assumes no implicit trust is granted to any user, system, or
+component inside or outside the network. Instead, every request for access is
+treated as potentially malicious, and verification is required at every stage.
+This model enforces strict identity verification, continuous monitoring, and
+least-privilege access policies.

doc/md/guides/argocd/index.mdx

@@ -0,0 +1,6 @@
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+
+# ArgoCD
+
+Coming soon.

doc/md/guides/backstage/index.md

@@ -0,0 +1,3 @@
+# Backstage
+
+Coming soon.

doc/md/guides/observability/index.md

@@ -0,0 +1,3 @@
+# Observability
+
+Coming soon.

doc/md/guides/overview.md

@@ -0,0 +1,17 @@
+# Overview
+
+<!-- https://kubernetes.io/docs/contribute/style/diagram-guide/ -->
+
+This tutorial covers the following process of getting started with Holos.
+
+```mermaid
+graph LR
+    A[1. Install <br>holos] -->
+    B[2. Register <br>account] -->
+    C[3. Generate <br>platform] -->
+    D[4. Render <br>platform] -->
+    E[5. Apply <br>config]
+ 
+    classDef box fill:#fff,stroke:#000,stroke-width:1px,color:#000;
+    class A,B,C,D,E box
+```

doc/md/guides/try-holos/index.mdx

@@ -0,0 +1,657 @@
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+
+# Try Holos Locally
+
+This guide walks through the process of building and managing a software
+development platform with Holos.  The k3d platform built in this guide is a
+slimmed down version of the larger, more holistic, Holos reference platform.
+
+Holos is different from existing tools in a few important ways.
+
+ 1. Holos provides a **unified configuration model** purpose built to improve on
+ unmodified Helm charts, Kustomize bases, or anything else that produces
+ structured configuration data.
+ 2. Holos all but **eliminates the need to template yaml**, a common source of
+ frustration and errors in production.
+ 3. Holos platforms are **composable** and have breadth.  The toolchain and
+ techniques scale down to one machine and up to multiple clusters across
+ multiple regions.
+ 4. The unified configuration model is well suited to a **Zero Trust security
+ model**.  Platform wide policy configuration is easier to manage with Holos.
+
+---
+
+This guide assumes commands are run locally.  Capitalized terms have specific
+definitions described in the [Glossary](/docs/glossary).
+
+## What you'll need {#Requirements}
+
+You'll need the following tools installed to complete this guide.
+
+1. [holos](/docs/guides/install) - to build the platform.
+2. [helm](https://helm.sh/docs/intro/install/) - to render Holos components that wrap upstream Helm charts.
+3. [k3d](https://k3d.io/#installation) - to provide a k8s api server.
+4. [OrbStack](https://docs.orbstack.dev/install) or [Docker](https://docs.docker.com/get-docker/) - to use k3d.
+5. [kubectl](https://kubernetes.io/docs/tasks/tools/) - to interact with the k8s api server.
+6. [mkcert](https://github.com/FiloSottile/mkcert?tab=readme-ov-file#installation) - to make trusted TLS certificates.
+7. [jq](https://jqlang.github.io/jq/download/) - to fiddle with JSON output.
+
+:::note
+
+Registering an account **is recommended** to try out proper authentication and
+authorization in Holos, but you can complete this guide without signing up.
+
+:::
+
+## Goal {#Goal}
+
+By the end of this guide you'll have built the foundation of a software
+development platform.  The foundation provides Zero Trust security by
+holistically integrating off-the-shelf open source software.
+
+  1. Istio is configured to authenticate and authorize requests using an OIDC
+  ID-Token issued by ZITADEL before requests reach backend services.
+  2. The platform provides single sign-on and role based access control for all
+  services running on the platform.
+
+This guide strives to keep things neat and tidy.  All of the resources are
+located in one k3d cluster and one local Git repository.  If you want to clean
+up at any point, do so with:
+
+```bash
+k3d cluster delete workload
+rm -rf holos-k3d
+```
+
+## Sign In or Out {#Sign-In}
+
+Holos provides integrated authentication and authorization which we'll use in
+this guide to protect a service.  We recommend registering an account to see
+this in action.  Registration also enables you to explore the customizable web
+form that simplifies complex configuration.
+
+If you opt-out, the platform will be configured to use a fake identity in place
+of real id tokens.
+
+<Tabs groupId="registration">
+  <TabItem value="registered" label="Sign In">
+    ```bash
+    holos register user
+    ```
+  </TabItem>
+  <TabItem value="unregistered" label="Opt Out">
+    ```bash
+    holos logout
+    ```
+  </TabItem>
+</Tabs>
+
+## Create the Platform {#Create-Platform}
+
+A server-side platform resource in Holos stores the web form used to simplify
+platform wide configuration.
+
+First, initialize an empty Git repository:
+
+```bash
+mkdir holos-k3d
+cd holos-k3d
+git init
+```
+
+<Tabs groupId="registration">
+  <TabItem value="registered" label="Signed In">
+    Use `holos` to make the rpc call to create the server-side platform
+    resource.
+
+    ```bash
+    holos create platform --name k3d --display-name "Try Holos Locally"
+    ```
+  </TabItem>
+  <TabItem value="unregistered" label="Signed Out">
+    Create a blank `platform.metadata.json` file so subsequent holos commands
+    skip rpc calls.
+
+    ```bash
+    touch platform.metadata.json
+    ```
+  </TabItem>
+</Tabs>
+
+### Generate the Platform {#Generate-Platform}
+
+Generate the platform code in the repository root.
+
+```bash
+holos generate platform k3d
+```
+
+Commit the generated platform config to the repository.
+
+```bash
+git add .
+git commit -m "holos generate platform k3d - $(holos --version)"
+```
+
+### Push the Platform Form
+
+Each Holos platform has a Platform Form used to submit top level, platform-wide
+configuration values.  The purpose of the form is to validate configuration
+values and simplify complicated configurations and integrations.
+
+<Tabs groupId="registration">
+  <TabItem value="registered" label="Signed In">
+    Push the Platform Form to publish it.  Browse to the printed URL to view the
+    form.
+
+    ```bash
+    holos push platform form .
+    ```
+  </TabItem>
+  <TabItem value="unregistered" label="Signed Out">
+    You will update the Platform Model locally in a later step so there's
+    nothing to do in this step.  Only signed-in users can push a Platform Form
+    to the Holos web server.
+
+    ```bash
+    # holos push platform form .
+    ```
+  </TabItem>
+</Tabs>
+
+The Platform Form is defined locally in `forms/platform/platform-form.cue`.
+
+On the web it looks like:
+![Platform Form Default Values](./form-pushed.png)
+
+### Update the Platform Model {#Platform-Model}
+
+Holos needs initial, top level configuration values to render the platform.  The
+Platform Model is the term we use for these values.  In this section you will
+configure role based access control by way of updating the Platform Model.
+
+In the k3d platform you're building now, role based access control is
+implemented by asserting against the oidc id token subject.  Update the form
+with the `sub` claim value from your id token.  This will ensure only you have
+access to platform services.
+
+<Tabs groupId="registration">
+  <TabItem value="registered" label="Signed In">
+    Copy and paste the `sub` value into your Platform Form's Subject field.
+
+    ```bash
+    holos login --print-claims --log-level=error | jq -r .sub
+    ```
+
+    After pasting the `sub` value, click Submit on the form.
+  </TabItem>
+  <TabItem value="unregistered" label="Signed Out">
+    You don't have an id token when you're signed out, so there's nothing for
+    you to do in this step.
+
+    ```bash
+    # holos login --print-claims --log-level=error | jq -r .sub
+    ```
+
+    The platform will be configured to assert against the User-Agent header
+    instead.
+  </TabItem>
+</Tabs>
+
+### Pull the Platform Model {#Pull-the-Platform-Model}
+
+The Platform Model needs to be pulled into the local Git repository after the
+form has been submitted. Next, we'll run `holos render` which operates
+exclusively on local files.
+
+Holos stores the Platform Model in the `platform.config.json` file. Holos
+provides this file as input to CUE when rendering the platform.  This file is
+intended to be added to version control.
+
+<Tabs groupId="registration">
+  <TabItem value="registered" label="Signed In">
+    Pull the updated Platform Model into the local repository.
+
+    ```bash
+    holos pull platform model .
+    ```
+  </TabItem>
+  <TabItem value="unregistered" label="Signed Out">
+    The `holos generate platform k3d` command should have created a default Platform
+    Model in `platform.config.json`.  As a result there's nothing to do in this
+    step.
+
+    ```bash
+    # holos pull platform model .
+    ```
+  </TabItem>
+</Tabs>
+
+```bash
+git add platform.config.json
+git commit -m "Add platform model"
+```
+
+## Render the Platform {#Render-the-Platform}
+
+Holos has everything necessary to render the platform once the
+`platform.config.json` file and the code from `holos generate` are in the
+current directory.
+
+Rendering a platform is the process of iterating over each platform component
+and rendering it into plain yaml. Holos does not apply the resulting manifests.
+Other tools like kubectl, ArgoCD, or Flux are responsible for applying the
+manifests.
+
+```bash
+holos render platform ./platform
+```
+
+The render command writes the manifest files to the `deploy/` directory.  Commit
+the files so they can be applied via GitOps later.
+
+```bash
+git add deploy
+git commit -m "holos render platform ./platform"
+```
+
+:::important
+
+⚡ Don't blink, this is where Holos actually builds the platform.  It usually
+takes no more than a few seconds.
+
+Rendering the holos reference platform currently results in about 500K lines of
+yaml.  In contrast, roughly 80K lines are produced by this slimmed down k3d
+platform.
+
+We mention this because the scale doesn't matter as much as it does with other
+tools.  Manage millions of lines of configuration with Holos the same way this
+guide manages thousands.  This is made possible by the unique way CUE unifies
+all configuration into one single model.
+
+:::
+
+## Create the Cluster {#Create-Cluster}
+
+The Workload Cluster is where your applications and services will be deployed.
+In production this is usually an EKS, GKE, or AKS cluster.
+
+:::tip
+
+Holos supports all compliant Kubernetes clusters. Holos was developed and tested
+on GKE, EKS, Talos, k3s, and Kubeadm clusters.
+
+:::
+
+<Tabs>
+  <TabItem value="evaluate" label="Try Holos" default>
+  Use this command when exploring Holos.
+
+  ```bash
+  k3d cluster create workload \
+    --port "443:443@loadbalancer" \
+    --k3s-arg "--disable=traefik@server:0"
+  ```
+
+  </TabItem>
+  <TabItem value="develop" label="Develop Holos">
+  Use this command when developing Holos.
+
+  ```bash
+  k3d registry create registry.holos.localhost --port 5100
+  ```
+
+  ```bash
+  k3d cluster create workload \
+    --registry-use k3d-registry.holos.localhost:5100 \
+    --port "443:443@loadbalancer" \
+    --k3s-arg "--disable=traefik@server:0"
+  ```
+
+  </TabItem>
+</Tabs>
+
+Traefik is disabled because Istio provides the same functionality.
+
+### Local CA {#Local-CA}
+
+Holos platforms use cert manager to issue tls certificates.  The browser and
+tools we're using need to trust these certificates to work together.  In this
+section we'll create a local trusted certificate authority.
+
+Admin access is necessary for `mkcert` to install the certificate into your
+trust stores.
+
+```bash
+sudo -v
+```
+
+```bash
+bash ./scripts/local-ca
+```
+
+### DNS Setup {#DNS}
+
+Configure your machine to resolve `*.holos.localhost` to your loopback
+interface.  This is necessary for requests to reach the workload cluster.
+
+<Tabs>
+  <TabItem value="macos" label="macOS" default>
+  Cache sudo credentials.
+
+  Admin access is necessary to setup a local dnsmasq instance and configure
+  macOS's DNS resolver.
+
+  ```bash
+  sudo -v
+  ```
+
+  Resolve *.holos.localhost DNS queries to 127.0.0.1.
+
+  ```bash
+  bash ./scripts/local-dns
+  ```
+
+  </TabItem>
+  <TabItem value="linux" label="Linux">
+    [NSS-myhostname](http://man7.org/linux/man-pages/man8/nss-myhostname.8.html)
+    ships with many Linux distributions and should resolve *.localhost
+    automatically to 127.0.0.1.
+
+    Otherwise it is installable with:
+
+    ```bash
+    sudo apt install libnss-myhostname
+    ```
+  </TabItem>
+  <TabItem value="windows" label="Windows">
+    Ensure the loopback interface has at least the following names in `C:\windows\system32\drivers\etc\hosts`
+
+    ```
+    127.0.0.1 httpbin.holos.localhost app.holos.localhost
+    ```
+  </TabItem>
+</Tabs>
+
+## Apply the Platform Components {#Apply-Platform-Components}
+
+Use `kubectl` to apply each platform component.  In production, it's common to
+fully automate this process with ArgoCD, but we use `kubectl` to the same
+effect.
+
+### Service Mesh
+
+The platform service mesh provides an ingress gateway and connectivity useful
+for observability, reliability, and security.
+
+#### Namespaces
+
+With Holos, components are automatically added to the namespaces component,
+useful for centrally managed policies.
+
+```bash
+kubectl apply --server-side=true -f ./deploy/clusters/workload/components/namespaces
+```
+
+#### Custom Resource Definitions
+
+```bash
+kubectl apply --server-side=true -f ./deploy/clusters/workload/components/gateway-api
+kubectl apply --server-side=true -f ./deploy/clusters/workload/components/istio-base
+```
+
+#### Cert Manager {#cert-manager}
+
+Apply the cert-manager controller.
+
+```bash
+kubectl apply --server-side=true -f ./deploy/clusters/workload/components/cert-manager
+```
+
+Apply the ClusterIssuer which issues Certificate resources using the local
+certificate authority.
+
+```bash
+kubectl -n cert-manager wait pod -l app.kubernetes.io/component=webhook --for=condition=Ready
+kubectl apply --server-side=true -f deploy/clusters/workload/components/local-ca
+kubectl apply --server-side=true -f deploy/clusters/workload/components/certificates
+```
+
+#### Istio {#Istio}
+
+Istio implements the Service Mesh.
+
+```bash
+kubectl apply --server-side=true -f ./deploy/clusters/workload/components/istio-cni
+kubectl apply --server-side=true -f ./deploy/clusters/workload/components/istiod
+kubectl apply --server-side=true -f ./deploy/clusters/workload/components/gateway
+```
+
+Verify the Gateway is programmed and the listeners have been accepted:
+
+```bash
+kubectl -n istio-gateways wait gateway default --for=condition=Accepted
+```
+
+#### httpbin {#httpbin}
+
+httpbin is a simple backend service useful for end-to-end testing.
+
+```bash
+kubectl apply --server-side=true -f deploy/clusters/workload/components/httpbin-backend
+kubectl apply --server-side=true -f deploy/clusters/workload/components/httpbin-routes
+kubectl -n holos-system wait pod -l app.kubernetes.io/instance=httpbin --for=condition=Ready
+```
+
+:::important
+
+Browse to [https://httpbin.holos.localhost/](https://httpbin.holos.localhost/)
+to verify end to end connectivity.  You should see the httpbin index page.
+
+:::
+
+### Authenticating Proxy
+
+The auth proxy is responsible for authenticating browser requests, handling the
+oidc authentication flow, and providing a signed id token to the rest of the
+services in the mesh.
+
+#### Cookie Secret
+
+The auth proxy stores session information in an encrypted cookie.  Generate a
+random cookie encryption Secret and apply.
+
+```bash
+LC_ALL=C tr -dc A-Za-z0-9 </dev/urandom \
+  | head -c 32 \
+  | kubectl create secret generic "authproxy" \
+    --from-file=cookiesecret=/dev/stdin \
+    --dry-run=client -o yaml \
+  | kubectl apply -n istio-gateways -f-
+```
+
+#### Deployment
+
+The auth proxy Deployment receives requests from web browsers and responds with
+an authentication decision.
+
+```bash
+kubectl apply --server-side=true -f deploy/clusters/workload/components/authproxy
+kubectl apply --server-side=true -f deploy/clusters/workload/components/authroutes
+```
+
+<Tabs groupId="registration">
+  <TabItem value="registered" label="Signed In">
+    Verify authentication is working by visiting
+    [https://httpbin.holos.localhost/holos/authproxy](https://httpbin.holos.localhost/holos/authproxy).
+    The auth proxy should respond with a simple `Authenticated` response.
+
+    Istio will respond with `no healthy upstream` until the pod becomes ready.
+    Wait for the pod to become ready with:
+
+    ```bash
+    kubectl -n holos-system wait pod -l app.kubernetes.io/instance=httpbin --for=condition=Ready
+    ```
+
+    Once authenticated, visit
+    [https://httpbin.holos.localhost/holos/authproxy/userinfo](https://httpbin.holos.localhost/holos/authproxy/userinfo)
+    which returns a subset of claims from your id token:
+
+    ```json
+    {
+      "user": "275552236589843464",
+      "email": "demo@holos.run",
+      "preferredUsername": "demo"
+    }
+    ```
+
+  </TabItem>
+  <TabItem value="unregistered" label="Signed Out">
+    The auth proxy will always try to sign you in when you are signed out, so
+    there isn't much to do here.  Please do take a moment to glance at the
+    Signed In tab to see how this would work if you were signed in.
+
+    The `k3d` platform relies on `https://login.holos.run` to issue id tokens.
+    Authorization has been configured against fake request headers instead of
+    the real `x-oidc-id-token` header.
+  </TabItem>
+</Tabs>
+
+### Authorization Policy
+
+Configure authorization policies using attributes of the authenticated request.
+Authorization policies route web requests through the auth proxy and then
+validate all requests against the `x-oidc-id-token` header.
+
+```bash
+kubectl apply --server-side=true -f deploy/clusters/workload/components/authpolicy
+```
+
+Istio make take a few seconds to program the Gateway with the
+AuthorizationPolicy resources.
+
+## Try out Zero Trust
+
+A basic Zero Trust security model is now in place.  The platform authenticates
+and authorizes requests before they reach the backend service.
+
+### Browser
+
+<Tabs groupId="registration">
+  <TabItem value="registered" label="Signed In">
+    The platform has been configured to authorize requests with a `x-oidc-id-token` header.
+
+    1. Verify authentication is working by browsing to [https://httpbin.holos.localhost/dump/request](https://httpbin.holos.localhost/dump/request).
+        - Refresh the page a few times.
+        - The `httpbin` backend pods should echo back the `x-oidc-id-token`
+        header injected by the auth proxy.
+    2. Note the `x-oidc-id-token` header is not sent by your browser but is
+    received by the backend service.
+        - This design reduces the risk of exposing id tokens in the browser.
+        - Browser request size remains constant as more claims are added to id
+        tokens.
+        - Reliability improves because id tokens often overflow request header
+        buffers when they pass through middle boxes across the internet.
+  </TabItem>
+  <TabItem value="unregistered" label="Signed Out">
+    The platform has been configured to authorize requests with a `User-Agent: anonymous` header.
+
+    1. Open an incognito window (Cmd+Shift+N) to verify the platform is
+    enforcing the authorization policy.
+    2. Browse to
+    [https://httpbin.holos.localhost/dump/request](https://httpbin.holos.localhost/dump/request)
+    you should be redirected to the sign in page by the auth proxy.
+        - You **do not** need to register or sign in.
+        - This step verifies the platform is redirecting unauthenticated
+        requests to the identity provider.
+        - Navigate back or close and re-open an incognito window.
+    3. Set your `User-Agent` header to `anonymous` using your browser developer tools.
+        - For Chrome the process is described
+        [here](https://developer.chrome.com/docs/devtools/device-mode/override-user-agent#override_the_user_agent_string).
+        - The purpose is to simulate an authenticated request.
+    4. Browse to
+    [https://httpbin.holos.localhost/dump/request](https://httpbin.holos.localhost/dump/request).
+        - The platform should allow the request through to the backend pod.
+        - `httpbin` should echo back your request which should contain `User-Agent: anonymous`.
+  </TabItem>
+</Tabs>
+
+### Command Line
+
+Verify unauthenticated requests are blocked by default outside the browser.
+
+```bash
+curl -I https://httpbin.holos.localhost/dump/request
+```
+
+You should receive a `HTTP/2 302` response that redirects to `location:
+https://login.holos.run` to start the oauth login flow.
+
+Next, verify authenticated requests are allowed.
+
+<Tabs groupId="registration">
+  <TabItem value="registered" label="Signed In">
+    The platform is configured to authenticate the id token present in the
+    `x-oidc-id-token` header.
+
+    💡 It also works with `grpcurl`.
+
+    ```bash
+    curl -H x-oidc-id-token:$(holos token) https://httpbin.holos.localhost/dump/request
+    ```
+  </TabItem>
+  <TabItem value="unregistered" label="Signed Out">
+    The platform is configured to authorize any request with `User-Agent:
+    anonymous` in place of validating the oidc id token.
+
+    💡 Take a moment to click the Signed In tab, I don't want you to miss how
+    cool `$(holos token)` is.
+
+    ```bash
+    curl -A anonymous https://httpbin.holos.localhost/dump/request
+    ```
+  </TabItem>
+</Tabs>
+
+You should receive a response showing the request headers the backend received.
+
+:::tip
+
+Note how the platform secures both web browser and command line api access to
+the backend httpbin service.  httpbin itself has no authentication or
+authorization functionality.
+
+:::
+
+## Summary
+
+Thank you for taking the time to try out Holos.  In this guide, you built the
+foundation of a software development platform that:
+
+ 1. Provides a unified configuration model with CUE that
+    - Supports unmodified Helm Charts, Kustomize Kustomizations, plain YAML.
+    - Provides a web form to pass top level parameters.
+ 2. Reduces errors by eliminating the need to template unstructured text.
+ 3. Is composable and scales down to a local machine.
+ 4. Provides an way to safely configure broad authentication and authorization
+ policy.
+
+## Next Steps
+
+Dive deeper with the following resources that build on the foundation you have now.
+
+ 1. Explore the [Rendering Process](/docs/design/rendering) in Holos.
+ 2. Dive deeper into the [Platform Manifests](./platform-manifests) rendered in this guide.
+ 3. Deploy [ArgoCD](/docs/guides/argocd) onto the foundation you built.
+ 4. Deploy [Backstage](/docs/guides/backstage) as a portal to the integrated platform components.
+
+## Clean-Up
+
+If you'd like to clean up the resources you created in this guide, remove them
+with:
+
+```bash
+k3d cluster delete workload
+rm -rf holos-k3d
+```

doc/md/guides/try-holos/platform-manifests.md

@@ -0,0 +1,137 @@
+# Platform Manifests
+
+This document provides an example of how Holos uses CUE and Helm to unify and
+render the platform configuration.  It refers to the manifests rendered in the
+[Try Holos Locally](/docs/guides/try-holos/) guide.
+
+Take a moment to review the manifests `holos` rendered to build the platform.
+
+### ArgoCD Application
+
+Note the Git URL in the Platform Model is used to derive the ArgoCD
+`Application` resource for all of the platform components.
+
+```yaml
+# deploy/clusters/workload/gitops/namespaces.application.gen.yaml
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: namespaces
+  namespace: argocd
+spec:
+  destination:
+    server: https://kubernetes.default.svc
+  project: default
+  source:
+    # highlight-next-line
+    path: /deploy/clusters/workload/components/namespaces
+    # highlight-next-line
+    repoURL: https://github.com/holos-run/holos-k3d.git
+    # highlight-next-line
+    targetRevision: HEAD
+```
+
+One ArgoCD `Application` resource is produced for each Holos component by
+default.  The CUE definition which produces the rendered output is defined in
+`buildplan.cue` around line 222.
+
+:::tip
+
+Note how CUE does not use error-prone text templates, the language is well
+specified and typed which reduces errors when unifying the configuration with
+the Platform Model in the following `#Argo` definition.
+
+:::
+
+```cue
+// buildplan.cue
+
+// #Argo represents an argocd Application resource for each component, written
+// using the #HolosComponent.deployFiles field.
+#Argo: {
+	ComponentName: string
+
+	Application: app.#Application & {
+		metadata: name:      ComponentName
+		metadata: namespace: "argocd"
+		spec: {
+			destination: server: "https://kubernetes.default.svc"
+			project: "default"
+			source: {
+        // highlight-next-line
+				path:           "\(_Platform.Model.argocd.deployRoot)/deploy/clusters/\(_ClusterName)/components/\(ComponentName)"
+        // highlight-next-line
+				repoURL:        _Platform.Model.argocd.repoURL
+        // highlight-next-line
+				targetRevision: _Platform.Model.argocd.targetRevision
+			}
+		}
+	}
+
+	// deployFiles represents the output files to write along side the component.
+	deployFiles: "clusters/\(_ClusterName)/gitops/\(ComponentName).application.gen.yaml": yaml.Marshal(Application)
+}
+```
+
+### Helm Chart
+
+The `cert-manger` component renders using the upstream Helm chart.  The build
+plan that defines the helm chart to use along with the values to provide looks
+like the following.
+
+:::tip
+
+Holos fully supports your existing Helm charts.  Consider leveraging `holos` as
+an alternative to umbrella charts.
+
+:::
+
+```cue
+// components/cert-manager/cert-manager.cue
+package holos
+
+// Produce a helm chart build plan.
+(#Helm & Chart).Output
+
+let Chart = {
+	Name:      "cert-manager"
+	Version:   "1.14.5"
+	Namespace: "cert-manager"
+
+	Repo: name: "jetstack"
+	Repo: url:  "https://charts.jetstack.io"
+
+  // highlight-next-line
+	Values: {
+		installCRDs: true
+		startupapicheck: enabled: false
+		// Must not use kube-system on gke autopilot.  GKE Warden blocks access.
+    // highlight-next-line
+		global: leaderElection: namespace: Namespace
+
+		// https://cloud.google.com/kubernetes-engine/docs/concepts/autopilot-resource-requests#min-max-requests
+		resources: requests: {
+			cpu:                 "250m"
+			memory:              "512Mi"
+			"ephemeral-storage": "100Mi"
+		}
+    // highlight-next-line
+		webhook: resources:        Values.resources
+    // highlight-next-line
+		cainjector: resources:     Values.resources
+    // highlight-next-line
+		startupapicheck: resource: Values.resources
+
+		// https://cloud.google.com/kubernetes-engine/docs/how-to/autopilot-spot-pods
+		nodeSelector: {
+			"kubernetes.io/os": "linux"
+			if _ClusterName == "management" {
+				"cloud.google.com/gke-spot": "true"
+			}
+		}
+		webhook: nodeSelector:         Values.nodeSelector
+		cainjector: nodeSelector:      Values.nodeSelector
+		startupapicheck: nodeSelector: Values.nodeSelector
+	}
+}
+```

doc/md/local-development.md

@@ -0,0 +1,28 @@
+# Local Development
+
+This document captures notes on locally developing Holos.
+
+Follow the steps in [Try Holos Locally](/docs/guides/try-holos), but take care
+to select `Develop` tabs when creating the k3d cluster so you have a local
+registry to push to.
+
+## Apply Resources
+
+Work will be done in the `dev-holos` namespace.
+
+Apply the infrastructure, which should persist when tilt is started / stopped.
+
+```bash
+kubectl apply --server-side=true -f ./hack/tilt/k8s/dev-holos-infra
+```
+
+This creates the PostgresCluster, service account, etc...
+
+## Start tilt
+
+Tilt will build the go executable, build the container, then push it to the
+local repository associated with k3d.
+
+```bash
+./hack/tilt/bin/tilt up
+```

doc/md/reference-platform/architecture.md

@@ -0,0 +1,3 @@
+# Architecture
+
+Coming soon.

doc/md/runbooks/login/backups.md

@@ -0,0 +1,10 @@
+# ZITADEL Backups
+
+Refer to [Schedule backups](https://cloudnative-pg.io/documentation/1.23/backup/#scheduled-backups)
+
+By default ZITADEL is backed up daily to S3.  When restoring into a new cluster
+of the same name, increment the revision variable to create a new blank folder
+for the new cluster WAL.  The cluster will not initialize unless the WAL
+directory is empty.
+
+The cluster will recovery from the previous rev.

doc/md/runbooks/login/failover.md

@@ -0,0 +1,3 @@
+## Overview
+
+TODO: This runbook needs to be updated to reflect the switch from PGO to CNPG.

doc/md/runbooks/postgres-backup.md

@@ -0,0 +1,3 @@
+# Postgres Full Backup
+
+Refer to [On-demand backups](https://cloudnative-pg.io/documentation/1.23/backup/#on-demand-backups)

doc/website/README.md

@@ -1,41 +1,34 @@
 # Website
 
-This website is built using [Docusaurus](https://docusaurus.io/), a modern static website generator.
+This website is built using [Docusaurus](https://docusaurus.io/), a modern
+static website generator.
 
-### Installation
+## Installation
 
-```
-$ yarn
+```shell
+npm install
 ```
 
 ### Local Development
 
-```
-$ yarn start
+```shell
+npm run start
 ```
 
-This command starts a local development server and opens up a browser window. Most changes are reflected live without having to restart the server.
+This command starts a local development server and opens up a browser window.
+Most changes are reflected live without having to restart the server.
 
 ### Build
 
-```
-$ yarn build
+```shell
+npm run build
 ```
 
-This command generates static content into the `build` directory and can be served using any static contents hosting service.
+This command generates static content into the `build` directory and can be
+served using any static contents hosting service.
 
 ### Deployment
 
-Using SSH:
-
-```
-$ USE_SSH=true yarn deploy
-```
-
-Not using SSH:
-
-```
-$ GIT_USER=<Your GitHub username> yarn deploy
-```
-
-If you are using GitHub pages for hosting, this command is a convenient way to build the website and push to the `gh-pages` branch.
+Deployments are made with Cloudflare Pages. Cloudflare deploys on changes to
+the main branch, and Pull Requests get comments with links to preview
+environments.

doc/website/blog/tags.yml

@@ -1,16 +1,4 @@
-facebook:
-  label: Facebook
-  permalink: /facebook
-  description: Facebook tag description
-hello:
-  label: Hello
-  permalink: /hello
-  description: Hello tag description
-docusaurus:
-  label: Docusaurus
-  permalink: /docusaurus
-  description: Docusaurus tag description
-hola:
-  label: Hola
-  permalink: /hola
-  description: Hola tag description
+holos:
+  label: Holos
+  permalink: /holos
+  description: Holos Platform

doc/website/docusaurus.config.ts

@@ -4,7 +4,7 @@ import type * as Preset from '@docusaurus/preset-classic';
 
 const config: Config = {
   title: 'Holos',
-  tagline: 'The Cloud Native Platform Distribution',
+  tagline: 'The Platform Operating System',
   favicon: 'img/favicon.ico',
 
   // Set the production url of your site here
@@ -12,6 +12,7 @@ const config: Config = {
   // Set the /<baseUrl>/ pathname under which your site is served
   // For GitHub pages deployment, it is often '/<projectName>/'
   baseUrl: '/',
+  trailingSlash: true,
 
   // GitHub pages deployment config.
   // If you aren't using GitHub pages, you don't need these.
@@ -29,6 +30,26 @@ const config: Config = {
     locales: ['en'],
   },
 
+  // https://docusaurus.io/docs/markdown-features/diagrams
+  markdown: {
+    mermaid: true
+  },
+
+  plugins: [
+    [
+      '@docusaurus/plugin-client-redirects',
+      {
+        redirects: [
+          {
+            to: "/docs/guides/try-holos/",
+            from: "/docs/tutorial/local/k3d/"
+          }
+        ],
+      },
+    ],
+  ],
+
+  themes: ['@docusaurus/theme-mermaid'],
   presets: [
     [
       'classic',
@@ -60,7 +81,12 @@ const config: Config = {
 
   themeConfig: {
     // Replace with your project's social card
-    image: 'img/docusaurus-social-card.jpg',
+    image: 'img/holos-social-card.png',
+    docs: {
+      sidebar: {
+        autoCollapseCategories: false,
+      }
+    },
     navbar: {
       title: '',
       logo: {
@@ -68,6 +94,12 @@ const config: Config = {
         srcDark: 'img/logo-dark.svg',
       },
       items: [
+        {
+          type: 'doc',
+          docId: 'guides/try-holos/index',
+          position: 'left',
+          label: 'Try Holos',
+        },
         {
           type: 'doc',
           docId: 'intro',
@@ -101,9 +133,17 @@ const config: Config = {
           title: 'Docs',
           items: [
             {
-              label: 'Tutorial',
+              label: 'Try Holos Locally',
+              to: '/docs/guides/try-holos',
+            },
+            {
+              label: 'Documentation',
               to: '/docs/intro',
             },
+            {
+              label: 'API Reference',
+              to: '/docs/api/core/v1alpha2',
+            },
           ],
         },
         {
@@ -154,6 +194,10 @@ const config: Config = {
         },
       ],
     },
+    mermaid: {
+      // Refer to https://mermaid.js.org/config/theming.html
+      theme: { light: 'neutral', dark: 'dark' },
+    },
   } satisfies Preset.ThemeConfig,
 };
 

doc/website/package.json

@@ -16,7 +16,9 @@
   },
   "dependencies": {
     "@docusaurus/core": "3.4.0",
+    "@docusaurus/plugin-client-redirects": "^3.4.0",
     "@docusaurus/preset-classic": "3.4.0",
+    "@docusaurus/theme-mermaid": "^3.4.0",
     "@mdx-js/react": "^3.0.0",
     "clsx": "^2.0.0",
     "prism-react-renderer": "^2.3.0",
@@ -28,6 +30,7 @@
     "@docusaurus/tsconfig": "^3.4.0",
     "@docusaurus/types": "^3.4.0",
     "@wcj/html-to-markdown-cli": "^2.1.1",
+    "cspell": "^8.10.4",
     "html-to-markdown": "^1.0.0",
     "typescript": "~5.2.2"
   },

doc/website/sidebars.ts

@@ -15,16 +15,38 @@ const sidebars: SidebarsConfig = {
     'intro',
     {
       type: 'category',
-      label: 'Tutorial',
+      label: 'Guides',
+      collapsed: false,
       items: [
-        'tutorial/start',
-        'tutorial/register',
+        'guides/install',
+        'guides/try-holos/index',
+        'guides/try-holos/platform-manifests',
+        'guides/argocd/index',
+        'guides/backstage/index',
+        'guides/observability/index',
       ],
     },
+    {
+      type: 'category',
+      label: 'Design',
+      collapsed: false,
+      items: [
+        'design/rendering',
+      ],
+    },
+    {
+      type: 'category',
+      label: 'Reference Platform',
+      collapsed: false,
+      items: [
+        'reference-platform/architecture',
+      ],
+    },
+    'glossary',
   ],
   api: [
+    'api/core/v1alpha2',
     'cli',
-    'api/core/v1alpha2'
   ],
 };
 

doc/website/src/components/HomepageFeatures/index.tsx

@@ -10,38 +10,40 @@ type FeatureItem = {
 
 const FeatureList: FeatureItem[] = [
   {
-    title: 'Easy to Use',
-    Svg: require('@site/static/img/undraw_docusaurus_mountain.svg').default,
+    title: 'Zero Trust Security',
+    Svg: require('@site/static/img/base00/undraw_security_on_re_e491.svg').default,
     description: (
       <>
-        Docusaurus was designed from the ground up to be easily installed and
-        used to get your website up and running quickly.
+        Spend more time on your business features and less time rebuilding
+        authentication and authorization.  Holos provides zero trust security
+        with no code needed to protect your services.
       </>
     ),
   },
   {
-    title: 'Focus on What Matters',
-    Svg: require('@site/static/img/undraw_docusaurus_tree.svg').default,
+    title: 'Multi-Cloud',
+    Svg: require('@site/static/img/base00/undraw_cloud_hosting_7xb1.svg').default,
     description: (
       <>
-        Docusaurus lets you focus on your docs, and we&apos;ll do the chores. Go
-        ahead and move your docs into the <code>docs</code> directory.
+        Avoid vendor lock in, downtime, and price hikes.  Holos is designed to
+        easily deploy workloads into multiple clouds and multiple regions.
       </>
     ),
   },
   {
-    title: 'Powered by React',
-    Svg: require('@site/static/img/undraw_docusaurus_react.svg').default,
+    title: 'Developer Portal',
+    Svg: require('@site/static/img/base00/undraw_data_trends_re_2cdy.svg').default,
     description: (
       <>
-        Extend or customize your website layout by reusing React. Docusaurus can
-        be extended while reusing the same header and footer.
+        Ship high quality code quickly, provide a great developer experience,
+        and maintain control over your infrastructure with the integrated
+        Backstage developer portal.
       </>
     ),
   },
 ];
 
-function Feature({title, Svg, description}: FeatureItem) {
+function Feature({ title, Svg, description }: FeatureItem) {
   return (
     <div className={clsx('col col--4')}>
       <div className="text--center">

doc/website/src/css/custom.css

@@ -6,29 +6,34 @@
 
 /* You can override the default Infima variables here. */
 :root {
+  --ifm-link-color: #268bd2;
+  --docusaurus-highlighted-code-line-bg: #eee8d5;
+
   /* Solarized Base03 */
   --ifm-color-primary: #002b36;
   /* Solarized Base3 */
   --ifm-color-primary-light-background: #fdf6e3;
 
-  /* Solarized Base02 */
-  --ifm-color-primary-dark: #073642;
+  /* Solarized Base00 */
+  --ifm-color-primary-dark: #657b83;
   /* Solarized Base01 */
   --ifm-color-primary-darker: #586e75;
-  /* Solarized Base00 */
-  --ifm-color-primary-darkest: #657b83;
-  /* Solarized Base2 */
-  --ifm-color-primary-light: #eee8d5;
+  /* Solarized Base02 */
+  --ifm-color-primary-darkest: #073642;
+  /* Solarized Base0 */
+  --ifm-color-primary-light: #839496;
   /* Solarized Base1 */
   --ifm-color-primary-lighter: #93a1a1;
-  /* Solarized Base0 */
-  --ifm-color-primary-lightest: #839496;
+  /* Solarized Base2 */
+  --ifm-color-primary-lightest: #eee8d5;
   --ifm-code-font-size: 95%;
-  --docusaurus-highlighted-code-line-bg: rgba(0, 0, 0, 0.1);
 }
 
 /* For readability concerns, you should choose a lighter palette in dark mode. */
 [data-theme='dark'] {
+  --ifm-link-color: #268bd2;
+  --docusaurus-highlighted-code-line-bg: #073642;
+
   /* Solarized Base3 */
   --ifm-color-primary: #fdf6e3;
   /* Solarized Base03 */
@@ -47,5 +52,4 @@
   /* Solarized Base0 */
   --ifm-color-primary-lightest: #839496;
   --ifm-code-font-size: 95%;
-  --docusaurus-highlighted-code-line-bg: rgba(0, 0, 0, 0.3);
 }

doc/website/src/pages/index.tsx

@@ -16,6 +16,11 @@ function HomepageHeader() {
           {siteConfig.title}
         </Heading>
         <p className="hero__subtitle">{siteConfig.tagline}</p>
+        <p className="projectDesc">
+          Holos is a holistic software development platform built from the most
+          popular open source projects.<br /> Build your developer platform in
+          no time.
+        </p>
         <div className={styles.buttons}>
           <Link
             className="button button--secondary button--lg"

doc/website/website.go

@@ -1,29 +0,0 @@
-// Package website embeds the docs website for the server subcommand.  Docs are
-// served at /docs similar to how the ui is served at /ui.
-package website
-
-// DISABLED go:generate rm -rf build
-// DISABLED go:generate mkdir build
-// DISABLED go:generate npm run build
-// DISABLED go:generate touch $GOFILE
-
-import (
-	"embed"
-	"io/fs"
-)
-
-// Output must be the relative path to where the build tool places the static
-// site index.html file.
-const OutputPath = "build"
-
-//go:embed all:build
-var Dist embed.FS
-
-// Root returns the static site root directory.
-func Root() fs.FS {
-	sub, err := fs.Sub(Dist, OutputPath)
-	if err != nil {
-		panic(err)
-	}
-	return sub
-}

docs/examples/api/ListPlatform/listplatform.json

@@ -1,10 +0,0 @@
-{
-  "org_id": "018f36fb-e3f7-7f7f-a1c5-c85fb735d215",
-  "field_mask": {
-    "paths": [
-      "id",
-      "name",
-      "displayName"
-    ]
-  }
-}

docs/examples/api/UpdatePlatform/clearform.json

@@ -1,8 +0,0 @@
-{
-  "update_mask": {
-    "paths": ["form"]
-  },
-  "update": {
-    "platform_id": "018f36fb-e3ff-7f7f-a5d1-7ca2bf499e94"
-  }
-}

docs/examples/api/UpdatePlatform/model.json

@@ -1,11 +0,0 @@
-{
-  "update_mask": {
-    "paths": ["model","name","display_name"]
-  },
-  "update": {
-    "platform_id": "018f36fb-e3ff-7f7f-a5d1-7ca2bf499e94",
-    "name": "bareplatform",
-    "display_name": "Bare Platform",
-    "model": {}
-  }
-}

docs/examples/api/UpdatePlatform/nomask.json

@@ -1,6 +0,0 @@
-{
-  "update": {
-    "platform_id": "018f36fb-e3ff-7f7f-a5d1-7ca2bf499e94",
-    "model": {}
-  }
-}

docs/examples/authpolicy.cue

@@ -1,45 +0,0 @@
-package holos
-
-import ap "security.istio.io/authorizationpolicy/v1"
-
-// #AuthPolicyRules represents AuthorizationPolicy rules for hosts that need
-// specialized treatment.  Entries in this struct are excluded from
-// AuthorizationPolicy/authproxy-custom in the istio-ingress namespace.  Entries
-// are added to their own AuthorizationPolicy.
-#AuthPolicyRules: {
-	// AuthProxySpec represents the identity provider configuration
-	AuthProxySpec: #AuthProxySpec & #Platform.authproxy
-
-	// Hosts are hosts that need specialized treatment
-	hosts: {
-		[Name=_]: {
-			// name is the fully qualifed hostname, a Host: header value.
-			name: Name
-			// slug is the resource name prefix
-			slug: string
-			// NoAuthorizationPolicy disables an AuthorizationPolicy for the host
-			NoAuthorizationPolicy: true | *false
-
-			// Refer to https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule
-			spec: ap.#AuthorizationPolicySpec & {
-				action: "CUSTOM"
-				provider: name: AuthProxySpec.provider
-				selector: matchLabels: istio: "ingressgateway"
-			}
-		}
-	}
-
-	objects: #APIObjects & {
-		for Host in hosts {
-			if Host.NoAuthorizationPolicy == false {
-				apiObjects: {
-					AuthorizationPolicy: "\(Host.slug)-custom": {
-						metadata: namespace: "istio-ingress"
-						metadata: name:      "\(Host.slug)-custom"
-						spec: Host.spec
-					}
-				}
-			}
-		}
-	}
-}

docs/examples/cue.mod/gen/acme.cert-manager.io/order/v1/types_gen.cue

@@ -1,82 +0,0 @@
-// Code generated by timoni. DO NOT EDIT.
-
-//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-certmanager/prod-mesh-certmanager.gen.yaml
-
-package v1
-
-import "strings"
-
-// Order is a type to represent an Order with an ACME server
-#Order: {
-	// APIVersion defines the versioned schema of this representation
-	// of an object. Servers should convert recognized schemas to the
-	// latest internal value, and may reject unrecognized values.
-	// More info:
-	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-	apiVersion: "acme.cert-manager.io/v1"
-
-	// Kind is a string value representing the REST resource this
-	// object represents. Servers may infer this from the endpoint
-	// the client submits requests to. Cannot be updated. In
-	// CamelCase. More info:
-	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-	kind: "Order"
-	metadata: {
-		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
-			string
-		}
-		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
-			string
-		}
-		labels?: {
-			[string]: string
-		}
-		annotations?: {
-			[string]: string
-		}
-	}
-	spec!: #OrderSpec
-}
-#OrderSpec: {
-	// CommonName is the common name as specified on the DER encoded
-	// CSR. If specified, this value must also be present in
-	// `dnsNames` or `ipAddresses`. This field must match the
-	// corresponding field on the DER encoded CSR.
-	commonName?: string
-
-	// DNSNames is a list of DNS names that should be included as part
-	// of the Order validation process. This field must match the
-	// corresponding field on the DER encoded CSR.
-	dnsNames?: [...string]
-
-	// Duration is the duration for the not after date for the
-	// requested certificate. this is set on order creation as pe the
-	// ACME spec.
-	duration?: string
-
-	// IPAddresses is a list of IP addresses that should be included
-	// as part of the Order validation process. This field must match
-	// the corresponding field on the DER encoded CSR.
-	ipAddresses?: [...string]
-
-	// IssuerRef references a properly configured ACME-type Issuer
-	// which should be used to create this Order. If the Issuer does
-	// not exist, processing will be retried. If the Issuer is not an
-	// 'ACME' Issuer, an error will be returned and the Order will be
-	// marked as failed.
-	issuerRef: {
-		// Group of the resource being referred to.
-		group?: string
-
-		// Kind of the resource being referred to.
-		kind?: string
-
-		// Name of the resource being referred to.
-		name: string
-	}
-
-	// Certificate signing request bytes in DER encoding. This will be
-	// used when finalizing the order. This field must be set on the
-	// order.
-	request: string
-}

docs/examples/cue.mod/gen/argoproj.io/appproject/v1alpha1/types_gen.cue

@@ -1,189 +0,0 @@
-// Code generated by timoni. DO NOT EDIT.
-
-//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-platform-argocd/prod-platform-argocd.gen.yaml
-
-package v1alpha1
-
-import "strings"
-
-// AppProject provides a logical grouping of applications,
-// providing controls for: * where the apps may deploy to
-// (cluster whitelist) * what may be deployed (repository
-// whitelist, resource whitelist/blacklist) * who can access
-// these applications (roles, OIDC group claims bindings) * and
-// what they can do (RBAC policies) * automation access to these
-// roles (JWT tokens)
-#AppProject: {
-	// APIVersion defines the versioned schema of this representation
-	// of an object. Servers should convert recognized schemas to the
-	// latest internal value, and may reject unrecognized values.
-	// More info:
-	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-	apiVersion: "argoproj.io/v1alpha1"
-
-	// Kind is a string value representing the REST resource this
-	// object represents. Servers may infer this from the endpoint
-	// the client submits requests to. Cannot be updated. In
-	// CamelCase. More info:
-	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-	kind: "AppProject"
-	metadata: {
-		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
-			string
-		}
-		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
-			string
-		}
-		labels?: {
-			[string]: string
-		}
-		annotations?: {
-			[string]: string
-		}
-	}
-
-	// AppProjectSpec is the specification of an AppProject
-	spec!: #AppProjectSpec
-}
-
-// AppProjectSpec is the specification of an AppProject
-#AppProjectSpec: {
-	// ClusterResourceBlacklist contains list of blacklisted cluster
-	// level resources
-	clusterResourceBlacklist?: [...{
-		group: string
-		kind:  string
-	}]
-
-	// ClusterResourceWhitelist contains list of whitelisted cluster
-	// level resources
-	clusterResourceWhitelist?: [...{
-		group: string
-		kind:  string
-	}]
-
-	// Description contains optional project description
-	description?: string
-
-	// Destinations contains list of destinations available for
-	// deployment
-	destinations?: [...{
-		// Name is an alternate way of specifying the target cluster by
-		// its symbolic name. This must be set if Server is not set.
-		name?: string
-
-		// Namespace specifies the target namespace for the application's
-		// resources. The namespace will only be set for namespace-scoped
-		// resources that have not set a value for .metadata.namespace
-		namespace?: string
-
-		// Server specifies the URL of the target cluster's Kubernetes
-		// control plane API. This must be set if Name is not set.
-		server?: string
-	}]
-
-	// NamespaceResourceBlacklist contains list of blacklisted
-	// namespace level resources
-	namespaceResourceBlacklist?: [...{
-		group: string
-		kind:  string
-	}]
-
-	// NamespaceResourceWhitelist contains list of whitelisted
-	// namespace level resources
-	namespaceResourceWhitelist?: [...{
-		group: string
-		kind:  string
-	}]
-
-	// OrphanedResources specifies if controller should monitor
-	// orphaned resources of apps in this project
-	orphanedResources?: {
-		// Ignore contains a list of resources that are to be excluded
-		// from orphaned resources monitoring
-		ignore?: [...{
-			group?: string
-			kind?:  string
-			name?:  string
-		}]
-
-		// Warn indicates if warning condition should be created for apps
-		// which have orphaned resources
-		warn?: bool
-	}
-
-	// PermitOnlyProjectScopedClusters determines whether destinations
-	// can only reference clusters which are project-scoped
-	permitOnlyProjectScopedClusters?: bool
-
-	// Roles are user defined RBAC roles associated with this project
-	roles?: [...{
-		// Description is a description of the role
-		description?: string
-
-		// Groups are a list of OIDC group claims bound to this role
-		groups?: [...string]
-
-		// JWTTokens are a list of generated JWT tokens bound to this role
-		jwtTokens?: [...{
-			exp?: int
-			iat:  int
-			id?:  string
-		}]
-
-		// Name is a name for this role
-		name: string
-
-		// Policies Stores a list of casbin formatted strings that define
-		// access policies for the role in the project
-		policies?: [...string]
-	}]
-
-	// SignatureKeys contains a list of PGP key IDs that commits in
-	// Git must be signed with in order to be allowed for sync
-	signatureKeys?: [...{
-		// The ID of the key in hexadecimal notation
-		keyID: string
-	}]
-
-	// SourceNamespaces defines the namespaces application resources
-	// are allowed to be created in
-	sourceNamespaces?: [...string]
-
-	// SourceRepos contains list of repository URLs which can be used
-	// for deployment
-	sourceRepos?: [...string]
-
-	// SyncWindows controls when syncs can be run for apps in this
-	// project
-	syncWindows?: [...{
-		// Applications contains a list of applications that the window
-		// will apply to
-		applications?: [...string]
-
-		// Clusters contains a list of clusters that the window will apply
-		// to
-		clusters?: [...string]
-
-		// Duration is the amount of time the sync window will be open
-		duration?: string
-
-		// Kind defines if the window allows or blocks syncs
-		kind?: string
-
-		// ManualSync enables manual syncs when they would otherwise be
-		// blocked
-		manualSync?: bool
-
-		// Namespaces contains a list of namespaces that the window will
-		// apply to
-		namespaces?: [...string]
-
-		// Schedule is the time the window will begin, specified in cron
-		// format
-		schedule?: string
-
-		// TimeZone of the sync that will be applied to the schedule
-		timeZone?: string
-	}]
-}

docs/examples/cue.mod/gen/cert-manager.io/certificate/v1/types_gen.cue

@@ -1,422 +0,0 @@
-// Code generated by timoni. DO NOT EDIT.
-
-//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-certmanager/prod-mesh-certmanager.gen.yaml
-
-package v1
-
-import "strings"
-
-// A Certificate resource should be created to ensure an up to
-// date and signed X.509 certificate is stored in the Kubernetes
-// Secret resource named in `spec.secretName`.
-// The stored certificate will be renewed before it expires (as
-// configured by `spec.renewBefore`).
-#Certificate: {
-	// APIVersion defines the versioned schema of this representation
-	// of an object. Servers should convert recognized schemas to the
-	// latest internal value, and may reject unrecognized values.
-	// More info:
-	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-	apiVersion: "cert-manager.io/v1"
-
-	// Kind is a string value representing the REST resource this
-	// object represents. Servers may infer this from the endpoint
-	// the client submits requests to. Cannot be updated. In
-	// CamelCase. More info:
-	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-	kind: "Certificate"
-	metadata!: {
-		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
-			string
-		}
-		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
-			string
-		}
-		labels?: {
-			[string]: string
-		}
-		annotations?: {
-			[string]: string
-		}
-	}
-
-	// Specification of the desired state of the Certificate resource.
-	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
-	spec!: #CertificateSpec
-}
-
-// Specification of the desired state of the Certificate resource.
-// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
-#CertificateSpec: {
-	// Defines extra output formats of the private key and signed
-	// certificate chain to be written to this Certificate's target
-	// Secret.
-	// This is an Alpha Feature and is only enabled with the
-	// `--feature-gates=AdditionalCertificateOutputFormats=true`
-	// option set on both the controller and webhook components.
-	additionalOutputFormats?: [...{
-		// Type is the name of the format type that should be written to
-		// the Certificate's target Secret.
-		type: "DER" | "CombinedPEM"
-	}]
-
-	// Requested common name X509 certificate subject attribute. More
-	// info:
-	// https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
-	// NOTE: TLS clients will ignore this value when any subject
-	// alternative name is set (see
-	// https://tools.ietf.org/html/rfc6125#section-6.4.4).
-	// Should have a length of 64 characters or fewer to avoid
-	// generating invalid CSRs. Cannot be set if the `literalSubject`
-	// field is set.
-	commonName?: string
-
-	// Requested DNS subject alternative names.
-	dnsNames?: [...string]
-
-	// Requested 'duration' (i.e. lifetime) of the Certificate. Note
-	// that the issuer may choose to ignore the requested duration,
-	// just like any other requested attribute.
-	// If unset, this defaults to 90 days. Minimum accepted duration
-	// is 1 hour. Value must be in units accepted by Go
-	// time.ParseDuration https://golang.org/pkg/time/#ParseDuration.
-	duration?: string
-
-	// Requested email subject alternative names.
-	emailAddresses?: [...string]
-
-	// Whether the KeyUsage and ExtKeyUsage extensions should be set
-	// in the encoded CSR.
-	// This option defaults to true, and should only be disabled if
-	// the target issuer does not support CSRs with these X509
-	// KeyUsage/ ExtKeyUsage extensions.
-	encodeUsagesInRequest?: bool
-
-	// Requested IP address subject alternative names.
-	ipAddresses?: [...string]
-
-	// Requested basic constraints isCA value. The isCA value is used
-	// to set the `isCA` field on the created CertificateRequest
-	// resources. Note that the issuer may choose to ignore the
-	// requested isCA value, just like any other requested attribute.
-	// If true, this will automatically add the `cert sign` usage to
-	// the list of requested `usages`.
-	isCA?: bool
-
-	// Reference to the issuer responsible for issuing the
-	// certificate. If the issuer is namespace-scoped, it must be in
-	// the same namespace as the Certificate. If the issuer is
-	// cluster-scoped, it can be used from any namespace.
-	// The `name` field of the reference must always be specified.
-	issuerRef: {
-		// Group of the resource being referred to.
-		group?: string
-
-		// Kind of the resource being referred to.
-		kind?: string
-
-		// Name of the resource being referred to.
-		name: string
-	}
-
-	// Additional keystore output formats to be stored in the
-	// Certificate's Secret.
-	keystores?: {
-		// JKS configures options for storing a JKS keystore in the
-		// `spec.secretName` Secret resource.
-		jks?: {
-			// Create enables JKS keystore creation for the Certificate. If
-			// true, a file named `keystore.jks` will be created in the
-			// target Secret resource, encrypted using the password stored in
-			// `passwordSecretRef`. The keystore file will be updated
-			// immediately. If the issuer provided a CA certificate, a file
-			// named `truststore.jks` will also be created in the target
-			// Secret resource, encrypted using the password stored in
-			// `passwordSecretRef` containing the issuing Certificate
-			// Authority
-			create: bool
-
-			// PasswordSecretRef is a reference to a key in a Secret resource
-			// containing the password used to encrypt the JKS keystore.
-			passwordSecretRef: {
-				// The key of the entry in the Secret resource's `data` field to
-				// be used. Some instances of this field may be defaulted, in
-				// others it may be required.
-				key?: string
-
-				// Name of the resource being referred to. More info:
-				// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-				name: string
-			}
-		}
-
-		// PKCS12 configures options for storing a PKCS12 keystore in the
-		// `spec.secretName` Secret resource.
-		pkcs12?: {
-			// Create enables PKCS12 keystore creation for the Certificate. If
-			// true, a file named `keystore.p12` will be created in the
-			// target Secret resource, encrypted using the password stored in
-			// `passwordSecretRef`. The keystore file will be updated
-			// immediately. If the issuer provided a CA certificate, a file
-			// named `truststore.p12` will also be created in the target
-			// Secret resource, encrypted using the password stored in
-			// `passwordSecretRef` containing the issuing Certificate
-			// Authority
-			create: bool
-
-			// PasswordSecretRef is a reference to a key in a Secret resource
-			// containing the password used to encrypt the PKCS12 keystore.
-			passwordSecretRef: {
-				// The key of the entry in the Secret resource's `data` field to
-				// be used. Some instances of this field may be defaulted, in
-				// others it may be required.
-				key?: string
-
-				// Name of the resource being referred to. More info:
-				// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-				name: string
-			}
-
-			// Profile specifies the key and certificate encryption algorithms
-			// and the HMAC algorithm used to create the PKCS12 keystore.
-			// Default value is `LegacyRC2` for backward compatibility.
-			// If provided, allowed values are: `LegacyRC2`: Deprecated. Not
-			// supported by default in OpenSSL 3 or Java 20. `LegacyDES`:
-			// Less secure algorithm. Use this option for maximal
-			// compatibility. `Modern2023`: Secure algorithm. Use this option
-			// in case you have to always use secure algorithms (eg. because
-			// of company policy). Please note that the security of the
-			// algorithm is not that important in reality, because the
-			// unencrypted certificate and private key are also stored in the
-			// Secret.
-			profile?: "LegacyRC2" | "LegacyDES" | "Modern2023"
-		}
-	}
-
-	// Requested X.509 certificate subject, represented using the LDAP
-	// "String Representation of a Distinguished Name" [1].
-	// Important: the LDAP string format also specifies the order of
-	// the attributes in the subject, this is important when issuing
-	// certs for LDAP authentication. Example:
-	// `CN=foo,DC=corp,DC=example,DC=com` More info [1]:
-	// https://datatracker.ietf.org/doc/html/rfc4514 More info:
-	// https://github.com/cert-manager/cert-manager/issues/3203 More
-	// info: https://github.com/cert-manager/cert-manager/issues/4424
-	// Cannot be set if the `subject` or `commonName` field is set.
-	// This is an Alpha Feature and is only enabled with the
-	// `--feature-gates=LiteralCertificateSubject=true` option set on
-	// both the controller and webhook components.
-	literalSubject?: string
-
-	// x.509 certificate NameConstraint extension which MUST NOT be
-	// used in a non-CA certificate. More Info:
-	// https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10
-	// This is an Alpha Feature and is only enabled with the
-	// `--feature-gates=NameConstraints=true` option set on both the
-	// controller and webhook components.
-	nameConstraints?: {
-		// if true then the name constraints are marked critical.
-		critical?: bool
-
-		// Excluded contains the constraints which must be disallowed. Any
-		// name matching a restriction in the excluded field is invalid
-		// regardless of information appearing in the permitted
-		excluded?: {
-			// DNSDomains is a list of DNS domains that are permitted or
-			// excluded.
-			dnsDomains?: [...string]
-
-			// EmailAddresses is a list of Email Addresses that are permitted
-			// or excluded.
-			emailAddresses?: [...string]
-
-			// IPRanges is a list of IP Ranges that are permitted or excluded.
-			// This should be a valid CIDR notation.
-			ipRanges?: [...string]
-
-			// URIDomains is a list of URI domains that are permitted or
-			// excluded.
-			uriDomains?: [...string]
-		}
-
-		// Permitted contains the constraints in which the names must be
-		// located.
-		permitted?: {
-			// DNSDomains is a list of DNS domains that are permitted or
-			// excluded.
-			dnsDomains?: [...string]
-
-			// EmailAddresses is a list of Email Addresses that are permitted
-			// or excluded.
-			emailAddresses?: [...string]
-
-			// IPRanges is a list of IP Ranges that are permitted or excluded.
-			// This should be a valid CIDR notation.
-			ipRanges?: [...string]
-
-			// URIDomains is a list of URI domains that are permitted or
-			// excluded.
-			uriDomains?: [...string]
-		}
-	}
-
-	// `otherNames` is an escape hatch for SAN that allows any type.
-	// We currently restrict the support to string like otherNames,
-	// cf RFC 5280 p 37 Any UTF8 String valued otherName can be
-	// passed with by setting the keys oid: x.x.x.x and UTF8Value:
-	// somevalue for `otherName`. Most commonly this would be UPN set
-	// with oid: 1.3.6.1.4.1.311.20.2.3 You should ensure that any
-	// OID passed is valid for the UTF8String type as we do not
-	// explicitly validate this.
-	otherNames?: [...{
-		// OID is the object identifier for the otherName SAN. The object
-		// identifier must be expressed as a dotted string, for example,
-		// "1.2.840.113556.1.4.221".
-		oid?: string
-
-		// utf8Value is the string value of the otherName SAN. The
-		// utf8Value accepts any valid UTF8 string to set as value for
-		// the otherName SAN.
-		utf8Value?: string
-	}]
-
-	// Private key options. These include the key algorithm and size,
-	// the used encoding and the rotation policy.
-	privateKey?: {
-		// Algorithm is the private key algorithm of the corresponding
-		// private key for this certificate.
-		// If provided, allowed values are either `RSA`, `ECDSA` or
-		// `Ed25519`. If `algorithm` is specified and `size` is not
-		// provided, key size of 2048 will be used for `RSA` key
-		// algorithm and key size of 256 will be used for `ECDSA` key
-		// algorithm. key size is ignored when using the `Ed25519` key
-		// algorithm.
-		algorithm?: "RSA" | "ECDSA" | "Ed25519"
-
-		// The private key cryptography standards (PKCS) encoding for this
-		// certificate's private key to be encoded in.
-		// If provided, allowed values are `PKCS1` and `PKCS8` standing
-		// for PKCS#1 and PKCS#8, respectively. Defaults to `PKCS1` if
-		// not specified.
-		encoding?: "PKCS1" | "PKCS8"
-
-		// RotationPolicy controls how private keys should be regenerated
-		// when a re-issuance is being processed.
-		// If set to `Never`, a private key will only be generated if one
-		// does not already exist in the target `spec.secretName`. If one
-		// does exists but it does not have the correct algorithm or
-		// size, a warning will be raised to await user intervention. If
-		// set to `Always`, a private key matching the specified
-		// requirements will be generated whenever a re-issuance occurs.
-		// Default is `Never` for backward compatibility.
-		rotationPolicy?: "Never" | "Always"
-
-		// Size is the key bit size of the corresponding private key for
-		// this certificate.
-		// If `algorithm` is set to `RSA`, valid values are `2048`, `4096`
-		// or `8192`, and will default to `2048` if not specified. If
-		// `algorithm` is set to `ECDSA`, valid values are `256`, `384`
-		// or `521`, and will default to `256` if not specified. If
-		// `algorithm` is set to `Ed25519`, Size is ignored. No other
-		// values are allowed.
-		size?: int
-	}
-
-	// How long before the currently issued certificate's expiry
-	// cert-manager should renew the certificate. For example, if a
-	// certificate is valid for 60 minutes, and `renewBefore=10m`,
-	// cert-manager will begin to attempt to renew the certificate 50
-	// minutes after it was issued (i.e. when there are 10 minutes
-	// remaining until the certificate is no longer valid).
-	// NOTE: The actual lifetime of the issued certificate is used to
-	// determine the renewal time. If an issuer returns a certificate
-	// with a different lifetime than the one requested, cert-manager
-	// will use the lifetime of the issued certificate.
-	// If unset, this defaults to 1/3 of the issued certificate's
-	// lifetime. Minimum accepted value is 5 minutes. Value must be
-	// in units accepted by Go time.ParseDuration
-	// https://golang.org/pkg/time/#ParseDuration.
-	renewBefore?: string
-
-	// The maximum number of CertificateRequest revisions that are
-	// maintained in the Certificate's history. Each revision
-	// represents a single `CertificateRequest` created by this
-	// Certificate, either when it was created, renewed, or Spec was
-	// changed. Revisions will be removed by oldest first if the
-	// number of revisions exceeds this number.
-	// If set, revisionHistoryLimit must be a value of `1` or greater.
-	// If unset (`nil`), revisions will not be garbage collected.
-	// Default value is `nil`.
-	revisionHistoryLimit?: int
-
-	// Name of the Secret resource that will be automatically created
-	// and managed by this Certificate resource. It will be populated
-	// with a private key and certificate, signed by the denoted
-	// issuer. The Secret resource lives in the same namespace as the
-	// Certificate resource.
-	secretName: string
-
-	// Defines annotations and labels to be copied to the
-	// Certificate's Secret. Labels and annotations on the Secret
-	// will be changed as they appear on the SecretTemplate when
-	// added or removed. SecretTemplate annotations are added in
-	// conjunction with, and cannot overwrite, the base set of
-	// annotations cert-manager sets on the Certificate's Secret.
-	secretTemplate?: {
-		// Annotations is a key value map to be copied to the target
-		// Kubernetes Secret.
-		annotations?: {
-			[string]: string
-		}
-
-		// Labels is a key value map to be copied to the target Kubernetes
-		// Secret.
-		labels?: {
-			[string]: string
-		}
-	}
-
-	// Requested set of X509 certificate subject attributes. More
-	// info:
-	// https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
-	// The common name attribute is specified separately in the
-	// `commonName` field. Cannot be set if the `literalSubject`
-	// field is set.
-	subject?: {
-		// Countries to be used on the Certificate.
-		countries?: [...string]
-
-		// Cities to be used on the Certificate.
-		localities?: [...string]
-
-		// Organizational Units to be used on the Certificate.
-		organizationalUnits?: [...string]
-
-		// Organizations to be used on the Certificate.
-		organizations?: [...string]
-
-		// Postal codes to be used on the Certificate.
-		postalCodes?: [...string]
-
-		// State/Provinces to be used on the Certificate.
-		provinces?: [...string]
-
-		// Serial number to be used on the Certificate.
-		serialNumber?: string
-
-		// Street addresses to be used on the Certificate.
-		streetAddresses?: [...string]
-	}
-
-	// Requested URI subject alternative names.
-	uris?: [...string]
-
-	// Requested key usages and extended key usages. These usages are
-	// used to set the `usages` field on the created
-	// CertificateRequest resources. If `encodeUsagesInRequest` is
-	// unset or set to `true`, the usages will additionally be
-	// encoded in the `request` field which contains the CSR blob.
-	// If unset, defaults to `digital signature` and `key
-	// encipherment`.
-	usages?: [..."signing" | "digital signature" | "content commitment" | "key encipherment" | "key agreement" | "data encipherment" | "cert sign" | "crl sign" | "encipher only" | "decipher only" | "any" | "server auth" | "client auth" | "code signing" | "email protection" | "s/mime" | "ipsec end system" | "ipsec tunnel" | "ipsec user" | "timestamping" | "ocsp signing" | "microsoft sgc" | "netscape sgc"]
-}