make: fix latest connect tools installed

On a release, make tools is run which pulls in the latest connect tools
for angular.  This is a problem because it makes the git tree dirty.

The packages should be in the package.json file and the lock file so
these additional steps should not be necessary.

Remove them.

Desired result is make tools is idempotent and installs the correct
pinned versions necessary to build and release the container image.

.cspell.json

@@ -7,6 +7,7 @@
   "words": [
     "applicationset",
     "argoproj",
+    "authcode",
     "authpolicy",
     "authproxy",
     "authroutes",
@@ -19,6 +20,7 @@
     "crossplane",
     "cuecontext",
     "cuelang",
+    "devicecode",
     "dnsmasq",
     "dscacheutil",
     "entgo",
@@ -27,7 +29,9 @@
     "flushcache",
     "gitops",
     "grpcreflect",
+    "grpcurl",
     "holos",
+    "holoslogger",
     "httpbin",
     "Infima",
     "isatty",
@@ -36,6 +40,7 @@
     "killall",
     "kubeadm",
     "kubeconfig",
+    "kubelogin",
     "Kustomization",
     "kustomize",
     "ldflags",
@@ -49,12 +54,15 @@
     "orgid",
     "otelconnect",
     "Parentspanid",
+    "pflag",
+    "PKCE",
     "platformconnect",
     "promhttp",
     "protojson",
     "putenv",
     "quickstart",
     "retryable",
+    "ropc",
     "spanid",
     "spiffe",
     "startupapicheck",
@@ -63,11 +71,15 @@
     "tablewriter",
     "Tiltfile",
     "timestamppb",
+    "tlsclientconfig",
+    "tokencache",
+    "Tokener",
     "Traceid",
     "traefik",
     "uibutton",
     "Upsert",
     "urandom",
+    "usecases",
     "userconnect",
     "userdata",
     "zerolog",

.ko.yaml

@@ -9,4 +9,5 @@ builds:
   - -s
   - -w
   - -X
+  # Makefile provides GIT_DETAIL and GIT_SUFFIX.
   - github.com/holos-run/holos/version.GitDescribe={{.Env.GIT_DETAIL}}{{.Env.GIT_SUFFIX}}

Makefile

@@ -127,11 +127,6 @@ go-deps: ## tool versions pinned in tools.go
 .PHONY: frontend-deps
 frontend-deps: ## Install Angular deps for go generate
 	cd internal/frontend/holos && npm install
-	cd internal/frontend/holos && npm install --save-dev @bufbuild/buf @connectrpc/protoc-gen-connect-es
-	cd internal/frontend/holos && npm install @connectrpc/connect @connectrpc/connect-web @bufbuild/protobuf
-	# https://github.com/connectrpc/connect-query-es/blob/1350b6f07b6aead81793917954bdb1cc3ce09df9/packages/protoc-gen-connect-query/README.md?plain=1#L23
-	cd internal/frontend/holos && npm install --save-dev @connectrpc/protoc-gen-connect-query @bufbuild/protoc-gen-es
-	cd internal/frontend/holos && npm install @connectrpc/connect-query @bufbuild/protobuf
 
 .PHONY: website-deps
 website-deps: ## Install Docusaurus deps for go generate

README.md

@@ -1,32 +1,3 @@
-## Holos - A Holostic Development Platform
+# k3d Platform
 
-<img width="50%"
-align="right"
-style="display: block; margin: 40px auto;"
-src="https://openinfrastructure.co/blog/2016/02/27/logo/logorectangle.png">
-
-Building and maintaining a software development platform is a complex and time
-consuming endeavour.  Organizations often dedicate a team of 3-4 who need 6-12
-months to build the platform.
-
-Holos is a tool and a reference platform to reduce the compexity and speed up
-the process of building a modern, cloud native software development platform.
-
- - **Accelerate new projects** - Reduce time to market and operational complexity by starting your new project on top of the Holos reference platform.
- - **Modernize existing projects** - Incrementally incorporate your existing platform services into Holos for simpler integration.
- - **Unified configuration model** - Increase safety and reduce the risk of config changes with CUE.
- - **First class Helm and Kustomize support** - Leverage and reuse your existing investment in existing configuration tools such as Helm and Kustomize.
- - **Modern Authentication and Authorization** - Holos seamlessly integrates platform identity and access mangement with zero-trust beyond corp style authorization policy.
-
-## Quick Installation
-```console
-go install github.com/holos-run/holos/cmd/holos@latest
-```
-
-## Docs and Support
-The documentation for developing and using Holos is avaialble at: https://holos.run
-
-For discussion and support, [open a discussion](https://github.com/orgs/holos-run/discussions/new/choose).
-
-## License
-Holos is licensed under Apache 2.0 as found in the [LICENSE file](LICENSE).
+Refer to https://holos.run/docs/tutorial/local/k3d

doc/md/design/rendering.md

@@ -0,0 +1,47 @@
+# Rendering
+
+:::tip
+
+This document provides a brief overview of the rendering process, a core design
+element in Holos.
+
+:::
+
+Holos uses the Kubernetes resource model to manage configuration.  The `holos`
+command line interface is the primary method you'll use to manage your platform.
+Holos uses CUE to provide a unified configuration model of the platform.  This
+unified configuration is built up from components packaged with Helm, Kustomize,
+CUE, or any other tool that can produce Kubernetes resource manifests as output.
+
+This process can be thought of as a data **rendering pipeline**.  The key
+concept is that `holos` will always produce fully rendered output, but delegates
+the _application_ of the configuration to other tools like `kubectl apply`,
+ArgoCD, or Flux.
+
+```mermaid
+---
+title: Figure 2 - Render Pipeline
+---
+graph LR
+    PS[<a href="/docs/api/core/v1alpha2#PlatformSpec">PlatformSpec</a>]
+    BP[<a href="/docs/api/core/v1alpha2#BuildPlan">BuildPlan</a>]
+    HC[<a href="/docs/api/core/v1alpha2#HolosComponent">HolosComponent</a>]
+
+    H[<a href="/docs/api/core/v1alpha2#HelmChart">HelmChart</a>]
+    K[<a href="/docs/api/core/v1alpha2#KustomizeBuild">KustomizeBuild</a>]
+    O[<a href="/docs/api/core/v1alpha2#KubernetesObjects">KubernetesObjects</a>]
+
+    P[<a href="/docs/api/core/v1alpha2#Kustomize">Kustomize</a>]
+    Y[Kubernetes <br>Resources]
+    G[GitOps <br>Resource]
+
+    C[Kube API Server]
+
+    PS --> BP --> HC
+    HC --> H --> P
+    HC --> K --> P
+    HC --> O --> P
+
+    P --> Y --> C
+    P --> G --> C
+```

doc/md/glossary.md

@@ -2,16 +2,87 @@
 
 This page describes the terms used within the context of Holos.
 
+## Platform
+
+In Holos, a Platform is a comprehensive environment configured using the
+Kubernetes resource model. It extends beyond traditional Kubernetes
+functionality by integrating cloud resources through Crossplane, allowing for a
+unified management approach across both Kubernetes and cloud infrastructure. A
+Platform typically consists of one Management Cluster, which handles control and
+secret management, and one or more Workload Clusters, where application
+workloads are deployed and run. This architecture enables a consistent and
+scalable approach to managing diverse resources and services within the
+cloud-native ecosystem.
+
 ## Management Cluster
 
+In the context of Holos, a Management Cluster is a special Kubernetes cluster
+that hosts Kubernetes controllers.  For example, cert-manager, Cluster api, and
+Crossplane.  A management cluster manages a single platform.  The primary
+function of this cluster is to securely store and manage secrets, ensuring the
+secure handling of sensitive information such as credentials, API keys, and
+other confidential data. The Management Cluster serves as a centralized and
+secure control plane for the platform, facilitating the orchestration and
+management of other components.
+
 ## Workload Cluster
 
+In Holos, a Workload Cluster is a Kubernetes cluster designed to host and run
+application workloads. Unlike the Management Cluster, which focuses on control
+and secret management, Workload Clusters are dedicated to executing the actual
+applications and services. These clusters can vary in size and configuration
+based on the specific needs of the applications they support. Workload Clusters
+leverage Kubernetes' orchestration capabilities to manage the deployment,
+scaling, and operation of containerized applications, providing a flexible and
+scalable environment for running production workloads within the platform.
+
 ## Platform Form
 
+In Holos, a Platform Form is a customizable web form defined by JSON data. Each
+platform within Holos has a unique Platform Form, which serves as an interface
+for configuring and managing the platform's settings and resources. Platform
+engineers can customize the Platform Form by modifying the underlying CUE
+(Configuration Unified Engine) code, allowing for tailored configurations that
+meet specific requirements. This flexibility enables platform engineers to
+create a user-friendly and specific interface for managing the platform's
+components and operations.
+
 ## Platform Model
 
+In Holos, the Platform Model represents the collection of values submitted
+through the Platform Form. It encapsulates the specific configuration details
+and settings defined by the platform engineers, serving as the blueprint for the
+platform's setup and operation. The Platform Model is essential for translating
+the customized options and parameters from the Platform Form into actionable
+configurations within the Holos ecosystem, ensuring that the platform operates
+according to the specified requirements and guidelines.
+
 ## Secret Store
 
+In Holos, a SecretStore is a repository for securely storing and managing
+sensitive data such as passwords, API keys, and other confidential information.
+It is compatible with any secret store supported by the External Secrets
+Operator. By default, the management cluster serves as the SecretStore to
+minimize dependencies and simplify the architecture. This setup ensures that
+secrets are managed in a secure and centralized manner, aligning with the
+overall security framework of the platform.
+
 ## Service Mesh
 
+In Holos, a Service Mesh is a dedicated infrastructure layer for managing,
+observing, and securing service-to-service communications within a microservices
+architecture. It typically includes features such as load balancing, traffic
+routing, service discovery, and security policies like mutual TLS and access
+control. The Service Mesh abstracts these functionalities away from the
+application code, providing a centralized control plane for managing the
+interactions between microservices. This facilitates better observability,
+resilience, and security in complex, distributed environments.
+
 ## Zero Trust
+
+In the context of Holos and broader security practices, Zero Trust is a security
+model that assumes no implicit trust is granted to any user, system, or
+component inside or outside the network. Instead, every request for access is
+treated as potentially malicious, and verification is required at every stage.
+This model enforces strict identity verification, continuous monitoring, and
+least-privilege access policies.

doc/md/guides/argocd/index.mdx

@@ -0,0 +1,6 @@
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+
+# ArgoCD
+
+Coming soon.

doc/md/guides/backstage/index.md

@@ -0,0 +1,3 @@
+# Backstage
+
+Coming soon.

doc/md/guides/observability/index.md

@@ -0,0 +1,3 @@
+# Observability
+
+Coming soon.

doc/md/guides/try-holos/index.mdx

@@ -0,0 +1,657 @@
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+
+# Try Holos Locally
+
+This guide walks through the process of building and managing a software
+development platform with Holos.  The k3d platform built in this guide is a
+slimmed down version of the larger, more holistic, Holos reference platform.
+
+Holos is different from existing tools in a few important ways.
+
+ 1. Holos provides a **unified configuration model** purpose built to improve on
+ unmodified Helm charts, Kustomize bases, or anything else that produces
+ structured configuration data.
+ 2. Holos all but **eliminates the need to template yaml**, a common source of
+ frustration and errors in production.
+ 3. Holos platforms are **composable** and have breadth.  The toolchain and
+ techniques scale down to one machine and up to multiple clusters across
+ multiple regions.
+ 4. The unified configuration model is well suited to a **Zero Trust security
+ model**.  Platform wide policy configuration is easier to manage with Holos.
+
+---
+
+This guide assumes commands are run locally.  Capitalized terms have specific
+definitions described in the [Glossary](/docs/glossary).
+
+## What you'll need {#Requirements}
+
+You'll need the following tools installed to complete this guide.
+
+1. [holos](/docs/guides/install) - to build the platform.
+2. [helm](https://helm.sh/docs/intro/install/) - to render Holos components that wrap upstream Helm charts.
+3. [k3d](https://k3d.io/#installation) - to provide a k8s api server.
+4. [OrbStack](https://docs.orbstack.dev/install) or [Docker](https://docs.docker.com/get-docker/) - to use k3d.
+5. [kubectl](https://kubernetes.io/docs/tasks/tools/) - to interact with the k8s api server.
+6. [mkcert](https://github.com/FiloSottile/mkcert?tab=readme-ov-file#installation) - to make trusted TLS certificates.
+7. [jq](https://jqlang.github.io/jq/download/) - to fiddle with JSON output.
+
+:::note
+
+Registering an account **is recommended** to try out proper authentication and
+authorization in Holos, but you can complete this guide without signing up.
+
+:::
+
+## Goal {#Goal}
+
+By the end of this guide you'll have built the foundation of a software
+development platform.  The foundation provides Zero Trust security by
+holistically integrating off-the-shelf open source software.
+
+  1. Istio is configured to authenticate and authorize requests using an OIDC
+  ID-Token issued by ZITADEL before requests reach backend services.
+  2. The platform provides single sign-on and role based access control for all
+  services running on the platform.
+
+This guide strives to keep things neat and tidy.  All of the resources are
+located in one k3d cluster and one local Git repository.  If you want to clean
+up at any point, do so with:
+
+```bash
+k3d cluster delete workload
+rm -rf holos-k3d
+```
+
+## Sign In or Out {#Sign-In}
+
+Holos provides integrated authentication and authorization which we'll use in
+this guide to protect a service.  We recommend registering an account to see
+this in action.  Registration also enables you to explore the customizable web
+form that simplifies complex configuration.
+
+If you opt-out, the platform will be configured to use a fake identity in place
+of real id tokens.
+
+<Tabs groupId="registration">
+  <TabItem value="registered" label="Sign In">
+    ```bash
+    holos register user
+    ```
+  </TabItem>
+  <TabItem value="unregistered" label="Opt Out">
+    ```bash
+    holos logout
+    ```
+  </TabItem>
+</Tabs>
+
+## Create the Platform {#Create-Platform}
+
+A server-side platform resource in Holos stores the web form used to simplify
+platform wide configuration.
+
+First, initialize an empty Git repository:
+
+```bash
+mkdir holos-k3d
+cd holos-k3d
+git init
+```
+
+<Tabs groupId="registration">
+  <TabItem value="registered" label="Signed In">
+    Use `holos` to make the rpc call to create the server-side platform
+    resource.
+
+    ```bash
+    holos create platform --name k3d --display-name "Try Holos Locally"
+    ```
+  </TabItem>
+  <TabItem value="unregistered" label="Signed Out">
+    Create a blank `platform.metadata.json` file so subsequent holos commands
+    skip rpc calls.
+
+    ```bash
+    touch platform.metadata.json
+    ```
+  </TabItem>
+</Tabs>
+
+### Generate the Platform {#Generate-Platform}
+
+Generate the platform code in the repository root.
+
+```bash
+holos generate platform k3d
+```
+
+Commit the generated platform config to the repository.
+
+```bash
+git add .
+git commit -m "holos generate platform k3d - $(holos --version)"
+```
+
+### Push the Platform Form
+
+Each Holos platform has a Platform Form used to submit top level, platform-wide
+configuration values.  The purpose of the form is to validate configuration
+values and simplify complicated configurations and integrations.
+
+<Tabs groupId="registration">
+  <TabItem value="registered" label="Signed In">
+    Push the Platform Form to publish it.  Browse to the printed URL to view the
+    form.
+
+    ```bash
+    holos push platform form .
+    ```
+  </TabItem>
+  <TabItem value="unregistered" label="Signed Out">
+    You will update the Platform Model locally in a later step so there's
+    nothing to do in this step.  Only signed-in users can push a Platform Form
+    to the Holos web server.
+
+    ```bash
+    # holos push platform form .
+    ```
+  </TabItem>
+</Tabs>
+
+The Platform Form is defined locally in `forms/platform/platform-form.cue`.
+
+On the web it looks like:
+![Platform Form Default Values](./form-pushed.png)
+
+### Update the Platform Model {#Platform-Model}
+
+Holos needs initial, top level configuration values to render the platform.  The
+Platform Model is the term we use for these values.  In this section you will
+configure role based access control by way of updating the Platform Model.
+
+In the k3d platform you're building now, role based access control is
+implemented by asserting against the oidc id token subject.  Update the form
+with the `sub` claim value from your id token.  This will ensure only you have
+access to platform services.
+
+<Tabs groupId="registration">
+  <TabItem value="registered" label="Signed In">
+    Copy and paste the `sub` value into your Platform Form's Subject field.
+
+    ```bash
+    holos login --print-claims --log-level=error | jq -r .sub
+    ```
+
+    After pasting the `sub` value, click Submit on the form.
+  </TabItem>
+  <TabItem value="unregistered" label="Signed Out">
+    You don't have an id token when you're signed out, so there's nothing for
+    you to do in this step.
+
+    ```bash
+    # holos login --print-claims --log-level=error | jq -r .sub
+    ```
+
+    The platform will be configured to assert against the User-Agent header
+    instead.
+  </TabItem>
+</Tabs>
+
+### Pull the Platform Model {#Pull-the-Platform-Model}
+
+The Platform Model needs to be pulled into the local Git repository after the
+form has been submitted. Next, we'll run `holos render` which operates
+exclusively on local files.
+
+Holos stores the Platform Model in the `platform.config.json` file. Holos
+provides this file as input to CUE when rendering the platform.  This file is
+intended to be added to version control.
+
+<Tabs groupId="registration">
+  <TabItem value="registered" label="Signed In">
+    Pull the updated Platform Model into the local repository.
+
+    ```bash
+    holos pull platform model .
+    ```
+  </TabItem>
+  <TabItem value="unregistered" label="Signed Out">
+    The `holos generate platform k3d` command should have created a default Platform
+    Model in `platform.config.json`.  As a result there's nothing to do in this
+    step.
+
+    ```bash
+    # holos pull platform model .
+    ```
+  </TabItem>
+</Tabs>
+
+```bash
+git add platform.config.json
+git commit -m "Add platform model"
+```
+
+## Render the Platform {#Render-the-Platform}
+
+Holos has everything necessary to render the platform once the
+`platform.config.json` file and the code from `holos generate` are in the
+current directory.
+
+Rendering a platform is the process of iterating over each platform component
+and rendering it into plain yaml. Holos does not apply the resulting manifests.
+Other tools like kubectl, ArgoCD, or Flux are responsible for applying the
+manifests.
+
+```bash
+holos render platform ./platform
+```
+
+The render command writes the manifest files to the `deploy/` directory.  Commit
+the files so they can be applied via GitOps later.
+
+```bash
+git add deploy
+git commit -m "holos render platform ./platform"
+```
+
+:::important
+
+⚡ Don't blink, this is where Holos actually builds the platform.  It usually
+takes no more than a few seconds.
+
+Rendering the holos reference platform currently results in about 500K lines of
+yaml.  In contrast, roughly 80K lines are produced by this slimmed down k3d
+platform.
+
+We mention this because the scale doesn't matter as much as it does with other
+tools.  Manage millions of lines of configuration with Holos the same way this
+guide manages thousands.  This is made possible by the unique way CUE unifies
+all configuration into one single model.
+
+:::
+
+## Create the Cluster {#Create-Cluster}
+
+The Workload Cluster is where your applications and services will be deployed.
+In production this is usually an EKS, GKE, or AKS cluster.
+
+:::tip
+
+Holos supports all compliant Kubernetes clusters. Holos was developed and tested
+on GKE, EKS, Talos, k3s, and Kubeadm clusters.
+
+:::
+
+<Tabs>
+  <TabItem value="evaluate" label="Try Holos" default>
+  Use this command when exploring Holos.
+
+  ```bash
+  k3d cluster create workload \
+    --port "443:443@loadbalancer" \
+    --k3s-arg "--disable=traefik@server:0"
+  ```
+
+  </TabItem>
+  <TabItem value="develop" label="Develop Holos">
+  Use this command when developing Holos.
+
+  ```bash
+  k3d registry create registry.holos.localhost --port 5100
+  ```
+
+  ```bash
+  k3d cluster create workload \
+    --registry-use k3d-registry.holos.localhost:5100 \
+    --port "443:443@loadbalancer" \
+    --k3s-arg "--disable=traefik@server:0"
+  ```
+
+  </TabItem>
+</Tabs>
+
+Traefik is disabled because Istio provides the same functionality.
+
+### Local CA {#Local-CA}
+
+Holos platforms use cert manager to issue tls certificates.  The browser and
+tools we're using need to trust these certificates to work together.  In this
+section we'll create a local trusted certificate authority.
+
+Admin access is necessary for `mkcert` to install the certificate into your
+trust stores.
+
+```bash
+sudo -v
+```
+
+```bash
+bash ./scripts/local-ca
+```
+
+### DNS Setup {#DNS}
+
+Configure your machine to resolve `*.holos.localhost` to your loopback
+interface.  This is necessary for requests to reach the workload cluster.
+
+<Tabs>
+  <TabItem value="macos" label="macOS" default>
+  Cache sudo credentials.
+
+  Admin access is necessary to setup a local dnsmasq instance and configure
+  macOS's DNS resolver.
+
+  ```bash
+  sudo -v
+  ```
+
+  Resolve *.holos.localhost DNS queries to 127.0.0.1.
+
+  ```bash
+  bash ./scripts/local-dns
+  ```
+
+  </TabItem>
+  <TabItem value="linux" label="Linux">
+    [NSS-myhostname](http://man7.org/linux/man-pages/man8/nss-myhostname.8.html)
+    ships with many Linux distributions and should resolve *.localhost
+    automatically to 127.0.0.1.
+
+    Otherwise it is installable with:
+
+    ```bash
+    sudo apt install libnss-myhostname
+    ```
+  </TabItem>
+  <TabItem value="windows" label="Windows">
+    Ensure the loopback interface has at least the following names in `C:\windows\system32\drivers\etc\hosts`
+
+    ```
+    127.0.0.1 httpbin.holos.localhost app.holos.localhost
+    ```
+  </TabItem>
+</Tabs>
+
+## Apply the Platform Components {#Apply-Platform-Components}
+
+Use `kubectl` to apply each platform component.  In production, it's common to
+fully automate this process with ArgoCD, but we use `kubectl` to the same
+effect.
+
+### Service Mesh
+
+The platform service mesh provides an ingress gateway and connectivity useful
+for observability, reliability, and security.
+
+#### Namespaces
+
+With Holos, components are automatically added to the namespaces component,
+useful for centrally managed policies.
+
+```bash
+kubectl apply --server-side=true -f ./deploy/clusters/workload/components/namespaces
+```
+
+#### Custom Resource Definitions
+
+```bash
+kubectl apply --server-side=true -f ./deploy/clusters/workload/components/gateway-api
+kubectl apply --server-side=true -f ./deploy/clusters/workload/components/istio-base
+```
+
+#### Cert Manager {#cert-manager}
+
+Apply the cert-manager controller.
+
+```bash
+kubectl apply --server-side=true -f ./deploy/clusters/workload/components/cert-manager
+```
+
+Apply the ClusterIssuer which issues Certificate resources using the local
+certificate authority.
+
+```bash
+kubectl -n cert-manager wait pod -l app.kubernetes.io/component=webhook --for=condition=Ready
+kubectl apply --server-side=true -f deploy/clusters/workload/components/local-ca
+kubectl apply --server-side=true -f deploy/clusters/workload/components/certificates
+```
+
+#### Istio {#Istio}
+
+Istio implements the Service Mesh.
+
+```bash
+kubectl apply --server-side=true -f ./deploy/clusters/workload/components/istio-cni
+kubectl apply --server-side=true -f ./deploy/clusters/workload/components/istiod
+kubectl apply --server-side=true -f ./deploy/clusters/workload/components/gateway
+```
+
+Verify the Gateway is programmed and the listeners have been accepted:
+
+```bash
+kubectl -n istio-gateways wait gateway default --for=condition=Accepted
+```
+
+#### httpbin {#httpbin}
+
+httpbin is a simple backend service useful for end-to-end testing.
+
+```bash
+kubectl apply --server-side=true -f deploy/clusters/workload/components/httpbin-backend
+kubectl apply --server-side=true -f deploy/clusters/workload/components/httpbin-routes
+kubectl -n holos-system wait pod -l app.kubernetes.io/instance=httpbin --for=condition=Ready
+```
+
+:::important
+
+Browse to [https://httpbin.holos.localhost/](https://httpbin.holos.localhost/)
+to verify end to end connectivity.  You should see the httpbin index page.
+
+:::
+
+### Authenticating Proxy
+
+The auth proxy is responsible for authenticating browser requests, handling the
+oidc authentication flow, and providing a signed id token to the rest of the
+services in the mesh.
+
+#### Cookie Secret
+
+The auth proxy stores session information in an encrypted cookie.  Generate a
+random cookie encryption Secret and apply.
+
+```bash
+LC_ALL=C tr -dc A-Za-z0-9 </dev/urandom \
+  | head -c 32 \
+  | kubectl create secret generic "authproxy" \
+    --from-file=cookiesecret=/dev/stdin \
+    --dry-run=client -o yaml \
+  | kubectl apply -n istio-gateways -f-
+```
+
+#### Deployment
+
+The auth proxy Deployment receives requests from web browsers and responds with
+an authentication decision.
+
+```bash
+kubectl apply --server-side=true -f deploy/clusters/workload/components/authproxy
+kubectl apply --server-side=true -f deploy/clusters/workload/components/authroutes
+```
+
+<Tabs groupId="registration">
+  <TabItem value="registered" label="Signed In">
+    Verify authentication is working by visiting
+    [https://httpbin.holos.localhost/holos/authproxy](https://httpbin.holos.localhost/holos/authproxy).
+    The auth proxy should respond with a simple `Authenticated` response.
+
+    Istio will respond with `no healthy upstream` until the pod becomes ready.
+    Wait for the pod to become ready with:
+
+    ```bash
+    kubectl -n holos-system wait pod -l app.kubernetes.io/instance=httpbin --for=condition=Ready
+    ```
+
+    Once authenticated, visit
+    [https://httpbin.holos.localhost/holos/authproxy/userinfo](https://httpbin.holos.localhost/holos/authproxy/userinfo)
+    which returns a subset of claims from your id token:
+
+    ```json
+    {
+      "user": "275552236589843464",
+      "email": "demo@holos.run",
+      "preferredUsername": "demo"
+    }
+    ```
+
+  </TabItem>
+  <TabItem value="unregistered" label="Signed Out">
+    The auth proxy will always try to sign you in when you are signed out, so
+    there isn't much to do here.  Please do take a moment to glance at the
+    Signed In tab to see how this would work if you were signed in.
+
+    The `k3d` platform relies on `https://login.holos.run` to issue id tokens.
+    Authorization has been configured against fake request headers instead of
+    the real `x-oidc-id-token` header.
+  </TabItem>
+</Tabs>
+
+### Authorization Policy
+
+Configure authorization policies using attributes of the authenticated request.
+Authorization policies route web requests through the auth proxy and then
+validate all requests against the `x-oidc-id-token` header.
+
+```bash
+kubectl apply --server-side=true -f deploy/clusters/workload/components/authpolicy
+```
+
+Istio make take a few seconds to program the Gateway with the
+AuthorizationPolicy resources.
+
+## Try out Zero Trust
+
+A basic Zero Trust security model is now in place.  The platform authenticates
+and authorizes requests before they reach the backend service.
+
+### Browser
+
+<Tabs groupId="registration">
+  <TabItem value="registered" label="Signed In">
+    The platform has been configured to authorize requests with a `x-oidc-id-token` header.
+
+    1. Verify authentication is working by browsing to [https://httpbin.holos.localhost/dump/request](https://httpbin.holos.localhost/dump/request).
+        - Refresh the page a few times.
+        - The `httpbin` backend pods should echo back the `x-oidc-id-token`
+        header injected by the auth proxy.
+    2. Note the `x-oidc-id-token` header is not sent by your browser but is
+    received by the backend service.
+        - This design reduces the risk of exposing id tokens in the browser.
+        - Browser request size remains constant as more claims are added to id
+        tokens.
+        - Reliability improves because id tokens often overflow request header
+        buffers when they pass through middle boxes across the internet.
+  </TabItem>
+  <TabItem value="unregistered" label="Signed Out">
+    The platform has been configured to authorize requests with a `User-Agent: anonymous` header.
+
+    1. Open an incognito window (Cmd+Shift+N) to verify the platform is
+    enforcing the authorization policy.
+    2. Browse to
+    [https://httpbin.holos.localhost/dump/request](https://httpbin.holos.localhost/dump/request)
+    you should be redirected to the sign in page by the auth proxy.
+        - You **do not** need to register or sign in.
+        - This step verifies the platform is redirecting unauthenticated
+        requests to the identity provider.
+        - Navigate back or close and re-open an incognito window.
+    3. Set your `User-Agent` header to `anonymous` using your browser developer tools.
+        - For Chrome the process is described
+        [here](https://developer.chrome.com/docs/devtools/device-mode/override-user-agent#override_the_user_agent_string).
+        - The purpose is to simulate an authenticated request.
+    4. Browse to
+    [https://httpbin.holos.localhost/dump/request](https://httpbin.holos.localhost/dump/request).
+        - The platform should allow the request through to the backend pod.
+        - `httpbin` should echo back your request which should contain `User-Agent: anonymous`.
+  </TabItem>
+</Tabs>
+
+### Command Line
+
+Verify unauthenticated requests are blocked by default outside the browser.
+
+```bash
+curl -I https://httpbin.holos.localhost/dump/request
+```
+
+You should receive a `HTTP/2 302` response that redirects to `location:
+https://login.holos.run` to start the oauth login flow.
+
+Next, verify authenticated requests are allowed.
+
+<Tabs groupId="registration">
+  <TabItem value="registered" label="Signed In">
+    The platform is configured to authenticate the id token present in the
+    `x-oidc-id-token` header.
+
+    💡 It also works with `grpcurl`.
+
+    ```bash
+    curl -H x-oidc-id-token:$(holos token) https://httpbin.holos.localhost/dump/request
+    ```
+  </TabItem>
+  <TabItem value="unregistered" label="Signed Out">
+    The platform is configured to authorize any request with `User-Agent:
+    anonymous` in place of validating the oidc id token.
+
+    💡 Take a moment to click the Signed In tab, I don't want you to miss how
+    cool `$(holos token)` is.
+
+    ```bash
+    curl -A anonymous https://httpbin.holos.localhost/dump/request
+    ```
+  </TabItem>
+</Tabs>
+
+You should receive a response showing the request headers the backend received.
+
+:::tip
+
+Note how the platform secures both web browser and command line api access to
+the backend httpbin service.  httpbin itself has no authentication or
+authorization functionality.
+
+:::
+
+## Summary
+
+Thank you for taking the time to try out Holos.  In this guide, you built the
+foundation of a software development platform that:
+
+ 1. Provides a unified configuration model with CUE that
+    - Supports unmodified Helm Charts, Kustomize Kustomizations, plain YAML.
+    - Provides a web form to pass top level parameters.
+ 2. Reduces errors by eliminating the need to template unstructured text.
+ 3. Is composable and scales down to a local machine.
+ 4. Provides an way to safely configure broad authentication and authorization
+ policy.
+
+## Next Steps
+
+Dive deeper with the following resources that build on the foundation you have now.
+
+ 1. Explore the [Rendering Process](/docs/design/rendering) in Holos.
+ 2. Dive deeper into the [Platform Manifests](./platform-manifests) rendered in this guide.
+ 3. Deploy [ArgoCD](/docs/guides/argocd) onto the foundation you built.
+ 4. Deploy [Backstage](/docs/guides/backstage) as a portal to the integrated platform components.
+
+## Clean-Up
+
+If you'd like to clean up the resources you created in this guide, remove them
+with:
+
+```bash
+k3d cluster delete workload
+rm -rf holos-k3d
+```

doc/md/guides/try-holos/platform-manifests.md

@@ -0,0 +1,137 @@
+# Platform Manifests
+
+This document provides an example of how Holos uses CUE and Helm to unify and
+render the platform configuration.  It refers to the manifests rendered in the
+[Try Holos Locally](/docs/guides/try-holos/) guide.
+
+Take a moment to review the manifests `holos` rendered to build the platform.
+
+### ArgoCD Application
+
+Note the Git URL in the Platform Model is used to derive the ArgoCD
+`Application` resource for all of the platform components.
+
+```yaml
+# deploy/clusters/workload/gitops/namespaces.application.gen.yaml
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: namespaces
+  namespace: argocd
+spec:
+  destination:
+    server: https://kubernetes.default.svc
+  project: default
+  source:
+    # highlight-next-line
+    path: /deploy/clusters/workload/components/namespaces
+    # highlight-next-line
+    repoURL: https://github.com/holos-run/holos-k3d.git
+    # highlight-next-line
+    targetRevision: HEAD
+```
+
+One ArgoCD `Application` resource is produced for each Holos component by
+default.  The CUE definition which produces the rendered output is defined in
+`buildplan.cue` around line 222.
+
+:::tip
+
+Note how CUE does not use error-prone text templates, the language is well
+specified and typed which reduces errors when unifying the configuration with
+the Platform Model in the following `#Argo` definition.
+
+:::
+
+```cue
+// buildplan.cue
+
+// #Argo represents an argocd Application resource for each component, written
+// using the #HolosComponent.deployFiles field.
+#Argo: {
+	ComponentName: string
+
+	Application: app.#Application & {
+		metadata: name:      ComponentName
+		metadata: namespace: "argocd"
+		spec: {
+			destination: server: "https://kubernetes.default.svc"
+			project: "default"
+			source: {
+        // highlight-next-line
+				path:           "\(_Platform.Model.argocd.deployRoot)/deploy/clusters/\(_ClusterName)/components/\(ComponentName)"
+        // highlight-next-line
+				repoURL:        _Platform.Model.argocd.repoURL
+        // highlight-next-line
+				targetRevision: _Platform.Model.argocd.targetRevision
+			}
+		}
+	}
+
+	// deployFiles represents the output files to write along side the component.
+	deployFiles: "clusters/\(_ClusterName)/gitops/\(ComponentName).application.gen.yaml": yaml.Marshal(Application)
+}
+```
+
+### Helm Chart
+
+The `cert-manger` component renders using the upstream Helm chart.  The build
+plan that defines the helm chart to use along with the values to provide looks
+like the following.
+
+:::tip
+
+Holos fully supports your existing Helm charts.  Consider leveraging `holos` as
+an alternative to umbrella charts.
+
+:::
+
+```cue
+// components/cert-manager/cert-manager.cue
+package holos
+
+// Produce a helm chart build plan.
+(#Helm & Chart).Output
+
+let Chart = {
+	Name:      "cert-manager"
+	Version:   "1.14.5"
+	Namespace: "cert-manager"
+
+	Repo: name: "jetstack"
+	Repo: url:  "https://charts.jetstack.io"
+
+  // highlight-next-line
+	Values: {
+		installCRDs: true
+		startupapicheck: enabled: false
+		// Must not use kube-system on gke autopilot.  GKE Warden blocks access.
+    // highlight-next-line
+		global: leaderElection: namespace: Namespace
+
+		// https://cloud.google.com/kubernetes-engine/docs/concepts/autopilot-resource-requests#min-max-requests
+		resources: requests: {
+			cpu:                 "250m"
+			memory:              "512Mi"
+			"ephemeral-storage": "100Mi"
+		}
+    // highlight-next-line
+		webhook: resources:        Values.resources
+    // highlight-next-line
+		cainjector: resources:     Values.resources
+    // highlight-next-line
+		startupapicheck: resource: Values.resources
+
+		// https://cloud.google.com/kubernetes-engine/docs/how-to/autopilot-spot-pods
+		nodeSelector: {
+			"kubernetes.io/os": "linux"
+			if _ClusterName == "management" {
+				"cloud.google.com/gke-spot": "true"
+			}
+		}
+		webhook: nodeSelector:         Values.nodeSelector
+		cainjector: nodeSelector:      Values.nodeSelector
+		startupapicheck: nodeSelector: Values.nodeSelector
+	}
+}
+```

doc/md/local-development.md

@@ -2,8 +2,8 @@
 
 This document captures notes on locally developing Holos.
 
-Follow the steps in [Try Holos Locally](/docs/tutorial/local/k3d), but take
-care to select `Develop` tabs when creating the k3d cluster so you have a local
+Follow the steps in [Try Holos Locally](/docs/guides/try-holos), but take care
+to select `Develop` tabs when creating the k3d cluster so you have a local
 registry to push to.
 
 ## Apply Resources

doc/md/reference-platform/architecture.md

@@ -1,81 +1,3 @@
 # Architecture
 
-This page describes the architecture of the Holos reference platform.
-
-## Overview
-
-The reference platform manages three kubernetes clusters by default.  One management cluster and two workload clusters.
-
-```mermaid
-graph TB
-   subgraph "Management"
-       secrets(Secrets)
-       c1(Controllers)
-   end
-
-   subgraph "Primary"
-       s1p(Service 1)
-       s2p(Service 2)
-   end
-
-   subgraph "Standby"
-       s1s(Service 1)
-       s2s(Service 2)
-   end
- 
-   classDef plain fill:#ddd,stroke:#fff,stroke-width:4px,color:#000;
-   classDef k8s fill:#326ce5,stroke:#fff,stroke-width:4px,color:#fff;
-   classDef cluster fill:#fff,stroke:#bbb,stroke-width:2px,color:#326ce5;
-   class c1,s1p,s2p,s1s,s2s,secrets k8s;
-   class Management,Primary,Standby cluster;
-
-```
-
-
-The services in each cluster type are:
-
-:::tip
-The management cluster is designed to operate reliably on spot instances.  A highly available management cluster typically costs less than a cup of coffee per month to operate.
-:::
-
-1. Management Cluster
-   - **SecretStore** to provide namespace scoped secrets to workload clusters.
-   - **CertManager** to provision TLS certificates and make them available to workload clusters.
-   - **ClusterAPI** to provision and manage workload clusters via GitOps.  For example, EKS or GKE clusters.
-   - **Crossplane** to provision and manage cloud resources via GitOps.  For example, buckets, managed databases, any other cloud resource.
-   - **CronJobs** to refresh short lived credentials.  For example image pull credentials.
-   - **ArgoCD** to manage resources within the management cluster via GitOps.
-2. Primary Workload Cluster
-   - **ArgoCD** to continuously deploy your applications and services via GitOps.
-   - **External Secrets Operator** to synchronize namespace scoped secrets.
-   - **Istio** to provide a Gateway to expose services.
-   - **ZITADEL** to provide SSO login for all other services (e.g. ArgoCD, Grafana, Backstage, etc...)
-   - **PostgreSQL** for in-cluster databases.
-   - **Backstage** to provide your developer portal into the whole platform.
-   - **Observability** implemented by Prometheus, Grafana, and Loki to provide monitoring and logging.
-   - **AuthorizationPolicy** to provide role based access control to all services in the cluster.
-3. Standby Workload Cluster
-   - Identical configuration to the primary cluster.
-   - May be scaled down to zero to reduce expenses.
-   - Intended to take the primary cluster role quickly, within minutes, for disaster recovery or regular maintenance purposes.
-
-## Security
-
-### Namespaces
-
-Namespaces are security boundaries in the reference platform.  A given namespace is treated as the same security context across multiple clusters following the [SIG Multi-cluster Position](https://github.com/kubernetes/community/blob/dd4c8b704ef1c9c3bfd928c6fa9234276d61ad18/sig-multicluster/namespace-sameness-position-statement.md).
-
-The namespace sameness principle makes role based access control straightforward to manage and comprehend.  For example, granting a developer the ability to create secrets in namespace `example` means the developer has the ability to do so in the secret store in the management cluster and also synchronize the secret to the services they own in the workload clusters.
-
-## Data Platform
-
-Holos is designed to work with two distinct types of databases by default:
-
- 1. In-cluster PostgresSQL databases for lower cost and rapid development and testing.
- 2. Out-of-cluster SQL databases for production services, e.g. RDS, CloudSQL, Aurora, Redshift, etc...
-
-:::tip
-To simplify maintenance the holos reference platform provisions databases from the most recent backup by default.
-:::
-
-In-cluster databases in the holos reference platform automatically save backups to an S3 or GCS bucket.  For regular maintenance and disaster recovery, the standby cluster automatically restores databases from the most recent backup in the bucket.  This capability makes  maintenance much simpler, most maintenance tasks are carried out on the standby cluster which is then promoted to the primary.  Software upgrades in particular are intended to be carried out against the standby, verified, then promoted to primary.  Once live traffic shifts to the upgraded services in the new primary the previous cluster can be spun down to save cost or upgraded safely in place.
+Coming soon.

doc/md/runbooks/login/failover.md

@@ -0,0 +1,3 @@
+## Overview
+
+TODO: This runbook needs to be updated to reflect the switch from PGO to CNPG.

doc/md/tutorial/local/k3d.mdx

@@ -1,835 +0,0 @@
-import Tabs from '@theme/Tabs';
-import TabItem from '@theme/TabItem';
-
-# Try Holos Locally
-
-Learn how to configure and deploy the Holos reference platform to your local
-host with k3d.
-
----
-
-This guide assumes commands are run from your local host.  Capitalized terms
-have specific definitions described in the [Glossary](/docs/glossary).
-
-## Requirements
-
-You'll need the following tools installed on your local host to complete this guide.
-
- 1. [k3d](https://k3d.io/#installation) - to provide an api server.
- 2. [Docker](https://docs.docker.com/get-docker/) - to use k3d.
- 3. [holos](/docs/tutorial/install) - to build the platform.
- 4. [kubectl](https://kubernetes.io/docs/tasks/tools/) - to interact with the Kubernetes cluster.
- 5. [helm](https://helm.sh/docs/intro/install/) - to render Holos components that integrate vendor provided Helm charts.
- 6. [mkcert](https://github.com/FiloSottile/mkcert?tab=readme-ov-file#installation) - for local trusted certificates.
- 7. [jq](https://jqlang.github.io/jq/download/) - to manipulate json output.
-
-## Outcome
-
-At the end of this guide you'll have built a development platform that provides
-Zero Trust security by holistically integrating off-the-shelf components.
-
- 1. ArgoCD to review and apply platform configuration changes.
- 2. Istio service mesh with mTLS encryption.
- 3. ZITADEL to provide single sign-on identity tokens with multi factor authentication.
-
-The platform running on your local host will configure Istio to authenticate and
-authorize requests using an oidc id token issued by ZITADEL _before_ the request
-ever reaches ArgoCD.
-
-:::tip
-
-With Holos, developers don't need to write authentication or authorization logic
-for many use cases.
-
-:::
-
-Single sign-on and role based access control are provided by the platform itself
-for all service running in the platform using standardized policies.
-
-The `k3d` platform is derived from the larger holos reference platform to
-provide a smooth on-ramp to evaluate the value Holos offers.
-
- 1. Holos wraps unmodified Helm charts provided by software vendors.
- 2. Holos eliminates the need to template yaml.
- 3. Holos is composable, scaling down to local host and up to multi-cloud and multi-cluster.
- 4. The Zero Trust security model implemented by the reference platform.
- 5. Configuration unification with CUE.
-
-## Register with Holos
-
-Register an account with the Holos web service. This registration is required
-to save platform configuration values via a simple web form and to explore how
-Holos implements Zero Trust.
-
-```bash
-holos register user
-```
-
-## Create the Platform
-
-Create the platform, which stores the Platform Form and its values in the Holos
-web service. The Platform Form represents the Platform Model.
-
-```bash
-holos create platform --name k3d --display-name "Try Holos Locally"
-```
-
-## Generate the Platform
-
-Holos builds the platform by building each component of the platform into fully
-rendered Kubernetes configuration resources.  Generate the source code for the
-platform in a blank local directory.  This directory is named `holos-infra` by
-convention because it represents the Holos managed platform infrastructure.
-
-Create a new Git repository to store the platform code:
-
-```bash
-mkdir holos-k3d
-cd holos-k3d
-git init .
-```
-
-Generate the platform code in the current directory:
-
-```bash
-holos generate platform k3d
-```
-
-Commit the generated platform config to the repository:
-
-```bash
-git add .
-git commit -m "holos generate platform k3d - $(holos --version)"
-```
-
-## Push the Platform Form
-
-Push the Platform Form to the web service to provide top-level configuration
-values from which the platform components derive their final configuration.
-
-```bash
-holos push platform form .
-```
-
-Visit the printed URL to view the Platform Form.
-
-:::tip
-
-You have complete control over the form fields and validation rules.
-
-:::
-
-## Submit the Platform Model
-
-Fill out the form and submit the Platform Model.
-
-For the Role Based Access Control section, provide the value of the `sub`
-subject claim of your identity to ensure only you have administrative access to
-ArgoCD.
-
-```bash
-holos login --print-claims | jq -r .sub
-```
-
-For the ArgoCD Git repository URL, enter the url of a public repository where
-you will push your local `holos-k3d` repository.
-
-```bash
-git remote add origin https://github.com/example/holos-k3d
-git push origin HEAD:main
-```
-
-## Pull the Platform Model
-
-The Platform Model is the JSON representation of the Platform Form values.
-Holos provides the Platform Model to CUE to render the platform configuration to
-plain YAML. Configuration that varies is derived from the Platform Model using
-CUE.
-
-Pull the Platform Model to your local host to render the platform.
-
-```bash
-holos pull platform model .
-```
-
-The `platform.config.json` file is intended to be committed to version control.
-
-```bash
-git add platform.config.json
-git commit -m "Add platform model"
-```
-
-:::danger
-
-Do not store secrets in the Platform Model.
-
-:::
-
-Holos uses ExternalSecret resources to securely sync with a SecretStore and
-ensure Secrets are never stored in version control.
-
-## Render the Platform
-
-Rendering the platform iterates over each platform component and renders the
-component into the final Kubernetes resources that will be sent to the API Server.
-
-```bash
-holos render platform ./platform
-```
-
-This command writes fully rendered Kubernetes resource yaml to the `deploy/` directory.
-
-:::warning
-
-Do not edit the files in the `deploy` as they will be written over.
-
-:::
-
-Commit the rendered platform configuration for `git diff` later.
-
-```bash
-git add deploy
-git commit -m "holos render platform ./platform"
-```
-
-### Rendering
-
-Holos uses the Kubernetes resource model to manage configuration.  The `holos`
-command line interface (cli) is the primary method you'll use to manage your
-platform.  Holos uses CUE to provide a unified configuration model of the
-platform which is built from components packaged with Helm, Kustomize, CUE, or
-any tool that can produce Kubernetes resources as output.  This process can be
-thought of as a yaml **rendering pipeline**.
-
-Each component in a platform defines a rendering pipeline shown in Figure 2 to
-produce Kubernetes api resources
-
-```mermaid
----
-title: Figure 2 - Render Pipeline
----
-graph LR
-    PS[<a href="/docs/api/core/v1alpha2#PlatformSpec">PlatformSpec</a>]
-    BP[<a href="/docs/api/core/v1alpha2#BuildPlan">BuildPlan</a>]
-    HC[<a href="/docs/api/core/v1alpha2#HolosComponent">HolosComponent</a>]
-
-    H[<a href="/docs/api/core/v1alpha2#HelmChart">HelmChart</a>]
-    K[<a href="/docs/api/core/v1alpha2#KustomizeBuild">KustomizeBuild</a>]
-    O[<a href="/docs/api/core/v1alpha2#KubernetesObjects">KubernetesObjects</a>]
-
-    P[<a href="/docs/api/core/v1alpha2#Kustomize">Kustomize</a>]
-    Y[Kubernetes <br>Resources]
-    G[GitOps <br>Resource]
-
-    C[Kube API Server]
-
-    PS --> BP --> HC
-    HC --> H --> P
-    HC --> K --> P
-    HC --> O --> P
-
-    P --> Y --> C
-    P --> G --> C
-```
-
-The `holos` cli can be thought of as executing a data pipeline.  The Platform
-Model is the top level input to the pipeline and specifies the ways your
-platform varies from other organizations.  The `holos` cli takes the Platform
-Model as input and executes a series of steps to produce the platform
-configuration.  The platform configuration output of `holos` are full
-Kubernetes API resources, suitable for application to a cluster with `kubectl
-apply -f`, or GitOps tools such as ArgoCD or Flux.
-
-## Review the Platform Config
-
-:::tip
-
-This section is optional, included to provide insight into how Holos uses CUE
-and Helm to unify and render the platform configuration.
-
-:::
-
-Take a moment to review the platform config `holos` rendered.
-
-### ArgoCD Application
-
-Note the Git URL you entered into the Platform Form is used to derive the ArgoCD
-`Application` resource from the Platform Model.
-
-```yaml
-# deploy/clusters/workload/gitops/namespaces.application.gen.yaml
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: namespaces
-  namespace: argocd
-spec:
-  destination:
-    server: https://kubernetes.default.svc
-  project: default
-  source:
-    # highlight-next-line
-    path: /deploy/clusters/workload/components/namespaces
-    # highlight-next-line
-    repoURL: https://github.com/holos-run/holos-k3d
-    # highlight-next-line
-    targetRevision: HEAD
-```
-
-One ArgoCD `Application` resource is produced for each Holos component by
-default.  Note the `cert-manger` component renders the output using Helm.
-Holos unifies the Application resource using CUE.  The CUE definition which
-produces the rendered output is defined in `buildplan.cue` around line 222.
-
-:::tip
-
-Note how CUE does not use error-prone text templates, the language is well
-specified and typed which reduces errors when unifying the configuration with
-the Platform Model in the following `#Argo` definition.
-
-:::
-
-```cue
-// buildplan.cue
-
-// #Argo represents an argocd Application resource for each component, written
-// using the #HolosComponent.deployFiles field.
-#Argo: {
-	ComponentName: string
-
-	Application: app.#Application & {
-		metadata: name:      ComponentName
-		metadata: namespace: "argocd"
-		spec: {
-			destination: server: "https://kubernetes.default.svc"
-			project: "default"
-			source: {
-        // highlight-next-line
-				path:           "\(_Platform.Model.argocd.deployRoot)/deploy/clusters/\(_ClusterName)/components/\(ComponentName)"
-        // highlight-next-line
-				repoURL:        _Platform.Model.argocd.repoURL
-        // highlight-next-line
-				targetRevision: _Platform.Model.argocd.targetRevision
-			}
-		}
-	}
-
-	// deployFiles represents the output files to write along side the component.
-	deployFiles: "clusters/\(_ClusterName)/gitops/\(ComponentName).application.gen.yaml": yaml.Marshal(Application)
-}
-```
-
-### Helm Chart
-
-Holos uses CUE to safely integrate the unmodified upstream `cert-manager` Helm
-chart.
-
-:::tip
-
-Holos fully supports your existing Helm charts.  Consider leveraging `holos` as
-an safer alternative to umbrella charts.
-
-:::
-
-```cue
-// components/cert-manager/cert-manager.cue
-package holos
-
-// Produce a helm chart build plan.
-(#Helm & Chart).Output
-
-let Chart = {
-	Name:      "cert-manager"
-	Version:   "1.14.5"
-	Namespace: "cert-manager"
-
-	Repo: name: "jetstack"
-	Repo: url:  "https://charts.jetstack.io"
-
-  // highlight-next-line
-	Values: {
-		installCRDs: true
-		startupapicheck: enabled: false
-		// Must not use kube-system on gke autopilot.  GKE Warden blocks access.
-    // highlight-next-line
-		global: leaderElection: namespace: Namespace
-
-		// https://cloud.google.com/kubernetes-engine/docs/concepts/autopilot-resource-requests#min-max-requests
-		resources: requests: {
-			cpu:                 "250m"
-			memory:              "512Mi"
-			"ephemeral-storage": "100Mi"
-		}
-    // highlight-next-line
-		webhook: resources:        Values.resources
-    // highlight-next-line
-		cainjector: resources:     Values.resources
-    // highlight-next-line
-		startupapicheck: resource: Values.resources
-
-		// https://cloud.google.com/kubernetes-engine/docs/how-to/autopilot-spot-pods
-		nodeSelector: {
-			"kubernetes.io/os": "linux"
-			if _ClusterName == "management" {
-				"cloud.google.com/gke-spot": "true"
-			}
-		}
-		webhook: nodeSelector:         Values.nodeSelector
-		cainjector: nodeSelector:      Values.nodeSelector
-		startupapicheck: nodeSelector: Values.nodeSelector
-	}
-}
-```
-
-## Create the Workload Cluster
-
-The Workload Cluster is where your applications and services will be deployed.
-In production this is usually an EKS, GKE, or AKS cluster.
-
-:::tip
-
-Holos supports any compliant Kubernetes cluster and was developed and tested on
-GKE, EKS, Talos, and Kubeadm clusters.
-
-:::
-
-<Tabs>
-  <TabItem value="evaluate" label="Evaluate" default>
-  Use this command when evaluating Holos.
-
-  ```bash
-  k3d cluster create workload \
-    --port "443:443@loadbalancer" \
-    --k3s-arg "--disable=traefik@server:0"
-  ```
-  </TabItem>
-  <TabItem value="develop" label="Develop" default>
-  Use this command when developing Holos.
-
-  ```bash
-  k3d registry create registry.holos.localhost --port 5100
-  ```
-
-  ```bash
-  k3d cluster create workload \
-    --registry-use k3d-registry.holos.localhost:5100 \
-    --port "443:443@loadbalancer" \
-    --k3s-arg "--disable=traefik@server:0"
-  ```
-  </TabItem>
-</Tabs>
-
-Traefik is disabled because Istio provides the same functionality.
-
-## Local CA
-
-Create and apply the `local-ca` Secret containing the CA private key. This
-Secret is necessary to issue certificates trusted by your browser when using the
-local k3d platform.
-
-```bash
-bash ./scripts/local-ca
-```
-
-:::note
-
-Admin access is necessary for `mkcert` to install the newly generated CA cert
-into your local host's trust store.
-
-:::
-
-## DNS Setup
-
-Configure your localhost to resolve `*.holos.localhost` to your loopback
-interface.  This is necessary for your browser requests to reach the k3d
-workload cluster.
-
-<Tabs>
-  <TabItem value="macos" label="macOS" default>
-    ```bash
-    brew install dnsmasq
-    ```
-
-    ```bash
-    cat <<EOF >"$(brew --prefix)/etc/dnsmasq.d/holos.localhost.conf"
-    # Refer to https://holos.run/docs/tutorial/local/k3d/
-    address=/holos.localhost/127.0.0.1
-    EOF
-    ```
-
-    ```bash
-    if [[ -r /Library/LaunchDaemons/homebrew.mxcl.dnsmasq.plist ]]; then
-      echo "dnsmasq already configured"
-    else
-      sudo cp "$(brew list dnsmasq | grep 'dnsmasq.plist$')" \
-        /Library/LaunchDaemons/homebrew.mxcl.dnsmasq.plist
-      sudo launchctl unload /Library/LaunchDaemons/homebrew.mxcl.dnsmasq.plist
-      sudo launchctl load /Library/LaunchDaemons/homebrew.mxcl.dnsmasq.plist
-      dscacheutil -flushcache
-      echo "dnsmasq configured"
-    fi
-    ```
-
-    ```bash
-    sudo mkdir -p /etc/resolver
-    sudo tee /etc/resolver/holos.localhost <<EOF
-    domain holos.localhost
-    nameserver 127.0.0.1
-    EOF
-    sudo killall -HUP mDNSResponder
-    ```
-  </TabItem>
-  <TabItem value="linux" label="Linux">
-    [NSS-myhostname](http://man7.org/linux/man-pages/man8/nss-myhostname.8.html)
-    ships with many Linux distributions and should resolve *.localhost
-    automatically to 127.0.0.1.
-
-    Otherwise it is installable with:
-
-    ```bash
-    sudo apt install libnss-myhostname
-    ```
-  </TabItem>
-  <TabItem value="windows" label="Windows">
-    Ensure the loopback interface has at least the following names in `C:\windows\system32\drivers\etc\hosts`
-
-		```
-    127.0.0.1 httpbin.holos.localhost argocd.holos.localhost app.holos.localhost
-		```
-  </TabItem>
-</Tabs>
-
-## Apply the Platform Components
-
-Use `kubectl` to apply each platform component.  In production, it's common to
-fully automate this process with ArgoCD, but we use `kubectl` in development
-and exploration contexts to the same effect.
-
-### Namespaces
-
-```bash
-kubectl apply --server-side=true -f ./deploy/clusters/workload/components/namespaces
-```
-
-### Custom Resource Definitions
-
-Services are exposed with standard `HTTPRoute` resources from the Gateway API.
-
-```bash
-kubectl apply --server-side=true -f ./deploy/clusters/workload/components/gateway-api
-kubectl apply --server-side=true -f ./deploy/clusters/workload/components/istio-base
-kubectl apply --server-side=true -f ./deploy/clusters/workload/components/argo-crds
-```
-
-### Cert Manager
-
-Apply the ClusterIssuer which issues Certificate resources using the local ca.
-
-```bash
-kubectl apply --server-side=true -f ./deploy/clusters/workload/components/cert-manager
-kubectl apply --server-side=true -f deploy/clusters/workload/components/local-ca
-kubectl apply --server-side=true -f deploy/clusters/workload/components/certificates
-```
-
-### Istio
-
-```bash
-kubectl apply --server-side=true -f ./deploy/clusters/workload/components/istio-cni
-kubectl apply --server-side=true -f ./deploy/clusters/workload/components/istiod
-kubectl apply --server-side=true -f ./deploy/clusters/workload/components/gateway
-```
-
-Verify the Gateway is programmed and the listeners have been accepted:
-
-```bash
-kubectl get -n istio-gateways gateway default -o json \
-  | jq -r '.status.conditions[].message'
-```
-
-```txt
-Resource accepted
-Resource programmed, assigned to service(s) default-istio.istio-gateways.svc.cluster.local:443
-```
-
-### httpbin
-
-httpbin is a simple backend service useful for end-to-end testing.
-
-```bash
-kubectl apply --server-side=true -f deploy/clusters/workload/components/httpbin-backend
-kubectl apply --server-side=true -f deploy/clusters/workload/components/httpbin-routes
-```
-
-:::important
-
-Browse to [https://httpbin.holos.localhost/](https://httpbin.holos.localhost/)
-to verify end to end connectivity.
-
-:::
-
-### Cookie Secret
-
-Generate a random cookie encryption Secret and apply.
-
-```bash
-LC_ALL=C tr -dc A-Za-z0-9 </dev/urandom \
-  | head -c 32 \
-  | kubectl create secret generic "authproxy" \
-    --from-file=cookiesecret=/dev/stdin \
-    --dry-run=client -o yaml \
-  | kubectl apply -n istio-gateways -f-
-```
-:::tip
-
-The Holos reference platform uses an ExternalSecret to automatically sync this
-Secret from your SecretStore.
-
-:::
-
-
-### Auth Proxy
-
-The auth proxy is responsible for authenticating web browser requests.  The auth
-proxy provides a standard oidc id token to all services integrated with the
-mesh.
-
-```bash
-kubectl apply --server-side=true -f deploy/clusters/workload/components/authproxy
-kubectl apply --server-side=true -f deploy/clusters/workload/components/authroutes
-```
-
-:::important
-
-Verify authentication is working by visiting
-[https://httpbin.holos.localhost/holos/authproxy](https://httpbin.holos.localhost/holos/authproxy).
-Expect a simple `Authenticated` response.
-
-:::
-
-:::note
-
-Istio will respond with `no healthy upstream` until the pod becomes ready.
-
-:::
-
-Once authenticated, visit
-[https://httpbin.holos.localhost/holos/authproxy/userinfo](https://httpbin.holos.localhost/holos/authproxy/userinfo)
-which returns a subset of claims from your id token:
-
-```json
-{
-  "user": "275552236589843464",
-  "email": "demo@holos.run",
-  "preferredUsername": "demo"
-}
-```
-
-### Auth Policy
-
-Configure authorization policies using the claims provided in the authenticated
-id token.
-
-```bash
-kubectl apply --server-side=true -f deploy/clusters/workload/components/authpolicy
-```
-
-:::important
-
-Requests to `https://httpbin.holos.localhost` are protected by
-AuthorizationPolicy platform resources after applying this component.
-
-:::
-
-### Zero Trust
-
-A basic Zero Trust security model is now in place.  Verify authentication is
-working by browsing to
-[https://httpbin.holos.localhost/dump/request](https://httpbin.holos.localhost/dump/request).
-
-:::note
-
-Istio make take a few seconds to program the Gateway with the
-AuthorizationPolicy resources.
-
-:::
-
-:::tip
-
-Note the `x-oidc-id-token` header is not sent by your browser but is received
-by the backend service.  This design reduces the risk of exposing id tokens.
-Requests over the internet are also smaller and more reliable because large id
-tokens with may claims are confined to the cluster.
-
-:::
-
-Verify unauthenticated requests are blocked:
-
-```bash
-curl https://httpbin.holos.localhost/dump/request
-```
-
-Expect a response that redirects to the identity provider.
-
-Verify authenticated requests are allowed:
-
-```bash
-curl -H x-oidc-id-token:$(holos token) https://httpbin.holos.localhost/dump/request
-```
-
-Expect a response from the backend httpbin service with the id token header the
-platform authenticated and authorized.
-
-:::tip
-
-Note how the platform secures both web browser and command line api access to
-the backend httpbin service.  httpbin itself has no authentication or
-authorization functionality.
-
-:::
-
-### ArgoCD
-
-ArgoCD automatically applies resources defined in Git similar to how this guide
-uses `kubectl apply`.
-
-Apply controller deployments and supporting resources.
-
-```bash
-kubectl apply --server-side=true -f ./deploy/clusters/workload/components/argo-cd
-kubectl apply --server-side=true -f ./deploy/clusters/workload/components/argo-authpolicy
-kubectl apply --server-side=true -f ./deploy/clusters/workload/components/argo-routes
-```
-
-Verify all Pods are running and all containers are ready.
-
-```bash
-kubectl get pods -n argocd
-```
-
-```txt
-NAME                                                READY   STATUS      RESTARTS   AGE
-argocd-application-controller-0                     1/1     Running     0          10s
-argocd-applicationset-controller-578db65fcd-lnn76   1/1     Running     0          10s
-argocd-notifications-controller-67c856dbb7-12stk    1/1     Running     0          10s
-argocd-redis-698f57d9b9-v4kqs                       1/1     Running     0          10s
-argocd-redis-secret-init-z5zg8                      0/1     Completed   0          10s
-argocd-repo-server-69f78dfb8-f6pb7                  1/1     Running     0          10s
-argocd-server-58f7f4466d-db5fv                      2/2     Running     0          10s
-```
-
-Browse to [https://argocd.holos.localhost/](https://argocd.holos.localhost/) and
-verify you get the ArgoCD login page.
-
-![ArgoCD Login Page](./argocd-login.png)
-
-:::note
-
-Both the platform layer and the ArgoCD application layer performs authentication
-and authorization using the same identity provider.  Note how the Zero Trust
-model provides an additional layer of security without friction.
-
-:::
-
-Login using the SSO button and verify you get to the Applications page.
-
-![ArgoCD Applications](./argocd-apps.png)
-
-### ArgoCD Applications
-
-Apply the Application resources for all of the Holos components that compose the
-platform.  The Application resources provide drift detection and optional
-automatic reconciliation of platform components.
-
-```bash
-kubectl apply --server-side=true -f deploy/clusters/workload/gitops
-```
-
-Browse to or refresh [https://argocd.holos.localhost/applications](https://argocd.holos.localhost/applications).
-
-![ArgoCD Holos Components](./argocd-apps-2.png)
-
-:::important
-
-If you do not see any applications after refreshing the page ensure the `sub`
-value in the Platform Model (`platform.config.json`) is correct and matches
-`holos login --print-claims`.
-
-:::
-
-### Sync Applications
-
-Navigate to the [namespaces Application](https://argocd.holos.localhost/applications/argocd/namespaces).
-
-![ArgoCD Out of Sync](./argocd-out-of-sync.png)
-
-Review the differences between the live platform and the git configuration.
-
-![ArgoCD Diff](./argocd-diff.png)
-
-Sync the application to reconcile the differences.
-
-![ArgoCD Sync](./argocd-sync.png)
-
-The Holos components should report Sync OK.
-
-![ArgoCD Sync OK](./argocd-sync-ok.png)
-
-:::tip
-
-Automatic reconciliation is turned off by default.
-
-:::
-
-Optionally enable automatic reconciliation by adding `spec.syncPolicy.automated:
-{}` to the `#Argo` definition.
-
-Add the following to `buildplan.site.cue` to avoid `holos generate platform k3d`
-writing over the customization.
-
-:::tip
-
-CUE merges definitions located in multiple files.  This feature is used to
-customize the platform.
-
-:::
-
-```bash
-cat <<EOF > buildplan.site.cue
-package holos
-// Enable automated sync of platform components.
-#Argo: Application: spec: syncPolicy: automated: {}
-EOF
-```
-
-Re-render the platform.
-
-```bash
-holos render platform ./platform
-```
-
-Add and commit the changes.
-
-```bash
-git add .
-git commit -m 'enable argocd automatic sync'
-git push origin HEAD
-```
-
-Apply the new changes.
-
-```bash
-kubectl apply --server-side=true -f deploy/clusters/workload/gitops
-```
-
-Automatic reconciliation is enabled for all platform components.
-
-![ArgoCD Automatic Sync OK](./argocd-auto-sync-ok.png)
-
-## Summary
-
-TODO
-
-1. Configured the Service Mesh with mTLS.
-2. Configured authentication and authorization.
-3. Protected a backend service without backend code changes.
-4. ArgoCD

doc/website/README.md

@@ -1,41 +1,34 @@
 # Website
 
-This website is built using [Docusaurus](https://docusaurus.io/), a modern static website generator.
+This website is built using [Docusaurus](https://docusaurus.io/), a modern
+static website generator.
 
-### Installation
+## Installation
 
-```
-$ yarn
+```shell
+npm install
 ```
 
 ### Local Development
 
-```
-$ yarn start
+```shell
+npm run start
 ```
 
-This command starts a local development server and opens up a browser window. Most changes are reflected live without having to restart the server.
+This command starts a local development server and opens up a browser window.
+Most changes are reflected live without having to restart the server.
 
 ### Build
 
-```
-$ yarn build
+```shell
+npm run build
 ```
 
-This command generates static content into the `build` directory and can be served using any static contents hosting service.
+This command generates static content into the `build` directory and can be
+served using any static contents hosting service.
 
 ### Deployment
 
-Using SSH:
-
-```
-$ USE_SSH=true yarn deploy
-```
-
-Not using SSH:
-
-```
-$ GIT_USER=<Your GitHub username> yarn deploy
-```
-
-If you are using GitHub pages for hosting, this command is a convenient way to build the website and push to the `gh-pages` branch.
+Deployments are made with Cloudflare Pages. Cloudflare deploys on changes to
+the main branch, and Pull Requests get comments with links to preview
+environments.

doc/website/docusaurus.config.ts

@@ -34,8 +34,22 @@ const config: Config = {
   markdown: {
     mermaid: true
   },
-  themes: ['@docusaurus/theme-mermaid'],
 
+  plugins: [
+    [
+      '@docusaurus/plugin-client-redirects',
+      {
+        redirects: [
+          {
+            to: "/docs/guides/try-holos/",
+            from: "/docs/tutorial/local/k3d/"
+          }
+        ],
+      },
+    ],
+  ],
+
+  themes: ['@docusaurus/theme-mermaid'],
   presets: [
     [
       'classic',
@@ -82,7 +96,7 @@ const config: Config = {
       items: [
         {
           type: 'doc',
-          docId: 'tutorial/local/k3d',
+          docId: 'guides/try-holos/index',
           position: 'left',
           label: 'Try Holos',
         },
@@ -120,7 +134,7 @@ const config: Config = {
           items: [
             {
               label: 'Try Holos Locally',
-              to: '/docs/tutorial/local/k3d',
+              to: '/docs/guides/try-holos',
             },
             {
               label: 'Documentation',

doc/website/package-lock.json

@@ -9,6 +9,7 @@
       "version": "0.0.0",
       "dependencies": {
         "@docusaurus/core": "3.4.0",
+        "@docusaurus/plugin-client-redirects": "^3.4.0",
         "@docusaurus/preset-classic": "3.4.0",
         "@docusaurus/theme-mermaid": "^3.4.0",
         "@mdx-js/react": "^3.0.0",
@@ -2971,6 +2972,29 @@
         "react-dom": "*"
       }
     },
+    "node_modules/@docusaurus/plugin-client-redirects": {
+      "version": "3.4.0",
+      "resolved": "https://registry.npmjs.org/@docusaurus/plugin-client-redirects/-/plugin-client-redirects-3.4.0.tgz",
+      "integrity": "sha512-Pr8kyh/+OsmYCvdZhc60jy/FnrY6flD2TEAhl4rJxeVFxnvvRgEhoaIVX8q9MuJmaQoh6frPk94pjs7/6YgBDQ==",
+      "dependencies": {
+        "@docusaurus/core": "3.4.0",
+        "@docusaurus/logger": "3.4.0",
+        "@docusaurus/utils": "3.4.0",
+        "@docusaurus/utils-common": "3.4.0",
+        "@docusaurus/utils-validation": "3.4.0",
+        "eta": "^2.2.0",
+        "fs-extra": "^11.1.1",
+        "lodash": "^4.17.21",
+        "tslib": "^2.6.0"
+      },
+      "engines": {
+        "node": ">=18.0"
+      },
+      "peerDependencies": {
+        "react": "^18.0.0",
+        "react-dom": "^18.0.0"
+      }
+    },
     "node_modules/@docusaurus/plugin-content-blog": {
       "version": "3.4.0",
       "resolved": "https://registry.npmjs.org/@docusaurus/plugin-content-blog/-/plugin-content-blog-3.4.0.tgz",

doc/website/package.json

@@ -16,6 +16,7 @@
   },
   "dependencies": {
     "@docusaurus/core": "3.4.0",
+    "@docusaurus/plugin-client-redirects": "^3.4.0",
     "@docusaurus/preset-classic": "3.4.0",
     "@docusaurus/theme-mermaid": "^3.4.0",
     "@mdx-js/react": "^3.0.0",

doc/website/sidebars.ts

@@ -15,10 +15,23 @@ const sidebars: SidebarsConfig = {
     'intro',
     {
       type: 'category',
-      label: 'Tutorial',
+      label: 'Guides',
       collapsed: false,
       items: [
-        'tutorial/local/k3d',
+        'guides/install',
+        'guides/try-holos/index',
+        'guides/try-holos/platform-manifests',
+        'guides/argocd/index',
+        'guides/backstage/index',
+        'guides/observability/index',
+      ],
+    },
+    {
+      type: 'category',
+      label: 'Design',
+      collapsed: false,
+      items: [
+        'design/rendering',
       ],
     },
     {

docs/examples/api/ListPlatform/listplatform.json

@@ -1,10 +0,0 @@
-{
-  "org_id": "018f36fb-e3f7-7f7f-a1c5-c85fb735d215",
-  "field_mask": {
-    "paths": [
-      "id",
-      "name",
-      "displayName"
-    ]
-  }
-}

docs/examples/api/UpdatePlatform/clearform.json

@@ -1,8 +0,0 @@
-{
-  "update_mask": {
-    "paths": ["form"]
-  },
-  "update": {
-    "platform_id": "018f36fb-e3ff-7f7f-a5d1-7ca2bf499e94"
-  }
-}

docs/examples/api/UpdatePlatform/model.json

@@ -1,11 +0,0 @@
-{
-  "update_mask": {
-    "paths": ["model","name","display_name"]
-  },
-  "update": {
-    "platform_id": "018f36fb-e3ff-7f7f-a5d1-7ca2bf499e94",
-    "name": "bareplatform",
-    "display_name": "Bare Platform",
-    "model": {}
-  }
-}

docs/examples/api/UpdatePlatform/nomask.json

@@ -1,6 +0,0 @@
-{
-  "update": {
-    "platform_id": "018f36fb-e3ff-7f7f-a5d1-7ca2bf499e94",
-    "model": {}
-  }
-}

docs/examples/authpolicy.cue

@@ -1,45 +0,0 @@
-package holos
-
-import ap "security.istio.io/authorizationpolicy/v1"
-
-// #AuthPolicyRules represents AuthorizationPolicy rules for hosts that need
-// specialized treatment.  Entries in this struct are excluded from
-// AuthorizationPolicy/authproxy-custom in the istio-ingress namespace.  Entries
-// are added to their own AuthorizationPolicy.
-#AuthPolicyRules: {
-	// AuthProxySpec represents the identity provider configuration
-	AuthProxySpec: #AuthProxySpec & #Platform.authproxy
-
-	// Hosts are hosts that need specialized treatment
-	hosts: {
-		[Name=_]: {
-			// name is the fully qualifed hostname, a Host: header value.
-			name: Name
-			// slug is the resource name prefix
-			slug: string
-			// NoAuthorizationPolicy disables an AuthorizationPolicy for the host
-			NoAuthorizationPolicy: true | *false
-
-			// Refer to https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule
-			spec: ap.#AuthorizationPolicySpec & {
-				action: "CUSTOM"
-				provider: name: AuthProxySpec.provider
-				selector: matchLabels: istio: "ingressgateway"
-			}
-		}
-	}
-
-	objects: #APIObjects & {
-		for Host in hosts {
-			if Host.NoAuthorizationPolicy == false {
-				apiObjects: {
-					AuthorizationPolicy: "\(Host.slug)-custom": {
-						metadata: namespace: "istio-ingress"
-						metadata: name:      "\(Host.slug)-custom"
-						spec: Host.spec
-					}
-				}
-			}
-		}
-	}
-}

docs/examples/cue.mod/gen/acme.cert-manager.io/order/v1/types_gen.cue

@@ -1,82 +0,0 @@
-// Code generated by timoni. DO NOT EDIT.
-
-//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-certmanager/prod-mesh-certmanager.gen.yaml
-
-package v1
-
-import "strings"
-
-// Order is a type to represent an Order with an ACME server
-#Order: {
-	// APIVersion defines the versioned schema of this representation
-	// of an object. Servers should convert recognized schemas to the
-	// latest internal value, and may reject unrecognized values.
-	// More info:
-	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-	apiVersion: "acme.cert-manager.io/v1"
-
-	// Kind is a string value representing the REST resource this
-	// object represents. Servers may infer this from the endpoint
-	// the client submits requests to. Cannot be updated. In
-	// CamelCase. More info:
-	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-	kind: "Order"
-	metadata: {
-		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
-			string
-		}
-		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
-			string
-		}
-		labels?: {
-			[string]: string
-		}
-		annotations?: {
-			[string]: string
-		}
-	}
-	spec!: #OrderSpec
-}
-#OrderSpec: {
-	// CommonName is the common name as specified on the DER encoded
-	// CSR. If specified, this value must also be present in
-	// `dnsNames` or `ipAddresses`. This field must match the
-	// corresponding field on the DER encoded CSR.
-	commonName?: string
-
-	// DNSNames is a list of DNS names that should be included as part
-	// of the Order validation process. This field must match the
-	// corresponding field on the DER encoded CSR.
-	dnsNames?: [...string]
-
-	// Duration is the duration for the not after date for the
-	// requested certificate. this is set on order creation as pe the
-	// ACME spec.
-	duration?: string
-
-	// IPAddresses is a list of IP addresses that should be included
-	// as part of the Order validation process. This field must match
-	// the corresponding field on the DER encoded CSR.
-	ipAddresses?: [...string]
-
-	// IssuerRef references a properly configured ACME-type Issuer
-	// which should be used to create this Order. If the Issuer does
-	// not exist, processing will be retried. If the Issuer is not an
-	// 'ACME' Issuer, an error will be returned and the Order will be
-	// marked as failed.
-	issuerRef: {
-		// Group of the resource being referred to.
-		group?: string
-
-		// Kind of the resource being referred to.
-		kind?: string
-
-		// Name of the resource being referred to.
-		name: string
-	}
-
-	// Certificate signing request bytes in DER encoding. This will be
-	// used when finalizing the order. This field must be set on the
-	// order.
-	request: string
-}

docs/examples/cue.mod/gen/argoproj.io/appproject/v1alpha1/types_gen.cue

@@ -1,189 +0,0 @@
-// Code generated by timoni. DO NOT EDIT.
-
-//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-platform-argocd/prod-platform-argocd.gen.yaml
-
-package v1alpha1
-
-import "strings"
-
-// AppProject provides a logical grouping of applications,
-// providing controls for: * where the apps may deploy to
-// (cluster whitelist) * what may be deployed (repository
-// whitelist, resource whitelist/blacklist) * who can access
-// these applications (roles, OIDC group claims bindings) * and
-// what they can do (RBAC policies) * automation access to these
-// roles (JWT tokens)
-#AppProject: {
-	// APIVersion defines the versioned schema of this representation
-	// of an object. Servers should convert recognized schemas to the
-	// latest internal value, and may reject unrecognized values.
-	// More info:
-	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-	apiVersion: "argoproj.io/v1alpha1"
-
-	// Kind is a string value representing the REST resource this
-	// object represents. Servers may infer this from the endpoint
-	// the client submits requests to. Cannot be updated. In
-	// CamelCase. More info:
-	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-	kind: "AppProject"
-	metadata: {
-		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
-			string
-		}
-		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
-			string
-		}
-		labels?: {
-			[string]: string
-		}
-		annotations?: {
-			[string]: string
-		}
-	}
-
-	// AppProjectSpec is the specification of an AppProject
-	spec!: #AppProjectSpec
-}
-
-// AppProjectSpec is the specification of an AppProject
-#AppProjectSpec: {
-	// ClusterResourceBlacklist contains list of blacklisted cluster
-	// level resources
-	clusterResourceBlacklist?: [...{
-		group: string
-		kind:  string
-	}]
-
-	// ClusterResourceWhitelist contains list of whitelisted cluster
-	// level resources
-	clusterResourceWhitelist?: [...{
-		group: string
-		kind:  string
-	}]
-
-	// Description contains optional project description
-	description?: string
-
-	// Destinations contains list of destinations available for
-	// deployment
-	destinations?: [...{
-		// Name is an alternate way of specifying the target cluster by
-		// its symbolic name. This must be set if Server is not set.
-		name?: string
-
-		// Namespace specifies the target namespace for the application's
-		// resources. The namespace will only be set for namespace-scoped
-		// resources that have not set a value for .metadata.namespace
-		namespace?: string
-
-		// Server specifies the URL of the target cluster's Kubernetes
-		// control plane API. This must be set if Name is not set.
-		server?: string
-	}]
-
-	// NamespaceResourceBlacklist contains list of blacklisted
-	// namespace level resources
-	namespaceResourceBlacklist?: [...{
-		group: string
-		kind:  string
-	}]
-
-	// NamespaceResourceWhitelist contains list of whitelisted
-	// namespace level resources
-	namespaceResourceWhitelist?: [...{
-		group: string
-		kind:  string
-	}]
-
-	// OrphanedResources specifies if controller should monitor
-	// orphaned resources of apps in this project
-	orphanedResources?: {
-		// Ignore contains a list of resources that are to be excluded
-		// from orphaned resources monitoring
-		ignore?: [...{
-			group?: string
-			kind?:  string
-			name?:  string
-		}]
-
-		// Warn indicates if warning condition should be created for apps
-		// which have orphaned resources
-		warn?: bool
-	}
-
-	// PermitOnlyProjectScopedClusters determines whether destinations
-	// can only reference clusters which are project-scoped
-	permitOnlyProjectScopedClusters?: bool
-
-	// Roles are user defined RBAC roles associated with this project
-	roles?: [...{
-		// Description is a description of the role
-		description?: string
-
-		// Groups are a list of OIDC group claims bound to this role
-		groups?: [...string]
-
-		// JWTTokens are a list of generated JWT tokens bound to this role
-		jwtTokens?: [...{
-			exp?: int
-			iat:  int
-			id?:  string
-		}]
-
-		// Name is a name for this role
-		name: string
-
-		// Policies Stores a list of casbin formatted strings that define
-		// access policies for the role in the project
-		policies?: [...string]
-	}]
-
-	// SignatureKeys contains a list of PGP key IDs that commits in
-	// Git must be signed with in order to be allowed for sync
-	signatureKeys?: [...{
-		// The ID of the key in hexadecimal notation
-		keyID: string
-	}]
-
-	// SourceNamespaces defines the namespaces application resources
-	// are allowed to be created in
-	sourceNamespaces?: [...string]
-
-	// SourceRepos contains list of repository URLs which can be used
-	// for deployment
-	sourceRepos?: [...string]
-
-	// SyncWindows controls when syncs can be run for apps in this
-	// project
-	syncWindows?: [...{
-		// Applications contains a list of applications that the window
-		// will apply to
-		applications?: [...string]
-
-		// Clusters contains a list of clusters that the window will apply
-		// to
-		clusters?: [...string]
-
-		// Duration is the amount of time the sync window will be open
-		duration?: string
-
-		// Kind defines if the window allows or blocks syncs
-		kind?: string
-
-		// ManualSync enables manual syncs when they would otherwise be
-		// blocked
-		manualSync?: bool
-
-		// Namespaces contains a list of namespaces that the window will
-		// apply to
-		namespaces?: [...string]
-
-		// Schedule is the time the window will begin, specified in cron
-		// format
-		schedule?: string
-
-		// TimeZone of the sync that will be applied to the schedule
-		timeZone?: string
-	}]
-}

docs/examples/cue.mod/gen/cert-manager.io/certificate/v1/types_gen.cue

@@ -1,422 +0,0 @@
-// Code generated by timoni. DO NOT EDIT.
-
-//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-certmanager/prod-mesh-certmanager.gen.yaml
-
-package v1
-
-import "strings"
-
-// A Certificate resource should be created to ensure an up to
-// date and signed X.509 certificate is stored in the Kubernetes
-// Secret resource named in `spec.secretName`.
-// The stored certificate will be renewed before it expires (as
-// configured by `spec.renewBefore`).
-#Certificate: {
-	// APIVersion defines the versioned schema of this representation
-	// of an object. Servers should convert recognized schemas to the
-	// latest internal value, and may reject unrecognized values.
-	// More info:
-	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-	apiVersion: "cert-manager.io/v1"
-
-	// Kind is a string value representing the REST resource this
-	// object represents. Servers may infer this from the endpoint
-	// the client submits requests to. Cannot be updated. In
-	// CamelCase. More info:
-	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-	kind: "Certificate"
-	metadata!: {
-		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
-			string
-		}
-		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
-			string
-		}
-		labels?: {
-			[string]: string
-		}
-		annotations?: {
-			[string]: string
-		}
-	}
-
-	// Specification of the desired state of the Certificate resource.
-	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
-	spec!: #CertificateSpec
-}
-
-// Specification of the desired state of the Certificate resource.
-// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
-#CertificateSpec: {
-	// Defines extra output formats of the private key and signed
-	// certificate chain to be written to this Certificate's target
-	// Secret.
-	// This is an Alpha Feature and is only enabled with the
-	// `--feature-gates=AdditionalCertificateOutputFormats=true`
-	// option set on both the controller and webhook components.
-	additionalOutputFormats?: [...{
-		// Type is the name of the format type that should be written to
-		// the Certificate's target Secret.
-		type: "DER" | "CombinedPEM"
-	}]
-
-	// Requested common name X509 certificate subject attribute. More
-	// info:
-	// https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
-	// NOTE: TLS clients will ignore this value when any subject
-	// alternative name is set (see
-	// https://tools.ietf.org/html/rfc6125#section-6.4.4).
-	// Should have a length of 64 characters or fewer to avoid
-	// generating invalid CSRs. Cannot be set if the `literalSubject`
-	// field is set.
-	commonName?: string
-
-	// Requested DNS subject alternative names.
-	dnsNames?: [...string]
-
-	// Requested 'duration' (i.e. lifetime) of the Certificate. Note
-	// that the issuer may choose to ignore the requested duration,
-	// just like any other requested attribute.
-	// If unset, this defaults to 90 days. Minimum accepted duration
-	// is 1 hour. Value must be in units accepted by Go
-	// time.ParseDuration https://golang.org/pkg/time/#ParseDuration.
-	duration?: string
-
-	// Requested email subject alternative names.
-	emailAddresses?: [...string]
-
-	// Whether the KeyUsage and ExtKeyUsage extensions should be set
-	// in the encoded CSR.
-	// This option defaults to true, and should only be disabled if
-	// the target issuer does not support CSRs with these X509
-	// KeyUsage/ ExtKeyUsage extensions.
-	encodeUsagesInRequest?: bool
-
-	// Requested IP address subject alternative names.
-	ipAddresses?: [...string]
-
-	// Requested basic constraints isCA value. The isCA value is used
-	// to set the `isCA` field on the created CertificateRequest
-	// resources. Note that the issuer may choose to ignore the
-	// requested isCA value, just like any other requested attribute.
-	// If true, this will automatically add the `cert sign` usage to
-	// the list of requested `usages`.
-	isCA?: bool
-
-	// Reference to the issuer responsible for issuing the
-	// certificate. If the issuer is namespace-scoped, it must be in
-	// the same namespace as the Certificate. If the issuer is
-	// cluster-scoped, it can be used from any namespace.
-	// The `name` field of the reference must always be specified.
-	issuerRef: {
-		// Group of the resource being referred to.
-		group?: string
-
-		// Kind of the resource being referred to.
-		kind?: string
-
-		// Name of the resource being referred to.
-		name: string
-	}
-
-	// Additional keystore output formats to be stored in the
-	// Certificate's Secret.
-	keystores?: {
-		// JKS configures options for storing a JKS keystore in the
-		// `spec.secretName` Secret resource.
-		jks?: {
-			// Create enables JKS keystore creation for the Certificate. If
-			// true, a file named `keystore.jks` will be created in the
-			// target Secret resource, encrypted using the password stored in
-			// `passwordSecretRef`. The keystore file will be updated
-			// immediately. If the issuer provided a CA certificate, a file
-			// named `truststore.jks` will also be created in the target
-			// Secret resource, encrypted using the password stored in
-			// `passwordSecretRef` containing the issuing Certificate
-			// Authority
-			create: bool
-
-			// PasswordSecretRef is a reference to a key in a Secret resource
-			// containing the password used to encrypt the JKS keystore.
-			passwordSecretRef: {
-				// The key of the entry in the Secret resource's `data` field to
-				// be used. Some instances of this field may be defaulted, in
-				// others it may be required.
-				key?: string
-
-				// Name of the resource being referred to. More info:
-				// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-				name: string
-			}
-		}
-
-		// PKCS12 configures options for storing a PKCS12 keystore in the
-		// `spec.secretName` Secret resource.
-		pkcs12?: {
-			// Create enables PKCS12 keystore creation for the Certificate. If
-			// true, a file named `keystore.p12` will be created in the
-			// target Secret resource, encrypted using the password stored in
-			// `passwordSecretRef`. The keystore file will be updated
-			// immediately. If the issuer provided a CA certificate, a file
-			// named `truststore.p12` will also be created in the target
-			// Secret resource, encrypted using the password stored in
-			// `passwordSecretRef` containing the issuing Certificate
-			// Authority
-			create: bool
-
-			// PasswordSecretRef is a reference to a key in a Secret resource
-			// containing the password used to encrypt the PKCS12 keystore.
-			passwordSecretRef: {
-				// The key of the entry in the Secret resource's `data` field to
-				// be used. Some instances of this field may be defaulted, in
-				// others it may be required.
-				key?: string
-
-				// Name of the resource being referred to. More info:
-				// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-				name: string
-			}
-
-			// Profile specifies the key and certificate encryption algorithms
-			// and the HMAC algorithm used to create the PKCS12 keystore.
-			// Default value is `LegacyRC2` for backward compatibility.
-			// If provided, allowed values are: `LegacyRC2`: Deprecated. Not
-			// supported by default in OpenSSL 3 or Java 20. `LegacyDES`:
-			// Less secure algorithm. Use this option for maximal
-			// compatibility. `Modern2023`: Secure algorithm. Use this option
-			// in case you have to always use secure algorithms (eg. because
-			// of company policy). Please note that the security of the
-			// algorithm is not that important in reality, because the
-			// unencrypted certificate and private key are also stored in the
-			// Secret.
-			profile?: "LegacyRC2" | "LegacyDES" | "Modern2023"
-		}
-	}
-
-	// Requested X.509 certificate subject, represented using the LDAP
-	// "String Representation of a Distinguished Name" [1].
-	// Important: the LDAP string format also specifies the order of
-	// the attributes in the subject, this is important when issuing
-	// certs for LDAP authentication. Example:
-	// `CN=foo,DC=corp,DC=example,DC=com` More info [1]:
-	// https://datatracker.ietf.org/doc/html/rfc4514 More info:
-	// https://github.com/cert-manager/cert-manager/issues/3203 More
-	// info: https://github.com/cert-manager/cert-manager/issues/4424
-	// Cannot be set if the `subject` or `commonName` field is set.
-	// This is an Alpha Feature and is only enabled with the
-	// `--feature-gates=LiteralCertificateSubject=true` option set on
-	// both the controller and webhook components.
-	literalSubject?: string
-
-	// x.509 certificate NameConstraint extension which MUST NOT be
-	// used in a non-CA certificate. More Info:
-	// https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10
-	// This is an Alpha Feature and is only enabled with the
-	// `--feature-gates=NameConstraints=true` option set on both the
-	// controller and webhook components.
-	nameConstraints?: {
-		// if true then the name constraints are marked critical.
-		critical?: bool
-
-		// Excluded contains the constraints which must be disallowed. Any
-		// name matching a restriction in the excluded field is invalid
-		// regardless of information appearing in the permitted
-		excluded?: {
-			// DNSDomains is a list of DNS domains that are permitted or
-			// excluded.
-			dnsDomains?: [...string]
-
-			// EmailAddresses is a list of Email Addresses that are permitted
-			// or excluded.
-			emailAddresses?: [...string]
-
-			// IPRanges is a list of IP Ranges that are permitted or excluded.
-			// This should be a valid CIDR notation.
-			ipRanges?: [...string]
-
-			// URIDomains is a list of URI domains that are permitted or
-			// excluded.
-			uriDomains?: [...string]
-		}
-
-		// Permitted contains the constraints in which the names must be
-		// located.
-		permitted?: {
-			// DNSDomains is a list of DNS domains that are permitted or
-			// excluded.
-			dnsDomains?: [...string]
-
-			// EmailAddresses is a list of Email Addresses that are permitted
-			// or excluded.
-			emailAddresses?: [...string]
-
-			// IPRanges is a list of IP Ranges that are permitted or excluded.
-			// This should be a valid CIDR notation.
-			ipRanges?: [...string]
-
-			// URIDomains is a list of URI domains that are permitted or
-			// excluded.
-			uriDomains?: [...string]
-		}
-	}
-
-	// `otherNames` is an escape hatch for SAN that allows any type.
-	// We currently restrict the support to string like otherNames,
-	// cf RFC 5280 p 37 Any UTF8 String valued otherName can be
-	// passed with by setting the keys oid: x.x.x.x and UTF8Value:
-	// somevalue for `otherName`. Most commonly this would be UPN set
-	// with oid: 1.3.6.1.4.1.311.20.2.3 You should ensure that any
-	// OID passed is valid for the UTF8String type as we do not
-	// explicitly validate this.
-	otherNames?: [...{
-		// OID is the object identifier for the otherName SAN. The object
-		// identifier must be expressed as a dotted string, for example,
-		// "1.2.840.113556.1.4.221".
-		oid?: string
-
-		// utf8Value is the string value of the otherName SAN. The
-		// utf8Value accepts any valid UTF8 string to set as value for
-		// the otherName SAN.
-		utf8Value?: string
-	}]
-
-	// Private key options. These include the key algorithm and size,
-	// the used encoding and the rotation policy.
-	privateKey?: {
-		// Algorithm is the private key algorithm of the corresponding
-		// private key for this certificate.
-		// If provided, allowed values are either `RSA`, `ECDSA` or
-		// `Ed25519`. If `algorithm` is specified and `size` is not
-		// provided, key size of 2048 will be used for `RSA` key
-		// algorithm and key size of 256 will be used for `ECDSA` key
-		// algorithm. key size is ignored when using the `Ed25519` key
-		// algorithm.
-		algorithm?: "RSA" | "ECDSA" | "Ed25519"
-
-		// The private key cryptography standards (PKCS) encoding for this
-		// certificate's private key to be encoded in.
-		// If provided, allowed values are `PKCS1` and `PKCS8` standing
-		// for PKCS#1 and PKCS#8, respectively. Defaults to `PKCS1` if
-		// not specified.
-		encoding?: "PKCS1" | "PKCS8"
-
-		// RotationPolicy controls how private keys should be regenerated
-		// when a re-issuance is being processed.
-		// If set to `Never`, a private key will only be generated if one
-		// does not already exist in the target `spec.secretName`. If one
-		// does exists but it does not have the correct algorithm or
-		// size, a warning will be raised to await user intervention. If
-		// set to `Always`, a private key matching the specified
-		// requirements will be generated whenever a re-issuance occurs.
-		// Default is `Never` for backward compatibility.
-		rotationPolicy?: "Never" | "Always"
-
-		// Size is the key bit size of the corresponding private key for
-		// this certificate.
-		// If `algorithm` is set to `RSA`, valid values are `2048`, `4096`
-		// or `8192`, and will default to `2048` if not specified. If
-		// `algorithm` is set to `ECDSA`, valid values are `256`, `384`
-		// or `521`, and will default to `256` if not specified. If
-		// `algorithm` is set to `Ed25519`, Size is ignored. No other
-		// values are allowed.
-		size?: int
-	}
-
-	// How long before the currently issued certificate's expiry
-	// cert-manager should renew the certificate. For example, if a
-	// certificate is valid for 60 minutes, and `renewBefore=10m`,
-	// cert-manager will begin to attempt to renew the certificate 50
-	// minutes after it was issued (i.e. when there are 10 minutes
-	// remaining until the certificate is no longer valid).
-	// NOTE: The actual lifetime of the issued certificate is used to
-	// determine the renewal time. If an issuer returns a certificate
-	// with a different lifetime than the one requested, cert-manager
-	// will use the lifetime of the issued certificate.
-	// If unset, this defaults to 1/3 of the issued certificate's
-	// lifetime. Minimum accepted value is 5 minutes. Value must be
-	// in units accepted by Go time.ParseDuration
-	// https://golang.org/pkg/time/#ParseDuration.
-	renewBefore?: string
-
-	// The maximum number of CertificateRequest revisions that are
-	// maintained in the Certificate's history. Each revision
-	// represents a single `CertificateRequest` created by this
-	// Certificate, either when it was created, renewed, or Spec was
-	// changed. Revisions will be removed by oldest first if the
-	// number of revisions exceeds this number.
-	// If set, revisionHistoryLimit must be a value of `1` or greater.
-	// If unset (`nil`), revisions will not be garbage collected.
-	// Default value is `nil`.
-	revisionHistoryLimit?: int
-
-	// Name of the Secret resource that will be automatically created
-	// and managed by this Certificate resource. It will be populated
-	// with a private key and certificate, signed by the denoted
-	// issuer. The Secret resource lives in the same namespace as the
-	// Certificate resource.
-	secretName: string
-
-	// Defines annotations and labels to be copied to the
-	// Certificate's Secret. Labels and annotations on the Secret
-	// will be changed as they appear on the SecretTemplate when
-	// added or removed. SecretTemplate annotations are added in
-	// conjunction with, and cannot overwrite, the base set of
-	// annotations cert-manager sets on the Certificate's Secret.
-	secretTemplate?: {
-		// Annotations is a key value map to be copied to the target
-		// Kubernetes Secret.
-		annotations?: {
-			[string]: string
-		}
-
-		// Labels is a key value map to be copied to the target Kubernetes
-		// Secret.
-		labels?: {
-			[string]: string
-		}
-	}
-
-	// Requested set of X509 certificate subject attributes. More
-	// info:
-	// https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
-	// The common name attribute is specified separately in the
-	// `commonName` field. Cannot be set if the `literalSubject`
-	// field is set.
-	subject?: {
-		// Countries to be used on the Certificate.
-		countries?: [...string]
-
-		// Cities to be used on the Certificate.
-		localities?: [...string]
-
-		// Organizational Units to be used on the Certificate.
-		organizationalUnits?: [...string]
-
-		// Organizations to be used on the Certificate.
-		organizations?: [...string]
-
-		// Postal codes to be used on the Certificate.
-		postalCodes?: [...string]
-
-		// State/Provinces to be used on the Certificate.
-		provinces?: [...string]
-
-		// Serial number to be used on the Certificate.
-		serialNumber?: string
-
-		// Street addresses to be used on the Certificate.
-		streetAddresses?: [...string]
-	}
-
-	// Requested URI subject alternative names.
-	uris?: [...string]
-
-	// Requested key usages and extended key usages. These usages are
-	// used to set the `usages` field on the created
-	// CertificateRequest resources. If `encodeUsagesInRequest` is
-	// unset or set to `true`, the usages will additionally be
-	// encoded in the `request` field which contains the CSR blob.
-	// If unset, defaults to `digital signature` and `key
-	// encipherment`.
-	usages?: [..."signing" | "digital signature" | "content commitment" | "key encipherment" | "key agreement" | "data encipherment" | "cert sign" | "crl sign" | "encipher only" | "decipher only" | "any" | "server auth" | "client auth" | "code signing" | "email protection" | "s/mime" | "ipsec end system" | "ipsec tunnel" | "ipsec user" | "timestamping" | "ocsp signing" | "microsoft sgc" | "netscape sgc"]
-}

docs/examples/cue.mod/gen/cert-manager.io/certificaterequest/v1/types_gen.cue

@@ -1,127 +0,0 @@
-// Code generated by timoni. DO NOT EDIT.
-
-//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-certmanager/prod-mesh-certmanager.gen.yaml
-
-package v1
-
-import "strings"
-
-// A CertificateRequest is used to request a signed certificate
-// from one of the configured issuers.
-// All fields within the CertificateRequest's `spec` are immutable
-// after creation. A CertificateRequest will either succeed or
-// fail, as denoted by its `Ready` status condition and its
-// `status.failureTime` field.
-// A CertificateRequest is a one-shot resource, meaning it
-// represents a single point in time request for a certificate
-// and cannot be re-used.
-#CertificateRequest: {
-	// APIVersion defines the versioned schema of this representation
-	// of an object. Servers should convert recognized schemas to the
-	// latest internal value, and may reject unrecognized values.
-	// More info:
-	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-	apiVersion: "cert-manager.io/v1"
-
-	// Kind is a string value representing the REST resource this
-	// object represents. Servers may infer this from the endpoint
-	// the client submits requests to. Cannot be updated. In
-	// CamelCase. More info:
-	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-	kind: "CertificateRequest"
-	metadata!: {
-		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
-			string
-		}
-		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
-			string
-		}
-		labels?: {
-			[string]: string
-		}
-		annotations?: {
-			[string]: string
-		}
-	}
-
-	// Specification of the desired state of the CertificateRequest
-	// resource.
-	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
-	spec!: #CertificateRequestSpec
-}
-
-// Specification of the desired state of the CertificateRequest
-// resource.
-// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
-#CertificateRequestSpec: {
-	// Requested 'duration' (i.e. lifetime) of the Certificate. Note
-	// that the issuer may choose to ignore the requested duration,
-	// just like any other requested attribute.
-	duration?: string
-
-	// Extra contains extra attributes of the user that created the
-	// CertificateRequest. Populated by the cert-manager webhook on
-	// creation and immutable.
-	extra?: {
-		[string]: [...string]
-	}
-
-	// Groups contains group membership of the user that created the
-	// CertificateRequest. Populated by the cert-manager webhook on
-	// creation and immutable.
-	groups?: [...string]
-
-	// Requested basic constraints isCA value. Note that the issuer
-	// may choose to ignore the requested isCA value, just like any
-	// other requested attribute.
-	// NOTE: If the CSR in the `Request` field has a BasicConstraints
-	// extension, it must have the same isCA value as specified here.
-	// If true, this will automatically add the `cert sign` usage to
-	// the list of requested `usages`.
-	isCA?: bool
-
-	// Reference to the issuer responsible for issuing the
-	// certificate. If the issuer is namespace-scoped, it must be in
-	// the same namespace as the Certificate. If the issuer is
-	// cluster-scoped, it can be used from any namespace.
-	// The `name` field of the reference must always be specified.
-	issuerRef: {
-		// Group of the resource being referred to.
-		group?: string
-
-		// Kind of the resource being referred to.
-		kind?: string
-
-		// Name of the resource being referred to.
-		name: string
-	}
-
-	// The PEM-encoded X.509 certificate signing request to be
-	// submitted to the issuer for signing.
-	// If the CSR has a BasicConstraints extension, its isCA attribute
-	// must match the `isCA` value of this CertificateRequest. If the
-	// CSR has a KeyUsage extension, its key usages must match the
-	// key usages in the `usages` field of this CertificateRequest.
-	// If the CSR has a ExtKeyUsage extension, its extended key
-	// usages must match the extended key usages in the `usages`
-	// field of this CertificateRequest.
-	request: string
-
-	// UID contains the uid of the user that created the
-	// CertificateRequest. Populated by the cert-manager webhook on
-	// creation and immutable.
-	uid?: string
-
-	// Requested key usages and extended key usages.
-	// NOTE: If the CSR in the `Request` field has uses the KeyUsage
-	// or ExtKeyUsage extension, these extensions must have the same
-	// values as specified here without any additional values.
-	// If unset, defaults to `digital signature` and `key
-	// encipherment`.
-	usages?: [..."signing" | "digital signature" | "content commitment" | "key encipherment" | "key agreement" | "data encipherment" | "cert sign" | "crl sign" | "encipher only" | "decipher only" | "any" | "server auth" | "client auth" | "code signing" | "email protection" | "s/mime" | "ipsec end system" | "ipsec tunnel" | "ipsec user" | "timestamping" | "ocsp signing" | "microsoft sgc" | "netscape sgc"]
-
-	// Username contains the name of the user that created the
-	// CertificateRequest. Populated by the cert-manager webhook on
-	// creation and immutable.
-	username?: string
-}

docs/examples/cue.mod/gen/extensions.istio.io/wasmplugin/v1alpha1/types_gen.cue

@@ -1,123 +0,0 @@
-// Code generated by timoni. DO NOT EDIT.
-
-//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
-
-package v1alpha1
-
-import (
-	"strings"
-	"list"
-)
-
-#WasmPlugin: {
-	// Extend the functionality provided by the Istio proxy through
-	// WebAssembly filters. See more details at:
-	// https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html
-	spec!:      #WasmPluginSpec
-	apiVersion: "extensions.istio.io/v1alpha1"
-	kind:       "WasmPlugin"
-	metadata!: {
-		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
-			string
-		}
-		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
-			string
-		}
-		labels?: {
-			[string]: string
-		}
-		annotations?: {
-			[string]: string
-		}
-	}
-}
-
-// Extend the functionality provided by the Istio proxy through
-// WebAssembly filters. See more details at:
-// https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html
-#WasmPluginSpec: {
-	// Specifies the failure behavior for the plugin due to fatal
-	// errors.
-	failStrategy?: "FAIL_CLOSE" | "FAIL_OPEN"
-
-	// The pull behaviour to be applied when fetching Wasm module by
-	// either OCI image or http/https.
-	imagePullPolicy?: "UNSPECIFIED_POLICY" | "IfNotPresent" | "Always"
-
-	// Credentials to use for OCI image pulling.
-	imagePullSecret?: strings.MaxRunes(253) & strings.MinRunes(1)
-
-	// Specifies the criteria to determine which traffic is passed to
-	// WasmPlugin.
-	match?: [...{
-		// Criteria for selecting traffic by their direction.
-		mode?: "UNDEFINED" | "CLIENT" | "SERVER" | "CLIENT_AND_SERVER"
-
-		// Criteria for selecting traffic by their destination port.
-		ports?: [...{
-			number: uint16 & >=1
-		}]
-	}]
-
-	// Determines where in the filter chain this `WasmPlugin` is to be
-	// injected.
-	phase?: "UNSPECIFIED_PHASE" | "AUTHN" | "AUTHZ" | "STATS"
-
-	// The configuration that will be passed on to the plugin.
-	pluginConfig?: {
-		...
-	}
-
-	// The plugin name to be used in the Envoy configuration (used to
-	// be called `rootID`).
-	pluginName?: strings.MaxRunes(256) & strings.MinRunes(1)
-
-	// Determines ordering of `WasmPlugins` in the same `phase`.
-	priority?: null | int
-	selector?: {
-		// One or more labels that indicate a specific set of pods/VMs on
-		// which a policy should be applied.
-		matchLabels?: {
-			[string]: string
-		}
-	}
-
-	// SHA256 checksum that will be used to verify Wasm module or OCI
-	// container.
-	sha256?: =~"(^$|^[a-f0-9]{64}$)"
-
-	// Optional.
-	targetRef?: {
-		// group is the group of the target resource.
-		group?: string
-
-		// kind is kind of the target resource.
-		kind?: string
-
-		// name is the name of the target resource.
-		name?: string
-
-		// namespace is the namespace of the referent.
-		namespace?: string
-	}
-
-	// Specifies the type of Wasm Extension to be used.
-	type?: "UNSPECIFIED_PLUGIN_TYPE" | "HTTP" | "NETWORK"
-
-	// URL of a Wasm module or OCI container.
-	url:              strings.MinRunes(1)
-	verificationKey?: string
-	vmConfig?: {
-		// Specifies environment variables to be injected to this VM.
-		env?: list.MaxItems(256) & [...{
-			// Name of the environment variable.
-			name: strings.MaxRunes(256) & strings.MinRunes(1)
-
-			// Value for the environment variable.
-			value?: strings.MaxRunes(2048)
-
-			// Source for the environment variable's value.
-			valueFrom?: "INLINE" | "HOST"
-		}]
-	}
-}

docs/examples/cue.mod/gen/external-secrets.io/clusterexternalsecret/v1beta1/types_gen.cue

@@ -1,378 +0,0 @@
-// Code generated by timoni. DO NOT EDIT.
-
-//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-secrets-eso/prod-secrets-eso.gen.yaml
-
-package v1beta1
-
-import (
-	"strings"
-	"struct"
-)
-
-// ClusterExternalSecret is the Schema for the
-// clusterexternalsecrets API.
-#ClusterExternalSecret: {
-	// APIVersion defines the versioned schema of this representation
-	// of an object.
-	// Servers should convert recognized schemas to the latest
-	// internal value, and
-	// may reject unrecognized values.
-	// More info:
-	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-	apiVersion: "external-secrets.io/v1beta1"
-
-	// Kind is a string value representing the REST resource this
-	// object represents.
-	// Servers may infer this from the endpoint the client submits
-	// requests to.
-	// Cannot be updated.
-	// In CamelCase.
-	// More info:
-	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-	kind: "ClusterExternalSecret"
-	metadata!: {
-		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
-			string
-		}
-		namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & {
-			string
-		}
-		labels?: {
-			[string]: string
-		}
-		annotations?: {
-			[string]: string
-		}
-	}
-
-	// ClusterExternalSecretSpec defines the desired state of
-	// ClusterExternalSecret.
-	spec!: #ClusterExternalSecretSpec
-}
-
-// ClusterExternalSecretSpec defines the desired state of
-// ClusterExternalSecret.
-#ClusterExternalSecretSpec: {
-	// The metadata of the external secrets to be created
-	externalSecretMetadata?: {
-		annotations?: {
-			[string]: string
-		}
-		labels?: {
-			[string]: string
-		}
-	}
-
-	// The name of the external secrets to be created defaults to the
-	// name of the ClusterExternalSecret
-	externalSecretName?: string
-
-	// The spec for the ExternalSecrets to be created
-	externalSecretSpec: {
-		// Data defines the connection between the Kubernetes Secret keys
-		// and the Provider data
-		data?: [...{
-			// RemoteRef points to the remote secret and defines
-			// which secret (version/property/..) to fetch.
-			remoteRef: {
-				// Used to define a conversion Strategy
-				conversionStrategy?: "Default" | "Unicode" | *"Default"
-
-				// Used to define a decoding Strategy
-				decodingStrategy?: "Auto" | "Base64" | "Base64URL" | "None" | *"None"
-
-				// Key is the key used in the Provider, mandatory
-				key: string
-
-				// Policy for fetching tags/labels from provider secrets, possible
-				// options are Fetch, None. Defaults to None
-				metadataPolicy?: "None" | "Fetch" | *"None"
-
-				// Used to select a specific property of the Provider value (if a
-				// map), if supported
-				property?: string
-
-				// Used to select a specific version of the Provider value, if
-				// supported
-				version?: string
-			}
-
-			// SecretKey defines the key in which the controller stores
-			// the value. This is the key in the Kind=Secret
-			secretKey: string
-
-			// SourceRef allows you to override the source
-			// from which the value will pulled from.
-			sourceRef?: struct.MaxFields(1) & {
-				// GeneratorRef points to a generator custom resource.
-				//
-				//
-				// Deprecated: The generatorRef is not implemented in .data[].
-				// this will be removed with v1.
-				generatorRef?: {
-					// Specify the apiVersion of the generator resource
-					apiVersion?: string | *"generators.external-secrets.io/v1alpha1"
-
-					// Specify the Kind of the resource, e.g. Password, ACRAccessToken
-					// etc.
-					kind: string
-
-					// Specify the name of the generator resource
-					name: string
-				}
-
-				// SecretStoreRef defines which SecretStore to fetch the
-				// ExternalSecret data.
-				storeRef?: {
-					// Kind of the SecretStore resource (SecretStore or
-					// ClusterSecretStore)
-					// Defaults to `SecretStore`
-					kind?: string
-
-					// Name of the SecretStore resource
-					name: string
-				}
-			}
-		}]
-
-		// DataFrom is used to fetch all properties from a specific
-		// Provider data
-		// If multiple entries are specified, the Secret keys are merged
-		// in the specified order
-		dataFrom?: [...{
-			// Used to extract multiple key/value pairs from one secret
-			// Note: Extract does not support sourceRef.Generator or
-			// sourceRef.GeneratorRef.
-			extract?: {
-				// Used to define a conversion Strategy
-				conversionStrategy?: "Default" | "Unicode" | *"Default"
-
-				// Used to define a decoding Strategy
-				decodingStrategy?: "Auto" | "Base64" | "Base64URL" | "None" | *"None"
-
-				// Key is the key used in the Provider, mandatory
-				key: string
-
-				// Policy for fetching tags/labels from provider secrets, possible
-				// options are Fetch, None. Defaults to None
-				metadataPolicy?: "None" | "Fetch" | *"None"
-
-				// Used to select a specific property of the Provider value (if a
-				// map), if supported
-				property?: string
-
-				// Used to select a specific version of the Provider value, if
-				// supported
-				version?: string
-			}
-
-			// Used to find secrets based on tags or regular expressions
-			// Note: Find does not support sourceRef.Generator or
-			// sourceRef.GeneratorRef.
-			find?: {
-				// Used to define a conversion Strategy
-				conversionStrategy?: "Default" | "Unicode" | *"Default"
-
-				// Used to define a decoding Strategy
-				decodingStrategy?: "Auto" | "Base64" | "Base64URL" | "None" | *"None"
-				name?: {
-					// Finds secrets base
-					regexp?: string
-				}
-
-				// A root path to start the find operations.
-				path?: string
-
-				// Find secrets based on tags.
-				tags?: {
-					[string]: string
-				}
-			}
-
-			// Used to rewrite secret Keys after getting them from the secret
-			// Provider
-			// Multiple Rewrite operations can be provided. They are applied
-			// in a layered order (first to last)
-			rewrite?: [...{
-				// Used to rewrite with regular expressions.
-				// The resulting key will be the output of a regexp.ReplaceAll
-				// operation.
-				regexp?: {
-					// Used to define the regular expression of a re.Compiler.
-					source: string
-
-					// Used to define the target pattern of a ReplaceAll operation.
-					target: string
-				}
-				transform?: {
-					// Used to define the template to apply on the secret name.
-					// `.value ` will specify the secret name in the template.
-					template: string
-				}
-			}]
-
-			// SourceRef points to a store or generator
-			// which contains secret values ready to use.
-			// Use this in combination with Extract or Find pull values out of
-			// a specific SecretStore.
-			// When sourceRef points to a generator Extract or Find is not
-			// supported.
-			// The generator returns a static map of values
-			sourceRef?: struct.MaxFields(1) & {
-				// GeneratorRef points to a generator custom resource.
-				generatorRef?: {
-					// Specify the apiVersion of the generator resource
-					apiVersion?: string | *"generators.external-secrets.io/v1alpha1"
-
-					// Specify the Kind of the resource, e.g. Password, ACRAccessToken
-					// etc.
-					kind: string
-
-					// Specify the name of the generator resource
-					name: string
-				}
-
-				// SecretStoreRef defines which SecretStore to fetch the
-				// ExternalSecret data.
-				storeRef?: {
-					// Kind of the SecretStore resource (SecretStore or
-					// ClusterSecretStore)
-					// Defaults to `SecretStore`
-					kind?: string
-
-					// Name of the SecretStore resource
-					name: string
-				}
-			}
-		}]
-
-		// RefreshInterval is the amount of time before the values are
-		// read again from the SecretStore provider
-		// Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
-		// May be set to zero to fetch and create it once. Defaults to 1h.
-		refreshInterval?: string | *"1h"
-
-		// SecretStoreRef defines which SecretStore to fetch the
-		// ExternalSecret data.
-		secretStoreRef?: {
-			// Kind of the SecretStore resource (SecretStore or
-			// ClusterSecretStore)
-			// Defaults to `SecretStore`
-			kind?: string
-
-			// Name of the SecretStore resource
-			name: string
-		}
-
-		// ExternalSecretTarget defines the Kubernetes Secret to be
-		// created
-		// There can be only one target per ExternalSecret.
-		target?: {
-			// CreationPolicy defines rules on how to create the resulting
-			// Secret
-			// Defaults to 'Owner'
-			creationPolicy?: "Owner" | "Orphan" | "Merge" | "None" | *"Owner"
-
-			// DeletionPolicy defines rules on how to delete the resulting
-			// Secret
-			// Defaults to 'Retain'
-			deletionPolicy?: "Delete" | "Merge" | "Retain" | *"Retain"
-
-			// Immutable defines if the final secret will be immutable
-			immutable?: bool
-
-			// Name defines the name of the Secret resource to be managed
-			// This field is immutable
-			// Defaults to the .metadata.name of the ExternalSecret resource
-			name?: string
-
-			// Template defines a blueprint for the created Secret resource.
-			template?: {
-				data?: {
-					[string]: string
-				}
-
-				// EngineVersion specifies the template engine version
-				// that should be used to compile/execute the
-				// template specified in .data and .templateFrom[].
-				engineVersion?: "v1" | "v2" | *"v2"
-				mergePolicy?:   "Replace" | "Merge" | *"Replace"
-
-				// ExternalSecretTemplateMetadata defines metadata fields for the
-				// Secret blueprint.
-				metadata?: {
-					annotations?: {
-						[string]: string
-					}
-					labels?: {
-						[string]: string
-					}
-				}
-				templateFrom?: [...{
-					configMap?: {
-						items: [...{
-							key:         string
-							templateAs?: "Values" | "KeysAndValues" | *"Values"
-						}]
-						name: string
-					}
-					literal?: string
-					secret?: {
-						items: [...{
-							key:         string
-							templateAs?: "Values" | "KeysAndValues" | *"Values"
-						}]
-						name: string
-					}
-					target?: "Data" | "Annotations" | "Labels" | *"Data"
-				}]
-				type?: string
-			}
-		} | *{
-			creationPolicy: "Owner"
-			deletionPolicy: "Retain"
-		}
-	}
-
-	// The labels to select by to find the Namespaces to create the
-	// ExternalSecrets in.
-	namespaceSelector?: {
-		// matchExpressions is a list of label selector requirements. The
-		// requirements are ANDed.
-		matchExpressions?: [...{
-			// key is the label key that the selector applies to.
-			key: string
-
-			// operator represents a key's relationship to a set of values.
-			// Valid operators are In, NotIn, Exists and DoesNotExist.
-			operator: string
-
-			// values is an array of string values. If the operator is In or
-			// NotIn,
-			// the values array must be non-empty. If the operator is Exists
-			// or DoesNotExist,
-			// the values array must be empty. This array is replaced during a
-			// strategic
-			// merge patch.
-			values?: [...string]
-		}]
-
-		// matchLabels is a map of {key,value} pairs. A single {key,value}
-		// in the matchLabels
-		// map is equivalent to an element of matchExpressions, whose key
-		// field is "key", the
-		// operator is "In", and the values array contains only "value".
-		// The requirements are ANDed.
-		matchLabels?: {
-			[string]: string
-		}
-	}
-
-	// Choose namespaces by name. This field is ORed with anything
-	// that NamespaceSelector ends up choosing.
-	namespaces?: [...string]
-
-	// The time in which the controller should reconcile its objects
-	// and recheck namespaces for labels.
-	refreshTime?: string
-}

docs/examples/cue.mod/gen/external-secrets.io/externalsecret/v1alpha1/types_gen.cue

@@ -1,168 +0,0 @@
-// Code generated by timoni. DO NOT EDIT.
-
-//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-secrets-eso/prod-secrets-eso.gen.yaml
-
-package v1alpha1
-
-import (
-	"strings"
-	"struct"
-)
-
-// ExternalSecret is the Schema for the external-secrets API.
-#ExternalSecret: {
-	// APIVersion defines the versioned schema of this representation
-	// of an object.
-	// Servers should convert recognized schemas to the latest
-	// internal value, and
-	// may reject unrecognized values.
-	// More info:
-	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-	apiVersion: "external-secrets.io/v1alpha1"
-
-	// Kind is a string value representing the REST resource this
-	// object represents.
-	// Servers may infer this from the endpoint the client submits
-	// requests to.
-	// Cannot be updated.
-	// In CamelCase.
-	// More info:
-	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-	kind: "ExternalSecret"
-	metadata!: {
-		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
-			string
-		}
-		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
-			string
-		}
-		labels?: {
-			[string]: string
-		}
-		annotations?: {
-			[string]: string
-		}
-	}
-
-	// ExternalSecretSpec defines the desired state of ExternalSecret.
-	spec!: #ExternalSecretSpec
-}
-
-// ExternalSecretSpec defines the desired state of ExternalSecret.
-#ExternalSecretSpec: {
-	// Data defines the connection between the Kubernetes Secret keys
-	// and the Provider data
-	data?: [...{
-		// ExternalSecretDataRemoteRef defines Provider data location.
-		remoteRef: {
-			// Used to define a conversion Strategy
-			conversionStrategy?: "Default" | "Unicode" | *"Default"
-
-			// Key is the key used in the Provider, mandatory
-			key: string
-
-			// Used to select a specific property of the Provider value (if a
-			// map), if supported
-			property?: string
-
-			// Used to select a specific version of the Provider value, if
-			// supported
-			version?: string
-		}
-		secretKey: string
-	}]
-
-	// DataFrom is used to fetch all properties from a specific
-	// Provider data
-	// If multiple entries are specified, the Secret keys are merged
-	// in the specified order
-	dataFrom?: [...{
-		// Used to define a conversion Strategy
-		conversionStrategy?: "Default" | "Unicode" | *"Default"
-
-		// Key is the key used in the Provider, mandatory
-		key: string
-
-		// Used to select a specific property of the Provider value (if a
-		// map), if supported
-		property?: string
-
-		// Used to select a specific version of the Provider value, if
-		// supported
-		version?: string
-	}]
-
-	// RefreshInterval is the amount of time before the values are
-	// read again from the SecretStore provider
-	// Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
-	// May be set to zero to fetch and create it once. Defaults to 1h.
-	refreshInterval?: string | *"1h"
-
-	// SecretStoreRef defines which SecretStore to fetch the
-	// ExternalSecret data.
-	secretStoreRef: {
-		// Kind of the SecretStore resource (SecretStore or
-		// ClusterSecretStore)
-		// Defaults to `SecretStore`
-		kind?: string
-
-		// Name of the SecretStore resource
-		name: string
-	}
-
-	// ExternalSecretTarget defines the Kubernetes Secret to be
-	// created
-	// There can be only one target per ExternalSecret.
-	target: {
-		// CreationPolicy defines rules on how to create the resulting
-		// Secret
-		// Defaults to 'Owner'
-		creationPolicy?: "Owner" | "Merge" | "None" | *"Owner"
-
-		// Immutable defines if the final secret will be immutable
-		immutable?: bool
-
-		// Name defines the name of the Secret resource to be managed
-		// This field is immutable
-		// Defaults to the .metadata.name of the ExternalSecret resource
-		name?: string
-
-		// Template defines a blueprint for the created Secret resource.
-		template?: {
-			data?: {
-				[string]: string
-			}
-
-			// EngineVersion specifies the template engine version
-			// that should be used to compile/execute the
-			// template specified in .data and .templateFrom[].
-			engineVersion?: "v1" | "v2" | *"v1"
-
-			// ExternalSecretTemplateMetadata defines metadata fields for the
-			// Secret blueprint.
-			metadata?: {
-				annotations?: {
-					[string]: string
-				}
-				labels?: {
-					[string]: string
-				}
-			}
-			templateFrom?: [...struct.MaxFields(1) & {
-				configMap?: {
-					items: [...{
-						key: string
-					}]
-					name: string
-				}
-				secret?: {
-					items: [...{
-						key: string
-					}]
-					name: string
-				}
-			}]
-			type?: string
-		}
-	}
-}

docs/examples/cue.mod/gen/external-secrets.io/externalsecret/v1beta1/types_gen.cue

@@ -1,316 +0,0 @@
-// Code generated by timoni. DO NOT EDIT.
-
-//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-secrets-eso/prod-secrets-eso.gen.yaml
-
-package v1beta1
-
-import (
-	"strings"
-	"struct"
-)
-
-// ExternalSecret is the Schema for the external-secrets API.
-#ExternalSecret: {
-	// APIVersion defines the versioned schema of this representation
-	// of an object.
-	// Servers should convert recognized schemas to the latest
-	// internal value, and
-	// may reject unrecognized values.
-	// More info:
-	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-	apiVersion: "external-secrets.io/v1beta1"
-
-	// Kind is a string value representing the REST resource this
-	// object represents.
-	// Servers may infer this from the endpoint the client submits
-	// requests to.
-	// Cannot be updated.
-	// In CamelCase.
-	// More info:
-	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-	kind: "ExternalSecret"
-	metadata!: {
-		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
-			string
-		}
-		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
-			string
-		}
-		labels?: {
-			[string]: string
-		}
-		annotations?: {
-			[string]: string
-		}
-	}
-
-	// ExternalSecretSpec defines the desired state of ExternalSecret.
-	spec!: #ExternalSecretSpec
-}
-
-// ExternalSecretSpec defines the desired state of ExternalSecret.
-#ExternalSecretSpec: {
-	// Data defines the connection between the Kubernetes Secret keys
-	// and the Provider data
-	data?: [...{
-		// RemoteRef points to the remote secret and defines
-		// which secret (version/property/..) to fetch.
-		remoteRef: {
-			// Used to define a conversion Strategy
-			conversionStrategy?: "Default" | "Unicode" | *"Default"
-
-			// Used to define a decoding Strategy
-			decodingStrategy?: "Auto" | "Base64" | "Base64URL" | "None" | *"None"
-
-			// Key is the key used in the Provider, mandatory
-			key: string
-
-			// Policy for fetching tags/labels from provider secrets, possible
-			// options are Fetch, None. Defaults to None
-			metadataPolicy?: "None" | "Fetch" | *"None"
-
-			// Used to select a specific property of the Provider value (if a
-			// map), if supported
-			property?: string
-
-			// Used to select a specific version of the Provider value, if
-			// supported
-			version?: string
-		}
-
-		// SecretKey defines the key in which the controller stores
-		// the value. This is the key in the Kind=Secret
-		secretKey: string
-
-		// SourceRef allows you to override the source
-		// from which the value will pulled from.
-		sourceRef?: struct.MaxFields(1) & {
-			// GeneratorRef points to a generator custom resource.
-			//
-			//
-			// Deprecated: The generatorRef is not implemented in .data[].
-			// this will be removed with v1.
-			generatorRef?: {
-				// Specify the apiVersion of the generator resource
-				apiVersion?: string | *"generators.external-secrets.io/v1alpha1"
-
-				// Specify the Kind of the resource, e.g. Password, ACRAccessToken
-				// etc.
-				kind: string
-
-				// Specify the name of the generator resource
-				name: string
-			}
-
-			// SecretStoreRef defines which SecretStore to fetch the
-			// ExternalSecret data.
-			storeRef?: {
-				// Kind of the SecretStore resource (SecretStore or
-				// ClusterSecretStore)
-				// Defaults to `SecretStore`
-				kind?: string
-
-				// Name of the SecretStore resource
-				name: string
-			}
-		}
-	}]
-
-	// DataFrom is used to fetch all properties from a specific
-	// Provider data
-	// If multiple entries are specified, the Secret keys are merged
-	// in the specified order
-	dataFrom?: [...{
-		// Used to extract multiple key/value pairs from one secret
-		// Note: Extract does not support sourceRef.Generator or
-		// sourceRef.GeneratorRef.
-		extract?: {
-			// Used to define a conversion Strategy
-			conversionStrategy?: "Default" | "Unicode" | *"Default"
-
-			// Used to define a decoding Strategy
-			decodingStrategy?: "Auto" | "Base64" | "Base64URL" | "None" | *"None"
-
-			// Key is the key used in the Provider, mandatory
-			key: string
-
-			// Policy for fetching tags/labels from provider secrets, possible
-			// options are Fetch, None. Defaults to None
-			metadataPolicy?: "None" | "Fetch" | *"None"
-
-			// Used to select a specific property of the Provider value (if a
-			// map), if supported
-			property?: string
-
-			// Used to select a specific version of the Provider value, if
-			// supported
-			version?: string
-		}
-
-		// Used to find secrets based on tags or regular expressions
-		// Note: Find does not support sourceRef.Generator or
-		// sourceRef.GeneratorRef.
-		find?: {
-			// Used to define a conversion Strategy
-			conversionStrategy?: "Default" | "Unicode" | *"Default"
-
-			// Used to define a decoding Strategy
-			decodingStrategy?: "Auto" | "Base64" | "Base64URL" | "None" | *"None"
-			name?: {
-				// Finds secrets base
-				regexp?: string
-			}
-
-			// A root path to start the find operations.
-			path?: string
-
-			// Find secrets based on tags.
-			tags?: {
-				[string]: string
-			}
-		}
-
-		// Used to rewrite secret Keys after getting them from the secret
-		// Provider
-		// Multiple Rewrite operations can be provided. They are applied
-		// in a layered order (first to last)
-		rewrite?: [...{
-			// Used to rewrite with regular expressions.
-			// The resulting key will be the output of a regexp.ReplaceAll
-			// operation.
-			regexp?: {
-				// Used to define the regular expression of a re.Compiler.
-				source: string
-
-				// Used to define the target pattern of a ReplaceAll operation.
-				target: string
-			}
-			transform?: {
-				// Used to define the template to apply on the secret name.
-				// `.value ` will specify the secret name in the template.
-				template: string
-			}
-		}]
-
-		// SourceRef points to a store or generator
-		// which contains secret values ready to use.
-		// Use this in combination with Extract or Find pull values out of
-		// a specific SecretStore.
-		// When sourceRef points to a generator Extract or Find is not
-		// supported.
-		// The generator returns a static map of values
-		sourceRef?: struct.MaxFields(1) & {
-			// GeneratorRef points to a generator custom resource.
-			generatorRef?: {
-				// Specify the apiVersion of the generator resource
-				apiVersion?: string | *"generators.external-secrets.io/v1alpha1"
-
-				// Specify the Kind of the resource, e.g. Password, ACRAccessToken
-				// etc.
-				kind: string
-
-				// Specify the name of the generator resource
-				name: string
-			}
-
-			// SecretStoreRef defines which SecretStore to fetch the
-			// ExternalSecret data.
-			storeRef?: {
-				// Kind of the SecretStore resource (SecretStore or
-				// ClusterSecretStore)
-				// Defaults to `SecretStore`
-				kind?: string
-
-				// Name of the SecretStore resource
-				name: string
-			}
-		}
-	}]
-
-	// RefreshInterval is the amount of time before the values are
-	// read again from the SecretStore provider
-	// Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
-	// May be set to zero to fetch and create it once. Defaults to 1h.
-	refreshInterval?: string | *"1h"
-
-	// SecretStoreRef defines which SecretStore to fetch the
-	// ExternalSecret data.
-	secretStoreRef?: {
-		// Kind of the SecretStore resource (SecretStore or
-		// ClusterSecretStore)
-		// Defaults to `SecretStore`
-		kind?: string
-
-		// Name of the SecretStore resource
-		name: string
-	}
-
-	// ExternalSecretTarget defines the Kubernetes Secret to be
-	// created
-	// There can be only one target per ExternalSecret.
-	target?: {
-		// CreationPolicy defines rules on how to create the resulting
-		// Secret
-		// Defaults to 'Owner'
-		creationPolicy?: "Owner" | "Orphan" | "Merge" | "None" | *"Owner"
-
-		// DeletionPolicy defines rules on how to delete the resulting
-		// Secret
-		// Defaults to 'Retain'
-		deletionPolicy?: "Delete" | "Merge" | "Retain" | *"Retain"
-
-		// Immutable defines if the final secret will be immutable
-		immutable?: bool
-
-		// Name defines the name of the Secret resource to be managed
-		// This field is immutable
-		// Defaults to the .metadata.name of the ExternalSecret resource
-		name?: string
-
-		// Template defines a blueprint for the created Secret resource.
-		template?: {
-			data?: {
-				[string]: string
-			}
-
-			// EngineVersion specifies the template engine version
-			// that should be used to compile/execute the
-			// template specified in .data and .templateFrom[].
-			engineVersion?: "v1" | "v2" | *"v2"
-			mergePolicy?:   "Replace" | "Merge" | *"Replace"
-
-			// ExternalSecretTemplateMetadata defines metadata fields for the
-			// Secret blueprint.
-			metadata?: {
-				annotations?: {
-					[string]: string
-				}
-				labels?: {
-					[string]: string
-				}
-			}
-			templateFrom?: [...{
-				configMap?: {
-					items: [...{
-						key:         string
-						templateAs?: "Values" | "KeysAndValues" | *"Values"
-					}]
-					name: string
-				}
-				literal?: string
-				secret?: {
-					items: [...{
-						key:         string
-						templateAs?: "Values" | "KeysAndValues" | *"Values"
-					}]
-					name: string
-				}
-				target?: "Data" | "Annotations" | "Labels" | *"Data"
-			}]
-			type?: string
-		}
-	} | *{
-		creationPolicy: "Owner"
-		deletionPolicy: "Retain"
-	}
-}

docs/examples/cue.mod/gen/external-secrets.io/pushsecret/v1alpha1/types_gen.cue

@@ -1,171 +0,0 @@
-// Code generated by timoni. DO NOT EDIT.
-
-//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-secrets-eso/prod-secrets-eso.gen.yaml
-
-package v1alpha1
-
-import "strings"
-
-#PushSecret: {
-	// APIVersion defines the versioned schema of this representation
-	// of an object.
-	// Servers should convert recognized schemas to the latest
-	// internal value, and
-	// may reject unrecognized values.
-	// More info:
-	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-	apiVersion: "external-secrets.io/v1alpha1"
-
-	// Kind is a string value representing the REST resource this
-	// object represents.
-	// Servers may infer this from the endpoint the client submits
-	// requests to.
-	// Cannot be updated.
-	// In CamelCase.
-	// More info:
-	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-	kind: "PushSecret"
-	metadata!: {
-		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
-			string
-		}
-		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
-			string
-		}
-		labels?: {
-			[string]: string
-		}
-		annotations?: {
-			[string]: string
-		}
-	}
-
-	// PushSecretSpec configures the behavior of the PushSecret.
-	spec!: #PushSecretSpec
-}
-
-// PushSecretSpec configures the behavior of the PushSecret.
-#PushSecretSpec: {
-	// Secret Data that should be pushed to providers
-	data?: [...{
-		// Match a given Secret Key to be pushed to the provider.
-		match: {
-			// Remote Refs to push to providers.
-			remoteRef: {
-				// Name of the property in the resulting secret
-				property?: string
-
-				// Name of the resulting provider secret.
-				remoteKey: string
-			}
-
-			// Secret Key to be pushed
-			secretKey?: string
-		}
-
-		// Metadata is metadata attached to the secret.
-		// The structure of metadata is provider specific, please look it
-		// up in the provider documentation.
-		metadata?: _
-	}]
-
-	// Deletion Policy to handle Secrets in the provider. Possible
-	// Values: "Delete/None". Defaults to "None".
-	deletionPolicy?: "Delete" | "None" | *"None"
-
-	// The Interval to which External Secrets will try to push a
-	// secret definition
-	refreshInterval?: string
-	secretStoreRefs: [...{
-		// Kind of the SecretStore resource (SecretStore or
-		// ClusterSecretStore)
-		// Defaults to `SecretStore`
-		kind?: string | *"SecretStore"
-
-		// Optionally, sync to secret stores with label selector
-		labelSelector?: {
-			// matchExpressions is a list of label selector requirements. The
-			// requirements are ANDed.
-			matchExpressions?: [...{
-				// key is the label key that the selector applies to.
-				key: string
-
-				// operator represents a key's relationship to a set of values.
-				// Valid operators are In, NotIn, Exists and DoesNotExist.
-				operator: string
-
-				// values is an array of string values. If the operator is In or
-				// NotIn,
-				// the values array must be non-empty. If the operator is Exists
-				// or DoesNotExist,
-				// the values array must be empty. This array is replaced during a
-				// strategic
-				// merge patch.
-				values?: [...string]
-			}]
-
-			// matchLabels is a map of {key,value} pairs. A single {key,value}
-			// in the matchLabels
-			// map is equivalent to an element of matchExpressions, whose key
-			// field is "key", the
-			// operator is "In", and the values array contains only "value".
-			// The requirements are ANDed.
-			matchLabels?: {
-				[string]: string
-			}
-		}
-
-		// Optionally, sync to the SecretStore of the given name
-		name?: string
-	}]
-	selector: {
-		secret: {
-			// Name of the Secret. The Secret must exist in the same namespace
-			// as the PushSecret manifest.
-			name: string
-		}
-	}
-
-	// Template defines a blueprint for the created Secret resource.
-	template?: {
-		data?: {
-			[string]: string
-		}
-
-		// EngineVersion specifies the template engine version
-		// that should be used to compile/execute the
-		// template specified in .data and .templateFrom[].
-		engineVersion?: "v1" | "v2" | *"v2"
-		mergePolicy?:   "Replace" | "Merge" | *"Replace"
-
-		// ExternalSecretTemplateMetadata defines metadata fields for the
-		// Secret blueprint.
-		metadata?: {
-			annotations?: {
-				[string]: string
-			}
-			labels?: {
-				[string]: string
-			}
-		}
-		templateFrom?: [...{
-			configMap?: {
-				items: [...{
-					key:         string
-					templateAs?: "Values" | "KeysAndValues" | *"Values"
-				}]
-				name: string
-			}
-			literal?: string
-			secret?: {
-				items: [...{
-					key:         string
-					templateAs?: "Values" | "KeysAndValues" | *"Values"
-				}]
-				name: string
-			}
-			target?: "Data" | "Annotations" | "Labels" | *"Data"
-		}]
-		type?: string
-	}
-}

docs/examples/cue.mod/gen/generators.external-secrets.io/acraccesstoken/v1alpha1/types_gen.cue

@@ -1,167 +0,0 @@
-// Code generated by timoni. DO NOT EDIT.
-
-//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-secrets-eso/prod-secrets-eso.gen.yaml
-
-package v1alpha1
-
-import "strings"
-
-// ACRAccessToken returns a Azure Container Registry token
-// that can be used for pushing/pulling images.
-// Note: by default it will return an ACR Refresh Token with full
-// access
-// (depending on the identity).
-// This can be scoped down to the repository level using
-// .spec.scope.
-// In case scope is defined it will return an ACR Access Token.
-//
-//
-// See docs:
-// https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md
-#ACRAccessToken: {
-	// APIVersion defines the versioned schema of this representation
-	// of an object.
-	// Servers should convert recognized schemas to the latest
-	// internal value, and
-	// may reject unrecognized values.
-	// More info:
-	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-	apiVersion: "generators.external-secrets.io/v1alpha1"
-
-	// Kind is a string value representing the REST resource this
-	// object represents.
-	// Servers may infer this from the endpoint the client submits
-	// requests to.
-	// Cannot be updated.
-	// In CamelCase.
-	// More info:
-	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-	kind: "ACRAccessToken"
-	metadata!: {
-		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
-			string
-		}
-		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
-			string
-		}
-		labels?: {
-			[string]: string
-		}
-		annotations?: {
-			[string]: string
-		}
-	}
-
-	// ACRAccessTokenSpec defines how to generate the access token
-	// e.g. how to authenticate and which registry to use.
-	// see:
-	// https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview
-	spec!: #ACRAccessTokenSpec
-}
-
-// ACRAccessTokenSpec defines how to generate the access token
-// e.g. how to authenticate and which registry to use.
-// see:
-// https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview
-#ACRAccessTokenSpec: {
-	auth: {
-		managedIdentity?: {
-			// If multiple Managed Identity is assigned to the pod, you can
-			// select the one to be used
-			identityId?: string
-		}
-		servicePrincipal?: {
-			// Configuration used to authenticate with Azure using static
-			// credentials stored in a Kind=Secret.
-			secretRef: {
-				// The Azure clientId of the service principle used for
-				// authentication.
-				clientId?: {
-					// The key of the entry in the Secret resource's `data` field to
-					// be used. Some instances of this field may be
-					// defaulted, in others it may be required.
-					key?: string
-
-					// The name of the Secret resource being referred to.
-					name?: string
-
-					// Namespace of the resource being referred to. Ignored if
-					// referent is not cluster-scoped. cluster-scoped defaults
-					// to the namespace of the referent.
-					namespace?: string
-				}
-
-				// The Azure ClientSecret of the service principle used for
-				// authentication.
-				clientSecret?: {
-					// The key of the entry in the Secret resource's `data` field to
-					// be used. Some instances of this field may be
-					// defaulted, in others it may be required.
-					key?: string
-
-					// The name of the Secret resource being referred to.
-					name?: string
-
-					// Namespace of the resource being referred to. Ignored if
-					// referent is not cluster-scoped. cluster-scoped defaults
-					// to the namespace of the referent.
-					namespace?: string
-				}
-			}
-		}
-		workloadIdentity?: {
-			// ServiceAccountRef specified the service account
-			// that should be used when authenticating with WorkloadIdentity.
-			serviceAccountRef?: {
-				// Audience specifies the `aud` claim for the service account
-				// token
-				// If the service account uses a well-known annotation for e.g.
-				// IRSA or GCP Workload Identity
-				// then this audiences will be appended to the list
-				audiences?: [...string]
-
-				// The name of the ServiceAccount resource being referred to.
-				name: string
-
-				// Namespace of the resource being referred to. Ignored if
-				// referent is not cluster-scoped. cluster-scoped defaults
-				// to the namespace of the referent.
-				namespace?: string
-			}
-		}
-	}
-
-	// EnvironmentType specifies the Azure cloud environment endpoints
-	// to use for
-	// connecting and authenticating with Azure. By default it points
-	// to the public cloud AAD endpoint.
-	// The following endpoints are available, also see here:
-	// https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
-	// PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
-	environmentType?: "PublicCloud" | "USGovernmentCloud" | "ChinaCloud" | "GermanCloud" | *"PublicCloud"
-
-	// the domain name of the ACR registry
-	// e.g. foobarexample.azurecr.io
-	registry: string
-
-	// Define the scope for the access token, e.g. pull/push access
-	// for a repository.
-	// if not provided it will return a refresh token that has full
-	// scope.
-	// Note: you need to pin it down to the repository level, there is
-	// no wildcard available.
-	//
-	//
-	// examples:
-	// repository:my-repository:pull,push
-	// repository:my-repository:pull
-	//
-	//
-	// see docs for details:
-	// https://docs.docker.com/registry/spec/auth/scope/
-	scope?: string
-
-	// TenantID configures the Azure Tenant to send requests to.
-	// Required for ServicePrincipal auth type.
-	tenantId?: string
-}

docs/examples/cue.mod/gen/generators.external-secrets.io/ecrauthorizationtoken/v1alpha1/types_gen.cue

@@ -1,142 +0,0 @@
-// Code generated by timoni. DO NOT EDIT.
-
-//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-secrets-eso/prod-secrets-eso.gen.yaml
-
-package v1alpha1
-
-import "strings"
-
-// ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to
-// retrieve an
-// authorization token.
-// The authorization token is valid for 12 hours.
-// The authorizationToken returned is a base64 encoded string that
-// can be decoded
-// and used in a docker login command to authenticate to a
-// registry.
-// For more information, see Registry authentication
-// (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth)
-// in the Amazon Elastic Container Registry User Guide.
-#ECRAuthorizationToken: {
-	// APIVersion defines the versioned schema of this representation
-	// of an object.
-	// Servers should convert recognized schemas to the latest
-	// internal value, and
-	// may reject unrecognized values.
-	// More info:
-	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-	apiVersion: "generators.external-secrets.io/v1alpha1"
-
-	// Kind is a string value representing the REST resource this
-	// object represents.
-	// Servers may infer this from the endpoint the client submits
-	// requests to.
-	// Cannot be updated.
-	// In CamelCase.
-	// More info:
-	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-	kind: "ECRAuthorizationToken"
-	metadata!: {
-		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
-			string
-		}
-		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
-			string
-		}
-		labels?: {
-			[string]: string
-		}
-		annotations?: {
-			[string]: string
-		}
-	}
-	spec!: #ECRAuthorizationTokenSpec
-}
-#ECRAuthorizationTokenSpec: {
-	// Auth defines how to authenticate with AWS
-	auth?: {
-		jwt?: {
-			// A reference to a ServiceAccount resource.
-			serviceAccountRef?: {
-				// Audience specifies the `aud` claim for the service account
-				// token
-				// If the service account uses a well-known annotation for e.g.
-				// IRSA or GCP Workload Identity
-				// then this audiences will be appended to the list
-				audiences?: [...string]
-
-				// The name of the ServiceAccount resource being referred to.
-				name: string
-
-				// Namespace of the resource being referred to. Ignored if
-				// referent is not cluster-scoped. cluster-scoped defaults
-				// to the namespace of the referent.
-				namespace?: string
-			}
-		}
-
-		// AWSAuthSecretRef holds secret references for AWS credentials
-		// both AccessKeyID and SecretAccessKey must be defined in order
-		// to properly authenticate.
-		secretRef?: {
-			// The AccessKeyID is used for authentication
-			accessKeyIDSecretRef?: {
-				// The key of the entry in the Secret resource's `data` field to
-				// be used. Some instances of this field may be
-				// defaulted, in others it may be required.
-				key?: string
-
-				// The name of the Secret resource being referred to.
-				name?: string
-
-				// Namespace of the resource being referred to. Ignored if
-				// referent is not cluster-scoped. cluster-scoped defaults
-				// to the namespace of the referent.
-				namespace?: string
-			}
-
-			// The SecretAccessKey is used for authentication
-			secretAccessKeySecretRef?: {
-				// The key of the entry in the Secret resource's `data` field to
-				// be used. Some instances of this field may be
-				// defaulted, in others it may be required.
-				key?: string
-
-				// The name of the Secret resource being referred to.
-				name?: string
-
-				// Namespace of the resource being referred to. Ignored if
-				// referent is not cluster-scoped. cluster-scoped defaults
-				// to the namespace of the referent.
-				namespace?: string
-			}
-
-			// The SessionToken used for authentication
-			// This must be defined if AccessKeyID and SecretAccessKey are
-			// temporary credentials
-			// see:
-			// https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
-			sessionTokenSecretRef?: {
-				// The key of the entry in the Secret resource's `data` field to
-				// be used. Some instances of this field may be
-				// defaulted, in others it may be required.
-				key?: string
-
-				// The name of the Secret resource being referred to.
-				name?: string
-
-				// Namespace of the resource being referred to. Ignored if
-				// referent is not cluster-scoped. cluster-scoped defaults
-				// to the namespace of the referent.
-				namespace?: string
-			}
-		}
-	}
-
-	// Region specifies the region to operate in.
-	region: string
-
-	// You can assume a role before making calls to the
-	// desired AWS service.
-	role?: string
-}

docs/examples/cue.mod/gen/generators.external-secrets.io/fake/v1alpha1/types_gen.cue

@@ -1,62 +0,0 @@
-// Code generated by timoni. DO NOT EDIT.
-
-//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-secrets-eso/prod-secrets-eso.gen.yaml
-
-package v1alpha1
-
-import "strings"
-
-// Fake generator is used for testing. It lets you define
-// a static set of credentials that is always returned.
-#Fake: {
-	// APIVersion defines the versioned schema of this representation
-	// of an object.
-	// Servers should convert recognized schemas to the latest
-	// internal value, and
-	// may reject unrecognized values.
-	// More info:
-	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-	apiVersion: "generators.external-secrets.io/v1alpha1"
-
-	// Kind is a string value representing the REST resource this
-	// object represents.
-	// Servers may infer this from the endpoint the client submits
-	// requests to.
-	// Cannot be updated.
-	// In CamelCase.
-	// More info:
-	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-	kind: "Fake"
-	metadata!: {
-		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
-			string
-		}
-		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
-			string
-		}
-		labels?: {
-			[string]: string
-		}
-		annotations?: {
-			[string]: string
-		}
-	}
-
-	// FakeSpec contains the static data.
-	spec!: #FakeSpec
-}
-
-// FakeSpec contains the static data.
-#FakeSpec: {
-	// Used to select the correct ESO controller (think:
-	// ingress.ingressClassName)
-	// The ESO controller is instantiated with a specific controller
-	// name and filters VDS based on this property
-	controller?: string
-
-	// Data defines the static data returned
-	// by this generator.
-	data?: {
-		[string]: string
-	}
-}

docs/examples/cue.mod/gen/generators.external-secrets.io/gcraccesstoken/v1alpha1/types_gen.cue

@@ -1,93 +0,0 @@
-// Code generated by timoni. DO NOT EDIT.
-
-//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-secrets-eso/prod-secrets-eso.gen.yaml
-
-package v1alpha1
-
-import "strings"
-
-// GCRAccessToken generates an GCP access token
-// that can be used to authenticate with GCR.
-#GCRAccessToken: {
-	// APIVersion defines the versioned schema of this representation
-	// of an object.
-	// Servers should convert recognized schemas to the latest
-	// internal value, and
-	// may reject unrecognized values.
-	// More info:
-	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-	apiVersion: "generators.external-secrets.io/v1alpha1"
-
-	// Kind is a string value representing the REST resource this
-	// object represents.
-	// Servers may infer this from the endpoint the client submits
-	// requests to.
-	// Cannot be updated.
-	// In CamelCase.
-	// More info:
-	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-	kind: "GCRAccessToken"
-	metadata!: {
-		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
-			string
-		}
-		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
-			string
-		}
-		labels?: {
-			[string]: string
-		}
-		annotations?: {
-			[string]: string
-		}
-	}
-	spec!: #GCRAccessTokenSpec
-}
-#GCRAccessTokenSpec: {
-	// Auth defines the means for authenticating with GCP
-	auth: {
-		secretRef?: {
-			// The SecretAccessKey is used for authentication
-			secretAccessKeySecretRef?: {
-				// The key of the entry in the Secret resource's `data` field to
-				// be used. Some instances of this field may be
-				// defaulted, in others it may be required.
-				key?: string
-
-				// The name of the Secret resource being referred to.
-				name?: string
-
-				// Namespace of the resource being referred to. Ignored if
-				// referent is not cluster-scoped. cluster-scoped defaults
-				// to the namespace of the referent.
-				namespace?: string
-			}
-		}
-		workloadIdentity?: {
-			clusterLocation:   string
-			clusterName:       string
-			clusterProjectID?: string
-
-			// A reference to a ServiceAccount resource.
-			serviceAccountRef: {
-				// Audience specifies the `aud` claim for the service account
-				// token
-				// If the service account uses a well-known annotation for e.g.
-				// IRSA or GCP Workload Identity
-				// then this audiences will be appended to the list
-				audiences?: [...string]
-
-				// The name of the ServiceAccount resource being referred to.
-				name: string
-
-				// Namespace of the resource being referred to. Ignored if
-				// referent is not cluster-scoped. cluster-scoped defaults
-				// to the namespace of the referent.
-				namespace?: string
-			}
-		}
-	}
-
-	// ProjectID defines which project to use to authenticate with
-	projectID: string
-}

docs/examples/cue.mod/gen/generators.external-secrets.io/password/v1alpha1/types_gen.cue

@@ -1,77 +0,0 @@
-// Code generated by timoni. DO NOT EDIT.
-
-//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-secrets-eso/prod-secrets-eso.gen.yaml
-
-package v1alpha1
-
-import "strings"
-
-// Password generates a random password based on the
-// configuration parameters in spec.
-// You can specify the length, characterset and other attributes.
-#Password: {
-	// APIVersion defines the versioned schema of this representation
-	// of an object.
-	// Servers should convert recognized schemas to the latest
-	// internal value, and
-	// may reject unrecognized values.
-	// More info:
-	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-	apiVersion: "generators.external-secrets.io/v1alpha1"
-
-	// Kind is a string value representing the REST resource this
-	// object represents.
-	// Servers may infer this from the endpoint the client submits
-	// requests to.
-	// Cannot be updated.
-	// In CamelCase.
-	// More info:
-	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-	kind: "Password"
-	metadata!: {
-		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
-			string
-		}
-		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
-			string
-		}
-		labels?: {
-			[string]: string
-		}
-		annotations?: {
-			[string]: string
-		}
-	}
-
-	// PasswordSpec controls the behavior of the password generator.
-	spec!: #PasswordSpec
-}
-
-// PasswordSpec controls the behavior of the password generator.
-#PasswordSpec: {
-	// set AllowRepeat to true to allow repeating characters.
-	allowRepeat: bool | *false
-
-	// Digits specifies the number of digits in the generated
-	// password. If omitted it defaults to 25% of the length of the
-	// password
-	digits?: int
-
-	// Length of the password to be generated.
-	// Defaults to 24
-	length: int | *24
-
-	// Set NoUpper to disable uppercase characters
-	noUpper: bool | *false
-
-	// SymbolCharacters specifies the special characters that should
-	// be used
-	// in the generated password.
-	symbolCharacters?: string
-
-	// Symbols specifies the number of symbol characters in the
-	// generated
-	// password. If omitted it defaults to 25% of the length of the
-	// password
-	symbols?: int
-}

docs/examples/cue.mod/gen/generators.external-secrets.io/vaultdynamicsecret/v1alpha1/types_gen.cue

@@ -1,609 +0,0 @@
-// Code generated by timoni. DO NOT EDIT.
-
-//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-secrets-eso/prod-secrets-eso.gen.yaml
-
-package v1alpha1
-
-import "strings"
-
-#VaultDynamicSecret: {
-	// APIVersion defines the versioned schema of this representation
-	// of an object.
-	// Servers should convert recognized schemas to the latest
-	// internal value, and
-	// may reject unrecognized values.
-	// More info:
-	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-	apiVersion: "generators.external-secrets.io/v1alpha1"
-
-	// Kind is a string value representing the REST resource this
-	// object represents.
-	// Servers may infer this from the endpoint the client submits
-	// requests to.
-	// Cannot be updated.
-	// In CamelCase.
-	// More info:
-	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-	kind: "VaultDynamicSecret"
-	metadata!: {
-		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
-			string
-		}
-		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
-			string
-		}
-		labels?: {
-			[string]: string
-		}
-		annotations?: {
-			[string]: string
-		}
-	}
-	spec!: #VaultDynamicSecretSpec
-}
-#VaultDynamicSecretSpec: {
-	// Used to select the correct ESO controller (think:
-	// ingress.ingressClassName)
-	// The ESO controller is instantiated with a specific controller
-	// name and filters VDS based on this property
-	controller?: string
-
-	// Vault API method to use (GET/POST/other)
-	method?: string
-
-	// Parameters to pass to Vault write (for non-GET methods)
-	parameters?: _
-
-	// Vault path to obtain the dynamic secret from
-	path: string
-
-	// Vault provider common spec
-	provider: {
-		// Auth configures how secret-manager authenticates with the Vault
-		// server.
-		auth: {
-			// AppRole authenticates with Vault using the App Role auth
-			// mechanism,
-			// with the role and secret stored in a Kubernetes Secret
-			// resource.
-			appRole?: {
-				// Path where the App Role authentication backend is mounted
-				// in Vault, e.g: "approle"
-				path: string | *"approle"
-
-				// RoleID configured in the App Role authentication backend when
-				// setting
-				// up the authentication backend in Vault.
-				roleId?: string
-
-				// Reference to a key in a Secret that contains the App Role ID
-				// used
-				// to authenticate with Vault.
-				// The `key` field must be specified and denotes which entry
-				// within the Secret
-				// resource is used as the app role id.
-				roleRef?: {
-					// The key of the entry in the Secret resource's `data` field to
-					// be used. Some instances of this field may be
-					// defaulted, in others it may be required.
-					key?: string
-
-					// The name of the Secret resource being referred to.
-					name?: string
-
-					// Namespace of the resource being referred to. Ignored if
-					// referent is not cluster-scoped. cluster-scoped defaults
-					// to the namespace of the referent.
-					namespace?: string
-				}
-
-				// Reference to a key in a Secret that contains the App Role
-				// secret used
-				// to authenticate with Vault.
-				// The `key` field must be specified and denotes which entry
-				// within the Secret
-				// resource is used as the app role secret.
-				secretRef: {
-					// The key of the entry in the Secret resource's `data` field to
-					// be used. Some instances of this field may be
-					// defaulted, in others it may be required.
-					key?: string
-
-					// The name of the Secret resource being referred to.
-					name?: string
-
-					// Namespace of the resource being referred to. Ignored if
-					// referent is not cluster-scoped. cluster-scoped defaults
-					// to the namespace of the referent.
-					namespace?: string
-				}
-			}
-
-			// Cert authenticates with TLS Certificates by passing client
-			// certificate, private key and ca certificate
-			// Cert authentication method
-			cert?: {
-				// ClientCert is a certificate to authenticate using the Cert
-				// Vault
-				// authentication method
-				clientCert?: {
-					// The key of the entry in the Secret resource's `data` field to
-					// be used. Some instances of this field may be
-					// defaulted, in others it may be required.
-					key?: string
-
-					// The name of the Secret resource being referred to.
-					name?: string
-
-					// Namespace of the resource being referred to. Ignored if
-					// referent is not cluster-scoped. cluster-scoped defaults
-					// to the namespace of the referent.
-					namespace?: string
-				}
-
-				// SecretRef to a key in a Secret resource containing client
-				// private key to
-				// authenticate with Vault using the Cert authentication method
-				secretRef?: {
-					// The key of the entry in the Secret resource's `data` field to
-					// be used. Some instances of this field may be
-					// defaulted, in others it may be required.
-					key?: string
-
-					// The name of the Secret resource being referred to.
-					name?: string
-
-					// Namespace of the resource being referred to. Ignored if
-					// referent is not cluster-scoped. cluster-scoped defaults
-					// to the namespace of the referent.
-					namespace?: string
-				}
-			}
-
-			// Iam authenticates with vault by passing a special AWS request
-			// signed with AWS IAM credentials
-			// AWS IAM authentication method
-			iam?: {
-				// AWS External ID set on assumed IAM roles
-				externalID?: string
-				jwt?: {
-					// A reference to a ServiceAccount resource.
-					serviceAccountRef?: {
-						// Audience specifies the `aud` claim for the service account
-						// token
-						// If the service account uses a well-known annotation for e.g.
-						// IRSA or GCP Workload Identity
-						// then this audiences will be appended to the list
-						audiences?: [...string]
-
-						// The name of the ServiceAccount resource being referred to.
-						name: string
-
-						// Namespace of the resource being referred to. Ignored if
-						// referent is not cluster-scoped. cluster-scoped defaults
-						// to the namespace of the referent.
-						namespace?: string
-					}
-				}
-
-				// Path where the AWS auth method is enabled in Vault, e.g: "aws"
-				path?: string
-
-				// AWS region
-				region?: string
-
-				// This is the AWS role to be assumed before talking to vault
-				role?: string
-
-				// Specify credentials in a Secret object
-				secretRef?: {
-					// The AccessKeyID is used for authentication
-					accessKeyIDSecretRef?: {
-						// The key of the entry in the Secret resource's `data` field to
-						// be used. Some instances of this field may be
-						// defaulted, in others it may be required.
-						key?: string
-
-						// The name of the Secret resource being referred to.
-						name?: string
-
-						// Namespace of the resource being referred to. Ignored if
-						// referent is not cluster-scoped. cluster-scoped defaults
-						// to the namespace of the referent.
-						namespace?: string
-					}
-
-					// The SecretAccessKey is used for authentication
-					secretAccessKeySecretRef?: {
-						// The key of the entry in the Secret resource's `data` field to
-						// be used. Some instances of this field may be
-						// defaulted, in others it may be required.
-						key?: string
-
-						// The name of the Secret resource being referred to.
-						name?: string
-
-						// Namespace of the resource being referred to. Ignored if
-						// referent is not cluster-scoped. cluster-scoped defaults
-						// to the namespace of the referent.
-						namespace?: string
-					}
-
-					// The SessionToken used for authentication
-					// This must be defined if AccessKeyID and SecretAccessKey are
-					// temporary credentials
-					// see:
-					// https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
-					sessionTokenSecretRef?: {
-						// The key of the entry in the Secret resource's `data` field to
-						// be used. Some instances of this field may be
-						// defaulted, in others it may be required.
-						key?: string
-
-						// The name of the Secret resource being referred to.
-						name?: string
-
-						// Namespace of the resource being referred to. Ignored if
-						// referent is not cluster-scoped. cluster-scoped defaults
-						// to the namespace of the referent.
-						namespace?: string
-					}
-				}
-
-				// X-Vault-AWS-IAM-Server-ID is an additional header used by Vault
-				// IAM auth method to mitigate against different types of replay
-				// attacks. More details here:
-				// https://developer.hashicorp.com/vault/docs/auth/aws
-				vaultAwsIamServerID?: string
-
-				// Vault Role. In vault, a role describes an identity with a set
-				// of permissions, groups, or policies you want to attach a user
-				// of the secrets engine
-				vaultRole: string
-			}
-
-			// Jwt authenticates with Vault by passing role and JWT token
-			// using the
-			// JWT/OIDC authentication method
-			jwt?: {
-				// Optional ServiceAccountToken specifies the Kubernetes service
-				// account for which to request
-				// a token for with the `TokenRequest` API.
-				kubernetesServiceAccountToken?: {
-					// Optional audiences field that will be used to request a
-					// temporary Kubernetes service
-					// account token for the service account referenced by
-					// `serviceAccountRef`.
-					// Defaults to a single audience `vault` it not specified.
-					// Deprecated: use serviceAccountRef.Audiences instead
-					audiences?: [...string]
-
-					// Optional expiration time in seconds that will be used to
-					// request a temporary
-					// Kubernetes service account token for the service account
-					// referenced by
-					// `serviceAccountRef`.
-					// Deprecated: this will be removed in the future.
-					// Defaults to 10 minutes.
-					expirationSeconds?: int
-
-					// Service account field containing the name of a kubernetes
-					// ServiceAccount.
-					serviceAccountRef: {
-						// Audience specifies the `aud` claim for the service account
-						// token
-						// If the service account uses a well-known annotation for e.g.
-						// IRSA or GCP Workload Identity
-						// then this audiences will be appended to the list
-						audiences?: [...string]
-
-						// The name of the ServiceAccount resource being referred to.
-						name: string
-
-						// Namespace of the resource being referred to. Ignored if
-						// referent is not cluster-scoped. cluster-scoped defaults
-						// to the namespace of the referent.
-						namespace?: string
-					}
-				}
-
-				// Path where the JWT authentication backend is mounted
-				// in Vault, e.g: "jwt"
-				path: string | *"jwt"
-
-				// Role is a JWT role to authenticate using the JWT/OIDC Vault
-				// authentication method
-				role?: string
-
-				// Optional SecretRef that refers to a key in a Secret resource
-				// containing JWT token to
-				// authenticate with Vault using the JWT/OIDC authentication
-				// method.
-				secretRef?: {
-					// The key of the entry in the Secret resource's `data` field to
-					// be used. Some instances of this field may be
-					// defaulted, in others it may be required.
-					key?: string
-
-					// The name of the Secret resource being referred to.
-					name?: string
-
-					// Namespace of the resource being referred to. Ignored if
-					// referent is not cluster-scoped. cluster-scoped defaults
-					// to the namespace of the referent.
-					namespace?: string
-				}
-			}
-
-			// Kubernetes authenticates with Vault by passing the
-			// ServiceAccount
-			// token stored in the named Secret resource to the Vault server.
-			kubernetes?: {
-				// Path where the Kubernetes authentication backend is mounted in
-				// Vault, e.g:
-				// "kubernetes"
-				mountPath: string | *"kubernetes"
-
-				// A required field containing the Vault Role to assume. A Role
-				// binds a
-				// Kubernetes ServiceAccount with a set of Vault policies.
-				role: string
-
-				// Optional secret field containing a Kubernetes ServiceAccount
-				// JWT used
-				// for authenticating with Vault. If a name is specified without a
-				// key,
-				// `token` is the default. If one is not specified, the one bound
-				// to
-				// the controller will be used.
-				secretRef?: {
-					// The key of the entry in the Secret resource's `data` field to
-					// be used. Some instances of this field may be
-					// defaulted, in others it may be required.
-					key?: string
-
-					// The name of the Secret resource being referred to.
-					name?: string
-
-					// Namespace of the resource being referred to. Ignored if
-					// referent is not cluster-scoped. cluster-scoped defaults
-					// to the namespace of the referent.
-					namespace?: string
-				}
-
-				// Optional service account field containing the name of a
-				// kubernetes ServiceAccount.
-				// If the service account is specified, the service account secret
-				// token JWT will be used
-				// for authenticating with Vault. If the service account selector
-				// is not supplied,
-				// the secretRef will be used instead.
-				serviceAccountRef?: {
-					// Audience specifies the `aud` claim for the service account
-					// token
-					// If the service account uses a well-known annotation for e.g.
-					// IRSA or GCP Workload Identity
-					// then this audiences will be appended to the list
-					audiences?: [...string]
-
-					// The name of the ServiceAccount resource being referred to.
-					name: string
-
-					// Namespace of the resource being referred to. Ignored if
-					// referent is not cluster-scoped. cluster-scoped defaults
-					// to the namespace of the referent.
-					namespace?: string
-				}
-			}
-
-			// Ldap authenticates with Vault by passing username/password pair
-			// using
-			// the LDAP authentication method
-			ldap?: {
-				// Path where the LDAP authentication backend is mounted
-				// in Vault, e.g: "ldap"
-				path: string | *"ldap"
-
-				// SecretRef to a key in a Secret resource containing password for
-				// the LDAP
-				// user used to authenticate with Vault using the LDAP
-				// authentication
-				// method
-				secretRef?: {
-					// The key of the entry in the Secret resource's `data` field to
-					// be used. Some instances of this field may be
-					// defaulted, in others it may be required.
-					key?: string
-
-					// The name of the Secret resource being referred to.
-					name?: string
-
-					// Namespace of the resource being referred to. Ignored if
-					// referent is not cluster-scoped. cluster-scoped defaults
-					// to the namespace of the referent.
-					namespace?: string
-				}
-
-				// Username is a LDAP user name used to authenticate using the
-				// LDAP Vault
-				// authentication method
-				username: string
-			}
-
-			// TokenSecretRef authenticates with Vault by presenting a token.
-			tokenSecretRef?: {
-				// The key of the entry in the Secret resource's `data` field to
-				// be used. Some instances of this field may be
-				// defaulted, in others it may be required.
-				key?: string
-
-				// The name of the Secret resource being referred to.
-				name?: string
-
-				// Namespace of the resource being referred to. Ignored if
-				// referent is not cluster-scoped. cluster-scoped defaults
-				// to the namespace of the referent.
-				namespace?: string
-			}
-
-			// UserPass authenticates with Vault by passing username/password
-			// pair
-			userPass?: {
-				// Path where the UserPassword authentication backend is mounted
-				// in Vault, e.g: "user"
-				path: string | *"user"
-
-				// SecretRef to a key in a Secret resource containing password for
-				// the
-				// user used to authenticate with Vault using the UserPass
-				// authentication
-				// method
-				secretRef?: {
-					// The key of the entry in the Secret resource's `data` field to
-					// be used. Some instances of this field may be
-					// defaulted, in others it may be required.
-					key?: string
-
-					// The name of the Secret resource being referred to.
-					name?: string
-
-					// Namespace of the resource being referred to. Ignored if
-					// referent is not cluster-scoped. cluster-scoped defaults
-					// to the namespace of the referent.
-					namespace?: string
-				}
-
-				// Username is a user name used to authenticate using the UserPass
-				// Vault
-				// authentication method
-				username: string
-			}
-		}
-
-		// PEM encoded CA bundle used to validate Vault server
-		// certificate. Only used
-		// if the Server URL is using HTTPS protocol. This parameter is
-		// ignored for
-		// plain HTTP protocol connection. If not set the system root
-		// certificates
-		// are used to validate the TLS connection.
-		caBundle?: string
-
-		// The provider for the CA bundle to use to validate Vault server
-		// certificate.
-		caProvider?: {
-			// The key where the CA certificate can be found in the Secret or
-			// ConfigMap.
-			key?: string
-
-			// The name of the object located at the provider type.
-			name: string
-
-			// The namespace the Provider type is in.
-			// Can only be defined when used in a ClusterSecretStore.
-			namespace?: string
-
-			// The type of provider to use such as "Secret", or "ConfigMap".
-			type: "Secret" | "ConfigMap"
-		}
-
-		// ForwardInconsistent tells Vault to forward read-after-write
-		// requests to the Vault
-		// leader instead of simply retrying within a loop. This can
-		// increase performance if
-		// the option is enabled serverside.
-		// https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
-		forwardInconsistent?: bool
-
-		// Name of the vault namespace. Namespaces is a set of features
-		// within Vault Enterprise that allows
-		// Vault environments to support Secure Multi-tenancy. e.g: "ns1".
-		// More about namespaces can be found here
-		// https://www.vaultproject.io/docs/enterprise/namespaces
-		namespace?: string
-
-		// Path is the mount path of the Vault KV backend endpoint, e.g:
-		// "secret". The v2 KV secret engine version specific "/data" path
-		// suffix
-		// for fetching secrets from Vault is optional and will be
-		// appended
-		// if not present in specified path.
-		path?: string
-
-		// ReadYourWrites ensures isolated read-after-write semantics by
-		// providing discovered cluster replication states in each
-		// request.
-		// More information about eventual consistency in Vault can be
-		// found here
-		// https://www.vaultproject.io/docs/enterprise/consistency
-		readYourWrites?: bool
-
-		// Server is the connection address for the Vault server, e.g:
-		// "https://vault.example.com:8200".
-		server: string
-
-		// The configuration used for client side related TLS
-		// communication, when the Vault server
-		// requires mutual authentication. Only used if the Server URL is
-		// using HTTPS protocol.
-		// This parameter is ignored for plain HTTP protocol connection.
-		// It's worth noting this configuration is different from the "TLS
-		// certificates auth method",
-		// which is available under the `auth.cert` section.
-		tls?: {
-			// CertSecretRef is a certificate added to the transport layer
-			// when communicating with the Vault server.
-			// If no key for the Secret is specified, external-secret will
-			// default to 'tls.crt'.
-			certSecretRef?: {
-				// The key of the entry in the Secret resource's `data` field to
-				// be used. Some instances of this field may be
-				// defaulted, in others it may be required.
-				key?: string
-
-				// The name of the Secret resource being referred to.
-				name?: string
-
-				// Namespace of the resource being referred to. Ignored if
-				// referent is not cluster-scoped. cluster-scoped defaults
-				// to the namespace of the referent.
-				namespace?: string
-			}
-
-			// KeySecretRef to a key in a Secret resource containing client
-			// private key
-			// added to the transport layer when communicating with the Vault
-			// server.
-			// If no key for the Secret is specified, external-secret will
-			// default to 'tls.key'.
-			keySecretRef?: {
-				// The key of the entry in the Secret resource's `data` field to
-				// be used. Some instances of this field may be
-				// defaulted, in others it may be required.
-				key?: string
-
-				// The name of the Secret resource being referred to.
-				name?: string
-
-				// Namespace of the resource being referred to. Ignored if
-				// referent is not cluster-scoped. cluster-scoped defaults
-				// to the namespace of the referent.
-				namespace?: string
-			}
-		}
-
-		// Version is the Vault KV secret engine version. This can be
-		// either "v1" or
-		// "v2". Version defaults to "v2".
-		version?: "v1" | "v2" | *"v2"
-	}
-
-	// Result type defines which data is returned from the generator.
-	// By default it is the "data" section of the Vault API response.
-	// When using e.g. /auth/token/create the "data" section is empty
-	// but
-	// the "auth" section contains the generated token.
-	// Please refer to the vault docs regarding the result data
-	// structure.
-	resultType?: "Data" | "Auth" | *"Data"
-}

docs/examples/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/buildplan_go_gen.cue

@@ -1,26 +0,0 @@
-// Code generated by cue get go. DO NOT EDIT.
-
-//cue:generate cue get go github.com/holos-run/holos/api/v1alpha1
-
-package v1alpha1
-
-// BuildPlan is the primary interface between CUE and the Holos cli.
-#BuildPlan: {
-	#TypeMeta
-
-	// Metadata represents the holos component name
-	metadata?: #ObjectMeta    @go(Metadata)
-	spec?:     #BuildPlanSpec @go(Spec)
-}
-
-#BuildPlanSpec: {
-	disabled?:   bool                 @go(Disabled)
-	components?: #BuildPlanComponents @go(Components)
-}
-
-#BuildPlanComponents: {
-	helmChartList?: [...#HelmChart] @go(HelmChartList,[]HelmChart)
-	kubernetesObjectsList?: [...#KubernetesObjects] @go(KubernetesObjectsList,[]KubernetesObjects)
-	kustomizeBuildList?: [...#KustomizeBuild] @go(KustomizeBuildList,[]KustomizeBuild)
-	resources?: {[string]: #KubernetesObjects} @go(Resources,map[string]KubernetesObjects)
-}

docs/examples/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/component_go_gen.cue

@@ -1,24 +0,0 @@
-// Code generated by cue get go. DO NOT EDIT.
-
-//cue:generate cue get go github.com/holos-run/holos/api/v1alpha1
-
-package v1alpha1
-
-// HolosComponent defines the fields common to all holos component kinds including the Render Result.
-#HolosComponent: {
-	#TypeMeta
-
-	// Metadata represents the holos component name
-	metadata?: #ObjectMeta @go(Metadata)
-
-	// APIObjectMap holds the marshalled representation of api objects. Think of
-	// these as resources overlaid at the back of the render pipeline.
-	apiObjectMap?: #APIObjectMap @go(APIObjectMap)
-
-	#Kustomization
-
-	#Kustomize
-
-	// Skip causes holos to take no action regarding the component.
-	Skip: bool
-}

docs/examples/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/constants_go_gen.cue

@@ -1,15 +0,0 @@
-// Code generated by cue get go. DO NOT EDIT.
-
-//cue:generate cue get go github.com/holos-run/holos/api/v1alpha1
-
-package v1alpha1
-
-#APIVersion:    "holos.run/v1alpha1"
-#BuildPlanKind: "BuildPlan"
-#HelmChartKind: "HelmChart"
-
-// ChartDir is the directory name created in the holos component directory to cache a chart.
-#ChartDir: "vendor"
-
-// ResourcesFile is the file name used to store component output when post-processing with kustomize.
-#ResourcesFile: "resources.yaml"

docs/examples/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/doc_go_gen.cue

@@ -1,6 +0,0 @@
-// Code generated by cue get go. DO NOT EDIT.
-
-//cue:generate cue get go github.com/holos-run/holos/api/v1alpha1
-
-// Package v1alpha1 defines the api boundary between CUE and Holos.
-package v1alpha1

docs/examples/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/helm_go_gen.cue

@@ -1,28 +0,0 @@
-// Code generated by cue get go. DO NOT EDIT.
-
-//cue:generate cue get go github.com/holos-run/holos/api/v1alpha1
-
-package v1alpha1
-
-// A HelmChart represents a helm command to provide chart values in order to render kubernetes api objects.
-#HelmChart: {
-	#HolosComponent
-
-	// Namespace is the namespace to install into.  TODO: Use metadata.namespace instead.
-	namespace:     string @go(Namespace)
-	chart:         #Chart @go(Chart)
-	valuesContent: string @go(ValuesContent)
-	enableHooks:   bool   @go(EnableHooks)
-}
-
-#Chart: {
-	name:        string      @go(Name)
-	version:     string      @go(Version)
-	release:     string      @go(Release)
-	repository?: #Repository @go(Repository)
-}
-
-#Repository: {
-	name: string @go(Name)
-	url:  string @go(URL)
-}

docs/examples/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/kubernetesobjects_go_gen.cue

@@ -1,12 +0,0 @@
-// Code generated by cue get go. DO NOT EDIT.
-
-//cue:generate cue get go github.com/holos-run/holos/api/v1alpha1
-
-package v1alpha1
-
-#KubernetesObjectsKind: "KubernetesObjects"
-
-// KubernetesObjects represents CUE output which directly provides Kubernetes api objects to holos.
-#KubernetesObjects: {
-	#HolosComponent
-}

docs/examples/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/kustomization_go_gen.cue

@@ -1,11 +0,0 @@
-// Code generated by cue get go. DO NOT EDIT.
-
-//cue:generate cue get go github.com/holos-run/holos/api/v1alpha1
-
-package v1alpha1
-
-// Kustomization holds the rendered flux kustomization api object content for git ops.
-#Kustomization: {
-	// KsContent is the yaml representation of the flux kustomization for gitops.
-	ksContent?: string @go(KsContent)
-}

docs/examples/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/kustomize_go_gen.cue

@@ -1,25 +0,0 @@
-// Code generated by cue get go. DO NOT EDIT.
-
-//cue:generate cue get go github.com/holos-run/holos/api/v1alpha1
-
-package v1alpha1
-
-#KustomizeBuildKind: "KustomizeBuild"
-
-// Kustomize represents resources necessary to execute a kustomize build.
-// Intended for at least two use cases:
-//
-//  1. Process raw yaml file resources in a holos component directory.
-//  2. Post process a HelmChart to inject istio, add custom labels, etc...
-#Kustomize: {
-	// KustomizeFiles holds file contents for kustomize, e.g. patch files.
-	kustomizeFiles?: #FileContentMap @go(KustomizeFiles)
-
-	// ResourcesFile is the file name used for api objects in kustomization.yaml
-	resourcesFile?: string @go(ResourcesFile)
-}
-
-// KustomizeBuild renders plain yaml files in the holos component directory using kubectl kustomize build.
-#KustomizeBuild: {
-	#HolosComponent
-}

docs/examples/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/kustomizebuild_go_gen.cue

@@ -1,12 +0,0 @@
-// Code generated by cue get go. DO NOT EDIT.
-
-//cue:generate cue get go github.com/holos-run/holos/api/v1alpha1
-
-package v1alpha1
-
-#KustomizeBuildKind: "KustomizeBuild"
-
-// KustomizeBuild
-#KustomizeBuild: {
-	#HolosComponent
-}

docs/examples/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/objectmap_go_gen.cue

@@ -1,18 +0,0 @@
-// Code generated by cue get go. DO NOT EDIT.
-
-//cue:generate cue get go github.com/holos-run/holos/api/v1alpha1
-
-package v1alpha1
-
-// Label is an arbitrary unique identifier.  Defined as a type for clarity and type checking.
-#Label: string
-
-// Kind is a kubernetes api object kind. Defined as a type for clarity and type checking.
-#Kind: string
-
-// APIObjectMap is the shape of marshalled api objects returned from cue to the
-// holos cli. A map is used to improve the clarity of error messages from cue.
-#APIObjectMap: {[string]: [string]: string}
-
-// FileContentMap is a map of file names to file contents.
-#FileContentMap: {[string]: string}

docs/examples/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/objectmeta_go_gen.cue

@@ -1,22 +0,0 @@
-// Code generated by cue get go. DO NOT EDIT.
-
-//cue:generate cue get go github.com/holos-run/holos/api/v1alpha1
-
-package v1alpha1
-
-// ObjectMeta represents metadata of a holos component object. The fields are a
-// copy of upstream kubernetes api machinery but are by holos objects distinct
-// from kubernetes api objects.
-#ObjectMeta: {
-	// Name uniquely identifies the holos component instance and must be suitable as a file name.
-	name?: string @go(Name)
-
-	// Namespace confines a holos component to a single namespace via kustomize if set.
-	namespace?: string @go(Namespace)
-
-	// Labels are not used but are copied from api machinery ObjectMeta for completeness.
-	labels?: {[string]: string} @go(Labels,map[string]string)
-
-	// Annotations are not used but are copied from api machinery ObjectMeta for completeness.
-	annotations?: {[string]: string} @go(Annotations,map[string]string)
-}

docs/examples/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/render_go_gen.cue

@@ -1,7 +0,0 @@
-// Code generated by cue get go. DO NOT EDIT.
-
-//cue:generate cue get go github.com/holos-run/holos/api/v1alpha1
-
-package v1alpha1
-
-#Renderer: _

docs/examples/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/result_go_gen.cue

@@ -1,10 +0,0 @@
-// Code generated by cue get go. DO NOT EDIT.
-
-//cue:generate cue get go github.com/holos-run/holos/api/v1alpha1
-
-package v1alpha1
-
-// Result is the build result for display or writing.  Holos components Render the Result as a data pipeline.
-#Result: {
-	HolosComponent: #HolosComponent
-}

docs/examples/cue.mod/gen/github.com/holos-run/holos/api/v1alpha1/typemeta_go_gen.cue

@@ -1,10 +0,0 @@
-// Code generated by cue get go. DO NOT EDIT.
-
-//cue:generate cue get go github.com/holos-run/holos/api/v1alpha1
-
-package v1alpha1
-
-#TypeMeta: {
-	kind?:       string @go(Kind)
-	apiVersion?: string @go(APIVersion)
-}

docs/examples/cue.mod/gen/helm.toolkit.fluxcd.io/helmrelease/v2beta1/types_gen.cue

@@ -1,692 +0,0 @@
-// Code generated by timoni. DO NOT EDIT.
-
-//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
-
-package v2beta1
-
-import "strings"
-
-// HelmRelease is the Schema for the helmreleases API
-#HelmRelease: {
-	// APIVersion defines the versioned schema of this representation
-	// of an object. Servers should convert recognized schemas to the
-	// latest internal value, and may reject unrecognized values.
-	// More info:
-	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-	apiVersion: "helm.toolkit.fluxcd.io/v2beta1"
-
-	// Kind is a string value representing the REST resource this
-	// object represents. Servers may infer this from the endpoint
-	// the client submits requests to. Cannot be updated. In
-	// CamelCase. More info:
-	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-	kind: "HelmRelease"
-	metadata!: {
-		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
-			string
-		}
-		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
-			string
-		}
-		labels?: {
-			[string]: string
-		}
-		annotations?: {
-			[string]: string
-		}
-	}
-
-	// HelmReleaseSpec defines the desired state of a Helm release.
-	spec!: #HelmReleaseSpec
-}
-
-// HelmReleaseSpec defines the desired state of a Helm release.
-#HelmReleaseSpec: {
-	// Chart defines the template of the v1beta2.HelmChart that should
-	// be created for this HelmRelease.
-	chart: {
-		// ObjectMeta holds the template for metadata like labels and
-		// annotations.
-		metadata?: {
-			// Annotations is an unstructured key value map stored with a
-			// resource that may be set by external tools to store and
-			// retrieve arbitrary metadata. They are not queryable and should
-			// be preserved when modifying objects. More info:
-			// https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
-			annotations?: {
-				[string]: string
-			}
-
-			// Map of string keys and values that can be used to organize and
-			// categorize (scope and select) objects. More info:
-			// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
-			labels?: {
-				[string]: string
-			}
-		}
-
-		// Spec holds the template for the v1beta2.HelmChartSpec for this
-		// HelmRelease.
-		spec: {
-			// The name or path the Helm chart is available at in the
-			// SourceRef.
-			chart: string
-
-			// Interval at which to check the v1beta2.Source for updates.
-			// Defaults to 'HelmReleaseSpec.Interval'.
-			interval?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
-
-			// Determines what enables the creation of a new artifact. Valid
-			// values are ('ChartVersion', 'Revision'). See the documentation
-			// of the values for an explanation on their behavior. Defaults
-			// to ChartVersion when omitted.
-			reconcileStrategy?: "ChartVersion" | "Revision" | *"ChartVersion"
-
-			// The name and namespace of the v1beta2.Source the chart is
-			// available at.
-			sourceRef: {
-				// APIVersion of the referent.
-				apiVersion?: string
-
-				// Kind of the referent.
-				kind?: "HelmRepository" | "GitRepository" | "Bucket"
-
-				// Name of the referent.
-				name: strings.MaxRunes(253) & strings.MinRunes(1)
-
-				// Namespace of the referent.
-				namespace?: strings.MaxRunes(63) & strings.MinRunes(1)
-			}
-
-			// Alternative values file to use as the default chart values,
-			// expected to be a relative path in the SourceRef. Deprecated in
-			// favor of ValuesFiles, for backwards compatibility the file
-			// defined here is merged before the ValuesFiles items. Ignored
-			// when omitted.
-			valuesFile?: string
-
-			// Alternative list of values files to use as the chart values
-			// (values.yaml is not included by default), expected to be a
-			// relative path in the SourceRef. Values files are merged in the
-			// order of this list with the last file overriding the first.
-			// Ignored when omitted.
-			valuesFiles?: [...string]
-
-			// Verify contains the secret name containing the trusted public
-			// keys used to verify the signature and specifies which provider
-			// to use to check whether OCI image is authentic. This field is
-			// only supported for OCI sources. Chart dependencies, which are
-			// not bundled in the umbrella chart artifact, are not verified.
-			verify?: {
-				// Provider specifies the technology used to sign the OCI Helm
-				// chart.
-				provider: "cosign" | *"cosign"
-				secretRef?: {
-					// Name of the referent.
-					name: string
-				}
-			}
-
-			// Version semver expression, ignored for charts from
-			// v1beta2.GitRepository and v1beta2.Bucket sources. Defaults to
-			// latest when omitted.
-			version?: string | *"*"
-		}
-	}
-
-	// DependsOn may contain a meta.NamespacedObjectReference slice
-	// with references to HelmRelease resources that must be ready
-	// before this HelmRelease can be reconciled.
-	dependsOn?: [...{
-		// Name of the referent.
-		name: string
-
-		// Namespace of the referent, when not specified it acts as
-		// LocalObjectReference.
-		namespace?: string
-	}]
-
-	// DriftDetection holds the configuration for detecting and
-	// handling differences between the manifest in the Helm storage
-	// and the resources currently existing in the cluster.
-	// Note: this field is provisional to the v2beta2 API, and not
-	// actively used by v2beta1 HelmReleases.
-	driftDetection?: {
-		// Ignore contains a list of rules for specifying which changes to
-		// ignore during diffing.
-		ignore?: [...{
-			// Paths is a list of JSON Pointer (RFC 6901) paths to be excluded
-			// from consideration in a Kubernetes object.
-			paths: [...string]
-
-			// Target is a selector for specifying Kubernetes objects to which
-			// this rule applies. If Target is not set, the Paths will be
-			// ignored for all Kubernetes objects within the manifest of the
-			// Helm release.
-			target?: {
-				// AnnotationSelector is a string that follows the label selection
-				// expression
-				// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
-				// It matches with the resource annotations.
-				annotationSelector?: string
-
-				// Group is the API group to select resources from. Together with
-				// Version and Kind it is capable of unambiguously identifying
-				// and/or selecting resources.
-				// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
-				group?: string
-
-				// Kind of the API Group to select resources from. Together with
-				// Group and Version it is capable of unambiguously identifying
-				// and/or selecting resources.
-				// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
-				kind?: string
-
-				// LabelSelector is a string that follows the label selection
-				// expression
-				// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
-				// It matches with the resource labels.
-				labelSelector?: string
-
-				// Name to match resources with.
-				name?: string
-
-				// Namespace to select resources from.
-				namespace?: string
-
-				// Version of the API Group to select resources from. Together
-				// with Group and Kind it is capable of unambiguously identifying
-				// and/or selecting resources.
-				// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
-				version?: string
-			}
-		}]
-
-		// Mode defines how differences should be handled between the Helm
-		// manifest and the manifest currently applied to the cluster. If
-		// not explicitly set, it defaults to DiffModeDisabled.
-		mode?: "enabled" | "warn" | "disabled"
-	}
-
-	// Install holds the configuration for Helm install actions for
-	// this HelmRelease.
-	install?: {
-		// CRDs upgrade CRDs from the Helm Chart's crds directory
-		// according to the CRD upgrade policy provided here. Valid
-		// values are `Skip`, `Create` or `CreateReplace`. Default is
-		// `Create` and if omitted CRDs are installed but not updated.
-		// Skip: do neither install nor replace (update) any CRDs.
-		// Create: new CRDs are created, existing CRDs are neither updated
-		// nor deleted.
-		// CreateReplace: new CRDs are created, existing CRDs are updated
-		// (replaced) but not deleted.
-		// By default, CRDs are applied (installed) during Helm install
-		// action. With this option users can opt-in to CRD replace
-		// existing CRDs on Helm install actions, which is not (yet)
-		// natively supported by Helm.
-		// https://helm.sh/docs/chart_best_practices/custom_resource_definitions.
-		crds?: "Skip" | "Create" | "CreateReplace"
-
-		// CreateNamespace tells the Helm install action to create the
-		// HelmReleaseSpec.TargetNamespace if it does not exist yet. On
-		// uninstall, the namespace will not be garbage collected.
-		createNamespace?: bool
-
-		// DisableHooks prevents hooks from running during the Helm
-		// install action.
-		disableHooks?: bool
-
-		// DisableOpenAPIValidation prevents the Helm install action from
-		// validating rendered templates against the Kubernetes OpenAPI
-		// Schema.
-		disableOpenAPIValidation?: bool
-
-		// DisableWait disables the waiting for resources to be ready
-		// after a Helm install has been performed.
-		disableWait?: bool
-
-		// DisableWaitForJobs disables waiting for jobs to complete after
-		// a Helm install has been performed.
-		disableWaitForJobs?: bool
-
-		// Remediation holds the remediation configuration for when the
-		// Helm install action for the HelmRelease fails. The default is
-		// to not perform any action.
-		remediation?: {
-			// IgnoreTestFailures tells the controller to skip remediation
-			// when the Helm tests are run after an install action but fail.
-			// Defaults to 'Test.IgnoreFailures'.
-			ignoreTestFailures?: bool
-
-			// RemediateLastFailure tells the controller to remediate the last
-			// failure, when no retries remain. Defaults to 'false'.
-			remediateLastFailure?: bool
-
-			// Retries is the number of retries that should be attempted on
-			// failures before bailing. Remediation, using an uninstall, is
-			// performed between each attempt. Defaults to '0', a negative
-			// integer equals to unlimited retries.
-			retries?: int
-		}
-
-		// Replace tells the Helm install action to re-use the
-		// 'ReleaseName', but only if that name is a deleted release
-		// which remains in the history.
-		replace?: bool
-
-		// SkipCRDs tells the Helm install action to not install any CRDs.
-		// By default, CRDs are installed if not already present.
-		// Deprecated use CRD policy (`crds`) attribute with value `Skip`
-		// instead.
-		skipCRDs?: bool
-
-		// Timeout is the time to wait for any individual Kubernetes
-		// operation (like Jobs for hooks) during the performance of a
-		// Helm install action. Defaults to 'HelmReleaseSpec.Timeout'.
-		timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
-	}
-
-	// Interval at which to reconcile the Helm release. This interval
-	// is approximate and may be subject to jitter to ensure
-	// efficient use of resources.
-	interval: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
-	kubeConfig?: {
-		// SecretRef holds the name of a secret that contains a key with
-		// the kubeconfig file as the value. If no key is set, the key
-		// will default to 'value'. It is recommended that the kubeconfig
-		// is self-contained, and the secret is regularly updated if
-		// credentials such as a cloud-access-token expire. Cloud
-		// specific `cmd-path` auth helpers will not function without
-		// adding binaries and credentials to the Pod that is responsible
-		// for reconciling Kubernetes resources.
-		secretRef: {
-			// Key in the Secret, when not specified an
-			// implementation-specific default key is used.
-			key?: string
-
-			// Name of the Secret.
-			name: string
-		}
-	}
-
-	// MaxHistory is the number of revisions saved by Helm for this
-	// HelmRelease. Use '0' for an unlimited number of revisions;
-	// defaults to '10'.
-	maxHistory?: int
-
-	// PersistentClient tells the controller to use a persistent
-	// Kubernetes client for this release. When enabled, the client
-	// will be reused for the duration of the reconciliation, instead
-	// of being created and destroyed for each (step of a) Helm
-	// action.
-	// This can improve performance, but may cause issues with some
-	// Helm charts that for example do create Custom Resource
-	// Definitions during installation outside Helm's CRD lifecycle
-	// hooks, which are then not observed to be available by e.g.
-	// post-install hooks.
-	// If not set, it defaults to true.
-	persistentClient?: bool
-
-	// PostRenderers holds an array of Helm PostRenderers, which will
-	// be applied in order of their definition.
-	postRenderers?: [...{
-		// Kustomization to apply as PostRenderer.
-		kustomize?: {
-			// Images is a list of (image name, new name, new tag or digest)
-			// for changing image names, tags or digests. This can also be
-			// achieved with a patch, but this operator is simpler to
-			// specify.
-			images?: [...{
-				// Digest is the value used to replace the original image tag. If
-				// digest is present NewTag value is ignored.
-				digest?: string
-
-				// Name is a tag-less image name.
-				name: string
-
-				// NewName is the value used to replace the original name.
-				newName?: string
-
-				// NewTag is the value used to replace the original tag.
-				newTag?: string
-			}]
-
-			// Strategic merge and JSON patches, defined as inline YAML
-			// objects, capable of targeting objects based on kind, label and
-			// annotation selectors.
-			patches?: [...{
-				// Patch contains an inline StrategicMerge patch or an inline
-				// JSON6902 patch with an array of operation objects.
-				patch: string
-
-				// Target points to the resources that the patch document should
-				// be applied to.
-				target?: {
-					// AnnotationSelector is a string that follows the label selection
-					// expression
-					// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
-					// It matches with the resource annotations.
-					annotationSelector?: string
-
-					// Group is the API group to select resources from. Together with
-					// Version and Kind it is capable of unambiguously identifying
-					// and/or selecting resources.
-					// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
-					group?: string
-
-					// Kind of the API Group to select resources from. Together with
-					// Group and Version it is capable of unambiguously identifying
-					// and/or selecting resources.
-					// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
-					kind?: string
-
-					// LabelSelector is a string that follows the label selection
-					// expression
-					// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
-					// It matches with the resource labels.
-					labelSelector?: string
-
-					// Name to match resources with.
-					name?: string
-
-					// Namespace to select resources from.
-					namespace?: string
-
-					// Version of the API Group to select resources from. Together
-					// with Group and Kind it is capable of unambiguously identifying
-					// and/or selecting resources.
-					// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
-					version?: string
-				}
-			}]
-
-			// JSON 6902 patches, defined as inline YAML objects.
-			patchesJson6902?: [...{
-				// Patch contains the JSON6902 patch document with an array of
-				// operation objects.
-				patch: [...{
-					// From contains a JSON-pointer value that references a location
-					// within the target document where the operation is performed.
-					// The meaning of the value depends on the value of Op, and is
-					// NOT taken into account by all operations.
-					from?: string
-
-					// Op indicates the operation to perform. Its value MUST be one of
-					// "add", "remove", "replace", "move", "copy", or "test".
-					// https://datatracker.ietf.org/doc/html/rfc6902#section-4
-					op: "test" | "remove" | "add" | "replace" | "move" | "copy"
-
-					// Path contains the JSON-pointer value that references a location
-					// within the target document where the operation is performed.
-					// The meaning of the value depends on the value of Op.
-					path: string
-
-					// Value contains a valid JSON structure. The meaning of the value
-					// depends on the value of Op, and is NOT taken into account by
-					// all operations.
-					value?: _
-				}]
-
-				// Target points to the resources that the patch document should
-				// be applied to.
-				target: {
-					// AnnotationSelector is a string that follows the label selection
-					// expression
-					// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
-					// It matches with the resource annotations.
-					annotationSelector?: string
-
-					// Group is the API group to select resources from. Together with
-					// Version and Kind it is capable of unambiguously identifying
-					// and/or selecting resources.
-					// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
-					group?: string
-
-					// Kind of the API Group to select resources from. Together with
-					// Group and Version it is capable of unambiguously identifying
-					// and/or selecting resources.
-					// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
-					kind?: string
-
-					// LabelSelector is a string that follows the label selection
-					// expression
-					// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
-					// It matches with the resource labels.
-					labelSelector?: string
-
-					// Name to match resources with.
-					name?: string
-
-					// Namespace to select resources from.
-					namespace?: string
-
-					// Version of the API Group to select resources from. Together
-					// with Group and Kind it is capable of unambiguously identifying
-					// and/or selecting resources.
-					// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
-					version?: string
-				}
-			}]
-
-			// Strategic merge patches, defined as inline YAML objects.
-			patchesStrategicMerge?: [...]
-		}
-	}]
-
-	// ReleaseName used for the Helm release. Defaults to a
-	// composition of '[TargetNamespace-]Name'.
-	releaseName?: strings.MaxRunes(53) & strings.MinRunes(1)
-
-	// Rollback holds the configuration for Helm rollback actions for
-	// this HelmRelease.
-	rollback?: {
-		// CleanupOnFail allows deletion of new resources created during
-		// the Helm rollback action when it fails.
-		cleanupOnFail?: bool
-
-		// DisableHooks prevents hooks from running during the Helm
-		// rollback action.
-		disableHooks?: bool
-
-		// DisableWait disables the waiting for resources to be ready
-		// after a Helm rollback has been performed.
-		disableWait?: bool
-
-		// DisableWaitForJobs disables waiting for jobs to complete after
-		// a Helm rollback has been performed.
-		disableWaitForJobs?: bool
-
-		// Force forces resource updates through a replacement strategy.
-		force?: bool
-
-		// Recreate performs pod restarts for the resource if applicable.
-		recreate?: bool
-
-		// Timeout is the time to wait for any individual Kubernetes
-		// operation (like Jobs for hooks) during the performance of a
-		// Helm rollback action. Defaults to 'HelmReleaseSpec.Timeout'.
-		timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
-	}
-
-	// The name of the Kubernetes service account to impersonate when
-	// reconciling this HelmRelease.
-	serviceAccountName?: string
-
-	// StorageNamespace used for the Helm storage. Defaults to the
-	// namespace of the HelmRelease.
-	storageNamespace?: strings.MaxRunes(63) & strings.MinRunes(1)
-
-	// Suspend tells the controller to suspend reconciliation for this
-	// HelmRelease, it does not apply to already started
-	// reconciliations. Defaults to false.
-	suspend?: bool
-
-	// TargetNamespace to target when performing operations for the
-	// HelmRelease. Defaults to the namespace of the HelmRelease.
-	targetNamespace?: strings.MaxRunes(63) & strings.MinRunes(1)
-
-	// Test holds the configuration for Helm test actions for this
-	// HelmRelease.
-	test?: {
-		// Enable enables Helm test actions for this HelmRelease after an
-		// Helm install or upgrade action has been performed.
-		enable?: bool
-
-		// IgnoreFailures tells the controller to skip remediation when
-		// the Helm tests are run but fail. Can be overwritten for tests
-		// run after install or upgrade actions in
-		// 'Install.IgnoreTestFailures' and 'Upgrade.IgnoreTestFailures'.
-		ignoreFailures?: bool
-
-		// Timeout is the time to wait for any individual Kubernetes
-		// operation during the performance of a Helm test action.
-		// Defaults to 'HelmReleaseSpec.Timeout'.
-		timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
-	}
-
-	// Timeout is the time to wait for any individual Kubernetes
-	// operation (like Jobs for hooks) during the performance of a
-	// Helm action. Defaults to '5m0s'.
-	timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
-
-	// Uninstall holds the configuration for Helm uninstall actions
-	// for this HelmRelease.
-	uninstall?: {
-		// DeletionPropagation specifies the deletion propagation policy
-		// when a Helm uninstall is performed.
-		deletionPropagation?: "background" | "foreground" | "orphan" | *"background"
-
-		// DisableHooks prevents hooks from running during the Helm
-		// rollback action.
-		disableHooks?: bool
-
-		// DisableWait disables waiting for all the resources to be
-		// deleted after a Helm uninstall is performed.
-		disableWait?: bool
-
-		// KeepHistory tells Helm to remove all associated resources and
-		// mark the release as deleted, but retain the release history.
-		keepHistory?: bool
-
-		// Timeout is the time to wait for any individual Kubernetes
-		// operation (like Jobs for hooks) during the performance of a
-		// Helm uninstall action. Defaults to 'HelmReleaseSpec.Timeout'.
-		timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
-	}
-
-	// Upgrade holds the configuration for Helm upgrade actions for
-	// this HelmRelease.
-	upgrade?: {
-		// CleanupOnFail allows deletion of new resources created during
-		// the Helm upgrade action when it fails.
-		cleanupOnFail?: bool
-
-		// CRDs upgrade CRDs from the Helm Chart's crds directory
-		// according to the CRD upgrade policy provided here. Valid
-		// values are `Skip`, `Create` or `CreateReplace`. Default is
-		// `Skip` and if omitted CRDs are neither installed nor upgraded.
-		// Skip: do neither install nor replace (update) any CRDs.
-		// Create: new CRDs are created, existing CRDs are neither updated
-		// nor deleted.
-		// CreateReplace: new CRDs are created, existing CRDs are updated
-		// (replaced) but not deleted.
-		// By default, CRDs are not applied during Helm upgrade action.
-		// With this option users can opt-in to CRD upgrade, which is not
-		// (yet) natively supported by Helm.
-		// https://helm.sh/docs/chart_best_practices/custom_resource_definitions.
-		crds?: "Skip" | "Create" | "CreateReplace"
-
-		// DisableHooks prevents hooks from running during the Helm
-		// upgrade action.
-		disableHooks?: bool
-
-		// DisableOpenAPIValidation prevents the Helm upgrade action from
-		// validating rendered templates against the Kubernetes OpenAPI
-		// Schema.
-		disableOpenAPIValidation?: bool
-
-		// DisableWait disables the waiting for resources to be ready
-		// after a Helm upgrade has been performed.
-		disableWait?: bool
-
-		// DisableWaitForJobs disables waiting for jobs to complete after
-		// a Helm upgrade has been performed.
-		disableWaitForJobs?: bool
-
-		// Force forces resource updates through a replacement strategy.
-		force?: bool
-
-		// PreserveValues will make Helm reuse the last release's values
-		// and merge in overrides from 'Values'. Setting this flag makes
-		// the HelmRelease non-declarative.
-		preserveValues?: bool
-
-		// Remediation holds the remediation configuration for when the
-		// Helm upgrade action for the HelmRelease fails. The default is
-		// to not perform any action.
-		remediation?: {
-			// IgnoreTestFailures tells the controller to skip remediation
-			// when the Helm tests are run after an upgrade action but fail.
-			// Defaults to 'Test.IgnoreFailures'.
-			ignoreTestFailures?: bool
-
-			// RemediateLastFailure tells the controller to remediate the last
-			// failure, when no retries remain. Defaults to 'false' unless
-			// 'Retries' is greater than 0.
-			remediateLastFailure?: bool
-
-			// Retries is the number of retries that should be attempted on
-			// failures before bailing. Remediation, using 'Strategy', is
-			// performed between each attempt. Defaults to '0', a negative
-			// integer equals to unlimited retries.
-			retries?: int
-
-			// Strategy to use for failure remediation. Defaults to
-			// 'rollback'.
-			strategy?: "rollback" | "uninstall"
-		}
-
-		// Timeout is the time to wait for any individual Kubernetes
-		// operation (like Jobs for hooks) during the performance of a
-		// Helm upgrade action. Defaults to 'HelmReleaseSpec.Timeout'.
-		timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
-	}
-
-	// Values holds the values for this Helm release.
-	values?: _
-
-	// ValuesFrom holds references to resources containing Helm values
-	// for this HelmRelease, and information about how they should be
-	// merged.
-	valuesFrom?: [...{
-		// Kind of the values referent, valid values are ('Secret',
-		// 'ConfigMap').
-		kind: "Secret" | "ConfigMap"
-
-		// Name of the values referent. Should reside in the same
-		// namespace as the referring resource.
-		name: strings.MaxRunes(253) & strings.MinRunes(1)
-
-		// Optional marks this ValuesReference as optional. When set, a
-		// not found error for the values reference is ignored, but any
-		// ValuesKey, TargetPath or transient error will still result in
-		// a reconciliation failure.
-		optional?: bool
-
-		// TargetPath is the YAML dot notation path the value should be
-		// merged at. When set, the ValuesKey is expected to be a single
-		// flat value. Defaults to 'None', which results in the values
-		// getting merged at the root.
-		targetPath?: strings.MaxRunes(250) & {
-			=~"^([a-zA-Z0-9_\\-.\\\\\\/]|\\[[0-9]{1,5}\\])+$"
-		}
-
-		// ValuesKey is the data key where the values.yaml or a specific
-		// value can be found at. Defaults to 'values.yaml'. When set,
-		// must be a valid Data Key, consisting of alphanumeric
-		// characters, '-', '_' or '.'.
-		valuesKey?: strings.MaxRunes(253) & {
-			=~"^[\\-._a-zA-Z0-9]+$"
-		}
-	}]
-}

docs/examples/cue.mod/gen/helm.toolkit.fluxcd.io/helmrelease/v2beta2/types_gen.cue

@@ -1,697 +0,0 @@
-// Code generated by timoni. DO NOT EDIT.
-
-//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
-
-package v2beta2
-
-import "strings"
-
-// HelmRelease is the Schema for the helmreleases API
-#HelmRelease: {
-	// APIVersion defines the versioned schema of this representation
-	// of an object. Servers should convert recognized schemas to the
-	// latest internal value, and may reject unrecognized values.
-	// More info:
-	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-	apiVersion: "helm.toolkit.fluxcd.io/v2beta2"
-
-	// Kind is a string value representing the REST resource this
-	// object represents. Servers may infer this from the endpoint
-	// the client submits requests to. Cannot be updated. In
-	// CamelCase. More info:
-	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-	kind: "HelmRelease"
-	metadata!: {
-		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
-			string
-		}
-		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
-			string
-		}
-		labels?: {
-			[string]: string
-		}
-		annotations?: {
-			[string]: string
-		}
-	}
-
-	// HelmReleaseSpec defines the desired state of a Helm release.
-	spec!: #HelmReleaseSpec
-}
-
-// HelmReleaseSpec defines the desired state of a Helm release.
-#HelmReleaseSpec: {
-	// Chart defines the template of the v1beta2.HelmChart that should
-	// be created for this HelmRelease.
-	chart: {
-		// ObjectMeta holds the template for metadata like labels and
-		// annotations.
-		metadata?: {
-			// Annotations is an unstructured key value map stored with a
-			// resource that may be set by external tools to store and
-			// retrieve arbitrary metadata. They are not queryable and should
-			// be preserved when modifying objects. More info:
-			// https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
-			annotations?: {
-				[string]: string
-			}
-
-			// Map of string keys and values that can be used to organize and
-			// categorize (scope and select) objects. More info:
-			// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
-			labels?: {
-				[string]: string
-			}
-		}
-
-		// Spec holds the template for the v1beta2.HelmChartSpec for this
-		// HelmRelease.
-		spec: {
-			// The name or path the Helm chart is available at in the
-			// SourceRef.
-			chart: strings.MaxRunes(2048) & strings.MinRunes(1)
-
-			// Interval at which to check the v1.Source for updates. Defaults
-			// to 'HelmReleaseSpec.Interval'.
-			interval?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
-
-			// Determines what enables the creation of a new artifact. Valid
-			// values are ('ChartVersion', 'Revision'). See the documentation
-			// of the values for an explanation on their behavior. Defaults
-			// to ChartVersion when omitted.
-			reconcileStrategy?: "ChartVersion" | "Revision" | *"ChartVersion"
-
-			// The name and namespace of the v1.Source the chart is available
-			// at.
-			sourceRef: {
-				// APIVersion of the referent.
-				apiVersion?: string
-
-				// Kind of the referent.
-				kind?: "HelmRepository" | "GitRepository" | "Bucket"
-
-				// Name of the referent.
-				name: strings.MaxRunes(253) & strings.MinRunes(1)
-
-				// Namespace of the referent.
-				namespace?: strings.MaxRunes(63) & strings.MinRunes(1)
-			}
-
-			// Alternative values file to use as the default chart values,
-			// expected to be a relative path in the SourceRef. Deprecated in
-			// favor of ValuesFiles, for backwards compatibility the file
-			// defined here is merged before the ValuesFiles items. Ignored
-			// when omitted.
-			valuesFile?: string
-
-			// Alternative list of values files to use as the chart values
-			// (values.yaml is not included by default), expected to be a
-			// relative path in the SourceRef. Values files are merged in the
-			// order of this list with the last file overriding the first.
-			// Ignored when omitted.
-			valuesFiles?: [...string]
-
-			// Verify contains the secret name containing the trusted public
-			// keys used to verify the signature and specifies which provider
-			// to use to check whether OCI image is authentic. This field is
-			// only supported for OCI sources. Chart dependencies, which are
-			// not bundled in the umbrella chart artifact, are not verified.
-			verify?: {
-				// Provider specifies the technology used to sign the OCI Helm
-				// chart.
-				provider: "cosign" | *"cosign"
-				secretRef?: {
-					// Name of the referent.
-					name: string
-				}
-			}
-
-			// Version semver expression, ignored for charts from
-			// v1beta2.GitRepository and v1beta2.Bucket sources. Defaults to
-			// latest when omitted.
-			version?: string | *"*"
-		}
-	}
-
-	// DependsOn may contain a meta.NamespacedObjectReference slice
-	// with references to HelmRelease resources that must be ready
-	// before this HelmRelease can be reconciled.
-	dependsOn?: [...{
-		// Name of the referent.
-		name: string
-
-		// Namespace of the referent, when not specified it acts as
-		// LocalObjectReference.
-		namespace?: string
-	}]
-
-	// DriftDetection holds the configuration for detecting and
-	// handling differences between the manifest in the Helm storage
-	// and the resources currently existing in the cluster.
-	driftDetection?: {
-		// Ignore contains a list of rules for specifying which changes to
-		// ignore during diffing.
-		ignore?: [...{
-			// Paths is a list of JSON Pointer (RFC 6901) paths to be excluded
-			// from consideration in a Kubernetes object.
-			paths: [...string]
-
-			// Target is a selector for specifying Kubernetes objects to which
-			// this rule applies. If Target is not set, the Paths will be
-			// ignored for all Kubernetes objects within the manifest of the
-			// Helm release.
-			target?: {
-				// AnnotationSelector is a string that follows the label selection
-				// expression
-				// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
-				// It matches with the resource annotations.
-				annotationSelector?: string
-
-				// Group is the API group to select resources from. Together with
-				// Version and Kind it is capable of unambiguously identifying
-				// and/or selecting resources.
-				// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
-				group?: string
-
-				// Kind of the API Group to select resources from. Together with
-				// Group and Version it is capable of unambiguously identifying
-				// and/or selecting resources.
-				// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
-				kind?: string
-
-				// LabelSelector is a string that follows the label selection
-				// expression
-				// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
-				// It matches with the resource labels.
-				labelSelector?: string
-
-				// Name to match resources with.
-				name?: string
-
-				// Namespace to select resources from.
-				namespace?: string
-
-				// Version of the API Group to select resources from. Together
-				// with Group and Kind it is capable of unambiguously identifying
-				// and/or selecting resources.
-				// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
-				version?: string
-			}
-		}]
-
-		// Mode defines how differences should be handled between the Helm
-		// manifest and the manifest currently applied to the cluster. If
-		// not explicitly set, it defaults to DiffModeDisabled.
-		mode?: "enabled" | "warn" | "disabled"
-	}
-
-	// Install holds the configuration for Helm install actions for
-	// this HelmRelease.
-	install?: {
-		// CRDs upgrade CRDs from the Helm Chart's crds directory
-		// according to the CRD upgrade policy provided here. Valid
-		// values are `Skip`, `Create` or `CreateReplace`. Default is
-		// `Create` and if omitted CRDs are installed but not updated.
-		// Skip: do neither install nor replace (update) any CRDs.
-		// Create: new CRDs are created, existing CRDs are neither updated
-		// nor deleted.
-		// CreateReplace: new CRDs are created, existing CRDs are updated
-		// (replaced) but not deleted.
-		// By default, CRDs are applied (installed) during Helm install
-		// action. With this option users can opt in to CRD replace
-		// existing CRDs on Helm install actions, which is not (yet)
-		// natively supported by Helm.
-		// https://helm.sh/docs/chart_best_practices/custom_resource_definitions.
-		crds?: "Skip" | "Create" | "CreateReplace"
-
-		// CreateNamespace tells the Helm install action to create the
-		// HelmReleaseSpec.TargetNamespace if it does not exist yet. On
-		// uninstall, the namespace will not be garbage collected.
-		createNamespace?: bool
-
-		// DisableHooks prevents hooks from running during the Helm
-		// install action.
-		disableHooks?: bool
-
-		// DisableOpenAPIValidation prevents the Helm install action from
-		// validating rendered templates against the Kubernetes OpenAPI
-		// Schema.
-		disableOpenAPIValidation?: bool
-
-		// DisableWait disables the waiting for resources to be ready
-		// after a Helm install has been performed.
-		disableWait?: bool
-
-		// DisableWaitForJobs disables waiting for jobs to complete after
-		// a Helm install has been performed.
-		disableWaitForJobs?: bool
-
-		// Remediation holds the remediation configuration for when the
-		// Helm install action for the HelmRelease fails. The default is
-		// to not perform any action.
-		remediation?: {
-			// IgnoreTestFailures tells the controller to skip remediation
-			// when the Helm tests are run after an install action but fail.
-			// Defaults to 'Test.IgnoreFailures'.
-			ignoreTestFailures?: bool
-
-			// RemediateLastFailure tells the controller to remediate the last
-			// failure, when no retries remain. Defaults to 'false'.
-			remediateLastFailure?: bool
-
-			// Retries is the number of retries that should be attempted on
-			// failures before bailing. Remediation, using an uninstall, is
-			// performed between each attempt. Defaults to '0', a negative
-			// integer equals to unlimited retries.
-			retries?: int
-		}
-
-		// Replace tells the Helm install action to re-use the
-		// 'ReleaseName', but only if that name is a deleted release
-		// which remains in the history.
-		replace?: bool
-
-		// SkipCRDs tells the Helm install action to not install any CRDs.
-		// By default, CRDs are installed if not already present.
-		// Deprecated use CRD policy (`crds`) attribute with value `Skip`
-		// instead.
-		skipCRDs?: bool
-
-		// Timeout is the time to wait for any individual Kubernetes
-		// operation (like Jobs for hooks) during the performance of a
-		// Helm install action. Defaults to 'HelmReleaseSpec.Timeout'.
-		timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
-	}
-
-	// Interval at which to reconcile the Helm release.
-	interval: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
-	kubeConfig?: {
-		// SecretRef holds the name of a secret that contains a key with
-		// the kubeconfig file as the value. If no key is set, the key
-		// will default to 'value'. It is recommended that the kubeconfig
-		// is self-contained, and the secret is regularly updated if
-		// credentials such as a cloud-access-token expire. Cloud
-		// specific `cmd-path` auth helpers will not function without
-		// adding binaries and credentials to the Pod that is responsible
-		// for reconciling Kubernetes resources.
-		secretRef: {
-			// Key in the Secret, when not specified an
-			// implementation-specific default key is used.
-			key?: string
-
-			// Name of the Secret.
-			name: string
-		}
-	}
-
-	// MaxHistory is the number of revisions saved by Helm for this
-	// HelmRelease. Use '0' for an unlimited number of revisions;
-	// defaults to '5'.
-	maxHistory?: int
-
-	// PersistentClient tells the controller to use a persistent
-	// Kubernetes client for this release. When enabled, the client
-	// will be reused for the duration of the reconciliation, instead
-	// of being created and destroyed for each (step of a) Helm
-	// action.
-	// This can improve performance, but may cause issues with some
-	// Helm charts that for example do create Custom Resource
-	// Definitions during installation outside Helm's CRD lifecycle
-	// hooks, which are then not observed to be available by e.g.
-	// post-install hooks.
-	// If not set, it defaults to true.
-	persistentClient?: bool
-
-	// PostRenderers holds an array of Helm PostRenderers, which will
-	// be applied in order of their definition.
-	postRenderers?: [...{
-		// Kustomization to apply as PostRenderer.
-		kustomize?: {
-			// Images is a list of (image name, new name, new tag or digest)
-			// for changing image names, tags or digests. This can also be
-			// achieved with a patch, but this operator is simpler to
-			// specify.
-			images?: [...{
-				// Digest is the value used to replace the original image tag. If
-				// digest is present NewTag value is ignored.
-				digest?: string
-
-				// Name is a tag-less image name.
-				name: string
-
-				// NewName is the value used to replace the original name.
-				newName?: string
-
-				// NewTag is the value used to replace the original tag.
-				newTag?: string
-			}]
-
-			// Strategic merge and JSON patches, defined as inline YAML
-			// objects, capable of targeting objects based on kind, label and
-			// annotation selectors.
-			patches?: [...{
-				// Patch contains an inline StrategicMerge patch or an inline
-				// JSON6902 patch with an array of operation objects.
-				patch: string
-
-				// Target points to the resources that the patch document should
-				// be applied to.
-				target?: {
-					// AnnotationSelector is a string that follows the label selection
-					// expression
-					// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
-					// It matches with the resource annotations.
-					annotationSelector?: string
-
-					// Group is the API group to select resources from. Together with
-					// Version and Kind it is capable of unambiguously identifying
-					// and/or selecting resources.
-					// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
-					group?: string
-
-					// Kind of the API Group to select resources from. Together with
-					// Group and Version it is capable of unambiguously identifying
-					// and/or selecting resources.
-					// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
-					kind?: string
-
-					// LabelSelector is a string that follows the label selection
-					// expression
-					// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
-					// It matches with the resource labels.
-					labelSelector?: string
-
-					// Name to match resources with.
-					name?: string
-
-					// Namespace to select resources from.
-					namespace?: string
-
-					// Version of the API Group to select resources from. Together
-					// with Group and Kind it is capable of unambiguously identifying
-					// and/or selecting resources.
-					// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
-					version?: string
-				}
-			}]
-
-			// JSON 6902 patches, defined as inline YAML objects. Deprecated:
-			// use Patches instead.
-			patchesJson6902?: [...{
-				// Patch contains the JSON6902 patch document with an array of
-				// operation objects.
-				patch: [...{
-					// From contains a JSON-pointer value that references a location
-					// within the target document where the operation is performed.
-					// The meaning of the value depends on the value of Op, and is
-					// NOT taken into account by all operations.
-					from?: string
-
-					// Op indicates the operation to perform. Its value MUST be one of
-					// "add", "remove", "replace", "move", "copy", or "test".
-					// https://datatracker.ietf.org/doc/html/rfc6902#section-4
-					op: "test" | "remove" | "add" | "replace" | "move" | "copy"
-
-					// Path contains the JSON-pointer value that references a location
-					// within the target document where the operation is performed.
-					// The meaning of the value depends on the value of Op.
-					path: string
-
-					// Value contains a valid JSON structure. The meaning of the value
-					// depends on the value of Op, and is NOT taken into account by
-					// all operations.
-					value?: _
-				}]
-
-				// Target points to the resources that the patch document should
-				// be applied to.
-				target: {
-					// AnnotationSelector is a string that follows the label selection
-					// expression
-					// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
-					// It matches with the resource annotations.
-					annotationSelector?: string
-
-					// Group is the API group to select resources from. Together with
-					// Version and Kind it is capable of unambiguously identifying
-					// and/or selecting resources.
-					// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
-					group?: string
-
-					// Kind of the API Group to select resources from. Together with
-					// Group and Version it is capable of unambiguously identifying
-					// and/or selecting resources.
-					// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
-					kind?: string
-
-					// LabelSelector is a string that follows the label selection
-					// expression
-					// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api
-					// It matches with the resource labels.
-					labelSelector?: string
-
-					// Name to match resources with.
-					name?: string
-
-					// Namespace to select resources from.
-					namespace?: string
-
-					// Version of the API Group to select resources from. Together
-					// with Group and Kind it is capable of unambiguously identifying
-					// and/or selecting resources.
-					// https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/api-group.md
-					version?: string
-				}
-			}]
-
-			// Strategic merge patches, defined as inline YAML objects.
-			// Deprecated: use Patches instead.
-			patchesStrategicMerge?: [...]
-		}
-	}]
-
-	// ReleaseName used for the Helm release. Defaults to a
-	// composition of '[TargetNamespace-]Name'.
-	releaseName?: strings.MaxRunes(53) & strings.MinRunes(1)
-
-	// Rollback holds the configuration for Helm rollback actions for
-	// this HelmRelease.
-	rollback?: {
-		// CleanupOnFail allows deletion of new resources created during
-		// the Helm rollback action when it fails.
-		cleanupOnFail?: bool
-
-		// DisableHooks prevents hooks from running during the Helm
-		// rollback action.
-		disableHooks?: bool
-
-		// DisableWait disables the waiting for resources to be ready
-		// after a Helm rollback has been performed.
-		disableWait?: bool
-
-		// DisableWaitForJobs disables waiting for jobs to complete after
-		// a Helm rollback has been performed.
-		disableWaitForJobs?: bool
-
-		// Force forces resource updates through a replacement strategy.
-		force?: bool
-
-		// Recreate performs pod restarts for the resource if applicable.
-		recreate?: bool
-
-		// Timeout is the time to wait for any individual Kubernetes
-		// operation (like Jobs for hooks) during the performance of a
-		// Helm rollback action. Defaults to 'HelmReleaseSpec.Timeout'.
-		timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
-	}
-
-	// The name of the Kubernetes service account to impersonate when
-	// reconciling this HelmRelease.
-	serviceAccountName?: strings.MaxRunes(253) & strings.MinRunes(1)
-
-	// StorageNamespace used for the Helm storage. Defaults to the
-	// namespace of the HelmRelease.
-	storageNamespace?: strings.MaxRunes(63) & strings.MinRunes(1)
-
-	// Suspend tells the controller to suspend reconciliation for this
-	// HelmRelease, it does not apply to already started
-	// reconciliations. Defaults to false.
-	suspend?: bool
-
-	// TargetNamespace to target when performing operations for the
-	// HelmRelease. Defaults to the namespace of the HelmRelease.
-	targetNamespace?: strings.MaxRunes(63) & strings.MinRunes(1)
-
-	// Test holds the configuration for Helm test actions for this
-	// HelmRelease.
-	test?: {
-		// Enable enables Helm test actions for this HelmRelease after an
-		// Helm install or upgrade action has been performed.
-		enable?: bool
-
-		// Filters is a list of tests to run or exclude from running.
-		filters?: [...{
-			// Exclude specifies whether the named test should be excluded.
-			exclude?: bool
-
-			// Name is the name of the test.
-			name: strings.MaxRunes(253) & strings.MinRunes(1)
-		}]
-
-		// IgnoreFailures tells the controller to skip remediation when
-		// the Helm tests are run but fail. Can be overwritten for tests
-		// run after install or upgrade actions in
-		// 'Install.IgnoreTestFailures' and 'Upgrade.IgnoreTestFailures'.
-		ignoreFailures?: bool
-
-		// Timeout is the time to wait for any individual Kubernetes
-		// operation during the performance of a Helm test action.
-		// Defaults to 'HelmReleaseSpec.Timeout'.
-		timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
-	}
-
-	// Timeout is the time to wait for any individual Kubernetes
-	// operation (like Jobs for hooks) during the performance of a
-	// Helm action. Defaults to '5m0s'.
-	timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
-
-	// Uninstall holds the configuration for Helm uninstall actions
-	// for this HelmRelease.
-	uninstall?: {
-		// DeletionPropagation specifies the deletion propagation policy
-		// when a Helm uninstall is performed.
-		deletionPropagation?: "background" | "foreground" | "orphan" | *"background"
-
-		// DisableHooks prevents hooks from running during the Helm
-		// rollback action.
-		disableHooks?: bool
-
-		// DisableWait disables waiting for all the resources to be
-		// deleted after a Helm uninstall is performed.
-		disableWait?: bool
-
-		// KeepHistory tells Helm to remove all associated resources and
-		// mark the release as deleted, but retain the release history.
-		keepHistory?: bool
-
-		// Timeout is the time to wait for any individual Kubernetes
-		// operation (like Jobs for hooks) during the performance of a
-		// Helm uninstall action. Defaults to 'HelmReleaseSpec.Timeout'.
-		timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
-	}
-
-	// Upgrade holds the configuration for Helm upgrade actions for
-	// this HelmRelease.
-	upgrade?: {
-		// CleanupOnFail allows deletion of new resources created during
-		// the Helm upgrade action when it fails.
-		cleanupOnFail?: bool
-
-		// CRDs upgrade CRDs from the Helm Chart's crds directory
-		// according to the CRD upgrade policy provided here. Valid
-		// values are `Skip`, `Create` or `CreateReplace`. Default is
-		// `Skip` and if omitted CRDs are neither installed nor upgraded.
-		// Skip: do neither install nor replace (update) any CRDs.
-		// Create: new CRDs are created, existing CRDs are neither updated
-		// nor deleted.
-		// CreateReplace: new CRDs are created, existing CRDs are updated
-		// (replaced) but not deleted.
-		// By default, CRDs are not applied during Helm upgrade action.
-		// With this option users can opt-in to CRD upgrade, which is not
-		// (yet) natively supported by Helm.
-		// https://helm.sh/docs/chart_best_practices/custom_resource_definitions.
-		crds?: "Skip" | "Create" | "CreateReplace"
-
-		// DisableHooks prevents hooks from running during the Helm
-		// upgrade action.
-		disableHooks?: bool
-
-		// DisableOpenAPIValidation prevents the Helm upgrade action from
-		// validating rendered templates against the Kubernetes OpenAPI
-		// Schema.
-		disableOpenAPIValidation?: bool
-
-		// DisableWait disables the waiting for resources to be ready
-		// after a Helm upgrade has been performed.
-		disableWait?: bool
-
-		// DisableWaitForJobs disables waiting for jobs to complete after
-		// a Helm upgrade has been performed.
-		disableWaitForJobs?: bool
-
-		// Force forces resource updates through a replacement strategy.
-		force?: bool
-
-		// PreserveValues will make Helm reuse the last release's values
-		// and merge in overrides from 'Values'. Setting this flag makes
-		// the HelmRelease non-declarative.
-		preserveValues?: bool
-
-		// Remediation holds the remediation configuration for when the
-		// Helm upgrade action for the HelmRelease fails. The default is
-		// to not perform any action.
-		remediation?: {
-			// IgnoreTestFailures tells the controller to skip remediation
-			// when the Helm tests are run after an upgrade action but fail.
-			// Defaults to 'Test.IgnoreFailures'.
-			ignoreTestFailures?: bool
-
-			// RemediateLastFailure tells the controller to remediate the last
-			// failure, when no retries remain. Defaults to 'false' unless
-			// 'Retries' is greater than 0.
-			remediateLastFailure?: bool
-
-			// Retries is the number of retries that should be attempted on
-			// failures before bailing. Remediation, using 'Strategy', is
-			// performed between each attempt. Defaults to '0', a negative
-			// integer equals to unlimited retries.
-			retries?: int
-
-			// Strategy to use for failure remediation. Defaults to
-			// 'rollback'.
-			strategy?: "rollback" | "uninstall"
-		}
-
-		// Timeout is the time to wait for any individual Kubernetes
-		// operation (like Jobs for hooks) during the performance of a
-		// Helm upgrade action. Defaults to 'HelmReleaseSpec.Timeout'.
-		timeout?: =~"^([0-9]+(\\.[0-9]+)?(ms|s|m|h))+$"
-	}
-
-	// Values holds the values for this Helm release.
-	values?: _
-
-	// ValuesFrom holds references to resources containing Helm values
-	// for this HelmRelease, and information about how they should be
-	// merged.
-	valuesFrom?: [...{
-		// Kind of the values referent, valid values are ('Secret',
-		// 'ConfigMap').
-		kind: "Secret" | "ConfigMap"
-
-		// Name of the values referent. Should reside in the same
-		// namespace as the referring resource.
-		name: strings.MaxRunes(253) & strings.MinRunes(1)
-
-		// Optional marks this ValuesReference as optional. When set, a
-		// not found error for the values reference is ignored, but any
-		// ValuesKey, TargetPath or transient error will still result in
-		// a reconciliation failure.
-		optional?: bool
-
-		// TargetPath is the YAML dot notation path the value should be
-		// merged at. When set, the ValuesKey is expected to be a single
-		// flat value. Defaults to 'None', which results in the values
-		// getting merged at the root.
-		targetPath?: strings.MaxRunes(250) & {
-			=~"^([a-zA-Z0-9_\\-.\\\\\\/]|\\[[0-9]{1,5}\\])+$"
-		}
-
-		// ValuesKey is the data key where the values.yaml or a specific
-		// value can be found at. Defaults to 'values.yaml'.
-		valuesKey?: strings.MaxRunes(253) & {
-			=~"^[\\-._a-zA-Z0-9]+$"
-		}
-	}]
-}

docs/examples/cue.mod/gen/image.toolkit.fluxcd.io/imagepolicy/v1beta1/types_gen.cue

@@ -1,93 +0,0 @@
-// Code generated by timoni. DO NOT EDIT.
-
-//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
-
-package v1beta1
-
-import "strings"
-
-// ImagePolicy is the Schema for the imagepolicies API
-#ImagePolicy: {
-	// APIVersion defines the versioned schema of this representation
-	// of an object. Servers should convert recognized schemas to the
-	// latest internal value, and may reject unrecognized values.
-	// More info:
-	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-	apiVersion: "image.toolkit.fluxcd.io/v1beta1"
-
-	// Kind is a string value representing the REST resource this
-	// object represents. Servers may infer this from the endpoint
-	// the client submits requests to. Cannot be updated. In
-	// CamelCase. More info:
-	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-	kind: "ImagePolicy"
-	metadata!: {
-		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
-			string
-		}
-		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
-			string
-		}
-		labels?: {
-			[string]: string
-		}
-		annotations?: {
-			[string]: string
-		}
-	}
-
-	// ImagePolicySpec defines the parameters for calculating the
-	// ImagePolicy
-	spec!: #ImagePolicySpec
-}
-
-// ImagePolicySpec defines the parameters for calculating the
-// ImagePolicy
-#ImagePolicySpec: {
-	// FilterTags enables filtering for only a subset of tags based on
-	// a set of rules. If no rules are provided, all the tags from
-	// the repository will be ordered and compared.
-	filterTags?: {
-		// Extract allows a capture group to be extracted from the
-		// specified regular expression pattern, useful before tag
-		// evaluation.
-		extract?: string
-
-		// Pattern specifies a regular expression pattern used to filter
-		// for image tags.
-		pattern?: string
-	}
-
-	// ImageRepositoryRef points at the object specifying the image
-	// being scanned
-	imageRepositoryRef: {
-		// Name of the referent.
-		name: string
-
-		// Namespace of the referent, when not specified it acts as
-		// LocalObjectReference.
-		namespace?: string
-	}
-
-	// Policy gives the particulars of the policy to be followed in
-	// selecting the most recent image
-	policy: {
-		alphabetical?: {
-			// Order specifies the sorting order of the tags. Given the
-			// letters of the alphabet as tags, ascending order would select
-			// Z, and descending order would select A.
-			order?: "asc" | "desc" | *"asc"
-		}
-		numerical?: {
-			// Order specifies the sorting order of the tags. Given the
-			// integer values from 0 to 9 as tags, ascending order would
-			// select 9, and descending order would select 0.
-			order?: "asc" | "desc" | *"asc"
-		}
-		semver?: {
-			// Range gives a semver range for the image tag; the highest
-			// version within the range that's a tag yields the latest image.
-			range: string
-		}
-	}
-}

docs/examples/cue.mod/gen/image.toolkit.fluxcd.io/imagepolicy/v1beta2/types_gen.cue

@@ -1,93 +0,0 @@
-// Code generated by timoni. DO NOT EDIT.
-
-//timoni:generate timoni vendor crd -f https://github.com/fluxcd/flux2/releases/download/v2.2.3/install.yaml
-
-package v1beta2
-
-import "strings"
-
-// ImagePolicy is the Schema for the imagepolicies API
-#ImagePolicy: {
-	// APIVersion defines the versioned schema of this representation
-	// of an object. Servers should convert recognized schemas to the
-	// latest internal value, and may reject unrecognized values.
-	// More info:
-	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-	apiVersion: "image.toolkit.fluxcd.io/v1beta2"
-
-	// Kind is a string value representing the REST resource this
-	// object represents. Servers may infer this from the endpoint
-	// the client submits requests to. Cannot be updated. In
-	// CamelCase. More info:
-	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-	kind: "ImagePolicy"
-	metadata!: {
-		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
-			string
-		}
-		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
-			string
-		}
-		labels?: {
-			[string]: string
-		}
-		annotations?: {
-			[string]: string
-		}
-	}
-
-	// ImagePolicySpec defines the parameters for calculating the
-	// ImagePolicy.
-	spec!: #ImagePolicySpec
-}
-
-// ImagePolicySpec defines the parameters for calculating the
-// ImagePolicy.
-#ImagePolicySpec: {
-	// FilterTags enables filtering for only a subset of tags based on
-	// a set of rules. If no rules are provided, all the tags from
-	// the repository will be ordered and compared.
-	filterTags?: {
-		// Extract allows a capture group to be extracted from the
-		// specified regular expression pattern, useful before tag
-		// evaluation.
-		extract?: string
-
-		// Pattern specifies a regular expression pattern used to filter
-		// for image tags.
-		pattern?: string
-	}
-
-	// ImageRepositoryRef points at the object specifying the image
-	// being scanned
-	imageRepositoryRef: {
-		// Name of the referent.
-		name: string
-
-		// Namespace of the referent, when not specified it acts as
-		// LocalObjectReference.
-		namespace?: string
-	}
-
-	// Policy gives the particulars of the policy to be followed in
-	// selecting the most recent image
-	policy: {
-		alphabetical?: {
-			// Order specifies the sorting order of the tags. Given the
-			// letters of the alphabet as tags, ascending order would select
-			// Z, and descending order would select A.
-			order?: "asc" | "desc" | *"asc"
-		}
-		numerical?: {
-			// Order specifies the sorting order of the tags. Given the
-			// integer values from 0 to 9 as tags, ascending order would
-			// select 9, and descending order would select 0.
-			order?: "asc" | "desc" | *"asc"
-		}
-		semver?: {
-			// Range gives a semver range for the image tag; the highest
-			// version within the range that's a tag yields the latest image.
-			range: string
-		}
-	}
-}