version 0.94.0

Previously all generated ArgoCD Application resources go into the
default project following the Quickstart guide.  The configuration code
is being organized into the concept of projects in the filesystem, so we
want to the GitOps configuration to also reflect this concept of
projects.

This patch extends the ArgoConfig user facing schema to accept a project
string.  The app-projects component automatically manages AppProject
resources in the argocd namespace for each of the defined projects.

This allows CUE configuration in the a project directory to specify the
project name so that all Applications are automatically assigned to the
correct project.

.cspell.json

@@ -5,46 +5,68 @@
     "mdx"
   ],
   "words": [
+    "admissionregistration",
+    "apiextensions",
     "applicationset",
     "argoproj",
     "authcode",
+    "authorizationpolicies",
     "authpolicy",
     "authproxy",
     "authroutes",
     "buildplan",
     "cainjector",
     "CAROOT",
+    "certificaterequests",
+    "certificatesigningrequests",
     "clsx",
     "clusterissuer",
+    "clusterissuers",
+    "clusterrole",
+    "clusterrolebinding",
+    "configmap",
     "cookiesecret",
     "coredns",
+    "corev",
     "CRD's",
     "crds",
     "creds",
     "crossplane",
     "cuecontext",
     "cuelang",
+    "customresourcedefinition",
+    "daemonset",
+    "destinationrules",
     "devicecode",
     "dnsmasq",
     "dscacheutil",
     "entgo",
+    "envoyfilters",
     "errgroup",
+    "fctr",
     "fieldmaskpb",
     "flushcache",
+    "gatewayclasses",
     "gendoc",
+    "ggnpl",
     "ghaction",
     "gitops",
     "godoc",
     "golangci",
     "goreleaser",
     "grpcreflect",
+    "grpcroutes",
     "grpcurl",
     "holos",
     "holoslogger",
+    "horizontalpodautoscaler",
     "httpbin",
+    "httproute",
+    "httproutes",
     "Infima",
     "isatty",
     "istiod",
+    "jbrx",
     "jetstack",
     "Jsonnet",
     "killall",
@@ -55,12 +77,17 @@
     "Kustomizations",
     "kustomize",
     "ldflags",
+    "leaderelection",
     "libnss",
     "loadbalancer",
     "mattn",
+    "mccutchen",
     "mindmap",
     "mktemp",
+    "msqbn",
+    "mtls",
     "Multicluster",
+    "mutatingwebhookconfiguration",
     "mxcl",
     "myhostname",
     "nameserver",
@@ -68,26 +95,43 @@
     "orgid",
     "otelconnect",
     "Parentspanid",
+    "pcjc",
+    "peerauthentications",
     "pflag",
     "pipefail",
     "PKCE",
     "platformconnect",
+    "poddisruptionbudget",
     "podinfo",
+    "portmapping",
     "promhttp",
     "protobuf",
     "protojson",
+    "proxyconfigs",
     "Pulumi",
     "putenv",
+    "qjbp",
     "quickstart",
+    "referencegrant",
+    "referencegrants",
+    "requestauthentications",
     "retryable",
+    "rolebinding",
     "ropc",
+    "seccomp",
     "SECRETKEY",
     "secretstores",
+    "serverlb",
+    "serverside",
+    "serviceaccount",
+    "serviceentries",
     "spanid",
     "spiffe",
     "startupapicheck",
     "stefanprodan",
     "structpb",
+    "subjectaccessreviews",
+    "svclb",
     "systemconnect",
     "tablewriter",
     "Tiltfile",
@@ -105,7 +149,13 @@
     "usecases",
     "userconnect",
     "userdata",
+    "validatingwebhookconfiguration",
+    "virtualservices",
+    "wasmplugins",
+    "workloadentries",
+    "workloadgroups",
     "zerolog",
-    "zitadel"
+    "zitadel",
+    "ztunnel"
   ]
 }

api/schema/v1alpha3/definitions.go

@@ -11,18 +11,29 @@ import (
 
 //go:generate ../../../hack/gendoc
 
+// Component represents the fields common the different kinds of component.  All
+// components have a name, support mixing in resources, and produce a BuildPlan.
+type ComponentFields struct {
+	// Name represents the Component name.
+	Name string
+	// Resources are kubernetes api objects to mix into the output.
+	Resources map[string]any
+	// ArgoConfig represents the ArgoCD GitOps configuration for this Component.
+	ArgoConfig ArgoConfig
+	// BuildPlan represents the derived BuildPlan for the Holos cli to render.
+	BuildPlan core.BuildPlan
+}
+
 // Helm provides a BuildPlan via the Output field which contains one HelmChart
 // from package core.  Useful as a convenience wrapper to render a HelmChart
 // with optional mix-in resources and Kustomization post-processing.
 type Helm struct {
-	// Name represents the chart name.
-	Name string
+	ComponentFields `json:",inline"`
+
 	// Version represents the chart version.
 	Version string
 	// Namespace represents the helm namespace option when rendering the chart.
 	Namespace string
-	// Resources are kubernetes api objects to mix into the output.
-	Resources map[string]any `cue:"{...}"`
 
 	// Repo represents the chart repository
 	Repo struct {
@@ -57,27 +68,23 @@ type Helm struct {
 	// KustomizeResources represents additional resources files to include in the
 	// kustomize resources list.
 	KustomizeResources map[string]any `cue:"{[string]: {...}}"`
-
-	// ArgoConfig represents the ArgoCD GitOps configuration for this Component.
-	ArgoConfig ArgoConfig
-
-	// Output represents the derived BuildPlan for the Holos cli to render.
-	Output core.BuildPlan
 }
 
-// Resources represents the default schema for a Kubernetes API object resource.
-// For example, a Service, Namespace or Deployment.  The top level key is the
-// kind of resource so default behavior and strict schema enforcement may be
-// enforced for the kind.  The second level keys are an arbitrary internal
-// label, which serves as the default value for the resource metadata name
-// field, but may differ for situations where the same resource kind and name
-// are managed in different namespaces.
-//
-// Refer to [definitions.cue] for the CUE schema definition as an example to
-// build on when defining your own Components.
-//
-// [definitions.cue]: https://github.com/holos-run/holos/blob/main/internal/generate/platforms/cue.mod/pkg/github.com/holos-run/holos/api/schema/v1alpha3/definitions.cue#L9
-// type Resources map[string]map[string]any
+// Kustomize provides a BuildPlan via the Output field which contains one
+// KustomizeBuild from package core.
+type Kustomize struct {
+	ComponentFields `json:",inline"`
+	// Kustomization represents the kustomize build plan for holos to render.
+	Kustomization core.KustomizeBuild
+}
+
+// Kubernetes provides a BuildPlan via the Output field which contains inline
+// API Objects provided directly from CUE.
+type Kubernetes struct {
+	ComponentFields `json:",inline"`
+	// Objects represents the kubernetes api objects for the Component.
+	Objects core.KubernetesObjects
+}
 
 // ArgoConfig represents the ArgoCD GitOps configuration for a Component.
 // Useful to define once at the root of the Platform configuration and reuse
@@ -99,6 +106,8 @@ type ArgoConfig struct {
 	// Application.spec.source.targetRevision field.  Defaults to the branch named
 	// main.
 	TargetRevision string `cue:"string | *\"main\""`
+	// AppProject represents the ArgoCD Project to associate the Application with.
+	AppProject string `cue:"string | *\"default\""`
 }
 
 // Cluster represents a cluster managed by the Platform.
@@ -129,7 +138,7 @@ type StandardFleets struct {
 	// Workload represents a Fleet of zero or more workload Clusters.
 	Workload Fleet `json:"workload" cue:"{name: \"workload\"}"`
 	// Management represents a Fleet with one Cluster named management.
-	Management Fleet `json:"management" cue:"{name: \"management\", clusters: management: _}"`
+	Management Fleet `json:"management" cue:"{name: \"management\"}"`
 }
 
 // Platform is a convenience structure to produce a core Platform specification
@@ -147,4 +156,8 @@ type Platform struct {
 	// Output represents the core Platform spec for the holos cli to iterate over
 	// and render each listed Component, injecting the Model.
 	Output core.Platform
+	// Domain represents the primary domain the Platform operates in.  This field
+	// is intended as a sensible default for component authors to reference and
+	// platform operators to define.
+	Domain string `cue:"string | *\"holos.localhost\""`
 }

doc/md/api/schema/v1alpha3.md

@@ -12,8 +12,11 @@ Package v1alpha3 contains CUE definitions intended as convenience wrappers aroun
 
 - [type ArgoConfig](<#ArgoConfig>)
 - [type Cluster](<#Cluster>)
+- [type ComponentFields](<#ComponentFields>)
 - [type Fleet](<#Fleet>)
 - [type Helm](<#Helm>)
+- [type Kubernetes](<#Kubernetes>)
+- [type Kustomize](<#Kustomize>)
 - [type Platform](<#Platform>)
 - [type StandardFleets](<#StandardFleets>)
 
@@ -41,6 +44,8 @@ type ArgoConfig struct {
     // Application.spec.source.targetRevision field.  Defaults to the branch named
     // main.
     TargetRevision string `cue:"string | *\"main\""`
+    // AppProject represents the ArgoCD Project to associate the Application with.
+    AppProject string `cue:"string | *\"default\""`
 }
 ```
 
@@ -60,6 +65,24 @@ type Cluster struct {
 }
 ```
 
+<a name="ComponentFields"></a>
+## type ComponentFields {#ComponentFields}
+
+Component represents the fields common the different kinds of component. All components have a name, support mixing in resources, and produce a BuildPlan.
+
+```go
+type ComponentFields struct {
+    // Name represents the Component name.
+    Name string
+    // Resources are kubernetes api objects to mix into the output.
+    Resources map[string]any
+    // ArgoConfig represents the ArgoCD GitOps configuration for this Component.
+    ArgoConfig ArgoConfig
+    // BuildPlan represents the derived BuildPlan for the Holos cli to render.
+    BuildPlan core.BuildPlan
+}
+```
+
 <a name="Fleet"></a>
 ## type Fleet {#Fleet}
 
@@ -80,14 +103,12 @@ Helm provides a BuildPlan via the Output field which contains one HelmChart from
 
 ```go
 type Helm struct {
-    // Name represents the chart name.
-    Name string
+    ComponentFields `json:",inline"`
+
     // Version represents the chart version.
     Version string
     // Namespace represents the helm namespace option when rendering the chart.
     Namespace string
-    // Resources are kubernetes api objects to mix into the output.
-    Resources map[string]any `cue:"{...}"`
 
     // Repo represents the chart repository
     Repo struct {
@@ -122,12 +143,32 @@ type Helm struct {
     // KustomizeResources represents additional resources files to include in the
     // kustomize resources list.
     KustomizeResources map[string]any `cue:"{[string]: {...}}"`
+}
+```
 
-    // ArgoConfig represents the ArgoCD GitOps configuration for this Component.
-    ArgoConfig ArgoConfig
+<a name="Kubernetes"></a>
+## type Kubernetes {#Kubernetes}
 
-    // Output represents the derived BuildPlan for the Holos cli to render.
-    Output core.BuildPlan
+Kubernetes provides a BuildPlan via the Output field which contains inline API Objects provided directly from CUE.
+
+```go
+type Kubernetes struct {
+    ComponentFields `json:",inline"`
+    // Objects represents the kubernetes api objects for the Component.
+    Objects core.KubernetesObjects
+}
+```
+
+<a name="Kustomize"></a>
+## type Kustomize {#Kustomize}
+
+Kustomize provides a BuildPlan via the Output field which contains one KustomizeBuild from package core.
+
+```go
+type Kustomize struct {
+    ComponentFields `json:",inline"`
+    // Kustomization represents the kustomize build plan for holos to render.
+    Kustomization core.KustomizeBuild
 }
 ```
 
@@ -148,6 +189,10 @@ type Platform struct {
     // Output represents the core Platform spec for the holos cli to iterate over
     // and render each listed Component, injecting the Model.
     Output core.Platform
+    // Domain represents the primary domain the Platform operates in.  This field
+    // is intended as a sensible default for component authors to reference and
+    // platform operators to define.
+    Domain string `cue:"string | *\"holos.localhost\""`
 }
 ```
 
@@ -161,7 +206,7 @@ type StandardFleets struct {
     // Workload represents a Fleet of zero or more workload Clusters.
     Workload Fleet `json:"workload" cue:"{name: \"workload\"}"`
     // Management represents a Fleet with one Cluster named management.
-    Management Fleet `json:"management" cue:"{name: \"management\", clusters: management: _}"`
+    Management Fleet `json:"management" cue:"{name: \"management\"}"`
 }
 ```
 

doc/md/guides/expose-a-service.mdx

@@ -1,95 +0,0 @@
----
-description: Use Holos to expose a Service with the Gateway API.
-slug: /guides/expose-a-service
-sidebar_position: 300
----
-
-import Tabs from '@theme/Tabs';
-import TabItem from '@theme/TabItem';
-import Admonition from '@theme/Admonition';
-
-# Expose a Service
-
-In this guide, you'll learn how to expose a service with Holos using the Gateway
-API.
-
-:::warning TODO
-Complete this section once the steps are complete.
-:::
-
-The [Concepts](/docs/concepts) page defines capitalized terms such as Platform
-and Component.
-
-## What you'll need {#requirements}
-
-:::warning TODO
-Complete this section once the steps are complete.
-:::
-
-You'll need the following tools installed to complete this guide.
-
-1. [holos](/docs/install) - to build the Platform.
-2. [helm](https://helm.sh/docs/intro/install/) - to render Holos Components that
-wrap upstream Helm charts.
-
-Optionally, if you'd like to apply the rendered manifests to a real Cluster,
-first complete the [localhost Guide](../local-cluster).
-
-## Create a Git Repository
-
-Start by initializing an empty Git repository. Holos operates on local files
-stored in a Git repository.
-
-<Tabs groupId="init">
-  <TabItem value="command" label="Command">
-    ```bash
-    mkdir expose-a-service
-    cd expose-a-service
-    git init
-    ```
-  </TabItem>
-  <TabItem value="output" label="Output">
-    ```txt
-    Initialized empty Git repository in /expose-a-service/.git/
-    ```
-  </TabItem>
-</Tabs>
-
-This guide assumes you will run commands from the root directory of the Git
-repository unless stated otherwise.
-
-## Generate the Platform {#Generate-Platform}
-
-Start by generating a platform used as the basis for our guides.
-
-```bash
-holos generate platform guide
-```
-
-Commit the generated platform config to the repository.
-
-<Tabs groupId="commit-platform">
-  <TabItem value="command" label="Command">
-    ```bash
-    git add .
-    git commit -m "holos generate platform guide - $(holos --version)"
-    ```
-  </TabItem>
-  <TabItem value="output" label="Output">
-    ```txt
-    [main (root-commit) 0b17b7f] holos generate platform guide - 0.93.3
-     213 files changed, 72349 insertions(+)
-     ...
-    ```
-  </TabItem>
-</Tabs>
-
-## Manage httpbin {#manage-httpbin}
-
-The platform you generated is currently empty. Run the following command to
-generate a Holos Component for the
-[httpbin](https://github.com/mccutchen/go-httpbin) service.
-
-httpbin is a simple backend service useful for end-to-end testing.  In this
-guide, we use httpbin as a example of a service your organization develops and
-deploy onto your Platform.

doc/md/guides/local-cluster.mdx

@@ -1,7 +1,7 @@
 ---
 description: Build a local Cluster to use with these guides.
 slug: /guides/local-cluster
-sidebar_position: 200
+sidebar_position: 300
 ---
 
 import Tabs from '@theme/Tabs';
@@ -10,15 +10,97 @@ import Admonition from '@theme/Admonition';
 
 # Local Cluster
 
-In this guide you'll set up a Cluster on your local host to apply and explore
-the configuration described in our other guides.  After completing this guide
-you'll have a standard Kubernetes API server with proper DNS and TLS
-certificates.  You'll be able to easily reset the cluster to a known good state
-to iterate on your own Platform.
+In this guide we'll set up a local k3d cluster to apply and explore the
+configuration described in our other guides.  After completing this guide you'll
+have a standard Kubernetes API server with proper DNS and TLS certificates.
+You'll be able to easily reset the cluster to a known good state to iterate on
+your own Platform.
 
 The [Concepts](/docs/concepts) page defines capitalized terms such as Platform
 and Component.
 
+## Reset the Cluster
+
+If you've already followed this guide, reset the cluster by running the
+following commands.  Skip this section if you're creating a cluster for the
+first time.
+
+First, delete the cluster.
+
+<Tabs groupId="k3d-cluster-delete">
+  <TabItem value="command" label="Command">
+```bash
+k3d cluster delete workload
+```
+  </TabItem>
+  <TabItem value="output" label="Output">
+```txt showLineNumbers
+INFO[0000] Deleting cluster 'workload'
+INFO[0000] Deleting cluster network 'k3d-workload'
+INFO[0000] Deleting 1 attached volumes...
+INFO[0000] Removing cluster details from default kubeconfig...
+INFO[0000] Removing standalone kubeconfig file (if there is one)...
+INFO[0000] Successfully deleted cluster workload!
+```
+  </TabItem>
+</Tabs>
+
+Then create the cluster again.
+
+<Tabs groupId="k3d-cluster-create">
+  <TabItem value="command" label="Command">
+```bash
+k3d cluster create workload \
+  --registry-use k3d-registry.holos.localhost:5100 \
+  --port "443:443@loadbalancer" \
+  --k3s-arg "--disable=traefik@server:0"
+```
+  </TabItem>
+  <TabItem value="output" label="Output">
+```txt showLineNumbers
+INFO[0000] portmapping '443:443' targets the loadbalancer: defaulting to [servers:*:proxy agents:*:proxy]
+INFO[0000] Prep: Network
+INFO[0000] Created network 'k3d-workload'
+INFO[0000] Created image volume k3d-workload-images
+INFO[0000] Starting new tools node...
+INFO[0000] Starting node 'k3d-workload-tools'
+INFO[0001] Creating node 'k3d-workload-server-0'
+INFO[0001] Creating LoadBalancer 'k3d-workload-serverlb'
+INFO[0001] Using the k3d-tools node to gather environment information
+INFO[0001] HostIP: using network gateway 172.17.0.1 address
+INFO[0001] Starting cluster 'workload'
+INFO[0001] Starting servers...
+INFO[0001] Starting node 'k3d-workload-server-0'
+INFO[0003] All agents already running.
+INFO[0003] Starting helpers...
+INFO[0003] Starting node 'k3d-workload-serverlb'
+INFO[0009] Injecting records for hostAliases (incl. host.k3d.internal) and for 3 network members into CoreDNS configmap...
+INFO[0012] Cluster 'workload' created successfully!
+INFO[0012] You can now use it like this:
+kubectl cluster-info
+```
+  </TabItem>
+</Tabs>
+
+Finally, add your trusted certificate authority.
+
+<Tabs groupId="apply-local-ca">
+  <TabItem value="command" label="Command">
+```bash
+kubectl apply --server-side=true -f "$(mkcert -CAROOT)/namespace.yaml"
+kubectl apply --server-side=true -n cert-manager -f "$(mkcert -CAROOT)/local-ca.yaml"
+```
+  </TabItem>
+  <TabItem value="output" label="Output">
+```txt showLineNumbers
+namespace/cert-manager serverside-applied
+secret/local-ca serverside-applied
+```
+  </TabItem>
+</Tabs>
+
+You're back to the same state as the first time you completed this guide.
+
 ## What you'll need {#requirements}
 
 You'll need the following tools installed to complete this guide.
@@ -150,10 +232,11 @@ cp -p "${CAROOT}/rootCA.pem" ca.crt
 cp -p "${CAROOT}/rootCA.pem" tls.crt
 cp -p "${CAROOT}/rootCA-key.pem" tls.key
 kubectl create secret generic --from-file=.  --dry-run=client -o yaml local-ca > ../local-ca.yaml
+echo 'type: kubernetes.io/tls' >> ../local-ca.yaml
+
 cd ..
 
-echo 'type: kubernetes.io/tls' >> local-ca.yaml
-kubectl apply --server-side=true -f- <<EOF
+cat <<EOF > namespace.yaml
 apiVersion: v1
 kind: Namespace
 metadata:
@@ -164,8 +247,12 @@ spec:
   finalizers:
   - kubernetes
 EOF
+kubectl apply --server-side=true -f namespace.yaml
 kubectl apply -n cert-manager --server-side=true -f local-ca.yaml
 
+# Save the Secret to easily reset the cluster later.
+install -m 0644 namespace.yaml "${CAROOT}/namespace.yaml"
+install -m 0600 local-ca.yaml "${CAROOT}/local-ca.yaml"
 ```
 
 :::warning
@@ -184,12 +271,6 @@ with:
 k3d cluster delete workload
 ```
 
-## Reset {#reset}
-
-If you'd like to reset to a known good state, execute the [Clean Up](#clean-up)
-section, then [Create the Cluster](#create-the-cluster) and the [Setup Root
-CA](#setup-root-ca) tasks.
-
 ## Next Steps
 
 Now that you have a real cluster, apply and explore the manifests Holos renders

doc/md/guides/manage-a-project.mdx

@@ -0,0 +1,106 @@
+---
+description: Self service platform resource management for project teams.
+slug: /guides/manage-a-project
+sidebar_position: 200
+---
+
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+import Admonition from '@theme/Admonition';
+
+# Manage a Project
+
+In this guide we'll explore how Holos easily, safely, and consistently manages
+platform resources for teams to develop the projects they're working on.
+
+Intended Audience: Platform Engineers and Software Engineers.
+
+Goal is to demonstrate how the platform team can consistently, easily, and
+safely provide platform resources to software engineers.
+
+Assumption is software engineers have a container they want to deploy onto the
+platform and make accessible.  We'll use httpbin as a stand-in for the dev
+team's container.
+
+Project is roughly equivalent to Dev Team for the purpose of this guide, but in
+practice multiple teams work on a given project over the lifetime of the
+project, so we structure the files into projects instead of teams.
+
+## What you'll need {#requirements}
+
+You'll need the following tools installed to complete this guide.
+
+1. [holos](/docs/install) - to build the Platform.
+2. [helm](https://helm.sh/docs/intro/install/) - to render Helm Components.
+3. [kubectl](https://kubernetes.io/docs/tasks/tools/) - to render Kustomize Components.
+
+If you'd like to apply the manifests we render in this guide complete the
+following optional, but recommended, steps.
+
+a. Complete the [Local Cluster] guide to set up a local cluster to work with.
+b. You'll need a GitHub account to fork the repository associated with this
+guide.
+
+## Fork the Guide Repository
+
+<Tabs groupId="fork">
+  <TabItem value="command" label="Command">
+```bash
+```
+  </TabItem>
+  <TabItem value="output" label="Output">
+```txt showLineNumbers
+```
+  </TabItem>
+</Tabs>
+
+This guide assumes you will run commands from the root directory of this
+repository unless stated otherwise.
+
+[Quickstart]: /docs/quickstart
+[Local Cluster]: /docs/guides/local-cluster
+
+## Render the Platform
+
+So we can build the basic platform.  Don't dwell on the platform bits.
+
+## Apply the Manifests
+
+Deploy ArgoCD, but not any of the Application resources.
+
+## Browse to ArgoCD
+
+Note there is nothing here yet.
+
+## Switch to your Fork
+
+Note all of the Applications change consistently.
+
+## Apply the Applications
+
+Note how ArgoCD takes over management, no longer need to k apply.
+
+## Create a Project
+
+Project is a conceptual, not technical, thing in Holos.  Mainly about how components are laid out in the filesystem tree.
+
+We use a schematic built into holos as an example, the platform team could use the same or provide a similar template and instructions for development teams to self-serve.
+
+## Render the Platform
+
+Notice:
+
+1. Project is registered with the platform at the root.
+2. HTTPRoute and Namespace resources are added close to the root in `projects`
+3. Deployment and Service resources are added at the leaf in `projects/httpbin/backend`
+
+## Update the image tag
+
+Add a basic schematic to demonstrate this.  May need to add two new flags for image url and image tag to the generate subcommand, but should just be two new fields on the struct.
+
+## Dive Deeper
+
+Set the stage for constraints.  Ideas: Limit what resources can be added,
+namespaces can be operated in, enforce labels, etc...
+
+Simple, consistent, easy constraints.

doc/md/guides/quickstart.mdx

@@ -263,7 +263,7 @@ following contents:
 
     #ArgoConfig: {
       Enabled: true
-      RepoURL: "https://example.com/holos-quickstart.git"
+      RepoURL: "https://github.com/holos-run/holos-quickstart-guide"
     }
     ```
   </TabItem>

doc/website/src/css/custom.css

@@ -5,10 +5,10 @@
  */
 
 /* Enable wrapping by default for mobile */
-pre code {
+/* pre code {
   white-space: pre-wrap;
   overflow-wrap: anywhere;
-}
+} */
 
 /* You can override the default Infima variables here. */
 :root {

internal/generate/components/cue/argocd/argocd.cue

@@ -1,4 +1,4 @@
 package holos
 
 // Produce a kubectl kustomize build plan.
-(#Kustomize & {Name: "{{ .Name }}"}).Output
+(#Kustomize & {Name: "{{ .Name }}"}).BuildPlan

internal/generate/components/cue/configmap/configmap.cue

@@ -18,4 +18,4 @@ let Objects = {
 }
 
 // Produce a kubernetes objects build plan.
-(#Kubernetes & Objects).Output
+(#Kubernetes & Objects).BuildPlan

internal/generate/components/cue/namespaces/namespaces.cue

@@ -8,4 +8,4 @@ let Objects = {
 }
 
 // Produce a kubernetes objects build plan.
-(#Kubernetes & Objects).Output
+(#Kubernetes & Objects).BuildPlan

internal/generate/components/helm/cert-manager/cert-manager.cue

@@ -17,4 +17,4 @@ let Chart = {
 }
 
 // Produce a helm chart build plan.
-(#Helm & Chart).Output
+(#Helm & Chart).BuildPlan

internal/generate/components/helm/podinfo-oci/podinfo.cue

@@ -12,4 +12,4 @@ let Chart = {
 }
 
 // Produce a helm chart build plan.
-(#Helm & Chart).Output
+(#Helm & Chart).BuildPlan

internal/generate/components/v1alpha3/app-projects/platform/app-projects.cue

@@ -0,0 +1,11 @@
+package holos
+
+// Manage the Component on every Cluster in the Platform
+for Fleet in #Fleets {
+	for Cluster in Fleet.clusters {
+		#Platform: Components: "\(Cluster.name)/app-projects": {
+			path:    "projects/platform/components/app-projects"
+			cluster: Cluster.name
+		}
+	}
+}

internal/generate/components/v1alpha3/app-projects/projects/app-projects.cue

@@ -0,0 +1,17 @@
+package holos
+
+import ap "argoproj.io/appproject/v1alpha1"
+
+// Registration point for AppProjects
+#AppProjects: [Name=string]: ap.#AppProject & {
+	metadata: name:      Name
+	metadata: namespace: #ArgoCD.Namespace
+	spec: description:   string | *"Holos managed AppProject"
+	spec: clusterResourceWhitelist: [{group: "*", kind: "*"}]
+	spec: destinations: [{namespace: "*", server: "*"}]
+	spec: sourceRepos: ["*"]
+}
+
+// Define at least the platform project.  Other components can register projects
+// the same way from the root of the configuration.
+#AppProjects: platform: _

internal/generate/components/v1alpha3/app-projects/projects/platform/components/app-projects/app-projects.cue

@@ -0,0 +1,9 @@
+package holos
+
+let Objects = {
+	Name: "app-projects"
+	Resources: AppProject: #AppProjects
+}
+
+// Produce a kubernetes objects build plan.
+(#Kubernetes & Objects).BuildPlan

internal/generate/components/v1alpha3/app-projects/schematic.json

@@ -0,0 +1,5 @@
+{
+  "name": "app-projects",
+  "short": "#AppProjects registration point",
+  "long": "Manage ArgoCD AppProject resources centrally."
+}

internal/generate/components/v1alpha3/argocd-config-manage-a-project-guide/projects/argocd-config-manage-a-project-guide.cue

@@ -0,0 +1,6 @@
+package holos
+
+#ArgoConfig: {
+	Enabled: true
+	RepoURL: "https://github.com/holos-run/holos-manage-a-project-guide"
+}

internal/generate/components/v1alpha3/argocd-config-manage-a-project-guide/projects/platform/argocd-config-manage-a-project-guide.cue

@@ -0,0 +1,3 @@
+package holos
+
+#ArgoConfig: AppProject: #AppProjects.platform.metadata.name

internal/generate/components/v1alpha3/argocd-config-manage-a-project-guide/schematic.json

@@ -0,0 +1,5 @@
+{
+  "name": "argocd-config-manage-a-project-guide",
+  "short": "generate applications for the manage-a-project guide",
+  "long": "https://github.com/holos-run/holos-manage-a-project-guide"
+}

internal/generate/components/v1alpha3/argocd/platform/argocd.cue

@@ -0,0 +1,15 @@
+package holos
+
+// Manage the Component on every Cluster in the Platform
+for Fleet in #Fleets {
+	for Cluster in Fleet.clusters {
+		#Platform: Components: "\(Cluster.name)/argocd-crds": {
+			path:    "projects/platform/components/argocd/crds"
+			cluster: Cluster.name
+		}
+		#Platform: Components: "\(Cluster.name)/argocd": {
+			path:    "projects/platform/components/argocd/argocd"
+			cluster: Cluster.name
+		}
+	}
+}

internal/generate/components/v1alpha3/argocd/projects/argocd.cue

@@ -0,0 +1,13 @@
+package holos
+
+// #ArgoCD represents platform wide configuration
+#ArgoCD: {
+	Version:   "2.12.3"
+	Namespace: "argocd"
+}
+
+// Register namespaces
+#Namespaces: (#ArgoCD.Namespace): _
+
+// Register the HTTPRoute to the backend Service
+#HTTPRoutes: argocd: _backendRefs: "argocd-server": namespace: #ArgoCD.Namespace

internal/generate/components/v1alpha3/argocd/projects/platform/components/argocd/argocd/argocd.cue

@@ -0,0 +1,60 @@
+package holos
+
+import "strings"
+
+// Produce a helm chart build plan.
+(#Helm & Chart).BuildPlan
+
+let Chart = {
+	Name:      "argocd"
+	Namespace: #ArgoCD.Namespace
+	Version:   "7.5.2"
+
+	Repo: name: "argocd"
+	Repo: url:  "https://argoproj.github.io/argo-helm"
+
+	Chart: chart: name:    "argo-cd"
+	Chart: chart: release: Name
+	// Upstream uses a Kubernetes Job to create the argocd-redis Secret.  Enable
+	// hooks to enable the Job.
+	Chart: enableHooks: true
+
+	Resources: [_]: [_]: metadata: namespace: Namespace
+	// Grant the Gateway namespace the ability to refer to the backend service
+	// from HTTPRoute resources.
+	Resources: ReferenceGrant: (#Istio.Gateway.Namespace): #ReferenceGrant
+
+	EnableKustomizePostProcessor: true
+	// Force all resources into the component namespace, some resources in the
+	// helm chart may not specify the namespace so they may get mis-applied
+	// depending on the kubectl (client-go) context.
+	KustomizeFiles: "kustomization.yaml": namespace: Namespace
+
+	Values: #Values & {
+		kubeVersionOverride: "1.29.0"
+		// handled in the argo-crds component
+		crds: install: false
+		// Configure the same fqdn the HTTPRoute is configured with.
+		global: domain: #HTTPRoutes.argocd.spec.hostnames[0]
+		dex: enabled:   false
+		// the platform handles mutual tls to the backend
+		configs: params: "server.insecure": true
+
+		configs: cm: {
+			"admin.enabled":           false
+			"oidc.config":             "{}"
+			"users.anonymous.enabled": "true"
+		}
+
+		// Refer to https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/
+		let Policy = [
+			"g, argocd-view, role:readonly",
+			"g, prod-cluster-view, role:readonly",
+			"g, prod-cluster-edit, role:readonly",
+			"g, prod-cluster-admin, role:admin",
+		]
+
+		configs: rbac: "policy.csv":     strings.Join(Policy, "\n")
+		configs: rbac: "policy.default": "role:admin"
+	}
+}

internal/generate/components/v1alpha3/argocd/projects/platform/components/argocd/crds/argocd-crds.cue

@@ -0,0 +1,33 @@
+package holos
+
+import (
+	"encoding/yaml"
+	ks "sigs.k8s.io/kustomize/api/types"
+)
+
+(#Kubernetes & {Name: "argocd-crds"}).BuildPlan
+
+// Holos stages BuildPlan resources as an intermediate step of the rendering
+// pipeline.  The purpose is to provide the resources to kustomize for
+// post-processing.
+let BuildPlanResources = "build-plan-resources.yaml"
+
+let Kustomization = ks.#Kustomization & {
+	apiVersion: "kustomize.config.k8s.io/v1beta1"
+	kind:       "Kustomization"
+	resources: [
+		// Kustomize the intermediate build plan resources.
+		BuildPlanResources,
+		// Mix-in external resources.
+		"https://github.com/argoproj/argo-cd//manifests/crds/?ref=v\(#ArgoCD.Version)",
+	]
+}
+
+// Generate a kustomization.yaml directly from CUE so we can provide the correct
+// version.
+spec: components: kubernetesObjectsList: [{
+	// intermediate build plan resources to kustomize.  Necessary to activate the
+	// kustomization post-rendering step in holos.
+	kustomize: resourcesFile: BuildPlanResources
+	kustomize: kustomizeFiles: "kustomization.yaml": yaml.Marshal(Kustomization)
+}]

internal/generate/components/v1alpha3/argocd/schematic.json

@@ -0,0 +1,5 @@
+{
+  "name": "argocd",
+  "short": "declaritive gitops for kubernetes",
+  "long": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes."
+}

internal/generate/components/v1alpha3/cert-manager/cert-manager.gen.cue

@@ -0,0 +1,20 @@
+package holos
+
+// Platform wide configuration
+#CertManager: {
+	Version:   "{{ .Version }}"
+	Namespace: "{{ .Namespace }}"
+}
+
+// Register the namespace
+#Namespaces: (#CertManager.Namespace): _
+
+// Manage the component on every cluster in the platform
+for Fleet in #Fleets {
+	for Cluster in Fleet.clusters {
+		#Platform: Components: "\(Cluster.name)/{{ .Name }}": {
+			path:    "components/cert-manager"
+			cluster: Cluster.name
+		}
+	}
+}

internal/generate/components/v1alpha3/cert-manager/components/cert-manager/cert-manager.cue

@@ -0,0 +1,16 @@
+package holos
+
+// Produce a helm chart build plan.
+(#Helm & Chart).BuildPlan
+
+let Chart = {
+	Name:      "{{ .Name }}"
+	Version:   #CertManager.Version
+	Namespace: #CertManager.Namespace
+
+	Repo: name: "{{ .RepoName }}"
+	Repo: url:  "{{ .RepoURL }}"
+
+	Values: installCRDs: true
+	Values: startupapicheck: enabled: false
+}

internal/generate/components/v1alpha3/cert-manager/schematic.json

@@ -0,0 +1,10 @@
+{
+  "name": "cert-manager",
+  "short": "cloud native X.509 certificate management for kubernetes",
+  "long": "cert-manager creates tls certificates for workloads in your kubernetes cluster and renews the certificates before they expire.",
+  "chart": "",
+  "reponame": "jetstack",
+  "repourl": "https://charts.jetstack.io",
+  "version": "1.15.3",
+  "namespace": "cert-manager"
+}

internal/generate/components/v1alpha3/gateway-api/components/gateway-api/gateway-api.cue

@@ -0,0 +1,4 @@
+package holos
+
+// Produce a kubectl kustomize build plan.
+(#Kustomize & {Name: "gateway-api"}).BuildPlan

internal/generate/components/v1alpha3/gateway-api/components/gateway-api/kustomization.yaml

@@ -0,0 +1,6 @@
+resources:
+- standard/gateway.networking.k8s.io_gatewayclasses.yaml
+- standard/gateway.networking.k8s.io_gateways.yaml
+- standard/gateway.networking.k8s.io_grpcroutes.yaml
+- standard/gateway.networking.k8s.io_httproutes.yaml
+- standard/gateway.networking.k8s.io_referencegrants.yaml

internal/generate/components/v1alpha3/gateway-api/components/gateway-api/standard/gateway.networking.k8s.io_gatewayclasses.yaml

@@ -0,0 +1,524 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2997
+    gateway.networking.k8s.io/bundle-version: v1.1.0
+    gateway.networking.k8s.io/channel: standard
+  creationTimestamp: null
+  name: gatewayclasses.gateway.networking.k8s.io
+spec:
+  group: gateway.networking.k8s.io
+  names:
+    categories:
+    - gateway-api
+    kind: GatewayClass
+    listKind: GatewayClassList
+    plural: gatewayclasses
+    shortNames:
+    - gc
+    singular: gatewayclass
+  scope: Cluster
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.controllerName
+      name: Controller
+      type: string
+    - jsonPath: .status.conditions[?(@.type=="Accepted")].status
+      name: Accepted
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    - jsonPath: .spec.description
+      name: Description
+      priority: 1
+      type: string
+    name: v1
+    schema:
+      openAPIV3Schema:
+        description: |-
+          GatewayClass describes a class of Gateways available to the user for creating
+          Gateway resources.
+
+
+          It is recommended that this resource be used as a template for Gateways. This
+          means that a Gateway is based on the state of the GatewayClass at the time it
+          was created and changes to the GatewayClass or associated parameters are not
+          propagated down to existing Gateways. This recommendation is intended to
+          limit the blast radius of changes to GatewayClass or associated parameters.
+          If implementations choose to propagate GatewayClass changes to existing
+          Gateways, that MUST be clearly documented by the implementation.
+
+
+          Whenever one or more Gateways are using a GatewayClass, implementations SHOULD
+          add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the
+          associated GatewayClass. This ensures that a GatewayClass associated with a
+          Gateway is not deleted while in use.
+
+
+          GatewayClass is a Cluster level resource.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Spec defines the desired state of GatewayClass.
+            properties:
+              controllerName:
+                description: |-
+                  ControllerName is the name of the controller that is managing Gateways of
+                  this class. The value of this field MUST be a domain prefixed path.
+
+
+                  Example: "example.net/gateway-controller".
+
+
+                  This field is not mutable and cannot be empty.
+
+
+                  Support: Core
+                maxLength: 253
+                minLength: 1
+                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+                type: string
+                x-kubernetes-validations:
+                - message: Value is immutable
+                  rule: self == oldSelf
+              description:
+                description: Description helps describe a GatewayClass with more details.
+                maxLength: 64
+                type: string
+              parametersRef:
+                description: |-
+                  ParametersRef is a reference to a resource that contains the configuration
+                  parameters corresponding to the GatewayClass. This is optional if the
+                  controller does not require any additional configuration.
+
+
+                  ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap,
+                  or an implementation-specific custom resource. The resource can be
+                  cluster-scoped or namespace-scoped.
+
+
+                  If the referent cannot be found, the GatewayClass's "InvalidParameters"
+                  status condition will be true.
+
+
+                  A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified,
+                  the merging behavior is implementation specific.
+                  It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
+
+
+                  Support: Implementation-specific
+                properties:
+                  group:
+                    description: Group is the group of the referent.
+                    maxLength: 253
+                    pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                    type: string
+                  kind:
+                    description: Kind is kind of the referent.
+                    maxLength: 63
+                    minLength: 1
+                    pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                    type: string
+                  name:
+                    description: Name is the name of the referent.
+                    maxLength: 253
+                    minLength: 1
+                    type: string
+                  namespace:
+                    description: |-
+                      Namespace is the namespace of the referent.
+                      This field is required when referring to a Namespace-scoped resource and
+                      MUST be unset when referring to a Cluster-scoped resource.
+                    maxLength: 63
+                    minLength: 1
+                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                    type: string
+                required:
+                - group
+                - kind
+                - name
+                type: object
+            required:
+            - controllerName
+            type: object
+          status:
+            default:
+              conditions:
+              - lastTransitionTime: "1970-01-01T00:00:00Z"
+                message: Waiting for controller
+                reason: Waiting
+                status: Unknown
+                type: Accepted
+            description: |-
+              Status defines the current state of GatewayClass.
+
+
+              Implementations MUST populate status on all GatewayClass resources which
+              specify their controller name.
+            properties:
+              conditions:
+                default:
+                - lastTransitionTime: "1970-01-01T00:00:00Z"
+                  message: Waiting for controller
+                  reason: Pending
+                  status: Unknown
+                  type: Accepted
+                description: |-
+                  Conditions is the current status from the controller for
+                  this GatewayClass.
+
+
+                  Controllers should prefer to publish conditions using values
+                  of GatewayClassConditionType for the type of each Condition.
+                items:
+                  description: "Condition contains details for one aspect of the current
+                    state of this API Resource.\n---\nThis struct is intended for
+                    direct use as an array at the field path .status.conditions.  For
+                    example,\n\n\n\ttype FooStatus struct{\n\t    // Represents the
+                    observations of a foo's current state.\n\t    // Known .status.conditions.type
+                    are: \"Available\", \"Progressing\", and \"Degraded\"\n\t    //
+                    +patchMergeKey=type\n\t    // +patchStrategy=merge\n\t    // +listType=map\n\t
+                    \   // +listMapKey=type\n\t    Conditions []metav1.Condition `json:\"conditions,omitempty\"
+                    patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+                    \   // other fields\n\t}"
+                  properties:
+                    lastTransitionTime:
+                      description: |-
+                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: |-
+                        message is a human readable message indicating details about the transition.
+                        This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: |-
+                        observedGeneration represents the .metadata.generation that the condition was set based upon.
+                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: |-
+                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                        Producers of specific condition types may define expected values and meanings for this field,
+                        and whether the values are considered a guaranteed API.
+                        The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: |-
+                        type of condition in CamelCase or in foo.example.com/CamelCase.
+                        ---
+                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+                        useful (see .node.status.conditions), the ability to deconflict is important.
+                        The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                maxItems: 8
+                type: array
+                x-kubernetes-list-map-keys:
+                - type
+                x-kubernetes-list-type: map
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - jsonPath: .spec.controllerName
+      name: Controller
+      type: string
+    - jsonPath: .status.conditions[?(@.type=="Accepted")].status
+      name: Accepted
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    - jsonPath: .spec.description
+      name: Description
+      priority: 1
+      type: string
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: |-
+          GatewayClass describes a class of Gateways available to the user for creating
+          Gateway resources.
+
+
+          It is recommended that this resource be used as a template for Gateways. This
+          means that a Gateway is based on the state of the GatewayClass at the time it
+          was created and changes to the GatewayClass or associated parameters are not
+          propagated down to existing Gateways. This recommendation is intended to
+          limit the blast radius of changes to GatewayClass or associated parameters.
+          If implementations choose to propagate GatewayClass changes to existing
+          Gateways, that MUST be clearly documented by the implementation.
+
+
+          Whenever one or more Gateways are using a GatewayClass, implementations SHOULD
+          add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the
+          associated GatewayClass. This ensures that a GatewayClass associated with a
+          Gateway is not deleted while in use.
+
+
+          GatewayClass is a Cluster level resource.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Spec defines the desired state of GatewayClass.
+            properties:
+              controllerName:
+                description: |-
+                  ControllerName is the name of the controller that is managing Gateways of
+                  this class. The value of this field MUST be a domain prefixed path.
+
+
+                  Example: "example.net/gateway-controller".
+
+
+                  This field is not mutable and cannot be empty.
+
+
+                  Support: Core
+                maxLength: 253
+                minLength: 1
+                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+                type: string
+                x-kubernetes-validations:
+                - message: Value is immutable
+                  rule: self == oldSelf
+              description:
+                description: Description helps describe a GatewayClass with more details.
+                maxLength: 64
+                type: string
+              parametersRef:
+                description: |-
+                  ParametersRef is a reference to a resource that contains the configuration
+                  parameters corresponding to the GatewayClass. This is optional if the
+                  controller does not require any additional configuration.
+
+
+                  ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap,
+                  or an implementation-specific custom resource. The resource can be
+                  cluster-scoped or namespace-scoped.
+
+
+                  If the referent cannot be found, the GatewayClass's "InvalidParameters"
+                  status condition will be true.
+
+
+                  A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified,
+                  the merging behavior is implementation specific.
+                  It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
+
+
+                  Support: Implementation-specific
+                properties:
+                  group:
+                    description: Group is the group of the referent.
+                    maxLength: 253
+                    pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                    type: string
+                  kind:
+                    description: Kind is kind of the referent.
+                    maxLength: 63
+                    minLength: 1
+                    pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                    type: string
+                  name:
+                    description: Name is the name of the referent.
+                    maxLength: 253
+                    minLength: 1
+                    type: string
+                  namespace:
+                    description: |-
+                      Namespace is the namespace of the referent.
+                      This field is required when referring to a Namespace-scoped resource and
+                      MUST be unset when referring to a Cluster-scoped resource.
+                    maxLength: 63
+                    minLength: 1
+                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                    type: string
+                required:
+                - group
+                - kind
+                - name
+                type: object
+            required:
+            - controllerName
+            type: object
+          status:
+            default:
+              conditions:
+              - lastTransitionTime: "1970-01-01T00:00:00Z"
+                message: Waiting for controller
+                reason: Waiting
+                status: Unknown
+                type: Accepted
+            description: |-
+              Status defines the current state of GatewayClass.
+
+
+              Implementations MUST populate status on all GatewayClass resources which
+              specify their controller name.
+            properties:
+              conditions:
+                default:
+                - lastTransitionTime: "1970-01-01T00:00:00Z"
+                  message: Waiting for controller
+                  reason: Pending
+                  status: Unknown
+                  type: Accepted
+                description: |-
+                  Conditions is the current status from the controller for
+                  this GatewayClass.
+
+
+                  Controllers should prefer to publish conditions using values
+                  of GatewayClassConditionType for the type of each Condition.
+                items:
+                  description: "Condition contains details for one aspect of the current
+                    state of this API Resource.\n---\nThis struct is intended for
+                    direct use as an array at the field path .status.conditions.  For
+                    example,\n\n\n\ttype FooStatus struct{\n\t    // Represents the
+                    observations of a foo's current state.\n\t    // Known .status.conditions.type
+                    are: \"Available\", \"Progressing\", and \"Degraded\"\n\t    //
+                    +patchMergeKey=type\n\t    // +patchStrategy=merge\n\t    // +listType=map\n\t
+                    \   // +listMapKey=type\n\t    Conditions []metav1.Condition `json:\"conditions,omitempty\"
+                    patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+                    \   // other fields\n\t}"
+                  properties:
+                    lastTransitionTime:
+                      description: |-
+                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: |-
+                        message is a human readable message indicating details about the transition.
+                        This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: |-
+                        observedGeneration represents the .metadata.generation that the condition was set based upon.
+                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: |-
+                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                        Producers of specific condition types may define expected values and meanings for this field,
+                        and whether the values are considered a guaranteed API.
+                        The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: |-
+                        type of condition in CamelCase or in foo.example.com/CamelCase.
+                        ---
+                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+                        useful (see .node.status.conditions), the ability to deconflict is important.
+                        The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                maxItems: 8
+                type: array
+                x-kubernetes-list-map-keys:
+                - type
+                x-kubernetes-list-type: map
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: null
+  storedVersions: null

internal/generate/components/v1alpha3/gateway-api/components/gateway-api/standard/gateway.networking.k8s.io_referencegrants.yaml

@@ -0,0 +1,383 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2997
+    gateway.networking.k8s.io/bundle-version: v1.1.0
+    gateway.networking.k8s.io/channel: standard
+  creationTimestamp: null
+  name: referencegrants.gateway.networking.k8s.io
+spec:
+  group: gateway.networking.k8s.io
+  names:
+    categories:
+    - gateway-api
+    kind: ReferenceGrant
+    listKind: ReferenceGrantList
+    plural: referencegrants
+    shortNames:
+    - refgrant
+    singular: referencegrant
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    deprecated: true
+    deprecationWarning: The v1alpha2 version of ReferenceGrant has been deprecated
+      and will be removed in a future release of the API. Please upgrade to v1beta1.
+    name: v1alpha2
+    schema:
+      openAPIV3Schema:
+        description: |-
+          ReferenceGrant identifies kinds of resources in other namespaces that are
+          trusted to reference the specified kinds of resources in the same namespace
+          as the policy.
+
+
+          Each ReferenceGrant can be used to represent a unique trust relationship.
+          Additional Reference Grants can be used to add to the set of trusted
+          sources of inbound references for the namespace they are defined within.
+
+
+          A ReferenceGrant is required for all cross-namespace references in Gateway API
+          (with the exception of cross-namespace Route-Gateway attachment, which is
+          governed by the AllowedRoutes configuration on the Gateway, and cross-namespace
+          Service ParentRefs on a "consumer" mesh Route, which defines routing rules
+          applicable only to workloads in the Route namespace). ReferenceGrants allowing
+          a reference from a Route to a Service are only applicable to BackendRefs.
+
+
+          ReferenceGrant is a form of runtime verification allowing users to assert
+          which cross-namespace object references are permitted. Implementations that
+          support ReferenceGrant MUST NOT permit cross-namespace references which have
+          no grant, and MUST respond to the removal of a grant by revoking the access
+          that the grant allowed.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Spec defines the desired state of ReferenceGrant.
+            properties:
+              from:
+                description: |-
+                  From describes the trusted namespaces and kinds that can reference the
+                  resources described in "To". Each entry in this list MUST be considered
+                  to be an additional place that references can be valid from, or to put
+                  this another way, entries MUST be combined using OR.
+
+
+                  Support: Core
+                items:
+                  description: ReferenceGrantFrom describes trusted namespaces and
+                    kinds.
+                  properties:
+                    group:
+                      description: |-
+                        Group is the group of the referent.
+                        When empty, the Kubernetes core API group is inferred.
+
+
+                        Support: Core
+                      maxLength: 253
+                      pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                      type: string
+                    kind:
+                      description: |-
+                        Kind is the kind of the referent. Although implementations may support
+                        additional resources, the following types are part of the "Core"
+                        support level for this field.
+
+
+                        When used to permit a SecretObjectReference:
+
+
+                        * Gateway
+
+
+                        When used to permit a BackendObjectReference:
+
+
+                        * GRPCRoute
+                        * HTTPRoute
+                        * TCPRoute
+                        * TLSRoute
+                        * UDPRoute
+                      maxLength: 63
+                      minLength: 1
+                      pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                      type: string
+                    namespace:
+                      description: |-
+                        Namespace is the namespace of the referent.
+
+
+                        Support: Core
+                      maxLength: 63
+                      minLength: 1
+                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                      type: string
+                  required:
+                  - group
+                  - kind
+                  - namespace
+                  type: object
+                maxItems: 16
+                minItems: 1
+                type: array
+              to:
+                description: |-
+                  To describes the resources that may be referenced by the resources
+                  described in "From". Each entry in this list MUST be considered to be an
+                  additional place that references can be valid to, or to put this another
+                  way, entries MUST be combined using OR.
+
+
+                  Support: Core
+                items:
+                  description: |-
+                    ReferenceGrantTo describes what Kinds are allowed as targets of the
+                    references.
+                  properties:
+                    group:
+                      description: |-
+                        Group is the group of the referent.
+                        When empty, the Kubernetes core API group is inferred.
+
+
+                        Support: Core
+                      maxLength: 253
+                      pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                      type: string
+                    kind:
+                      description: |-
+                        Kind is the kind of the referent. Although implementations may support
+                        additional resources, the following types are part of the "Core"
+                        support level for this field:
+
+
+                        * Secret when used to permit a SecretObjectReference
+                        * Service when used to permit a BackendObjectReference
+                      maxLength: 63
+                      minLength: 1
+                      pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                      type: string
+                    name:
+                      description: |-
+                        Name is the name of the referent. When unspecified, this policy
+                        refers to all resources of the specified Group and Kind in the local
+                        namespace.
+                      maxLength: 253
+                      minLength: 1
+                      type: string
+                  required:
+                  - group
+                  - kind
+                  type: object
+                maxItems: 16
+                minItems: 1
+                type: array
+            required:
+            - from
+            - to
+            type: object
+        type: object
+    served: false
+    storage: false
+    subresources: {}
+  - additionalPrinterColumns:
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: |-
+          ReferenceGrant identifies kinds of resources in other namespaces that are
+          trusted to reference the specified kinds of resources in the same namespace
+          as the policy.
+
+
+          Each ReferenceGrant can be used to represent a unique trust relationship.
+          Additional Reference Grants can be used to add to the set of trusted
+          sources of inbound references for the namespace they are defined within.
+
+
+          All cross-namespace references in Gateway API (with the exception of cross-namespace
+          Gateway-route attachment) require a ReferenceGrant.
+
+
+          ReferenceGrant is a form of runtime verification allowing users to assert
+          which cross-namespace object references are permitted. Implementations that
+          support ReferenceGrant MUST NOT permit cross-namespace references which have
+          no grant, and MUST respond to the removal of a grant by revoking the access
+          that the grant allowed.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Spec defines the desired state of ReferenceGrant.
+            properties:
+              from:
+                description: |-
+                  From describes the trusted namespaces and kinds that can reference the
+                  resources described in "To". Each entry in this list MUST be considered
+                  to be an additional place that references can be valid from, or to put
+                  this another way, entries MUST be combined using OR.
+
+
+                  Support: Core
+                items:
+                  description: ReferenceGrantFrom describes trusted namespaces and
+                    kinds.
+                  properties:
+                    group:
+                      description: |-
+                        Group is the group of the referent.
+                        When empty, the Kubernetes core API group is inferred.
+
+
+                        Support: Core
+                      maxLength: 253
+                      pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                      type: string
+                    kind:
+                      description: |-
+                        Kind is the kind of the referent. Although implementations may support
+                        additional resources, the following types are part of the "Core"
+                        support level for this field.
+
+
+                        When used to permit a SecretObjectReference:
+
+
+                        * Gateway
+
+
+                        When used to permit a BackendObjectReference:
+
+
+                        * GRPCRoute
+                        * HTTPRoute
+                        * TCPRoute
+                        * TLSRoute
+                        * UDPRoute
+                      maxLength: 63
+                      minLength: 1
+                      pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                      type: string
+                    namespace:
+                      description: |-
+                        Namespace is the namespace of the referent.
+
+
+                        Support: Core
+                      maxLength: 63
+                      minLength: 1
+                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                      type: string
+                  required:
+                  - group
+                  - kind
+                  - namespace
+                  type: object
+                maxItems: 16
+                minItems: 1
+                type: array
+              to:
+                description: |-
+                  To describes the resources that may be referenced by the resources
+                  described in "From". Each entry in this list MUST be considered to be an
+                  additional place that references can be valid to, or to put this another
+                  way, entries MUST be combined using OR.
+
+
+                  Support: Core
+                items:
+                  description: |-
+                    ReferenceGrantTo describes what Kinds are allowed as targets of the
+                    references.
+                  properties:
+                    group:
+                      description: |-
+                        Group is the group of the referent.
+                        When empty, the Kubernetes core API group is inferred.
+
+
+                        Support: Core
+                      maxLength: 253
+                      pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                      type: string
+                    kind:
+                      description: |-
+                        Kind is the kind of the referent. Although implementations may support
+                        additional resources, the following types are part of the "Core"
+                        support level for this field:
+
+
+                        * Secret when used to permit a SecretObjectReference
+                        * Service when used to permit a BackendObjectReference
+                      maxLength: 63
+                      minLength: 1
+                      pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                      type: string
+                    name:
+                      description: |-
+                        Name is the name of the referent. When unspecified, this policy
+                        refers to all resources of the specified Group and Kind in the local
+                        namespace.
+                      maxLength: 253
+                      minLength: 1
+                      type: string
+                  required:
+                  - group
+                  - kind
+                  type: object
+                maxItems: 16
+                minItems: 1
+                type: array
+            required:
+            - from
+            - to
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: null
+  storedVersions: null

internal/generate/components/v1alpha3/gateway-api/gateway-api.gen.cue

@@ -0,0 +1,11 @@
+package holos
+
+// Manage on every Cluster in the Platform
+for Fleet in #Fleets {
+	for Cluster in Fleet.clusters {
+		#Platform: Components: "\(Cluster.name)/gateway-api": {
+			path:    "components/gateway-api"
+			cluster: Cluster.name
+		}
+	}
+}

internal/generate/components/v1alpha3/gateway-api/schematic.json

@@ -0,0 +1,5 @@
+{
+  "name": "gateway-api",
+  "short": "gateway api custom resource definitions",
+  "long": "Gateway API represents the next generation of Kubernetes Ingress, Load Balancing, and Service Mesh APIs."
+}

internal/generate/components/v1alpha3/httpbin-routes/components/httpbin/routes/httpbin-routes.cue

@@ -0,0 +1,37 @@
+package holos
+
+// Produce a kubernetes objects build plan.
+(#Kubernetes & Objects).BuildPlan
+
+let Objects = {
+	Name:      "{{ .Name }}"
+	Namespace: #Istio.Gateway.Namespace
+
+	Resources: [_]: [_]: metadata: namespace: Namespace
+	Resources: HTTPRoute: (#HTTPRouteClone & {Name: "httpbin"}).BuildPlan
+}
+
+#HTTPRouteClone: {
+	Name: string
+	let Host = "\(Name).\(#Platform.Domain)"
+	Output: "\(Name)": {
+		metadata: namespace: _
+		metadata: name:      Name
+		metadata: labels: app: Name
+		spec: hostnames: [Host]
+		spec: parentRefs: [{
+			name:      "default"
+			namespace: metadata.namespace
+		}]
+		spec: rules: [
+			{
+				matches: [{path: {type: "PathPrefix", value: "/"}}]
+				backendRefs: [{
+					name:      Name
+					namespace: #HTTPBin.Namespace
+					port:      #HTTPBin.Port
+				}]
+			},
+		]
+	}
+}

internal/generate/components/v1alpha3/httpbin-routes/httpbin-routes.gen.cue

@@ -0,0 +1,9 @@
+package holos
+
+// Manage the component on workload clusters
+for Cluster in #Fleets.workload.clusters {
+	#Platform: Components: "\(Cluster.name)/{{ .Name }}": {
+		path:    "components/httpbin/routes"
+		cluster: Cluster.name
+	}
+}

internal/generate/components/v1alpha3/httpbin-routes/schematic.json

@@ -0,0 +1,6 @@
+{
+  "name": "httpbin-routes",
+  "short": "expose httpbin with httproute resources",
+  "long": "expose httpbin with httproute resources",
+  "namespace": "istio-ingress"
+}

internal/generate/components/v1alpha3/httpbin-workload/components/httpbin/workload/httpbin-workload.cue

@@ -0,0 +1,61 @@
+package holos
+
+// Produce a kubernetes objects build plan.
+(#Kubernetes & Objects).BuildPlan
+
+let Objects = {
+	Name:      "{{ .Name }}"
+	Namespace: #HTTPBin.Namespace
+
+	// Constrain resources to the httpbin namespace
+	Resources: [_]: [_]: metadata: namespace: #HTTPBin.Namespace
+
+	Resources: {
+		Deployment: httpbin: {
+			metadata: name: "httpbin"
+			metadata: labels: app: metadata.name
+			spec: {
+				selector: matchLabels: {
+					app:                          metadata.labels.app
+					"app.kubernetes.io/instance": app
+				}
+
+				template: {
+					metadata: labels: selector.matchLabels
+					spec: securityContext: seccompProfile: type: "RuntimeDefault"
+					spec: containers: [{
+						name:  "httpbin"
+						image: "quay.io/holos/mccutchen/go-httpbin"
+						ports: [{containerPort: 8080}]
+						securityContext: {
+							seccompProfile: type: "RuntimeDefault"
+							allowPrivilegeEscalation: false
+							runAsNonRoot:             true
+							runAsUser:                8192
+							runAsGroup:               8192
+							capabilities: drop: ["ALL"]
+						}}]
+				}
+			}
+		}
+
+		Service: httpbin: {
+			metadata: labels: Deployment.httpbin.metadata.labels
+			spec: {
+				selector: Deployment.httpbin.spec.selector.matchLabels
+				_ports: http: {
+					port:       #HTTPBin.Port
+					targetPort: Deployment.httpbin.spec.template.spec.containers[0].ports[0].containerPort
+					protocol:   "TCP"
+					name:       "http"
+				}
+				ports: [for x in _ports {x}]
+			}
+		}
+
+		// Allow istio-ingress to refer to Services from HTTPRoutes
+		ReferenceGrant: httpbin: #ReferenceGrant & {
+			metadata: labels: Deployment.httpbin.metadata.labels
+		}
+	}
+}

internal/generate/components/v1alpha3/httpbin-workload/httpbin-workload.gen.cue

@@ -0,0 +1,18 @@
+package holos
+
+// Platform wide configuration
+#HTTPBin: {
+	Namespace: "{{ .Namespace }}"
+	Port:      80
+}
+
+// Register the namespace
+#Namespaces: (#HTTPBin.Namespace): _
+
+// Manage the component on workload clusters
+for Cluster in #Fleets.workload.clusters {
+	#Platform: Components: "\(Cluster.name)/{{ .Name }}": {
+		path:    "components/httpbin/workload"
+		cluster: Cluster.name
+	}
+}

internal/generate/components/v1alpha3/httpbin-workload/schematic.json

@@ -0,0 +1,6 @@
+{
+  "name": "httpbin-workload",
+  "short": "manages the httpbin deployment and service",
+  "long": "httpbin is useful to inspect requests and responses",
+  "namespace": "httpbin"
+}

internal/generate/components/v1alpha3/httproutes/platform/httproutes.cue

@@ -0,0 +1,9 @@
+package holos
+
+// Manage on workload clusters
+for Cluster in #Fleets.workload.clusters {
+	#Platform: Components: "\(Cluster.name)/httproutes": {
+		path:    "projects/platform/components/httproutes"
+		cluster: Cluster.name
+	}
+}

internal/generate/components/v1alpha3/httproutes/projects/httproutes.cue

@@ -0,0 +1,34 @@
+package holos
+
+import v1 "gateway.networking.k8s.io/httproute/v1"
+
+// #HTTPRoutes defines managed HTTPRoute resources for the platform.  These
+// resources are managed in the istio-ingress namespace.  Other components
+// define the routes they need close to the root of configuration.
+#HTTPRoutes: {
+	// For the guides, we simplify this down to a flat namespace.
+	[Name=string]: v1.#HTTPRoute & {
+		let HOST = Name + "." + #Platform.Domain
+
+		_backendRefs: [NAME=string]: {
+			name:      NAME
+			namespace: string
+			port:      number | *80
+		}
+
+		metadata: name:      Name
+		metadata: namespace: #Istio.Gateway.Namespace
+		metadata: labels: app: Name
+		spec: hostnames: [HOST]
+		spec: parentRefs: [{
+			name:      "default"
+			namespace: metadata.namespace
+		}]
+		spec: rules: [
+			{
+				matches: [{path: {type: "PathPrefix", value: "/"}}]
+				backendRefs: [for x in _backendRefs {x}]
+			},
+		]
+	}
+}

internal/generate/components/v1alpha3/httproutes/projects/platform/components/httproutes/httproutes.cue

@@ -0,0 +1,9 @@
+package holos
+
+let Objects = {
+	Name: "httproutes"
+	Resources: HTTPRoute: #HTTPRoutes
+}
+
+// Produce a kubernetes objects build plan.
+(#Kubernetes & Objects).BuildPlan

internal/generate/components/v1alpha3/httproutes/schematic.json

@@ -0,0 +1,5 @@
+{
+  "name": "httproutes",
+  "short": "#HTTPRoutes registration point",
+  "long": "Provides the #HTTPRoutes registration point to manage httproutes in the istio-ingress namespace."
+}

internal/generate/components/v1alpha3/istio-gateway/components/istio/gateway/gateway.cue

@@ -0,0 +1,61 @@
+package holos
+
+// Produce a kubernetes objects build plan.
+(#Kubernetes & Objects).BuildPlan
+
+let Objects = {
+	Name:      "{{ .Name }}"
+	Namespace: #Istio.Gateway.Namespace
+
+	Resources: {
+		// The default gateway with all listeners attached to tls certs.
+		Gateway: default: {
+			metadata: namespace: Namespace
+
+			let Listeners = {
+				http: {
+					name:     "http"
+					protocol: "HTTP"
+					port:     80
+					allowedRoutes: namespaces: from: "Same"
+				}
+				https: {
+					name:     "https"
+					protocol: "HTTPS"
+					port:     443
+					allowedRoutes: namespaces: from: "Same"
+					tls: mode: "Terminate"
+					tls: certificateRefs: [{
+						kind: "Secret"
+						name: "gateway-cert"
+					}]
+				}
+			}
+
+			spec: listeners: [for x in Listeners {x}]
+		}
+
+		// Manage a simple cert for example.com and *.example.com
+		Certificate: "gateway-cert": {
+			metadata: name:      "gateway-cert"
+			metadata: namespace: Namespace
+			spec: commonName:    #Platform.Domain
+			spec: dnsNames: [spec.commonName, "*.\(spec.commonName)"]
+			spec: secretName: metadata.name
+			spec: issuerRef: {
+				kind: "ClusterIssuer"
+				name: "local-ca"
+			}
+		}
+
+		// Manage a service account to prevent ArgoCD from pruning it.
+		ServiceAccount: "default-istio": {
+			metadata: namespace: Namespace
+			metadata: labels: {
+				"gateway.istio.io/managed":               "istio.io-gateway-controller"
+				"gateway.networking.k8s.io/gateway-name": "default"
+				"istio.io/gateway-name":                  "default"
+			}
+		}
+	}
+}

internal/generate/components/v1alpha3/istio-gateway/components/istio/gateway/readme.md

@@ -0,0 +1,7 @@
+# Gateway API
+
+This component uses the [Gateway API][1] to manage an istio Gateway.  This will
+become the default method in upstream istio so it is the preferred method in
+Holos.
+
+[1]: https://gateway-api.sigs.k8s.io/

internal/generate/components/v1alpha3/istio-gateway/istio-gateway.gen.cue

@@ -0,0 +1,17 @@
+package holos
+
+// #Istio represents platform wide configuration
+#Istio: Gateway: Namespace: "istio-ingress"
+
+// Register the Namespaces
+#Namespaces: (#Istio.Gateway.Namespace): _
+
+// Manage istio on workload clusters
+for Cluster in #Fleets.workload.clusters {
+	#Platform: Components: {
+		"\(Cluster.name)/{{ .Name }}": {
+			path:    "components/istio/gateway"
+			cluster: Cluster.name
+		}
+	}
+}

internal/generate/components/v1alpha3/istio-gateway/schematic.json

@@ -0,0 +1,5 @@
+{
+  "name": "istio-gateway",
+  "short": "kubernetes ingress gateway api",
+  "long": "Gateway API ingress gateway with certificate management"
+}

internal/generate/components/v1alpha3/istio-k3d/istio-k3d.gen.cue

@@ -0,0 +1,11 @@
+package holos
+
+// If you are using k3d with the default Flannel CNI, you must append some
+// values to your installation command, as k3d uses nonstandard locations for
+// CNI configuration and binaries.
+//
+// See https://istio.io/latest/docs/ambient/install/platform-prerequisites/#k3d
+#Istio: Values: cni: {
+	cniConfDir: "/var/lib/rancher/k3s/agent/etc/cni/net.d"
+	cniBinDir:  "/bin"
+}

internal/generate/components/v1alpha3/istio-k3d/schematic.json

@@ -0,0 +1,5 @@
+{
+  "name": "istio-k3d",
+  "short": "configure istio for the k3d flannel cni",
+  "long": "If you are using k3d with the default Flannel CNI, you must append some values to your installation command, as k3d uses nonstandard locations for CNI configuration and binaries.  Refer to https://istio.io/latest/docs/ambient/install/platform-prerequisites/#k3d"
+}

internal/generate/components/v1alpha3/istio/components/istio/base/istio-base.cue

@@ -0,0 +1,17 @@
+package holos
+
+// Produce a helm chart build plan.
+(#Helm & Chart).BuildPlan
+
+let Chart = {
+	Name:      "istio-base"
+	Version:   #Istio.Version
+	Namespace: #Istio.System.Namespace
+
+	Chart: chart: name: "base"
+
+	Repo: name: "istio"
+	Repo: url:  "https://istio-release.storage.googleapis.com/charts"
+
+	Values: #Istio.Values
+}

internal/generate/components/v1alpha3/istio/components/istio/base/values.gen.cue

@@ -0,0 +1,48 @@
+package holos
+
+// imported from the 1.23.1 base chart
+// cue import components/istio/base/vendor/base/values.yaml
+
+#Istio: Values: {
+	// "defaults" is a workaround for Helm limitations. Users should NOT set ".defaults" explicitly, but rather directly set the fields internally.
+	// For instance, instead of `--set defaults.foo=bar`, just set `--set foo=bar`.
+	defaults: {
+		global: {
+
+			// ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace
+			// to use for pulling any images in pods that reference this ServiceAccount.
+			// Must be set for any cluster configured with private docker registry.
+			imagePullSecrets: []
+
+			// Used to locate istiod.
+			istioNamespace:     "istio-system"
+			externalIstiod:     false
+			remotePilotAddress: ""
+
+			// Platform where Istio is deployed. Possible values are: "openshift", "gcp".
+			// An empty value means it is a vanilla Kubernetes distribution, therefore no special
+			// treatment will be considered.
+			platform: ""
+
+			// Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
+			// This is intended only for use with external istiod.
+			ipFamilyPolicy: ""
+			ipFamilies: []
+		}
+		base: {
+			// Used for helm2 to add the CRDs to templates.
+			enableCRDTemplates: false
+
+			// Validation webhook configuration url
+			// For example: https://$remotePilotAddress:15017/validate
+			validationURL: ""
+			// Validation webhook caBundle value. Useful when running pilot with a well known cert
+			validationCABundle: ""
+
+			// For istioctl usage to disable istio config crds in base
+			enableIstioConfigCRDs: true
+		}
+		defaultRevision: "default"
+		experimental: stableValidationPolicy: false
+	}
+}

internal/generate/components/v1alpha3/istio/components/istio/cni/cni.cue

@@ -0,0 +1,17 @@
+package holos
+
+// Produce a helm chart build plan.
+(#Helm & Chart).BuildPlan
+
+let Chart = {
+	Name:      "istio-cni"
+	Version:   #Istio.Version
+	Namespace: #Istio.System.Namespace
+
+	Chart: chart: name: "cni"
+
+	Repo: name: "istio"
+	Repo: url:  "https://istio-release.storage.googleapis.com/charts"
+
+	Values: #Istio.Values
+}

internal/generate/components/v1alpha3/istio/components/istio/cni/values.gen.cue

@@ -0,0 +1,148 @@
+package holos
+
+// imported from the 1.23.1 cni chart
+// cue import components/istio/cni/vendor/cni/values.yaml
+
+#Istio: Values: {
+	// "defaults" is a workaround for Helm limitations. Users should NOT set ".defaults" explicitly, but rather directly set the fields internally.
+	// For instance, instead of `--set defaults.foo=bar`, just set `--set foo=bar`.
+	defaults: {
+		cni: {
+			hub:        ""
+			tag:        ""
+			variant:    ""
+			image:      "install-cni"
+			pullPolicy: ""
+
+			// Same as `global.logging.level`, but will override it if set
+			logging: {
+				level: ""
+			}
+
+			// Configuration file to insert istio-cni plugin configuration
+			// by default this will be the first file found in the cni-conf-dir
+			// Example
+			// cniConfFileName: 10-calico.conflist
+			// CNI bin and conf dir override settings
+			// defaults:
+			cniBinDir:       "" // Auto-detected based on version; defaults to /opt/cni/bin.
+			cniConfDir:      "/etc/cni/net.d"
+			cniConfFileName: ""
+			// This directory must exist on the node, if it does not, consult your container runtime
+			// documentation for the appropriate path.
+			cniNetnsDir: null // Defaults to '/var/run/netns', in minikube/docker/others can be '/var/run/docker/netns'.
+			excludeNamespaces: ["kube-system"]
+
+			// Allows user to set custom affinity for the DaemonSet
+			affinity: {}
+
+			// Custom annotations on pod level, if you need them
+			podAnnotations: {}
+
+			// Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")?
+			// Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case
+			chained: true
+
+			// Custom configuration happens based on the CNI provider.
+			// Possible values: "default", "multus"
+			provider: "default"
+
+			// Configure ambient settings
+			ambient: {
+				// If enabled, ambient redirection will be enabled
+				enabled: false
+				// Set ambient config dir path: defaults to /etc/ambient-config
+				configDir: ""
+				// If enabled, and ambient is enabled, DNS redirection will be enabled
+				dnsCapture: false
+				// If enabled, and ambient is enabled, enables ipv6 support
+				ipv6: true
+			}
+			repair: {
+				enabled: true
+				hub:     ""
+				tag:     ""
+
+				// Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used.
+				// This defines the action the controller will take when a pod is detected as broken.
+				// labelPods will label all pods with <brokenPodLabelKey>=<brokenPodLabelValue>.
+				// This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them).
+				// Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts.
+				labelPods: false
+				// deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready.
+				// Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod.
+				deletePods: false
+				// repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started.
+				// Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs.
+				// This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`.
+				repairPods:          true
+				initContainerName:   "istio-validation"
+				brokenPodLabelKey:   "cni.istio.io/uninitialized"
+				brokenPodLabelValue: "true"
+			}
+
+			// Set to `type: RuntimeDefault` to use the default profile if available.
+			seccompProfile: {}
+			resources: requests: {
+				cpu:    "100m"
+				memory: "100Mi"
+			}
+			resourceQuotas: {
+				enabled: false
+				pods:    5000
+			}
+
+			// The number of pods that can be unavailable during rolling update (see
+			// `updateStrategy.rollingUpdate.maxUnavailable` here:
+			// https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec).
+			// May be specified as a number of pods or as a percent of the total number
+			// of pods at the start of the update.
+			rollingMaxUnavailable: 1
+		}
+
+		// Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+		revision: ""
+
+		// For Helm compatibility.
+		ownerName: ""
+		global: {
+			// Default hub for Istio images.
+			// Releases are published to docker hub under 'istio' project.
+			// Dev builds from prow are on gcr.io
+			hub: "docker.io/istio"
+
+			// Default tag for Istio images.
+			tag: "1.23.1"
+
+			// Variant of the image to use.
+			// Currently supported are: [debug, distroless]
+			variant: ""
+
+			// Specify image pull policy if default behavior isn't desired.
+			// Default behavior: latest images will be Always else IfNotPresent.
+			imagePullPolicy: ""
+
+			// change cni scope level to control logging out of istio-cni-node DaemonSet
+			logging: {
+				level: "info"
+			}
+			logAsJson: false
+
+			// ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+			// to use for pulling any images in pods that reference this ServiceAccount.
+			// For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+			// ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+			// Must be set for any cluster configured with private docker registry.
+			// - private-registry-key
+			imagePullSecrets: []
+
+			// Default resources allocated
+			defaultResources: {
+				requests: {
+					cpu:    "100m"
+					memory: "100Mi"
+				}
+			}
+		}
+	}
+}

internal/generate/components/v1alpha3/istio/components/istio/istiod/istiod.cue

@@ -0,0 +1,17 @@
+package holos
+
+// Produce a helm chart build plan.
+(#Helm & Chart).BuildPlan
+
+let Chart = {
+	Name:      "istiod"
+	Version:   #Istio.Version
+	Namespace: #Istio.System.Namespace
+
+	Chart: chart: name: "istiod"
+
+	Repo: name: "istio"
+	Repo: url:  "https://istio-release.storage.googleapis.com/charts"
+
+	Values: #Istio.Values
+}

internal/generate/components/v1alpha3/istio/components/istio/istiod/values.gen.cue

@@ -0,0 +1,539 @@
+package holos
+
+// imported from the 1.23.1 istiod chart
+// cue import components/istio/istiod/vendor/istiod/values.yaml
+
+#Istio: Values: {
+	// "defaults" is a workaround for Helm limitations. Users should NOT set ".defaults" explicitly, but rather directly set the fields internally.
+	// For instance, instead of `--set defaults.foo=bar`, just set `--set foo=bar`.
+	defaults: {
+
+		//.Values.pilot for discovery and mesh wide config
+		//# Discovery Settings
+		pilot: {
+			autoscaleEnabled: true
+			autoscaleMin:     1
+			autoscaleMax:     5
+			autoscaleBehavior: {}
+			replicaCount:          1
+			rollingMaxSurge:       "100%"
+			rollingMaxUnavailable: "25%"
+			hub:                   ""
+			tag:                   ""
+			variant:               ""
+
+			// Can be a full hub/image:tag
+			image:         "pilot"
+			traceSampling: 1.0
+
+			// Resources for a small pilot install
+			resources: {
+				requests: {
+					cpu:    "500m"
+					memory: "2048Mi"
+				}
+			}
+
+			// Set to `type: RuntimeDefault` to use the default profile if available.
+			seccompProfile: {}
+
+			// Whether to use an existing CNI installation
+			cni: {
+				enabled:  false
+				provider: "default"
+			}
+
+			// Additional container arguments
+			extraContainerArgs: []
+			env: {}
+
+			// Settings related to the untaint controller
+			// This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready
+			// It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes
+			taint: {
+				// Controls whether or not the untaint controller is active
+				enabled: false
+				// What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod
+				namespace: ""
+			}
+			affinity: {}
+			tolerations: []
+			cpu: targetAverageUtilization: 80
+			// targetAverageUtilization: 80
+			memory: {}
+
+			// Additional volumeMounts to the istiod container
+			volumeMounts: []
+
+			// Additional volumes to the istiod pod
+			volumes: []
+			nodeSelector: {}
+			podAnnotations: {}
+			serviceAnnotations: {}
+			serviceAccountAnnotations: {}
+			topologySpreadConstraints: []
+
+			// You can use jwksResolverExtraRootCA to provide a root certificate
+			// in PEM format. This will then be trusted by pilot when resolving
+			// JWKS URIs.
+			jwksResolverExtraRootCA: ""
+
+			// The following is used to limit how long a sidecar can be connected
+			// to a pilot. It balances out load across pilot instances at the cost of
+			// increasing system churn.
+			keepaliveMaxServerConnectionAge: "30m"
+
+			// Additional labels to apply to the deployment.
+			deploymentLabels: {}
+
+			//# Mesh config settings
+			// Install the mesh config map, generated from values.yaml.
+			// If false, pilot wil use default values (by default) or user-supplied values.
+			configMap: true
+
+			// Additional labels to apply on the pod level for monitoring and logging configuration.
+			podLabels: {}
+
+			// Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
+			ipFamilyPolicy: ""
+			ipFamilies: []
+
+			// Ambient mode only.
+			// Set this if you install ztunnel to a different namespace from `istiod`.
+			// If set, `istiod` will allow connections from trusted node proxy ztunnels
+			// in the provided namespace.
+			// If unset, `istiod` will assume the trusted node proxy ztunnel resides
+			// in the same namespace as itself.
+			trustedZtunnelNamespace: ""
+		}
+		sidecarInjectorWebhook: {
+			// You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
+			// always skip the injection on pods that match that label selector, regardless of the global policy.
+			// See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
+			neverInjectSelector: []
+			alwaysInjectSelector: []
+
+			// injectedAnnotations are additional annotations that will be added to the pod spec after injection
+			// This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations:
+			//
+			// annotations:
+			//   apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
+			//   apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
+			//
+			// The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before
+			// the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify:
+			// injectedAnnotations:
+			//   container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default
+			//   container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default
+			injectedAnnotations: {}
+
+			// This enables injection of sidecar in all namespaces,
+			// with the exception of namespaces with "istio-injection:disabled" annotation
+			// Only one environment should have this enabled.
+			enableNamespacesByDefault: false
+
+			// Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run
+			// once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten.
+			// Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur.
+			reinvocationPolicy:  "Never"
+			rewriteAppHTTPProbe: true
+
+			// Templates defines a set of custom injection templates that can be used. For example, defining:
+			//
+			// templates:
+			//   hello: |
+			//     metadata:
+			//       labels:
+			//         hello: world
+			//
+			// Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod
+			// being injected with the hello=world labels.
+			// This is intended for advanced configuration only; most users should use the built in template
+			templates: {}
+
+			// Default templates specifies a set of default templates that are used in sidecar injection.
+			// By default, a template `sidecar` is always provided, which contains the template of default sidecar.
+			// To inject other additional templates, define it using the `templates` option, and add it to
+			// the default templates list.
+			// For example:
+			//
+			// templates:
+			//   hello: |
+			//     metadata:
+			//       labels:
+			//         hello: world
+			//
+			// defaultTemplates: ["sidecar", "hello"]
+			defaultTemplates: []
+		}
+		istiodRemote: {
+			// Sidecar injector mutating webhook configuration clientConfig.url value.
+			// For example: https://$remotePilotAddress:15017/inject
+			// The host should not refer to a service running in the cluster; use a service reference by specifying
+			// the clientConfig.service field instead.
+			injectionURL: ""
+
+			// Sidecar injector mutating webhook configuration path value for the clientConfig.service field.
+			// Override to pass env variables, for example: /inject/cluster/remote/net/network2
+			injectionPath:     "/inject"
+			injectionCABundle: ""
+		}
+		telemetry: {
+			enabled: true
+			v2: {
+				// For Null VM case now.
+				// This also enables metadata exchange.
+				enabled: true
+				// Indicate if prometheus stats filter is enabled or not
+				prometheus: {
+					enabled: true
+				}
+				// stackdriver filter settings.
+				stackdriver: {
+					enabled: false
+				}
+			}
+		}
+		// Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+		revision: ""
+
+		// Revision tags are aliases to Istio control plane revisions
+		revisionTags: []
+
+		// For Helm compatibility.
+		ownerName: ""
+
+		// meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
+		// See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
+		meshConfig: {
+			enablePrometheusMerge: true
+		}
+		experimental: stableValidationPolicy: false
+		global: {
+			// Used to locate istiod.
+			istioNamespace: "istio-system"
+			// List of cert-signers to allow "approve" action in the istio cluster role
+			//
+			// certSigners:
+			//   - clusterissuers.cert-manager.io/istio-ca
+			certSigners: []
+			// enable pod disruption budget for the control plane, which is used to
+			// ensure Istio control plane components are gradually upgraded or recovered.
+			defaultPodDisruptionBudget: {
+				// The values aren't mutable due to a current PodDisruptionBudget limitation
+				// minAvailable: 1
+				enabled: true
+			}
+
+			// A minimal set of requested resources to applied to all deployments so that
+			// Horizontal Pod Autoscaler will be able to function (if set).
+			// Each component can overwrite these default values by adding its own resources
+			// block in the relevant section below and setting the desired resources values.
+			defaultResources: {
+				//   memory: 128Mi
+				// limits:
+				//   cpu: 100m
+				//   memory: 128Mi
+				requests: {
+					cpu: "10m"
+				}
+			}
+
+			// Default hub for Istio images.
+			// Releases are published to docker hub under 'istio' project.
+			// Dev builds from prow are on gcr.io
+			hub: "docker.io/istio"
+			// Default tag for Istio images.
+			tag: "1.23.1"
+			// Variant of the image to use.
+			// Currently supported are: [debug, distroless]
+			variant: ""
+
+			// Specify image pull policy if default behavior isn't desired.
+			// Default behavior: latest images will be Always else IfNotPresent.
+			imagePullPolicy: ""
+
+			// ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+			// to use for pulling any images in pods that reference this ServiceAccount.
+			// For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+			// ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+			// Must be set for any cluster configured with private docker registry.
+			// - private-registry-key
+			imagePullSecrets: []
+
+			// Enabled by default in master for maximising testing.
+			istiod: {
+				enableAnalysis: false
+			}
+
+			// To output all istio components logs in json format by adding --log_as_json argument to each container argument
+			logAsJson: false
+
+			// Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
+			// The control plane has different scopes depending on component, but can configure default log level across all components
+			// If empty, default scope and level will be used as configured in code
+			logging: {
+				level: "default:info"
+			}
+			omitSidecarInjectorConfigMap: false
+
+			// Configure whether Operator manages webhook configurations. The current behavior
+			// of Istiod is to manage its own webhook configurations.
+			// When this option is set as true, Istio Operator, instead of webhooks, manages the
+			// webhook configurations. When this option is set as false, webhooks manage their
+			// own webhook configurations.
+			operatorManageWebhooks: false
+
+			// Custom DNS config for the pod to resolve names of services in other
+			// clusters. Use this to add additional search domains, and other settings.
+			// see
+			// https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
+			// This does not apply to gateway pods as they typically need a different
+			// set of DNS settings than the normal application pods (e.g., in
+			// multicluster scenarios).
+			// NOTE: If using templates, follow the pattern in the commented example below.
+			//podDNSSearchNamespaces:
+			//- global
+			// Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
+			// system-node-critical, it is better to configure this in order to make sure your Istio pods
+			// will not be killed because of low priority class.
+			// Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+			// for more detail.
+			priorityClassName: ""
+			proxy: {
+				image: "proxyv2"
+
+				// This controls the 'policy' in the sidecar injector.
+				autoInject: "enabled"
+
+				// CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
+				// cluster domain. Default value is "cluster.local".
+				clusterDomain: "cluster.local"
+
+				// Per Component log level for proxy, applies to gateways and sidecars. If a component level is
+				// not set, then the global "logLevel" will be used.
+				componentLogLevel: "misc:error"
+
+				// If set, newly injected sidecars will have core dumps enabled.
+				enableCoreDump: false
+
+				// istio ingress capture allowlist
+				// examples:
+				//     Redirect only selected ports:            --includeInboundPorts="80,8080"
+				excludeInboundPorts: ""
+				includeInboundPorts: "*"
+
+				// istio egress capture allowlist
+				// https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
+				// example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
+				// would only capture egress traffic on those two IP Ranges, all other outbound traffic would
+				// be allowed by the sidecar
+				includeIPRanges:      "*"
+				excludeIPRanges:      ""
+				includeOutboundPorts: ""
+				excludeOutboundPorts: ""
+
+				// Log level for proxy, applies to gateways and sidecars.
+				// Expected values are: trace|debug|info|warning|error|critical|off
+				logLevel: "warning"
+
+				// Specify the path to the outlier event log.
+				// Example: /dev/stdout
+				outlierLogPath: ""
+
+				//If set to true, istio-proxy container will have privileged securityContext
+				privileged: false
+
+				// The number of successive failed probes before indicating readiness failure.
+				readinessFailureThreshold: 4
+
+				// The initial delay for readiness probes in seconds.
+				readinessInitialDelaySeconds: 0
+
+				// The period between readiness probes.
+				readinessPeriodSeconds: 15
+
+				// Enables or disables a startup probe.
+				// For optimal startup times, changing this should be tied to the readiness probe values.
+				//
+				// If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4.
+				// This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval),
+				// and doesn't spam the readiness endpoint too much
+				//
+				// If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30.
+				// This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly.
+				startupProbe: {
+					enabled:          true
+					failureThreshold: 600 // 10 minutes
+				}
+
+				// Resources for the sidecar.
+				resources: {
+					requests: {
+						cpu:    "100m"
+						memory: "128Mi"
+					}
+					limits: {
+						cpu:    "2000m"
+						memory: "1024Mi"
+					}
+				}
+
+				// Default port for Pilot agent health checks. A value of 0 will disable health checking.
+				statusPort: 15020
+
+				// Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none.
+				// If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
+				tracer: "none"
+			}
+			proxy_init: {
+				// Base name for the proxy_init container, used to configure iptables.
+				image: "proxyv2"
+			}
+
+			// configure remote pilot and istiod service and endpoint
+			remotePilotAddress: ""
+
+			//#############################################################################################
+			// The following values are found in other charts. To effectively modify these values, make   #
+			// make sure they are consistent across your Istio helm charts                                #
+			//#############################################################################################
+			// The customized CA address to retrieve certificates for the pods in the cluster.
+			// CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
+			// If not set explicitly, default to the Istio discovery address.
+			caAddress: ""
+
+			// Configure a remote cluster data plane controlled by an external istiod.
+			// When set to true, istiod is not deployed locally and only a subset of the other
+			// discovery charts are enabled.
+			externalIstiod: false
+
+			// Configure a remote cluster as the config cluster for an external istiod.
+			configCluster: false
+
+			// configValidation enables the validation webhook for Istio configuration.
+			configValidation: true
+
+			// Mesh ID means Mesh Identifier. It should be unique within the scope where
+			// meshes will interact with each other, but it is not required to be
+			// globally/universally unique. For example, if any of the following are true,
+			// then two meshes must have different Mesh IDs:
+			// - Meshes will have their telemetry aggregated in one place
+			// - Meshes will be federated together
+			// - Policy will be written referencing one mesh from the other
+			//
+			// If an administrator expects that any of these conditions may become true in
+			// the future, they should ensure their meshes have different Mesh IDs
+			// assigned.
+			//
+			// Within a multicluster mesh, each cluster must be (manually or auto)
+			// configured to have the same Mesh ID value. If an existing cluster 'joins' a
+			// multicluster mesh, it will need to be migrated to the new mesh ID. Details
+			// of migration TBD, and it may be a disruptive operation to change the Mesh
+			// ID post-install.
+			//
+			// If the mesh admin does not specify a value, Istio will use the value of the
+			// mesh's Trust Domain. The best practice is to select a proper Trust Domain
+			// value.
+			meshID: ""
+
+			// Configure the mesh networks to be used by the Split Horizon EDS.
+			//
+			// The following example defines two networks with different endpoints association methods.
+			// For `network1` all endpoints that their IP belongs to the provided CIDR range will be
+			// mapped to network1. The gateway for this network example is specified by its public IP
+			// address and port.
+			// The second network, `network2`, in this example is defined differently with all endpoints
+			// retrieved through the specified Multi-Cluster registry being mapped to network2. The
+			// gateway is also defined differently with the name of the gateway service on the remote
+			// cluster. The public IP for the gateway will be determined from that remote service (only
+			// LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
+			// it still need to be configured manually).
+			//
+			// meshNetworks:
+			//   network1:
+			//     endpoints:
+			//     - fromCidr: "192.168.0.1/24"
+			//     gateways:
+			//     - address: 1.1.1.1
+			//       port: 80
+			//   network2:
+			//     endpoints:
+			//     - fromRegistry: reg1
+			//     gateways:
+			//     - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
+			//       port: 443
+			//
+			meshNetworks: {}
+
+			// Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
+			mountMtlsCerts: false
+			multiCluster: {
+				// Set to true to connect two kubernetes clusters via their respective
+				// ingressgateway services when pods in each cluster cannot directly
+				// talk to one another. All clusters should be using Istio mTLS and must
+				// have a shared root CA for this model to work.
+				enabled: false
+				// Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
+				// to properly label proxies
+				clusterName: ""
+			}
+
+			// Network defines the network this cluster belong to. This name
+			// corresponds to the networks in the map of mesh networks.
+			network: ""
+
+			// Configure the certificate provider for control plane communication.
+			// Currently, two providers are supported: "kubernetes" and "istiod".
+			// As some platforms may not have kubernetes signing APIs,
+			// Istiod is the default
+			pilotCertProvider: "istiod"
+			sds: {
+				// The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
+				// When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
+				// JWT is intended for the CA.
+				token: {
+					aud: "istio-ca"
+				}
+			}
+			sts: {
+				// The service port used by Security Token Service (STS) server to handle token exchange requests.
+				// Setting this port to a non-zero value enables STS server.
+				servicePort: 0
+			}
+
+			// The name of the CA for workload certificates.
+			// For example, when caName=GkeWorkloadCertificate, GKE workload certificates
+			// will be used as the certificates for workloads.
+			// The default value is "" and when caName="", the CA will be configured by other
+			// mechanisms (e.g., environmental variable CA_PROVIDER).
+			caName: ""
+
+			// whether to use autoscaling/v2 template for HPA settings
+			// for internal usage only, not to be configured by users.
+			autoscalingv2API: true
+		}
+		base: {
+			// For istioctl usage to disable istio config crds in base
+			enableIstioConfigCRDs: true
+		}
+
+		// `istio_cni` has been deprecated and will be removed in a future release. use `pilot.cni` instead
+		istio_cni: {
+			// `chained` has been deprecated and will be removed in a future release. use `provider` instead
+			chained:  true
+			provider: "default"
+		}
+
+		// Gateway Settings
+		gateways: {
+			// Define the security context for the pod.
+			// If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
+			// On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
+			securityContext: {}
+
+			// Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it
+			seccompProfile: {}
+		}
+	}
+}

internal/generate/components/v1alpha3/istio/components/istio/ztunnel/values.gen.cue

@@ -0,0 +1,107 @@
+package holos
+
+// imported from the 1.23.1 ztunnel chart
+// cue import components/istio/ztunnel/vendor/ztunnel/values.yaml
+
+#Istio: Values: {
+	// "defaults" is a workaround for Helm limitations. Users should NOT set ".defaults" explicitly, but rather directly set the fields internally.
+	// For instance, instead of `--set defaults.foo=bar`, just set `--set foo=bar`.
+	defaults: {
+		// Hub to pull from. Image will be `Hub/Image:Tag-Variant`
+		hub: "docker.io/istio"
+		// Tag to pull from. Image will be `Hub/Image:Tag-Variant`
+		tag: "1.23.1"
+		// Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version.
+		variant: ""
+
+		// Image name to pull from. Image will be `Hub/Image:Tag-Variant`
+		// If Image contains a "/", it will replace the entire `image` in the pod.
+		image: "ztunnel"
+
+		// Labels to apply to all top level resources
+		labels: {}
+		// Annotations to apply to all top level resources
+		annotations: {}
+
+		// Additional volumeMounts to the ztunnel container
+		volumeMounts: []
+
+		// Additional volumes to the ztunnel pod
+		volumes: []
+
+		// Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments).
+		podAnnotations: {
+			"prometheus.io/port":   "15020"
+			"prometheus.io/scrape": "true"
+		}
+
+		// Additional labels to apply on the pod level
+		podLabels: {}
+
+		// Pod resource configuration
+		resources: {
+			requests: {
+				cpu: "200m"
+				// Ztunnel memory scales with the size of the cluster and traffic load
+				// While there are many factors, this is enough for ~200k pod cluster or 100k concurrently open connections.
+				memory: "512Mi"
+			}
+		}
+
+		// List of secret names to add to the service account as image pull secrets
+		imagePullSecrets: []
+
+		// A `key: value` mapping of environment variables to add to the pod
+		env: {}
+
+		// Override for the pod imagePullPolicy
+		imagePullPolicy: ""
+
+		// Settings for multicluster
+		multiCluster: {
+			// The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent
+			// with Istiod configuration.
+			clusterName: ""
+		}
+
+		// meshConfig defines runtime configuration of components.
+		// For ztunnel, only defaultConfig is used, but this is nested under `meshConfig` for consistency with other
+		// components.
+		// TODO: https://github.com/istio/istio/issues/43248
+		meshConfig: {
+			defaultConfig: proxyMetadata: {}
+		}
+
+		// This value defines:
+		// 1. how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value)
+		// 2. how many seconds ztunnel waits to drain its own connections (this value - 1 sec)
+		// Default K8S value is 30 seconds
+		terminationGracePeriodSeconds: 30
+
+		// Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+		// Used to locate the XDS and CA, if caAddress or xdsAddress are not set explicitly.
+		revision: ""
+
+		// The customized CA address to retrieve certificates for the pods in the cluster.
+		// CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
+		caAddress: ""
+
+		// The customized XDS address to retrieve configuration.
+		// This should include the port - 15012 for Istiod. TLS will be used with the certificates in "istiod-ca-cert" secret.
+		// By default, it is istiod.istio-system.svc:15012 if revision is not set, or istiod-<revision>.<istioNamespace>.svc:15012
+		xdsAddress: ""
+
+		// Used to locate the XDS and CA, if caAddress or xdsAddress are not set.
+		istioNamespace: "istio-system"
+
+		// Configuration log level of ztunnel binary, default is info.
+		// Valid values are: trace, debug, info, warn, error
+		logLevel: "info"
+
+		// Set to `type: RuntimeDefault` to use the default profile if available.
+		// TODO Ambient inpod - for OpenShift, set to the following to get writable sockets in hostmounts to work, eventually consider CSI driver instead
+		//seLinuxOptions:
+		//  type: spc_t
+		seLinuxOptions: {}
+	}
+}

internal/generate/components/v1alpha3/istio/components/istio/ztunnel/ztunnel.cue

@@ -0,0 +1,17 @@
+package holos
+
+// Produce a helm chart build plan.
+(#Helm & Chart).BuildPlan
+
+let Chart = {
+	Name:      "istio-ztunnel"
+	Version:   #Istio.Version
+	Namespace: #Istio.System.Namespace
+
+	Chart: chart: name: "ztunnel"
+
+	Repo: name: "istio"
+	Repo: url:  "https://istio-release.storage.googleapis.com/charts"
+
+	Values: #Istio.Values
+}

internal/generate/components/v1alpha3/istio/istio.gen.cue

@@ -0,0 +1,39 @@
+package holos
+
+// #Istio represents platform wide configuration
+#Istio: {
+	Version: "1.23.1"
+	System: Namespace: "istio-system"
+
+	// Constrain Helm values for safer, easier upgrades and consistency across
+	// platform components.
+	Values: global: istioNamespace: System.Namespace
+
+	// Configure ambient mode
+	Values: profile: "ambient"
+}
+
+// Register the Namespaces
+#Namespaces: (#Istio.System.Namespace): _
+
+// Manage istio on workload clusters
+for Cluster in #Fleets.workload.clusters {
+	#Platform: Components: {
+		"\(Cluster.name)/istio-base": {
+			path:    "components/istio/base"
+			cluster: Cluster.name
+		}
+		"\(Cluster.name)/istiod": {
+			path:    "components/istio/istiod"
+			cluster: Cluster.name
+		}
+		"\(Cluster.name)/istio-cni": {
+			path:    "components/istio/cni"
+			cluster: Cluster.name
+		}
+		"\(Cluster.name)/istio-ztunnel": {
+			path:    "components/istio/ztunnel"
+			cluster: Cluster.name
+		}
+	}
+}

internal/generate/components/v1alpha3/istio/schematic.json

@@ -0,0 +1,5 @@
+{
+  "name": "istio",
+  "short": "istio service mesh",
+  "long": "Easily build cloud native workloads securely and reliably with Istio."
+}

internal/generate/components/v1alpha3/local-ca/components/local-ca/local-ca.cue

@@ -0,0 +1,20 @@
+package holos
+
+import ci "cert-manager.io/clusterissuer/v1"
+
+// Produce a kubernetes objects build plan.
+(#Kubernetes & Objects).BuildPlan
+
+let Objects = {
+	Name:      "local-ca"
+	Namespace: #CertManager.Namespace
+
+	Resources: ClusterIssuer: LocalCA: ci.#ClusterIssuer & {
+		metadata: name:      "local-ca"
+		metadata: namespace: #CertManager.Namespace
+
+		// The secret name must align with the local cluster guide at
+		// https://holos.run/docs/guides/local-cluster/
+		spec: ca: secretName: "local-ca"
+	}
+}

internal/generate/components/v1alpha3/local-ca/local-ca.gen.cue

@@ -0,0 +1,11 @@
+package holos
+
+// Manage the component on every cluster in the platform
+for Fleet in #Fleets {
+	for Cluster in Fleet.clusters {
+		#Platform: Components: "\(Cluster.name)/{{ .Name }}": {
+			path:    "components/local-ca"
+			cluster: Cluster.name
+		}
+	}
+}

internal/generate/components/v1alpha3/local-ca/schematic.json

@@ -0,0 +1,6 @@
+{
+  "name": "local-ca",
+  "short": "manages a cluster issuer for use with our guides",
+  "long": "manages a cluster issuer that uses the mkcert ca private key to issue certs",
+  "namespace": "cert-manager"
+}

internal/generate/components/v1alpha3/namespaces/components/namespaces/namespaces.cue

@@ -0,0 +1,9 @@
+package holos
+
+let Objects = {
+	Name: "namespaces"
+	Resources: Namespace: #Namespaces
+}
+
+// Produce a kubernetes objects build plan.
+(#Kubernetes & Objects).BuildPlan

internal/generate/components/v1alpha3/namespaces/namespaces.gen.cue

@@ -0,0 +1,21 @@
+package holos
+
+import corev1 "k8s.io/api/core/v1"
+
+// #Namespaces defines all managed namespaces in the Platform.
+// Holos adopts the sig-multicluster position of namespace sameness.
+#Namespaces: {
+	[Name=string]: corev1.#Namespace & {
+		metadata: name: Name
+	}
+}
+
+// Manage the Component on every Cluster in the Platform
+for Fleet in #Fleets {
+	for Cluster in Fleet.clusters {
+		#Platform: Components: "\(Cluster.name)/namespaces": {
+			path:    "components/namespaces"
+			cluster: Cluster.name
+		}
+	}
+}

internal/generate/components/v1alpha3/namespaces/schematic.json

@@ -0,0 +1,5 @@
+{
+  "name": "namespaces",
+  "short": "manage namespaces consistently",
+  "long": "Provides the #Namespaces root struct for components to register with."
+}

internal/generate/components/v1alpha3/podinfo/components/podinfo/podinfo.gen.cue

@@ -1,7 +1,7 @@
 package holos
 
 // Produce a helm chart build plan.
-(#Helm & Chart).Output
+(#Helm & Chart).BuildPlan
 
 let Chart = {
 	Name:      "{{ .Name }}"

internal/generate/components/v1alpha3/referencegrant/referencegrant.gen.cue

@@ -0,0 +1,17 @@
+package holos
+
+import rg "gateway.networking.k8s.io/referencegrant/v1beta1"
+
+#ReferenceGrant: rg.#ReferenceGrant & {
+	metadata: name:      #Istio.Gateway.Namespace
+	metadata: namespace: string
+	spec: from: [{
+		group:     "gateway.networking.k8s.io"
+		kind:      "HTTPRoute"
+		namespace: #Istio.Gateway.Namespace
+	}]
+	spec: to: [{
+		group: ""
+		kind:  "Service"
+	}]
+}

internal/generate/components/v1alpha3/referencegrant/schematic.json

@@ -0,0 +1,4 @@
+{
+  "name": "referencegrant",
+  "short": "provides #ReferenceGrant at the root"
+}

internal/generate/components/v1alpha3/workload-cluster/schematic.json

@@ -0,0 +1,5 @@
+{
+  "name": "workload-cluter",
+  "short": "define a workload cluster for the guides",
+  "long": "Define a workload cluster named workload for use with the documentation."
+}

internal/generate/components/v1alpha3/workload-cluster/workload-cluster.gen.cue

@@ -0,0 +1,4 @@
+package holos
+
+// Manage a workload cluster named workload for use with the guides.
+#Fleets: workload: clusters: workload: _

internal/generate/platforms/cue.mod/gen/gateway.networking.k8s.io/gateway/v1/types_gen.cue

@@ -668,5 +668,5 @@ import (
 				}
 			}
 		}
-	}] & [_, ...]
+	}]
 }

internal/generate/platforms/cue.mod/gen/github.com/holos-run/holos/api/schema/v1alpha3/definitions_go_gen.cue

@@ -13,12 +13,27 @@ import (
 	"google.golang.org/protobuf/types/known/structpb"
 )
 
+// Component represents the fields common the different kinds of component.  All
+// components have a name, support mixing in resources, and produce a BuildPlan.
+#ComponentFields: {
+	// Name represents the Component name.
+	Name: string
+
+	// Resources are kubernetes api objects to mix into the output.
+	Resources: {...} @go(,map[string]any)
+
+	// ArgoConfig represents the ArgoCD GitOps configuration for this Component.
+	ArgoConfig: #ArgoConfig
+
+	// BuildPlan represents the derived BuildPlan for the Holos cli to render.
+	BuildPlan: core.#BuildPlan
+}
+
 // Helm provides a BuildPlan via the Output field which contains one HelmChart
 // from package core.  Useful as a convenience wrapper to render a HelmChart
 // with optional mix-in resources and Kustomization post-processing.
 #Helm: {
-	// Name represents the chart name.
-	Name: string
+	#ComponentFields
 
 	// Version represents the chart version.
 	Version: string
@@ -26,9 +41,6 @@ import (
 	// Namespace represents the helm namespace option when rendering the chart.
 	Namespace: string
 
-	// Resources are kubernetes api objects to mix into the output.
-	Resources: {...} & {...} @go(,map[string]any)
-
 	// Repo represents the chart repository
 	Repo: {
 		name: string @go(Name)
@@ -62,12 +74,24 @@ import (
 	// KustomizeResources represents additional resources files to include in the
 	// kustomize resources list.
 	KustomizeResources: {...} & {[string]: {...}} @go(,map[string]any)
+}
 
-	// ArgoConfig represents the ArgoCD GitOps configuration for this Component.
-	ArgoConfig: #ArgoConfig
+// Kustomize provides a BuildPlan via the Output field which contains one
+// KustomizeBuild from package core.
+#Kustomize: {
+	#ComponentFields
 
-	// Output represents the derived BuildPlan for the Holos cli to render.
-	Output: core.#BuildPlan
+	// Kustomization represents the kustomize build plan for holos to render.
+	Kustomization: core.#KustomizeBuild
+}
+
+// Kubernetes provides a BuildPlan via the Output field which contains inline
+// API Objects provided directly from CUE.
+#Kubernetes: {
+	#ComponentFields
+
+	// Objects represents the kubernetes api objects for the Component.
+	Objects: core.#KubernetesObjects
 }
 
 // ArgoConfig represents the ArgoCD GitOps configuration for a Component.
@@ -94,6 +118,9 @@ import (
 	// Application.spec.source.targetRevision field.  Defaults to the branch named
 	// main.
 	TargetRevision: string & (string | *"main")
+
+	// AppProject represents the ArgoCD Project to associate the Application with.
+	AppProject: string & (string | *"default")
 }
 
 // Cluster represents a cluster managed by the Platform.
@@ -127,7 +154,7 @@ import (
 	workload: #Fleet & {name: "workload"} @go(Workload)
 
 	// Management represents a Fleet with one Cluster named management.
-	management: #Fleet & {name: "management", clusters: management: _} @go(Management)
+	management: #Fleet & {name: "management"} @go(Management)
 }
 
 // Platform is a convenience structure to produce a core Platform specification
@@ -148,4 +175,9 @@ import (
 	// Output represents the core Platform spec for the holos cli to iterate over
 	// and render each listed Component, injecting the Model.
 	Output: core.#Platform
+
+	// Domain represents the primary domain the Platform operates in.  This field
+	// is intended as a sensible default for component authors to reference and
+	// platform operators to define.
+	Domain: string & (string | *"holos.localhost")
 }

internal/generate/platforms/cue.mod/pkg/github.com/holos-run/holos/api/core/v1alpha3/apiobjects.cue

@@ -0,0 +1,16 @@
+package v1alpha3
+
+import "encoding/yaml"
+
+// #APIObjects defines the output format for kubernetes api objects.  The holos
+// cli expects the yaml representation of each api object in the apiObjectMap
+// field.
+#APIObjects: {
+	apiObjects: {...}
+
+	for kind, v in apiObjects {
+		for name, obj in v {
+			apiObjectMap: (kind): (name): yaml.Marshal(obj)
+		}
+	}
+}

internal/generate/platforms/cue.mod/pkg/github.com/holos-run/holos/api/schema/v1alpha3/definitions.cue

@@ -4,41 +4,47 @@ import (
 	"encoding/yaml"
 	core "github.com/holos-run/holos/api/core/v1alpha3"
 	kc "sigs.k8s.io/kustomize/api/types"
-
-	corev1 "k8s.io/api/core/v1"
-	appsv1 "k8s.io/api/apps/v1"
-	rbacv1 "k8s.io/api/rbac/v1"
-	batchv1 "k8s.io/api/batch/v1"
-
 	app "argoproj.io/application/v1alpha1"
 )
 
-#Resources: {
-	[Kind=string]: [InternalLabel=string]: {
-		kind: Kind
-		metadata: name: string | *InternalLabel
-	}
+#Platform: {
+	Name:  _
+	Model: _
+	Components: [string]: _
 
-	ClusterRole: [_]:        rbacv1.#ClusterRole
-	ClusterRoleBinding: [_]: rbacv1.#ClusterRoleBinding
-	ConfigMap: [_]:          corev1.#ConfigMap
-	CronJob: [_]:            batchv1.#CronJob
-	Deployment: [_]:         appsv1.#Deployment
-	Job: [_]:                batchv1.#Job
-	Namespace: [_]:          corev1.#Namespace
-	Role: [_]:               rbacv1.#Role
-	RoleBinding: [_]:        rbacv1.#RoleBinding
-	Service: [_]:            corev1.#Service
-	ServiceAccount: [_]:     corev1.#ServiceAccount
-	StatefulSet: [_]:        appsv1.#StatefulSet
-	...
+	// TODO: Rename this field to the kind of thing it produces like we renamed
+	// component Output to BuildPlan.
+	Output: metadata: name: Name
+	Output: spec: model:    Model
+	Output: spec: components: [for c in Components {c}]
+}
+
+#BuildPlan: core.#BuildPlan & {
+	_Name:       string
+	_Namespace?: string
+	_ArgoConfig: #ArgoConfig
+
+	if _ArgoConfig.Enabled {
+		let NAME = "gitops/\(_Name)"
+
+		// Render the ArgoCD Application for GitOps as an additional Component of
+		// the BuildPlan.
+		spec: components: resources: (NAME): {
+			metadata: name: NAME
+			if _Namespace != _|_ {
+				metadata: namespace: _Namespace
+			}
+
+			deployFiles: (#Argo & {ComponentName: _Name, ArgoConfig: _ArgoConfig}).deployFiles
+		}
+	}
 }
 
 #Helm: {
 	Name:      string
 	Version:   string
 	Namespace: string
-	Resources: #Resources
+	Resources: _
 
 	Repo: {
 		name: string | *""
@@ -51,7 +57,7 @@ import (
 		metadata: name:      string | *Name
 		metadata: namespace: string | *Namespace
 		chart: name:         string | *Name
-		chart: release:      chart.name
+		chart: release:      string | *chart.name
 		chart: version:      string | *Version
 		chart: repository:   Repo
 
@@ -71,7 +77,7 @@ import (
 			}
 		}
 
-		apiObjectMap: (#APIObjects & {apiObjects: Resources}).apiObjectMap
+		apiObjectMap: (core.#APIObjects & {apiObjects: Resources}).apiObjectMap
 	}
 
 	// EnableKustomizePostProcessor processes helm output with kustomize if true.
@@ -105,8 +111,7 @@ import (
 	// ArgoConfig represents the ArgoCD GitOps integration for this Component.
 	ArgoConfig: _
 
-	// output represents the build plan provided to the holos cli.
-	Output: #BuildPlan & {
+	BuildPlan: #BuildPlan & {
 		_Name:       Name
 		_Namespace:  Namespace
 		_ArgoConfig: ArgoConfig
@@ -114,24 +119,35 @@ import (
 	}
 }
 
-#BuildPlan: core.#BuildPlan & {
-	_Name:       string
-	_Namespace?: string
-	_ArgoConfig: #ArgoConfig
+#Kustomize: {
+	Name: _
+	Resources: {...}
+	Kustomization: metadata: name: string | *Name
+	Kustomization: apiObjectMap: (core.#APIObjects & {apiObjects: Resources}).apiObjectMap
 
-	if _ArgoConfig.Enabled {
-		let NAME = "gitops/\(_Name)"
+	// ArgoConfig represents the ArgoCD GitOps integration for this Component.
+	ArgoConfig: _
 
-		// Render the ArgoCD Application for GitOps as an additional Component of
-		// the BuildPlan.
-		spec: components: resources: (NAME): {
-			metadata: name: NAME
-			if _Namespace != _|_ {
-				metadata: namespace: _Namespace
-			}
+	BuildPlan: #BuildPlan & {
+		_Name:       Name
+		_ArgoConfig: ArgoConfig
+		spec: components: kustomizeBuildList: [Kustomization]
+	}
+}
 
-			deployFiles: (#Argo & {ComponentName: _Name, ArgoConfig: _ArgoConfig}).deployFiles
-		}
+#Kubernetes: {
+	Name: _
+	Resources: {...}
+	Objects: metadata: name: string | *Name
+	Objects: apiObjectMap: (core.#APIObjects & {apiObjects: Resources}).apiObjectMap
+
+	// ArgoConfig represents the ArgoCD GitOps integration for this Component.
+	ArgoConfig: _
+
+	BuildPlan: #BuildPlan & {
+		_Name:       Name
+		_ArgoConfig: ArgoConfig
+		spec: components: kubernetesObjectsList: [Objects]
 	}
 }
 
@@ -146,7 +162,7 @@ import (
 		metadata: namespace: "argocd"
 		spec: {
 			destination: server: "https://kubernetes.default.svc"
-			project: "default"
+			project: ArgoConfig.AppProject
 			source: {
 				path:           "\(ArgoConfig.DeployRoot)/deploy/clusters/\(ArgoConfig.ClusterName)/components/\(ComponentName)"
 				repoURL:        ArgoConfig.RepoURL
@@ -176,35 +192,3 @@ import (
 		maxDuration: string | *"3m0s"
 	}
 }
-
-// #APIObjects defines the output format for kubernetes api objects.  The holos
-// cli expects the yaml representation of each api object in the apiObjectMap
-// field.
-#APIObjects: core.#APIObjects & {
-	// apiObjects represents the un-marshalled form of each kubernetes api object
-	// managed by a holos component.
-	apiObjects: {
-		[Kind=string]: {
-			[string]: {
-				kind: Kind
-				...
-			}
-		}
-	}
-
-	// apiObjectMap holds the marshalled representation of apiObjects
-	for kind, v in apiObjects {
-		for name, obj in v {
-			apiObjectMap: (kind): (name): yaml.Marshal(obj)
-		}
-	}
-}
-
-#Platform: {
-	Name:  _
-	Model: _
-	Components: [string]: _
-	Output: metadata: name: Name
-	Output: spec: model:    Model
-	Output: spec: components: [for c in Components {c}]
-}

internal/generate/platforms/cue.mod/pkg/github.com/holos-run/holos/api/v1alpha1/apiobjects.cue

@@ -1,33 +1,12 @@
 package v1alpha1
 
-import "encoding/yaml"
-
-import core "k8s.io/api/core/v1"
-
 // #APIObjects defines the output format for kubernetes api objects.  The holos
 // cli expects the yaml representation of each api object in the apiObjectMap
 // field.
 #APIObjects: {
 	// apiObjects represents the un-marshalled form of each kubernetes api object
 	// managed by a holos component.
-	apiObjects: {
-		[Kind=string]: {
-			[string]: {
-				kind: Kind
-				...
-			}
-		}
-		ConfigMap: [string]: core.#ConfigMap & {apiVersion: "v1"}
-	}
-
+	apiObjects: [Kind=string]: [string]: kind: Kind
 	// apiObjectMap holds the marshalled representation of apiObjects
-	apiObjectMap: {
-		for kind, v in apiObjects {
-			"\(kind)": {
-				for name, obj in v {
-					"\(name)": yaml.Marshal(obj)
-				}
-			}
-		}
-	}
+	apiObjectsMap: [string]: [string]: string
 }

internal/generate/platforms/guide/resources.cue

@@ -0,0 +1,44 @@
+package holos
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	appsv1 "k8s.io/api/apps/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
+	batchv1 "k8s.io/api/batch/v1"
+
+	ci "cert-manager.io/clusterissuer/v1"
+	rgv1 "gateway.networking.k8s.io/referencegrant/v1beta1"
+	certv1 "cert-manager.io/certificate/v1"
+	hrv1 "gateway.networking.k8s.io/httproute/v1"
+	gwv1 "gateway.networking.k8s.io/gateway/v1"
+	ap "argoproj.io/appproject/v1alpha1"
+)
+
+#Resources: {
+	[Kind=string]: [InternalLabel=string]: {
+		kind: Kind
+		metadata: name: string | *InternalLabel
+	}
+
+	AppProject: [_]:         ap.#AppProject
+	Certificate: [_]:        certv1.#Certificate
+	ClusterIssuer: [_]:      ci.#ClusterIssuer
+	ClusterRole: [_]:        rbacv1.#ClusterRole
+	ClusterRoleBinding: [_]: rbacv1.#ClusterRoleBinding
+	ConfigMap: [_]:          corev1.#ConfigMap
+	CronJob: [_]:            batchv1.#CronJob
+	Deployment: [_]:         appsv1.#Deployment
+	HTTPRoute: [_]:          hrv1.#HTTPRoute
+	Job: [_]:                batchv1.#Job
+	Namespace: [_]:          corev1.#Namespace
+	ReferenceGrant: [_]:     rgv1.#ReferenceGrant
+	Role: [_]:               rbacv1.#Role
+	RoleBinding: [_]:        rbacv1.#RoleBinding
+	Service: [_]:            corev1.#Service
+	ServiceAccount: [_]:     corev1.#ServiceAccount
+	StatefulSet: [_]:        appsv1.#StatefulSet
+
+	Gateway: [_]: gwv1.#Gateway & {
+		spec: gatewayClassName: string | *"istio"
+	}
+}

internal/generate/platforms/guide/schema.gen.cue

@@ -2,14 +2,18 @@ package holos
 
 import schema "github.com/holos-run/holos/api/schema/v1alpha3"
 
-#Helm: schema.#Helm & {
+#Platform: schema.#Platform
+#Fleets:   schema.#StandardFleets
+
+_ComponentConfig: {
+	Resources:  #Resources
 	ArgoConfig: #ArgoConfig
 }
 
+#Helm:       schema.#Helm & _ComponentConfig
+#Kustomize:  schema.#Kustomize & _ComponentConfig
+#Kubernetes: schema.#Kubernetes & _ComponentConfig
+
 #ArgoConfig: schema.#ArgoConfig & {
 	ClusterName: _ClusterName
 }
-
-#Fleets: schema.#StandardFleets
-
-#Platform: schema.#Platform

internal/generate/platforms/holos/apps/dev/holos/app/dev-holos-app.cue

@@ -1,7 +1,7 @@
 package holos
 
 // Produce a kubernetes objects build plan.
-(#Kubernetes & Objects).Output
+(#Kubernetes & Objects).BuildPlan
 
 let Image = "quay.io/holos-run/holos:v0.83.1-7-gd9fe32b"
 

internal/generate/platforms/holos/apps/dev/holos/infra/dev-holos-infra.cue

@@ -1,7 +1,7 @@
 package holos
 
 // Produce a kubernetes objects build plan.
-(#Kubernetes & Objects).Output
+(#Kubernetes & Objects).BuildPlan
 
 _AppInfo: spec: component: "infra"
 

internal/generate/platforms/holos/apps/dev/holos/routes/dev-holos-routes.cue

@@ -1,7 +1,7 @@
 package holos
 
 // Produce a kubernetes objects build plan.
-(#Kubernetes & Objects).Output
+(#Kubernetes & Objects).BuildPlan
 
 _AppInfo: spec: component: "routes"
 

internal/generate/platforms/holos/components/argo/cd/argo-cd.cue

@@ -6,7 +6,7 @@ import (
 )
 
 // Produce a helm chart build plan.
-(#Helm & Chart).Output
+(#Helm & Chart).BuildPlan
 
 let Chart = {
 	Name:      "argo-cd"

internal/generate/platforms/holos/components/argo/crds/argocd-crds.cue

@@ -1,4 +1,4 @@
 package holos
 
 // Produce a kubectl kustomize build plan.
-(#Kustomize & {Name: "argo-crds"}).Output
+(#Kustomize & {Name: "argo-crds"}).BuildPlan

internal/generate/platforms/holos/components/argo/creds/argo-creds.cue

@@ -1,7 +1,7 @@
 package holos
 
 // Produce a kubernetes objects build plan.
-(#Kubernetes & Objects).Output
+(#Kubernetes & Objects).BuildPlan
 
 let Objects = {
 	Name:      "argo-creds"

internal/generate/platforms/holos/components/argo/routes/argocd-routes.cue

@@ -1,7 +1,7 @@
 package holos
 
 // Produce a kubernetes objects build plan.
-(#Kubernetes & Objects).Output
+(#Kubernetes & Objects).BuildPlan
 
 let Objects = {
 	Name:      "argocd-routes"

internal/generate/platforms/holos/components/backstage/management/certs/postgres-certs.cue

@@ -14,7 +14,7 @@ import (
 // Refer to [Using Cert Manager to Deploy TLS for Postgres on Kubernetes](https://www.crunchydata.com/blog/using-cert-manager-to-deploy-tls-for-postgres-on-kubernetes)
 
 // Produce a kubernetes objects build plan.
-(#Kubernetes & Objects).Output
+(#Kubernetes & Objects).BuildPlan
 
 let SelfSigned = "\(_DBName)-selfsigned"
 let RootCA = "\(_DBName)-root-ca"

internal/generate/platforms/holos/components/backstage/workload/backend/backstage-backend.cue

@@ -3,7 +3,7 @@ package holos
 import "encoding/yaml"
 
 // Produce a kubernetes objects build plan.
-(#Kubernetes & Objects).Output
+(#Kubernetes & Objects).BuildPlan
 
 let ContainerPort = _Component.spec.port
 

internal/generate/platforms/holos/components/backstage/workload/database/postgres.cue

@@ -1,7 +1,7 @@
 package holos
 
 // Produce a kubernetes objects build plan.
-(#Kubernetes & Objects).Output
+(#Kubernetes & Objects).BuildPlan
 
 // Restore from backup.  Flip this to true after the database is provisioned and
 // a backup has been taken.

internal/generate/platforms/holos/components/backstage/workload/routes/backstage-routes.cue

@@ -1,7 +1,7 @@
 package holos
 
 // Produce a kubernetes objects build plan.
-(#Kubernetes & Objects).Output
+(#Kubernetes & Objects).BuildPlan
 
 let Objects = {
 	Name:      "\(_Component.metadata.name)-routes"

internal/generate/platforms/holos/components/backstage/workload/secrets/secrets.cue

@@ -1,7 +1,7 @@
 package holos
 
 // Produce a kubernetes objects build plan.
-(#Kubernetes & Objects).Output
+(#Kubernetes & Objects).BuildPlan
 
 let Objects = {
 	Name:      "backstage-secrets"

internal/generate/platforms/holos/components/cert-letsencrypt/letsencrypt.cue

@@ -3,7 +3,7 @@ package holos
 import ci "cert-manager.io/clusterissuer/v1"
 
 // Produce a kubernetes objects build plan.
-(#Kubernetes & Objects).Output
+(#Kubernetes & Objects).BuildPlan
 
 // The cloudflare api token is platform scoped, not cluster scoped.
 #SecretName: "cloudflare-api-token-secret"

internal/generate/platforms/holos/components/cert-manager/cert-manager.cue

@@ -1,7 +1,7 @@
 package holos
 
 // Produce a helm chart build plan.
-(#Helm & Chart).Output
+(#Helm & Chart).BuildPlan
 
 let Chart = {
 	Name:      "cert-manager"

internal/generate/platforms/holos/components/certificates/certificates.cue

@@ -8,4 +8,4 @@ let Objects = {
 }
 
 // Produce a kubernetes objects build plan.
-(#Kubernetes & Objects).Output
+(#Kubernetes & Objects).BuildPlan

internal/generate/platforms/holos/components/crossplane/controller/crossplane.cue

@@ -8,7 +8,7 @@ import (
 )
 
 // Produce a helm chart build plan.
-(#Helm & Chart).Output
+(#Helm & Chart).BuildPlan
 
 // https://github.com/crossplane/crossplane/releases
 let CrossplaneVersion = "1.16.0"

internal/generate/platforms/holos/components/crossplane/crds/crossplane_crds.cue

@@ -1,4 +1,4 @@
 package holos
 
 // Produce a kubectl kustomize build plan.
-(#Kustomize & {Name: "crossplane_crds"}).Output
+(#Kustomize & {Name: "crossplane_crds"}).BuildPlan