docs: support brew install (#327)

Previously errors were not logged, giving no indication what went wrong.
This patch changes the error handler to log errors from helm.

.cspell.json

@@ -6,10 +6,12 @@
   ],
   "words": [
     "acmesolver",
+    "acraccesstoken",
     "acraccesstokens",
     "admissionregistration",
     "alertmanager",
     "alertmanagers",
+    "anchore",
     "anthos",
     "apiextensions",
     "apimachinery",
@@ -74,9 +76,11 @@
     "deploymentruntimeconfig",
     "destinationrule",
     "destinationrules",
+    "devel",
     "devicecode",
     "dnsmasq",
     "dscacheutil",
+    "ecrauthorizationtoken",
     "ecrauthorizationtokens",
     "edns",
     "endpointslices",
@@ -95,6 +99,7 @@
     "fullname",
     "gatewayclass",
     "gatewayclasses",
+    "gcraccesstoken",
     "gcraccesstokens",
     "gendoc",
     "generationbehavior",
@@ -103,6 +108,7 @@
     "genproto",
     "ggnpl",
     "ghaction",
+    "githubaccesstoken",
     "githubaccesstokens",
     "gitops",
     "GOBIN",
@@ -133,6 +139,7 @@
     "httproute",
     "httproutes",
     "iampolicygenerator",
+    "incpatch",
     "Infima",
     "intstr",
     "isatty",
@@ -149,6 +156,7 @@
     "kubelet",
     "kubelogin",
     "kubernetesobjects",
+    "kubeversion",
     "Kustomization",
     "Kustomizations",
     "kustomize",
@@ -251,6 +259,7 @@
     "rolebinding",
     "rootfs",
     "ropc",
+    "sboms",
     "seccomp",
     "secretargs",
     "SECRETKEY",
@@ -300,6 +309,7 @@
     "typemeta",
     "udev",
     "uibutton",
+    "Unmarshal",
     "unstage",
     "untar",
     "upbound",
@@ -311,6 +321,7 @@
     "userservice",
     "validatingwebhookconfiguration",
     "validatingwebhookconfigurations",
+    "vaultdynamicsecret",
     "vaultdynamicsecrets",
     "virtualservice",
     "virtualservices",

.github/workflows/release.yaml

@@ -35,6 +35,9 @@ jobs:
         with:
           go-version: stable
 
+      - name: Setup Syft
+        uses: anchore/sbom-action/download-syft@1ca97d9028b51809cf6d3c934c3e160716e1b605 # v0.17.5
+
       # Necessary to run these outside of goreleaser, otherwise
       # /home/runner/_work/holos/holos/internal/frontend/node_modules/.bin/protoc-gen-connect-query is not in PATH
       - name: Install Tools
@@ -54,11 +57,19 @@ jobs:
       - name: Git diff
         run: git diff
 
+      - uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          owner: ${{ github.repository_owner }}
+          app-id: ${{ vars.GORELEASER_APP_ID }}
+          private-key: ${{ secrets.GORELEASER_APP_PRIVATE_KEY }}
+
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v5
         with:
           distribution: goreleaser
-          version: latest
+          version: '~> v2'
           args: release --clean
         env:
+          HOMEBREW_TAP_GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.goreleaser.yaml

@@ -6,7 +6,7 @@
 # yaml-language-server: $schema=https://goreleaser.com/static/schema.json
 # vim: set ts=2 sw=2 tw=0 fo=cnqoj
 
-version: 1
+version: 2
 
 before:
   hooks:
@@ -50,3 +50,39 @@ changelog:
     exclude:
       - "^docs:"
       - "^test:"
+
+source:
+  enabled: true
+  name_template: '{{ .ProjectName }}_{{ .Version }}_source_code'
+
+sboms:
+  - id: source
+    artifacts: source
+    documents:
+      - "{{ .ProjectName }}_{{ .Version }}_sbom.spdx.json"
+
+brews:
+  - name: holos
+    repository:
+      owner: holos-run
+      name: homebrew-tap
+      branch: main
+      token: "{{ .Env.HOMEBREW_TAP_GITHUB_TOKEN }}"
+    directory: Formula
+    homepage: "https://holos.run"
+    description: "Holos CLI"
+    dependencies:
+      - name: helm
+        type: optional
+      - name: kubectl
+        type: optional
+    install: |
+      bin.install "holos"
+      bash_output = Utils.safe_popen_read(bin/"holos", "completion", "bash")
+      (bash_completion/"holos").write bash_output
+      zsh_output = Utils.safe_popen_read(bin/"holos", "completion", "zsh")
+      (zsh_completion/"_holos").write zsh_output
+      fish_output = Utils.safe_popen_read(bin/"holos", "completion", "fish")
+      (fish_completion/"holos.fish").write fish_output
+    test: |
+      system "#{bin}/holos version"

api/author/v1alpha5/definitions.go

@@ -81,6 +81,10 @@ type Helm struct {
 	EnableHooks bool `cue:"true | *false"`
 	// Namespace sets the helm chart namespace flag if provided.
 	Namespace string `json:",omitempty"`
+	// APIVersions represents the helm template --api-versions flag
+	APIVersions []string `json:",omitempty"`
+	// KubeVersion represents the helm template --kube-version flag
+	KubeVersion string `json:",omitempty"`
 
 	// BuildPlan represents the derived BuildPlan produced for the holos render
 	// component command.

api/core/v1alpha5/types.go

@@ -133,6 +133,10 @@ type Helm struct {
 	EnableHooks bool `json:"enableHooks,omitempty"`
 	// Namespace represents the helm namespace flag
 	Namespace string `json:"namespace,omitempty"`
+	// APIVersions represents the helm template --api-versions flag
+	APIVersions []string `json:"apiVersions,omitempty"`
+	// KubeVersion represents the helm template --kube-version flag
+	KubeVersion string `json:"kubeVersion,omitempty"`
 }
 
 // Values represents [Helm] Chart values generated from CUE.

cmd/holos/main_test.go

@@ -28,6 +28,10 @@ func TestSchemas_v1alpha5(t *testing.T) {
 	testscript.Run(t, params(filepath.Join("v1alpha5", "schemas")))
 }
 
+func TestIssues_v1alpha5(t *testing.T) {
+	testscript.Run(t, params(filepath.Join("v1alpha5", "issues")))
+}
+
 func TestCLI(t *testing.T) {
 	testscript.Run(t, params("cli"))
 }

cmd/holos/tests/cli/first-impression.txt

@@ -0,0 +1,2 @@
+# https://github.com/holos-run/holos/issues/334
+exec holos

cmd/holos/tests/v1alpha5/issues/helm-pull-errors.txt

@@ -0,0 +1,38 @@
+# https://github.com/holos-run/holos/issues/332
+env HOME=$WORK
+# Mock with a stub helm command
+env PATH=$WORK/bin:$PATH
+chmod 755 bin/helm
+# Initialize the platform
+exec holos init platform v1alpha5 --force
+# when helm update returns an error
+! exec holos render platform ./platform
+# holos should log the helm error to stderr
+stderr 'Error: chart "podinfo" matching 0.0.0 not found in podinfo index'
+-- bin/helm --
+#! /bin/bash
+echo 'Error: chart "podinfo" matching 0.0.0 not found in podinfo index' >&2
+exit 2
+-- platform/podinfo.cue --
+package holos
+
+Platform: Components: podinfo: {
+	name: "podinfo"
+	path: "components/podinfo"
+}
+-- components/podinfo/podinfo.cue --
+package holos
+
+// Produce a helm chart build plan.
+holos: HelmChart.BuildPlan
+
+HelmChart: #Helm & {
+	Name: "podinfo"
+	Chart: {
+		version: "0.0.0"
+		repository: {
+			name: "podinfo"
+			url:  "https://stefanprodan.github.io/podinfo"
+		}
+	}
+}

cmd/holos/tests/v1alpha5/schemas/capabilities.txt

@@ -0,0 +1,144 @@
+# https://github.com/holos-run/holos/issues/330
+exec holos init platform v1alpha5 --force
+exec helm template ./components/capabilities/vendor/0.1.0/capabilities
+cmp stdout want/helm-template.yaml
+exec holos render platform ./platform
+# When no capabilities are specified
+cmp deploy/components/capabilities/capabilities.gen.yaml want/when-no-capabilities-specified.yaml
+# With APIVersions specified
+cmp deploy/components/specified/specified.gen.yaml want/with-capabilities-specified.yaml
+# With KubeVersion specified
+cmp deploy/components/kubeversion1/kubeversion1.gen.yaml want/with-kubeversion-specified.yaml
+# With both APIVersions and KubeVersion specified
+cmp deploy/components/kubeversion2/kubeversion2.gen.yaml want/with-both-specified.yaml
+-- want/with-both-specified.yaml --
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    kubeVersion: v1.20.0
+  name: has-foo-v1
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+-- want/with-kubeversion-specified.yaml --
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    kubeVersion: v1.20.0
+  name: has-foo-v1beta1
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+-- want/when-no-capabilities-specified.yaml --
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    kubeVersion: v1.31.0
+  name: has-foo-v1beta1
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+-- want/with-capabilities-specified.yaml --
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    kubeVersion: v1.31.0
+  name: has-foo-v1
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+-- platform/capabilities.cue --
+package holos
+
+import "encoding/json"
+
+Platform: Components: capabilities: {
+        name: "capabilities"
+        path: "components/capabilities"
+}
+Platform: Components: specified: {
+        name: "specified"
+        path: "components/capabilities"
+        parameters: apiVersions: json.Marshal(["foo/v1","bar/v1"])
+}
+Platform: Components: kubeversion1: {
+        name: "kubeversion1"
+        path: "components/capabilities"
+        parameters: kubeVersion: "v1.20.0"
+}
+Platform: Components: kubeversion2: {
+        name: "kubeversion2"
+        path: "components/capabilities"
+        parameters: kubeVersion: "v1.20.0"
+        parameters: apiVersions: json.Marshal(["foo/v1","bar/v1"])
+}
+-- components/capabilities/capabilities.cue --
+package holos
+
+import "encoding/json"
+
+holos: Component.BuildPlan
+
+Component: #Helm & {
+        Name: string @tag(holos_component_name, type=string)
+        Chart: name: "capabilities"
+        Chart: version: "0.1.0"
+        _APIVersions: string | *"[]" @tag(apiVersions, type=string)
+        APIVersions: json.Unmarshal(_APIVersions)
+        KubeVersion: string | *"v1.31.0" @tag(kubeVersion, type=string)
+}
+-- components/capabilities/vendor/0.1.0/capabilities/Chart.yaml --
+apiVersion: v2
+name: capabilities
+description: A Helm chart for Kubernetes
+type: application
+version: 0.1.0
+appVersion: "1.16.0"
+-- components/capabilities/vendor/0.1.0/capabilities/templates/service.yaml --
+apiVersion: v1
+kind: Service
+metadata:
+{{- if .Capabilities.APIVersions.Has "foo/v1" }}
+  name: has-foo-v1
+{{- else }}
+  name: has-foo-v1beta1
+{{- end }}
+  annotations:
+    kubeVersion: {{ .Capabilities.KubeVersion }}
+spec:
+  ports:
+    - port: 80
+      targetPort: http
+      protocol: TCP
+      name: http
+-- want/helm-template.yaml --
+---
+# Source: capabilities/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: has-foo-v1beta1
+  annotations:
+    kubeVersion: v1.31.0
+spec:
+  ports:
+    - port: 80
+      targetPort: http
+      protocol: TCP
+      name: http

doc/md/api/author.md

@@ -83,6 +83,10 @@ type Helm struct {
     EnableHooks bool `cue:"true | *false"`
     // Namespace sets the helm chart namespace flag if provided.
     Namespace string `json:",omitempty"`
+    // APIVersions represents the helm template --api-versions flag
+    APIVersions []string `json:",omitempty"`
+    // KubeVersion represents the helm template --kube-version flag
+    KubeVersion string `json:",omitempty"`
 
     // BuildPlan represents the derived BuildPlan produced for the holos render
     // component command.

doc/md/api/core.md

@@ -241,6 +241,10 @@ type Helm struct {
     EnableHooks bool `json:"enableHooks,omitempty"`
     // Namespace represents the helm namespace flag
     Namespace string `json:"namespace,omitempty"`
+    // APIVersions represents the helm template --api-versions flag
+    APIVersions []string `json:"apiVersions,omitempty"`
+    // KubeVersion represents the helm template --kube-version flag
+    KubeVersion string `json:"kubeVersion,omitempty"`
 }
 ```
 

doc/md/topics/argocd-application.mdx

@@ -0,0 +1,274 @@
+---
+slug: argocd-application
+title: ArgoCD Application
+description: Configuring an Application for each Component.
+sidebar_position: 110
+---
+
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+
+# ArgoCD Application
+
+## Overview
+
+This topic covers how to mix in an ArgoCD Application to all components.  We'll
+use the `Artifacts` field of [ComponentConfig] defined by the author schema.
+
+## The Code
+
+### Generating the structure
+
+Use `holos` to generate a minimal platform directory structure.  Start by
+creating a blank directory to hold the platform configuration.
+
+```shell
+mkdir holos-argocd-application && cd holos-argocd-application
+```
+
+```shell
+holos init platform v1alpha5
+```
+
+### Creating a component
+
+Create a directory for the `podinfo` component.  Create an empty file and then
+add the following CUE configuration to it.
+
+<Tabs groupId="1D2C6013-3D19-4516-8147-5A6EE214CAFF">
+  <TabItem value="components/podinfo/podinfo.cue" label="Podinfo Helm Chart">
+```bash
+mkdir -p components/podinfo
+touch components/podinfo/podinfo.cue
+```
+```bash
+cat <<EOF >components/podinfo/podinfo.cue
+```
+```cue showLineNumbers
+package holos
+
+holos: Component.BuildPlan
+
+Component: #Helm & {
+	Name: "podinfo"
+	Chart: {
+		version: "6.6.2"
+		repository: {
+			name: "podinfo"
+			url:  "https://stefanprodan.github.io/podinfo"
+		}
+	}
+}
+```
+```bash
+EOF
+```
+  </TabItem>
+</Tabs>
+
+Integrate the `podinfo` component into the platform.
+
+<Tabs groupId="tutorial-hello-register-podinfo-component">
+  <TabItem value="platform/podinfo.cue" label="Register Podinfo">
+```bash
+cat <<EOF >platform/podinfo.cue
+```
+```cue showLineNumbers
+package holos
+
+Platform: Components: podinfo: {
+	name: "podinfo"
+	path: "components/podinfo"
+}
+```
+```bash
+EOF
+```
+  </TabItem>
+</Tabs>
+
+## Adding ArgoCD Application
+
+Configure Holos to render an [Application] by defining an [Artifact] for it in
+every BuildPlan holos produces.  We're unifying our custom configuration with
+the existing `#ComponentConfig` defined in `schema.cue`.
+
+```bash
+cat <<EOF >argocd-application.cue
+```
+```cue showLineNumbers
+package holos
+
+import (
+	"path"
+	app "argoproj.io/application/v1alpha1"
+)
+
+#ComponentConfig: {
+	Name:          _
+	OutputBaseDir: _
+
+	let ArtifactPath = path.Join([OutputBaseDir, "gitops", "\(Name).application.gen.yaml"], path.Unix)
+	let ResourcesPath = path.Join(["deploy", OutputBaseDir, "components", Name], path.Unix)
+
+	Artifacts: "\(Name)-application": {
+		artifact: ArtifactPath
+		generators: [{
+			kind:   "Resources"
+			output: artifact
+			resources: Application: (Name): app.#Application & {
+				metadata: name:      Name
+				metadata: namespace: "argocd"
+				spec: {
+					destination: server: "https://kubernetes.default.svc"
+					project: "default"
+					source: {
+						path:           ResourcesPath
+						repoURL:        "https://example.com/example.git"
+						targetRevision: "main"
+					}
+				}
+			}
+		}]
+	}
+}
+```
+```bash
+EOF
+```
+
+## Inspecting the BuildPlan
+
+Our customized `#ComponentConfig` results in the following `BuildPlan`.
+
+:::note
+The second artifact around line 40 contains the configured `Application`
+resource.
+:::
+
+<Tabs groupId="55075C71-02E8-4222-88C0-2D52C82D18FC">
+  <TabItem value="command" label="Command">
+```bash
+holos cue export --expression holos --out=yaml ./components/podinfo
+```
+  </TabItem>
+  <TabItem value="output" label="Output">
+```yaml showLineNumbers
+kind: BuildPlan
+apiVersion: v1alpha5
+metadata:
+  name: podinfo
+spec:
+  artifacts:
+    - artifact: components/podinfo/podinfo.gen.yaml
+      generators:
+        - kind: Helm
+          output: helm.gen.yaml
+          helm:
+            chart:
+              name: podinfo
+              version: 6.6.2
+              release: podinfo
+              repository:
+                name: podinfo
+                url: https://stefanprodan.github.io/podinfo
+            values: {}
+            enableHooks: false
+        - kind: Resources
+          output: resources.gen.yaml
+          resources: {}
+      transformers:
+        - kind: Kustomize
+          inputs:
+            - helm.gen.yaml
+            - resources.gen.yaml
+          output: components/podinfo/podinfo.gen.yaml
+          kustomize:
+            kustomization:
+              labels:
+                - includeSelectors: false
+                  pairs: {}
+              resources:
+                - helm.gen.yaml
+                - resources.gen.yaml
+              kind: Kustomization
+              apiVersion: kustomize.config.k8s.io/v1beta1
+    - artifact: gitops/podinfo.application.gen.yaml
+      generators:
+        - kind: Resources
+          output: gitops/podinfo.application.gen.yaml
+          resources:
+            Application:
+              podinfo:
+                apiVersion: argoproj.io/v1alpha1
+                kind: Application
+                metadata:
+                  name: podinfo
+                  namespace: argocd
+                spec:
+                  destination:
+                    server: https://kubernetes.default.svc
+                  project: default
+                  source:
+                    path: deploy/components/podinfo
+                    repoURL: https://example.com/example.git
+                    targetRevision: main
+source:
+  component:
+    name: podinfo
+    path: no-path
+    parameters: {}
+```
+  </TabItem>
+</Tabs>
+
+## Rendering manifests
+
+<Tabs groupId="E150C802-7162-4FBF-82A7-77D9ADAEE847">
+  <TabItem value="command" label="Command">
+```bash
+holos render platform ./platform
+```
+  </TabItem>
+  <TabItem value="output" label="Output">
+```
+cached podinfo 6.6.2
+rendered podinfo in 1.938665041s
+rendered platform in 1.938759417s
+```
+  </TabItem>
+</Tabs>
+
+## Reviewing the Application
+
+The Artifact we added to `#ComponentConfig` will produce an ArgoCD Application
+resource for every component in the platform.  The output in this example is
+located at:
+
+```txt
+deploy/gitops/podinfo.application.gen.yaml
+```
+```yaml showLineNumbers
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+    name: podinfo
+    namespace: argocd
+spec:
+    destination:
+        server: https://kubernetes.default.svc
+    project: default
+    source:
+        path: deploy/components/podinfo
+        repoURL: https://example.com/example.git
+        targetRevision: main
+```
+
+[podinfo]: https://github.com/stefanprodan/podinfo
+[CUE Module]: https://cuelang.org/docs/reference/modules/
+[CUE Tags]: https://cuelang.org/docs/howto/inject-value-into-evaluation-using-tag-attribute/
+[Platform]: ../api/author.md#Platform
+[Component Parameters]: ../topics/component-parameters.mdx
+[Application]: https://argo-cd.readthedocs.io/en/stable/user-guide/application-specification/
+[ComponentConfig]: ../api/author.md#ComponentConfig
+[Artifact]: ../api/core.md#Artifact

doc/md/tutorial/cue-generator.mdx

@@ -1,15 +0,0 @@
----
-slug: cue-generator
-title: CUE Generator
-description: Render component manifests directly from CUE.
-sidebar_position: 50
----
-
-# CUE
-
-Key points to cover:
-
-1. Resources are validated against `#Resources` defined at the root.
-2. Custom Resource Definitions need to be imported with timoni.
-3. One component can have multiple generators, e.g. Helm and CUE together.  This
-is how resources are mixed in to helm charts.

doc/md/tutorial/cue.mdx

@@ -0,0 +1,267 @@
+---
+slug: cue
+title: CUE
+description: Render component manifests directly from CUE.
+sidebar_position: 50
+---
+
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+
+# CUE
+
+## Overview
+
+This tutorial demonstrates mixing additional resources into a component using
+CUE.  Holos components frequently mix in resources so we don't need to modify
+existing charts or manifests.  We'll add an [ExternalSecret] resource to the
+podinfo Helm chart we configured in the [Hello Holos] tutorial.
+
+Key concepts:
+
+1. Resources are validated against `#Resources` defined at the root.
+2. Custom Resource Definitions need to be imported with timoni.
+3. Helm, Kustomize, and CUE can be mixed in together in the same component.
+
+## The Code
+
+### Generating the structure
+
+Use `holos` to generate a minimal platform directory structure.  First, create
+and cd into a blank directory. Then use the `holos generate platform` command to
+generate a minimal platform.
+
+```shell
+mkdir holos-cue-tutorial && cd holos-cue-tutorial
+holos init platform v1alpha5
+```
+
+### Creating the component
+
+Create the directory for the `podinfo` component.  Create an empty file and then
+add the following CUE configuration to it.
+
+```bash
+mkdir -p components/podinfo
+touch components/podinfo/podinfo.cue
+```
+```cue showLineNumbers
+package holos
+
+// export the component build plan to holos
+holos: Component.BuildPlan
+
+// Component is a Helm chart
+Component: #Helm & {
+	Name:      "podinfo"
+	Namespace: "default"
+	// Add metadata.namespace to all resources with kustomize.
+	KustomizeConfig: Kustomization: namespace: Namespace
+	Chart: {
+		version: "6.6.2"
+		repository: {
+			name: "podinfo"
+			url:  "https://stefanprodan.github.io/podinfo"
+		}
+	}
+}
+```
+
+Integrate the component with the platform.
+
+```bash
+touch platform/podinfo.cue
+```
+```cue showLineNumbers
+package holos
+
+Platform: Components: podinfo: {
+	name: "podinfo"
+	path: "components/podinfo"
+}
+```
+
+Render the platform.
+
+<Tabs groupId="tutorial-hello-render-manifests">
+  <TabItem value="command" label="Command">
+```bash
+holos render platform ./platform
+```
+  </TabItem>
+  <TabItem value="output" label="Output">
+```
+cached podinfo 6.6.2
+rendered podinfo in 1.938665041s
+rendered platform in 1.938759417s
+```
+  </TabItem>
+</Tabs>
+
+Add and commit the initial configuration.
+
+```bash
+git init . && git add . && git commit -m initial
+```
+
+### Mixing in Resources
+
+We use the [ComponentConfig] `Resources` field to mix in resources to any
+component kind.  This field is a convenient wrapper around the core [BuildPlan]
+[Resources] [Generator].
+
+Create the mixins.cue file.
+
+```bash
+touch components/podinfo/mixins.cue
+```
+```cue showLineNumbers
+package holos
+
+// Component fields are unified with podinfo.cue
+Component: {
+	// Concrete values are defined in podinfo.cue
+	Name:      string
+	Namespace: string
+
+	// Resources represents mix-in resources organized as a struct.
+	Resources: ExternalSecret: (Name): {
+		// Name is consistent with the component name.
+		metadata: name: Name
+		// Namespace is consistent with the component namespace.
+		metadata: namespace: Namespace
+		spec: {
+			// Ensure the target secret name is consistent.
+			target: name: metadata.name
+			// Ensure the name in the SecretStore is consistent.
+			dataFrom: [{extract: {key: metadata.name}}]
+			refreshInterval: "30s"
+			secretStoreRef: kind: "SecretStore"
+			secretStoreRef: name: "default"
+		}
+	}
+}
+```
+
+:::important
+Holos uses CUE to validate mixed in resources against a schema.  The `Resources`
+field validates against the `#Resources` definition in [resources.cue].
+:::
+
+### Importing CRDs
+
+Holos includes CUE schema definitions of the ExternalSecret custom resource
+definition (CRD).  These schemas are located in the `cue.mod` directory, written by
+the `holos init platform` command we executed at the start of this tutorial.
+
+Import your own custom resource definitions using [timoni].  We imported the
+ExternalSecret CRDs embedded into `holos` with the following command.
+
+<Tabs groupId="35B1A1A1-D7DF-4D27-A575-28556E182096">
+  <TabItem value="command" label="Command">
+```bash
+timoni mod vendor crds -f https://raw.githubusercontent.com/external-secrets/external-secrets/v0.10.5/deploy/crds/bundle.yaml
+```
+  </TabItem>
+  <TabItem value="output" label="Output">
+```txt
+2:22PM INF schemas vendored: external-secrets.io/clusterexternalsecret/v1beta1
+2:22PM INF schemas vendored: external-secrets.io/clustersecretstore/v1alpha1
+2:22PM INF schemas vendored: external-secrets.io/clustersecretstore/v1beta1
+2:22PM INF schemas vendored: external-secrets.io/externalsecret/v1alpha1
+2:22PM INF schemas vendored: external-secrets.io/externalsecret/v1beta1
+2:22PM INF schemas vendored: external-secrets.io/pushsecret/v1alpha1
+2:22PM INF schemas vendored: external-secrets.io/secretstore/v1alpha1
+2:22PM INF schemas vendored: external-secrets.io/secretstore/v1beta1
+2:22PM INF schemas vendored: generators.external-secrets.io/acraccesstoken/v1alpha1
+2:22PM INF schemas vendored: generators.external-secrets.io/ecrauthorizationtoken/v1alpha1
+2:22PM INF schemas vendored: generators.external-secrets.io/fake/v1alpha1
+2:22PM INF schemas vendored: generators.external-secrets.io/gcraccesstoken/v1alpha1
+2:22PM INF schemas vendored: generators.external-secrets.io/githubaccesstoken/v1alpha1
+2:22PM INF schemas vendored: generators.external-secrets.io/password/v1alpha1
+2:22PM INF schemas vendored: generators.external-secrets.io/uuid/v1alpha1
+2:22PM INF schemas vendored: generators.external-secrets.io/vaultdynamicsecret/v1alpha1
+2:22PM INF schemas vendored: generators.external-secrets.io/webhook/v1alpha1
+```
+  </TabItem>
+</Tabs>
+
+:::tip
+Take a look at
+[cue.mod/gen/external-secrets.io/externalsecret/v1beta1/types_gen.cue] to see
+the imported definitions.
+:::
+
+Once imported, the last step is to add the resource kind to the `#Resources`
+struct.  This is most often accomplished by adding a new file which cue unifies
+with the existing [resources.cue] file.
+
+## Reviewing Changes
+
+Render the platform with the `ExternalSecret` mixed into the podinfo component.
+
+```shell
+holos render platform ./platform
+```
+
+Take a look at the diff to see the mixed in `ExternalSecret`.
+
+```shell
+git diff deploy
+```
+
+```diff
+diff --git a/deploy/components/podinfo/podinfo.gen.yaml b/deploy/components/podinfo/podinfo.gen.yaml
+index 6e4aec0..f79e9d0 100644
+--- a/deploy/components/podinfo/podinfo.gen.yaml
++++ b/deploy/components/podinfo/podinfo.gen.yaml
+@@ -112,3 +112,19 @@ spec:
+       volumes:
+       - emptyDir: {}
+         name: data
++---
++apiVersion: external-secrets.io/v1beta1
++kind: ExternalSecret
++metadata:
++  name: podinfo
++  namespace: default
++spec:
++  dataFrom:
++  - extract:
++      key: podinfo
++  refreshInterval: 30s
++  secretStoreRef:
++    kind: SecretStore
++    name: default
++  target:
++    name: podinfo
+```
+
+We saw how to mix in resources using the `Resources` field of the
+[ComponentConfig].  This technique approach works for every kind of component in
+Holos.  We did this without needing to fork the upstream Helm chart so we can
+easily update to new podinfo versions as they're released.
+
+## Trying Locally
+
+Optionally apply the manifests Holos rendered to a [Local Cluster].
+
+## Next Steps
+
+This tutorial uses the `#Resources` structure to map resource kinds to their
+schema definitions in CUE.  This structure is defined in `resources.cue` at the
+root of the tree.  Take a look at [resources.cue] to see this mapping structure.
+
+Continue to the next tutorial to learn how to define your own data structures
+similar to this `#Resources` structure.
+
+[Local Cluster]: ../topics/local-cluster.mdx
+[ExternalSecret]: https://external-secrets.io/latest/api/externalsecret/
+[Artifact]: ../api/core.md#Artifact
+[Resources]: ../api/core.md#Resources
+[Generator]: ../api/core.md#Generator
+[Hello Holos]: ./hello-holos.mdx
+[cue.mod/gen/external-secrets.io/externalsecret/v1beta1/types_gen.cue]: https://github.com/holos-run/holos/blob/main/internal/generate/platforms/cue.mod/gen/external-secrets.io/externalsecret/v1beta1/types_gen.cue#L13
+[ComponentConfig]: ../api/author.md#ComponentConfig
+[timoni]: https://timoni.sh/install/
+[resources.cue]: https://github.com/holos-run/holos/blob/main/internal/generate/platforms/v1alpha5/resources.cue#L33

doc/md/tutorial/hello-holos.mdx

@@ -26,19 +26,83 @@ Chart as a Holos Component.
 
 ### Generating the structure
 
-Use `holos` to generate a minimal platform directory structure.  First, create
-and cd into a blank directory. Then use the `holos init platform` command to
-generate a minimal platform.
+Use `holos` to generate a minimal platform directory structure.  Start by
+creating a blank directory to hold the platform configuration.
+
+```shell
+mkdir holos-tutorial && cd holos-tutorial
+```
+
+Use the `holos init platform` command to initialize a minimal platform in the
+blank directory.
 
 ```shell
-mkdir holos-tutorial
-cd holos-tutorial
 holos init platform v1alpha5
 ```
 
-Holos creates a `platform` directory containing a `platform.gen.cue` file.  This
-file is the entry point for your new platform configuration.  You'll integrate
-components into the platform using the CUE code in this `platform` directory.
+Here's the filesystem tree we'll build in this tutorial.
+
+<Tabs groupId="80D04C6A-BC83-44D0-95CC-CE01B439B159">
+<TabItem value="tree" label="Tree">
+```text showLineNumbers
+holos-tutorial/
+├── components/
+│   └── podinfo/
+│       └── podinfo.cue
+├── cue.mod/
+├── platform/
+│   ├── platform.gen.cue
+│   └── podinfo.cue
+├── resources.cue
+├── schema.cue
+└── tags.cue
+```
+</TabItem>
+<TabItem value="details" label="Details">
+<div style={{display: "flex"}}>
+<div>
+```text showLineNumbers
+holos-tutorial/
+├── components/
+│   └── podinfo/
+│       └── podinfo.cue
+├── cue.mod/
+├── platform/
+│   ├── platform.gen.cue
+│   └── podinfo.cue
+├── resources.cue
+├── schema.cue
+└── tags.cue
+```
+</div>
+<div>
+- **Line 1** The platform root is the `holos-tutorial` directory we created.
+- **Line 2** This tutorial places components in `components/`.  They may reside
+anywhere.
+- **Line 3** A component is a collection of `*.cue` files at a path.
+- **Line 4** We'll create this file and configure the podinfo helm chart in the
+next section.
+- **Line 5** The CUE module directory.  Schema definitions for Kubernetes and
+Holos resources reside within the `cue.mod` directory.
+- **Line 6** The platform directory is the **main entrypoint** for the `holos
+render platform` command.
+- **Line 7** `platform.gen.cue` is initialized by `holos init platform` and
+contains the Platform spec.
+- **Line 8** `podinfo.cue` integrates podinfo with the platform by adding the
+component to the platform spec.  We'll add ths file after the next section.
+- **Line 9** `resources.cue` Defines the Kubernetes resources available to
+manage in CUE.
+- **Line 10** `schema.cue` Defines the configuration common to all component
+kinds.
+- **Line 11** `tags.cue` Defines where component parameter values are injected
+into the overall platform configuration.  We don't need to be concerned with
+this file until we cover component parameters.
+- **Lines 9-11** Initialized by `holos init platform`, user editable after
+initialization.
+</div>
+</div>
+</TabItem>
+</Tabs>
 
 ### Creating a component
 
@@ -66,15 +130,34 @@ HelmChart: #Helm & {
 			url:  "https://stefanprodan.github.io/podinfo"
 		}
 	}
+	// Holos marshals Values into values.yaml for Helm.
+	Values: {
+		// message is a string with a default value.  @tag indicates a value may
+		// be injected from the platform spec component parameters.
+		ui: {
+			message: string | *"Hello World" @tag(greeting, type=string)
+		}
+	}
 }
 ```
   </TabItem>
 </Tabs>
 
+:::important
+CUE loads all of `*.cue` files in the component directory to define component,
+similar to Go packages.
+:::
+
+:::note
+CUE _also_ loads all `*.cue` files from the component leaf directory to the
+platform root directory.  In this example, `#Helm` on line 6 is defined in
+`schema.cue` at the root.
+:::
+
 ### Integrating the component
 
-Integrate the `podinfo` component by creating a new file in the `platform`
-directory with the following CUE code:
+Integrate the `podinfo` component into the platform by creating a new cue file
+in the `platform` directory with the following content.
 
 <Tabs groupId="tutorial-hello-register-podinfo-component">
   <TabItem value="platform/podinfo.cue" label="Register Podinfo">
@@ -87,17 +170,24 @@ package holos
 Platform: Components: podinfo: {
 	name: "podinfo"
 	path: "components/podinfo"
+	// Inject a value into the component.
+	parameters: greeting: "Hello Holos!"
 }
 ```
   </TabItem>
 </Tabs>
 
+:::tip
+Component parameters may have any name as long as they don't start with
+`holos_`.
+:::
+
 ## Rendering manifests
 
 Render a manifest for `podinfo` using the `holos render platform ./platform`
-command.
+command.  The `platform/` directory is the main entrypoint for this command.
 
-<Tabs groupId="tutorial-hello-render-manifests">
+<Tabs groupId="E150C802-7162-4FBF-82A7-77D9ADAEE847">
   <TabItem value="command" label="Command">
 ```bash
 holos render platform ./platform
@@ -110,10 +200,19 @@ rendered podinfo in 1.938665041s
 rendered platform in 1.938759417s
 ```
   </TabItem>
-  <TabItem value="manifest" label="Rendered Manifest">
+</Tabs>
+
+:::important
+Holos rendered the following manifest file by executing `helm template` after
+caching `podinfo` locally.
+:::
+
 ```txt
 deploy/components/podinfo/podinfo.gen.yaml
 ```
+
+<Tabs groupId="0E9C231D-D0E8-410A-A4A0-601842A086A6">
+  <TabItem value="service" label="Service">
 ```yaml showLineNumbers
 apiVersion: v1
 kind: Service
@@ -137,7 +236,10 @@ spec:
   selector:
     app.kubernetes.io/name: podinfo
   type: ClusterIP
----
+```
+  </TabItem>
+  <TabItem value="deployment" label="Deployment">
+```yaml showLineNumbers
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -176,6 +278,8 @@ spec:
         - --random-delay=false
         - --random-error=false
         env:
+        - name: PODINFO_UI_MESSAGE
+          value: Hello Holos!
         - name: PODINFO_UI_COLOR
           value: '#34577c'
         image: ghcr.io/stefanprodan/podinfo:6.6.2
@@ -231,57 +335,34 @@ spec:
   </TabItem>
 </Tabs>
 
-Holos rendered the `deploy/components/podinfo/podinfo.gen.yaml` file by
-executing `helm template` after caching `podinfo` locally.
+Holos renders the component with the greeting injected from the platform spec.
+
+```shell
+grep -B2 Hello deploy/components/podinfo/podinfo.gen.yaml
+```
+```yaml
+        env:
+        - name: PODINFO_UI_MESSAGE
+          value: Hello Holos!
+```
 
 ## Breaking it down
 
-Here’s a quick review of the files we created and their purpose:
+We run `holos render platform ./platform` because the cue files in the platform
+directory export a [Platform] resource to `holos`.  The platform directory is
+the entrypoint to the platform rendering process.
 
-```text
-holos-tutorial/
-├── components/
-│   └── podinfo/
-│       └── podinfo.cue
-├── cue.mod/
-├── platform/
-│   ├── platform.gen.cue
-│   └── podinfo.cue
-├── resources.cue
-├── schema.cue
-└── tags.cue
-```
+Components are the building blocks for a Platform.  The `platform/podinfo.cue`
+file integrates the `podinfo` Component with the Platform.
 
-#### `components/podinfo/podinfo.cue`
+Holos requires two fields to integrate a component with the platform.
 
-Configures the `podinfo` Helm chart as a holos component.
+1. A unique name for the component.
+2. The component path to the directory containing the cue files exporting a
+`BuildPlan` defining the component.
 
-#### `cue.mod`
-
-[CUE Module] directory containing schema definitions for Kubernetes resources.
-
-#### `platform/platform.gen.cue`
-
-Exports the [Platform] spec from CUE to `holos` for processing.
-
-#### `platform/podinfo.cue`
-
-Integrates the `podinfo` Helm component into the platform.
-
-#### `resources.cue`
-
-Defines the `#Resources` schema of common Kubernetes resources.
-
-#### `schema.cue`
-
-Configures the `#Helm`, `#Kustomize`, and `#Kubernetes` common component kinds
-by composing the `#ComponentConfig` schema definition into each schema
-definition.  The component kinds behave consistently as a result.
-
-#### `tags.cue`
-
-Holds parameter values passed from `holos render platform` to `holos render
-component` injected via [CUE Tags].
+Component parameters are optional.  They allow re-use of the same component.
+Refer to the [Component Parameters] topic for more information.
 
 <Tabs groupId="67C1EE71-3EA8-4568-9F6D-0072BA09FF12">
   <TabItem value="overview" label="Rendering Overview">
@@ -296,63 +377,11 @@ component` injected via [CUE Tags].
   </TabItem>
 </Tabs>
 
-We run `holos render platform` against the `platform` directory because that
-directory exports a [Platform] resource to `holos`.  The platform directory is
-effectively the entrypoint into the rendering process.
-
-Components are the building blocks for a Platform, and without them `holos
-render platform` does nothing. The `platform/podinfo.cue` file integrates the
-`podinfo` Component with the Platform.
-
-Holos requires two things to integrate a component with the platform.
-
-1. A unique name for the component.
-2. The component filesystem path.
-
-:::important
-Components can be parameterized.
-:::
-
-The Platform spec can re-use the same component path providing it varying input
-parameters.  This is covered in the [Component Parameters] topic.
-
-:::tip
-Holos makes it easy to re-use a Helm chart with multiple customers and
-environments.  This is not well supported by Helm alone.
-:::
-
-The `components/podinfo/podinfo.cue` file unifies the `#Helm`
-definition, indicating that we're configuring a Helm chart, along with the
-`podinfo` chart's version and repository information.  If we wanted to customize
-the `podinfo` chart and change any of the chart's values, we would make those
-changes here.  For example, we could change the message being displayed by
-passing the `ui.message` value to the chart:
-
-```cue
-HelmChart: #Helm & {
-	Name: "podinfo"
-	Chart: {
-		version: "6.6.2"
-		repository: {
-			name: "podinfo"
-			url:  "https://stefanprodan.github.io/podinfo"
-		}
-	}
-	Values: {
-	    ui: message: "Hello Holos from Podinfo!"
-	}
-}
-```
-
-Holos repeats this process for every Component added to the Platform, and since `podinfo`
-is the only Component, we're done!
-
 ## Next Steps
 
-We've shown how to add a single Helm chart to the Platform, but what if you have
-more than one Helm chart and they all need to access the same data?  Continue on
-with the next tutorial to learn how Holos makes it easy to pass data to multiple
-components and Helm Charts.
+We've shown how to integrate one Helm chart to the Platform, but we haven't yet
+covered multiple Helm charts.  Continue on with the next tutorial to learn how
+Holos makes it easy to inject values into multiple components safely and easily.
 
 [podinfo]: https://github.com/stefanprodan/podinfo
 [CUE Module]: https://cuelang.org/docs/reference/modules/

doc/md/tutorial/setup.mdx

@@ -17,22 +17,54 @@ This tutorial will guide you through the installation of Holos and its
 dependencies, as well as the initialization of a minimal Platform that you can
 extend to meet your specific needs.
 
-## Installing Holos
+## Installing
 
 Holos is distributed as a single file executable that can be installed in a
 couple of ways.
 
+<Tabs groupId="FE2C74C8-B3A3-4AEA-BBD3-F57FAA654B6F">
+  <TabItem value="brew" label="Install with brew">
+```bash
+brew install holos-run/tap/holos
+```
+  </TabItem>
+  <TabItem value="go" label="Go">
+```bash
+go install github.com/holos-run/holos/cmd/holos@latest
+```
+  </TabItem>
+</Tabs>
+
+### Completion
+
+<Tabs groupId="65F79D28-2E57-4A90-8EBA-3D8758C80233">
+  <TabItem value="zsh" label="zsh">
+```bash
+source <(holos completion zsh)
+```
+  </TabItem>
+  <TabItem value="bash" label="bash">
+```bash
+source <(holos completion bash)
+```
+  </TabItem>
+  <TabItem value="fish" label="fish">
+```bash
+source <(holos completion fish)
+```
+  </TabItem>
+  <TabItem value="ksh" label="ksh">
+```bash
+source <(holos completion ksh)
+```
+  </TabItem>
+</Tabs>
+
 ### Releases
 
 Download `holos` from the [releases] page and place the executable into your
 shell path.
 
-### Go Install
-
-```shell
-go install github.com/holos-run/holos/cmd/holos@latest
-```
-
 ### Dependencies
 
 Holos integrates with the following tools that should be installed to enable
@@ -41,6 +73,13 @@ their functionality.
 - [Helm] to fetch and render Helm chart Components.
 - [Kubectl] to [kustomize] components.
 
+:::note
+Holos is tested with Helm version `v3.16.2`.
+:::
+
+Please try upgrading helm if you encounter `Error: chart requires kubeVersion
+...` errors.
+
 ## Next Steps
 
 You've got the structure of your platform configuration in place. Continue on to

doc/website/package.json

@@ -15,10 +15,10 @@
     "typecheck": "tsc"
   },
   "dependencies": {
-    "@docusaurus/core": "^3.6.0",
-    "@docusaurus/plugin-client-redirects": "^3.6.0",
-    "@docusaurus/preset-classic": "^3.6.0",
-    "@docusaurus/theme-mermaid": "^3.6.0",
+    "@docusaurus/core": "^3.6.1",
+    "@docusaurus/plugin-client-redirects": "^3.6.1",
+    "@docusaurus/preset-classic": "^3.6.1",
+    "@docusaurus/theme-mermaid": "^3.6.1",
     "@mdx-js/react": "^3.0.0",
     "clsx": "^2.0.0",
     "prism-react-renderer": "^2.3.0",
@@ -26,9 +26,9 @@
     "react-dom": "^18.0.0"
   },
   "devDependencies": {
-    "@docusaurus/module-type-aliases": "^3.6.0",
-    "@docusaurus/tsconfig": "^3.6.0",
-    "@docusaurus/types": "^3.6.0",
+    "@docusaurus/module-type-aliases": "^3.6.1",
+    "@docusaurus/tsconfig": "^3.6.1",
+    "@docusaurus/types": "^3.6.1",
     "@wcj/html-to-markdown-cli": "^2.1.1",
     "cspell": "^8.10.4",
     "html-to-markdown": "^1.0.0",

doc/website/src/diagrams/rendering-overview.mdx

@@ -17,7 +17,7 @@ graph LR
 
     Generators[<a href="/docs/v1alpha5/api/core/#Generator">Generators</a>]
     Transformers[<a href="/docs/v1alpha5/api/core/#Transformer">Transformers</a>]
-    Validators[<a href="/docs/v1alpha5/api/core/#Transformer">Validators</a><br/>TBD]
+    Validators[Validators]
     Files[Manifest<br/>Files]
 
     Platform --> Component

internal/builder/v1alpha5/builder.go

@@ -333,6 +333,12 @@ func (b *BuildPlan) helm(
 	if !g.Helm.EnableHooks {
 		args = append(args, "--no-hooks")
 	}
+	for _, apiVersion := range g.Helm.APIVersions {
+		args = append(args, "--api-versions", apiVersion)
+	}
+	if kubeVersion := g.Helm.KubeVersion; kubeVersion != "" {
+		args = append(args, "--kube-version", kubeVersion)
+	}
 	args = append(args,
 		"--include-crds",
 		"--values", valuesPath,
@@ -347,6 +353,7 @@ func (b *BuildPlan) helm(
 		stderr := helmOut.Stderr.String()
 		lines := strings.Split(stderr, "\n")
 		for _, line := range lines {
+			log.DebugContext(ctx, line)
 			if strings.HasPrefix(line, "Error:") {
 				err = fmt.Errorf("%s: %w", line, err)
 			}
@@ -514,7 +521,15 @@ func (b *BuildPlan) cacheChart(
 	}
 	helmOut, err := util.RunCmd(ctx, "helm", "pull", "--destination", cacheTemp, "--untar=true", "--version", chart.Version, cn)
 	if err != nil {
-		return errors.Wrap(fmt.Errorf("could not run helm pull: %w", err))
+		stderr := helmOut.Stderr.String()
+		lines := strings.Split(stderr, "\n")
+		for _, line := range lines {
+			log.DebugContext(ctx, line)
+			if strings.HasPrefix(line, "Error:") {
+				err = fmt.Errorf("%s: %w", line, err)
+			}
+		}
+		return errors.Format("could not run helm pull: %w", err)
 	}
 	log.Debug("helm pull", "stdout", helmOut.Stdout, "stderr", helmOut.Stderr)
 

internal/cli/render/render.go

@@ -274,17 +274,18 @@ func (t tags) Tags() []string {
 }
 
 func (t tags) String() string {
-	return strings.Join(t.Tags(), ",")
+	return strings.Join(t.Tags(), " ")
 }
 
+// Set sets a value.  Only one value per flag is supported.  For example
+// --inject=foo=bar --inject=bar=baz.  For JSON values, --inject=foo=bar,bar=baz
+// is not supported.
 func (t tags) Set(value string) error {
-	for _, item := range strings.Split(value, ",") {
-		parts := strings.SplitN(item, "=", 2)
-		if len(parts) != 2 {
-			return errors.Format("invalid format, must be tag=value")
-		}
-		t[parts[0]] = parts[1]
+	parts := strings.SplitN(value, "=", 2)
+	if len(parts) != 2 {
+		return errors.Format("invalid format, must be tag=value")
 	}
+	t[parts[0]] = parts[1]
 	return nil
 }
 

internal/cli/root.go

@@ -118,7 +118,7 @@ func newOrgCmd(feature holos.Flagger) (cmd *cobra.Command) {
 }
 
 func newCueCmd() (cmd *cobra.Command) {
-	cueCmd, _ := cue.New(os.Args[2:])
+	cueCmd, _ := cue.New(os.Args[1:])
 	cmd = cueCmd.Command
 	return
 }

internal/generate/platforms/cue.mod/gen/external-secrets.io/clusterexternalsecret/v1beta1/types_gen.cue

@@ -1,6 +1,6 @@
 // Code generated by timoni. DO NOT EDIT.
 
-//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-secrets-eso/prod-secrets-eso.gen.yaml
+//timoni:generate timoni vendor crd -f https://raw.githubusercontent.com/external-secrets/external-secrets/v0.10.5/deploy/crds/bundle.yaml
 
 package v1beta1
 
@@ -106,7 +106,6 @@ import (
 			sourceRef?: struct.MaxFields(1) & {
 				// GeneratorRef points to a generator custom resource.
 				//
-				//
 				// Deprecated: The generatorRef is not implemented in .data[].
 				// this will be removed with v1.
 				generatorRef?: {
@@ -336,6 +335,7 @@ import (
 
 	// The labels to select by to find the Namespaces to create the
 	// ExternalSecrets in.
+	// Deprecated: Use NamespaceSelectors instead.
 	namespaceSelector?: {
 		// matchExpressions is a list of label selector requirements. The
 		// requirements are ANDed.
@@ -368,8 +368,42 @@ import (
 		}
 	}
 
+	// A list of labels to select by to find the Namespaces to create
+	// the ExternalSecrets in. The selectors are ORed.
+	namespaceSelectors?: [...{
+		// matchExpressions is a list of label selector requirements. The
+		// requirements are ANDed.
+		matchExpressions?: [...{
+			// key is the label key that the selector applies to.
+			key: string
+
+			// operator represents a key's relationship to a set of values.
+			// Valid operators are In, NotIn, Exists and DoesNotExist.
+			operator: string
+
+			// values is an array of string values. If the operator is In or
+			// NotIn,
+			// the values array must be non-empty. If the operator is Exists
+			// or DoesNotExist,
+			// the values array must be empty. This array is replaced during a
+			// strategic
+			// merge patch.
+			values?: [...string]
+		}]
+
+		// matchLabels is a map of {key,value} pairs. A single {key,value}
+		// in the matchLabels
+		// map is equivalent to an element of matchExpressions, whose key
+		// field is "key", the
+		// operator is "In", and the values array contains only "value".
+		// The requirements are ANDed.
+		matchLabels?: {
+			[string]: string
+		}
+	}]
+
 	// Choose namespaces by name. This field is ORed with anything
-	// that NamespaceSelector ends up choosing.
+	// that NamespaceSelectors ends up choosing.
 	namespaces?: [...string]
 
 	// The time in which the controller should reconcile its objects

internal/generate/platforms/cue.mod/gen/external-secrets.io/clustersecretstore/v1alpha1/types_gen.cue

@@ -1,6 +1,6 @@
 // Code generated by timoni. DO NOT EDIT.
 
-//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-secrets-eso/prod-secrets-eso.gen.yaml
+//timoni:generate timoni vendor crd -f https://raw.githubusercontent.com/external-secrets/external-secrets/v0.10.5/deploy/crds/bundle.yaml
 
 package v1alpha1
 
@@ -745,6 +745,36 @@ import (
 			vault: string
 		}
 
+		// Configures a store to sync secrets with a Password Depot
+		// instance.
+		passworddepot?: {
+			auth: {
+				secretRef: {
+					// Username / Password is used for authentication.
+					credentials?: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+				}
+			}
+
+			// Database to use as source
+			database: string
+
+			// URL configures the Password Depot instance URL.
+			host: string
+		}
+
 		// Vault configures this store to sync secrets using Hashi
 		// provider
 		vault?: {

internal/generate/platforms/cue.mod/gen/external-secrets.io/clustersecretstore/v1beta1/types_gen.cue

@@ -1,6 +1,6 @@
 // Code generated by timoni. DO NOT EDIT.
 
-//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-secrets-eso/prod-secrets-eso.gen.yaml
+//timoni:generate timoni vendor crd -f https://raw.githubusercontent.com/external-secrets/external-secrets/v0.10.5/deploy/crds/bundle.yaml
 
 package v1beta1
 
@@ -55,6 +55,9 @@ import (
 	// Used to constraint a ClusterSecretStore to specific namespaces.
 	// Relevant only to ClusterSecretStore
 	conditions?: [...{
+		// Choose namespaces by using regex matching
+		namespaceRegexes?: [...string]
+
 		// Choose namespace using a labelSelector
 		namespaceSelector?: {
 			// matchExpressions is a list of label selector requirements. The
@@ -394,6 +397,9 @@ import (
 			// AWS External ID set on assumed IAM roles
 			externalID?: string
 
+			// Prefix adds a prefix to all retrieved values.
+			prefix?: string
+
 			// AWS Region to be used for the provider
 			region: string
 
@@ -445,10 +451,28 @@ import (
 		// Vault provider
 		azurekv?: {
 			// Auth configures how the operator authenticates with Azure.
-			// Required for ServicePrincipal auth type.
+			// Required for ServicePrincipal auth type. Optional for
+			// WorkloadIdentity.
 			authSecretRef?: {
-				// The Azure clientId of the service principle used for
+				// The Azure ClientCertificate of the service principle used for
 				// authentication.
+				clientCertificate?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+
+				// The Azure clientId of the service principle or managed identity
+				// used for authentication.
 				clientId?: {
 					// The key of the entry in the Secret resource's `data` field to
 					// be used. Some instances of this field may be
@@ -480,6 +504,23 @@ import (
 					// to the namespace of the referent.
 					namespace?: string
 				}
+
+				// The Azure tenantId of the managed identity used for
+				// authentication.
+				tenantId?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
 			}
 
 			// Auth type defines how to authenticate to the keyvault service.
@@ -523,13 +564,225 @@ import (
 			}
 
 			// TenantID configures the Azure Tenant to send requests to.
-			// Required for ServicePrincipal auth type.
+			// Required for ServicePrincipal auth type. Optional for
+			// WorkloadIdentity.
 			tenantId?: string
 
 			// Vault Url from which the secrets to be fetched from.
 			vaultUrl: string
 		}
 
+		// Beyondtrust configures this store to sync secrets using
+		// Password Safe provider.
+		beyondtrust?: {
+			// Auth configures how the operator authenticates with
+			// Beyondtrust.
+			auth: {
+				// Content of the certificate (cert.pem) for use when
+				// authenticating with an OAuth client Id using a Client
+				// Certificate.
+				certificate?: {
+					// SecretRef references a key in a secret that will be used as
+					// value.
+					secretRef?: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+
+					// Value can be specified directly to set a value without using a
+					// secret.
+					value?: string
+				}
+
+				// Certificate private key (key.pem). For use when authenticating
+				// with an OAuth client Id
+				certificateKey?: {
+					// SecretRef references a key in a secret that will be used as
+					// value.
+					secretRef?: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+
+					// Value can be specified directly to set a value without using a
+					// secret.
+					value?: string
+				}
+				clientId: {
+					// SecretRef references a key in a secret that will be used as
+					// value.
+					secretRef?: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+
+					// Value can be specified directly to set a value without using a
+					// secret.
+					value?: string
+				}
+				clientSecret: {
+					// SecretRef references a key in a secret that will be used as
+					// value.
+					secretRef?: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+
+					// Value can be specified directly to set a value without using a
+					// secret.
+					value?: string
+				}
+			}
+
+			// Auth configures how API server works.
+			server: {
+				apiUrl: string
+
+				// Timeout specifies a time limit for requests made by this
+				// Client. The timeout includes connection time, any redirects,
+				// and reading the response body. Defaults to 45 seconds.
+				clientTimeOutSeconds?: int
+
+				// The secret retrieval type. SECRET = Secrets Safe (credential,
+				// text, file). MANAGED_ACCOUNT = Password Safe account
+				// associated with a system.
+				retrievalType?: string
+
+				// A character that separates the folder names.
+				separator?: string
+				verifyCA:   bool
+			}
+		}
+
+		// BitwardenSecretsManager configures this store to sync secrets
+		// using BitwardenSecretsManager provider
+		bitwardensecretsmanager?: {
+			apiURL?: string
+			auth: {
+				secretRef: {
+					// AccessToken used for the bitwarden instance.
+					credentials: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+				}
+			}
+			bitwardenServerSDKURL?: string
+
+			// Base64 encoded certificate for the bitwarden server sdk. The
+			// sdk MUST run with HTTPS to make sure no MITM attack
+			// can be performed.
+			caBundle?: string
+
+			// see:
+			// https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider
+			caProvider?: {
+				// The key where the CA certificate can be found in the Secret or
+				// ConfigMap.
+				key?: string
+
+				// The name of the object located at the provider type.
+				name: string
+
+				// The namespace the Provider type is in.
+				// Can only be defined when used in a ClusterSecretStore.
+				namespace?: string
+
+				// The type of provider to use such as "Secret", or "ConfigMap".
+				type: "Secret" | "ConfigMap"
+			}
+			identityURL?: string
+
+			// OrganizationID determines which organization this secret store
+			// manages.
+			organizationID: string
+
+			// ProjectID determines which project this secret store manages.
+			projectID: string
+		}
+
+		// Chef configures this store to sync secrets with chef server
+		chef?: {
+			auth: {
+				secretRef: {
+					// SecretKey is the Signing Key in PEM format, used for
+					// authentication.
+					privateKeySecretRef: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+				}
+			}
+
+			// ServerURL is the chef server URL used to connect to. If using
+			// orgs you should include your org in the url and terminate the
+			// url with a "/"
+			serverUrl: string
+
+			// UserName should be the user ID on the chef server
+			username: string
+		}
+
 		// Conjur configures this store to sync secrets using conjur
 		// provider
 		conjur?: {
@@ -574,6 +827,11 @@ import (
 				jwt?: {
 					account: string
 
+					// Optional HostID for JWT authentication. This may be used
+					// depending
+					// on how the Conjur JWT authenticator policy is configured.
+					hostId?: string
+
 					// Optional SecretRef that refers to a key in a Secret resource
 					// containing JWT token to
 					// authenticate with Conjur using the JWT authentication method.
@@ -705,6 +963,33 @@ import (
 			urlTemplate?: string
 		}
 
+		// Device42 configures this store to sync secrets using the
+		// Device42 provider
+		device42?: {
+			auth: {
+				secretRef: {
+					// Username / Password is used for authentication.
+					credentials?: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+				}
+			}
+
+			// URL configures the Device42 instance URL.
+			host: string
+		}
+
 		// Doppler configures this store to sync secrets using the Doppler
 		// provider
 		doppler?: {
@@ -758,6 +1043,33 @@ import (
 			}]
 		}
 
+		// Fortanix configures this store to sync secrets using the
+		// Fortanix provider
+		fortanix?: {
+			apiKey?: {
+				// SecretRef is a reference to a secret containing the SDKMS API
+				// Key.
+				secretRef?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+			}
+
+			// APIURL is the URL of SDKMS API. Defaults to
+			// `sdkms.fortanix.com`.
+			apiUrl?: string
+		}
+
 		// GCPSM configures this store to sync secrets using Google Cloud
 		// Platform Secret Manager provider
 		gcpsm?: {
@@ -806,6 +1118,9 @@ import (
 				}
 			}
 
+			// Location optionally defines a location for a secret
+			location?: string
+
 			// ProjectID project where secret is located
 			projectID?: string
 		}
@@ -896,6 +1211,55 @@ import (
 			serviceUrl?: string
 		}
 
+		// Infisical configures this store to sync secrets using the
+		// Infisical provider
+		infisical?: {
+			auth: {
+				universalAuthCredentials?: {
+					// A reference to a specific 'key' within a Secret resource,
+					// In some instances, `key` is a required field.
+					clientId: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+
+					// A reference to a specific 'key' within a Secret resource,
+					// In some instances, `key` is a required field.
+					clientSecret: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+				}
+			}
+			hostAPI?: string | *"https://app.infisical.com/api"
+			secretsScope: {
+				environmentSlug: string
+				projectSlug:     string
+				recursive?:      bool | *false
+				secretsPath?:    string | *"/"
+			}
+		}
+
 		// KeeperSecurity configures this store to sync secrets using the
 		// KeeperSecurity provider
 		keepersecurity?: {
@@ -923,7 +1287,7 @@ import (
 		kubernetes?: {
 			// Auth configures how secret-manager authenticates with a
 			// Kubernetes instance.
-			auth: struct.MaxFields(1) & {
+			auth?: struct.MaxFields(1) & {
 				// has both clientCert and clientKey as secretKeySelector
 				cert?: {
 					// A reference to a specific 'key' within a Secret resource,
@@ -999,6 +1363,22 @@ import (
 				}
 			}
 
+			// A reference to a secret that contains the auth information.
+			authRef?: {
+				// The key of the entry in the Secret resource's `data` field to
+				// be used. Some instances of this field may be
+				// defaulted, in others it may be required.
+				key?: string
+
+				// The name of the Secret resource being referred to.
+				name?: string
+
+				// Namespace of the resource being referred to. Ignored if
+				// referent is not cluster-scoped. cluster-scoped defaults
+				// to the namespace of the referent.
+				namespace?: string
+			}
+
 			// Remote namespace to fetch the secrets from
 			remoteNamespace?: string | *"default"
 
@@ -1030,6 +1410,61 @@ import (
 			}
 		}
 
+		// Onboardbase configures this store to sync secrets using the
+		// Onboardbase provider
+		onboardbase?: {
+			// APIHost use this to configure the host url for the API for
+			// selfhosted installation, default is
+			// https://public.onboardbase.com/api/v1/
+			apiHost: string | *"https://public.onboardbase.com/api/v1/"
+
+			// Auth configures how the Operator authenticates with the
+			// Onboardbase API
+			auth: {
+				// OnboardbaseAPIKey is the APIKey generated by an admin account.
+				// It is used to recognize and authorize access to a project and
+				// environment within onboardbase
+				apiKeyRef: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+
+				// OnboardbasePasscode is the passcode attached to the API Key
+				passcodeRef: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+			}
+
+			// Environment is the name of an environmnent within a project to
+			// pull the secrets from
+			environment: string | *"development"
+
+			// Project is an onboardbase project that the secrets should be
+			// pulled from
+			project: string | *"development"
+		}
+
 		// OnePassword configures this store to sync secrets using the
 		// 1Password Cloud provider
 		onepassword?: {
@@ -1158,6 +1593,149 @@ import (
 			// located.
 			vault: string
 		}
+		passbolt?: {
+			// Auth defines the information necessary to authenticate against
+			// Passbolt Server
+			auth: {
+				// A reference to a specific 'key' within a Secret resource,
+				// In some instances, `key` is a required field.
+				passwordSecretRef: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+
+				// A reference to a specific 'key' within a Secret resource,
+				// In some instances, `key` is a required field.
+				privateKeySecretRef: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+			}
+
+			// Host defines the Passbolt Server to connect to
+			host: string
+		}
+
+		// Configures a store to sync secrets with a Password Depot
+		// instance.
+		passworddepot?: {
+			auth: {
+				secretRef: {
+					// Username / Password is used for authentication.
+					credentials?: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+				}
+			}
+
+			// Database to use as source
+			database: string
+
+			// URL configures the Password Depot instance URL.
+			host: string
+		}
+
+		// Previder configures this store to sync secrets using the
+		// Previder provider
+		previder?: {
+			auth: {
+				secretRef?: {
+					// The AccessToken is used for authentication
+					accessToken: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+				}
+			}
+			baseUri?: string
+		}
+
+		// Pulumi configures this store to sync secrets using the Pulumi
+		// provider
+		pulumi?: {
+			accessToken: {
+				// SecretRef is a reference to a secret containing the Pulumi API
+				// token.
+				secretRef?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+			}
+
+			// APIURL is the URL of the Pulumi API.
+			apiUrl?: string | *"https://api.pulumi.com/api/esc"
+
+			// Environment are YAML documents composed of static key-value
+			// pairs, programmatic expressions,
+			// dynamically retrieved values from supported providers including
+			// all major clouds,
+			// and other Pulumi ESC environments.
+			// To create a new environment, visit
+			// https://www.pulumi.com/docs/esc/environments/ for more
+			// information.
+			environment: string
+
+			// Organization are a space to collaborate on shared projects and
+			// stacks.
+			// To create a new organization, visit https://app.pulumi.com/ and
+			// click "New Organization".
+			organization: string
+
+			// Project is the name of the Pulumi ESC project the environment
+			// belongs to.
+			project: string
+		}
 
 		// Scaleway
 		scaleway?: {
@@ -1222,6 +1800,63 @@ import (
 			}
 		}
 
+		// SecretServer configures this store to sync secrets using
+		// SecretServer provider
+		// https://docs.delinea.com/online-help/secret-server/start.htm
+		secretserver?: {
+			// Password is the secret server account password.
+			password: {
+				// SecretRef references a key in a secret that will be used as
+				// value.
+				secretRef?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+
+				// Value can be specified directly to set a value without using a
+				// secret.
+				value?: string
+			}
+
+			// ServerURL
+			// URL to your secret server installation
+			serverURL: string
+
+			// Username is the secret server account username.
+			username: {
+				// SecretRef references a key in a secret that will be used as
+				// value.
+				secretRef?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+
+				// Value can be specified directly to set a value without using a
+				// secret.
+				value?: string
+			}
+		}
+
 		// Senhasegura configures this store to sync secrets using
 		// senhasegura provider
 		senhasegura?: {
@@ -1632,6 +2267,17 @@ import (
 					username: string
 				}
 
+				// Name of the vault namespace to authenticate to. This can be
+				// different than the namespace your secret is in.
+				// Namespaces is a set of features within Vault Enterprise that
+				// allows
+				// Vault environments to support Secure Multi-tenancy. e.g: "ns1".
+				// More about namespaces can be found here
+				// https://www.vaultproject.io/docs/enterprise/namespaces
+				// This will default to Vault.Namespace field if set, or empty
+				// otherwise
+				namespace?: string
+
 				// TokenSecretRef authenticates with Vault by presenting a token.
 				tokenSecretRef?: {
 					// The key of the entry in the Secret resource's `data` field to
@@ -1717,6 +2363,11 @@ import (
 			// https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
 			forwardInconsistent?: bool
 
+			// Headers to be added in Vault request
+			headers?: {
+				[string]: string
+			}
+
 			// Name of the vault namespace. Namespaces is a set of features
 			// within Vault Enterprise that allows
 			// Vault environments to support Secure Multi-tenancy. e.g: "ns1".

internal/generate/platforms/cue.mod/gen/external-secrets.io/externalsecret/v1alpha1/types_gen.cue

@@ -1,6 +1,6 @@
 // Code generated by timoni. DO NOT EDIT.
 
-//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-secrets-eso/prod-secrets-eso.gen.yaml
+//timoni:generate timoni vendor crd -f https://raw.githubusercontent.com/external-secrets/external-secrets/v0.10.5/deploy/crds/bundle.yaml
 
 package v1alpha1
 

internal/generate/platforms/cue.mod/gen/external-secrets.io/externalsecret/v1beta1/types_gen.cue

@@ -1,6 +1,6 @@
 // Code generated by timoni. DO NOT EDIT.
 
-//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-secrets-eso/prod-secrets-eso.gen.yaml
+//timoni:generate timoni vendor crd -f https://raw.githubusercontent.com/external-secrets/external-secrets/v0.10.5/deploy/crds/bundle.yaml
 
 package v1beta1
 
@@ -87,7 +87,6 @@ import (
 		sourceRef?: struct.MaxFields(1) & {
 			// GeneratorRef points to a generator custom resource.
 			//
-			//
 			// Deprecated: The generatorRef is not implemented in .data[].
 			// this will be removed with v1.
 			generatorRef?: {

internal/generate/platforms/cue.mod/gen/external-secrets.io/pushsecret/v1alpha1/types_gen.cue

@@ -1,10 +1,13 @@
 // Code generated by timoni. DO NOT EDIT.
 
-//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-secrets-eso/prod-secrets-eso.gen.yaml
+//timoni:generate timoni vendor crd -f https://raw.githubusercontent.com/external-secrets/external-secrets/v0.10.5/deploy/crds/bundle.yaml
 
 package v1alpha1
 
-import "strings"
+import (
+	"strings"
+	"struct"
+)
 
 #PushSecret: {
 	// APIVersion defines the versioned schema of this representation
@@ -48,6 +51,9 @@ import "strings"
 #PushSecretSpec: {
 	// Secret Data that should be pushed to providers
 	data?: [...{
+		// Used to define a conversion Strategy for the secret keys
+		conversionStrategy?: "None" | "ReverseUnicode" | *"None"
+
 		// Match a given Secret Key to be pushed to the provider.
 		match: {
 			// Remote Refs to push to providers.
@@ -118,8 +124,22 @@ import "strings"
 		// Optionally, sync to the SecretStore of the given name
 		name?: string
 	}]
-	selector: {
-		secret: {
+
+	// The Secret Selector (k8s source) for the Push Secret
+	selector: struct.MaxFields(1) & {
+		// Point to a generator to create a Secret.
+		generatorRef?: {
+			// Specify the apiVersion of the generator resource
+			apiVersion?: string | *"generators.external-secrets.io/v1alpha1"
+
+			// Specify the Kind of the resource, e.g. Password, ACRAccessToken
+			// etc.
+			kind: string
+
+			// Specify the name of the generator resource
+			name: string
+		}
+		secret?: {
 			// Name of the Secret. The Secret must exist in the same namespace
 			// as the PushSecret manifest.
 			name: string
@@ -168,4 +188,8 @@ import "strings"
 		}]
 		type?: string
 	}
+
+	// UpdatePolicy to handle Secrets in the provider. Possible
+	// Values: "Replace/IfNotExists". Defaults to "Replace".
+	updatePolicy?: "Replace" | "IfNotExists" | *"Replace"
 }

internal/generate/platforms/cue.mod/gen/external-secrets.io/secretstore/v1alpha1/types_gen.cue

@@ -1,6 +1,6 @@
 // Code generated by timoni. DO NOT EDIT.
 
-//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-secrets-eso/prod-secrets-eso.gen.yaml
+//timoni:generate timoni vendor crd -f https://raw.githubusercontent.com/external-secrets/external-secrets/v0.10.5/deploy/crds/bundle.yaml
 
 package v1alpha1
 
@@ -744,6 +744,36 @@ import (
 			vault: string
 		}
 
+		// Configures a store to sync secrets with a Password Depot
+		// instance.
+		passworddepot?: {
+			auth: {
+				secretRef: {
+					// Username / Password is used for authentication.
+					credentials?: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+				}
+			}
+
+			// Database to use as source
+			database: string
+
+			// URL configures the Password Depot instance URL.
+			host: string
+		}
+
 		// Vault configures this store to sync secrets using Hashi
 		// provider
 		vault?: {

internal/generate/platforms/cue.mod/gen/external-secrets.io/secretstore/v1beta1/types_gen.cue

@@ -1,6 +1,6 @@
 // Code generated by timoni. DO NOT EDIT.
 
-//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-secrets-eso/prod-secrets-eso.gen.yaml
+//timoni:generate timoni vendor crd -f https://raw.githubusercontent.com/external-secrets/external-secrets/v0.10.5/deploy/crds/bundle.yaml
 
 package v1beta1
 
@@ -54,6 +54,9 @@ import (
 	// Used to constraint a ClusterSecretStore to specific namespaces.
 	// Relevant only to ClusterSecretStore
 	conditions?: [...{
+		// Choose namespaces by using regex matching
+		namespaceRegexes?: [...string]
+
 		// Choose namespace using a labelSelector
 		namespaceSelector?: {
 			// matchExpressions is a list of label selector requirements. The
@@ -98,7 +101,7 @@ import (
 	controller?: string
 
 	// Used to configure the provider. Only one provider may be set
-	provider: {
+	provider: struct.MaxFields(1) & {
 		// Akeyless configures this store to sync secrets using Akeyless
 		// Vault provider
 		akeyless?: {
@@ -393,6 +396,9 @@ import (
 			// AWS External ID set on assumed IAM roles
 			externalID?: string
 
+			// Prefix adds a prefix to all retrieved values.
+			prefix?: string
+
 			// AWS Region to be used for the provider
 			region: string
 
@@ -444,10 +450,28 @@ import (
 		// Vault provider
 		azurekv?: {
 			// Auth configures how the operator authenticates with Azure.
-			// Required for ServicePrincipal auth type.
+			// Required for ServicePrincipal auth type. Optional for
+			// WorkloadIdentity.
 			authSecretRef?: {
-				// The Azure clientId of the service principle used for
+				// The Azure ClientCertificate of the service principle used for
 				// authentication.
+				clientCertificate?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+
+				// The Azure clientId of the service principle or managed identity
+				// used for authentication.
 				clientId?: {
 					// The key of the entry in the Secret resource's `data` field to
 					// be used. Some instances of this field may be
@@ -479,6 +503,23 @@ import (
 					// to the namespace of the referent.
 					namespace?: string
 				}
+
+				// The Azure tenantId of the managed identity used for
+				// authentication.
+				tenantId?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
 			}
 
 			// Auth type defines how to authenticate to the keyvault service.
@@ -522,13 +563,225 @@ import (
 			}
 
 			// TenantID configures the Azure Tenant to send requests to.
-			// Required for ServicePrincipal auth type.
+			// Required for ServicePrincipal auth type. Optional for
+			// WorkloadIdentity.
 			tenantId?: string
 
 			// Vault Url from which the secrets to be fetched from.
 			vaultUrl: string
 		}
 
+		// Beyondtrust configures this store to sync secrets using
+		// Password Safe provider.
+		beyondtrust?: {
+			// Auth configures how the operator authenticates with
+			// Beyondtrust.
+			auth: {
+				// Content of the certificate (cert.pem) for use when
+				// authenticating with an OAuth client Id using a Client
+				// Certificate.
+				certificate?: {
+					// SecretRef references a key in a secret that will be used as
+					// value.
+					secretRef?: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+
+					// Value can be specified directly to set a value without using a
+					// secret.
+					value?: string
+				}
+
+				// Certificate private key (key.pem). For use when authenticating
+				// with an OAuth client Id
+				certificateKey?: {
+					// SecretRef references a key in a secret that will be used as
+					// value.
+					secretRef?: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+
+					// Value can be specified directly to set a value without using a
+					// secret.
+					value?: string
+				}
+				clientId: {
+					// SecretRef references a key in a secret that will be used as
+					// value.
+					secretRef?: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+
+					// Value can be specified directly to set a value without using a
+					// secret.
+					value?: string
+				}
+				clientSecret: {
+					// SecretRef references a key in a secret that will be used as
+					// value.
+					secretRef?: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+
+					// Value can be specified directly to set a value without using a
+					// secret.
+					value?: string
+				}
+			}
+
+			// Auth configures how API server works.
+			server: {
+				apiUrl: string
+
+				// Timeout specifies a time limit for requests made by this
+				// Client. The timeout includes connection time, any redirects,
+				// and reading the response body. Defaults to 45 seconds.
+				clientTimeOutSeconds?: int
+
+				// The secret retrieval type. SECRET = Secrets Safe (credential,
+				// text, file). MANAGED_ACCOUNT = Password Safe account
+				// associated with a system.
+				retrievalType?: string
+
+				// A character that separates the folder names.
+				separator?: string
+				verifyCA:   bool
+			}
+		}
+
+		// BitwardenSecretsManager configures this store to sync secrets
+		// using BitwardenSecretsManager provider
+		bitwardensecretsmanager?: {
+			apiURL?: string
+			auth: {
+				secretRef: {
+					// AccessToken used for the bitwarden instance.
+					credentials: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+				}
+			}
+			bitwardenServerSDKURL?: string
+
+			// Base64 encoded certificate for the bitwarden server sdk. The
+			// sdk MUST run with HTTPS to make sure no MITM attack
+			// can be performed.
+			caBundle?: string
+
+			// see:
+			// https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider
+			caProvider?: {
+				// The key where the CA certificate can be found in the Secret or
+				// ConfigMap.
+				key?: string
+
+				// The name of the object located at the provider type.
+				name: string
+
+				// The namespace the Provider type is in.
+				// Can only be defined when used in a ClusterSecretStore.
+				namespace?: string
+
+				// The type of provider to use such as "Secret", or "ConfigMap".
+				type: "Secret" | "ConfigMap"
+			}
+			identityURL?: string
+
+			// OrganizationID determines which organization this secret store
+			// manages.
+			organizationID: string
+
+			// ProjectID determines which project this secret store manages.
+			projectID: string
+		}
+
+		// Chef configures this store to sync secrets with chef server
+		chef?: {
+			auth: {
+				secretRef: {
+					// SecretKey is the Signing Key in PEM format, used for
+					// authentication.
+					privateKeySecretRef: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+				}
+			}
+
+			// ServerURL is the chef server URL used to connect to. If using
+			// orgs you should include your org in the url and terminate the
+			// url with a "/"
+			serverUrl: string
+
+			// UserName should be the user ID on the chef server
+			username: string
+		}
+
 		// Conjur configures this store to sync secrets using conjur
 		// provider
 		conjur?: {
@@ -573,6 +826,11 @@ import (
 				jwt?: {
 					account: string
 
+					// Optional HostID for JWT authentication. This may be used
+					// depending
+					// on how the Conjur JWT authenticator policy is configured.
+					hostId?: string
+
 					// Optional SecretRef that refers to a key in a Secret resource
 					// containing JWT token to
 					// authenticate with Conjur using the JWT authentication method.
@@ -704,6 +962,33 @@ import (
 			urlTemplate?: string
 		}
 
+		// Device42 configures this store to sync secrets using the
+		// Device42 provider
+		device42?: {
+			auth: {
+				secretRef: {
+					// Username / Password is used for authentication.
+					credentials?: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+				}
+			}
+
+			// URL configures the Device42 instance URL.
+			host: string
+		}
+
 		// Doppler configures this store to sync secrets using the Doppler
 		// provider
 		doppler?: {
@@ -757,6 +1042,33 @@ import (
 			}]
 		}
 
+		// Fortanix configures this store to sync secrets using the
+		// Fortanix provider
+		fortanix?: {
+			apiKey?: {
+				// SecretRef is a reference to a secret containing the SDKMS API
+				// Key.
+				secretRef?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+			}
+
+			// APIURL is the URL of SDKMS API. Defaults to
+			// `sdkms.fortanix.com`.
+			apiUrl?: string
+		}
+
 		// GCPSM configures this store to sync secrets using Google Cloud
 		// Platform Secret Manager provider
 		gcpsm?: {
@@ -805,6 +1117,9 @@ import (
 				}
 			}
 
+			// Location optionally defines a location for a secret
+			location?: string
+
 			// ProjectID project where secret is located
 			projectID?: string
 		}
@@ -895,6 +1210,55 @@ import (
 			serviceUrl?: string
 		}
 
+		// Infisical configures this store to sync secrets using the
+		// Infisical provider
+		infisical?: {
+			auth: {
+				universalAuthCredentials?: {
+					// A reference to a specific 'key' within a Secret resource,
+					// In some instances, `key` is a required field.
+					clientId: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+
+					// A reference to a specific 'key' within a Secret resource,
+					// In some instances, `key` is a required field.
+					clientSecret: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+				}
+			}
+			hostAPI?: string | *"https://app.infisical.com/api"
+			secretsScope: {
+				environmentSlug: string
+				projectSlug:     string
+				recursive?:      bool | *false
+				secretsPath?:    string | *"/"
+			}
+		}
+
 		// KeeperSecurity configures this store to sync secrets using the
 		// KeeperSecurity provider
 		keepersecurity?: {
@@ -922,7 +1286,7 @@ import (
 		kubernetes?: {
 			// Auth configures how secret-manager authenticates with a
 			// Kubernetes instance.
-			auth: {
+			auth?: struct.MaxFields(1) & {
 				// has both clientCert and clientKey as secretKeySelector
 				cert?: {
 					// A reference to a specific 'key' within a Secret resource,
@@ -998,6 +1362,22 @@ import (
 				}
 			}
 
+			// A reference to a secret that contains the auth information.
+			authRef?: {
+				// The key of the entry in the Secret resource's `data` field to
+				// be used. Some instances of this field may be
+				// defaulted, in others it may be required.
+				key?: string
+
+				// The name of the Secret resource being referred to.
+				name?: string
+
+				// Namespace of the resource being referred to. Ignored if
+				// referent is not cluster-scoped. cluster-scoped defaults
+				// to the namespace of the referent.
+				namespace?: string
+			}
+
 			// Remote namespace to fetch the secrets from
 			remoteNamespace?: string | *"default"
 
@@ -1029,6 +1409,61 @@ import (
 			}
 		}
 
+		// Onboardbase configures this store to sync secrets using the
+		// Onboardbase provider
+		onboardbase?: {
+			// APIHost use this to configure the host url for the API for
+			// selfhosted installation, default is
+			// https://public.onboardbase.com/api/v1/
+			apiHost: string | *"https://public.onboardbase.com/api/v1/"
+
+			// Auth configures how the Operator authenticates with the
+			// Onboardbase API
+			auth: {
+				// OnboardbaseAPIKey is the APIKey generated by an admin account.
+				// It is used to recognize and authorize access to a project and
+				// environment within onboardbase
+				apiKeyRef: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+
+				// OnboardbasePasscode is the passcode attached to the API Key
+				passcodeRef: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+			}
+
+			// Environment is the name of an environmnent within a project to
+			// pull the secrets from
+			environment: string | *"development"
+
+			// Project is an onboardbase project that the secrets should be
+			// pulled from
+			project: string | *"development"
+		}
+
 		// OnePassword configures this store to sync secrets using the
 		// 1Password Cloud provider
 		onepassword?: {
@@ -1157,6 +1592,149 @@ import (
 			// located.
 			vault: string
 		}
+		passbolt?: {
+			// Auth defines the information necessary to authenticate against
+			// Passbolt Server
+			auth: {
+				// A reference to a specific 'key' within a Secret resource,
+				// In some instances, `key` is a required field.
+				passwordSecretRef: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+
+				// A reference to a specific 'key' within a Secret resource,
+				// In some instances, `key` is a required field.
+				privateKeySecretRef: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+			}
+
+			// Host defines the Passbolt Server to connect to
+			host: string
+		}
+
+		// Configures a store to sync secrets with a Password Depot
+		// instance.
+		passworddepot?: {
+			auth: {
+				secretRef: {
+					// Username / Password is used for authentication.
+					credentials?: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+				}
+			}
+
+			// Database to use as source
+			database: string
+
+			// URL configures the Password Depot instance URL.
+			host: string
+		}
+
+		// Previder configures this store to sync secrets using the
+		// Previder provider
+		previder?: {
+			auth: {
+				secretRef?: {
+					// The AccessToken is used for authentication
+					accessToken: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+				}
+			}
+			baseUri?: string
+		}
+
+		// Pulumi configures this store to sync secrets using the Pulumi
+		// provider
+		pulumi?: {
+			accessToken: {
+				// SecretRef is a reference to a secret containing the Pulumi API
+				// token.
+				secretRef?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+			}
+
+			// APIURL is the URL of the Pulumi API.
+			apiUrl?: string | *"https://api.pulumi.com/api/esc"
+
+			// Environment are YAML documents composed of static key-value
+			// pairs, programmatic expressions,
+			// dynamically retrieved values from supported providers including
+			// all major clouds,
+			// and other Pulumi ESC environments.
+			// To create a new environment, visit
+			// https://www.pulumi.com/docs/esc/environments/ for more
+			// information.
+			environment: string
+
+			// Organization are a space to collaborate on shared projects and
+			// stacks.
+			// To create a new organization, visit https://app.pulumi.com/ and
+			// click "New Organization".
+			organization: string
+
+			// Project is the name of the Pulumi ESC project the environment
+			// belongs to.
+			project: string
+		}
 
 		// Scaleway
 		scaleway?: {
@@ -1221,6 +1799,63 @@ import (
 			}
 		}
 
+		// SecretServer configures this store to sync secrets using
+		// SecretServer provider
+		// https://docs.delinea.com/online-help/secret-server/start.htm
+		secretserver?: {
+			// Password is the secret server account password.
+			password: {
+				// SecretRef references a key in a secret that will be used as
+				// value.
+				secretRef?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+
+				// Value can be specified directly to set a value without using a
+				// secret.
+				value?: string
+			}
+
+			// ServerURL
+			// URL to your secret server installation
+			serverURL: string
+
+			// Username is the secret server account username.
+			username: {
+				// SecretRef references a key in a secret that will be used as
+				// value.
+				secretRef?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+
+				// Value can be specified directly to set a value without using a
+				// secret.
+				value?: string
+			}
+		}
+
 		// Senhasegura configures this store to sync secrets using
 		// senhasegura provider
 		senhasegura?: {
@@ -1631,6 +2266,17 @@ import (
 					username: string
 				}
 
+				// Name of the vault namespace to authenticate to. This can be
+				// different than the namespace your secret is in.
+				// Namespaces is a set of features within Vault Enterprise that
+				// allows
+				// Vault environments to support Secure Multi-tenancy. e.g: "ns1".
+				// More about namespaces can be found here
+				// https://www.vaultproject.io/docs/enterprise/namespaces
+				// This will default to Vault.Namespace field if set, or empty
+				// otherwise
+				namespace?: string
+
 				// TokenSecretRef authenticates with Vault by presenting a token.
 				tokenSecretRef?: {
 					// The key of the entry in the Secret resource's `data` field to
@@ -1716,6 +2362,11 @@ import (
 			// https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
 			forwardInconsistent?: bool
 
+			// Headers to be added in Vault request
+			headers?: {
+				[string]: string
+			}
+
 			// Name of the vault namespace. Namespaces is a set of features
 			// within Vault Enterprise that allows
 			// Vault environments to support Secure Multi-tenancy. e.g: "ns1".

internal/generate/platforms/cue.mod/gen/generators.external-secrets.io/acraccesstoken/v1alpha1/types_gen.cue

@@ -0,0 +1,164 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://raw.githubusercontent.com/external-secrets/external-secrets/v0.10.5/deploy/crds/bundle.yaml
+
+package v1alpha1
+
+import "strings"
+
+// ACRAccessToken returns a Azure Container Registry token
+// that can be used for pushing/pulling images.
+// Note: by default it will return an ACR Refresh Token with full
+// access
+// (depending on the identity).
+// This can be scoped down to the repository level using
+// .spec.scope.
+// In case scope is defined it will return an ACR Access Token.
+//
+// See docs:
+// https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md
+#ACRAccessToken: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object.
+	// Servers should convert recognized schemas to the latest
+	// internal value, and
+	// may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "generators.external-secrets.io/v1alpha1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents.
+	// Servers may infer this from the endpoint the client submits
+	// requests to.
+	// Cannot be updated.
+	// In CamelCase.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "ACRAccessToken"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// ACRAccessTokenSpec defines how to generate the access token
+	// e.g. how to authenticate and which registry to use.
+	// see:
+	// https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview
+	spec!: #ACRAccessTokenSpec
+}
+
+// ACRAccessTokenSpec defines how to generate the access token
+// e.g. how to authenticate and which registry to use.
+// see:
+// https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview
+#ACRAccessTokenSpec: {
+	auth: {
+		managedIdentity?: {
+			// If multiple Managed Identity is assigned to the pod, you can
+			// select the one to be used
+			identityId?: string
+		}
+		servicePrincipal?: {
+			// Configuration used to authenticate with Azure using static
+			// credentials stored in a Kind=Secret.
+			secretRef: {
+				// The Azure clientId of the service principle used for
+				// authentication.
+				clientId?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+
+				// The Azure ClientSecret of the service principle used for
+				// authentication.
+				clientSecret?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+			}
+		}
+		workloadIdentity?: {
+			// ServiceAccountRef specified the service account
+			// that should be used when authenticating with WorkloadIdentity.
+			serviceAccountRef?: {
+				// Audience specifies the `aud` claim for the service account
+				// token
+				// If the service account uses a well-known annotation for e.g.
+				// IRSA or GCP Workload Identity
+				// then this audiences will be appended to the list
+				audiences?: [...string]
+
+				// The name of the ServiceAccount resource being referred to.
+				name: string
+
+				// Namespace of the resource being referred to. Ignored if
+				// referent is not cluster-scoped. cluster-scoped defaults
+				// to the namespace of the referent.
+				namespace?: string
+			}
+		}
+	}
+
+	// EnvironmentType specifies the Azure cloud environment endpoints
+	// to use for
+	// connecting and authenticating with Azure. By default it points
+	// to the public cloud AAD endpoint.
+	// The following endpoints are available, also see here:
+	// https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
+	// PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
+	environmentType?: "PublicCloud" | "USGovernmentCloud" | "ChinaCloud" | "GermanCloud" | *"PublicCloud"
+
+	// the domain name of the ACR registry
+	// e.g. foobarexample.azurecr.io
+	registry: string
+
+	// Define the scope for the access token, e.g. pull/push access
+	// for a repository.
+	// if not provided it will return a refresh token that has full
+	// scope.
+	// Note: you need to pin it down to the repository level, there is
+	// no wildcard available.
+	//
+	// examples:
+	// repository:my-repository:pull,push
+	// repository:my-repository:pull
+	//
+	// see docs for details:
+	// https://docs.docker.com/registry/spec/auth/scope/
+	scope?: string
+
+	// TenantID configures the Azure Tenant to send requests to.
+	// Required for ServicePrincipal auth type.
+	tenantId?: string
+}

internal/generate/platforms/cue.mod/gen/generators.external-secrets.io/ecrauthorizationtoken/v1alpha1/types_gen.cue

@@ -0,0 +1,142 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://raw.githubusercontent.com/external-secrets/external-secrets/v0.10.5/deploy/crds/bundle.yaml
+
+package v1alpha1
+
+import "strings"
+
+// ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to
+// retrieve an
+// authorization token.
+// The authorization token is valid for 12 hours.
+// The authorizationToken returned is a base64 encoded string that
+// can be decoded
+// and used in a docker login command to authenticate to a
+// registry.
+// For more information, see Registry authentication
+// (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth)
+// in the Amazon Elastic Container Registry User Guide.
+#ECRAuthorizationToken: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object.
+	// Servers should convert recognized schemas to the latest
+	// internal value, and
+	// may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "generators.external-secrets.io/v1alpha1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents.
+	// Servers may infer this from the endpoint the client submits
+	// requests to.
+	// Cannot be updated.
+	// In CamelCase.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "ECRAuthorizationToken"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+	spec!: #ECRAuthorizationTokenSpec
+}
+#ECRAuthorizationTokenSpec: {
+	// Auth defines how to authenticate with AWS
+	auth?: {
+		jwt?: {
+			// A reference to a ServiceAccount resource.
+			serviceAccountRef?: {
+				// Audience specifies the `aud` claim for the service account
+				// token
+				// If the service account uses a well-known annotation for e.g.
+				// IRSA or GCP Workload Identity
+				// then this audiences will be appended to the list
+				audiences?: [...string]
+
+				// The name of the ServiceAccount resource being referred to.
+				name: string
+
+				// Namespace of the resource being referred to. Ignored if
+				// referent is not cluster-scoped. cluster-scoped defaults
+				// to the namespace of the referent.
+				namespace?: string
+			}
+		}
+
+		// AWSAuthSecretRef holds secret references for AWS credentials
+		// both AccessKeyID and SecretAccessKey must be defined in order
+		// to properly authenticate.
+		secretRef?: {
+			// The AccessKeyID is used for authentication
+			accessKeyIDSecretRef?: {
+				// The key of the entry in the Secret resource's `data` field to
+				// be used. Some instances of this field may be
+				// defaulted, in others it may be required.
+				key?: string
+
+				// The name of the Secret resource being referred to.
+				name?: string
+
+				// Namespace of the resource being referred to. Ignored if
+				// referent is not cluster-scoped. cluster-scoped defaults
+				// to the namespace of the referent.
+				namespace?: string
+			}
+
+			// The SecretAccessKey is used for authentication
+			secretAccessKeySecretRef?: {
+				// The key of the entry in the Secret resource's `data` field to
+				// be used. Some instances of this field may be
+				// defaulted, in others it may be required.
+				key?: string
+
+				// The name of the Secret resource being referred to.
+				name?: string
+
+				// Namespace of the resource being referred to. Ignored if
+				// referent is not cluster-scoped. cluster-scoped defaults
+				// to the namespace of the referent.
+				namespace?: string
+			}
+
+			// The SessionToken used for authentication
+			// This must be defined if AccessKeyID and SecretAccessKey are
+			// temporary credentials
+			// see:
+			// https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
+			sessionTokenSecretRef?: {
+				// The key of the entry in the Secret resource's `data` field to
+				// be used. Some instances of this field may be
+				// defaulted, in others it may be required.
+				key?: string
+
+				// The name of the Secret resource being referred to.
+				name?: string
+
+				// Namespace of the resource being referred to. Ignored if
+				// referent is not cluster-scoped. cluster-scoped defaults
+				// to the namespace of the referent.
+				namespace?: string
+			}
+		}
+	}
+
+	// Region specifies the region to operate in.
+	region: string
+
+	// You can assume a role before making calls to the
+	// desired AWS service.
+	role?: string
+}

internal/generate/platforms/cue.mod/gen/generators.external-secrets.io/fake/v1alpha1/types_gen.cue

@@ -0,0 +1,62 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://raw.githubusercontent.com/external-secrets/external-secrets/v0.10.5/deploy/crds/bundle.yaml
+
+package v1alpha1
+
+import "strings"
+
+// Fake generator is used for testing. It lets you define
+// a static set of credentials that is always returned.
+#Fake: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object.
+	// Servers should convert recognized schemas to the latest
+	// internal value, and
+	// may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "generators.external-secrets.io/v1alpha1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents.
+	// Servers may infer this from the endpoint the client submits
+	// requests to.
+	// Cannot be updated.
+	// In CamelCase.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Fake"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// FakeSpec contains the static data.
+	spec!: #FakeSpec
+}
+
+// FakeSpec contains the static data.
+#FakeSpec: {
+	// Used to select the correct ESO controller (think:
+	// ingress.ingressClassName)
+	// The ESO controller is instantiated with a specific controller
+	// name and filters VDS based on this property
+	controller?: string
+
+	// Data defines the static data returned
+	// by this generator.
+	data?: {
+		[string]: string
+	}
+}

internal/generate/platforms/cue.mod/gen/generators.external-secrets.io/gcraccesstoken/v1alpha1/types_gen.cue

@@ -0,0 +1,93 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://raw.githubusercontent.com/external-secrets/external-secrets/v0.10.5/deploy/crds/bundle.yaml
+
+package v1alpha1
+
+import "strings"
+
+// GCRAccessToken generates an GCP access token
+// that can be used to authenticate with GCR.
+#GCRAccessToken: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object.
+	// Servers should convert recognized schemas to the latest
+	// internal value, and
+	// may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "generators.external-secrets.io/v1alpha1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents.
+	// Servers may infer this from the endpoint the client submits
+	// requests to.
+	// Cannot be updated.
+	// In CamelCase.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "GCRAccessToken"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+	spec!: #GCRAccessTokenSpec
+}
+#GCRAccessTokenSpec: {
+	// Auth defines the means for authenticating with GCP
+	auth: {
+		secretRef?: {
+			// The SecretAccessKey is used for authentication
+			secretAccessKeySecretRef?: {
+				// The key of the entry in the Secret resource's `data` field to
+				// be used. Some instances of this field may be
+				// defaulted, in others it may be required.
+				key?: string
+
+				// The name of the Secret resource being referred to.
+				name?: string
+
+				// Namespace of the resource being referred to. Ignored if
+				// referent is not cluster-scoped. cluster-scoped defaults
+				// to the namespace of the referent.
+				namespace?: string
+			}
+		}
+		workloadIdentity?: {
+			clusterLocation:   string
+			clusterName:       string
+			clusterProjectID?: string
+
+			// A reference to a ServiceAccount resource.
+			serviceAccountRef: {
+				// Audience specifies the `aud` claim for the service account
+				// token
+				// If the service account uses a well-known annotation for e.g.
+				// IRSA or GCP Workload Identity
+				// then this audiences will be appended to the list
+				audiences?: [...string]
+
+				// The name of the ServiceAccount resource being referred to.
+				name: string
+
+				// Namespace of the resource being referred to. Ignored if
+				// referent is not cluster-scoped. cluster-scoped defaults
+				// to the namespace of the referent.
+				namespace?: string
+			}
+		}
+	}
+
+	// ProjectID defines which project to use to authenticate with
+	projectID: string
+}

internal/generate/platforms/cue.mod/gen/generators.external-secrets.io/githubaccesstoken/v1alpha1/types_gen.cue

@@ -0,0 +1,72 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://raw.githubusercontent.com/external-secrets/external-secrets/v0.10.5/deploy/crds/bundle.yaml
+
+package v1alpha1
+
+import "strings"
+
+// GithubAccessToken generates ghs_ accessToken
+#GithubAccessToken: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object.
+	// Servers should convert recognized schemas to the latest
+	// internal value, and
+	// may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "generators.external-secrets.io/v1alpha1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents.
+	// Servers may infer this from the endpoint the client submits
+	// requests to.
+	// Cannot be updated.
+	// In CamelCase.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "GithubAccessToken"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+	spec!: #GithubAccessTokenSpec
+}
+#GithubAccessTokenSpec: {
+	appID: string
+	auth: {
+		privateKey: {
+			// A reference to a specific 'key' within a Secret resource,
+			// In some instances, `key` is a required field.
+			secretRef: {
+				// The key of the entry in the Secret resource's `data` field to
+				// be used. Some instances of this field may be
+				// defaulted, in others it may be required.
+				key?: string
+
+				// The name of the Secret resource being referred to.
+				name?: string
+
+				// Namespace of the resource being referred to. Ignored if
+				// referent is not cluster-scoped. cluster-scoped defaults
+				// to the namespace of the referent.
+				namespace?: string
+			}
+		}
+	}
+	installID: string
+
+	// URL configures the Github instance URL. Defaults to
+	// https://github.com/.
+	url?: string
+}

internal/generate/platforms/cue.mod/gen/generators.external-secrets.io/password/v1alpha1/types_gen.cue

@@ -0,0 +1,77 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://raw.githubusercontent.com/external-secrets/external-secrets/v0.10.5/deploy/crds/bundle.yaml
+
+package v1alpha1
+
+import "strings"
+
+// Password generates a random password based on the
+// configuration parameters in spec.
+// You can specify the length, characterset and other attributes.
+#Password: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object.
+	// Servers should convert recognized schemas to the latest
+	// internal value, and
+	// may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "generators.external-secrets.io/v1alpha1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents.
+	// Servers may infer this from the endpoint the client submits
+	// requests to.
+	// Cannot be updated.
+	// In CamelCase.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Password"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// PasswordSpec controls the behavior of the password generator.
+	spec!: #PasswordSpec
+}
+
+// PasswordSpec controls the behavior of the password generator.
+#PasswordSpec: {
+	// set AllowRepeat to true to allow repeating characters.
+	allowRepeat: bool | *false
+
+	// Digits specifies the number of digits in the generated
+	// password. If omitted it defaults to 25% of the length of the
+	// password
+	digits?: int
+
+	// Length of the password to be generated.
+	// Defaults to 24
+	length: int | *24
+
+	// Set NoUpper to disable uppercase characters
+	noUpper: bool | *false
+
+	// SymbolCharacters specifies the special characters that should
+	// be used
+	// in the generated password.
+	symbolCharacters?: string
+
+	// Symbols specifies the number of symbol characters in the
+	// generated
+	// password. If omitted it defaults to 25% of the length of the
+	// password
+	symbols?: int
+}

internal/generate/platforms/cue.mod/gen/generators.external-secrets.io/uuid/v1alpha1/types_gen.cue

@@ -0,0 +1,50 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://raw.githubusercontent.com/external-secrets/external-secrets/v0.10.5/deploy/crds/bundle.yaml
+
+package v1alpha1
+
+import "strings"
+
+// UUID generates a version 1 UUID
+// (e56657e3-764f-11ef-a397-65231a88c216).
+#UUID: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object.
+	// Servers should convert recognized schemas to the latest
+	// internal value, and
+	// may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "generators.external-secrets.io/v1alpha1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents.
+	// Servers may infer this from the endpoint the client submits
+	// requests to.
+	// Cannot be updated.
+	// In CamelCase.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "UUID"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// UUIDSpec controls the behavior of the uuid generator.
+	spec!: #UUIDSpec
+}
+
+// UUIDSpec controls the behavior of the uuid generator.
+#UUIDSpec: {}

internal/generate/platforms/cue.mod/gen/generators.external-secrets.io/vaultdynamicsecret/v1alpha1/types_gen.cue

@@ -0,0 +1,625 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://raw.githubusercontent.com/external-secrets/external-secrets/v0.10.5/deploy/crds/bundle.yaml
+
+package v1alpha1
+
+import "strings"
+
+#VaultDynamicSecret: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object.
+	// Servers should convert recognized schemas to the latest
+	// internal value, and
+	// may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "generators.external-secrets.io/v1alpha1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents.
+	// Servers may infer this from the endpoint the client submits
+	// requests to.
+	// Cannot be updated.
+	// In CamelCase.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "VaultDynamicSecret"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+	spec!: #VaultDynamicSecretSpec
+}
+#VaultDynamicSecretSpec: {
+	// Used to select the correct ESO controller (think:
+	// ingress.ingressClassName)
+	// The ESO controller is instantiated with a specific controller
+	// name and filters VDS based on this property
+	controller?: string
+
+	// Vault API method to use (GET/POST/other)
+	method?: string
+
+	// Parameters to pass to Vault write (for non-GET methods)
+	parameters?: _
+
+	// Vault path to obtain the dynamic secret from
+	path: string
+
+	// Vault provider common spec
+	provider: {
+		// Auth configures how secret-manager authenticates with the Vault
+		// server.
+		auth: {
+			// AppRole authenticates with Vault using the App Role auth
+			// mechanism,
+			// with the role and secret stored in a Kubernetes Secret
+			// resource.
+			appRole?: {
+				// Path where the App Role authentication backend is mounted
+				// in Vault, e.g: "approle"
+				path: string | *"approle"
+
+				// RoleID configured in the App Role authentication backend when
+				// setting
+				// up the authentication backend in Vault.
+				roleId?: string
+
+				// Reference to a key in a Secret that contains the App Role ID
+				// used
+				// to authenticate with Vault.
+				// The `key` field must be specified and denotes which entry
+				// within the Secret
+				// resource is used as the app role id.
+				roleRef?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+
+				// Reference to a key in a Secret that contains the App Role
+				// secret used
+				// to authenticate with Vault.
+				// The `key` field must be specified and denotes which entry
+				// within the Secret
+				// resource is used as the app role secret.
+				secretRef: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+			}
+
+			// Cert authenticates with TLS Certificates by passing client
+			// certificate, private key and ca certificate
+			// Cert authentication method
+			cert?: {
+				// ClientCert is a certificate to authenticate using the Cert
+				// Vault
+				// authentication method
+				clientCert?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+
+				// SecretRef to a key in a Secret resource containing client
+				// private key to
+				// authenticate with Vault using the Cert authentication method
+				secretRef?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+			}
+
+			// Iam authenticates with vault by passing a special AWS request
+			// signed with AWS IAM credentials
+			// AWS IAM authentication method
+			iam?: {
+				// AWS External ID set on assumed IAM roles
+				externalID?: string
+				jwt?: {
+					// A reference to a ServiceAccount resource.
+					serviceAccountRef?: {
+						// Audience specifies the `aud` claim for the service account
+						// token
+						// If the service account uses a well-known annotation for e.g.
+						// IRSA or GCP Workload Identity
+						// then this audiences will be appended to the list
+						audiences?: [...string]
+
+						// The name of the ServiceAccount resource being referred to.
+						name: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+				}
+
+				// Path where the AWS auth method is enabled in Vault, e.g: "aws"
+				path?: string
+
+				// AWS region
+				region?: string
+
+				// This is the AWS role to be assumed before talking to vault
+				role?: string
+
+				// Specify credentials in a Secret object
+				secretRef?: {
+					// The AccessKeyID is used for authentication
+					accessKeyIDSecretRef?: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+
+					// The SecretAccessKey is used for authentication
+					secretAccessKeySecretRef?: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+
+					// The SessionToken used for authentication
+					// This must be defined if AccessKeyID and SecretAccessKey are
+					// temporary credentials
+					// see:
+					// https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
+					sessionTokenSecretRef?: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+				}
+
+				// X-Vault-AWS-IAM-Server-ID is an additional header used by Vault
+				// IAM auth method to mitigate against different types of replay
+				// attacks. More details here:
+				// https://developer.hashicorp.com/vault/docs/auth/aws
+				vaultAwsIamServerID?: string
+
+				// Vault Role. In vault, a role describes an identity with a set
+				// of permissions, groups, or policies you want to attach a user
+				// of the secrets engine
+				vaultRole: string
+			}
+
+			// Jwt authenticates with Vault by passing role and JWT token
+			// using the
+			// JWT/OIDC authentication method
+			jwt?: {
+				// Optional ServiceAccountToken specifies the Kubernetes service
+				// account for which to request
+				// a token for with the `TokenRequest` API.
+				kubernetesServiceAccountToken?: {
+					// Optional audiences field that will be used to request a
+					// temporary Kubernetes service
+					// account token for the service account referenced by
+					// `serviceAccountRef`.
+					// Defaults to a single audience `vault` it not specified.
+					// Deprecated: use serviceAccountRef.Audiences instead
+					audiences?: [...string]
+
+					// Optional expiration time in seconds that will be used to
+					// request a temporary
+					// Kubernetes service account token for the service account
+					// referenced by
+					// `serviceAccountRef`.
+					// Deprecated: this will be removed in the future.
+					// Defaults to 10 minutes.
+					expirationSeconds?: int
+
+					// Service account field containing the name of a kubernetes
+					// ServiceAccount.
+					serviceAccountRef: {
+						// Audience specifies the `aud` claim for the service account
+						// token
+						// If the service account uses a well-known annotation for e.g.
+						// IRSA or GCP Workload Identity
+						// then this audiences will be appended to the list
+						audiences?: [...string]
+
+						// The name of the ServiceAccount resource being referred to.
+						name: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+				}
+
+				// Path where the JWT authentication backend is mounted
+				// in Vault, e.g: "jwt"
+				path: string | *"jwt"
+
+				// Role is a JWT role to authenticate using the JWT/OIDC Vault
+				// authentication method
+				role?: string
+
+				// Optional SecretRef that refers to a key in a Secret resource
+				// containing JWT token to
+				// authenticate with Vault using the JWT/OIDC authentication
+				// method.
+				secretRef?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+			}
+
+			// Kubernetes authenticates with Vault by passing the
+			// ServiceAccount
+			// token stored in the named Secret resource to the Vault server.
+			kubernetes?: {
+				// Path where the Kubernetes authentication backend is mounted in
+				// Vault, e.g:
+				// "kubernetes"
+				mountPath: string | *"kubernetes"
+
+				// A required field containing the Vault Role to assume. A Role
+				// binds a
+				// Kubernetes ServiceAccount with a set of Vault policies.
+				role: string
+
+				// Optional secret field containing a Kubernetes ServiceAccount
+				// JWT used
+				// for authenticating with Vault. If a name is specified without a
+				// key,
+				// `token` is the default. If one is not specified, the one bound
+				// to
+				// the controller will be used.
+				secretRef?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+
+				// Optional service account field containing the name of a
+				// kubernetes ServiceAccount.
+				// If the service account is specified, the service account secret
+				// token JWT will be used
+				// for authenticating with Vault. If the service account selector
+				// is not supplied,
+				// the secretRef will be used instead.
+				serviceAccountRef?: {
+					// Audience specifies the `aud` claim for the service account
+					// token
+					// If the service account uses a well-known annotation for e.g.
+					// IRSA or GCP Workload Identity
+					// then this audiences will be appended to the list
+					audiences?: [...string]
+
+					// The name of the ServiceAccount resource being referred to.
+					name: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+			}
+
+			// Ldap authenticates with Vault by passing username/password pair
+			// using
+			// the LDAP authentication method
+			ldap?: {
+				// Path where the LDAP authentication backend is mounted
+				// in Vault, e.g: "ldap"
+				path: string | *"ldap"
+
+				// SecretRef to a key in a Secret resource containing password for
+				// the LDAP
+				// user used to authenticate with Vault using the LDAP
+				// authentication
+				// method
+				secretRef?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+
+				// Username is a LDAP user name used to authenticate using the
+				// LDAP Vault
+				// authentication method
+				username: string
+			}
+
+			// Name of the vault namespace to authenticate to. This can be
+			// different than the namespace your secret is in.
+			// Namespaces is a set of features within Vault Enterprise that
+			// allows
+			// Vault environments to support Secure Multi-tenancy. e.g: "ns1".
+			// More about namespaces can be found here
+			// https://www.vaultproject.io/docs/enterprise/namespaces
+			// This will default to Vault.Namespace field if set, or empty
+			// otherwise
+			namespace?: string
+
+			// TokenSecretRef authenticates with Vault by presenting a token.
+			tokenSecretRef?: {
+				// The key of the entry in the Secret resource's `data` field to
+				// be used. Some instances of this field may be
+				// defaulted, in others it may be required.
+				key?: string
+
+				// The name of the Secret resource being referred to.
+				name?: string
+
+				// Namespace of the resource being referred to. Ignored if
+				// referent is not cluster-scoped. cluster-scoped defaults
+				// to the namespace of the referent.
+				namespace?: string
+			}
+
+			// UserPass authenticates with Vault by passing username/password
+			// pair
+			userPass?: {
+				// Path where the UserPassword authentication backend is mounted
+				// in Vault, e.g: "user"
+				path: string | *"user"
+
+				// SecretRef to a key in a Secret resource containing password for
+				// the
+				// user used to authenticate with Vault using the UserPass
+				// authentication
+				// method
+				secretRef?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+
+				// Username is a user name used to authenticate using the UserPass
+				// Vault
+				// authentication method
+				username: string
+			}
+		}
+
+		// PEM encoded CA bundle used to validate Vault server
+		// certificate. Only used
+		// if the Server URL is using HTTPS protocol. This parameter is
+		// ignored for
+		// plain HTTP protocol connection. If not set the system root
+		// certificates
+		// are used to validate the TLS connection.
+		caBundle?: string
+
+		// The provider for the CA bundle to use to validate Vault server
+		// certificate.
+		caProvider?: {
+			// The key where the CA certificate can be found in the Secret or
+			// ConfigMap.
+			key?: string
+
+			// The name of the object located at the provider type.
+			name: string
+
+			// The namespace the Provider type is in.
+			// Can only be defined when used in a ClusterSecretStore.
+			namespace?: string
+
+			// The type of provider to use such as "Secret", or "ConfigMap".
+			type: "Secret" | "ConfigMap"
+		}
+
+		// ForwardInconsistent tells Vault to forward read-after-write
+		// requests to the Vault
+		// leader instead of simply retrying within a loop. This can
+		// increase performance if
+		// the option is enabled serverside.
+		// https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
+		forwardInconsistent?: bool
+
+		// Headers to be added in Vault request
+		headers?: {
+			[string]: string
+		}
+
+		// Name of the vault namespace. Namespaces is a set of features
+		// within Vault Enterprise that allows
+		// Vault environments to support Secure Multi-tenancy. e.g: "ns1".
+		// More about namespaces can be found here
+		// https://www.vaultproject.io/docs/enterprise/namespaces
+		namespace?: string
+
+		// Path is the mount path of the Vault KV backend endpoint, e.g:
+		// "secret". The v2 KV secret engine version specific "/data" path
+		// suffix
+		// for fetching secrets from Vault is optional and will be
+		// appended
+		// if not present in specified path.
+		path?: string
+
+		// ReadYourWrites ensures isolated read-after-write semantics by
+		// providing discovered cluster replication states in each
+		// request.
+		// More information about eventual consistency in Vault can be
+		// found here
+		// https://www.vaultproject.io/docs/enterprise/consistency
+		readYourWrites?: bool
+
+		// Server is the connection address for the Vault server, e.g:
+		// "https://vault.example.com:8200".
+		server: string
+
+		// The configuration used for client side related TLS
+		// communication, when the Vault server
+		// requires mutual authentication. Only used if the Server URL is
+		// using HTTPS protocol.
+		// This parameter is ignored for plain HTTP protocol connection.
+		// It's worth noting this configuration is different from the "TLS
+		// certificates auth method",
+		// which is available under the `auth.cert` section.
+		tls?: {
+			// CertSecretRef is a certificate added to the transport layer
+			// when communicating with the Vault server.
+			// If no key for the Secret is specified, external-secret will
+			// default to 'tls.crt'.
+			certSecretRef?: {
+				// The key of the entry in the Secret resource's `data` field to
+				// be used. Some instances of this field may be
+				// defaulted, in others it may be required.
+				key?: string
+
+				// The name of the Secret resource being referred to.
+				name?: string
+
+				// Namespace of the resource being referred to. Ignored if
+				// referent is not cluster-scoped. cluster-scoped defaults
+				// to the namespace of the referent.
+				namespace?: string
+			}
+
+			// KeySecretRef to a key in a Secret resource containing client
+			// private key
+			// added to the transport layer when communicating with the Vault
+			// server.
+			// If no key for the Secret is specified, external-secret will
+			// default to 'tls.key'.
+			keySecretRef?: {
+				// The key of the entry in the Secret resource's `data` field to
+				// be used. Some instances of this field may be
+				// defaulted, in others it may be required.
+				key?: string
+
+				// The name of the Secret resource being referred to.
+				name?: string
+
+				// Namespace of the resource being referred to. Ignored if
+				// referent is not cluster-scoped. cluster-scoped defaults
+				// to the namespace of the referent.
+				namespace?: string
+			}
+		}
+
+		// Version is the Vault KV secret engine version. This can be
+		// either "v1" or
+		// "v2". Version defaults to "v2".
+		version?: "v1" | "v2" | *"v2"
+	}
+
+	// Result type defines which data is returned from the generator.
+	// By default it is the "data" section of the Vault API response.
+	// When using e.g. /auth/token/create the "data" section is empty
+	// but
+	// the "auth" section contains the generated token.
+	// Please refer to the vault docs regarding the result data
+	// structure.
+	resultType?: "Data" | "Auth" | *"Data"
+}

internal/generate/platforms/cue.mod/gen/generators.external-secrets.io/webhook/v1alpha1/types_gen.cue

@@ -0,0 +1,123 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://raw.githubusercontent.com/external-secrets/external-secrets/v0.10.5/deploy/crds/bundle.yaml
+
+package v1alpha1
+
+import "strings"
+
+// Webhook connects to a third party API server to handle the
+// secrets generation
+// configuration parameters in spec.
+// You can specify the server, the token, and additional body
+// parameters.
+// See documentation for the full API specification for requests
+// and responses.
+#Webhook: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object.
+	// Servers should convert recognized schemas to the latest
+	// internal value, and
+	// may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "generators.external-secrets.io/v1alpha1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents.
+	// Servers may infer this from the endpoint the client submits
+	// requests to.
+	// Cannot be updated.
+	// In CamelCase.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Webhook"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// WebhookSpec controls the behavior of the external generator.
+	// Any body parameters should be passed to the server through the
+	// parameters field.
+	spec!: #WebhookSpec
+}
+
+// WebhookSpec controls the behavior of the external generator.
+// Any body parameters should be passed to the server through the
+// parameters field.
+#WebhookSpec: {
+	// Body
+	body?: string
+
+	// PEM encoded CA bundle used to validate webhook server
+	// certificate. Only used
+	// if the Server URL is using HTTPS protocol. This parameter is
+	// ignored for
+	// plain HTTP protocol connection. If not set the system root
+	// certificates
+	// are used to validate the TLS connection.
+	caBundle?: string
+
+	// The provider for the CA bundle to use to validate webhook
+	// server certificate.
+	caProvider?: {
+		// The key the value inside of the provider type to use, only used
+		// with "Secret" type
+		key?: string
+
+		// The name of the object located at the provider type.
+		name: string
+
+		// The namespace the Provider type is in.
+		namespace?: string
+
+		// The type of provider to use such as "Secret", or "ConfigMap".
+		type: "Secret" | "ConfigMap"
+	}
+
+	// Headers
+	headers?: {
+		[string]: string
+	}
+
+	// Webhook Method
+	method?: string
+	result: {
+		// Json path of return value
+		jsonPath?: string
+	}
+
+	// Secrets to fill in templates
+	// These secrets will be passed to the templating function as key
+	// value pairs under the given name
+	secrets?: [...{
+		// Name of this secret in templates
+		name: string
+
+		// Secret ref to fill in credentials
+		secretRef: {
+			// The key where the token is found.
+			key?: string
+
+			// The name of the Secret resource being referred to.
+			name?: string
+		}
+	}]
+
+	// Timeout
+	timeout?: string
+
+	// Webhook url to call
+	url: string
+}

internal/generate/platforms/cue.mod/gen/github.com/holos-run/holos/api/author/v1alpha5/definitions_go_gen.cue

@@ -92,6 +92,12 @@ import "github.com/holos-run/holos/api/core/v1alpha5:core"
 	// Namespace sets the helm chart namespace flag if provided.
 	Namespace?: string
 
+	// APIVersions represents the helm template --api-versions flag
+	APIVersions?: [...string] @go(,[]string)
+
+	// KubeVersion represents the helm template --kube-version flag
+	KubeVersion?: string
+
 	// BuildPlan represents the derived BuildPlan produced for the holos render
 	// component command.
 	BuildPlan: core.#BuildPlan

internal/generate/platforms/cue.mod/gen/github.com/holos-run/holos/api/core/v1alpha5/types_go_gen.cue

@@ -147,6 +147,12 @@ package core
 
 	// Namespace represents the helm namespace flag
 	namespace?: string @go(Namespace)
+
+	// APIVersions represents the helm template --api-versions flag
+	apiVersions?: [...string] @go(APIVersions,[]string)
+
+	// KubeVersion represents the helm template --kube-version flag
+	kubeVersion?: string @go(KubeVersion)
 }
 
 // Values represents [Helm] Chart values generated from CUE.

internal/generate/platforms/cue.mod/pkg/github.com/holos-run/holos/api/author/v1alpha5/definitions.cue

@@ -106,9 +106,11 @@ import (
 		name:    string | *Name
 		release: string | *name
 	}
-	Values:      _
-	EnableHooks: _
-	Namespace?:  _
+	Values:       _
+	EnableHooks:  _
+	Namespace?:   _
+	APIVersions?: _
+	KubeVersion?: _
 
 	Artifacts: {
 		HolosComponent: {
@@ -134,6 +136,12 @@ import (
 						if Namespace != _|_ {
 							namespace: Namespace
 						}
+						if APIVersions != _|_ {
+							apiVersions: APIVersions
+						}
+						if KubeVersion != _|_ {
+							kubeVersion: KubeVersion
+						}
 					}
 				},
 				{

version/embedded/minor

@@ -1 +1 @@
-98
+99

version/embedded/patch

@@ -1 +1 @@
-1
+2