cli: gate grpc client and auth flags behind feature flag

Previously the holos render platform and component subcommands had flags
for oidc authentication and client access to the gRPC service.  These
flags aren't currently used, they're remnants from the json powered form
prototype.

This patch gates the flags behind a feature flag which is disabled by
default.

Result:

  holos render platform --help

render an entire platform

Usage:
  holos render platform DIRECTORY [flags]

Examples:
  holos render platform ./platform

Flags:
      --concurrency int   number of components to render concurrently (default 8)
  -v, --version           version for platform

Global Flags:
      --log-drop strings    log attributes to drop (example "user-agent,version")
      --log-format string   log format (text|json|console) (default "console")
      --log-level string    log level (debug|info|warn|error) (default "info")

---

  HOLOS_FEATURE_CLIENT=1 holos render platform --help

render an entire platform

Usage:
  holos render platform DIRECTORY [flags]

Examples:
  holos render platform ./platform

Flags:
      --concurrency int             number of components to render concurrently (default 8)
      --oidc-client-id string       oidc client id. (default "270319630705329162@holos_platform")
      --oidc-extra-scopes strings   optional oidc scopes
      --oidc-force-refresh          force refresh
      --oidc-issuer string          oidc token issuer url. (default "https://login.holos.run")
      --oidc-scopes strings         required oidc scopes (default openid,email,profile,groups,offline_access)
      --server string               server to connect to (default "https://app.holos.run:443")
  -v, --version                     version for platform

Global Flags:
      --log-drop strings    log attributes to drop (example "user-agent,version")
      --log-format string   log format (text|json|console) (default "console")
      --log-level string    log level (debug|info|warn|error) (default "info")

.cspell.json

@@ -6,10 +6,12 @@
   ],
   "words": [
     "acmesolver",
+    "acraccesstoken",
     "acraccesstokens",
     "admissionregistration",
     "alertmanager",
     "alertmanagers",
+    "anchore",
     "anthos",
     "apiextensions",
     "apimachinery",
@@ -55,6 +57,7 @@
     "Cmds",
     "CNCF",
     "CODEOWNERS",
+    "componentconfig",
     "configdir",
     "configmap",
     "configmapargs",
@@ -74,9 +77,11 @@
     "deploymentruntimeconfig",
     "destinationrule",
     "destinationrules",
+    "devel",
     "devicecode",
     "dnsmasq",
     "dscacheutil",
+    "ecrauthorizationtoken",
     "ecrauthorizationtokens",
     "edns",
     "endpointslices",
@@ -95,6 +100,7 @@
     "fullname",
     "gatewayclass",
     "gatewayclasses",
+    "gcraccesstoken",
     "gcraccesstokens",
     "gendoc",
     "generationbehavior",
@@ -103,6 +109,7 @@
     "genproto",
     "ggnpl",
     "ghaction",
+    "githubaccesstoken",
     "githubaccesstokens",
     "gitops",
     "GOBIN",
@@ -133,6 +140,7 @@
     "httproute",
     "httproutes",
     "iampolicygenerator",
+    "incpatch",
     "Infima",
     "intstr",
     "isatty",
@@ -149,6 +157,7 @@
     "kubelet",
     "kubelogin",
     "kubernetesobjects",
+    "kubeversion",
     "Kustomization",
     "Kustomizations",
     "kustomize",
@@ -251,6 +260,7 @@
     "rolebinding",
     "rootfs",
     "ropc",
+    "sboms",
     "seccomp",
     "secretargs",
     "SECRETKEY",
@@ -300,6 +310,7 @@
     "typemeta",
     "udev",
     "uibutton",
+    "Unmarshal",
     "unstage",
     "untar",
     "upbound",
@@ -311,6 +322,7 @@
     "userservice",
     "validatingwebhookconfiguration",
     "validatingwebhookconfigurations",
+    "vaultdynamicsecret",
     "vaultdynamicsecrets",
     "virtualservice",
     "virtualservices",

.github/workflows/release.yaml

@@ -35,6 +35,9 @@ jobs:
         with:
           go-version: stable
 
+      - name: Setup Syft
+        uses: anchore/sbom-action/download-syft@1ca97d9028b51809cf6d3c934c3e160716e1b605 # v0.17.5
+
       # Necessary to run these outside of goreleaser, otherwise
       # /home/runner/_work/holos/holos/internal/frontend/node_modules/.bin/protoc-gen-connect-query is not in PATH
       - name: Install Tools
@@ -54,11 +57,19 @@ jobs:
       - name: Git diff
         run: git diff
 
+      - uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          owner: ${{ github.repository_owner }}
+          app-id: ${{ vars.GORELEASER_APP_ID }}
+          private-key: ${{ secrets.GORELEASER_APP_PRIVATE_KEY }}
+
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v5
         with:
           distribution: goreleaser
-          version: latest
+          version: '~> v2'
           args: release --clean
         env:
+          HOMEBREW_TAP_GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.goreleaser.yaml

@@ -6,7 +6,7 @@
 # yaml-language-server: $schema=https://goreleaser.com/static/schema.json
 # vim: set ts=2 sw=2 tw=0 fo=cnqoj
 
-version: 1
+version: 2
 
 before:
   hooks:
@@ -50,3 +50,39 @@ changelog:
     exclude:
       - "^docs:"
       - "^test:"
+
+source:
+  enabled: true
+  name_template: '{{ .ProjectName }}_{{ .Version }}_source_code'
+
+sboms:
+  - id: source
+    artifacts: source
+    documents:
+      - "{{ .ProjectName }}_{{ .Version }}_sbom.spdx.json"
+
+brews:
+  - name: holos
+    repository:
+      owner: holos-run
+      name: homebrew-tap
+      branch: main
+      token: "{{ .Env.HOMEBREW_TAP_GITHUB_TOKEN }}"
+    directory: Formula
+    homepage: "https://holos.run"
+    description: "Holos CLI"
+    dependencies:
+      - name: helm
+        type: optional
+      - name: kubectl
+        type: optional
+    install: |
+      bin.install "holos"
+      bash_output = Utils.safe_popen_read(bin/"holos", "completion", "bash")
+      (bash_completion/"holos").write bash_output
+      zsh_output = Utils.safe_popen_read(bin/"holos", "completion", "zsh")
+      (zsh_completion/"_holos").write zsh_output
+      fish_output = Utils.safe_popen_read(bin/"holos", "completion", "fish")
+      (fish_completion/"holos.fish").write fish_output
+    test: |
+      system "#{bin}/holos --version"

api/author/v1alpha5/definitions.go

@@ -81,6 +81,10 @@ type Helm struct {
 	EnableHooks bool `cue:"true | *false"`
 	// Namespace sets the helm chart namespace flag if provided.
 	Namespace string `json:",omitempty"`
+	// APIVersions represents the helm template --api-versions flag
+	APIVersions []string `json:",omitempty"`
+	// KubeVersion represents the helm template --kube-version flag
+	KubeVersion string `json:",omitempty"`
 
 	// BuildPlan represents the derived BuildPlan produced for the holos render
 	// component command.

api/core/v1alpha5/types.go

@@ -133,6 +133,10 @@ type Helm struct {
 	EnableHooks bool `json:"enableHooks,omitempty"`
 	// Namespace represents the helm namespace flag
 	Namespace string `json:"namespace,omitempty"`
+	// APIVersions represents the helm template --api-versions flag
+	APIVersions []string `json:"apiVersions,omitempty"`
+	// KubeVersion represents the helm template --kube-version flag
+	KubeVersion string `json:"kubeVersion,omitempty"`
 }
 
 // Values represents [Helm] Chart values generated from CUE.

cmd/holos/main_test.go

@@ -28,6 +28,10 @@ func TestSchemas_v1alpha5(t *testing.T) {
 	testscript.Run(t, params(filepath.Join("v1alpha5", "schemas")))
 }
 
+func TestIssues_v1alpha5(t *testing.T) {
+	testscript.Run(t, params(filepath.Join("v1alpha5", "issues")))
+}
+
 func TestCLI(t *testing.T) {
 	testscript.Run(t, params("cli"))
 }

cmd/holos/tests/cli/first-impression.txt

@@ -0,0 +1,2 @@
+# https://github.com/holos-run/holos/issues/334
+exec holos

cmd/holos/tests/v1alpha5/issues/helm-pull-errors.txt

@@ -0,0 +1,38 @@
+# https://github.com/holos-run/holos/issues/332
+env HOME=$WORK
+# Mock with a stub helm command
+env PATH=$WORK/bin:$PATH
+chmod 755 bin/helm
+# Initialize the platform
+exec holos init platform v1alpha5 --force
+# when helm update returns an error
+! exec holos render platform ./platform
+# holos should log the helm error to stderr
+stderr 'Error: chart "podinfo" matching 0.0.0 not found in podinfo index'
+-- bin/helm --
+#! /bin/bash
+echo 'Error: chart "podinfo" matching 0.0.0 not found in podinfo index' >&2
+exit 2
+-- platform/podinfo.cue --
+package holos
+
+Platform: Components: podinfo: {
+	name: "podinfo"
+	path: "components/podinfo"
+}
+-- components/podinfo/podinfo.cue --
+package holos
+
+// Produce a helm chart build plan.
+holos: HelmChart.BuildPlan
+
+HelmChart: #Helm & {
+	Name: "podinfo"
+	Chart: {
+		version: "0.0.0"
+		repository: {
+			name: "podinfo"
+			url:  "https://stefanprodan.github.io/podinfo"
+		}
+	}
+}

cmd/holos/tests/v1alpha5/schemas/capabilities.txt

@@ -0,0 +1,144 @@
+# https://github.com/holos-run/holos/issues/330
+exec holos init platform v1alpha5 --force
+exec helm template ./components/capabilities/vendor/0.1.0/capabilities
+cmp stdout want/helm-template.yaml
+exec holos render platform ./platform
+# When no capabilities are specified
+cmp deploy/components/capabilities/capabilities.gen.yaml want/when-no-capabilities-specified.yaml
+# With APIVersions specified
+cmp deploy/components/specified/specified.gen.yaml want/with-capabilities-specified.yaml
+# With KubeVersion specified
+cmp deploy/components/kubeversion1/kubeversion1.gen.yaml want/with-kubeversion-specified.yaml
+# With both APIVersions and KubeVersion specified
+cmp deploy/components/kubeversion2/kubeversion2.gen.yaml want/with-both-specified.yaml
+-- want/with-both-specified.yaml --
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    kubeVersion: v1.20.0
+  name: has-foo-v1
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+-- want/with-kubeversion-specified.yaml --
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    kubeVersion: v1.20.0
+  name: has-foo-v1beta1
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+-- want/when-no-capabilities-specified.yaml --
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    kubeVersion: v1.31.0
+  name: has-foo-v1beta1
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+-- want/with-capabilities-specified.yaml --
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    kubeVersion: v1.31.0
+  name: has-foo-v1
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+-- platform/capabilities.cue --
+package holos
+
+import "encoding/json"
+
+Platform: Components: capabilities: {
+        name: "capabilities"
+        path: "components/capabilities"
+}
+Platform: Components: specified: {
+        name: "specified"
+        path: "components/capabilities"
+        parameters: apiVersions: json.Marshal(["foo/v1","bar/v1"])
+}
+Platform: Components: kubeversion1: {
+        name: "kubeversion1"
+        path: "components/capabilities"
+        parameters: kubeVersion: "v1.20.0"
+}
+Platform: Components: kubeversion2: {
+        name: "kubeversion2"
+        path: "components/capabilities"
+        parameters: kubeVersion: "v1.20.0"
+        parameters: apiVersions: json.Marshal(["foo/v1","bar/v1"])
+}
+-- components/capabilities/capabilities.cue --
+package holos
+
+import "encoding/json"
+
+holos: Component.BuildPlan
+
+Component: #Helm & {
+        Name: string @tag(holos_component_name, type=string)
+        Chart: name: "capabilities"
+        Chart: version: "0.1.0"
+        _APIVersions: string | *"[]" @tag(apiVersions, type=string)
+        APIVersions: json.Unmarshal(_APIVersions)
+        KubeVersion: string | *"v1.31.0" @tag(kubeVersion, type=string)
+}
+-- components/capabilities/vendor/0.1.0/capabilities/Chart.yaml --
+apiVersion: v2
+name: capabilities
+description: A Helm chart for Kubernetes
+type: application
+version: 0.1.0
+appVersion: "1.16.0"
+-- components/capabilities/vendor/0.1.0/capabilities/templates/service.yaml --
+apiVersion: v1
+kind: Service
+metadata:
+{{- if .Capabilities.APIVersions.Has "foo/v1" }}
+  name: has-foo-v1
+{{- else }}
+  name: has-foo-v1beta1
+{{- end }}
+  annotations:
+    kubeVersion: {{ .Capabilities.KubeVersion }}
+spec:
+  ports:
+    - port: 80
+      targetPort: http
+      protocol: TCP
+      name: http
+-- want/helm-template.yaml --
+---
+# Source: capabilities/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: has-foo-v1beta1
+  annotations:
+    kubeVersion: v1.31.0
+spec:
+  ports:
+    - port: 80
+      targetPort: http
+      protocol: TCP
+      name: http

doc/md/api/author.md

@@ -83,6 +83,10 @@ type Helm struct {
     EnableHooks bool `cue:"true | *false"`
     // Namespace sets the helm chart namespace flag if provided.
     Namespace string `json:",omitempty"`
+    // APIVersions represents the helm template --api-versions flag
+    APIVersions []string `json:",omitempty"`
+    // KubeVersion represents the helm template --kube-version flag
+    KubeVersion string `json:",omitempty"`
 
     // BuildPlan represents the derived BuildPlan produced for the holos render
     // component command.

doc/md/api/core.md

@@ -241,6 +241,10 @@ type Helm struct {
     EnableHooks bool `json:"enableHooks,omitempty"`
     // Namespace represents the helm namespace flag
     Namespace string `json:"namespace,omitempty"`
+    // APIVersions represents the helm template --api-versions flag
+    APIVersions []string `json:"apiVersions,omitempty"`
+    // KubeVersion represents the helm template --kube-version flag
+    KubeVersion string `json:"kubeVersion,omitempty"`
 }
 ```
 

doc/md/common/example-component-integrate.mdx

@@ -0,0 +1,16 @@
+Integrate the `podinfo` component into the platform.
+
+```bash
+cat <<EOF >platform/podinfo.cue
+```
+```cue showLineNumbers
+package holos
+
+Platform: Components: podinfo: {
+	name: "podinfo"
+	path: "components/podinfo"
+}
+```
+```bash
+EOF
+```

doc/md/common/example-component.mdx

@@ -0,0 +1,34 @@
+Create a directory for the example `podinfo` component we'll use to render
+platform manifests.
+
+```bash
+mkdir -p components/podinfo
+```
+
+Create the CUE configuration for the example `podinfo` component.
+
+```bash
+cat <<EOF >components/podinfo/podinfo.cue
+```
+```cue showLineNumbers
+package holos
+
+holos: Component.BuildPlan
+
+Component: #Helm & {
+	Name: "podinfo"
+	Chart: {
+		version: "6.6.2"
+		repository: {
+			name: "podinfo"
+			url:  "https://stefanprodan.github.io/podinfo"
+		}
+	}
+	Values: ui: {
+		message: string | *"Hello World" @tag(message, type=string)
+	}
+}
+```
+```bash
+EOF
+```

doc/md/topics/architecture.mdx

@@ -1,7 +1,7 @@
 ---
 description: Architecture diagrams.
 slug: architecture
-sidebar_position: 90
+sidebar_position: 100
 ---
 
 import RenderPlatformDiagram from '@site/src/diagrams/render-platform-sequence.mdx';

doc/md/topics/gitops/argocd-application.mdx

@@ -0,0 +1,224 @@
+---
+slug: argocd-application
+title: ArgoCD Application
+description: Configuring an Application for each Component.
+sidebar_position: 110
+---
+
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+import CommonComponent from '../../common/example-component.mdx';
+import CommonComponentIntegrate from '../../common/example-component-integrate.mdx';
+
+# ArgoCD Application
+
+## Overview
+
+This topic covers how to mix in an ArgoCD Application to all components.  We'll
+use the `Artifacts` field of [ComponentConfig] defined by the author schema.
+
+## The Code
+
+### Generating the structure
+
+Use `holos` to generate a minimal platform directory structure.  Start by
+creating a blank directory to hold the platform configuration.
+
+```shell
+mkdir holos-argocd-application && cd holos-argocd-application
+```
+
+```shell
+holos init platform v1alpha5
+```
+
+### Creating an example Component
+
+<CommonComponent />
+<CommonComponentIntegrate />
+
+## Adding ArgoCD Application
+
+Configure Holos to render an [Application] by defining an [Artifact] for it in
+every BuildPlan holos produces.  We're unifying our custom configuration with
+the existing `#ComponentConfig` defined in `schema.cue`.
+
+```bash
+cat <<EOF >argocd-application.cue
+```
+```cue showLineNumbers
+package holos
+
+import (
+	"path"
+	app "argoproj.io/application/v1alpha1"
+)
+
+#ComponentConfig: {
+	Name:          _
+	OutputBaseDir: _
+
+	let ArtifactPath = path.Join([OutputBaseDir, "gitops", "\(Name).application.gen.yaml"], path.Unix)
+	let ResourcesPath = path.Join(["deploy", OutputBaseDir, "components", Name], path.Unix)
+
+	Artifacts: "\(Name)-application": {
+		artifact: ArtifactPath
+		generators: [{
+			kind:   "Resources"
+			output: artifact
+			resources: Application: (Name): app.#Application & {
+				metadata: name:      Name
+				metadata: namespace: "argocd"
+				spec: {
+					destination: server: "https://kubernetes.default.svc"
+					project: "default"
+					source: {
+						path:           ResourcesPath
+						repoURL:        "https://example.com/example.git"
+						targetRevision: "main"
+					}
+				}
+			}
+		}]
+	}
+}
+```
+```bash
+EOF
+```
+
+## Inspecting the BuildPlan
+
+Our customized `#ComponentConfig` results in the following `BuildPlan`.
+
+:::note
+The second artifact around line 40 contains the configured `Application`
+resource.
+:::
+
+<Tabs groupId="55075C71-02E8-4222-88C0-2D52C82D18FC">
+  <TabItem value="command" label="Command">
+```bash
+holos cue export --expression holos --out=yaml ./components/podinfo
+```
+  </TabItem>
+  <TabItem value="output" label="Output">
+```yaml showLineNumbers
+kind: BuildPlan
+apiVersion: v1alpha5
+metadata:
+  name: podinfo
+spec:
+  artifacts:
+    - artifact: components/podinfo/podinfo.gen.yaml
+      generators:
+        - kind: Helm
+          output: helm.gen.yaml
+          helm:
+            chart:
+              name: podinfo
+              version: 6.6.2
+              release: podinfo
+              repository:
+                name: podinfo
+                url: https://stefanprodan.github.io/podinfo
+            values: {}
+            enableHooks: false
+        - kind: Resources
+          output: resources.gen.yaml
+          resources: {}
+      transformers:
+        - kind: Kustomize
+          inputs:
+            - helm.gen.yaml
+            - resources.gen.yaml
+          output: components/podinfo/podinfo.gen.yaml
+          kustomize:
+            kustomization:
+              labels:
+                - includeSelectors: false
+                  pairs: {}
+              resources:
+                - helm.gen.yaml
+                - resources.gen.yaml
+              kind: Kustomization
+              apiVersion: kustomize.config.k8s.io/v1beta1
+    - artifact: gitops/podinfo.application.gen.yaml
+      generators:
+        - kind: Resources
+          output: gitops/podinfo.application.gen.yaml
+          resources:
+            Application:
+              podinfo:
+                apiVersion: argoproj.io/v1alpha1
+                kind: Application
+                metadata:
+                  name: podinfo
+                  namespace: argocd
+                spec:
+                  destination:
+                    server: https://kubernetes.default.svc
+                  project: default
+                  source:
+                    path: deploy/components/podinfo
+                    repoURL: https://example.com/example.git
+                    targetRevision: main
+source:
+  component:
+    name: podinfo
+    path: no-path
+    parameters: {}
+```
+  </TabItem>
+</Tabs>
+
+## Rendering manifests
+
+<Tabs groupId="E150C802-7162-4FBF-82A7-77D9ADAEE847">
+  <TabItem value="command" label="Command">
+```bash
+holos render platform ./platform
+```
+  </TabItem>
+  <TabItem value="output" label="Output">
+```
+cached podinfo 6.6.2
+rendered podinfo in 1.938665041s
+rendered platform in 1.938759417s
+```
+  </TabItem>
+</Tabs>
+
+## Reviewing the Application
+
+The Artifact we added to `#ComponentConfig` will produce an ArgoCD Application
+resource for every component in the platform.  The output in this example is
+located at:
+
+```txt
+deploy/gitops/podinfo.application.gen.yaml
+```
+```yaml showLineNumbers
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+    name: podinfo
+    namespace: argocd
+spec:
+    destination:
+        server: https://kubernetes.default.svc
+    project: default
+    source:
+        path: deploy/components/podinfo
+        repoURL: https://example.com/example.git
+        targetRevision: main
+```
+
+[podinfo]: https://github.com/stefanprodan/podinfo
+[CUE Module]: https://cuelang.org/docs/reference/modules/
+[CUE Tags]: https://cuelang.org/docs/howto/inject-value-into-evaluation-using-tag-attribute/
+[Application]: https://argo-cd.readthedocs.io/en/stable/user-guide/application-specification/
+[Component Parameters]: ../component-parameters.mdx
+[Platform]: ../../api/author.md#Platform
+[ComponentConfig]: ../../api/author.md#ComponentConfig
+[Artifact]: ../../api/core.md#Artifact

doc/md/topics/gitops/index.mdx

@@ -0,0 +1,19 @@
+---
+slug: .
+title: GitOps
+description: Managing resources with GitOps.
+sidebar_position: 120
+---
+import DocCardList from '@theme/DocCardList';
+
+# GitOps
+
+This section has self contained articles covering how to manage resources using
+GitOps tooling like [ArgoCD] and [Flux].
+
+---
+
+<DocCardList />
+
+[ArgoCD]: https://argo-cd.readthedocs.io/en/stable/
+[Flux]: https://fluxcd.io/

doc/md/topics/local-cluster.mdx

@@ -1,7 +1,7 @@
 ---
 description: Build a local cluster for use with Holos.
 slug: local-cluster
-sidebar_position: 100
+sidebar_position: 50
 ---
 
 import Tabs from '@theme/Tabs';

doc/md/topics/structures/clusters.mdx

@@ -0,0 +1,424 @@
+---
+slug: clusters
+title: Clusters
+description: Managing clusters - management and workload sets.
+sidebar_position: 100
+---
+
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+import CommonComponent from '../../common/example-component.mdx';
+
+# Clusters
+
+## Overview
+
+This topic covers one common method to manage multiple clusters with Holos.  We'll
+define two schemas to hold cluster attributes.  First, a single `#Cluster` then
+a `#Clusters` collection.  We'll use a `Clusters: #Clusters` struct to look up
+configuration data using a key.  We'll use the cluster name as the lookup key
+identifying the cluster.
+
+We'll also organize sets of similar clusters by defining `#ClusterSet` and
+`#ClusterSets`.  We'll use a `ClusterSets:
+#ClusterSets` struct to configure a management cluster and iterate over all
+workload clusters.
+
+## The Code
+
+### Initializing the structure
+
+Use `holos` to generate a minimal platform directory structure.  Start by
+creating a blank directory to hold the platform configuration.
+
+```shell
+mkdir holos-multiple-clusters && cd holos-multiple-clusters
+```
+
+```shell
+holos init platform v1alpha5
+```
+
+### Example Component
+
+<CommonComponent />
+
+We'll integrate the component with the platform after we define clusters.
+
+## Defining Clusters
+
+We'll define a `#Cluster` schema and a `#Clusters` collection in this section.
+We'll use these schemas to define a `Clusters` structure we use to manage
+multiple clusters.
+
+### Assumptions
+
+We'll make the following assumptions, which hold true for many real world
+environments.
+
+1. There are two sets of clusters, workload clusters and management clusters.
+2. There is one management cluster.
+3. There are multiple workload clusters.
+4. Each workload cluster is configured similarly, but not identically, to the
+others.
+
+### Prototyping the data
+
+Before we define the schema, let's prototype the data structure we want to work
+with.  We want a structure that makes it easy to iterate over each cluster in
+two distinct sets of clusters, management clusters and workload clusters.  The
+following `ClusterSets` struct accomplishes this goal.
+
+```yaml showLineNumbers
+management:
+  name: management
+  clusters:
+    management:
+      name: management
+      region: us-central1
+      set: management
+workload:
+  name: workload
+  clusters:
+    e1:
+      name: e1
+      region: us-east1
+      set: workload
+    w1:
+      name: w1
+      region: us-west1
+      set: workload
+```
+
+:::tip
+The `ClusterSets` data structure supports iterating over each cluster in each
+cluster set.
+:::
+
+:::important
+You're free to define your own fields and structures like we define `region` in
+this topic.
+:::
+
+### Defining the schema
+
+Armed with a concrete example of the structure, we can write a schema to define
+and validate the data.
+
+In CUE, schema definitions are usually defined at the root so they're accessible
+in all subdirectories.  The following is one example schema, you're free to
+modify it to your situation.  Holos is flexible, supporting schemas that match
+your unique use case.
+
+```bash
+cat <<EOF > clusters.schema.cue
+```
+```cue showLineNumbers
+package holos
+
+import "strings"
+
+// #Cluster represents one cluster
+#Cluster: {
+	// name represents the cluster name.
+	name: string & =~"[a-z][a-z0-9]+" & strings.MinRunes(2) & strings.MaxRunes(63)
+	// Constrain the regions.  No default, the region must be specified.
+	region: "us-east1" | "us-central1" | "us-west1"
+	// Each cluster must be in only one set of clusters.  All but one cluster are
+	// workload clusters, so make it the default.
+	set: "management" | *"workload"
+}
+
+// #Clusters represents a cluster collection structure
+#Clusters: {
+	// name is the lookup key for the collection.
+	[NAME=string]: #Cluster & {
+		// name must match the struct field name.
+		name: NAME
+	}
+}
+
+// #ClusterSet represents a set of clusters.
+#ClusterSet: {
+	// name represents the cluster set name.
+	name: string & =~"[a-z][a-z0-9]+" & strings.MinRunes(2) & strings.MaxRunes(63)
+	clusters: #Clusters & {
+		// Constrain the cluster set to clusters having the same set.  Ensures
+		// clusters are never mis-categorized.
+		[_]: set: name
+	}
+}
+
+// #ClusterSets represents a cluster set collection.
+#ClusterSets: {
+	// name is the lookup key for the collection.
+	[NAME=string]: #ClusterSet & {
+		// name must match the struct field name.
+		name: NAME
+	}
+}
+```
+```bash
+EOF
+```
+
+### Defining the data
+
+With a schema defined, we also define the data close to the root so it's
+accessible through the unified configuration tree.
+
+```bash
+cat <<EOF > clusters.cue
+```
+```cue showLineNumbers
+package holos
+
+Clusters: #Clusters & {
+	// Management Cluster
+	management: region: "us-central1"
+	management: set:    "management"
+	// Local Cluster
+	local: region: "us-west1"
+	// Some example clusters.  Add new clusters to the Clusters struct like this.
+	e1: region: "us-east1"
+	e2: region: "us-east1"
+	e3: region: "us-east1"
+	w1: region: "us-west1"
+	w2: region: "us-west1"
+	w3: region: "us-west1"
+}
+
+// ClusterSets is dynamically built from the Clusters structure.
+ClusterSets: #ClusterSets & {
+	// Map every cluster into the correct set.
+	for CLUSTER in Clusters {
+		(CLUSTER.set): clusters: (CLUSTER.name): CLUSTER
+	}
+}
+```
+```bash
+EOF
+```
+
+### Inspecting the data
+
+We'll use the `holos cue` command to inspect the `ClusterSets` data structure we
+just defined.
+
+<Tabs groupId="9190BDAD-B4C5-4386-9C94-8E178AA6178A">
+  <TabItem value="command" label="Command">
+```bash
+holos cue export --expression ClusterSets --out=yaml ./
+```
+  </TabItem>
+  <TabItem value="output" label="Output">
+```yaml showLineNumbers
+management:
+  name: management
+  clusters:
+    management:
+      name: management
+      region: us-central1
+      set: management
+workload:
+  name: workload
+  clusters:
+    local:
+      name: local
+      region: us-west1
+      set: workload
+    e1:
+      name: e1
+      region: us-east1
+      set: workload
+    e2:
+      name: e2
+      region: us-east1
+      set: workload
+    e3:
+      name: e3
+      region: us-east1
+      set: workload
+    w1:
+      name: w1
+      region: us-west1
+      set: workload
+    w2:
+      name: w2
+      region: us-west1
+      set: workload
+    w3:
+      name: w3
+      region: us-west1
+      set: workload
+```
+  </TabItem>
+</Tabs>
+
+This looks like our prototype, we're confident we can iterate over each cluster
+in each set.
+
+## Integrating Components
+
+The `ClusterSets` data structure unlocks the capability to iterate over each
+cluster in each cluster set.  We'll use this capability to integrate the
+`podinfo` component with each cluster in the platform.
+
+### Configuring the Output directory
+
+We need to configure `holos` to write output manifests into a cluster specific
+output directory.  We'll use the [ComponentConfig] `OutputBaseDir` field for
+this purpose.  We'll pass the value of this field as a component parameter.
+
+```bash
+cat <<EOF > componentconfig.cue
+```
+```cue showLineNumbers
+package holos
+
+#ComponentConfig: {
+	// Inject the output base directory from platform component parameters.
+	OutputBaseDir: string @tag(outputBaseDir, type=string)
+}
+```
+```bash
+EOF
+```
+
+### Integrating Podinfo
+
+```bash
+cat <<EOF >platform/podinfo.cue
+```
+```cue showLineNumbers
+package holos
+
+// Manage podinfo on all workload clusters.
+for CLUSTER in ClusterSets.workload.clusters {
+	// We use the cluster name to disambiguate different podinfo build plans.
+	Platform: Components: "\(CLUSTER.name)-podinfo": {
+		name: "podinfo"
+		// Reuse the same component across multiple workload clusters.
+		path: "components/podinfo"
+		// Configure a cluster-unique message in the podinfo UI.
+		parameters: message: "Hello, I am cluster \(CLUSTER.name) in region \(CLUSTER.region)"
+		// Write to deploy/{outputBaseDir}/components/{name}/{name}.gen.yaml
+		parameters: outputBaseDir: "clusters/\(CLUSTER.name)"
+	}
+}
+```
+```bash
+EOF
+```
+
+## Rendering manifests
+
+### Rendering the Platform
+
+Render the platform to configure `podinfo` on each cluster.
+
+<Tabs groupId="34A2D80B-0E86-4142-B65B-7DF70C47E1D2">
+  <TabItem value="command" label="Command">
+```bash
+holos render platform ./platform
+```
+  </TabItem>
+  <TabItem value="output" label="Output">
+```txt
+cached podinfo 6.6.2
+rendered podinfo in 164.278583ms
+rendered podinfo in 165.48525ms
+rendered podinfo in 165.186208ms
+rendered podinfo in 165.831792ms
+rendered podinfo in 166.845208ms
+rendered podinfo in 167.000208ms
+rendered podinfo in 167.012208ms
+rendered platform in 167.06525ms
+```
+  </TabItem>
+</Tabs>
+
+### Inspecting the Tree
+
+Rendering the platform produces the following rendered manifests.
+
+```bash
+tree deploy
+```
+```txt showLineNumbers
+deploy
+└── clusters
+    ├── e1
+    │   └── components
+    │       └── podinfo
+    │           └── podinfo.gen.yaml
+    ├── e2
+    │   └── components
+    │       └── podinfo
+    │           └── podinfo.gen.yaml
+    ├── e3
+    │   └── components
+    │       └── podinfo
+    │           └── podinfo.gen.yaml
+    ├── local
+    │   └── components
+    │       └── podinfo
+    │           └── podinfo.gen.yaml
+    ├── w1
+    │   └── components
+    │       └── podinfo
+    │           └── podinfo.gen.yaml
+    ├── w2
+    │   └── components
+    │       └── podinfo
+    │           └── podinfo.gen.yaml
+    └── w3
+        └── components
+            └── podinfo
+                └── podinfo.gen.yaml
+
+23 directories, 7 files
+```
+
+### Inspecting the Variation
+
+Note how each component has slight variation using the component parameters.
+
+```bash
+diff -U2 deploy/clusters/{e,w}1/components/podinfo/podinfo.gen.yaml
+```
+
+```diff
+--- deploy/clusters/e1/components/podinfo/podinfo.gen.yaml	2024-11-17 14:20:17
++++ deploy/clusters/w1/components/podinfo/podinfo.gen.yaml	2024-11-17 14:20:17
+@@ -61,5 +61,5 @@
+         env:
+         - name: PODINFO_UI_MESSAGE
+-          value: Hello, I am cluster e1 in region us-east1
++          value: Hello, I am cluster w1 in region us-west1
+         - name: PODINFO_UI_COLOR
+           value: '#34577c'
+
+```
+
+## Concluding Remarks
+
+In this topic we covered how to use CUE structures to organize multiple clusters
+into various sets.
+
+1. Clusters are defined in one place at the root of the configuration.
+2. Clusters may be organized into sets by their purpose.
+3. Most organizations have at least two sets, a set of workload clusters and a
+set of management clusters.
+4. Holos uses CUE, a super set of JSON.  New clusters may be added by dropping a
+JSON file into the root of the repository.
+5. The pattern of defining a `#Cluster` and a `#Clusters` collection is a
+general pattern.  We'll see the same pattern for environments, projects, owners,
+and more.
+6. Component parameters are a flexible way to inject user defined configuration
+from the platform level into a reusable component.
+
+[ClusterSet]: https://multicluster.sigs.k8s.io/api-types/cluster-set/
+[Environments]: ./environments.mdx
+[Namespace Sameness - SIG Multicluster Position Statement]: https://github.com/kubernetes/community/blob/master/sig-multicluster/namespace-sameness-position-statement.md
+[ComponentConfig]: ../../api/author.md#ComponentConfig

doc/md/topics/structures/environments.mdx

@@ -0,0 +1,29 @@
+---
+slug: environments
+title: Environments
+description: Managing Environments - dev, test, stage, prod.
+sidebar_position: 130
+---
+
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+
+# Environments
+
+## Overview
+
+## The Code
+
+### Generating the structure
+
+### Using an example Component
+
+## Defining Environments
+
+### Defining one Environment
+
+### Defining a collection of Environments
+
+## Rendering manifests
+
+## Reviewing the Manifests

doc/md/topics/structures/index.mdx

@@ -0,0 +1,25 @@
+---
+slug: .
+title: Structures
+description: Commonly used CUE structures.
+sidebar_position: 120
+---
+import DocCardList from '@theme/DocCardList';
+
+# Structures
+
+This section has self contained articles covering commonly used CUE structures.
+These structures are organized and presented as recipes you may adopt and adjust
+to your unique organization.
+
+:::important
+Structures are defined by Holos Users, unlike the standardized [Core] and
+[Author] schemas defined by the Holos Authors.
+:::
+
+---
+
+<DocCardList />
+
+[Core]: ../../api/core.md
+[Author]: ../../api/author.md

doc/md/topics/structures/owners.mdx

@@ -0,0 +1,29 @@
+---
+slug: owners
+title: Owners
+description: Managing and mapping projects to owners.
+sidebar_position: 150
+---
+
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+
+# Owners
+
+## Overview
+
+## The Code
+
+### Generating the structure
+
+### Using an example Component
+
+## Defining Owners
+
+### Defining one Owner
+
+### Defining a collection of Owners
+
+## Rendering manifests
+
+## Reviewing the Manifests

doc/md/topics/structures/projects.mdx

@@ -0,0 +1,29 @@
+---
+slug: projects
+title: Projects
+description: Managing components organizing them into projects.
+sidebar_position: 140
+---
+
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+
+# Projects
+
+## Overview
+
+## The Code
+
+### Generating the structure
+
+### Using an example Component
+
+## Defining Projects
+
+### Defining one Project
+
+### Defining a collection of Projects
+
+## Rendering manifests
+
+## Reviewing the Manifests

doc/md/tutorial/cue-generator.mdx

@@ -1,15 +0,0 @@
----
-slug: cue-generator
-title: CUE Generator
-description: Render component manifests directly from CUE.
-sidebar_position: 50
----
-
-# CUE
-
-Key points to cover:
-
-1. Resources are validated against `#Resources` defined at the root.
-2. Custom Resource Definitions need to be imported with timoni.
-3. One component can have multiple generators, e.g. Helm and CUE together.  This
-is how resources are mixed in to helm charts.

doc/md/tutorial/cue.mdx

@@ -0,0 +1,278 @@
+---
+slug: cue
+title: CUE
+description: Render component manifests directly from CUE.
+sidebar_position: 50
+---
+
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+
+# CUE
+
+## Overview
+
+This tutorial demonstrates mixing additional resources into a component using
+CUE.  Holos components frequently mix in resources so we don't need to modify
+existing charts or manifests.  We'll add an [ExternalSecret] resource to the
+podinfo Helm chart we configured in the [Hello Holos] tutorial.
+
+Key concepts:
+
+1. Resources are validated against `#Resources` defined at the root.
+2. Custom Resource Definitions need to be imported with timoni.
+3. Helm, Kustomize, and CUE can be mixed in together in the same component.
+
+## The Code
+
+### Generating the structure
+
+Use `holos` to generate a minimal platform directory structure.  First, create
+and cd into a blank directory. Then use the `holos generate platform` command to
+generate a minimal platform.
+
+```shell
+mkdir holos-cue-tutorial && cd holos-cue-tutorial
+holos init platform v1alpha5
+```
+
+### Creating the component
+
+Create the directory for the `podinfo` component.  Create an empty file and then
+add the following CUE configuration to it.
+
+```bash
+mkdir -p components/podinfo
+```
+```bash
+cat <<EOF > components/podinfo/podinfo.cue
+```
+```cue showLineNumbers
+package holos
+
+// export the component build plan to holos
+holos: Component.BuildPlan
+
+// Component is a Helm chart
+Component: #Helm & {
+	Name:      "podinfo"
+	Namespace: "default"
+	// Add metadata.namespace to all resources with kustomize.
+	KustomizeConfig: Kustomization: namespace: Namespace
+	Chart: {
+		version: "6.6.2"
+		repository: {
+			name: "podinfo"
+			url:  "https://stefanprodan.github.io/podinfo"
+		}
+	}
+}
+```
+```bash
+EOF
+```
+
+Integrate the component with the platform.
+
+```bash
+cat <<EOF > platform/podinfo.cue
+```
+```cue showLineNumbers
+package holos
+
+Platform: Components: podinfo: {
+	name: "podinfo"
+	path: "components/podinfo"
+}
+```
+```bash
+EOF
+```
+
+Render the platform.
+
+<Tabs groupId="tutorial-hello-render-manifests">
+  <TabItem value="command" label="Command">
+```bash
+holos render platform ./platform
+```
+  </TabItem>
+  <TabItem value="output" label="Output">
+```
+cached podinfo 6.6.2
+rendered podinfo in 1.938665041s
+rendered platform in 1.938759417s
+```
+  </TabItem>
+</Tabs>
+
+Add and commit the initial configuration.
+
+```bash
+git init . && git add . && git commit -m initial
+```
+
+### Mixing in Resources
+
+We use the [ComponentConfig] `Resources` field to mix in resources to any
+component kind.  This field is a convenient wrapper around the core [BuildPlan]
+[Resources] [Generator].
+
+Create the mixins.cue file.
+
+```bash
+cat <<EOF > components/podinfo/mixins.cue
+```
+```cue showLineNumbers
+package holos
+
+// Component fields are unified with podinfo.cue
+Component: {
+	// Concrete values are defined in podinfo.cue
+	Name:      string
+	Namespace: string
+
+	// Resources represents mix-in resources organized as a struct.
+	Resources: ExternalSecret: (Name): {
+		// Name is consistent with the component name.
+		metadata: name: Name
+		// Namespace is consistent with the component namespace.
+		metadata: namespace: Namespace
+		spec: {
+			// Ensure the target secret name is consistent.
+			target: name: metadata.name
+			// Ensure the name in the SecretStore is consistent.
+			dataFrom: [{extract: {key: metadata.name}}]
+			refreshInterval: "30s"
+			secretStoreRef: kind: "SecretStore"
+			secretStoreRef: name: "default"
+		}
+	}
+}
+```
+```bash
+EOF
+```
+
+:::important
+Holos uses CUE to validate mixed in resources against a schema.  The `Resources`
+field validates against the `#Resources` definition in [resources.cue].
+:::
+
+### Importing CRDs
+
+Holos includes CUE schema definitions of the ExternalSecret custom resource
+definition (CRD).  These schemas are located in the `cue.mod` directory, written by
+the `holos init platform` command we executed at the start of this tutorial.
+
+Import your own custom resource definitions using [timoni].  We imported the
+ExternalSecret CRDs embedded into `holos` with the following command.
+
+<Tabs groupId="35B1A1A1-D7DF-4D27-A575-28556E182096">
+  <TabItem value="command" label="Command">
+```bash
+timoni mod vendor crds -f https://raw.githubusercontent.com/external-secrets/external-secrets/v0.10.5/deploy/crds/bundle.yaml
+```
+  </TabItem>
+  <TabItem value="output" label="Output">
+```txt
+2:22PM INF schemas vendored: external-secrets.io/clusterexternalsecret/v1beta1
+2:22PM INF schemas vendored: external-secrets.io/clustersecretstore/v1alpha1
+2:22PM INF schemas vendored: external-secrets.io/clustersecretstore/v1beta1
+2:22PM INF schemas vendored: external-secrets.io/externalsecret/v1alpha1
+2:22PM INF schemas vendored: external-secrets.io/externalsecret/v1beta1
+2:22PM INF schemas vendored: external-secrets.io/pushsecret/v1alpha1
+2:22PM INF schemas vendored: external-secrets.io/secretstore/v1alpha1
+2:22PM INF schemas vendored: external-secrets.io/secretstore/v1beta1
+2:22PM INF schemas vendored: generators.external-secrets.io/acraccesstoken/v1alpha1
+2:22PM INF schemas vendored: generators.external-secrets.io/ecrauthorizationtoken/v1alpha1
+2:22PM INF schemas vendored: generators.external-secrets.io/fake/v1alpha1
+2:22PM INF schemas vendored: generators.external-secrets.io/gcraccesstoken/v1alpha1
+2:22PM INF schemas vendored: generators.external-secrets.io/githubaccesstoken/v1alpha1
+2:22PM INF schemas vendored: generators.external-secrets.io/password/v1alpha1
+2:22PM INF schemas vendored: generators.external-secrets.io/uuid/v1alpha1
+2:22PM INF schemas vendored: generators.external-secrets.io/vaultdynamicsecret/v1alpha1
+2:22PM INF schemas vendored: generators.external-secrets.io/webhook/v1alpha1
+```
+  </TabItem>
+</Tabs>
+
+:::tip
+Take a look at
+[cue.mod/gen/external-secrets.io/externalsecret/v1beta1/types_gen.cue] to see
+the imported definitions.
+:::
+
+Once imported, the last step is to add the resource kind to the `#Resources`
+struct.  This is most often accomplished by adding a new file which cue unifies
+with the existing [resources.cue] file.
+
+## Reviewing Changes
+
+Render the platform with the `ExternalSecret` mixed into the podinfo component.
+
+```shell
+holos render platform ./platform
+```
+
+Take a look at the diff to see the mixed in `ExternalSecret`.
+
+```shell
+git diff deploy
+```
+
+```diff
+diff --git a/deploy/components/podinfo/podinfo.gen.yaml b/deploy/components/podinfo/podinfo.gen.yaml
+index 6e4aec0..f79e9d0 100644
+--- a/deploy/components/podinfo/podinfo.gen.yaml
++++ b/deploy/components/podinfo/podinfo.gen.yaml
+@@ -112,3 +112,19 @@ spec:
+       volumes:
+       - emptyDir: {}
+         name: data
++---
++apiVersion: external-secrets.io/v1beta1
++kind: ExternalSecret
++metadata:
++  name: podinfo
++  namespace: default
++spec:
++  dataFrom:
++  - extract:
++      key: podinfo
++  refreshInterval: 30s
++  secretStoreRef:
++    kind: SecretStore
++    name: default
++  target:
++    name: podinfo
+```
+
+We saw how to mix in resources using the `Resources` field of the
+[ComponentConfig].  This technique approach works for every kind of component in
+Holos.  We did this without needing to fork the upstream Helm chart so we can
+easily update to new podinfo versions as they're released.
+
+## Trying Locally
+
+Optionally apply the manifests Holos rendered to a [Local Cluster].
+
+## Next Steps
+
+This tutorial uses the `#Resources` structure to map resource kinds to their
+schema definitions in CUE.  This structure is defined in `resources.cue` at the
+root of the tree.  Take a look at [resources.cue] to see this mapping structure.
+
+Continue to the next tutorial to learn how to define your own data structures
+similar to this `#Resources` structure.
+
+[Local Cluster]: ../topics/local-cluster.mdx
+[ExternalSecret]: https://external-secrets.io/latest/api/externalsecret/
+[Artifact]: ../api/core.md#Artifact
+[Resources]: ../api/core.md#Resources
+[Generator]: ../api/core.md#Generator
+[Hello Holos]: ./hello-holos.mdx
+[cue.mod/gen/external-secrets.io/externalsecret/v1beta1/types_gen.cue]: https://github.com/holos-run/holos/blob/main/internal/generate/platforms/cue.mod/gen/external-secrets.io/externalsecret/v1beta1/types_gen.cue#L13
+[ComponentConfig]: ../api/author.md#ComponentConfig
+[timoni]: https://timoni.sh/install/
+[resources.cue]: https://github.com/holos-run/holos/blob/main/internal/generate/platforms/v1alpha5/resources.cue#L33

doc/md/tutorial/hello-holos.mdx

@@ -26,30 +26,94 @@ Chart as a Holos Component.
 
 ### Generating the structure
 
-Use `holos` to generate a minimal platform directory structure.  First, create
-and cd into a blank directory. Then use the `holos init platform` command to
-generate a minimal platform.
+Use `holos` to generate a minimal platform directory structure.  Start by
+creating a blank directory to hold the platform configuration.
+
+```shell
+mkdir holos-tutorial && cd holos-tutorial
+```
+
+Use the `holos init platform` command to initialize a minimal platform in the
+blank directory.
 
 ```shell
-mkdir holos-tutorial
-cd holos-tutorial
 holos init platform v1alpha5
 ```
 
-Holos creates a `platform` directory containing a `platform.gen.cue` file.  This
-file is the entry point for your new platform configuration.  You'll integrate
-components into the platform using the CUE code in this `platform` directory.
+Here's the filesystem tree we'll build in this tutorial.
+
+<Tabs groupId="80D04C6A-BC83-44D0-95CC-CE01B439B159">
+<TabItem value="tree" label="Tree">
+```text showLineNumbers
+holos-tutorial/
+├── components/
+│   └── podinfo/
+│       └── podinfo.cue
+├── cue.mod/
+├── platform/
+│   ├── platform.gen.cue
+│   └── podinfo.cue
+├── resources.cue
+├── schema.cue
+└── tags.cue
+```
+</TabItem>
+<TabItem value="details" label="Details">
+<div style={{display: "flex"}}>
+<div>
+```text showLineNumbers
+holos-tutorial/
+├── components/
+│   └── podinfo/
+│       └── podinfo.cue
+├── cue.mod/
+├── platform/
+│   ├── platform.gen.cue
+│   └── podinfo.cue
+├── resources.cue
+├── schema.cue
+└── tags.cue
+```
+</div>
+<div>
+- **Line 1** The platform root is the `holos-tutorial` directory we created.
+- **Line 2** This tutorial places components in `components/`.  They may reside
+anywhere.
+- **Line 3** A component is a collection of `*.cue` files at a path.
+- **Line 4** We'll create this file and configure the podinfo helm chart in the
+next section.
+- **Line 5** The CUE module directory.  Schema definitions for Kubernetes and
+Holos resources reside within the `cue.mod` directory.
+- **Line 6** The platform directory is the **main entrypoint** for the `holos
+render platform` command.
+- **Line 7** `platform.gen.cue` is initialized by `holos init platform` and
+contains the Platform spec.
+- **Line 8** `podinfo.cue` integrates podinfo with the platform by adding the
+component to the platform spec.  We'll add ths file after the next section.
+- **Line 9** `resources.cue` Defines the Kubernetes resources available to
+manage in CUE.
+- **Line 10** `schema.cue` Defines the configuration common to all component
+kinds.
+- **Line 11** `tags.cue` Defines where component parameter values are injected
+into the overall platform configuration.  We don't need to be concerned with
+this file until we cover component parameters.
+- **Lines 9-11** Initialized by `holos init platform`, user editable after
+initialization.
+</div>
+</div>
+</TabItem>
+</Tabs>
 
 ### Creating a component
 
 Start by creating a directory for the `podinfo` component.  Create an empty file
 and then add the following CUE configuration to it.
 
-<Tabs groupId="tutorial-hello-podinfo-helm-cue-code">
-  <TabItem value="components/podinfo/podinfo.cue" label="Podinfo Helm Chart">
 ```bash
 mkdir -p components/podinfo
-touch components/podinfo/podinfo.cue
+```
+```bash
+cat <<EOF > components/podinfo/podinfo.cue
 ```
 ```cue showLineNumbers
 package holos
@@ -66,20 +130,38 @@ HelmChart: #Helm & {
 			url:  "https://stefanprodan.github.io/podinfo"
 		}
 	}
+	// Holos marshals Values into values.yaml for Helm.
+	Values: {
+		// message is a string with a default value.  @tag indicates a value may
+		// be injected from the platform spec component parameters.
+		ui: {
+			message: string | *"Hello World" @tag(greeting, type=string)
+		}
+	}
 }
 ```
-  </TabItem>
-</Tabs>
+```bash
+EOF
+```
+
+:::important
+CUE loads all of `*.cue` files in the component directory to define component,
+similar to Go packages.
+:::
+
+:::note
+CUE _also_ loads all `*.cue` files from the component leaf directory to the
+platform root directory.  In this example, `#Helm` on line 6 is defined in
+`schema.cue` at the root.
+:::
 
 ### Integrating the component
 
-Integrate the `podinfo` component by creating a new file in the `platform`
-directory with the following CUE code:
+Integrate the `podinfo` component into the platform by creating a new CUE file
+in the `platform` directory with the following content.
 
-<Tabs groupId="tutorial-hello-register-podinfo-component">
-  <TabItem value="platform/podinfo.cue" label="Register Podinfo">
 ```bash
-touch platform/podinfo.cue
+cat <<EOF > platform/podinfo.cue
 ```
 ```cue showLineNumbers
 package holos
@@ -87,17 +169,25 @@ package holos
 Platform: Components: podinfo: {
 	name: "podinfo"
 	path: "components/podinfo"
+	// Inject a value into the component.
+	parameters: greeting: "Hello Holos!"
 }
 ```
-  </TabItem>
-</Tabs>
+```bash
+EOF
+```
+
+:::tip
+Component parameters may have any name as long as they don't start with
+`holos_`.
+:::
 
 ## Rendering manifests
 
 Render a manifest for `podinfo` using the `holos render platform ./platform`
-command.
+command.  The `platform/` directory is the main entrypoint for this command.
 
-<Tabs groupId="tutorial-hello-render-manifests">
+<Tabs groupId="E150C802-7162-4FBF-82A7-77D9ADAEE847">
   <TabItem value="command" label="Command">
 ```bash
 holos render platform ./platform
@@ -110,10 +200,19 @@ rendered podinfo in 1.938665041s
 rendered platform in 1.938759417s
 ```
   </TabItem>
-  <TabItem value="manifest" label="Rendered Manifest">
+</Tabs>
+
+:::important
+Holos rendered the following manifest file by executing `helm template` after
+caching `podinfo` locally.
+:::
+
 ```txt
 deploy/components/podinfo/podinfo.gen.yaml
 ```
+
+<Tabs groupId="0E9C231D-D0E8-410A-A4A0-601842A086A6">
+  <TabItem value="service" label="Service">
 ```yaml showLineNumbers
 apiVersion: v1
 kind: Service
@@ -137,7 +236,10 @@ spec:
   selector:
     app.kubernetes.io/name: podinfo
   type: ClusterIP
----
+```
+  </TabItem>
+  <TabItem value="deployment" label="Deployment">
+```yaml showLineNumbers
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -176,6 +278,8 @@ spec:
         - --random-delay=false
         - --random-error=false
         env:
+        - name: PODINFO_UI_MESSAGE
+          value: Hello Holos!
         - name: PODINFO_UI_COLOR
           value: '#34577c'
         image: ghcr.io/stefanprodan/podinfo:6.6.2
@@ -231,57 +335,34 @@ spec:
   </TabItem>
 </Tabs>
 
-Holos rendered the `deploy/components/podinfo/podinfo.gen.yaml` file by
-executing `helm template` after caching `podinfo` locally.
+Holos renders the component with the greeting injected from the platform spec.
+
+```shell
+grep -B2 Hello deploy/components/podinfo/podinfo.gen.yaml
+```
+```yaml
+        env:
+        - name: PODINFO_UI_MESSAGE
+          value: Hello Holos!
+```
 
 ## Breaking it down
 
-Here’s a quick review of the files we created and their purpose:
+We run `holos render platform ./platform` because the CUE files in the platform
+directory export a [Platform] resource to `holos`.  The platform directory is
+the entrypoint to the platform rendering process.
 
-```text
-holos-tutorial/
-├── components/
-│   └── podinfo/
-│       └── podinfo.cue
-├── cue.mod/
-├── platform/
-│   ├── platform.gen.cue
-│   └── podinfo.cue
-├── resources.cue
-├── schema.cue
-└── tags.cue
-```
+Components are the building blocks for a Platform.  The `platform/podinfo.cue`
+file integrates the `podinfo` Component with the Platform.
 
-#### `components/podinfo/podinfo.cue`
+Holos requires two fields to integrate a component with the platform.
 
-Configures the `podinfo` Helm chart as a holos component.
+1. A unique name for the component.
+2. The component path to the directory containing the CUE files exporting a
+`BuildPlan` defining the component.
 
-#### `cue.mod`
-
-[CUE Module] directory containing schema definitions for Kubernetes resources.
-
-#### `platform/platform.gen.cue`
-
-Exports the [Platform] spec from CUE to `holos` for processing.
-
-#### `platform/podinfo.cue`
-
-Integrates the `podinfo` Helm component into the platform.
-
-#### `resources.cue`
-
-Defines the `#Resources` schema of common Kubernetes resources.
-
-#### `schema.cue`
-
-Configures the `#Helm`, `#Kustomize`, and `#Kubernetes` common component kinds
-by composing the `#ComponentConfig` schema definition into each schema
-definition.  The component kinds behave consistently as a result.
-
-#### `tags.cue`
-
-Holds parameter values passed from `holos render platform` to `holos render
-component` injected via [CUE Tags].
+Component parameters are optional.  They allow re-use of the same component.
+Refer to the [Component Parameters] topic for more information.
 
 <Tabs groupId="67C1EE71-3EA8-4568-9F6D-0072BA09FF12">
   <TabItem value="overview" label="Rendering Overview">
@@ -296,63 +377,11 @@ component` injected via [CUE Tags].
   </TabItem>
 </Tabs>
 
-We run `holos render platform` against the `platform` directory because that
-directory exports a [Platform] resource to `holos`.  The platform directory is
-effectively the entrypoint into the rendering process.
-
-Components are the building blocks for a Platform, and without them `holos
-render platform` does nothing. The `platform/podinfo.cue` file integrates the
-`podinfo` Component with the Platform.
-
-Holos requires two things to integrate a component with the platform.
-
-1. A unique name for the component.
-2. The component filesystem path.
-
-:::important
-Components can be parameterized.
-:::
-
-The Platform spec can re-use the same component path providing it varying input
-parameters.  This is covered in the [Component Parameters] topic.
-
-:::tip
-Holos makes it easy to re-use a Helm chart with multiple customers and
-environments.  This is not well supported by Helm alone.
-:::
-
-The `components/podinfo/podinfo.cue` file unifies the `#Helm`
-definition, indicating that we're configuring a Helm chart, along with the
-`podinfo` chart's version and repository information.  If we wanted to customize
-the `podinfo` chart and change any of the chart's values, we would make those
-changes here.  For example, we could change the message being displayed by
-passing the `ui.message` value to the chart:
-
-```cue
-HelmChart: #Helm & {
-	Name: "podinfo"
-	Chart: {
-		version: "6.6.2"
-		repository: {
-			name: "podinfo"
-			url:  "https://stefanprodan.github.io/podinfo"
-		}
-	}
-	Values: {
-	    ui: message: "Hello Holos from Podinfo!"
-	}
-}
-```
-
-Holos repeats this process for every Component added to the Platform, and since `podinfo`
-is the only Component, we're done!
-
 ## Next Steps
 
-We've shown how to add a single Helm chart to the Platform, but what if you have
-more than one Helm chart and they all need to access the same data?  Continue on
-with the next tutorial to learn how Holos makes it easy to pass data to multiple
-components and Helm Charts.
+We've shown how to integrate one Helm chart to the Platform, but we haven't yet
+covered multiple Helm charts.  Continue on with the next tutorial to learn how
+Holos makes it easy to inject values into multiple components safely and easily.
 
 [podinfo]: https://github.com/stefanprodan/podinfo
 [CUE Module]: https://cuelang.org/docs/reference/modules/

doc/md/tutorial/helm-values.mdx

@@ -59,14 +59,12 @@ the following file contents.
 
 ```bash
 mkdir -p components/prometheus components/blackbox
-touch components/prometheus/prometheus.cue
-touch components/blackbox/blackbox.cue
 ```
 
 <Tabs groupId="D15A3008-1EFC-4D34-BED1-15BC0C736CC3">
   <TabItem value="prometheus.cue" label="prometheus.cue">
-```txt
-components/prometheus/prometheus.cue
+```bash
+cat <<EOF > components/prometheus/prometheus.cue
 ```
 ```cue showLineNumbers
 package holos
@@ -84,11 +82,14 @@ Helm: #Helm & {
 		}
 	}
 }
+```
+```bash
+EOF
 ```
   </TabItem>
   <TabItem value="blackbox.cue" label="blackbox.cue">
-```txt
-components/blackbox/blackbox.cue
+```bash
+cat <<EOF > components/blackbox/blackbox.cue
 ```
 ```cue showLineNumbers
 package holos
@@ -106,6 +107,9 @@ Helm: #Helm & {
 		}
 	}
 }
+```
+```bash
+EOF
 ```
   </TabItem>
 </Tabs>
@@ -116,9 +120,8 @@ Integrate the components with the platform by adding the following file to the
 platform directory.
 
 ```bash
-touch platform/prometheus.cue
+cat <<EOF > platform/prometheus.cue
 ```
-
 ```cue showLineNumbers
 package holos
 
@@ -133,6 +136,9 @@ Platform: Components: {
 	}
 }
 ```
+```bash
+EOF
+```
 
 Render the platform.
 
@@ -196,8 +202,8 @@ holos cue import \
   components/blackbox/vendor/9.0.1/prometheus-blackbox-exporter/values.yaml
 ```
 
-These command convert the YAML data into CUE code and nest the values under the
-`Values` field of the `Holos` struct.
+These commands convert the YAML data into CUE code and nest the values under the
+`Values` field of the `Helm` struct.
 
 :::important
 CUE unifies `values.cue` with the other `*.cue` files in the same directory.
@@ -243,9 +249,8 @@ use.  We add this configuration to the `components` directory so it's in scope
 for all components.
 
 ```bash
-touch components/blackbox.cue
+cat <<EOF > components/blackbox.cue
 ```
-
 ```cue showLineNumbers
 package holos
 
@@ -263,6 +268,9 @@ Blackbox: #Blackbox & {
 	port: 9115
 }
 ```
+```bash
+EOF
+```
 
 :::important
 1. CUE loads and unifies all `*.cue` files from the root directory containing

doc/md/tutorial/kustomize.mdx

@@ -61,11 +61,12 @@ Create the `httpbin` component directory and add the `httpbin.cue` and
   <TabItem value="setup" label="Setup">
 ```bash
 mkdir -p components/httpbin
-touch components/httpbin/httpbin.cue
-touch components/httpbin/httpbin.yaml
 ```
   </TabItem>
   <TabItem value="components/httpbin/httpbin.cue" label="httpbin.cue">
+```bash
+cat <<EOF > components/httpbin/httpbin.cue
+```
 ```cue showLineNumbers
 package holos
 
@@ -97,9 +98,15 @@ Kustomize: #Kustomize & {
 		}
 	}
 }
+```
+```bash
+EOF
 ```
   </TabItem>
   <TabItem value="components/httpbin/httpbin.yaml" label="httpbin.yaml">
+```bash
+cat <<EOF > components/httpbin/httpbin.yaml
+```
 ```yaml showLineNumbers
 # https://github.com/mccutchen/go-httpbin/blob/v2.15.0/kustomize/resources.yaml
 apiVersion: apps/v1
@@ -137,6 +144,9 @@ spec:
       protocol: TCP
       name: http
       appProtocol: http
+```
+```bash
+EOF
 ```
   </TabItem>
 </Tabs>
@@ -150,9 +160,8 @@ Integrate `httpbin` with the platform by adding the following file to the
 platform directory.
 
 ```bash
-touch platform/httpbin.cue
+cat <<EOF > platform/httpbin.cue
 ```
-
 ```cue showLineNumbers
 package holos
 
@@ -163,6 +172,9 @@ Platform: Components: {
 	}
 }
 ```
+```bash
+EOF
+```
 
 Render the platform.
 
@@ -275,13 +287,9 @@ makes this easier with CUE.  We don't need to edit any yaml files.
 Add a new `patches.cue` file to the `httpbin` component with the following
 content.
 
-<Tabs groupId="104D40FD-ED59-4F66-8B91-435436084743">
-  <TabItem value="touch" label="touch">
 ```bash
-touch components/httpbin/patches.cue
+cat <<EOF > components/httpbin/patches.cue
 ```
-  </TabItem>
-  <TabItem value="patches.cue" label="patches.cue">
 ```cue showLineNumbers
 package holos
 
@@ -300,8 +308,9 @@ Kustomize: KustomizeConfig: Kustomization: _patches: {
 	}
 }
 ```
-  </TabItem>
-</Tabs>
+```bash
+EOF
+```
 
 :::note
 We use a hidden `_patches` field to easily unify data into a struct, then

doc/md/tutorial/schema-definitions.mdx

@@ -1,13 +0,0 @@
----
-slug: schema-definitions
-title: Schema Definitions
-description: Define your own custom data structures.
-sidebar_position: 70
----
-
-# Schema Definitions
-
-- Work through defining a `#Cluster` schema and a `Clusters` struct.
-- Direct the reader to [topics] for more recipes.
-
-[topics]: ../topics.mdx

doc/md/tutorial/setup.mdx

@@ -17,22 +17,54 @@ This tutorial will guide you through the installation of Holos and its
 dependencies, as well as the initialization of a minimal Platform that you can
 extend to meet your specific needs.
 
-## Installing Holos
+## Installing
 
 Holos is distributed as a single file executable that can be installed in a
 couple of ways.
 
+<Tabs groupId="FE2C74C8-B3A3-4AEA-BBD3-F57FAA654B6F">
+  <TabItem value="brew" label="Install with brew">
+```bash
+brew install holos-run/tap/holos
+```
+  </TabItem>
+  <TabItem value="go" label="Go">
+```bash
+go install github.com/holos-run/holos/cmd/holos@latest
+```
+  </TabItem>
+</Tabs>
+
+### Completion
+
+<Tabs groupId="65F79D28-2E57-4A90-8EBA-3D8758C80233">
+  <TabItem value="zsh" label="zsh">
+```bash
+source <(holos completion zsh)
+```
+  </TabItem>
+  <TabItem value="bash" label="bash">
+```bash
+source <(holos completion bash)
+```
+  </TabItem>
+  <TabItem value="fish" label="fish">
+```bash
+source <(holos completion fish)
+```
+  </TabItem>
+  <TabItem value="ksh" label="ksh">
+```bash
+source <(holos completion ksh)
+```
+  </TabItem>
+</Tabs>
+
 ### Releases
 
 Download `holos` from the [releases] page and place the executable into your
 shell path.
 
-### Go Install
-
-```shell
-go install github.com/holos-run/holos/cmd/holos@latest
-```
-
 ### Dependencies
 
 Holos integrates with the following tools that should be installed to enable
@@ -41,6 +73,13 @@ their functionality.
 - [Helm] to fetch and render Helm chart Components.
 - [Kubectl] to [kustomize] components.
 
+:::note
+Holos is tested with Helm version `v3.16.2`.
+:::
+
+Please try upgrading helm if you encounter `Error: chart requires kubeVersion
+...` errors.
+
 ## Next Steps
 
 You've got the structure of your platform configuration in place. Continue on to

doc/website/package.json

@@ -15,10 +15,10 @@
     "typecheck": "tsc"
   },
   "dependencies": {
-    "@docusaurus/core": "^3.6.0",
-    "@docusaurus/plugin-client-redirects": "^3.6.0",
-    "@docusaurus/preset-classic": "^3.6.0",
-    "@docusaurus/theme-mermaid": "^3.6.0",
+    "@docusaurus/core": "^3.6.1",
+    "@docusaurus/plugin-client-redirects": "^3.6.1",
+    "@docusaurus/preset-classic": "^3.6.1",
+    "@docusaurus/theme-mermaid": "^3.6.1",
     "@mdx-js/react": "^3.0.0",
     "clsx": "^2.0.0",
     "prism-react-renderer": "^2.3.0",
@@ -26,9 +26,9 @@
     "react-dom": "^18.0.0"
   },
   "devDependencies": {
-    "@docusaurus/module-type-aliases": "^3.6.0",
-    "@docusaurus/tsconfig": "^3.6.0",
-    "@docusaurus/types": "^3.6.0",
+    "@docusaurus/module-type-aliases": "^3.6.1",
+    "@docusaurus/tsconfig": "^3.6.1",
+    "@docusaurus/types": "^3.6.1",
     "@wcj/html-to-markdown-cli": "^2.1.1",
     "cspell": "^8.10.4",
     "html-to-markdown": "^1.0.0",

doc/website/src/diagrams/rendering-overview.mdx

@@ -17,7 +17,7 @@ graph LR
 
     Generators[<a href="/docs/v1alpha5/api/core/#Generator">Generators</a>]
     Transformers[<a href="/docs/v1alpha5/api/core/#Transformer">Transformers</a>]
-    Validators[<a href="/docs/v1alpha5/api/core/#Transformer">Validators</a><br/>TBD]
+    Validators[Validators]
     Files[Manifest<br/>Files]
 
     Platform --> Component

internal/builder/v1alpha5/builder.go

@@ -333,6 +333,12 @@ func (b *BuildPlan) helm(
 	if !g.Helm.EnableHooks {
 		args = append(args, "--no-hooks")
 	}
+	for _, apiVersion := range g.Helm.APIVersions {
+		args = append(args, "--api-versions", apiVersion)
+	}
+	if kubeVersion := g.Helm.KubeVersion; kubeVersion != "" {
+		args = append(args, "--kube-version", kubeVersion)
+	}
 	args = append(args,
 		"--include-crds",
 		"--values", valuesPath,
@@ -347,6 +353,7 @@ func (b *BuildPlan) helm(
 		stderr := helmOut.Stderr.String()
 		lines := strings.Split(stderr, "\n")
 		for _, line := range lines {
+			log.DebugContext(ctx, line)
 			if strings.HasPrefix(line, "Error:") {
 				err = fmt.Errorf("%s: %w", line, err)
 			}
@@ -514,7 +521,15 @@ func (b *BuildPlan) cacheChart(
 	}
 	helmOut, err := util.RunCmd(ctx, "helm", "pull", "--destination", cacheTemp, "--untar=true", "--version", chart.Version, cn)
 	if err != nil {
-		return errors.Wrap(fmt.Errorf("could not run helm pull: %w", err))
+		stderr := helmOut.Stderr.String()
+		lines := strings.Split(stderr, "\n")
+		for _, line := range lines {
+			log.DebugContext(ctx, line)
+			if strings.HasPrefix(line, "Error:") {
+				err = fmt.Errorf("%s: %w", line, err)
+			}
+		}
+		return errors.Format("could not run helm pull: %w", err)
 	}
 	log.Debug("helm pull", "stdout", helmOut.Stdout, "stderr", helmOut.Stderr)
 

internal/cli/render/render.go

@@ -28,13 +28,13 @@ func New(cfg *holos.Config, feature holos.Flagger) *cobra.Command {
 	cmd := command.New("render")
 	cmd.Args = cobra.NoArgs
 	cmd.Short = "render platforms and components to manifest files"
-	cmd.AddCommand(NewComponent(cfg))
-	cmd.AddCommand(NewPlatform(cfg))
+	cmd.AddCommand(NewComponent(cfg, feature))
+	cmd.AddCommand(NewPlatform(cfg, feature))
 	return cmd
 }
 
 // New returns the component subcommand for the render command
-func NewComponent(cfg *holos.Config) *cobra.Command {
+func NewComponent(cfg *holos.Config, feature holos.Flagger) *cobra.Command {
 	cmd := command.New("component DIRECTORY")
 	cmd.Args = cobra.ExactArgs(1)
 	cmd.Short = "render a platform component"
@@ -43,8 +43,10 @@ func NewComponent(cfg *holos.Config) *cobra.Command {
 	cmd.Flags().AddGoFlagSet(cfg.ClusterFlagSet())
 
 	config := client.NewConfig(cfg)
-	cmd.PersistentFlags().AddGoFlagSet(config.ClientFlagSet())
-	cmd.PersistentFlags().AddGoFlagSet(config.TokenFlagSet())
+	if feature.Flag(holos.ClientFeature) {
+		cmd.PersistentFlags().AddGoFlagSet(config.ClientFlagSet())
+		cmd.PersistentFlags().AddGoFlagSet(config.TokenFlagSet())
+	}
 
 	flagSet := flag.NewFlagSet("", flag.ContinueOnError)
 
@@ -176,15 +178,17 @@ func NewComponent(cfg *holos.Config) *cobra.Command {
 	return cmd
 }
 
-func NewPlatform(cfg *holos.Config) *cobra.Command {
+func NewPlatform(cfg *holos.Config, feature holos.Flagger) *cobra.Command {
 	cmd := command.New("platform DIRECTORY")
 	cmd.Args = cobra.ExactArgs(1)
 	cmd.Example = "  holos render platform ./platform"
 	cmd.Short = "render an entire platform"
 
 	config := client.NewConfig(cfg)
-	cmd.PersistentFlags().AddGoFlagSet(config.ClientFlagSet())
-	cmd.PersistentFlags().AddGoFlagSet(config.TokenFlagSet())
+	if feature.Flag(holos.ClientFeature) {
+		cmd.PersistentFlags().AddGoFlagSet(config.ClientFlagSet())
+		cmd.PersistentFlags().AddGoFlagSet(config.TokenFlagSet())
+	}
 
 	var concurrency int
 	cmd.Flags().IntVar(&concurrency, "concurrency", min(runtime.NumCPU(), 8), "number of components to render concurrently")
@@ -274,17 +278,18 @@ func (t tags) Tags() []string {
 }
 
 func (t tags) String() string {
-	return strings.Join(t.Tags(), ",")
+	return strings.Join(t.Tags(), " ")
 }
 
+// Set sets a value.  Only one value per flag is supported.  For example
+// --inject=foo=bar --inject=bar=baz.  For JSON values, --inject=foo=bar,bar=baz
+// is not supported.
 func (t tags) Set(value string) error {
-	for _, item := range strings.Split(value, ",") {
-		parts := strings.SplitN(item, "=", 2)
-		if len(parts) != 2 {
-			return errors.Format("invalid format, must be tag=value")
-		}
-		t[parts[0]] = parts[1]
+	parts := strings.SplitN(value, "=", 2)
+	if len(parts) != 2 {
+		return errors.Format("invalid format, must be tag=value")
 	}
+	t[parts[0]] = parts[1]
 	return nil
 }
 

internal/cli/root.go

@@ -118,7 +118,7 @@ func newOrgCmd(feature holos.Flagger) (cmd *cobra.Command) {
 }
 
 func newCueCmd() (cmd *cobra.Command) {
-	cueCmd, _ := cue.New(os.Args[2:])
+	cueCmd, _ := cue.New(os.Args[1:])
 	cmd = cueCmd.Command
 	return
 }

internal/generate/platforms/cue.mod/gen/external-secrets.io/clusterexternalsecret/v1beta1/types_gen.cue

@@ -1,6 +1,6 @@
 // Code generated by timoni. DO NOT EDIT.
 
-//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-secrets-eso/prod-secrets-eso.gen.yaml
+//timoni:generate timoni vendor crd -f https://raw.githubusercontent.com/external-secrets/external-secrets/v0.10.5/deploy/crds/bundle.yaml
 
 package v1beta1
 
@@ -106,7 +106,6 @@ import (
 			sourceRef?: struct.MaxFields(1) & {
 				// GeneratorRef points to a generator custom resource.
 				//
-				//
 				// Deprecated: The generatorRef is not implemented in .data[].
 				// this will be removed with v1.
 				generatorRef?: {
@@ -336,6 +335,7 @@ import (
 
 	// The labels to select by to find the Namespaces to create the
 	// ExternalSecrets in.
+	// Deprecated: Use NamespaceSelectors instead.
 	namespaceSelector?: {
 		// matchExpressions is a list of label selector requirements. The
 		// requirements are ANDed.
@@ -368,8 +368,42 @@ import (
 		}
 	}
 
+	// A list of labels to select by to find the Namespaces to create
+	// the ExternalSecrets in. The selectors are ORed.
+	namespaceSelectors?: [...{
+		// matchExpressions is a list of label selector requirements. The
+		// requirements are ANDed.
+		matchExpressions?: [...{
+			// key is the label key that the selector applies to.
+			key: string
+
+			// operator represents a key's relationship to a set of values.
+			// Valid operators are In, NotIn, Exists and DoesNotExist.
+			operator: string
+
+			// values is an array of string values. If the operator is In or
+			// NotIn,
+			// the values array must be non-empty. If the operator is Exists
+			// or DoesNotExist,
+			// the values array must be empty. This array is replaced during a
+			// strategic
+			// merge patch.
+			values?: [...string]
+		}]
+
+		// matchLabels is a map of {key,value} pairs. A single {key,value}
+		// in the matchLabels
+		// map is equivalent to an element of matchExpressions, whose key
+		// field is "key", the
+		// operator is "In", and the values array contains only "value".
+		// The requirements are ANDed.
+		matchLabels?: {
+			[string]: string
+		}
+	}]
+
 	// Choose namespaces by name. This field is ORed with anything
-	// that NamespaceSelector ends up choosing.
+	// that NamespaceSelectors ends up choosing.
 	namespaces?: [...string]
 
 	// The time in which the controller should reconcile its objects

internal/generate/platforms/cue.mod/gen/external-secrets.io/clustersecretstore/v1alpha1/types_gen.cue

@@ -1,6 +1,6 @@
 // Code generated by timoni. DO NOT EDIT.
 
-//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-secrets-eso/prod-secrets-eso.gen.yaml
+//timoni:generate timoni vendor crd -f https://raw.githubusercontent.com/external-secrets/external-secrets/v0.10.5/deploy/crds/bundle.yaml
 
 package v1alpha1
 
@@ -745,6 +745,36 @@ import (
 			vault: string
 		}
 
+		// Configures a store to sync secrets with a Password Depot
+		// instance.
+		passworddepot?: {
+			auth: {
+				secretRef: {
+					// Username / Password is used for authentication.
+					credentials?: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+				}
+			}
+
+			// Database to use as source
+			database: string
+
+			// URL configures the Password Depot instance URL.
+			host: string
+		}
+
 		// Vault configures this store to sync secrets using Hashi
 		// provider
 		vault?: {

internal/generate/platforms/cue.mod/gen/external-secrets.io/clustersecretstore/v1beta1/types_gen.cue

@@ -1,6 +1,6 @@
 // Code generated by timoni. DO NOT EDIT.
 
-//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-secrets-eso/prod-secrets-eso.gen.yaml
+//timoni:generate timoni vendor crd -f https://raw.githubusercontent.com/external-secrets/external-secrets/v0.10.5/deploy/crds/bundle.yaml
 
 package v1beta1
 
@@ -55,6 +55,9 @@ import (
 	// Used to constraint a ClusterSecretStore to specific namespaces.
 	// Relevant only to ClusterSecretStore
 	conditions?: [...{
+		// Choose namespaces by using regex matching
+		namespaceRegexes?: [...string]
+
 		// Choose namespace using a labelSelector
 		namespaceSelector?: {
 			// matchExpressions is a list of label selector requirements. The
@@ -394,6 +397,9 @@ import (
 			// AWS External ID set on assumed IAM roles
 			externalID?: string
 
+			// Prefix adds a prefix to all retrieved values.
+			prefix?: string
+
 			// AWS Region to be used for the provider
 			region: string
 
@@ -445,10 +451,28 @@ import (
 		// Vault provider
 		azurekv?: {
 			// Auth configures how the operator authenticates with Azure.
-			// Required for ServicePrincipal auth type.
+			// Required for ServicePrincipal auth type. Optional for
+			// WorkloadIdentity.
 			authSecretRef?: {
-				// The Azure clientId of the service principle used for
+				// The Azure ClientCertificate of the service principle used for
 				// authentication.
+				clientCertificate?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+
+				// The Azure clientId of the service principle or managed identity
+				// used for authentication.
 				clientId?: {
 					// The key of the entry in the Secret resource's `data` field to
 					// be used. Some instances of this field may be
@@ -480,6 +504,23 @@ import (
 					// to the namespace of the referent.
 					namespace?: string
 				}
+
+				// The Azure tenantId of the managed identity used for
+				// authentication.
+				tenantId?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
 			}
 
 			// Auth type defines how to authenticate to the keyvault service.
@@ -523,13 +564,225 @@ import (
 			}
 
 			// TenantID configures the Azure Tenant to send requests to.
-			// Required for ServicePrincipal auth type.
+			// Required for ServicePrincipal auth type. Optional for
+			// WorkloadIdentity.
 			tenantId?: string
 
 			// Vault Url from which the secrets to be fetched from.
 			vaultUrl: string
 		}
 
+		// Beyondtrust configures this store to sync secrets using
+		// Password Safe provider.
+		beyondtrust?: {
+			// Auth configures how the operator authenticates with
+			// Beyondtrust.
+			auth: {
+				// Content of the certificate (cert.pem) for use when
+				// authenticating with an OAuth client Id using a Client
+				// Certificate.
+				certificate?: {
+					// SecretRef references a key in a secret that will be used as
+					// value.
+					secretRef?: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+
+					// Value can be specified directly to set a value without using a
+					// secret.
+					value?: string
+				}
+
+				// Certificate private key (key.pem). For use when authenticating
+				// with an OAuth client Id
+				certificateKey?: {
+					// SecretRef references a key in a secret that will be used as
+					// value.
+					secretRef?: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+
+					// Value can be specified directly to set a value without using a
+					// secret.
+					value?: string
+				}
+				clientId: {
+					// SecretRef references a key in a secret that will be used as
+					// value.
+					secretRef?: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+
+					// Value can be specified directly to set a value without using a
+					// secret.
+					value?: string
+				}
+				clientSecret: {
+					// SecretRef references a key in a secret that will be used as
+					// value.
+					secretRef?: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+
+					// Value can be specified directly to set a value without using a
+					// secret.
+					value?: string
+				}
+			}
+
+			// Auth configures how API server works.
+			server: {
+				apiUrl: string
+
+				// Timeout specifies a time limit for requests made by this
+				// Client. The timeout includes connection time, any redirects,
+				// and reading the response body. Defaults to 45 seconds.
+				clientTimeOutSeconds?: int
+
+				// The secret retrieval type. SECRET = Secrets Safe (credential,
+				// text, file). MANAGED_ACCOUNT = Password Safe account
+				// associated with a system.
+				retrievalType?: string
+
+				// A character that separates the folder names.
+				separator?: string
+				verifyCA:   bool
+			}
+		}
+
+		// BitwardenSecretsManager configures this store to sync secrets
+		// using BitwardenSecretsManager provider
+		bitwardensecretsmanager?: {
+			apiURL?: string
+			auth: {
+				secretRef: {
+					// AccessToken used for the bitwarden instance.
+					credentials: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+				}
+			}
+			bitwardenServerSDKURL?: string
+
+			// Base64 encoded certificate for the bitwarden server sdk. The
+			// sdk MUST run with HTTPS to make sure no MITM attack
+			// can be performed.
+			caBundle?: string
+
+			// see:
+			// https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider
+			caProvider?: {
+				// The key where the CA certificate can be found in the Secret or
+				// ConfigMap.
+				key?: string
+
+				// The name of the object located at the provider type.
+				name: string
+
+				// The namespace the Provider type is in.
+				// Can only be defined when used in a ClusterSecretStore.
+				namespace?: string
+
+				// The type of provider to use such as "Secret", or "ConfigMap".
+				type: "Secret" | "ConfigMap"
+			}
+			identityURL?: string
+
+			// OrganizationID determines which organization this secret store
+			// manages.
+			organizationID: string
+
+			// ProjectID determines which project this secret store manages.
+			projectID: string
+		}
+
+		// Chef configures this store to sync secrets with chef server
+		chef?: {
+			auth: {
+				secretRef: {
+					// SecretKey is the Signing Key in PEM format, used for
+					// authentication.
+					privateKeySecretRef: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+				}
+			}
+
+			// ServerURL is the chef server URL used to connect to. If using
+			// orgs you should include your org in the url and terminate the
+			// url with a "/"
+			serverUrl: string
+
+			// UserName should be the user ID on the chef server
+			username: string
+		}
+
 		// Conjur configures this store to sync secrets using conjur
 		// provider
 		conjur?: {
@@ -574,6 +827,11 @@ import (
 				jwt?: {
 					account: string
 
+					// Optional HostID for JWT authentication. This may be used
+					// depending
+					// on how the Conjur JWT authenticator policy is configured.
+					hostId?: string
+
 					// Optional SecretRef that refers to a key in a Secret resource
 					// containing JWT token to
 					// authenticate with Conjur using the JWT authentication method.
@@ -705,6 +963,33 @@ import (
 			urlTemplate?: string
 		}
 
+		// Device42 configures this store to sync secrets using the
+		// Device42 provider
+		device42?: {
+			auth: {
+				secretRef: {
+					// Username / Password is used for authentication.
+					credentials?: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+				}
+			}
+
+			// URL configures the Device42 instance URL.
+			host: string
+		}
+
 		// Doppler configures this store to sync secrets using the Doppler
 		// provider
 		doppler?: {
@@ -758,6 +1043,33 @@ import (
 			}]
 		}
 
+		// Fortanix configures this store to sync secrets using the
+		// Fortanix provider
+		fortanix?: {
+			apiKey?: {
+				// SecretRef is a reference to a secret containing the SDKMS API
+				// Key.
+				secretRef?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+			}
+
+			// APIURL is the URL of SDKMS API. Defaults to
+			// `sdkms.fortanix.com`.
+			apiUrl?: string
+		}
+
 		// GCPSM configures this store to sync secrets using Google Cloud
 		// Platform Secret Manager provider
 		gcpsm?: {
@@ -806,6 +1118,9 @@ import (
 				}
 			}
 
+			// Location optionally defines a location for a secret
+			location?: string
+
 			// ProjectID project where secret is located
 			projectID?: string
 		}
@@ -896,6 +1211,55 @@ import (
 			serviceUrl?: string
 		}
 
+		// Infisical configures this store to sync secrets using the
+		// Infisical provider
+		infisical?: {
+			auth: {
+				universalAuthCredentials?: {
+					// A reference to a specific 'key' within a Secret resource,
+					// In some instances, `key` is a required field.
+					clientId: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+
+					// A reference to a specific 'key' within a Secret resource,
+					// In some instances, `key` is a required field.
+					clientSecret: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+				}
+			}
+			hostAPI?: string | *"https://app.infisical.com/api"
+			secretsScope: {
+				environmentSlug: string
+				projectSlug:     string
+				recursive?:      bool | *false
+				secretsPath?:    string | *"/"
+			}
+		}
+
 		// KeeperSecurity configures this store to sync secrets using the
 		// KeeperSecurity provider
 		keepersecurity?: {
@@ -923,7 +1287,7 @@ import (
 		kubernetes?: {
 			// Auth configures how secret-manager authenticates with a
 			// Kubernetes instance.
-			auth: struct.MaxFields(1) & {
+			auth?: struct.MaxFields(1) & {
 				// has both clientCert and clientKey as secretKeySelector
 				cert?: {
 					// A reference to a specific 'key' within a Secret resource,
@@ -999,6 +1363,22 @@ import (
 				}
 			}
 
+			// A reference to a secret that contains the auth information.
+			authRef?: {
+				// The key of the entry in the Secret resource's `data` field to
+				// be used. Some instances of this field may be
+				// defaulted, in others it may be required.
+				key?: string
+
+				// The name of the Secret resource being referred to.
+				name?: string
+
+				// Namespace of the resource being referred to. Ignored if
+				// referent is not cluster-scoped. cluster-scoped defaults
+				// to the namespace of the referent.
+				namespace?: string
+			}
+
 			// Remote namespace to fetch the secrets from
 			remoteNamespace?: string | *"default"
 
@@ -1030,6 +1410,61 @@ import (
 			}
 		}
 
+		// Onboardbase configures this store to sync secrets using the
+		// Onboardbase provider
+		onboardbase?: {
+			// APIHost use this to configure the host url for the API for
+			// selfhosted installation, default is
+			// https://public.onboardbase.com/api/v1/
+			apiHost: string | *"https://public.onboardbase.com/api/v1/"
+
+			// Auth configures how the Operator authenticates with the
+			// Onboardbase API
+			auth: {
+				// OnboardbaseAPIKey is the APIKey generated by an admin account.
+				// It is used to recognize and authorize access to a project and
+				// environment within onboardbase
+				apiKeyRef: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+
+				// OnboardbasePasscode is the passcode attached to the API Key
+				passcodeRef: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+			}
+
+			// Environment is the name of an environmnent within a project to
+			// pull the secrets from
+			environment: string | *"development"
+
+			// Project is an onboardbase project that the secrets should be
+			// pulled from
+			project: string | *"development"
+		}
+
 		// OnePassword configures this store to sync secrets using the
 		// 1Password Cloud provider
 		onepassword?: {
@@ -1158,6 +1593,149 @@ import (
 			// located.
 			vault: string
 		}
+		passbolt?: {
+			// Auth defines the information necessary to authenticate against
+			// Passbolt Server
+			auth: {
+				// A reference to a specific 'key' within a Secret resource,
+				// In some instances, `key` is a required field.
+				passwordSecretRef: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+
+				// A reference to a specific 'key' within a Secret resource,
+				// In some instances, `key` is a required field.
+				privateKeySecretRef: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+			}
+
+			// Host defines the Passbolt Server to connect to
+			host: string
+		}
+
+		// Configures a store to sync secrets with a Password Depot
+		// instance.
+		passworddepot?: {
+			auth: {
+				secretRef: {
+					// Username / Password is used for authentication.
+					credentials?: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+				}
+			}
+
+			// Database to use as source
+			database: string
+
+			// URL configures the Password Depot instance URL.
+			host: string
+		}
+
+		// Previder configures this store to sync secrets using the
+		// Previder provider
+		previder?: {
+			auth: {
+				secretRef?: {
+					// The AccessToken is used for authentication
+					accessToken: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+				}
+			}
+			baseUri?: string
+		}
+
+		// Pulumi configures this store to sync secrets using the Pulumi
+		// provider
+		pulumi?: {
+			accessToken: {
+				// SecretRef is a reference to a secret containing the Pulumi API
+				// token.
+				secretRef?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+			}
+
+			// APIURL is the URL of the Pulumi API.
+			apiUrl?: string | *"https://api.pulumi.com/api/esc"
+
+			// Environment are YAML documents composed of static key-value
+			// pairs, programmatic expressions,
+			// dynamically retrieved values from supported providers including
+			// all major clouds,
+			// and other Pulumi ESC environments.
+			// To create a new environment, visit
+			// https://www.pulumi.com/docs/esc/environments/ for more
+			// information.
+			environment: string
+
+			// Organization are a space to collaborate on shared projects and
+			// stacks.
+			// To create a new organization, visit https://app.pulumi.com/ and
+			// click "New Organization".
+			organization: string
+
+			// Project is the name of the Pulumi ESC project the environment
+			// belongs to.
+			project: string
+		}
 
 		// Scaleway
 		scaleway?: {
@@ -1222,6 +1800,63 @@ import (
 			}
 		}
 
+		// SecretServer configures this store to sync secrets using
+		// SecretServer provider
+		// https://docs.delinea.com/online-help/secret-server/start.htm
+		secretserver?: {
+			// Password is the secret server account password.
+			password: {
+				// SecretRef references a key in a secret that will be used as
+				// value.
+				secretRef?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+
+				// Value can be specified directly to set a value without using a
+				// secret.
+				value?: string
+			}
+
+			// ServerURL
+			// URL to your secret server installation
+			serverURL: string
+
+			// Username is the secret server account username.
+			username: {
+				// SecretRef references a key in a secret that will be used as
+				// value.
+				secretRef?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+
+				// Value can be specified directly to set a value without using a
+				// secret.
+				value?: string
+			}
+		}
+
 		// Senhasegura configures this store to sync secrets using
 		// senhasegura provider
 		senhasegura?: {
@@ -1632,6 +2267,17 @@ import (
 					username: string
 				}
 
+				// Name of the vault namespace to authenticate to. This can be
+				// different than the namespace your secret is in.
+				// Namespaces is a set of features within Vault Enterprise that
+				// allows
+				// Vault environments to support Secure Multi-tenancy. e.g: "ns1".
+				// More about namespaces can be found here
+				// https://www.vaultproject.io/docs/enterprise/namespaces
+				// This will default to Vault.Namespace field if set, or empty
+				// otherwise
+				namespace?: string
+
 				// TokenSecretRef authenticates with Vault by presenting a token.
 				tokenSecretRef?: {
 					// The key of the entry in the Secret resource's `data` field to
@@ -1717,6 +2363,11 @@ import (
 			// https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
 			forwardInconsistent?: bool
 
+			// Headers to be added in Vault request
+			headers?: {
+				[string]: string
+			}
+
 			// Name of the vault namespace. Namespaces is a set of features
 			// within Vault Enterprise that allows
 			// Vault environments to support Secure Multi-tenancy. e.g: "ns1".

internal/generate/platforms/cue.mod/gen/external-secrets.io/externalsecret/v1alpha1/types_gen.cue

@@ -1,6 +1,6 @@
 // Code generated by timoni. DO NOT EDIT.
 
-//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-secrets-eso/prod-secrets-eso.gen.yaml
+//timoni:generate timoni vendor crd -f https://raw.githubusercontent.com/external-secrets/external-secrets/v0.10.5/deploy/crds/bundle.yaml
 
 package v1alpha1
 

internal/generate/platforms/cue.mod/gen/external-secrets.io/externalsecret/v1beta1/types_gen.cue

@@ -1,6 +1,6 @@
 // Code generated by timoni. DO NOT EDIT.
 
-//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-secrets-eso/prod-secrets-eso.gen.yaml
+//timoni:generate timoni vendor crd -f https://raw.githubusercontent.com/external-secrets/external-secrets/v0.10.5/deploy/crds/bundle.yaml
 
 package v1beta1
 
@@ -87,7 +87,6 @@ import (
 		sourceRef?: struct.MaxFields(1) & {
 			// GeneratorRef points to a generator custom resource.
 			//
-			//
 			// Deprecated: The generatorRef is not implemented in .data[].
 			// this will be removed with v1.
 			generatorRef?: {

internal/generate/platforms/cue.mod/gen/external-secrets.io/pushsecret/v1alpha1/types_gen.cue

@@ -1,10 +1,13 @@
 // Code generated by timoni. DO NOT EDIT.
 
-//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-secrets-eso/prod-secrets-eso.gen.yaml
+//timoni:generate timoni vendor crd -f https://raw.githubusercontent.com/external-secrets/external-secrets/v0.10.5/deploy/crds/bundle.yaml
 
 package v1alpha1
 
-import "strings"
+import (
+	"strings"
+	"struct"
+)
 
 #PushSecret: {
 	// APIVersion defines the versioned schema of this representation
@@ -48,6 +51,9 @@ import "strings"
 #PushSecretSpec: {
 	// Secret Data that should be pushed to providers
 	data?: [...{
+		// Used to define a conversion Strategy for the secret keys
+		conversionStrategy?: "None" | "ReverseUnicode" | *"None"
+
 		// Match a given Secret Key to be pushed to the provider.
 		match: {
 			// Remote Refs to push to providers.
@@ -118,8 +124,22 @@ import "strings"
 		// Optionally, sync to the SecretStore of the given name
 		name?: string
 	}]
-	selector: {
-		secret: {
+
+	// The Secret Selector (k8s source) for the Push Secret
+	selector: struct.MaxFields(1) & {
+		// Point to a generator to create a Secret.
+		generatorRef?: {
+			// Specify the apiVersion of the generator resource
+			apiVersion?: string | *"generators.external-secrets.io/v1alpha1"
+
+			// Specify the Kind of the resource, e.g. Password, ACRAccessToken
+			// etc.
+			kind: string
+
+			// Specify the name of the generator resource
+			name: string
+		}
+		secret?: {
 			// Name of the Secret. The Secret must exist in the same namespace
 			// as the PushSecret manifest.
 			name: string
@@ -168,4 +188,8 @@ import "strings"
 		}]
 		type?: string
 	}
+
+	// UpdatePolicy to handle Secrets in the provider. Possible
+	// Values: "Replace/IfNotExists". Defaults to "Replace".
+	updatePolicy?: "Replace" | "IfNotExists" | *"Replace"
 }

internal/generate/platforms/cue.mod/gen/external-secrets.io/secretstore/v1alpha1/types_gen.cue

@@ -1,6 +1,6 @@
 // Code generated by timoni. DO NOT EDIT.
 
-//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-secrets-eso/prod-secrets-eso.gen.yaml
+//timoni:generate timoni vendor crd -f https://raw.githubusercontent.com/external-secrets/external-secrets/v0.10.5/deploy/crds/bundle.yaml
 
 package v1alpha1
 
@@ -744,6 +744,36 @@ import (
 			vault: string
 		}
 
+		// Configures a store to sync secrets with a Password Depot
+		// instance.
+		passworddepot?: {
+			auth: {
+				secretRef: {
+					// Username / Password is used for authentication.
+					credentials?: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+				}
+			}
+
+			// Database to use as source
+			database: string
+
+			// URL configures the Password Depot instance URL.
+			host: string
+		}
+
 		// Vault configures this store to sync secrets using Hashi
 		// provider
 		vault?: {

internal/generate/platforms/cue.mod/gen/external-secrets.io/secretstore/v1beta1/types_gen.cue

@@ -1,6 +1,6 @@
 // Code generated by timoni. DO NOT EDIT.
 
-//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-secrets-eso/prod-secrets-eso.gen.yaml
+//timoni:generate timoni vendor crd -f https://raw.githubusercontent.com/external-secrets/external-secrets/v0.10.5/deploy/crds/bundle.yaml
 
 package v1beta1
 
@@ -54,6 +54,9 @@ import (
 	// Used to constraint a ClusterSecretStore to specific namespaces.
 	// Relevant only to ClusterSecretStore
 	conditions?: [...{
+		// Choose namespaces by using regex matching
+		namespaceRegexes?: [...string]
+
 		// Choose namespace using a labelSelector
 		namespaceSelector?: {
 			// matchExpressions is a list of label selector requirements. The
@@ -98,7 +101,7 @@ import (
 	controller?: string
 
 	// Used to configure the provider. Only one provider may be set
-	provider: {
+	provider: struct.MaxFields(1) & {
 		// Akeyless configures this store to sync secrets using Akeyless
 		// Vault provider
 		akeyless?: {
@@ -393,6 +396,9 @@ import (
 			// AWS External ID set on assumed IAM roles
 			externalID?: string
 
+			// Prefix adds a prefix to all retrieved values.
+			prefix?: string
+
 			// AWS Region to be used for the provider
 			region: string
 
@@ -444,10 +450,28 @@ import (
 		// Vault provider
 		azurekv?: {
 			// Auth configures how the operator authenticates with Azure.
-			// Required for ServicePrincipal auth type.
+			// Required for ServicePrincipal auth type. Optional for
+			// WorkloadIdentity.
 			authSecretRef?: {
-				// The Azure clientId of the service principle used for
+				// The Azure ClientCertificate of the service principle used for
 				// authentication.
+				clientCertificate?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+
+				// The Azure clientId of the service principle or managed identity
+				// used for authentication.
 				clientId?: {
 					// The key of the entry in the Secret resource's `data` field to
 					// be used. Some instances of this field may be
@@ -479,6 +503,23 @@ import (
 					// to the namespace of the referent.
 					namespace?: string
 				}
+
+				// The Azure tenantId of the managed identity used for
+				// authentication.
+				tenantId?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
 			}
 
 			// Auth type defines how to authenticate to the keyvault service.
@@ -522,13 +563,225 @@ import (
 			}
 
 			// TenantID configures the Azure Tenant to send requests to.
-			// Required for ServicePrincipal auth type.
+			// Required for ServicePrincipal auth type. Optional for
+			// WorkloadIdentity.
 			tenantId?: string
 
 			// Vault Url from which the secrets to be fetched from.
 			vaultUrl: string
 		}
 
+		// Beyondtrust configures this store to sync secrets using
+		// Password Safe provider.
+		beyondtrust?: {
+			// Auth configures how the operator authenticates with
+			// Beyondtrust.
+			auth: {
+				// Content of the certificate (cert.pem) for use when
+				// authenticating with an OAuth client Id using a Client
+				// Certificate.
+				certificate?: {
+					// SecretRef references a key in a secret that will be used as
+					// value.
+					secretRef?: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+
+					// Value can be specified directly to set a value without using a
+					// secret.
+					value?: string
+				}
+
+				// Certificate private key (key.pem). For use when authenticating
+				// with an OAuth client Id
+				certificateKey?: {
+					// SecretRef references a key in a secret that will be used as
+					// value.
+					secretRef?: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+
+					// Value can be specified directly to set a value without using a
+					// secret.
+					value?: string
+				}
+				clientId: {
+					// SecretRef references a key in a secret that will be used as
+					// value.
+					secretRef?: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+
+					// Value can be specified directly to set a value without using a
+					// secret.
+					value?: string
+				}
+				clientSecret: {
+					// SecretRef references a key in a secret that will be used as
+					// value.
+					secretRef?: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+
+					// Value can be specified directly to set a value without using a
+					// secret.
+					value?: string
+				}
+			}
+
+			// Auth configures how API server works.
+			server: {
+				apiUrl: string
+
+				// Timeout specifies a time limit for requests made by this
+				// Client. The timeout includes connection time, any redirects,
+				// and reading the response body. Defaults to 45 seconds.
+				clientTimeOutSeconds?: int
+
+				// The secret retrieval type. SECRET = Secrets Safe (credential,
+				// text, file). MANAGED_ACCOUNT = Password Safe account
+				// associated with a system.
+				retrievalType?: string
+
+				// A character that separates the folder names.
+				separator?: string
+				verifyCA:   bool
+			}
+		}
+
+		// BitwardenSecretsManager configures this store to sync secrets
+		// using BitwardenSecretsManager provider
+		bitwardensecretsmanager?: {
+			apiURL?: string
+			auth: {
+				secretRef: {
+					// AccessToken used for the bitwarden instance.
+					credentials: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+				}
+			}
+			bitwardenServerSDKURL?: string
+
+			// Base64 encoded certificate for the bitwarden server sdk. The
+			// sdk MUST run with HTTPS to make sure no MITM attack
+			// can be performed.
+			caBundle?: string
+
+			// see:
+			// https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider
+			caProvider?: {
+				// The key where the CA certificate can be found in the Secret or
+				// ConfigMap.
+				key?: string
+
+				// The name of the object located at the provider type.
+				name: string
+
+				// The namespace the Provider type is in.
+				// Can only be defined when used in a ClusterSecretStore.
+				namespace?: string
+
+				// The type of provider to use such as "Secret", or "ConfigMap".
+				type: "Secret" | "ConfigMap"
+			}
+			identityURL?: string
+
+			// OrganizationID determines which organization this secret store
+			// manages.
+			organizationID: string
+
+			// ProjectID determines which project this secret store manages.
+			projectID: string
+		}
+
+		// Chef configures this store to sync secrets with chef server
+		chef?: {
+			auth: {
+				secretRef: {
+					// SecretKey is the Signing Key in PEM format, used for
+					// authentication.
+					privateKeySecretRef: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+				}
+			}
+
+			// ServerURL is the chef server URL used to connect to. If using
+			// orgs you should include your org in the url and terminate the
+			// url with a "/"
+			serverUrl: string
+
+			// UserName should be the user ID on the chef server
+			username: string
+		}
+
 		// Conjur configures this store to sync secrets using conjur
 		// provider
 		conjur?: {
@@ -573,6 +826,11 @@ import (
 				jwt?: {
 					account: string
 
+					// Optional HostID for JWT authentication. This may be used
+					// depending
+					// on how the Conjur JWT authenticator policy is configured.
+					hostId?: string
+
 					// Optional SecretRef that refers to a key in a Secret resource
 					// containing JWT token to
 					// authenticate with Conjur using the JWT authentication method.
@@ -704,6 +962,33 @@ import (
 			urlTemplate?: string
 		}
 
+		// Device42 configures this store to sync secrets using the
+		// Device42 provider
+		device42?: {
+			auth: {
+				secretRef: {
+					// Username / Password is used for authentication.
+					credentials?: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+				}
+			}
+
+			// URL configures the Device42 instance URL.
+			host: string
+		}
+
 		// Doppler configures this store to sync secrets using the Doppler
 		// provider
 		doppler?: {
@@ -757,6 +1042,33 @@ import (
 			}]
 		}
 
+		// Fortanix configures this store to sync secrets using the
+		// Fortanix provider
+		fortanix?: {
+			apiKey?: {
+				// SecretRef is a reference to a secret containing the SDKMS API
+				// Key.
+				secretRef?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+			}
+
+			// APIURL is the URL of SDKMS API. Defaults to
+			// `sdkms.fortanix.com`.
+			apiUrl?: string
+		}
+
 		// GCPSM configures this store to sync secrets using Google Cloud
 		// Platform Secret Manager provider
 		gcpsm?: {
@@ -805,6 +1117,9 @@ import (
 				}
 			}
 
+			// Location optionally defines a location for a secret
+			location?: string
+
 			// ProjectID project where secret is located
 			projectID?: string
 		}
@@ -895,6 +1210,55 @@ import (
 			serviceUrl?: string
 		}
 
+		// Infisical configures this store to sync secrets using the
+		// Infisical provider
+		infisical?: {
+			auth: {
+				universalAuthCredentials?: {
+					// A reference to a specific 'key' within a Secret resource,
+					// In some instances, `key` is a required field.
+					clientId: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+
+					// A reference to a specific 'key' within a Secret resource,
+					// In some instances, `key` is a required field.
+					clientSecret: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+				}
+			}
+			hostAPI?: string | *"https://app.infisical.com/api"
+			secretsScope: {
+				environmentSlug: string
+				projectSlug:     string
+				recursive?:      bool | *false
+				secretsPath?:    string | *"/"
+			}
+		}
+
 		// KeeperSecurity configures this store to sync secrets using the
 		// KeeperSecurity provider
 		keepersecurity?: {
@@ -922,7 +1286,7 @@ import (
 		kubernetes?: {
 			// Auth configures how secret-manager authenticates with a
 			// Kubernetes instance.
-			auth: {
+			auth?: struct.MaxFields(1) & {
 				// has both clientCert and clientKey as secretKeySelector
 				cert?: {
 					// A reference to a specific 'key' within a Secret resource,
@@ -998,6 +1362,22 @@ import (
 				}
 			}
 
+			// A reference to a secret that contains the auth information.
+			authRef?: {
+				// The key of the entry in the Secret resource's `data` field to
+				// be used. Some instances of this field may be
+				// defaulted, in others it may be required.
+				key?: string
+
+				// The name of the Secret resource being referred to.
+				name?: string
+
+				// Namespace of the resource being referred to. Ignored if
+				// referent is not cluster-scoped. cluster-scoped defaults
+				// to the namespace of the referent.
+				namespace?: string
+			}
+
 			// Remote namespace to fetch the secrets from
 			remoteNamespace?: string | *"default"
 
@@ -1029,6 +1409,61 @@ import (
 			}
 		}
 
+		// Onboardbase configures this store to sync secrets using the
+		// Onboardbase provider
+		onboardbase?: {
+			// APIHost use this to configure the host url for the API for
+			// selfhosted installation, default is
+			// https://public.onboardbase.com/api/v1/
+			apiHost: string | *"https://public.onboardbase.com/api/v1/"
+
+			// Auth configures how the Operator authenticates with the
+			// Onboardbase API
+			auth: {
+				// OnboardbaseAPIKey is the APIKey generated by an admin account.
+				// It is used to recognize and authorize access to a project and
+				// environment within onboardbase
+				apiKeyRef: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+
+				// OnboardbasePasscode is the passcode attached to the API Key
+				passcodeRef: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+			}
+
+			// Environment is the name of an environmnent within a project to
+			// pull the secrets from
+			environment: string | *"development"
+
+			// Project is an onboardbase project that the secrets should be
+			// pulled from
+			project: string | *"development"
+		}
+
 		// OnePassword configures this store to sync secrets using the
 		// 1Password Cloud provider
 		onepassword?: {
@@ -1157,6 +1592,149 @@ import (
 			// located.
 			vault: string
 		}
+		passbolt?: {
+			// Auth defines the information necessary to authenticate against
+			// Passbolt Server
+			auth: {
+				// A reference to a specific 'key' within a Secret resource,
+				// In some instances, `key` is a required field.
+				passwordSecretRef: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+
+				// A reference to a specific 'key' within a Secret resource,
+				// In some instances, `key` is a required field.
+				privateKeySecretRef: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+			}
+
+			// Host defines the Passbolt Server to connect to
+			host: string
+		}
+
+		// Configures a store to sync secrets with a Password Depot
+		// instance.
+		passworddepot?: {
+			auth: {
+				secretRef: {
+					// Username / Password is used for authentication.
+					credentials?: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+				}
+			}
+
+			// Database to use as source
+			database: string
+
+			// URL configures the Password Depot instance URL.
+			host: string
+		}
+
+		// Previder configures this store to sync secrets using the
+		// Previder provider
+		previder?: {
+			auth: {
+				secretRef?: {
+					// The AccessToken is used for authentication
+					accessToken: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+				}
+			}
+			baseUri?: string
+		}
+
+		// Pulumi configures this store to sync secrets using the Pulumi
+		// provider
+		pulumi?: {
+			accessToken: {
+				// SecretRef is a reference to a secret containing the Pulumi API
+				// token.
+				secretRef?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+			}
+
+			// APIURL is the URL of the Pulumi API.
+			apiUrl?: string | *"https://api.pulumi.com/api/esc"
+
+			// Environment are YAML documents composed of static key-value
+			// pairs, programmatic expressions,
+			// dynamically retrieved values from supported providers including
+			// all major clouds,
+			// and other Pulumi ESC environments.
+			// To create a new environment, visit
+			// https://www.pulumi.com/docs/esc/environments/ for more
+			// information.
+			environment: string
+
+			// Organization are a space to collaborate on shared projects and
+			// stacks.
+			// To create a new organization, visit https://app.pulumi.com/ and
+			// click "New Organization".
+			organization: string
+
+			// Project is the name of the Pulumi ESC project the environment
+			// belongs to.
+			project: string
+		}
 
 		// Scaleway
 		scaleway?: {
@@ -1221,6 +1799,63 @@ import (
 			}
 		}
 
+		// SecretServer configures this store to sync secrets using
+		// SecretServer provider
+		// https://docs.delinea.com/online-help/secret-server/start.htm
+		secretserver?: {
+			// Password is the secret server account password.
+			password: {
+				// SecretRef references a key in a secret that will be used as
+				// value.
+				secretRef?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+
+				// Value can be specified directly to set a value without using a
+				// secret.
+				value?: string
+			}
+
+			// ServerURL
+			// URL to your secret server installation
+			serverURL: string
+
+			// Username is the secret server account username.
+			username: {
+				// SecretRef references a key in a secret that will be used as
+				// value.
+				secretRef?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+
+				// Value can be specified directly to set a value without using a
+				// secret.
+				value?: string
+			}
+		}
+
 		// Senhasegura configures this store to sync secrets using
 		// senhasegura provider
 		senhasegura?: {
@@ -1631,6 +2266,17 @@ import (
 					username: string
 				}
 
+				// Name of the vault namespace to authenticate to. This can be
+				// different than the namespace your secret is in.
+				// Namespaces is a set of features within Vault Enterprise that
+				// allows
+				// Vault environments to support Secure Multi-tenancy. e.g: "ns1".
+				// More about namespaces can be found here
+				// https://www.vaultproject.io/docs/enterprise/namespaces
+				// This will default to Vault.Namespace field if set, or empty
+				// otherwise
+				namespace?: string
+
 				// TokenSecretRef authenticates with Vault by presenting a token.
 				tokenSecretRef?: {
 					// The key of the entry in the Secret resource's `data` field to
@@ -1716,6 +2362,11 @@ import (
 			// https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
 			forwardInconsistent?: bool
 
+			// Headers to be added in Vault request
+			headers?: {
+				[string]: string
+			}
+
 			// Name of the vault namespace. Namespaces is a set of features
 			// within Vault Enterprise that allows
 			// Vault environments to support Secure Multi-tenancy. e.g: "ns1".

internal/generate/platforms/cue.mod/gen/generators.external-secrets.io/acraccesstoken/v1alpha1/types_gen.cue

@@ -0,0 +1,164 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://raw.githubusercontent.com/external-secrets/external-secrets/v0.10.5/deploy/crds/bundle.yaml
+
+package v1alpha1
+
+import "strings"
+
+// ACRAccessToken returns a Azure Container Registry token
+// that can be used for pushing/pulling images.
+// Note: by default it will return an ACR Refresh Token with full
+// access
+// (depending on the identity).
+// This can be scoped down to the repository level using
+// .spec.scope.
+// In case scope is defined it will return an ACR Access Token.
+//
+// See docs:
+// https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md
+#ACRAccessToken: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object.
+	// Servers should convert recognized schemas to the latest
+	// internal value, and
+	// may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "generators.external-secrets.io/v1alpha1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents.
+	// Servers may infer this from the endpoint the client submits
+	// requests to.
+	// Cannot be updated.
+	// In CamelCase.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "ACRAccessToken"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// ACRAccessTokenSpec defines how to generate the access token
+	// e.g. how to authenticate and which registry to use.
+	// see:
+	// https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview
+	spec!: #ACRAccessTokenSpec
+}
+
+// ACRAccessTokenSpec defines how to generate the access token
+// e.g. how to authenticate and which registry to use.
+// see:
+// https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview
+#ACRAccessTokenSpec: {
+	auth: {
+		managedIdentity?: {
+			// If multiple Managed Identity is assigned to the pod, you can
+			// select the one to be used
+			identityId?: string
+		}
+		servicePrincipal?: {
+			// Configuration used to authenticate with Azure using static
+			// credentials stored in a Kind=Secret.
+			secretRef: {
+				// The Azure clientId of the service principle used for
+				// authentication.
+				clientId?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+
+				// The Azure ClientSecret of the service principle used for
+				// authentication.
+				clientSecret?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+			}
+		}
+		workloadIdentity?: {
+			// ServiceAccountRef specified the service account
+			// that should be used when authenticating with WorkloadIdentity.
+			serviceAccountRef?: {
+				// Audience specifies the `aud` claim for the service account
+				// token
+				// If the service account uses a well-known annotation for e.g.
+				// IRSA or GCP Workload Identity
+				// then this audiences will be appended to the list
+				audiences?: [...string]
+
+				// The name of the ServiceAccount resource being referred to.
+				name: string
+
+				// Namespace of the resource being referred to. Ignored if
+				// referent is not cluster-scoped. cluster-scoped defaults
+				// to the namespace of the referent.
+				namespace?: string
+			}
+		}
+	}
+
+	// EnvironmentType specifies the Azure cloud environment endpoints
+	// to use for
+	// connecting and authenticating with Azure. By default it points
+	// to the public cloud AAD endpoint.
+	// The following endpoints are available, also see here:
+	// https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
+	// PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
+	environmentType?: "PublicCloud" | "USGovernmentCloud" | "ChinaCloud" | "GermanCloud" | *"PublicCloud"
+
+	// the domain name of the ACR registry
+	// e.g. foobarexample.azurecr.io
+	registry: string
+
+	// Define the scope for the access token, e.g. pull/push access
+	// for a repository.
+	// if not provided it will return a refresh token that has full
+	// scope.
+	// Note: you need to pin it down to the repository level, there is
+	// no wildcard available.
+	//
+	// examples:
+	// repository:my-repository:pull,push
+	// repository:my-repository:pull
+	//
+	// see docs for details:
+	// https://docs.docker.com/registry/spec/auth/scope/
+	scope?: string
+
+	// TenantID configures the Azure Tenant to send requests to.
+	// Required for ServicePrincipal auth type.
+	tenantId?: string
+}

internal/generate/platforms/cue.mod/gen/generators.external-secrets.io/ecrauthorizationtoken/v1alpha1/types_gen.cue

@@ -0,0 +1,142 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://raw.githubusercontent.com/external-secrets/external-secrets/v0.10.5/deploy/crds/bundle.yaml
+
+package v1alpha1
+
+import "strings"
+
+// ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to
+// retrieve an
+// authorization token.
+// The authorization token is valid for 12 hours.
+// The authorizationToken returned is a base64 encoded string that
+// can be decoded
+// and used in a docker login command to authenticate to a
+// registry.
+// For more information, see Registry authentication
+// (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth)
+// in the Amazon Elastic Container Registry User Guide.
+#ECRAuthorizationToken: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object.
+	// Servers should convert recognized schemas to the latest
+	// internal value, and
+	// may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "generators.external-secrets.io/v1alpha1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents.
+	// Servers may infer this from the endpoint the client submits
+	// requests to.
+	// Cannot be updated.
+	// In CamelCase.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "ECRAuthorizationToken"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+	spec!: #ECRAuthorizationTokenSpec
+}
+#ECRAuthorizationTokenSpec: {
+	// Auth defines how to authenticate with AWS
+	auth?: {
+		jwt?: {
+			// A reference to a ServiceAccount resource.
+			serviceAccountRef?: {
+				// Audience specifies the `aud` claim for the service account
+				// token
+				// If the service account uses a well-known annotation for e.g.
+				// IRSA or GCP Workload Identity
+				// then this audiences will be appended to the list
+				audiences?: [...string]
+
+				// The name of the ServiceAccount resource being referred to.
+				name: string
+
+				// Namespace of the resource being referred to. Ignored if
+				// referent is not cluster-scoped. cluster-scoped defaults
+				// to the namespace of the referent.
+				namespace?: string
+			}
+		}
+
+		// AWSAuthSecretRef holds secret references for AWS credentials
+		// both AccessKeyID and SecretAccessKey must be defined in order
+		// to properly authenticate.
+		secretRef?: {
+			// The AccessKeyID is used for authentication
+			accessKeyIDSecretRef?: {
+				// The key of the entry in the Secret resource's `data` field to
+				// be used. Some instances of this field may be
+				// defaulted, in others it may be required.
+				key?: string
+
+				// The name of the Secret resource being referred to.
+				name?: string
+
+				// Namespace of the resource being referred to. Ignored if
+				// referent is not cluster-scoped. cluster-scoped defaults
+				// to the namespace of the referent.
+				namespace?: string
+			}
+
+			// The SecretAccessKey is used for authentication
+			secretAccessKeySecretRef?: {
+				// The key of the entry in the Secret resource's `data` field to
+				// be used. Some instances of this field may be
+				// defaulted, in others it may be required.
+				key?: string
+
+				// The name of the Secret resource being referred to.
+				name?: string
+
+				// Namespace of the resource being referred to. Ignored if
+				// referent is not cluster-scoped. cluster-scoped defaults
+				// to the namespace of the referent.
+				namespace?: string
+			}
+
+			// The SessionToken used for authentication
+			// This must be defined if AccessKeyID and SecretAccessKey are
+			// temporary credentials
+			// see:
+			// https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
+			sessionTokenSecretRef?: {
+				// The key of the entry in the Secret resource's `data` field to
+				// be used. Some instances of this field may be
+				// defaulted, in others it may be required.
+				key?: string
+
+				// The name of the Secret resource being referred to.
+				name?: string
+
+				// Namespace of the resource being referred to. Ignored if
+				// referent is not cluster-scoped. cluster-scoped defaults
+				// to the namespace of the referent.
+				namespace?: string
+			}
+		}
+	}
+
+	// Region specifies the region to operate in.
+	region: string
+
+	// You can assume a role before making calls to the
+	// desired AWS service.
+	role?: string
+}

internal/generate/platforms/cue.mod/gen/generators.external-secrets.io/fake/v1alpha1/types_gen.cue

@@ -0,0 +1,62 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://raw.githubusercontent.com/external-secrets/external-secrets/v0.10.5/deploy/crds/bundle.yaml
+
+package v1alpha1
+
+import "strings"
+
+// Fake generator is used for testing. It lets you define
+// a static set of credentials that is always returned.
+#Fake: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object.
+	// Servers should convert recognized schemas to the latest
+	// internal value, and
+	// may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "generators.external-secrets.io/v1alpha1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents.
+	// Servers may infer this from the endpoint the client submits
+	// requests to.
+	// Cannot be updated.
+	// In CamelCase.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Fake"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// FakeSpec contains the static data.
+	spec!: #FakeSpec
+}
+
+// FakeSpec contains the static data.
+#FakeSpec: {
+	// Used to select the correct ESO controller (think:
+	// ingress.ingressClassName)
+	// The ESO controller is instantiated with a specific controller
+	// name and filters VDS based on this property
+	controller?: string
+
+	// Data defines the static data returned
+	// by this generator.
+	data?: {
+		[string]: string
+	}
+}

internal/generate/platforms/cue.mod/gen/generators.external-secrets.io/gcraccesstoken/v1alpha1/types_gen.cue

@@ -0,0 +1,93 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://raw.githubusercontent.com/external-secrets/external-secrets/v0.10.5/deploy/crds/bundle.yaml
+
+package v1alpha1
+
+import "strings"
+
+// GCRAccessToken generates an GCP access token
+// that can be used to authenticate with GCR.
+#GCRAccessToken: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object.
+	// Servers should convert recognized schemas to the latest
+	// internal value, and
+	// may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "generators.external-secrets.io/v1alpha1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents.
+	// Servers may infer this from the endpoint the client submits
+	// requests to.
+	// Cannot be updated.
+	// In CamelCase.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "GCRAccessToken"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+	spec!: #GCRAccessTokenSpec
+}
+#GCRAccessTokenSpec: {
+	// Auth defines the means for authenticating with GCP
+	auth: {
+		secretRef?: {
+			// The SecretAccessKey is used for authentication
+			secretAccessKeySecretRef?: {
+				// The key of the entry in the Secret resource's `data` field to
+				// be used. Some instances of this field may be
+				// defaulted, in others it may be required.
+				key?: string
+
+				// The name of the Secret resource being referred to.
+				name?: string
+
+				// Namespace of the resource being referred to. Ignored if
+				// referent is not cluster-scoped. cluster-scoped defaults
+				// to the namespace of the referent.
+				namespace?: string
+			}
+		}
+		workloadIdentity?: {
+			clusterLocation:   string
+			clusterName:       string
+			clusterProjectID?: string
+
+			// A reference to a ServiceAccount resource.
+			serviceAccountRef: {
+				// Audience specifies the `aud` claim for the service account
+				// token
+				// If the service account uses a well-known annotation for e.g.
+				// IRSA or GCP Workload Identity
+				// then this audiences will be appended to the list
+				audiences?: [...string]
+
+				// The name of the ServiceAccount resource being referred to.
+				name: string
+
+				// Namespace of the resource being referred to. Ignored if
+				// referent is not cluster-scoped. cluster-scoped defaults
+				// to the namespace of the referent.
+				namespace?: string
+			}
+		}
+	}
+
+	// ProjectID defines which project to use to authenticate with
+	projectID: string
+}

internal/generate/platforms/cue.mod/gen/generators.external-secrets.io/githubaccesstoken/v1alpha1/types_gen.cue

@@ -0,0 +1,72 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://raw.githubusercontent.com/external-secrets/external-secrets/v0.10.5/deploy/crds/bundle.yaml
+
+package v1alpha1
+
+import "strings"
+
+// GithubAccessToken generates ghs_ accessToken
+#GithubAccessToken: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object.
+	// Servers should convert recognized schemas to the latest
+	// internal value, and
+	// may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "generators.external-secrets.io/v1alpha1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents.
+	// Servers may infer this from the endpoint the client submits
+	// requests to.
+	// Cannot be updated.
+	// In CamelCase.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "GithubAccessToken"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+	spec!: #GithubAccessTokenSpec
+}
+#GithubAccessTokenSpec: {
+	appID: string
+	auth: {
+		privateKey: {
+			// A reference to a specific 'key' within a Secret resource,
+			// In some instances, `key` is a required field.
+			secretRef: {
+				// The key of the entry in the Secret resource's `data` field to
+				// be used. Some instances of this field may be
+				// defaulted, in others it may be required.
+				key?: string
+
+				// The name of the Secret resource being referred to.
+				name?: string
+
+				// Namespace of the resource being referred to. Ignored if
+				// referent is not cluster-scoped. cluster-scoped defaults
+				// to the namespace of the referent.
+				namespace?: string
+			}
+		}
+	}
+	installID: string
+
+	// URL configures the Github instance URL. Defaults to
+	// https://github.com/.
+	url?: string
+}

internal/generate/platforms/cue.mod/gen/generators.external-secrets.io/password/v1alpha1/types_gen.cue

@@ -0,0 +1,77 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://raw.githubusercontent.com/external-secrets/external-secrets/v0.10.5/deploy/crds/bundle.yaml
+
+package v1alpha1
+
+import "strings"
+
+// Password generates a random password based on the
+// configuration parameters in spec.
+// You can specify the length, characterset and other attributes.
+#Password: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object.
+	// Servers should convert recognized schemas to the latest
+	// internal value, and
+	// may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "generators.external-secrets.io/v1alpha1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents.
+	// Servers may infer this from the endpoint the client submits
+	// requests to.
+	// Cannot be updated.
+	// In CamelCase.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Password"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// PasswordSpec controls the behavior of the password generator.
+	spec!: #PasswordSpec
+}
+
+// PasswordSpec controls the behavior of the password generator.
+#PasswordSpec: {
+	// set AllowRepeat to true to allow repeating characters.
+	allowRepeat: bool | *false
+
+	// Digits specifies the number of digits in the generated
+	// password. If omitted it defaults to 25% of the length of the
+	// password
+	digits?: int
+
+	// Length of the password to be generated.
+	// Defaults to 24
+	length: int | *24
+
+	// Set NoUpper to disable uppercase characters
+	noUpper: bool | *false
+
+	// SymbolCharacters specifies the special characters that should
+	// be used
+	// in the generated password.
+	symbolCharacters?: string
+
+	// Symbols specifies the number of symbol characters in the
+	// generated
+	// password. If omitted it defaults to 25% of the length of the
+	// password
+	symbols?: int
+}

internal/generate/platforms/cue.mod/gen/generators.external-secrets.io/uuid/v1alpha1/types_gen.cue

@@ -0,0 +1,50 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://raw.githubusercontent.com/external-secrets/external-secrets/v0.10.5/deploy/crds/bundle.yaml
+
+package v1alpha1
+
+import "strings"
+
+// UUID generates a version 1 UUID
+// (e56657e3-764f-11ef-a397-65231a88c216).
+#UUID: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object.
+	// Servers should convert recognized schemas to the latest
+	// internal value, and
+	// may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "generators.external-secrets.io/v1alpha1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents.
+	// Servers may infer this from the endpoint the client submits
+	// requests to.
+	// Cannot be updated.
+	// In CamelCase.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "UUID"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// UUIDSpec controls the behavior of the uuid generator.
+	spec!: #UUIDSpec
+}
+
+// UUIDSpec controls the behavior of the uuid generator.
+#UUIDSpec: {}

internal/generate/platforms/cue.mod/gen/generators.external-secrets.io/vaultdynamicsecret/v1alpha1/types_gen.cue

@@ -0,0 +1,625 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://raw.githubusercontent.com/external-secrets/external-secrets/v0.10.5/deploy/crds/bundle.yaml
+
+package v1alpha1
+
+import "strings"
+
+#VaultDynamicSecret: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object.
+	// Servers should convert recognized schemas to the latest
+	// internal value, and
+	// may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "generators.external-secrets.io/v1alpha1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents.
+	// Servers may infer this from the endpoint the client submits
+	// requests to.
+	// Cannot be updated.
+	// In CamelCase.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "VaultDynamicSecret"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+	spec!: #VaultDynamicSecretSpec
+}
+#VaultDynamicSecretSpec: {
+	// Used to select the correct ESO controller (think:
+	// ingress.ingressClassName)
+	// The ESO controller is instantiated with a specific controller
+	// name and filters VDS based on this property
+	controller?: string
+
+	// Vault API method to use (GET/POST/other)
+	method?: string
+
+	// Parameters to pass to Vault write (for non-GET methods)
+	parameters?: _
+
+	// Vault path to obtain the dynamic secret from
+	path: string
+
+	// Vault provider common spec
+	provider: {
+		// Auth configures how secret-manager authenticates with the Vault
+		// server.
+		auth: {
+			// AppRole authenticates with Vault using the App Role auth
+			// mechanism,
+			// with the role and secret stored in a Kubernetes Secret
+			// resource.
+			appRole?: {
+				// Path where the App Role authentication backend is mounted
+				// in Vault, e.g: "approle"
+				path: string | *"approle"
+
+				// RoleID configured in the App Role authentication backend when
+				// setting
+				// up the authentication backend in Vault.
+				roleId?: string
+
+				// Reference to a key in a Secret that contains the App Role ID
+				// used
+				// to authenticate with Vault.
+				// The `key` field must be specified and denotes which entry
+				// within the Secret
+				// resource is used as the app role id.
+				roleRef?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+
+				// Reference to a key in a Secret that contains the App Role
+				// secret used
+				// to authenticate with Vault.
+				// The `key` field must be specified and denotes which entry
+				// within the Secret
+				// resource is used as the app role secret.
+				secretRef: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+			}
+
+			// Cert authenticates with TLS Certificates by passing client
+			// certificate, private key and ca certificate
+			// Cert authentication method
+			cert?: {
+				// ClientCert is a certificate to authenticate using the Cert
+				// Vault
+				// authentication method
+				clientCert?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+
+				// SecretRef to a key in a Secret resource containing client
+				// private key to
+				// authenticate with Vault using the Cert authentication method
+				secretRef?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+			}
+
+			// Iam authenticates with vault by passing a special AWS request
+			// signed with AWS IAM credentials
+			// AWS IAM authentication method
+			iam?: {
+				// AWS External ID set on assumed IAM roles
+				externalID?: string
+				jwt?: {
+					// A reference to a ServiceAccount resource.
+					serviceAccountRef?: {
+						// Audience specifies the `aud` claim for the service account
+						// token
+						// If the service account uses a well-known annotation for e.g.
+						// IRSA or GCP Workload Identity
+						// then this audiences will be appended to the list
+						audiences?: [...string]
+
+						// The name of the ServiceAccount resource being referred to.
+						name: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+				}
+
+				// Path where the AWS auth method is enabled in Vault, e.g: "aws"
+				path?: string
+
+				// AWS region
+				region?: string
+
+				// This is the AWS role to be assumed before talking to vault
+				role?: string
+
+				// Specify credentials in a Secret object
+				secretRef?: {
+					// The AccessKeyID is used for authentication
+					accessKeyIDSecretRef?: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+
+					// The SecretAccessKey is used for authentication
+					secretAccessKeySecretRef?: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+
+					// The SessionToken used for authentication
+					// This must be defined if AccessKeyID and SecretAccessKey are
+					// temporary credentials
+					// see:
+					// https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
+					sessionTokenSecretRef?: {
+						// The key of the entry in the Secret resource's `data` field to
+						// be used. Some instances of this field may be
+						// defaulted, in others it may be required.
+						key?: string
+
+						// The name of the Secret resource being referred to.
+						name?: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+				}
+
+				// X-Vault-AWS-IAM-Server-ID is an additional header used by Vault
+				// IAM auth method to mitigate against different types of replay
+				// attacks. More details here:
+				// https://developer.hashicorp.com/vault/docs/auth/aws
+				vaultAwsIamServerID?: string
+
+				// Vault Role. In vault, a role describes an identity with a set
+				// of permissions, groups, or policies you want to attach a user
+				// of the secrets engine
+				vaultRole: string
+			}
+
+			// Jwt authenticates with Vault by passing role and JWT token
+			// using the
+			// JWT/OIDC authentication method
+			jwt?: {
+				// Optional ServiceAccountToken specifies the Kubernetes service
+				// account for which to request
+				// a token for with the `TokenRequest` API.
+				kubernetesServiceAccountToken?: {
+					// Optional audiences field that will be used to request a
+					// temporary Kubernetes service
+					// account token for the service account referenced by
+					// `serviceAccountRef`.
+					// Defaults to a single audience `vault` it not specified.
+					// Deprecated: use serviceAccountRef.Audiences instead
+					audiences?: [...string]
+
+					// Optional expiration time in seconds that will be used to
+					// request a temporary
+					// Kubernetes service account token for the service account
+					// referenced by
+					// `serviceAccountRef`.
+					// Deprecated: this will be removed in the future.
+					// Defaults to 10 minutes.
+					expirationSeconds?: int
+
+					// Service account field containing the name of a kubernetes
+					// ServiceAccount.
+					serviceAccountRef: {
+						// Audience specifies the `aud` claim for the service account
+						// token
+						// If the service account uses a well-known annotation for e.g.
+						// IRSA or GCP Workload Identity
+						// then this audiences will be appended to the list
+						audiences?: [...string]
+
+						// The name of the ServiceAccount resource being referred to.
+						name: string
+
+						// Namespace of the resource being referred to. Ignored if
+						// referent is not cluster-scoped. cluster-scoped defaults
+						// to the namespace of the referent.
+						namespace?: string
+					}
+				}
+
+				// Path where the JWT authentication backend is mounted
+				// in Vault, e.g: "jwt"
+				path: string | *"jwt"
+
+				// Role is a JWT role to authenticate using the JWT/OIDC Vault
+				// authentication method
+				role?: string
+
+				// Optional SecretRef that refers to a key in a Secret resource
+				// containing JWT token to
+				// authenticate with Vault using the JWT/OIDC authentication
+				// method.
+				secretRef?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+			}
+
+			// Kubernetes authenticates with Vault by passing the
+			// ServiceAccount
+			// token stored in the named Secret resource to the Vault server.
+			kubernetes?: {
+				// Path where the Kubernetes authentication backend is mounted in
+				// Vault, e.g:
+				// "kubernetes"
+				mountPath: string | *"kubernetes"
+
+				// A required field containing the Vault Role to assume. A Role
+				// binds a
+				// Kubernetes ServiceAccount with a set of Vault policies.
+				role: string
+
+				// Optional secret field containing a Kubernetes ServiceAccount
+				// JWT used
+				// for authenticating with Vault. If a name is specified without a
+				// key,
+				// `token` is the default. If one is not specified, the one bound
+				// to
+				// the controller will be used.
+				secretRef?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+
+				// Optional service account field containing the name of a
+				// kubernetes ServiceAccount.
+				// If the service account is specified, the service account secret
+				// token JWT will be used
+				// for authenticating with Vault. If the service account selector
+				// is not supplied,
+				// the secretRef will be used instead.
+				serviceAccountRef?: {
+					// Audience specifies the `aud` claim for the service account
+					// token
+					// If the service account uses a well-known annotation for e.g.
+					// IRSA or GCP Workload Identity
+					// then this audiences will be appended to the list
+					audiences?: [...string]
+
+					// The name of the ServiceAccount resource being referred to.
+					name: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+			}
+
+			// Ldap authenticates with Vault by passing username/password pair
+			// using
+			// the LDAP authentication method
+			ldap?: {
+				// Path where the LDAP authentication backend is mounted
+				// in Vault, e.g: "ldap"
+				path: string | *"ldap"
+
+				// SecretRef to a key in a Secret resource containing password for
+				// the LDAP
+				// user used to authenticate with Vault using the LDAP
+				// authentication
+				// method
+				secretRef?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+
+				// Username is a LDAP user name used to authenticate using the
+				// LDAP Vault
+				// authentication method
+				username: string
+			}
+
+			// Name of the vault namespace to authenticate to. This can be
+			// different than the namespace your secret is in.
+			// Namespaces is a set of features within Vault Enterprise that
+			// allows
+			// Vault environments to support Secure Multi-tenancy. e.g: "ns1".
+			// More about namespaces can be found here
+			// https://www.vaultproject.io/docs/enterprise/namespaces
+			// This will default to Vault.Namespace field if set, or empty
+			// otherwise
+			namespace?: string
+
+			// TokenSecretRef authenticates with Vault by presenting a token.
+			tokenSecretRef?: {
+				// The key of the entry in the Secret resource's `data` field to
+				// be used. Some instances of this field may be
+				// defaulted, in others it may be required.
+				key?: string
+
+				// The name of the Secret resource being referred to.
+				name?: string
+
+				// Namespace of the resource being referred to. Ignored if
+				// referent is not cluster-scoped. cluster-scoped defaults
+				// to the namespace of the referent.
+				namespace?: string
+			}
+
+			// UserPass authenticates with Vault by passing username/password
+			// pair
+			userPass?: {
+				// Path where the UserPassword authentication backend is mounted
+				// in Vault, e.g: "user"
+				path: string | *"user"
+
+				// SecretRef to a key in a Secret resource containing password for
+				// the
+				// user used to authenticate with Vault using the UserPass
+				// authentication
+				// method
+				secretRef?: {
+					// The key of the entry in the Secret resource's `data` field to
+					// be used. Some instances of this field may be
+					// defaulted, in others it may be required.
+					key?: string
+
+					// The name of the Secret resource being referred to.
+					name?: string
+
+					// Namespace of the resource being referred to. Ignored if
+					// referent is not cluster-scoped. cluster-scoped defaults
+					// to the namespace of the referent.
+					namespace?: string
+				}
+
+				// Username is a user name used to authenticate using the UserPass
+				// Vault
+				// authentication method
+				username: string
+			}
+		}
+
+		// PEM encoded CA bundle used to validate Vault server
+		// certificate. Only used
+		// if the Server URL is using HTTPS protocol. This parameter is
+		// ignored for
+		// plain HTTP protocol connection. If not set the system root
+		// certificates
+		// are used to validate the TLS connection.
+		caBundle?: string
+
+		// The provider for the CA bundle to use to validate Vault server
+		// certificate.
+		caProvider?: {
+			// The key where the CA certificate can be found in the Secret or
+			// ConfigMap.
+			key?: string
+
+			// The name of the object located at the provider type.
+			name: string
+
+			// The namespace the Provider type is in.
+			// Can only be defined when used in a ClusterSecretStore.
+			namespace?: string
+
+			// The type of provider to use such as "Secret", or "ConfigMap".
+			type: "Secret" | "ConfigMap"
+		}
+
+		// ForwardInconsistent tells Vault to forward read-after-write
+		// requests to the Vault
+		// leader instead of simply retrying within a loop. This can
+		// increase performance if
+		// the option is enabled serverside.
+		// https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
+		forwardInconsistent?: bool
+
+		// Headers to be added in Vault request
+		headers?: {
+			[string]: string
+		}
+
+		// Name of the vault namespace. Namespaces is a set of features
+		// within Vault Enterprise that allows
+		// Vault environments to support Secure Multi-tenancy. e.g: "ns1".
+		// More about namespaces can be found here
+		// https://www.vaultproject.io/docs/enterprise/namespaces
+		namespace?: string
+
+		// Path is the mount path of the Vault KV backend endpoint, e.g:
+		// "secret". The v2 KV secret engine version specific "/data" path
+		// suffix
+		// for fetching secrets from Vault is optional and will be
+		// appended
+		// if not present in specified path.
+		path?: string
+
+		// ReadYourWrites ensures isolated read-after-write semantics by
+		// providing discovered cluster replication states in each
+		// request.
+		// More information about eventual consistency in Vault can be
+		// found here
+		// https://www.vaultproject.io/docs/enterprise/consistency
+		readYourWrites?: bool
+
+		// Server is the connection address for the Vault server, e.g:
+		// "https://vault.example.com:8200".
+		server: string
+
+		// The configuration used for client side related TLS
+		// communication, when the Vault server
+		// requires mutual authentication. Only used if the Server URL is
+		// using HTTPS protocol.
+		// This parameter is ignored for plain HTTP protocol connection.
+		// It's worth noting this configuration is different from the "TLS
+		// certificates auth method",
+		// which is available under the `auth.cert` section.
+		tls?: {
+			// CertSecretRef is a certificate added to the transport layer
+			// when communicating with the Vault server.
+			// If no key for the Secret is specified, external-secret will
+			// default to 'tls.crt'.
+			certSecretRef?: {
+				// The key of the entry in the Secret resource's `data` field to
+				// be used. Some instances of this field may be
+				// defaulted, in others it may be required.
+				key?: string
+
+				// The name of the Secret resource being referred to.
+				name?: string
+
+				// Namespace of the resource being referred to. Ignored if
+				// referent is not cluster-scoped. cluster-scoped defaults
+				// to the namespace of the referent.
+				namespace?: string
+			}
+
+			// KeySecretRef to a key in a Secret resource containing client
+			// private key
+			// added to the transport layer when communicating with the Vault
+			// server.
+			// If no key for the Secret is specified, external-secret will
+			// default to 'tls.key'.
+			keySecretRef?: {
+				// The key of the entry in the Secret resource's `data` field to
+				// be used. Some instances of this field may be
+				// defaulted, in others it may be required.
+				key?: string
+
+				// The name of the Secret resource being referred to.
+				name?: string
+
+				// Namespace of the resource being referred to. Ignored if
+				// referent is not cluster-scoped. cluster-scoped defaults
+				// to the namespace of the referent.
+				namespace?: string
+			}
+		}
+
+		// Version is the Vault KV secret engine version. This can be
+		// either "v1" or
+		// "v2". Version defaults to "v2".
+		version?: "v1" | "v2" | *"v2"
+	}
+
+	// Result type defines which data is returned from the generator.
+	// By default it is the "data" section of the Vault API response.
+	// When using e.g. /auth/token/create the "data" section is empty
+	// but
+	// the "auth" section contains the generated token.
+	// Please refer to the vault docs regarding the result data
+	// structure.
+	resultType?: "Data" | "Auth" | *"Data"
+}

internal/generate/platforms/cue.mod/gen/generators.external-secrets.io/webhook/v1alpha1/types_gen.cue

@@ -0,0 +1,123 @@
+// Code generated by timoni. DO NOT EDIT.
+
+//timoni:generate timoni vendor crd -f https://raw.githubusercontent.com/external-secrets/external-secrets/v0.10.5/deploy/crds/bundle.yaml
+
+package v1alpha1
+
+import "strings"
+
+// Webhook connects to a third party API server to handle the
+// secrets generation
+// configuration parameters in spec.
+// You can specify the server, the token, and additional body
+// parameters.
+// See documentation for the full API specification for requests
+// and responses.
+#Webhook: {
+	// APIVersion defines the versioned schema of this representation
+	// of an object.
+	// Servers should convert recognized schemas to the latest
+	// internal value, and
+	// may reject unrecognized values.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+	apiVersion: "generators.external-secrets.io/v1alpha1"
+
+	// Kind is a string value representing the REST resource this
+	// object represents.
+	// Servers may infer this from the endpoint the client submits
+	// requests to.
+	// Cannot be updated.
+	// In CamelCase.
+	// More info:
+	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	kind: "Webhook"
+	metadata!: {
+		name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
+			string
+		}
+		namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
+			string
+		}
+		labels?: {
+			[string]: string
+		}
+		annotations?: {
+			[string]: string
+		}
+	}
+
+	// WebhookSpec controls the behavior of the external generator.
+	// Any body parameters should be passed to the server through the
+	// parameters field.
+	spec!: #WebhookSpec
+}
+
+// WebhookSpec controls the behavior of the external generator.
+// Any body parameters should be passed to the server through the
+// parameters field.
+#WebhookSpec: {
+	// Body
+	body?: string
+
+	// PEM encoded CA bundle used to validate webhook server
+	// certificate. Only used
+	// if the Server URL is using HTTPS protocol. This parameter is
+	// ignored for
+	// plain HTTP protocol connection. If not set the system root
+	// certificates
+	// are used to validate the TLS connection.
+	caBundle?: string
+
+	// The provider for the CA bundle to use to validate webhook
+	// server certificate.
+	caProvider?: {
+		// The key the value inside of the provider type to use, only used
+		// with "Secret" type
+		key?: string
+
+		// The name of the object located at the provider type.
+		name: string
+
+		// The namespace the Provider type is in.
+		namespace?: string
+
+		// The type of provider to use such as "Secret", or "ConfigMap".
+		type: "Secret" | "ConfigMap"
+	}
+
+	// Headers
+	headers?: {
+		[string]: string
+	}
+
+	// Webhook Method
+	method?: string
+	result: {
+		// Json path of return value
+		jsonPath?: string
+	}
+
+	// Secrets to fill in templates
+	// These secrets will be passed to the templating function as key
+	// value pairs under the given name
+	secrets?: [...{
+		// Name of this secret in templates
+		name: string
+
+		// Secret ref to fill in credentials
+		secretRef: {
+			// The key where the token is found.
+			key?: string
+
+			// The name of the Secret resource being referred to.
+			name?: string
+		}
+	}]
+
+	// Timeout
+	timeout?: string
+
+	// Webhook url to call
+	url: string
+}

internal/generate/platforms/cue.mod/gen/github.com/holos-run/holos/api/author/v1alpha5/definitions_go_gen.cue

@@ -92,6 +92,12 @@ import "github.com/holos-run/holos/api/core/v1alpha5:core"
 	// Namespace sets the helm chart namespace flag if provided.
 	Namespace?: string
 
+	// APIVersions represents the helm template --api-versions flag
+	APIVersions?: [...string] @go(,[]string)
+
+	// KubeVersion represents the helm template --kube-version flag
+	KubeVersion?: string
+
 	// BuildPlan represents the derived BuildPlan produced for the holos render
 	// component command.
 	BuildPlan: core.#BuildPlan

internal/generate/platforms/cue.mod/gen/github.com/holos-run/holos/api/core/v1alpha5/types_go_gen.cue

@@ -147,6 +147,12 @@ package core
 
 	// Namespace represents the helm namespace flag
 	namespace?: string @go(Namespace)
+
+	// APIVersions represents the helm template --api-versions flag
+	apiVersions?: [...string] @go(APIVersions,[]string)
+
+	// KubeVersion represents the helm template --kube-version flag
+	kubeVersion?: string @go(KubeVersion)
 }
 
 // Values represents [Helm] Chart values generated from CUE.

internal/generate/platforms/cue.mod/pkg/github.com/holos-run/holos/api/author/v1alpha5/definitions.cue

@@ -106,9 +106,11 @@ import (
 		name:    string | *Name
 		release: string | *name
 	}
-	Values:      _
-	EnableHooks: _
-	Namespace?:  _
+	Values:       _
+	EnableHooks:  _
+	Namespace?:   _
+	APIVersions?: _
+	KubeVersion?: _
 
 	Artifacts: {
 		HolosComponent: {
@@ -134,6 +136,12 @@ import (
 						if Namespace != _|_ {
 							namespace: Namespace
 						}
+						if APIVersions != _|_ {
+							apiVersions: APIVersions
+						}
+						if KubeVersion != _|_ {
+							kubeVersion: KubeVersion
+						}
 					}
 				},
 				{

internal/holos/types.go

@@ -31,6 +31,7 @@ type feature string
 
 const BuildFeature = feature("BUILD")
 const ServerFeature = feature("SERVER")
+const ClientFeature = feature("CLIENT")
 const PreflightFeature = feature("PREFLIGHT")
 const GenerateComponentFeature = feature("GENERATE_COMPONENT")
 const SecretsFeature = feature("SECRETS")

version/embedded/minor

@@ -1 +1 @@
-98
+99

version/embedded/patch

@@ -1 +1 @@
-1
+3