Merge pull request #194 from stefanprodan/release-v6.1.4

Release v6.1.4
2026-04-07 03:26:54 +00:00 · 2022-04-18 10:00:06 +03:00 · 2022-04-18 09:56:02 +03:00 · 2022-04-18 09:54:32 +03:00 · 2022-04-18 09:49:42 +03:00 · 2022-04-18 09:44:21 +03:00
164 changed files with 7521 additions and 1383 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -1,112 +0,0 @@
-version: 2.1
-jobs:
-  e2e-kubernetes:
-    machine: true
-    steps:
-      - checkout
-      - run:
-          name: Build podinfo container
-          command: e2e/build.sh
-      - run:
-          name: Start Kubernetes Kind cluster
-          command: e2e/bootstrap.sh
-      - run:
-          name: Install podinfo with Helm
-          command: e2e/install.sh
-      - run:
-          name: Run Helm tests
-          command: e2e/test.sh
-
-  push-container:
-    docker:
-      - image: circleci/golang:1.12
-    working_directory: ~/build
-    steps:
-      - checkout
-      - setup_remote_docker:
-          docker_layer_caching: true
-      - run: make build-container
-      - run: |
-          if [ -z "$CIRCLE_TAG" ]; then
-            echo "Not a release, skipping container push";
-          else
-            echo $DOCKER_PASS | docker login -u $DOCKER_USER --password-stdin;
-            echo $QUAY_PASS | docker login -u $QUAY_USER --password-stdin quay.io;
-            make push-container;
-          fi
-
-  push-binary:
-    docker:
-      - image: circleci/golang:1.12
-    steps:
-      - checkout
-      - run: curl -sL https://git.io/goreleaser | bash
-
-  push-helm-charts:
-    docker:
-      - image: circleci/golang:1.12
-    steps:
-      - checkout
-      - run:
-          name: Install kubectl
-          command: sudo curl -L https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl -o /usr/local/bin/kubectl && sudo chmod +x /usr/local/bin/kubectl
-      - run:
-          name: Install helm
-          command: sudo curl -L https://storage.googleapis.com/kubernetes-helm/helm-v2.14.2-linux-amd64.tar.gz | tar xz && sudo mv linux-amd64/helm /bin/helm && sudo rm -rf linux-amd64
-      - run:
-          name: Initialize helm
-          command:  helm init --client-only --kubeconfig=$HOME/.kube/kubeconfig
-      - run:
-          name: Lint charts
-          command: |
-            helm lint ./charts/*
-      - run:
-          name: Package charts
-          command: |
-            mkdir $HOME/charts
-            helm package ./charts/* --destination $HOME/charts
-      - run:
-          name: Publish charts
-          command: |
-            if echo "${CIRCLE_TAG}" | grep -Eq "[0-9]+(\.[0-9]+)*(-[a-z]+)?$"; then
-              REPOSITORY="https://stefanprodan:${GITHUB_TOKEN}@github.com/stefanprodan/podinfo.git"
-              git config user.email stefanprodan@users.noreply.github.com
-              git config user.name stefanprodan
-              git remote set-url origin ${REPOSITORY}
-              git checkout gh-pages
-              mv -f $HOME/charts/*.tgz .
-              helm repo index . --url https://stefanprodan.github.io/podinfo
-              git add .
-              git commit -m "Publish Helm charts v${CIRCLE_TAG}"
-              git push origin gh-pages
-            else
-              echo "Not a release! Skip charts publish"
-            fi
-
-workflows:
-  version: 2
-  build-test:
-    jobs:
-      - e2e-kubernetes
-  release:
-    jobs:
-      - push-binary:
-          filters:
-            branches:
-              ignore: /.*/
-            tags:
-              ignore: /^chart.*/
-      - push-container:
-          filters:
-            branches:
-              ignore: /.*/
-            tags:
-              ignore: /^chart.*/
-      - push-helm-charts:
-          requires:
-            - push-container
-          filters:
-            branches:
-              ignore: /.*/
-            tags:
-              ignore: /^chart.*/
--- a/.cosign/README.md
+++ b/.cosign/README.md
@@ -0,0 +1,39 @@
+# Podinfo signed releases
+
+Podinfo deployment manifests are published to GitHub Container Registry as OCI artifacts
+and are signed using [cosign](https://github.com/sigstore/cosign).
+
+## Verify the artifacts with cosign
+
+Install the [cosign](https://github.com/sigstore/cosign) CLI:
+
+```sh
+brew install sigstore/tap/cosign
+```
+
+Verify a podinfo release with cosign CLI:
+
+```sh
+cosign verify -key https://raw.githubusercontent.com/stefanprodan/podinfo/master/cosign/cosign.pub \
+ghcr.io/stefanprodan/podinfo-deploy:latest
+```
+
+## Download the artifacts with crane
+
+Install the [crane](https://github.com/google/go-containerregistry/tree/main/cmd/crane) CLI:
+
+```sh
+brew install crane
+```
+
+Download the podinfo deployment manifests with crane CLI:
+
+```console
+$ crane export ghcr.io/stefanprodan/podinfo-deploy:latest -| tar -xf - 
+
+$ ls -1
+deployment.yaml
+hpa.yaml
+kustomization.yaml
+service.yaml
+```
--- a/.cosign/cosign.pub
+++ b/.cosign/cosign.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEST+BqQ1XZhhVYx0YWQjdUJYIG5Lt
+iz2+UxRIqmKBqNmce2T+l45qyqOs99qfD7gLNGmkVZ4vtJ9bM7FxChFczg==
+-----END PUBLIC KEY-----
--- a/.github/actions/helm/action.yml
+++ b/.github/actions/helm/action.yml
@@ -0,0 +1,33 @@
+name: Setup Helm CLI
+description: A GitHub Action for running Helm commands
+author: Stefan Prodan
+branding:
+  color: blue
+  icon: command
+inputs:
+  version:
+    description: "Helm version"
+    required: true
+runs:
+  using: composite
+  steps:
+    - name: "Download helm binary to tmp"
+      shell: bash
+      run: |
+        VERSION=${{ inputs.version }}
+        BIN_URL="https://get.helm.sh/helm-v${VERSION}-linux-amd64.tar.gz"
+        curl -sL ${BIN_URL} -o /tmp/helm.tar.gz
+        mkdir -p /tmp/helm
+        tar -C /tmp/helm/ -zxvf /tmp/helm.tar.gz
+    - name: "Add helm binary to /usr/local/bin"
+      shell: bash
+      run: |
+        sudo cp /tmp/helm/linux-amd64/helm /usr/local/bin
+    - name: "Cleanup tmp"
+      shell: bash
+      run: |
+        rm -rf /tmp/helm/ /tmp/helm.tar.gz
+    - name: "Verify correct installation of binary"
+      shell: bash
+      run: |
+        helm version
--- a/.github/actions/release-notes/Dockerfile
+++ b/.github/actions/release-notes/Dockerfile
@@ -0,0 +1,6 @@
+FROM stefanprodan/alpine-base:latest
+
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+
+ENTRYPOINT ["/entrypoint.sh"]
--- a/.github/actions/release-notes/action.yml
+++ b/.github/actions/release-notes/action.yml
@@ -0,0 +1,9 @@
+name: 'github-release-notes'
+description: 'A GitHub Action to run github-release-notes commands'
+author: 'Stefan Prodan'
+branding:
+  icon: 'command'
+  color: 'blue'
+runs:
+  using: 'docker'
+  image: 'Dockerfile'
--- a/.github/actions/release-notes/entrypoint.sh
+++ b/.github/actions/release-notes/entrypoint.sh
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o pipefail
+
+VERSION=0.2.0
+BIN_DIR="$GITHUB_WORKSPACE/bin"
+
+main() {
+  mkdir -p ${BIN_DIR}
+  tmpDir=$(mktemp -d)
+
+  pushd $tmpDir >& /dev/null
+
+  curl -sSL https://github.com/buchanae/github-release-notes/releases/download/${VERSION}/github-release-notes-linux-amd64-${VERSION}.tar.gz | tar xz
+  cp github-release-notes ${BIN_DIR}/github-release-notes
+
+  popd >& /dev/null
+  rm -rf $tmpDir
+}
+
+main
+
+echo "$BIN_DIR" >> $GITHUB_PATH
+echo "$RUNNER_WORKSPACE/$(basename $GITHUB_REPOSITORY)/bin" >> $GITHUB_PATH
--- a/.github/policy/kubernetes.rego
+++ b/.github/policy/kubernetes.rego
@@ -0,0 +1,51 @@
+package kubernetes
+
+name = input.metadata.name
+
+kind = input.kind
+
+is_service {
+	input.kind = "Service"
+}
+
+is_deployment {
+	input.kind = "Deployment"
+}
+
+is_pod {
+	input.kind = "Pod"
+}
+
+split_image(image) = [image, "latest"] {
+	not contains(image, ":")
+}
+
+split_image(image) = [image_name, tag] {
+	[image_name, tag] = split(image, ":")
+}
+
+pod_containers(pod) = all_containers {
+	keys = {"containers", "initContainers"}
+	all_containers = [c | keys[k]; c = pod.spec[k][_]]
+}
+
+containers[container] {
+	pods[pod]
+	all_containers = pod_containers(pod)
+	container = all_containers[_]
+}
+
+containers[container] {
+	all_containers = pod_containers(input)
+	container = all_containers[_]
+}
+
+pods[pod] {
+	is_deployment
+	pod = input.spec.template
+}
+
+pods[pod] {
+	is_pod
+	pod = input
+}
--- a/.github/policy/rules.rego
+++ b/.github/policy/rules.rego
@@ -0,0 +1,43 @@
+package main
+
+import data.kubernetes
+
+name = input.metadata.name
+
+# Deny containers with latest image tag
+deny[msg] {
+	kubernetes.containers[container]
+	[image_name, "latest"] = kubernetes.split_image(container.image)
+	msg = sprintf("%s in the %s %s has an image %s, using the latest tag", [container.name, kubernetes.kind, kubernetes.name, image_name])
+}
+
+# Deny services without app label selector
+service_labels {
+  input.spec.selector["app"]
+}
+deny[msg] {
+  kubernetes.is_service
+  not service_labels
+  msg = sprintf("Service %s should set app label selector", [name])
+}
+
+# Deny deployments without app label selector
+match_labels {
+  input.spec.selector.matchLabels["app"]
+}
+deny[msg] {
+  kubernetes.is_deployment
+  not match_labels
+  msg = sprintf("Service %s should set app label selector", [name])
+}
+
+# Warn if deployments have no prometheus pod annotations
+annotations {
+  input.spec.template.metadata.annotations["prometheus.io/scrape"]
+  input.spec.template.metadata.annotations["prometheus.io/port"]
+}
+warn[msg] {
+  kubernetes.is_deployment
+  not annotations
+  msg = sprintf("Deployment %s should set prometheus.io/scrape and prometheus.io/port pod annotations", [name])
+}
--- a/.github/workflows/cve-scan.yml
+++ b/.github/workflows/cve-scan.yml
@@ -0,0 +1,28 @@
+name: cve-scan
+
+on:
+  push:
+    branches:
+      - 'master'
+
+jobs:
+  trivy:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Build image
+        id: build
+        run: |
+          IMAGE=test/podinfo:${GITHUB_SHA}
+          docker build -t ${IMAGE} .
+          echo "::set-output name=image::$IMAGE"
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ steps.build.outputs.image }}
+          format: table
+          exit-code: "1"
+          ignore-unfixed: true
+          vuln-type: os,library
+          severity: CRITICAL,HIGH
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -0,0 +1,38 @@
+name: e2e
+
+on:
+  pull_request:
+  push:
+    branches:
+      - 'master'
+
+jobs:
+  kind-helm:
+    strategy:
+      matrix:
+        helm-version:
+          - 3.8.1
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Setup Kubernetes
+        uses: engineerd/setup-kind@v0.5.0
+        with:
+          version: v0.11.1
+      - name: Build container image
+        run: |
+          ./test/build.sh
+          kind load docker-image test/podinfo:latest
+      - name: Setup Helm
+        uses: ./.github/actions/helm
+        with:
+          version: ${{ matrix.helm-version }}
+      - name: Deploy
+        run: ./test/deploy.sh
+      - name: Run integration tests
+        run: ./test/test.sh
+      - name: Debug failure
+        if: failure()
+        run: |
+          kubectl logs -l app=podinfo || true
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -0,0 +1,123 @@
+name: release
+
+on:
+  push:
+    tags:
+      - '*'
+
+permissions:
+  contents: write # needed to write releases
+  id-token: write # needed for keyless signing
+  packages: write # needed for ghcr access
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: imjasonh/setup-crane@v0.1
+      - uses: sigstore/cosign-installer@main
+      - name: Setup Helm
+        uses: ./.github/actions/helm
+        with:
+          version: 3.8.1
+      - name: Setup QEMU
+        uses: docker/setup-qemu-action@v1
+        with:
+          platforms: all
+      - name: Setup Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v1
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.GHCR_TOKEN }}
+      - name: Login to Docker Hub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+      - name: Prepare
+        id: prep
+        run: |
+          VERSION=sha-${GITHUB_SHA::8}
+          if [[ $GITHUB_REF == refs/tags/* ]]; then
+            VERSION=${GITHUB_REF/refs\/tags\//}
+          fi
+          echo ::set-output name=BUILD_DATE::$(date -u +'%Y-%m-%dT%H:%M:%SZ')
+          echo ::set-output name=VERSION::${VERSION}
+      - name: Publish multi-arch image
+        uses: docker/build-push-action@v2
+        with:
+          push: true
+          builder: ${{ steps.buildx.outputs.name }}
+          context: .
+          file: ./Dockerfile.xx
+          platforms: linux/amd64,linux/arm/v7,linux/arm64
+          tags: |
+            docker.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }}
+            docker.io/stefanprodan/podinfo:latest
+            ghcr.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }}
+          labels: |
+            org.opencontainers.image.title=${{ github.event.repository.name }}
+            org.opencontainers.image.description=${{ github.event.repository.description }}
+            org.opencontainers.image.source=${{ github.event.repository.html_url }}
+            org.opencontainers.image.url=${{ github.event.repository.html_url }}
+            org.opencontainers.image.revision=${{ github.sha }}
+            org.opencontainers.image.version=${{ steps.prep.outputs.VERSION }}
+            org.opencontainers.image.created=${{ steps.prep.outputs.BUILD_DATE }}
+      - name: Publish Helm chart to GHCR
+        run: |
+          helm package charts/podinfo
+          helm push podinfo-${{ steps.prep.outputs.VERSION }}.tgz oci://ghcr.io/stefanprodan/charts
+          rm podinfo-${{ steps.prep.outputs.VERSION }}.tgz
+      - name: Sign images
+        env:
+          COSIGN_EXPERIMENTAL: 1
+        run: |
+          cosign sign docker.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }}
+          cosign sign docker.io/stefanprodan/podinfo:latest
+          cosign sign ghcr.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }}
+          cosign sign ghcr.io/stefanprodan/charts/podinfo:${{ steps.prep.outputs.VERSION }}
+      - name: Publish base image
+        uses: docker/build-push-action@v2
+        with:
+          push: true
+          builder: ${{ steps.buildx.outputs.name }}
+          context: .
+          platforms: linux/amd64
+          file: ./Dockerfile.base
+          tags: docker.io/stefanprodan/podinfo-base:latest
+      - name: Publish helm chart
+        uses: stefanprodan/helm-gh-pages@master
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Publish config artifact
+        run: |
+          cd kustomize
+          tar -cf config.tar * --numeric-owner --owner=0 --group=0
+          crane append -f config.tar -t ghcr.io/stefanprodan/podinfo-deploy:${{ steps.prep.outputs.VERSION }}
+          crane tag ghcr.io/stefanprodan/podinfo-deploy:${{ steps.prep.outputs.VERSION }} latest
+          rm config.tar
+      - name: Sign config artifact
+        run: |
+          echo "$COSIGN_KEY" > /tmp/cosign.key
+          cosign sign -key /tmp/cosign.key ghcr.io/stefanprodan/podinfo-deploy:${{ steps.prep.outputs.VERSION }}
+          cosign sign -key /tmp/cosign.key ghcr.io/stefanprodan/podinfo-deploy:latest
+        env:
+          COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
+          COSIGN_KEY: ${{secrets.COSIGN_KEY}}
+      - uses: ./.github/actions/release-notes
+      - name: Generate release notes
+        run: |
+          echo 'CHANGELOG' > /tmp/release.txt
+          github-release-notes -org stefanprodan -repo podinfo -since-latest-release >> /tmp/release.txt
+      - name: Publish release
+        uses: goreleaser/goreleaser-action@v1
+        with:
+          version: latest
+          args: release --release-notes=/tmp/release.txt --skip-validate
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -0,0 +1,65 @@
+name: test
+
+on:
+  pull_request:
+  push:
+    branches:
+      - 'master'
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Restore Go cache
+        uses: actions/cache@v1
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: ${{ runner.os }}-go-
+      - name: Setup Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.17.x
+      - name: Setup CUE
+        uses: cue-lang/setup-cue@main
+      - name: Run unit tests
+        run: make test
+      - name: Generate CUE definitions
+        run: make cue-mod
+      - name: Verify CUE formatting
+        working-directory: ./cue
+        run: |
+          cue fmt .
+          status=$(git status . --porcelain)
+          [[ -z "$status" ]] || {
+            echo "CUE files are not correctly formatted"
+            echo "$status"
+            git diff
+            exit 1
+          }
+      - name: Validate CUE
+        working-directory: ./cue
+        run: cue vet --all-errors --concrete .
+      - name: Check if working tree is dirty
+        run: |
+          if [[ $(git diff --stat) != '' ]]; then
+            echo 'run make test and commit changes'
+            exit 1
+          fi
+      - name: Validate Helm chart
+        uses: stefanprodan/kube-tools@v1
+        with:
+          kubectl: 1.19.11
+          helm: 2.17.0
+          helmv3: 3.6.0
+          command: |
+            helmv3 template ./charts/podinfo | kubeval --strict --kubernetes-version 1.19.11 --schema-location https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master
+      - name: Validate kustomization
+        uses: stefanprodan/kube-tools@v1
+        with:
+          kubectl: 1.19.11
+          command: |
+            kustomize build ./kustomize | kubeval --strict --kubernetes-version 1.19.11 --schema-location https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master
+            kustomize build ./kustomize | conftest test -p .github/policy -
--- a/.gitignore
+++ b/.gitignore
@@ -19,4 +19,5 @@ release/
 build/
 gcloud/
 dist/
-bin/
+bin/
+cue/cue.mod/gen/
--- a/30
+++ b/30
@@ -1,4 +1,6 @@
-FROM golang:1.12 as builder
+FROM golang:1.17-alpine as builder
+
+ARG REVISION

 RUN mkdir -p /podinfo/

@@ -6,26 +8,28 @@ WORKDIR /podinfo

 COPY . .

-RUN GOPROXY=https://proxy.golang.org go mod download
+RUN go mod download

-RUN go test -v -race ./...
-
-RUN GIT_COMMIT=$(git rev-list -1 HEAD) && \
-    CGO_ENABLED=0 GOOS=linux go build -ldflags "-s -w \
-    -X github.com/stefanprodan/podinfo/pkg/version.REVISION=${GIT_COMMIT}" \
+RUN CGO_ENABLED=0 go build -ldflags "-s -w \
+    -X github.com/stefanprodan/podinfo/pkg/version.REVISION=${REVISION}" \
    -a -o bin/podinfo cmd/podinfo/*

-RUN GIT_COMMIT=$(git rev-list -1 HEAD) && \
-    CGO_ENABLED=0 GOOS=linux go build -ldflags "-s -w \
-    -X github.com/stefanprodan/podinfo/pkg/version.REVISION=${GIT_COMMIT}" \
+RUN CGO_ENABLED=0 go build -ldflags "-s -w \
+    -X github.com/stefanprodan/podinfo/pkg/version.REVISION=${REVISION}" \
    -a -o bin/podcli cmd/podcli/*

-FROM alpine:3.10
+FROM alpine:3.15
+
+ARG BUILD_DATE
+ARG VERSION
+ARG REVISION
+
+LABEL maintainer="stefanprodan"

 RUN addgroup -S app \
-    && adduser -S -g app app \
+    && adduser -S -G app app \
    && apk --no-cache add \
-    curl openssl netcat-openbsd
+    ca-certificates curl netcat-openbsd

 WORKDIR /home/app

--- a/Dockerfile.base
+++ b/Dockerfile.base
@@ -0,0 +1,10 @@
+FROM golang:1.17
+
+WORKDIR /workspace
+
+# copy modules manifests
+COPY go.mod go.mod
+COPY go.sum go.sum
+
+# cache modules
+RUN go mod download
--- a/Dockerfile.xx
+++ b/Dockerfile.xx
@@ -0,0 +1,53 @@
+ARG GO_VERSION=1.17
+ARG XX_VERSION=1.1.0
+
+FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
+
+FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine as builder
+
+# Copy the build utilities.
+COPY --from=xx / /
+
+ARG TARGETPLATFORM
+ARG REVISION
+
+RUN mkdir -p /podinfo/
+
+WORKDIR /podinfo
+
+COPY . .
+
+RUN go mod download
+
+ENV CGO_ENABLED=0
+RUN xx-go build -ldflags "-s -w \
+    -X github.com/stefanprodan/podinfo/pkg/version.REVISION=${REVISION}" \
+    -a -o bin/podinfo cmd/podinfo/*
+
+RUN xx-go build -ldflags "-s -w \
+    -X github.com/stefanprodan/podinfo/pkg/version.REVISION=${REVISION}" \
+    -a -o bin/podcli cmd/podcli/*
+
+FROM alpine:3.15
+
+ARG BUILD_DATE
+ARG VERSION
+ARG REVISION
+
+LABEL maintainer="stefanprodan"
+
+RUN addgroup -S app \
+    && adduser -S -G app app \
+    && apk --no-cache add \
+    ca-certificates curl netcat-openbsd
+
+WORKDIR /home/app
+
+COPY --from=builder /podinfo/bin/podinfo .
+COPY --from=builder /podinfo/bin/podcli /usr/local/bin/podcli
+COPY ./ui ./ui
+RUN chown -R app:app ./
+
+USER app
+
+CMD ["./podinfo"]
--- a/214
+++ b/214
@@ -1,21 +1,201 @@
-MIT License
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/

-Copyright (c) 2018 Stefan Prodan
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
+   1. Definitions.

-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.

-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright 2018 Stefan Prodan. All rights reserved.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
--- a/65
+++ b/65
@@ -8,16 +8,27 @@ DOCKER_REPOSITORY:=stefanprodan
 DOCKER_IMAGE_NAME:=$(DOCKER_REPOSITORY)/$(NAME)
 GIT_COMMIT:=$(shell git describe --dirty --always)
 VERSION:=$(shell grep 'VERSION' pkg/version/version.go | awk '{ print $$4 }' | tr -d '"')
+EXTRA_RUN_ARGS?=

 run:
-	GO111MODULE=on go run -ldflags "-s -w -X github.com/stefanprodan/podinfo/pkg/version.REVISION=$(GIT_COMMIT)" cmd/podinfo/* --level=debug
+	go run -ldflags "-s -w -X github.com/stefanprodan/podinfo/pkg/version.REVISION=$(GIT_COMMIT)" cmd/podinfo/* \
+	--level=debug --grpc-port=9999 --backend-url=https://httpbin.org/status/401 --backend-url=https://httpbin.org/status/500 \
+	--ui-logo=https://raw.githubusercontent.com/stefanprodan/podinfo/gh-pages/cuddle_clap.gif $(EXTRA_RUN_ARGS)

+.PHONY: test
 test:
-	GO111MODULE=on go test -v -race ./...
+	go test ./... -coverprofile cover.out

 build:
-	GO111MODULE=on GIT_COMMIT=$$(git rev-list -1 HEAD) && GO111MODULE=on CGO_ENABLED=0 go build  -ldflags "-s -w -X github.com/stefanprodan/podinfo/pkg/version.REVISION=$(GIT_COMMIT)" -a -o ./bin/podinfo ./cmd/podinfo/*
-	GO111MODULE=on GIT_COMMIT=$$(git rev-list -1 HEAD) && GO111MODULE=on CGO_ENABLED=0 go build  -ldflags "-s -w -X github.com/stefanprodan/podinfo/pkg/version.REVISION=$(GIT_COMMIT)" -a -o ./bin/podcli ./cmd/podcli/*
+	GIT_COMMIT=$$(git rev-list -1 HEAD) && CGO_ENABLED=0 go build  -ldflags "-s -w -X github.com/stefanprodan/podinfo/pkg/version.REVISION=$(GIT_COMMIT)" -a -o ./bin/podinfo ./cmd/podinfo/*
+	GIT_COMMIT=$$(git rev-list -1 HEAD) && CGO_ENABLED=0 go build  -ldflags "-s -w -X github.com/stefanprodan/podinfo/pkg/version.REVISION=$(GIT_COMMIT)" -a -o ./bin/podcli ./cmd/podcli/*
+
+tidy:
+	rm -f go.sum; go mod tidy -compat=1.17
+
+fmt:
+	gofmt -l -s -w ./
+	goimports -l -w ./

 build-charts:
 	helm lint charts/*
@@ -26,6 +37,19 @@ build-charts:
 build-container:
 	docker build -t $(DOCKER_IMAGE_NAME):$(VERSION) .

+build-xx:
+	docker buildx build \
+	--platform=linux/amd64 \
+	-t $(DOCKER_IMAGE_NAME):$(VERSION) \
+	--load \
+	-f Dockerfile.xx .
+
+build-base:
+	docker build -f Dockerfile.base -t $(DOCKER_REPOSITORY)/podinfo-base:latest .
+
+push-base: build-base
+	docker push $(DOCKER_REPOSITORY)/podinfo-base:latest
+
 test-container:
 	@docker rm -f podinfo || true
 	@docker run -dp 9898:9898 --name=podinfo $(DOCKER_IMAGE_NAME):$(VERSION)
@@ -34,20 +58,43 @@ test-container:
 	curl -sH "Authorization: Bearer $${TOKEN}" localhost:9898/token/validate | grep test

 push-container:
+	docker tag $(DOCKER_IMAGE_NAME):$(VERSION) $(DOCKER_IMAGE_NAME):latest
 	docker push $(DOCKER_IMAGE_NAME):$(VERSION)
+	docker push $(DOCKER_IMAGE_NAME):latest
 	docker tag $(DOCKER_IMAGE_NAME):$(VERSION) quay.io/$(DOCKER_IMAGE_NAME):$(VERSION)
+	docker tag $(DOCKER_IMAGE_NAME):$(VERSION) quay.io/$(DOCKER_IMAGE_NAME):latest
 	docker push quay.io/$(DOCKER_IMAGE_NAME):$(VERSION)
+	docker push quay.io/$(DOCKER_IMAGE_NAME):latest

 version-set:
 	@next="$(TAG)" && \
 	current="$(VERSION)" && \
-	sed -i '' "s/$$current/$$next/g" pkg/version/version.go && \
-	sed -i '' "s/tag: $$current/tag: $$next/g" charts/podinfo/values.yaml && \
-	sed -i '' "s/appVersion: $$current/appVersion: $$next/g" charts/podinfo/Chart.yaml && \
-	sed -i '' "s/version: $$current/version: $$next/g" charts/podinfo/Chart.yaml && \
-	sed -i '' "s/podinfo:$$current/podinfo:$$next/g" kustomize/deployment.yaml && \
+	/usr/bin/sed -i '' "s/$$current/$$next/g" pkg/version/version.go && \
+	/usr/bin/sed -i '' "s/tag: $$current/tag: $$next/g" charts/podinfo/values.yaml && \
+	/usr/bin/sed -i '' "s/tag: $$current/tag: $$next/g" charts/podinfo/values-prod.yaml && \
+	/usr/bin/sed -i '' "s/appVersion: $$current/appVersion: $$next/g" charts/podinfo/Chart.yaml && \
+	/usr/bin/sed -i '' "s/version: $$current/version: $$next/g" charts/podinfo/Chart.yaml && \
+	/usr/bin/sed -i '' "s/podinfo:$$current/podinfo:$$next/g" kustomize/deployment.yaml && \
+	/usr/bin/sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/webapp/frontend/deployment.yaml && \
+	/usr/bin/sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/webapp/backend/deployment.yaml && \
+	/usr/bin/sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/bases/frontend/deployment.yaml && \
+	/usr/bin/sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/bases/backend/deployment.yaml && \
+	/usr/bin/sed -i '' "s/$$current/$$next/g" cue/main.cue && \
 	echo "Version $$next set in code, deployment, chart and kustomize"

 release:
 	git tag $(VERSION)
 	git push origin $(VERSION)
+
+swagger:
+	go get github.com/swaggo/swag/cmd/swag
+	cd pkg/api && $$(go env GOPATH)/bin/swag init -g server.go
+
+.PHONY: cue-mod
+cue-mod:
+	@cd cue && cue get go k8s.io/api/...
+
+.PHONY: cue-gen
+cue-gen:
+	@cd cue && cue fmt ./... && cue vet --all-errors --concrete ./...
+	@cd cue && cue gen
--- a/README.md
+++ b/README.md
@@ -1,23 +1,31 @@
 # podinfo

-[![CircleCI](https://circleci.com/gh/stefanprodan/podinfo.svg?style=svg)](https://circleci.com/gh/stefanprodan/podinfo)
+[![e2e](https://github.com/stefanprodan/podinfo/workflows/e2e/badge.svg)](https://github.com/stefanprodan/podinfo/blob/master/.github/workflows/e2e.yml)
+[![test](https://github.com/stefanprodan/podinfo/workflows/test/badge.svg)](https://github.com/stefanprodan/podinfo/blob/master/.github/workflows/test.yml)
+[![cve-scan](https://github.com/stefanprodan/podinfo/workflows/cve-scan/badge.svg)](https://github.com/stefanprodan/podinfo/blob/master/.github/workflows/cve-scan.yml)
+[![Go Report Card](https://goreportcard.com/badge/github.com/stefanprodan/podinfo)](https://goreportcard.com/report/github.com/stefanprodan/podinfo)
 [![Docker Pulls](https://img.shields.io/docker/pulls/stefanprodan/podinfo)](https://hub.docker.com/r/stefanprodan/podinfo)

-Podinfo is a tiny web application made with Go 
-that showcases best practices of running microservices in Kubernetes.
+Podinfo is a tiny web application made with Go that showcases best practices of running microservices in Kubernetes.
+Podinfo is used by CNCF projects like [Flux](https://github.com/fluxcd/flux2) and [Flagger](https://github.com/fluxcd/flagger)
+for end-to-end testing and workshops.

 Specifications:

 * Health checks (readiness and liveness)
 * Graceful shutdown on interrupt signals
 * File watcher for secrets and configmaps
-* Instrumented with Prometheus
-* Tracing with Istio and Jaeger
+* Instrumented with Prometheus and Open Telemetry
 * Structured logging with zap 
 * 12-factor app with viper
 * Fault injection (random errors and latency)
-* Helm and Kustomize installers
+* Swagger docs
+* CUE, Helm and Kustomize installers
 * End-to-End testing with Kubernetes Kind and Helm
+* Kustomize testing with GitHub Actions and Open Policy Agent
+* Multi-arch container image with Docker buildx and Github Actions
+* Container image signing with Sigstore cosign
+* CVE scanning with Trivy

 Web API:

@@ -37,45 +45,151 @@ Web API:
 * `POST /token` issues a JWT token valid for one minute `JWT=$(curl -sd 'anon' podinfo:9898/token | jq -r .token)`
 * `GET /token/validate` validates the JWT token `curl -H "Authorization: Bearer $JWT" podinfo:9898/token/validate`
 * `GET /configs` returns a JSON with configmaps and/or secrets mounted in the `config` volume
+* `POST/PUT /cache/{key}` saves the posted content to Redis
+* `GET /cache/{key}` returns the content from Redis if the key exists
+* `DELETE /cache/{key}` deletes the key from Redis if exists
 * `POST /store` writes the posted content to disk at /data/hash and returns the SHA1 hash of the content
 * `GET /store/{hash}` returns the content of the file /data/hash if exists
 * `GET /ws/echo` echos content via websockets `podcli ws ws://localhost:9898/ws/echo`
 * `GET /chunked/{seconds}` uses `transfer-encoding` type `chunked` to give a partial response and then waits for the specified period
+* `GET /swagger.json` returns the API Swagger docs, used for Linkerd service profiling and Gloo routes discovery
+
+gRPC API:
+
+* `/grpc.health.v1.Health/Check` health checking

 Web UI:

-![podinfo-ui](https://raw.githubusercontent.com/stefanprodan/podinfo/gh-pages/screens/podinfo-ui.png)
+![podinfo-ui](https://raw.githubusercontent.com/stefanprodan/podinfo/gh-pages/screens/podinfo-ui-v3.png)
+
+To access the Swagger UI open `<podinfo-host>/swagger/index.html` in a browser.

 ### Guides

+* [GitOps Progressive Deliver with Flagger, Helm v3 and Linkerd](https://helm.workshop.flagger.dev/intro/)
+* [GitOps Progressive Deliver on EKS with Flagger and AppMesh](https://eks.handson.flagger.dev/prerequisites/)
 * [Automated canary deployments with Flagger and Istio](https://medium.com/google-cloud/automated-canary-deployments-with-flagger-and-istio-ac747827f9d1)
 * [Kubernetes autoscaling with Istio metrics](https://medium.com/google-cloud/kubernetes-autoscaling-with-istio-metrics-76442253a45a)
+* [Autoscaling EKS on Fargate with custom metrics](https://aws.amazon.com/blogs/containers/autoscaling-eks-on-fargate-with-custom-metrics/)
 * [Managing Helm releases the GitOps way](https://medium.com/google-cloud/managing-helm-releases-the-gitops-way-207a6ac6ff0e)
-* [Expose Kubernetes services over HTTPS with Ngrok](https://stefanprodan.com/2018/expose-kubernetes-services-over-http-with-ngrok/)
+* [Securing EKS Ingress With Contour And Let’s Encrypt The GitOps Way](https://aws.amazon.com/blogs/containers/securing-eks-ingress-contour-lets-encrypt-gitops/)

 ### Install

-Helm:
+#### Helm
+
+Install from github.io:

 ```bash
-helm repo add sp https://stefanprodan.github.io/podinfo
+helm repo add podinfo https://stefanprodan.github.io/podinfo

 helm upgrade --install --wait frontend \
 --namespace test \
 --set replicaCount=2 \
 --set backend=http://backend-podinfo:9898/echo \
-sp/podinfo
+podinfo/podinfo

-helm test frontend --cleanup
+helm test frontend

 helm upgrade --install --wait backend \
 --namespace test \
--set hpa.enabled=true \
-sp/podinfo
+--set redis.enabled=true \
+podinfo/podinfo
 ```

-Kustomize:
+Install from ghcr.io:
+
+```bash
+helm upgrade --install --wait podinfo --namespace default \
+oci://ghcr.io/stefanprodan/charts/podinfo
+```
+
+#### Kustomize

 ```bash
 kubectl apply -k github.com/stefanprodan/podinfo//kustomize
 ```
+
+#### Docker
+
+```bash
+docker run -dp 9898:9898 stefanprodan/podinfo
+```
+
+### Continuous Delivery
+
+In order to install podinfo on a Kubernetes cluster and keep it up to date with the latest
+release in an automated manner, you can use [Flux](https://fluxcd.io).
+
+Install the Flux CLI on MacOS and Linux using Homebrew:
+
+```sh
+brew install fluxcd/tap/flux
+```
+
+Install the Flux controllers needed for Helm operations:
+
+```sh
+flux install \
+--namespace=flux-system \
+--network-policy=false \
+--components=source-controller,helm-controller
+```
+
+Add podinfo's Helm repository to your cluster and
+configure Flux to check for new chart releases every ten minutes:
+
+```sh
+flux create source helm podinfo \
+--namespace=default \
+--url=https://stefanprodan.github.io/podinfo \
+--interval=10m
+```
+
+Create a `podinfo-values.yaml` file locally:
+
+```sh
+cat > podinfo-values.yaml <<EOL
+replicaCount: 2
+resources:
+  limits:
+    memory: 256Mi
+  requests:
+    cpu: 100m
+    memory: 64Mi
+EOL
+```
+
+Create a Helm release for deploying podinfo in the default namespace:
+
+```sh
+flux create helmrelease podinfo \
+--namespace=default \
+--source=HelmRepository/podinfo \
+--release-name=podinfo \
+--chart=podinfo \
+--chart-version=">5.0.0" \
+--values=podinfo-values.yaml
+```
+
+Based on the above definition, Flux will upgrade the release automatically
+when a new version of podinfo is released. If the upgrade fails, Flux
+can [rollback](https://toolkit.fluxcd.io/components/helm/helmreleases/#configuring-failure-remediation)
+to the previous working version.
+
+You can check what version is currently deployed with:
+
+```sh
+flux get helmreleases -n default
+```
+
+To delete podinfo's Helm repository and release from your cluster run:
+
+```sh
+flux -n default delete source helm podinfo
+flux -n default delete helmrelease podinfo
+```
+
+If you wish to manage the lifecycle of your applications in a **GitOps** manner, check out
+this [workflow example](https://github.com/fluxcd/flux2-kustomize-helm-example)
+for multi-env deployments with Flux, Kustomize and Helm.
--- a/charts/ngrok/.helmignore
+++ b/charts/ngrok/.helmignore
@@ -1,21 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
--- a/charts/ngrok/Chart.yaml
+++ b/charts/ngrok/Chart.yaml
@@ -1,5 +0,0 @@
-apiVersion: v1
-appVersion: "1.0"
-description: A Ngrok Helm chart for Kubernetes
-name: ngrok
-version: 0.2.0
--- a/charts/ngrok/README.md
+++ b/charts/ngrok/README.md
@@ -1,64 +0,0 @@
-# Ngrok
-
-Expose Kubernetes service with [Ngrok](https://ngrok.com).
-
-## Installing the Chart
-
-To install the chart with the release name `my-release`:
-
-```console
-$ helm install sp/ngrok --name my-release \
-  --set token=NGROK-TOKEN \
-  --set expose.service=podinfo:9898
-```
-
-The command deploys Ngrok on the Kubernetes cluster in the default namespace.
-The [configuration](#configuration) section lists the parameters that can be configured during installation.
-
-## Uninstalling the Chart
-
-To uninstall/delete the `my-release` deployment:
-
-```console
-$ helm delete --purge my-release
-```
-
-The command removes all the Kubernetes components associated with the chart and deletes the release.
-
-## Configuration
-
-The following tables lists the configurable parameters of the Grafana chart and their default values.
-
-Parameter | Description | Default
--- | --- | ---
-`image.repository` | Image repository | `stefanprodan/ngrok`
-`image.pullPolicy` | Image pull policy | `IfNotPresent`
-`image.tag` | Image tag | `latest`
-`replicaCount` | desired number of pods | `1`
-`tolerations` | List of node taints to tolerate | `[]`
-`affinity` | node/pod affinities | `node`
-`nodeSelector` | node labels for pod assignment | `{}`
-`service.type` | type of service | `ClusterIP`
-`token` | Ngrok auth token | `none`
-`expose.service` | Service address to be exposed as in `service-name:port` | `none`
-`subdomain` | Ngrok subdomain | `none`
-
-Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
-
-```console
-$ helm upgrade --install --wait tunel \
-  --set token=NGROK-TOKEN \
-  --set service.type=NodePort \
-  --set expose.service=podinfo:9898 \
-  sp/ngrok
-```
-
-Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example,
-
-```console
-$ helm install sp/grafana --name my-release -f values.yaml
-```
-
-> **Tip**: You can use the default [values.yaml](values.yaml)
-```
-
--- a/charts/ngrok/templates/NOTES.txt
+++ b/charts/ngrok/templates/NOTES.txt
@@ -1,15 +0,0 @@
-1. Get the application URL by running these commands:
-{{- if contains "NodePort" .Values.service.type }}
-  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "ngrok.fullname" . }})
-  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
-  echo http://$NODE_IP:$NODE_PORT
-{{- else if contains "LoadBalancer" .Values.service.type }}
-     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
-           You can watch the status of by running 'kubectl get svc -w {{ template "ngrok.fullname" . }}'
-  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "ngrok.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
-  echo http://$SERVICE_IP:{{ .Values.service.port }}
-{{- else if contains "ClusterIP" .Values.service.type }}
-  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "ngrok.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
-  echo "Visit http://127.0.0.1:8080 to use your application"
-  kubectl port-forward $POD_NAME 8080:80
-{{- end }}
--- a/charts/ngrok/templates/_helpers.tpl
+++ b/charts/ngrok/templates/_helpers.tpl
@@ -1,32 +0,0 @@
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "ngrok.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "ngrok.fullname" -}}
-{{- if .Values.fullnameOverride -}}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "ngrok.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
--- a/charts/ngrok/templates/config.yaml
+++ b/charts/ngrok/templates/config.yaml
@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: {{ template "ngrok.fullname" . }}
-data:
-  ngrok.yml: |-
-    web_addr: 0.0.0.0:4040
-    update: false
-    log: stdout
-{{- if .Values.token }}
-    authtoken: {{ .Values.token }}
-{{- end }}
--- a/charts/ngrok/templates/deployment.yaml
+++ b/charts/ngrok/templates/deployment.yaml
@@ -1,65 +0,0 @@
-apiVersion: apps/v1beta2
-kind: Deployment
-metadata:
-  name: {{ template "ngrok.fullname" . }}
-  labels:
-    app: {{ template "ngrok.name" . }}
-    chart: {{ template "ngrok.chart" . }}
-    release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
-spec:
-  replicas: {{ .Values.replicaCount }}
-  selector:
-    matchLabels:
-      app: {{ template "ngrok.name" . }}
-      release: {{ .Release.Name }}
-  template:
-    metadata:
-      labels:
-        app: {{ template "ngrok.name" . }}
-        release: {{ .Release.Name }}
-      annotations:
-        prometheus.io/scrape: 'false'
-    spec:
-      containers:
-        - name: {{ .Chart.Name }}
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
-          command:
-            - ./ngrok
-            - http
-            {{- if .Values.subdomain }}
-            - --subdomain={{ .Values.subdomain }}
-            {{- end }}
-            - {{ .Values.expose.service }}
-          volumeMounts:
-          - name: config
-            mountPath: /home/ngrok/.ngrok2
-          ports:
-            - name: http
-              containerPort: 4040
-              protocol: TCP
-          livenessProbe:
-            httpGet:
-              path: /api/tunnels
-              port: http
-            initialDelaySeconds: 10
-            periodSeconds: 30
-          resources:
-{{ toYaml .Values.resources | indent 12 }}
-    {{- with .Values.nodeSelector }}
-      nodeSelector:
-{{ toYaml . | indent 8 }}
-    {{- end }}
-    {{- with .Values.affinity }}
-      affinity:
-{{ toYaml . | indent 8 }}
-    {{- end }}
-    {{- with .Values.tolerations }}
-      tolerations:
-{{ toYaml . | indent 8 }}
-    {{- end }}
-      volumes:
-      - name: config
-        configMap:
-          name: {{ template "ngrok.fullname" . }}
--- a/charts/ngrok/templates/service.yaml
+++ b/charts/ngrok/templates/service.yaml
@@ -1,19 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ template "ngrok.fullname" . }}
-  labels:
-    app: {{ template "ngrok.name" . }}
-    chart: {{ template "ngrok.chart" . }}
-    release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
-spec:
-  type: {{ .Values.service.type }}
-  ports:
-    - port: {{ .Values.service.port }}
-      targetPort: http
-      protocol: TCP
-      name: http
-  selector:
-    app: {{ template "ngrok.name" . }}
-    release: {{ .Release.Name }}
--- a/charts/ngrok/values.yaml
+++ b/charts/ngrok/values.yaml
@@ -1,27 +0,0 @@
-# Default values for ngrok.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-
-replicaCount: 1
-
-image:
-  repository: stefanprodan/ngrok
-  tag: latest
-  pullPolicy: IfNotPresent
-
-service:
-  type: ClusterIP
-  port: 4040
-
-expose:
-  service: ga-podinfo:9898
-
-token: 4i3rDinhLqMHtvez71N9S_38rkS7onwv77VFNZTaUR6
-
-nodeSelector: {}
-
-tolerations: []
-
-affinity: {}
-
-subdomain:
--- a/charts/podinfo/Chart.yaml
+++ b/charts/podinfo/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
-version: 2.0.2
-appVersion: 2.0.2
+version: 6.1.4
+appVersion: 6.1.4
 name: podinfo
 engine: gotpl
 description: Podinfo Helm chart for Kubernetes
@@ -10,3 +10,4 @@ maintainers:
  name: stefanprodan
 sources:
 - https://github.com/stefanprodan/podinfo
+kubeVersion: ">=1.19.0-0"
--- a/charts/podinfo/LICENSE
+++ b/charts/podinfo/LICENSE
@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright 2018 Stefan Prodan. All rights reserved.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
--- a/charts/podinfo/README.md
+++ b/charts/podinfo/README.md
@@ -1,15 +1,20 @@
 # Podinfo

-Podinfo is a tiny web application made with Go 
+Podinfo is a tiny web application made with Go
 that showcases best practices of running microservices in Kubernetes.

+Podinfo is used by CNCF projects like [Flux](https://github.com/fluxcd/flux2)
+and [Flagger](https://github.com/fluxcd/flagger)
+for end-to-end testing and workshops.
+
 ## Installing the Chart

 To install the chart with the release name `my-release`:

 ```console
-$ helm repo add sp https://stefanprodan.github.io/k8s-podinfo
-$ helm upgrade my-release --install sp/podinfo 
+$ helm repo add podinfo https://stefanprodan.github.io/podinfo
+
+$ helm upgrade -i my-release podinfo/podinfo
 ```

 The command deploys podinfo on the Kubernetes cluster in the default namespace.
@@ -20,7 +25,7 @@ The [configuration](#configuration) section lists the parameters that can be con
 To uninstall/delete the `my-release` deployment:

 ```console
-$ helm delete --purge my-release
+$ helm delete my-release
 ```

 The command removes all the Kubernetes components associated with the chart and deletes the release.
@@ -29,53 +34,90 @@ The command removes all the Kubernetes components associated with the chart and

 The following tables lists the configurable parameters of the podinfo chart and their default values.

-Parameter | Description | Default
+Parameter | Default | Description
 --- | --- | ---
-`affinity` | node/pod affinities | None
-`color` | UI color | blue
-`backend` | echo backend URL | None
-`faults.delay` | random HTTP response delays between 0 and 5 seconds | `false`
-`faults.error` | 1/3 chances of a random HTTP response error | `false`
-`hpa.enabled` | enables HPA | `false`
-`hpa.cpu` | target CPU usage per pod | None
-`hpa.memory` | target memory usage per pod | None
-`hpa.requests` | target requests per second per pod | None
-`hpa.maxReplicas` | maximum pod replicas | `10`
-`ingress.hosts` | ingress accepted hostnames | None
-`ingress.tls` | ingress TLS configuration | None:
-`image.pullPolicy` | image pull policy | `IfNotPresent`
-`image.repository` | image repository | `stefanprodan/podinfo`
-`image.tag` | image tag | `0.0.1`
-`ingress.enabled` | enables ingress | `false`
-`ingress.annotations` | ingress annotations | None
-`ingress.hosts` | ingress accepted hostnames | None
-`ingress.tls` | ingress TLS configuration | None
-`message` | UI greetings message | None
-`nodeSelector` | node labels for pod assignment | `{}`
-`replicaCount` | desired number of pods | `2`
-`resources.requests/cpu` | pod CPU request | `1m`
-`resources.requests/memory` | pod memory request | `16Mi`
-`resources.limits/cpu` | pod CPU limit | None
-`resources.limits/memory` | pod memory limit | None
-`service.externalPort` | external port for the service | `9898`
-`service.internalPort` | internal port for the service | `9898`
-`service.nodePort` | node port for the service | `31198`
-`service.type` | type of service | `ClusterIP`
-`tolerations` | list of node taints to tolerate | `[]`
+`replicaCount` | `1` | Desired number of pods
+`logLevel` | `info` | Log level: `debug`, `info`, `warn`, `error`
+`backend` | `None` | Echo backend URL
+`backends` | `[]` | Array of echo backend URLs
+`cache` | `None` | Redis address in the format `tcp://<host>:<port>`
+`redis.enabled` | `false` | Create Redis deployment for caching purposes
+`ui.color` | `#34577c` |  UI color
+`ui.message` | `None` |  UI greetings message
+`ui.logo` | `None` |  UI logo
+`faults.delay` | `false` | Random HTTP response delays between 0 and 5 seconds
+`faults.error` | `false` | 1/3 chances of a random HTTP response error
+`faults.unhealthy` | `false` | When set, the healthy state is never reached
+`faults.unready` | `false` | When set, the ready state is never reached
+`faults.testFail` | `false` | When set, a helm test is included which always fails
+`faults.testTimeout` | `false` | When set, a helm test is included which always times out
+`image.repository` | `stefanprodan/podinfo` | Image repository
+`image.tag` | `<VERSION>` | Image tag
+`image.pullPolicy` | `IfNotPresent` | Image pull policy
+`service.enabled` | `true` | Create a Kubernetes Service, should be disabled when using [Flagger](https://flagger.app)
+`service.type` | `ClusterIP` | Type of the Kubernetes Service
+`service.metricsPort` | `9797` | Prometheus metrics endpoint port
+`service.httpPort` | `9898` | Container HTTP port
+`service.externalPort` | `9898` | ClusterIP HTTP port
+`service.grpcPort` | `9999` | ClusterIP gPRC port
+`service.grpcService` | `podinfo` | gPRC service name
+`service.nodePort` | `31198` | NodePort for the HTTP endpoint
+`h2c.enabled` | `false` | Allow upgrading to h2c (non-TLS version of HTTP/2)
+`hpa.enabled` | `false` | Enables the Kubernetes HPA
+`hpa.maxReplicas` | `10` | Maximum amount of pods
+`hpa.cpu` | `None` | Target CPU usage per pod
+`hpa.memory` | `None` | Target memory usage per pod
+`hpa.requests` | `None` | Target HTTP requests per second per pod
+`serviceAccount.enabled` | `false` | Whether a service account should be created
+`serviceAccount.name` | `None` | The name of the service account to use, if not set and create is true, a name is generated using the fullname template
+`securityContext` | `{}` | The security context to be set on the podinfo container
+`linkerd.profile.enabled` | `false` | Create Linkerd service profile
+`serviceMonitor.enabled` | `false` | Whether a Prometheus Operator service monitor should be created
+`serviceMonitor.interval` | `15s` | Prometheus scraping interval
+`serviceMonitor.additionalLabels` | `{}` | Add additional labels to the service monitor |
+`ingress.enabled` | `false` | Enables Ingress
+`ingress.className ` | `""` | Use ingressClassName
+`ingress.annotations` | `{}` | Ingress annotations
+`ingress.hosts` | `[]` | Ingress accepted hosts
+`ingress.tls` | `[]` | Ingress TLS configuration
+`resources.requests.cpu` | `1m` | Pod CPU request
+`resources.requests.memory` | `16Mi` | Pod memory request
+`resources.limits.cpu` | `None` | Pod CPU limit
+`resources.limits.memory` | `None` | Pod memory limit
+`nodeSelector` | `{}` | Node labels for pod assignment
+`tolerations` | `[]` | List of node taints to tolerate
+`affinity` | `None` | Node/pod affinities
+`podAnnotations` | `{}` | Pod annotations

 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,

 ```console
-$ helm install stable/podinfo --name my-release \
-  --set=image.tag=0.0.2,service.type=NodePort
+$ helm install my-release podinfo/podinfo \
+  --set=serviceMonitor.enabled=true,serviceMonitor.interval=5s
+```
+
+To add custom annotations you need to escape the annotation key string:
+
+```console
+$ helm upgrade -i my-release podinfo/podinfo \
+--set podAnnotations."appmesh\.k8s\.aws\/preview"=enabled
 ```

 Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example,

 ```console
-$ helm install stable/podinfo --name my-release -f values.yaml
+$ helm install my-release podinfo/podinfo -f values.yaml
 ```

 > **Tip**: You can use the default [values.yaml](values.yaml)
-```

+## Upgrading the chart
+
+### To =< 5.0.0
+
+Version 5.0.0 is a major update.
+
+* The chart now follows the new Kubernetes label recommendations:
+<https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/>
+
+The simplest way to update is to do a force upgrade, which recreates the resources by doing a delete and an install.
--- a/charts/podinfo/templates/NOTES.txt
+++ b/charts/podinfo/templates/NOTES.txt
@@ -1,7 +1,9 @@
 1. Get the application URL by running these commands:
 {{- if .Values.ingress.enabled }}
-{{- range .Values.ingress.hosts }}
-  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ . }}{{ $.Values.ingress.path }}
+{{- range $host := .Values.ingress.hosts }}
+  {{- range .paths }}
+  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
+  {{- end }}
 {{- end }}
 {{- else if contains "NodePort" .Values.service.type }}
  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "podinfo.fullname" . }})
@@ -11,9 +13,8 @@
     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
           You can watch the status of by running 'kubectl get svc -w {{ template "podinfo.fullname" . }}'
  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "podinfo.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
-  echo http://$SERVICE_IP:{{ .Values.service.port }}
+  echo http://$SERVICE_IP:{{ .Values.service.externalPort }}
 {{- else if contains "ClusterIP" .Values.service.type }}
-  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "podinfo.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
  echo "Visit http://127.0.0.1:8080 to use your application"
-  kubectl port-forward $POD_NAME 8080:{{ .Values.service.externalPort }}
+  kubectl -n {{ .Release.Namespace }} port-forward deploy/{{ template "podinfo.fullname" . }} 8080:{{ .Values.service.externalPort }}
 {{- end }}
--- a/charts/podinfo/templates/_helpers.tpl
+++ b/charts/podinfo/templates/_helpers.tpl
@@ -1,10 +1,9 @@
-{{/* vim: set filetype=mustache: */}}
 {{/*
 Expand the name of the chart.
 */}}
 {{- define "podinfo.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}

 {{/*
 Create a default fully qualified app name.
@@ -12,21 +11,59 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 If release name contains chart name it will be used as a full name.
 */}}
 {{- define "podinfo.fullname" -}}
-{{- if .Values.fullnameOverride -}}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}

 {{/*
 Create chart name and version as used by the chart label.
 */}}
 {{- define "podinfo.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "podinfo.labels" -}}
+helm.sh/chart: {{ include "podinfo.chart" . }}
+{{ include "podinfo.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "podinfo.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "podinfo.fullname" . }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "podinfo.serviceAccountName" -}}
+{{- if .Values.serviceAccount.enabled }}
+{{- default (include "podinfo.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create the name of the tls secret for secure port
+*/}}
+{{- define "podinfo.tlsSecretName" -}}
+{{- $fullname := include "podinfo.fullname" . -}}
+{{- default (printf "%s-tls" $fullname) .Values.tls.secretName }}
+{{- end }}
--- a/charts/podinfo/templates/certificate.yaml
+++ b/charts/podinfo/templates/certificate.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.certificate.create -}}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ template "podinfo.fullname" . }}
+  labels:
+    {{- include "podinfo.labels" . | nindent 4 }}
+spec:
+  dnsNames:
+  {{- range .Values.certificate.dnsNames }}
+    - {{ . | quote }}
+  {{- end }}
+  secretName: {{ template "podinfo.tlsSecretName" . }}
+  issuerRef:
+  {{- .Values.certificate.issuerRef | toYaml | trimSuffix "\n" | nindent 4 }}
+{{- end }}
--- a/charts/podinfo/templates/deployment.yaml
+++ b/charts/podinfo/templates/deployment.yaml
@@ -3,45 +3,102 @@ kind: Deployment
 metadata:
  name: {{ template "podinfo.fullname" . }}
  labels:
-    app: {{ template "podinfo.name" . }}
-    chart: {{ template "podinfo.chart" . }}
-    release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
+    {{- include "podinfo.labels" . | nindent 4 }}
 spec:
+  {{- if not .Values.hpa.enabled }}
  replicas: {{ .Values.replicaCount }}
+  {{- end }}
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
  selector:
    matchLabels:
-      app: {{ template "podinfo.name" . }}
-      release: {{ .Release.Name }}
+      {{- include "podinfo.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      labels:
-        app: {{ template "podinfo.name" . }}
-        release: {{ .Release.Name }}
+        {{- include "podinfo.selectorLabels" . | nindent 8 }}
      annotations:
-        prometheus.io/scrape: 'true'
+        prometheus.io/scrape: "true"
+        prometheus.io/port: "{{ .Values.service.httpPort }}"
+        {{- range $key, $value := .Values.podAnnotations }}
+        {{ $key }}: {{ $value | quote }}
+        {{- end }}
    spec:
      terminationGracePeriodSeconds: 30
+      {{- if .Values.serviceAccount.enabled }}
+      serviceAccountName: {{ template "podinfo.serviceAccountName" . }}
+      {{- end }}
      containers:
        - name: {{ .Chart.Name }}
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- if .Values.securityContext }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          {{- else if (or .Values.service.hostPort .Values.tls.hostPort) }}
+          securityContext:
+            allowPrivilegeEscalation: true
+            capabilities:
+              drop:
+                - ALL
+              add:
+                - NET_BIND_SERVICE
+          {{- end }}
          command:
            - ./podinfo
-            - --port={{ .Values.service.containerPort }}
+            - --port={{ .Values.service.httpPort | default 9898 }}
+            {{- if .Values.host }}
+            - --host={{ .Values.host }}
+            {{- end }}
+            {{- if .Values.tls.enabled }}
+            - --secure-port={{ .Values.tls.port }}
+            {{- end }}
+            {{- if .Values.tls.certPath }}
+            - --cert-path={{ .Values.tls.certPath }}
+            {{- end }}
+            {{- if .Values.service.metricsPort }}
+            - --port-metrics={{ .Values.service.metricsPort }}
+            {{- end }}
+            {{- if .Values.service.grpcPort }}
+            - --grpc-port={{ .Values.service.grpcPort }}
+            {{- end }}
+            {{- if .Values.service.grpcService }}
+            - --grpc-service-name={{ .Values.service.grpcService }}
+            {{- end }}
+            {{- range .Values.backends }}
+            - --backend-url={{ . }}
+            {{- end }}
+            {{- if .Values.cache }}
+            - --cache-server={{ .Values.cache }}
+            {{- else if .Values.redis.enabled }}
+            - --cache-server=tcp://{{ template "podinfo.fullname" . }}-redis:6379
+            {{- end }}
            - --level={{ .Values.logLevel }}
            - --random-delay={{ .Values.faults.delay }}
            - --random-error={{ .Values.faults.error }}
+            {{- if .Values.faults.unhealthy }}
+            - --unhealthy
+            {{- end }}
+            {{- if .Values.faults.unready }}
+            - --unready
+            {{- end }}
+            {{- if .Values.h2c.enabled }}
+            - --h2c
+            {{- end }}
          env:
-          - name: PODINFO_UI_COLOR
-            value: {{ .Values.color }}
-          {{- if .Values.message }}
+          {{- if .Values.ui.message }}
          - name: PODINFO_UI_MESSAGE
-            value: {{ .Values.message }}
+            value: {{ quote .Values.ui.message }}
+          {{- end }}
+          {{- if .Values.ui.logo }}
+          - name: PODINFO_UI_LOGO
+            value: {{ .Values.ui.logo }}
+          {{- end }}
+          {{- if .Values.ui.color }}
+          - name: PODINFO_UI_COLOR
+            value: {{ quote .Values.ui.color }}
          {{- end }}
          {{- if .Values.backend }}
          - name: PODINFO_BACKEND_URL
@@ -49,15 +106,36 @@ spec:
          {{- end }}
          ports:
            - name: http
-              containerPort: {{ .Values.service.containerPort }}
+              containerPort: {{ .Values.service.httpPort | default 9898 }}
              protocol: TCP
+              {{- if .Values.service.hostPort }}
+              hostPort: {{ .Values.service.hostPort }}
+              {{- end }}
+            {{- if .Values.tls.enabled }}
+            - name: https
+              containerPort: {{ .Values.tls.port | default 9899 }}
+              protocol: TCP
+              {{- if .Values.tls.hostPort }}
+              hostPort: {{ .Values.tls.hostPort }}
+              {{- end }}
+            {{- end }}
+            {{- if .Values.service.metricsPort }}
+            - name: http-metrics
+              containerPort: {{ .Values.service.metricsPort }}
+              protocol: TCP
+            {{- end }}
+            {{- if .Values.service.grpcPort }}
+            - name: grpc
+              containerPort: {{ .Values.service.grpcPort }}
+              protocol: TCP
+            {{- end }}
          livenessProbe:
            exec:
              command:
              - podcli
              - check
              - http
-              - localhost:{{ .Values.service.containerPort }}/healthz
+              - localhost:{{ .Values.service.httpPort | default 9898 }}/healthz
            initialDelaySeconds: 1
            timeoutSeconds: 5
          readinessProbe:
@@ -66,12 +144,17 @@ spec:
              - podcli
              - check
              - http
-              - localhost:{{ .Values.service.containerPort }}/readyz
+              - localhost:{{ .Values.service.httpPort | default 9898 }}/readyz
            initialDelaySeconds: 1
            timeoutSeconds: 5
          volumeMounts:
          - name: data
            mountPath: /data
+          {{- if .Values.tls.enabled }}
+          - name: tls
+            mountPath: {{ .Values.tls.certPath | default "/data/cert" }}
+            readOnly: true
+          {{- end }}
          resources:
 {{ toYaml .Values.resources | indent 12 }}
    {{- with .Values.nodeSelector }}
@@ -89,3 +172,8 @@ spec:
      volumes:
      - name: data
        emptyDir: {}
+      {{- if .Values.tls.enabled }}
+      - name: tls
+        secret:
+          secretName: {{ template "podinfo.tlsSecretName" . }}
+      {{- end }}
--- a/charts/podinfo/templates/hpa.yaml
+++ b/charts/podinfo/templates/hpa.yaml
@@ -1,11 +1,13 @@
 {{- if .Values.hpa.enabled -}}
-apiVersion: autoscaling/v2beta1
+apiVersion: autoscaling/v2beta2
 kind: HorizontalPodAutoscaler
 metadata:
  name: {{ template "podinfo.fullname" . }}
+  labels:
+    {{- include "podinfo.labels" . | nindent 4 }}  
 spec:
  scaleTargetRef:
-    apiVersion: apps/v1beta2
+    apiVersion: apps/v1
    kind: Deployment
    name: {{ template "podinfo.fullname" . }}
  minReplicas: {{ .Values.replicaCount }}
@@ -15,18 +17,25 @@ spec:
  - type: Resource
    resource:
      name: cpu
-      targetAverageUtilization: {{ .Values.hpa.cpu }}
+      target:
+        type: Utilization
+        averageUtilization: {{ .Values.hpa.cpu }}
  {{- end }}
  {{- if .Values.hpa.memory }}
  - type: Resource
    resource:
      name: memory
-      targetAverageValue: {{ .Values.hpa.memory }}
+      target:
+        type: AverageValue
+        averageValue: {{ .Values.hpa.memory }}
  {{- end }}
  {{- if .Values.hpa.requests }}
-  - type: Pod
-      pods:
-        metricName: http_requests
-        targetAverageValue: {{ .Values.hpa.requests }}
+  - type: Pods
+    pods:
+      metric:
+        name: http_requests
+      target:
+        type: AverageValue
+        averageValue: {{ .Values.hpa.requests }}
  {{- end }}
 {{- end }}
--- a/charts/podinfo/templates/ingress.yaml
+++ b/charts/podinfo/templates/ingress.yaml
@@ -1,39 +1,41 @@
 {{- if .Values.ingress.enabled -}}
 {{- $fullName := include "podinfo.fullname" . -}}
-{{- $servicePort := .Values.service.port -}}
-{{- $ingressPath := .Values.ingress.path -}}
-apiVersion: extensions/v1beta1
+{{- $svcPort := .Values.service.externalPort -}}
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: {{ $fullName }}
  labels:
-    app: {{ template "podinfo.name" . }}
-    chart: {{ template "podinfo.chart" . }}
-    release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
-{{- with .Values.ingress.annotations }}
+    {{- include "podinfo.labels" . | nindent 4 }}
+  {{- with .Values.ingress.annotations }}
  annotations:
-{{ toYaml . | indent 4 }}
-{{- end }}
-spec:
-{{- if .Values.ingress.tls }}
-  tls:
-  {{- range .Values.ingress.tls }}
-    - hosts:
-      {{- range .hosts }}
-        - {{ . }}
-      {{- end }}
-      secretName: {{ .secretName }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  ingressClassName: {{ .Values.ingress.className }}
+  {{- if .Values.ingress.tls }}
+  tls:
+    {{- range .Values.ingress.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
  {{- end }}
-{{- end }}
  rules:
-  {{- range .Values.ingress.hosts }}
-    - host: {{ . }}
+    {{- range .Values.ingress.hosts }}
+    - host: {{ .host | quote }}
      http:
        paths:
-          - path: {{ $ingressPath }}
+          {{- range .paths }}
+          - path: {{ .path }}
+            pathType: {{ .pathType }}
            backend:
-              serviceName: {{ $fullName }}
-              servicePort: http
-  {{- end }}
+              service:
+                name: {{ $fullName }}
+                port:
+                  number: {{ $svcPort }}
+          {{- end }}
+    {{- end }}
 {{- end }}
--- a/charts/podinfo/templates/linkerd.yaml
+++ b/charts/podinfo/templates/linkerd.yaml
@@ -0,0 +1,98 @@
+{{- if .Values.linkerd.profile.enabled -}}
+apiVersion: linkerd.io/v1alpha2
+kind: ServiceProfile
+metadata:
+  name: {{ template "podinfo.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local
+  labels:
+    {{- include "podinfo.labels" . | nindent 4 }}  
+spec:
+  routes:
+    - condition:
+        method: GET
+        pathRegex: /
+      name: GET /
+    - condition:
+        method: POST
+        pathRegex: /api/echo
+      name: POST /api/echo
+    - condition:
+        method: GET
+        pathRegex: /api/info
+      name: GET /api/info
+    - condition:
+        method: GET
+        pathRegex: /chunked/[^/]*
+      name: GET /chunked/{seconds}
+    - condition:
+        method: GET
+        pathRegex: /delay/[^/]*
+      name: GET /delay/{seconds}
+    - condition:
+        method: GET
+        pathRegex: /env
+      name: GET /env
+    - condition:
+        method: GET
+        pathRegex: /headers
+      name: GET /headers
+    - condition:
+        method: GET
+        pathRegex: /healthz
+      name: GET /healthz
+    - condition:
+        method: GET
+        pathRegex: /metrics
+      name: GET /metrics
+    - condition:
+        method: GET
+        pathRegex: /panic
+      name: GET /panic
+    - condition:
+        method: GET
+        pathRegex: /readyz
+      name: GET /readyz
+    - condition:
+        method: POST
+        pathRegex: /readyz/disable
+      name: POST /readyz/disable
+    - condition:
+        method: POST
+        pathRegex: /readyz/enable
+      name: POST /readyz/enable
+    - condition:
+        method: GET
+        pathRegex: /status/[^/]*
+      name: GET /status/{code}
+    - condition:
+        method: POST
+        pathRegex: /cache
+      name: POST /cache
+    - condition:
+        method: GET
+        pathRegex: /cache/[^/]*
+      name: GET /cache/{hash}
+    - condition:
+        method: POST
+        pathRegex: /store
+      name: POST /store
+    - condition:
+        method: GET
+        pathRegex: /store/[^/]*
+      name: GET /store/{hash}
+    - condition:
+        method: POST
+        pathRegex: /token
+      name: POST /token
+    - condition:
+        method: POST
+        pathRegex: /token/validate
+      name: POST /token/validate
+    - condition:
+        method: GET
+        pathRegex: /version
+      name: GET /version
+    - condition:
+        method: POST
+        pathRegex: /ws/echo
+      name: POST /ws/echo
+{{- end }}
--- a/charts/podinfo/templates/redis/config.yaml
+++ b/charts/podinfo/templates/redis/config.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.redis.enabled -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "podinfo.fullname" . }}-redis
+data:
+  redis.conf: |
+    maxmemory 64mb
+    maxmemory-policy allkeys-lru
+    save ""
+    appendonly no
+{{- end }}
--- a/charts/podinfo/templates/redis/deployment.yaml
+++ b/charts/podinfo/templates/redis/deployment.yaml
@@ -0,0 +1,68 @@
+{{- if .Values.redis.enabled -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "podinfo.fullname" . }}-redis
+  labels:
+    app: {{ template "podinfo.fullname" . }}-redis
+spec:
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: {{ template "podinfo.fullname" . }}-redis
+  template:
+    metadata:
+      labels:
+        app: {{ template "podinfo.fullname" . }}-redis
+      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/redis/config.yaml") . | sha256sum | quote }}
+    spec:
+      {{- if .Values.serviceAccount.enabled }}
+      serviceAccountName: {{ template "podinfo.serviceAccountName" . }}
+      {{- end }}
+      containers:
+        - name: redis
+          image: "{{ .Values.redis.repository }}:{{ .Values.redis.tag }}"
+          imagePullPolicy: IfNotPresent
+          command:
+            - redis-server
+            - "/redis-master/redis.conf"
+          ports:
+            - name: redis
+              containerPort: 6379
+              protocol: TCP
+          livenessProbe:
+            tcpSocket:
+              port: redis
+            initialDelaySeconds: 5
+            timeoutSeconds: 5
+          readinessProbe:
+            exec:
+              command:
+                - redis-cli
+                - ping
+            initialDelaySeconds: 5
+            timeoutSeconds: 5
+          resources:
+            limits:
+              cpu: 1000m
+              memory: 128Mi
+            requests:
+              cpu: 100m
+              memory: 32Mi
+          volumeMounts:
+            - mountPath: /var/lib/redis
+              name: data
+            - mountPath: /redis-master
+              name: config
+      volumes:
+        - name: data
+          emptyDir: {}
+        - name: config
+          configMap:
+            name: {{ template "podinfo.fullname" . }}-redis
+            items:
+              - key: redis.conf
+                path: redis.conf
+{{- end }}
--- a/charts/podinfo/templates/redis/service.yaml
+++ b/charts/podinfo/templates/redis/service.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.redis.enabled -}}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "podinfo.fullname" . }}-redis
+  labels:
+    app: {{ template "podinfo.fullname" . }}-redis
+spec:
+  type: ClusterIP
+  selector:
+    app: {{ template "podinfo.fullname" . }}-redis
+  ports:
+    - name: redis
+      port: 6379
+      protocol: TCP
+      targetPort: redis
+{{- end }}
--- a/charts/podinfo/templates/service.yaml
+++ b/charts/podinfo/templates/service.yaml
@@ -1,12 +1,14 @@
+{{- if .Values.service.enabled -}}
 apiVersion: v1
 kind: Service
 metadata:
  name: {{ template "podinfo.fullname" . }}
  labels:
-    app: {{ template "podinfo.name" . }}
-    chart: {{ template "podinfo.chart" . }}
-    release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
+    {{- include "podinfo.labels" . | nindent 4 }}
+{{- with .Values.service.annotations }}
+  annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
 spec:
  type: {{ .Values.service.type }}
  ports:
@@ -17,6 +19,18 @@ spec:
      {{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePort))) }}
      nodePort: {{ .Values.service.nodePort }}
      {{- end }}
+    {{- if .Values.tls.enabled }}
+    - port: {{ .Values.tls.port | default 9899 }}
+      targetPort: https
+      protocol: TCP
+      name: https
+    {{- end }}
+    {{- if .Values.service.grpcPort }}
+    - port: {{ .Values.service.grpcPort }}
+      targetPort: grpc
+      protocol: TCP
+      name: grpc
+    {{- end }}
  selector:
-    app: {{ template "podinfo.name" . }}
-    release: {{ .Release.Name }}
+    {{- include "podinfo.selectorLabels" . | nindent 4 }}
+{{- end }}
--- a/charts/podinfo/templates/serviceaccount.yaml
+++ b/charts/podinfo/templates/serviceaccount.yaml
@@ -0,0 +1,8 @@
+{{- if .Values.serviceAccount.enabled -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "podinfo.serviceAccountName" . }}
+  labels:
+    {{- include "podinfo.labels" . | nindent 4 }}
+{{- end -}}
--- a/charts/podinfo/templates/servicemonitor.yaml
+++ b/charts/podinfo/templates/servicemonitor.yaml
@@ -0,0 +1,22 @@
+{{- if .Values.serviceMonitor.enabled -}}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ template "podinfo.fullname" . }}
+  labels:
+    {{- include "podinfo.labels" . | nindent 4 }}
+    {{- with .Values.serviceMonitor.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  endpoints:
+    - path: /metrics
+      port: http
+      interval: {{ .Values.serviceMonitor.interval }}
+  namespaceSelector:
+    matchNames:
+      - {{ .Release.Namespace }}
+  selector:
+    matchLabels:
+      {{- include "podinfo.selectorLabels" . | nindent 6 }}
+{{- end }}
--- a/charts/podinfo/templates/tests/cache.yaml
+++ b/charts/podinfo/templates/tests/cache.yaml
@@ -0,0 +1,29 @@
+{{- if .Values.cache }}
+apiVersion: v1
+kind: Pod
+metadata:
+  name: {{ template "podinfo.fullname" . }}-cache-test-{{ randAlphaNum 5 | lower }}
+  labels:
+    {{- include "podinfo.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": test
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+    sidecar.istio.io/inject: "false"
+    linkerd.io/inject: disabled
+    appmesh.k8s.aws/sidecarInjectorWebhook: disabled
+spec:
+  containers:
+    - name: curl
+      image: curlimages/curl:7.69.0
+      command:
+        - sh
+        - -c
+        - |
+          curl -sd 'data' ${PODINFO_SVC}/cache/test &&
+          curl -s ${PODINFO_SVC}/cache/test | grep data &&
+          curl -s -XDELETE ${PODINFO_SVC}/cache/test
+      env:
+      - name: PODINFO_SVC
+        value: "{{ template "podinfo.fullname" . }}.{{ .Release.Namespace }}:{{ .Values.service.externalPort }}"
+  restartPolicy: Never
+{{- end }}
--- a/charts/podinfo/templates/tests/fail.yaml
+++ b/charts/podinfo/templates/tests/fail.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.faults.testFail }}
+apiVersion: v1
+kind: Pod
+metadata:
+  name: {{ template "podinfo.fullname" . }}-fault-test-{{ randAlphaNum 5 | lower }}
+  labels:
+    {{- include "podinfo.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": test-success
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+    sidecar.istio.io/inject: "false"
+    linkerd.io/inject: disabled
+    appmesh.k8s.aws/sidecarInjectorWebhook: disabled
+spec:
+  containers:
+    - name: fault
+      image: alpine:3.11
+      command: ['/bin/sh']
+      args:  ['-c', 'exit 1']
+  restartPolicy: Never
+{{- end }}
--- a/charts/podinfo/templates/tests/grpc.yaml
+++ b/charts/podinfo/templates/tests/grpc.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: {{ template "podinfo.fullname" . }}-grpc-test-{{ randAlphaNum 5 | lower }}
+  labels:
+    {{- include "podinfo.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": test-success
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+    sidecar.istio.io/inject: "false"
+    linkerd.io/inject: disabled
+    appmesh.k8s.aws/sidecarInjectorWebhook: disabled
+spec:
+  containers:
+    - name: grpc-health-probe
+      image: stefanprodan/grpc_health_probe:v0.3.0
+      command: ['grpc_health_probe']
+      args:  ['-addr={{ template "podinfo.fullname" . }}.{{ .Release.Namespace }}:{{ .Values.service.grpcPort }}']
+  restartPolicy: Never
--- a/charts/podinfo/templates/tests/jwt.yaml
+++ b/charts/podinfo/templates/tests/jwt.yaml
@@ -3,41 +3,24 @@ kind: Pod
 metadata:
  name: {{ template "podinfo.fullname" . }}-jwt-test-{{ randAlphaNum 5 | lower }}
  labels:
-    heritage: {{ .Release.Service }}
-    release: {{ .Release.Name }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
-    app: {{ template "podinfo.name" . }}
+    {{- include "podinfo.labels" . | nindent 4 }}
  annotations:
    "helm.sh/hook": test-success
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+    sidecar.istio.io/inject: "false"
+    linkerd.io/inject: disabled
+    appmesh.k8s.aws/sidecarInjectorWebhook: disabled
 spec:
  containers:
    - name: tools
      image: giantswarm/tiny-tools
-      command: ["/bin/sh", "/scripts/test.sh"]
+      command:
+        - sh
+        - -c
+        - |
+          TOKEN=$(curl -sd 'test' ${PODINFO_SVC}/token | jq -r .token) &&
+          curl -sH "Authorization: Bearer ${TOKEN}" ${PODINFO_SVC}/token/validate | grep test
      env:
      - name: PODINFO_SVC
-        value: {{ template "podinfo.fullname" . }}:{{ .Values.service.externalPort }}
-      volumeMounts:
-      - name: scripts
-        mountPath: /scripts
+        value: "{{ template "podinfo.fullname" . }}.{{ .Release.Namespace }}:{{ .Values.service.externalPort }}"
  restartPolicy: Never
-  volumes:
-  - name: scripts
-    configMap:
-      name: {{ template "podinfo.fullname" . }}-storage-cfg
---
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: {{ template "podinfo.fullname" . }}-storage-cfg
-  labels:
-    heritage: {{ .Release.Service }}
-    release: {{ .Release.Name }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
-    app: {{ template "podinfo.name" . }}
-data:
-  test.sh: |
-    #!/bin/sh
-    echo "testing ${PODINFO_SVC}/token"
-    TOKEN=$(curl -sd 'test' ${PODINFO_SVC}/token | jq -r .token) && \
-    curl -H "Authorization: Bearer ${TOKEN}" ${PODINFO_SVC}/token/validate | grep test
--- a/charts/podinfo/templates/tests/service.yaml
+++ b/charts/podinfo/templates/tests/service.yaml
@@ -3,16 +3,23 @@ kind: Pod
 metadata:
  name: {{ template "podinfo.fullname" . }}-service-test-{{ randAlphaNum 5 | lower }}
  labels:
-    heritage: {{ .Release.Service }}
-    release: {{ .Release.Name }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
-    app: {{ template "podinfo.name" . }}
+    {{- include "podinfo.labels" . | nindent 4 }}
  annotations:
    "helm.sh/hook": test-success
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+    sidecar.istio.io/inject: "false"
+    linkerd.io/inject: disabled
+    appmesh.k8s.aws/sidecarInjectorWebhook: disabled
 spec:
  containers:
    - name: curl
-      image: radial/busyboxplus:curl
-      command: ['curl']
-      args:  ['{{ template "podinfo.fullname" . }}:{{ .Values.service.externalPort }}']
+      image: curlimages/curl:7.69.0
+      command:
+        - sh
+        - -c
+        - |
+          curl -s ${PODINFO_SVC}/api/info | grep version
+      env:
+        - name: PODINFO_SVC
+          value: "{{ template "podinfo.fullname" . }}.{{ .Release.Namespace }}:{{ .Values.service.externalPort }}"
  restartPolicy: Never
--- a/charts/podinfo/templates/tests/timeout.yaml
+++ b/charts/podinfo/templates/tests/timeout.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.faults.testTimeout }}
+apiVersion: v1
+kind: Pod
+metadata:
+  name: {{ template "podinfo.fullname" . }}-fault-test-{{ randAlphaNum 5 | lower }}
+  labels:
+    {{- include "podinfo.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": test-success
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+    sidecar.istio.io/inject: "false"
+    linkerd.io/inject: disabled
+    appmesh.k8s.aws/sidecarInjectorWebhook: disabled
+spec:
+  containers:
+    - name: fault
+      image: alpine:3.11
+      command: ['/bin/sh']
+      args:  ['-c', 'while sleep 3600; do :; done']
+  restartPolicy: Never
+{{- end }}
--- a/charts/podinfo/templates/tests/tls.yaml
+++ b/charts/podinfo/templates/tests/tls.yaml
@@ -0,0 +1,27 @@
+{{- if .Values.tls.enabled -}}
+apiVersion: v1
+kind: Pod
+metadata:
+  name: {{ template "podinfo.fullname" . }}-tls-test-{{ randAlphaNum 5 | lower }}
+  labels:
+    {{- include "podinfo.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": test-success
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+    sidecar.istio.io/inject: "false"
+    linkerd.io/inject: disabled
+    appmesh.k8s.aws/sidecarInjectorWebhook: disabled
+spec:
+  containers:
+    - name: curl
+      image: curlimages/curl:7.69.0
+      command:
+        - sh
+        - -c
+        - |
+          curl -sk ${PODINFO_SVC}/api/info | grep version
+      env:
+        - name: PODINFO_SVC
+          value: "https://{{ template "podinfo.fullname" . }}.{{ .Release.Namespace }}:{{ .Values.tls.port }}"
+  restartPolicy: Never
+{{- end }}
--- a/charts/podinfo/values-prod.yaml
+++ b/charts/podinfo/values-prod.yaml
@@ -0,0 +1,137 @@
+# Production values for podinfo.
+# Includes Redis deployment and memory limits.
+
+replicaCount: 1
+logLevel: info
+backend: #http://backend-podinfo:9898/echo
+backends: []
+
+image:
+  repository: ghcr.io/stefanprodan/podinfo
+  tag: 6.1.4
+  pullPolicy: IfNotPresent
+
+ui:
+  color: "#34577c"
+  message: ""
+  logo: ""
+
+# failure conditions
+faults:
+  delay: false
+  error: false
+  unhealthy: false
+  unready: false
+  testFail: false
+  testTimeout: false
+
+# Kubernetes Service settings
+service:
+  enabled: true
+  annotations: {}
+  type: ClusterIP
+  metricsPort: 9797
+  httpPort: 9898
+  externalPort: 9898
+  grpcPort: 9999
+  grpcService: podinfo
+  nodePort: 31198
+
+# enable h2c protocol (non-TLS version of HTTP/2)
+h2c:
+  enabled: false
+
+# enable tls on the podinfo service
+tls:
+  enabled: false
+  # the name of the secret used to mount the certificate key pair
+  secretName:
+  # the path where the certificate key pair will be mounted
+  certPath: /data/cert
+  # the port used to host the tls endpoint on the service
+  port: 9899
+  # the port used to bind the tls port to the host
+  # NOTE: requires privileged container with NET_BIND_SERVICE capability -- this is useful for testing
+  # in local clusters such as kind without port forwarding
+  hostPort:
+
+# create a certificate manager certificate (cert-manager required)
+certificate:
+  create: false
+  # the issuer used to issue the certificate
+  issuerRef:
+    kind: ClusterIssuer
+    name: self-signed
+  # the hostname / subject alternative names for the certificate
+  dnsNames:
+    - podinfo
+
+# metrics-server add-on required
+hpa:
+  enabled: true
+  maxReplicas: 5
+  # average total CPU usage per pod (1-100)
+  cpu: 99
+  # average memory usage per pod (100Mi-1Gi)
+  memory:
+  # average http requests per second per pod (k8s-prometheus-adapter)
+  requests:
+
+# Redis address in the format tcp://<host>:<port>
+cache: ""
+# Redis deployment
+redis:
+  enabled: true
+  repository: redis
+  tag: 6.0.8
+
+serviceAccount:
+  # Specifies whether a service account should be created
+  enabled: false
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name:
+
+# set container security context
+securityContext: {}
+
+ingress:
+  enabled: false
+  className: ""
+  annotations: {}
+    # kubernetes.io/ingress.class: nginx
+    # kubernetes.io/tls-acme: "true"
+  hosts:
+    - host: podinfo.local
+      paths:
+        - path: /
+          pathType: ImplementationSpecific
+  tls: []
+  #  - secretName: chart-example-tls
+  #    hosts:
+  #      - chart-example.local
+
+linkerd:
+  profile:
+    enabled: false
+
+# create Prometheus Operator monitor
+serviceMonitor:
+  enabled: false
+  interval: 15s
+  additionalLabels: {}
+
+resources:
+  limits:
+    memory: 256Mi
+  requests:
+    cpu: 100m
+    memory: 64Mi
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+podAnnotations: {}
--- a/charts/podinfo/values.yaml
+++ b/charts/podinfo/values.yaml
@@ -2,24 +2,73 @@

 replicaCount: 1
 logLevel: info
-color: blue
+host: #0.0.0.0
 backend: #http://backend-podinfo:9898/echo
-message: #UI greetings
+backends: []

+image:
+  repository: ghcr.io/stefanprodan/podinfo
+  tag: 6.1.4
+  pullPolicy: IfNotPresent
+
+ui:
+  color: "#34577c"
+  message: ""
+  logo: ""
+
+# failure conditions
 faults:
  delay: false
  error: false
+  unhealthy: false
+  unready: false
+  testFail: false
+  testTimeout: false

-image:
-  repository: quay.io/stefanprodan/podinfo
-  tag: 2.0.2
-  pullPolicy: IfNotPresent
-
+# Kubernetes Service settings
 service:
+  enabled: true
+  annotations: {}
  type: ClusterIP
+  metricsPort: 9797
+  httpPort: 9898
  externalPort: 9898
-  containerPort: 9898
+  grpcPort: 9999
+  grpcService: podinfo
  nodePort: 31198
+  # the port used to bind the http port to the host
+  # NOTE: requires privileged container with NET_BIND_SERVICE capability -- this is useful for testing
+  # in local clusters such as kind without port forwarding
+  hostPort:
+
+# enable h2c protocol (non-TLS version of HTTP/2)
+h2c:
+  enabled: false
+
+# enable tls on the podinfo service
+tls:
+  enabled: false
+  # the name of the secret used to mount the certificate key pair
+  secretName:
+  # the path where the certificate key pair will be mounted
+  certPath: /data/cert
+  # the port used to host the tls endpoint on the service
+  port: 9899
+  # the port used to bind the tls port to the host
+  # NOTE: requires privileged container with NET_BIND_SERVICE capability -- this is useful for testing
+  # in local clusters such as kind without port forwarding
+  hostPort:
+
+# create a certificate manager certificate (cert-manager required)
+certificate:
+  create: false
+  # the issuer used to issue the certificate
+  issuerRef:
+    kind: ClusterIssuer
+    name: self-signed
+  # the hostname / subject alternative names for the certificate
+  dnsNames:
+    - podinfo

 # metrics-server add-on required
 hpa:
@@ -32,19 +81,50 @@ hpa:
  # average http requests per second per pod (k8s-prometheus-adapter)
  requests:

+# Redis address in the format tcp://<host>:<port>
+cache: ""
+# Redis deployment
+redis:
+  enabled: false
+  repository: redis
+  tag: 6.0.8
+
+serviceAccount:
+  # Specifies whether a service account should be created
+  enabled: false
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name:
+
+# set container security context
+securityContext: {}
+
 ingress:
  enabled: false
+  className: ""
  annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
-  path: /
  hosts:
-    - podinfo.local
+    - host: podinfo.local
+      paths:
+        - path: /
+          pathType: ImplementationSpecific
  tls: []
  #  - secretName: chart-example-tls
  #    hosts:
  #      - chart-example.local

+linkerd:
+  profile:
+    enabled: false
+
+# create Prometheus Operator monitor
+serviceMonitor:
+  enabled: false
+  interval: 15s
+  additionalLabels: {}
+
 resources:
  limits:
  requests:
@@ -57,3 +137,4 @@ tolerations: []

 affinity: {}

+podAnnotations: {}
--- a/cmd/podcli/check.go
+++ b/cmd/podcli/check.go
@@ -14,14 +14,19 @@ import (

 	"github.com/spf13/cobra"
 	"go.uber.org/zap"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/health/grpc_health_v1"
+	"google.golang.org/grpc/status"
 )

 var (
-	retryCount int
-	retryDelay time.Duration
-	method     string
-	body       string
-	timeout    time.Duration
+	retryCount      int
+	retryDelay      time.Duration
+	method          string
+	body            string
+	timeout         time.Duration
+	grpcServiceName string
 )

 var checkCmd = &cobra.Command{
@@ -51,6 +56,13 @@ var checkCertCmd = &cobra.Command{
 	RunE:    runCheckCert,
 }

+var checkgRPCCmd = &cobra.Command{
+	Use:     `grpc [address]`,
+	Short:   "gRPC health check",
+	Example: `  check grpc localhost:8080 --service=podinfo --retry=1 --delay=2s --timeout=2s`,
+	RunE:    runCheckgPRC,
+}
+
 func init() {
 	checkUrlCmd.Flags().StringVar(&method, "method", "GET", "HTTP method")
 	checkUrlCmd.Flags().StringVar(&body, "body", "", "HTTP POST/PUT content")
@@ -64,6 +76,12 @@ func init() {
 	checkTcpCmd.Flags().DurationVar(&timeout, "timeout", 5*time.Second, "timeout")
 	checkCmd.AddCommand(checkTcpCmd)

+	checkgRPCCmd.Flags().IntVar(&retryCount, "retry", 0, "times to retry the TCP check")
+	checkgRPCCmd.Flags().DurationVar(&retryDelay, "delay", 1*time.Second, "wait duration between retries")
+	checkgRPCCmd.Flags().DurationVar(&timeout, "timeout", 5*time.Second, "timeout")
+	checkgRPCCmd.Flags().StringVar(&grpcServiceName, "service", "", "gRPC service name")
+	checkCmd.AddCommand(checkgRPCCmd)
+
 	checkCmd.AddCommand(checkCertCmd)

 	rootCmd.AddCommand(checkCmd)
@@ -243,3 +261,53 @@ func fmtContentLength(b int64) string {
 	}
 	return fmt.Sprintf("%.1f %cB", float64(b)/float64(div), "kMGTPE"[exp])
 }
+
+func runCheckgPRC(cmd *cobra.Command, args []string) error {
+	if retryCount < 0 {
+		return fmt.Errorf("--retry is required")
+	}
+	if len(args) < 1 {
+		return fmt.Errorf("address is required! example: check grpc localhost:8080")
+	}
+	address := args[0]
+
+	for n := 0; n <= retryCount; n++ {
+		if n != 1 {
+			time.Sleep(retryDelay)
+		}
+
+		conn, err := grpc.Dial(address, grpc.WithInsecure())
+		if err != nil {
+			logger.Info("check failed",
+				zap.String("address", address),
+				zap.Error(err))
+			continue
+		}
+		ctx, cancel := context.WithTimeout(context.Background(), timeout)
+		resp, err := grpc_health_v1.NewHealthClient(conn).Check(ctx, &grpc_health_v1.HealthCheckRequest{
+			Service: grpcServiceName,
+		})
+		cancel()
+
+		if err != nil {
+			if stat, ok := status.FromError(err); ok && stat.Code() == codes.Unimplemented {
+				logger.Info("gPRC health protocol not implemented")
+				os.Exit(1)
+			} else {
+				logger.Info("check failed",
+					zap.String("address", address),
+					zap.Error(err))
+			}
+			continue
+		}
+
+		conn.Close()
+		logger.Info("check succeed",
+			zap.String("status", resp.GetStatus().String()))
+		os.Exit(0)
+
+	}
+
+	os.Exit(1)
+	return nil
+}
--- a/cmd/podcli/code.go
+++ b/cmd/podcli/code.go
@@ -1,365 +0,0 @@
-package main
-
-import (
-	"fmt"
-	"io"
-	"io/ioutil"
-	"log"
-	"os"
-	"os/exec"
-	"path"
-	"path/filepath"
-	"regexp"
-	"strings"
-
-	"github.com/hashicorp/go-getter"
-	"github.com/spf13/cobra"
-)
-
-var (
-	codeProjectName string
-	codeGitUser     string
-	codeVersion     string
-	codeProjectPath string
-)
-
-var codeCmd = &cobra.Command{
-	Use:   `code`,
-	Short: "Code commands",
-}
-
-var codeInitCmd = &cobra.Command{
-	Use:     `init [name]`,
-	Short:   "initialize podinfo code repo",
-	Example: `  code init demo-app --version=v1.2.0 --git-user=stefanprodan`,
-	RunE:    runCodeInit,
-}
-
-func init() {
-	codeInitCmd.Flags().StringVar(&codeGitUser, "git-user", "", "GitHub user or org")
-	codeInitCmd.Flags().StringVar(&codeVersion, "version", "master", "podinfo repo tag or branch name")
-	codeInitCmd.Flags().StringVar(&codeProjectPath, "path", ".", "destination repo")
-
-	codeCmd.AddCommand(codeInitCmd)
-
-	rootCmd.AddCommand(codeCmd)
-}
-
-func runCodeInit(cmd *cobra.Command, args []string) error {
-
-	if len(codeGitUser) < 0 {
-		return fmt.Errorf("--git-user is required")
-	}
-	if len(args) < 1 {
-		return fmt.Errorf("project name is required")
-	}
-
-	codeProjectName = args[0]
-
-	pwd, err := os.Getwd()
-	if err != nil {
-		log.Fatalf("Error getting pwd: %s", err)
-		os.Exit(1)
-	}
-
-	tmpPath := "/tmp/k8s-podinfo"
-	versionName := fmt.Sprintf("k8s-podinfo-%s", codeVersion)
-
-	downloadURL := fmt.Sprintf("https://github.com/stefanprodan/podinfo/archive/%s.zip", codeVersion)
-	client := &getter.Client{
-		Src:  downloadURL,
-		Dst:  tmpPath,
-		Pwd:  pwd,
-		Mode: getter.ClientModeAny,
-	}
-
-	fmt.Printf("Downloading %s\n", downloadURL)
-
-	if err := client.Get(); err != nil {
-		log.Fatalf("Error downloading: %s", err)
-		os.Exit(1)
-	}
-
-	pkgFrom := "github.com/stefanprodan/podinfo"
-	pkgTo := fmt.Sprintf("github.com/%s/%s", codeGitUser, codeProjectName)
-
-	if err := replaceImports(tmpPath, pkgFrom, pkgTo); err != nil {
-		log.Fatalf("Error parsing imports: %s", err)
-		os.Exit(1)
-	}
-
-	dirs := []string{"pkg", "cmd", "ui", "vendor", ".github"}
-	for _, dir := range dirs {
-
-		err = os.MkdirAll(path.Join(codeProjectPath, dir), os.ModePerm)
-		if err != nil {
-			log.Fatalf("Error: %s", err)
-			os.Exit(1)
-		}
-		if err := copyDir(path.Join(tmpPath, versionName, dir), path.Join(codeProjectPath, dir)); err != nil {
-			log.Fatalf("Error: %s", err)
-			os.Exit(1)
-		}
-	}
-
-	files := []string{"Gopkg.toml", "Gopkg.lock"}
-	for _, file := range files {
-		if err := copyFile(path.Join(tmpPath, versionName, file), path.Join(codeProjectPath, file)); err != nil {
-			log.Fatalf("Error: %s", err)
-			os.Exit(1)
-		}
-
-		fileContent, err := ioutil.ReadFile(path.Join(codeProjectPath, file))
-		if err != nil {
-			log.Fatalf("Error: %s", err)
-			os.Exit(1)
-		}
-
-		newContent := strings.Replace(string(fileContent), pkgFrom, pkgTo, -1)
-		err = ioutil.WriteFile(path.Join(codeProjectPath, file), []byte(newContent), os.ModePerm)
-		if err != nil {
-			log.Fatalf("Error: %s", err)
-			os.Exit(1)
-		}
-	}
-
-	projFrom := "stefanprodan/podinfo"
-	projTo := fmt.Sprintf("%s/%s", codeGitUser, codeProjectName)
-
-	makeFiles := []string{"Makefile.gh", "Dockerfile.gh"}
-	for _, file := range makeFiles {
-		fileContent, err := ioutil.ReadFile(path.Join(tmpPath, versionName, file))
-		if err != nil {
-			log.Fatalf("Error: %s", err)
-			os.Exit(1)
-		}
-
-		destFile := strings.Replace(file, ".gh", "", -1)
-		newContent := strings.Replace(string(fileContent), projFrom, projTo, -1)
-		err = ioutil.WriteFile(path.Join(codeProjectPath, destFile), []byte(newContent), os.ModePerm)
-		if err != nil {
-			log.Fatalf("Error: %s", err)
-			os.Exit(1)
-		}
-	}
-
-	workflows := []string{".github/main.workflow"}
-	for _, file := range workflows {
-		fileContent, err := ioutil.ReadFile(path.Join(codeProjectPath, file))
-		if err != nil {
-			log.Fatalf("Error: %s", err)
-			os.Exit(1)
-		}
-
-		newContent := strings.Replace(string(fileContent), "Dockerfile.gh", "Dockerfile", -1)
-		err = ioutil.WriteFile(path.Join(codeProjectPath, file), []byte(newContent), os.ModePerm)
-		if err != nil {
-			log.Fatalf("Error: %s", err)
-			os.Exit(1)
-		}
-	}
-
-	dockerFiles := []string{"Dockerfile.ci"}
-	for _, file := range dockerFiles {
-		fileContent, err := ioutil.ReadFile(path.Join(tmpPath, versionName, file))
-		if err != nil {
-			log.Fatalf("Error: %s", err)
-			os.Exit(1)
-		}
-
-		newContent := strings.Replace(string(fileContent), projFrom, projTo, -1)
-		err = ioutil.WriteFile(path.Join(codeProjectPath, file), []byte(newContent), os.ModePerm)
-		if err != nil {
-			log.Fatalf("Error: %s", err)
-			os.Exit(1)
-		}
-	}
-
-	travisFiles := []string{"travis.lite.yml"}
-	for _, file := range travisFiles {
-		fileContent, err := ioutil.ReadFile(path.Join(tmpPath, versionName, file))
-		if err != nil {
-			log.Fatalf("Error: %s", err)
-			os.Exit(1)
-		}
-
-		destFile := strings.Replace(file, "travis.lite.yml", ".travis.yml", -1)
-		newContent := strings.Replace(string(fileContent), projFrom, projTo, -1)
-		err = ioutil.WriteFile(path.Join(codeProjectPath, destFile), []byte(newContent), os.ModePerm)
-		if err != nil {
-			log.Fatalf("Error: %s", err)
-			os.Exit(1)
-		}
-	}
-
-	err = gitPush()
-	if err != nil {
-		log.Fatalf("git push error: %s", err)
-		os.Exit(1)
-	}
-
-	fmt.Println("Initialization finished")
-	return nil
-}
-
-func gitPush() error {
-	cmdPush := fmt.Sprintf("git add . && git commit -m \"sync %s\" && git push", codeVersion)
-	cmd := exec.Command("sh", "-c", cmdPush)
-	output, err := cmd.Output()
-	if err != nil {
-		return err
-	}
-	fmt.Println(string(output))
-	return nil
-}
-
-func replaceImports(projectPath string, pkgFrom string, pkgTo string) error {
-	regexImport, err := regexp.Compile(`(?s)(import(.*?)\)|import.*$)`)
-	if err != nil {
-		return err
-	}
-
-	regexImportedPackage, err := regexp.Compile(`"(.*?)"`)
-	if err != nil {
-		return err
-	}
-
-	found := []string{}
-
-	err = filepath.Walk(projectPath, func(path string, info os.FileInfo, err error) error {
-		if filepath.Ext(path) == ".go" {
-			bts, err := ioutil.ReadFile(path)
-			if err != nil {
-				return err
-			}
-
-			content := string(bts)
-			matches := regexImport.FindAllString(content, -1)
-			isExists := false
-
-		isReplaceable:
-			for _, each := range matches {
-				for _, eachLine := range strings.Split(each, "\n") {
-					matchesInline := regexImportedPackage.FindAllString(eachLine, -1)
-					if err != nil {
-						return err
-					}
-
-					for _, eachSubline := range matchesInline {
-						if strings.Contains(eachSubline, pkgFrom) {
-							isExists = true
-							break isReplaceable
-						}
-					}
-				}
-			}
-
-			if isExists {
-				content = strings.Replace(content, `"`+pkgFrom+`"`, `"`+pkgTo+`"`, -1)
-				content = strings.Replace(content, `"`+pkgFrom+`/`, `"`+pkgTo+`/`, -1)
-				found = append(found, path)
-			}
-
-			err = ioutil.WriteFile(path, []byte(content), info.Mode())
-			if err != nil {
-				return err
-			}
-		}
-
-		return nil
-	})
-
-	if err != nil {
-		fmt.Println("ERROR", err.Error())
-	}
-
-	if len(found) == 0 {
-		fmt.Println("Nothing replaced")
-	} else {
-		fmt.Printf("Go imports total %d file replaced\n", len(found))
-	}
-
-	return nil
-}
-
-func copyDir(src string, dst string) error {
-	si, err := os.Stat(src)
-	if err != nil {
-		return err
-	}
-	if !si.IsDir() {
-		return fmt.Errorf("source is not a directory")
-	}
-
-	err = os.MkdirAll(dst, si.Mode())
-	if err != nil {
-		return err
-	}
-
-	entries, err := ioutil.ReadDir(src)
-	if err != nil {
-		return err
-	}
-
-	for _, entry := range entries {
-		srcPath := filepath.Join(src, entry.Name())
-		dstPath := filepath.Join(dst, entry.Name())
-
-		if entry.IsDir() {
-			err = copyDir(srcPath, dstPath)
-			if err != nil {
-				return err
-			}
-		} else {
-			// Skip symlinks.
-			if entry.Mode()&os.ModeSymlink != 0 {
-				continue
-			}
-
-			err = copyFile(srcPath, dstPath)
-			if err != nil {
-				return err
-			}
-		}
-	}
-	return nil
-}
-
-func copyFile(src, dst string) (err error) {
-	in, err := os.Open(src)
-	if err != nil {
-		return
-	}
-	defer in.Close()
-
-	out, err := os.Create(dst)
-	if err != nil {
-		return
-	}
-	defer func() {
-		if e := out.Close(); e != nil {
-			err = e
-		}
-	}()
-
-	_, err = io.Copy(out, in)
-	if err != nil {
-		return
-	}
-
-	err = out.Sync()
-	if err != nil {
-		return
-	}
-
-	si, err := os.Stat(src)
-	if err != nil {
-		return
-	}
-	err = os.Chmod(dst, si.Mode())
-	if err != nil {
-		return
-	}
-
-	return
-}
--- a/cmd/podcli/main.go
+++ b/cmd/podcli/main.go
@@ -2,11 +2,12 @@ package main

 import (
 	"fmt"
-	"github.com/spf13/cobra"
-	"go.uber.org/zap"
 	"log"
 	"os"
 	"strings"
+
+	"github.com/spf13/cobra"
+	"go.uber.org/zap"
 )

 var rootCmd = &cobra.Command{
--- a/cmd/podcli/version.go
+++ b/cmd/podcli/version.go
@@ -2,6 +2,7 @@ package main

 import (
 	"fmt"
+
 	"github.com/spf13/cobra"
 	"github.com/stefanprodan/podinfo/pkg/version"
 )
--- a/cmd/podinfo/main.go
+++ b/cmd/podinfo/main.go
@@ -2,41 +2,58 @@ package main

 import (
 	"fmt"
-	"github.com/spf13/pflag"
-	"github.com/spf13/viper"
-	"github.com/stefanprodan/podinfo/pkg/api"
-	"github.com/stefanprodan/podinfo/pkg/signals"
-	"github.com/stefanprodan/podinfo/pkg/version"
-	"go.uber.org/zap"
-	"go.uber.org/zap/zapcore"
 	"io/ioutil"
 	"os"
 	"path/filepath"
 	"strconv"
 	"strings"
 	"time"
+
+	"github.com/spf13/pflag"
+	"github.com/spf13/viper"
+	"go.uber.org/zap"
+	"go.uber.org/zap/zapcore"
+
+	"github.com/stefanprodan/podinfo/pkg/api"
+	"github.com/stefanprodan/podinfo/pkg/grpc"
+	"github.com/stefanprodan/podinfo/pkg/signals"
+	"github.com/stefanprodan/podinfo/pkg/version"
 )

 func main() {
 	// flags definition
 	fs := pflag.NewFlagSet("default", pflag.ContinueOnError)
-	fs.Int("port", 9898, "port")
+	fs.String("host", "", "Host to bind service to")
+	fs.Int("port", 9898, "HTTP port to bind service to")
+	fs.Int("secure-port", 0, "HTTPS port")
 	fs.Int("port-metrics", 0, "metrics port")
-	fs.String("level", "info", "log level debug, info, warn, error, flat or panic")
-	fs.String("backend-url", "", "backend service URL")
+	fs.Int("grpc-port", 0, "gRPC port")
+	fs.String("grpc-service-name", "podinfo", "gPRC service name")
+	fs.String("level", "info", "log level debug, info, warn, error, fatal or panic")
+	fs.StringSlice("backend-url", []string{}, "backend service URL")
 	fs.Duration("http-client-timeout", 2*time.Minute, "client timeout duration")
 	fs.Duration("http-server-timeout", 30*time.Second, "server read and write timeout duration")
 	fs.Duration("http-server-shutdown-timeout", 5*time.Second, "server graceful shutdown timeout duration")
 	fs.String("data-path", "/data", "data local path")
 	fs.String("config-path", "", "config dir path")
+	fs.String("cert-path", "/data/cert", "certificate path for HTTPS port")
 	fs.String("config", "config.yaml", "config file name")
 	fs.String("ui-path", "./ui", "UI local path")
-	fs.String("ui-color", "blue", "UI color")
+	fs.String("ui-logo", "", "UI logo")
+	fs.String("ui-color", "#34577c", "UI color")
 	fs.String("ui-message", fmt.Sprintf("greetings from podinfo v%v", version.VERSION), "UI message")
-	fs.Bool("random-delay", false, "between 0 and 5 seconds random delay")
+	fs.Bool("h2c", false, "allow upgrading to H2C")
+	fs.Bool("random-delay", false, "between 0 and 5 seconds random delay by default")
+	fs.String("random-delay-unit", "s", "either s(seconds) or ms(milliseconds")
+	fs.Int("random-delay-min", 0, "min for random delay: 0 by default")
+	fs.Int("random-delay-max", 5, "max for random delay: 5 by default")
 	fs.Bool("random-error", false, "1/3 chances of a random response error")
-	fs.Int("stress-cpu", 0, "Number of CPU cores with 100 load")
+	fs.Bool("unhealthy", false, "when set, healthy state is never reached")
+	fs.Bool("unready", false, "when set, ready state is never reached")
+	fs.Int("stress-cpu", 0, "number of CPU cores with 100 load")
 	fs.Int("stress-memory", 0, "MB of data to load into memory")
+	fs.String("cache-server", "", "Redis address in the format 'tcp://<host>:<port>'")
+	fs.String("otel-service-name", "", "service name for reporting to open telemetry address, when not set tracing is disabled")

 	versionFlag := fs.BoolP("version", "v", false, "get version number")

@@ -59,6 +76,7 @@ func main() {
 	viper.RegisterAlias("backendUrl", "backend-url")
 	hostname, _ := os.Hostname()
 	viper.SetDefault("jwt-secret", "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9")
+	viper.SetDefault("ui-logo", "https://raw.githubusercontent.com/stefanprodan/podinfo/gh-pages/cuddle_clap.gif")
 	viper.Set("hostname", hostname)
 	viper.Set("version", version.VERSION)
 	viper.Set("revision", version.REVISION)
@@ -67,11 +85,11 @@ func main() {
 	viper.AutomaticEnv()

 	// load config from file
-	if _, err := os.Stat(filepath.Join(viper.GetString("config-path"), viper.GetString("config"))); err == nil {
+	if _, fileErr := os.Stat(filepath.Join(viper.GetString("config-path"), viper.GetString("config"))); fileErr == nil {
 		viper.SetConfigName(strings.Split(viper.GetString("config"), ".")[0])
 		viper.AddConfigPath(viper.GetString("config-path"))
-		if err := viper.ReadInConfig(); err != nil {
-			fmt.Printf("Error reading config file, %v\n", err)
+		if readErr := viper.ReadInConfig(); readErr != nil {
+			fmt.Printf("Error reading config file, %v\n", readErr)
 		}
 	}

@@ -90,6 +108,38 @@ func main() {
 		viper.Set("port", strconv.Itoa(port))
 	}

+	// validate secure port
+	if _, err := strconv.Atoi(viper.GetString("secure-port")); err != nil {
+		securePort, _ := fs.GetInt("secure-port")
+		viper.Set("secure-port", strconv.Itoa(securePort))
+	}
+
+	// validate random delay options
+	if viper.GetInt("random-delay-max") < viper.GetInt("random-delay-min") {
+		logger.Panic("`--random-delay-max` should be greater than `--random-delay-min`")
+	}
+
+	switch delayUnit := viper.GetString("random-delay-unit"); delayUnit {
+	case
+		"s",
+		"ms":
+		break
+	default:
+		logger.Panic("`random-delay-unit` accepted values are: s|ms")
+	}
+
+	// load gRPC server config
+	var grpcCfg grpc.Config
+	if err := viper.Unmarshal(&grpcCfg); err != nil {
+		logger.Panic("config unmarshal failed", zap.Error(err))
+	}
+
+	// start gRPC server
+	if grpcCfg.Port > 0 {
+		grpcSrv, _ := grpc.NewServer(&grpcCfg, logger)
+		go grpcSrv.ListenAndServe()
+	}
+
 	// load HTTP server config
 	var srvCfg api.Config
 	if err := viper.Unmarshal(&srvCfg); err != nil {
--- a/cue/README.md
+++ b/cue/README.md
@@ -0,0 +1,58 @@
+# Podinfo CUE module
+
+This directory contains a [CUE](https://cuelang.org/docs/) module and tooling
+for generating podinfo's Kubernetes resources.
+
+The module contains a `podinfo.#Application` definition which takes `podinfo.#Config` as input.
+
+## Prerequisites
+
+Install CUE with:
+
+```shell
+brew install cue
+```
+
+Generate the Kubernetes API definitions required by this module with:
+
+```shell
+cue get go k8s.io/api/...
+```
+
+## Configuration
+
+Configure the application in `main.cue`:
+
+```cue
+app: podinfo.#Application & {
+	config: {
+		meta: {
+			name:      "podinfo"
+			namespace: "default"
+		}
+		image: tag: "6.1.3"
+		resources: requests: {
+			cpu:    "100m"
+			memory: "16Mi"
+		}
+		hpa: {
+			enabled:     true
+			maxReplicas: 3
+		}
+		ingress: {
+			enabled:   true
+			className: "nginx"
+			host:      "podinfo.example.com"
+			tls:       true
+			annotations: "cert-manager.io/cluster-issuer": "letsencrypt"
+		}
+		serviceMonitor: enabled: true
+	}
+}
+```
+
+## Generate the manifests
+
+```shell
+cue gen
+```
--- a/cue/cue.mod/module.cue
+++ b/cue/cue.mod/module.cue
@@ -0,0 +1 @@
+module: "github.com/stefanprodan/podinfo/cue"
--- a/cue/go.mod
+++ b/cue/go.mod
@@ -0,0 +1,23 @@
+module github.com/stefanprodan/podinfo/cue
+
+go 1.17
+
+require (
+	github.com/go-logr/logr v1.2.0 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/google/go-cmp v0.5.5 // indirect
+	github.com/google/gofuzz v1.1.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	golang.org/x/net v0.0.0-20211209124913-491a49abca63 // indirect
+	golang.org/x/text v0.3.7 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	k8s.io/api v0.23.5 // indirect
+	k8s.io/apimachinery v0.23.5 // indirect
+	k8s.io/klog/v2 v2.30.0 // indirect
+	k8s.io/utils v0.0.0-20211116205334-6203023598ed // indirect
+	sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect
+)
--- a/cue/go.sum
+++ b/cue/go.sum
@@ -0,0 +1,231 @@
+cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
+github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
+github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
+github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
+github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
+github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
+github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
+github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
+github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
+github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
+github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
+github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
+github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
+github.com/getkin/kin-openapi v0.76.0/go.mod h1:660oXbgy5JFMKreazJaQTw7o+X00qeSyhcnluiMv+Xg=
+github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
+github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
+github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU=
+github.com/go-logr/logr v1.2.0 h1:QK40JKJyMdUDz+h+xvCsru/bJhvG0UxvePV0ufL/AcE=
+github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
+github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
+github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8=
+github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
+github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
+github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
+github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
+github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
+github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
+github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
+github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
+github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
+github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
+github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
+github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
+github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
+github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU=
+github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g=
+github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/googleapis/gnostic v0.5.1/go.mod h1:6U4PtQXGIEt/Z3h5MAT7FNofLnw9vXk2cUuW7uA/OeU=
+github.com/googleapis/gnostic v0.5.5/go.mod h1:7+EbHbldMins07ALC74bsA81Ovc97DwqyJO1AENw9kA=
+github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
+github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
+github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
+github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
+github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
+github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
+github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
+github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
+github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
+github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
+github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
+github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c=
+github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
+github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
+github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
+github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
+github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
+github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
+github.com/onsi/ginkgo v1.14.0/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY=
+github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
+github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
+github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
+github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
+golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
+golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
+golang.org/x/net v0.0.0-20211209124913-491a49abca63 h1:iocB37TsdFuN6IBRZ+ry36wrkoV51/tl5vOWqkcPGvY=
+golang.org/x/net v0.0.0-20211209124913-491a49abca63/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
+golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200519105757-fe76b779f299/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210831042530-f4d43177bf5e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
+golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20200505023115-26f46d2f7ef8/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
+google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
+google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
+google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
+google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
+google.golang.org/genproto v0.0.0-20201019141844-1ed22bb0c154/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
+google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
+google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
+google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
+google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
+google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
+google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
+google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
+google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4=
+google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
+google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
+google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
+gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
+gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
+gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
+gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+k8s.io/api v0.23.5 h1:zno3LUiMubxD/V1Zw3ijyKO3wxrhbUF1Ck+VjBvfaoA=
+k8s.io/api v0.23.5/go.mod h1:Na4XuKng8PXJ2JsploYYrivXrINeTaycCGcYgF91Xm8=
+k8s.io/apimachinery v0.23.5 h1:Va7dwhp8wgkUPWsEXk6XglXWU4IKYLKNlv8VkX7SDM0=
+k8s.io/apimachinery v0.23.5/go.mod h1:BEuFMMBaIbcOqVIJqNZJXGFTP4W6AycEpb5+m/97hrM=
+k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
+k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
+k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
+k8s.io/klog/v2 v2.30.0 h1:bUO6drIvCIsvZ/XFgfxoGFQU/a4Qkh0iAlvUR7vlHJw=
+k8s.io/klog/v2 v2.30.0/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
+k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65/go.mod h1:sX9MT8g7NVZM5lVL/j8QyCCJe8YSMW30QvGZWaCIDIk=
+k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
+k8s.io/utils v0.0.0-20211116205334-6203023598ed h1:ck1fRPWPJWsMd8ZRFsWc6mh/zHp5fZ/shhbrgPUxDAE=
+k8s.io/utils v0.0.0-20211116205334-6203023598ed/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
+sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6 h1:fD1pz4yfdADVNfFmcP2aBEtudwUQ1AlLnRBALr33v3s=
+sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6/go.mod h1:p4QtZmO4uMYipTQNzagwnNoseA6OxSUutVw05NhYDRs=
+sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=
+sigs.k8s.io/structured-merge-diff/v4 v4.2.1 h1:bKCqE9GvQ5tiVHn5rfn1r+yao3aLQEaLzkkmAkf+A6Y=
+sigs.k8s.io/structured-merge-diff/v4 v4.2.1/go.mod h1:j/nl6xW8vLS49O8YvXW1ocPhZawJtm+Yrr7PPRQ0Vg4=
+sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=
--- a/cue/main.cue
+++ b/cue/main.cue
@@ -0,0 +1,33 @@
+package main
+
+import (
+	podinfo "github.com/stefanprodan/podinfo/cue/podinfo"
+)
+
+app: podinfo.#Application & {
+	config: {
+		meta: {
+			name:      "podinfo"
+			namespace: "default"
+		}
+		image: tag: "6.1.4"
+		resources: requests: {
+			cpu:    "100m"
+			memory: "16Mi"
+		}
+		hpa: {
+			enabled:     true
+			maxReplicas: 3
+		}
+		ingress: {
+			enabled:   true
+			className: "nginx"
+			host:      "podinfo.example.com"
+			tls:       true
+			annotations: "cert-manager.io/cluster-issuer": "letsencrypt"
+		}
+		serviceMonitor: enabled: true
+	}
+}
+
+objects: app.objects
--- a/cue/main_tool.cue
+++ b/cue/main_tool.cue
@@ -0,0 +1,12 @@
+package main
+
+import (
+	"tool/cli"
+	"encoding/yaml"
+)
+
+command: gen: {
+	task: print: cli.Print & {
+		text: yaml.MarshalStream([ for x in objects {x}])
+	}
+}
--- a/cue/podinfo/app.cue
+++ b/cue/podinfo/app.cue
@@ -0,0 +1,26 @@
+package podinfo
+
+#Application: {
+	config: #Config
+
+	objects: {
+		service:    #Service & {_config:        config}
+		account:    #ServiceAccount & {_config: config}
+		deployment: #Deployment & {
+			_config:         config
+			_serviceAccount: account.metadata.name
+		}
+	}
+
+	if config.hpa.enabled == true {
+		objects: hpa: #HorizontalPodAutoscaler & {_config: config}
+	}
+
+	if config.ingress.enabled == true {
+		objects: ingress: #Ingress & {_config: config}
+	}
+
+	if config.serviceMonitor.enabled == true {
+		objects: serviceMonitor: #ServiceMonitor & {_config: config}
+	}
+}
--- a/cue/podinfo/config.cue
+++ b/cue/podinfo/config.cue
@@ -0,0 +1,41 @@
+package podinfo
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	corev1 "k8s.io/api/core/v1"
+)
+
+#Config: {
+	meta:           metav1.#ObjectMeta
+	hpa:            #hpaConfig
+	ingress:        #ingressConfig
+	service:        #serviceConfig
+	serviceMonitor: #serviceMonConfig
+
+	image: {
+		repository: *"ghcr.io/stefanprodan/podinfo" | string
+		pullPolicy: *"IfNotPresent" | string
+		tag:        string
+	}
+
+	cache?: string & =~"^tcp://"
+	backends: [...string]
+	logLevel: *"info" | string
+	replicas: *1 | int
+
+	resources: *{
+		requests: {
+			cpu:    "1m"
+			memory: "16Mi"
+		}
+		limits: memory: "128Mi"
+	} | corev1.#ResourceRequirements
+
+	selectorLabels: *{"app.kubernetes.io/name": meta.name} | {[ string]: string}
+	meta: annotations: *{"app.kubernetes.io/version": "\(image.tag)"} | {[ string]: string}
+	meta: labels:      *selectorLabels | {[ string]:  string}
+
+	securityContext?: corev1.#PodSecurityContext
+	affinity?:        corev1.#Affinity
+	tolerations?: [ ...corev1.#Toleration]
+}
--- a/cue/podinfo/deployment.cue
+++ b/cue/podinfo/deployment.cue
@@ -0,0 +1,110 @@
+package podinfo
+
+import (
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+)
+
+#Deployment: appsv1.#Deployment & {
+	_config:         #Config
+	_serviceAccount: string
+	apiVersion:      "apps/v1"
+	kind:            "Deployment"
+	metadata:        _config.meta
+	spec:            appsv1.#DeploymentSpec & {
+		if !_config.hpa.enabled {
+			replicas: _config.replicas
+		}
+		strategy: {
+			type: "RollingUpdate"
+			rollingUpdate: maxUnavailable: 1
+		}
+		selector: matchLabels: _config.selectorLabels
+		template: {
+			metadata: {
+				labels: _config.selectorLabels
+				if !_config.serviceMonitor.enabled {
+					annotations: {
+						"prometheus.io/scrape": "true"
+						"prometheus.io/port":   "\(_config.service.metricsPort)"
+					}
+				}
+			}
+			spec: corev1.#PodSpec & {
+				terminationGracePeriodSeconds: 15
+				serviceAccountName:            _serviceAccount
+				containers: [
+					{
+						name:            "podinfo"
+						image:           "\(_config.image.repository):\(_config.image.tag)"
+						imagePullPolicy: _config.image.pullPolicy
+						command: [
+							"./podinfo",
+							"--port=\(_config.service.httpPort)",
+							"--port-metrics=\(_config.service.metricsPort)",
+							"--grpc-port=\(_config.service.grpcPort)",
+							"--level=\(_config.logLevel)",
+							if _config.cache != _|_ {
+								"--cache-server=\(_config.cache)"
+							},
+							for b in _config.backends {
+								"--backend-url=\(b)"
+							},
+						]
+						ports: [
+							{
+								name:          "http"
+								containerPort: _config.service.httpPort
+								protocol:      "TCP"
+							},
+							{
+								name:          "http-metrics"
+								containerPort: _config.service.metricsPort
+								protocol:      "TCP"
+							},
+							{
+								name:          "grpc"
+								containerPort: _config.service.grpcPort
+								protocol:      "TCP"
+							},
+						]
+						livenessProbe: {
+							httpGet: {
+								path: "/healthz"
+								port: "http"
+							}
+						}
+						readinessProbe: {
+							httpGet: {
+								path: "/readyz"
+								port: "http"
+							}
+						}
+						volumeMounts: [
+							{
+								name:      "data"
+								mountPath: "/data"
+							},
+						]
+						resources: _config.resources
+						if _config.securityContext != _|_ {
+							securityContext: _config.securityContext
+						}
+					},
+				]
+				if _config.affinity != _|_ {
+					affinity: _config.affinity
+				}
+				if _config.tolerations != _|_ {
+					tolerations: _config.tolerations
+				}
+				volumes: [
+					{
+						name: "data"
+						emptyDir: {}
+					},
+				]
+			}
+		}
+	}
+}
--- a/cue/podinfo/hpa.cue
+++ b/cue/podinfo/hpa.cue
@@ -0,0 +1,55 @@
+package podinfo
+
+import (
+	autoscaling "k8s.io/api/autoscaling/v2beta2"
+)
+
+#hpaConfig: {
+	enabled:     *false | bool
+	cpu:         *99 | int
+	memory:      *"" | string
+	minReplicas: *1 | int
+	maxReplicas: *1 | int
+}
+
+#HorizontalPodAutoscaler: autoscaling.#HorizontalPodAutoscaler & {
+	_config:    #Config
+	apiVersion: "autoscaling/v2beta2"
+	kind:       "HorizontalPodAutoscaler"
+	metadata:   _config.meta
+	spec: {
+		scaleTargetRef: {
+			apiVersion: "apps/v1"
+			kind:       "Deployment"
+			name:       _config.meta.name
+		}
+		minReplicas: _config.hpa.minReplicas
+		maxReplicas: _config.hpa.maxReplicas
+		metrics: [
+			if _config.hpa.cpu > 0 {
+				{
+					type: "Resource"
+					resource: {
+						name: "cpu"
+						target: {
+							type:               "Utilization"
+							averageUtilization: _config.hpa.cpu
+						}
+					}
+				}
+			},
+			if _config.hpa.memory != "" {
+				{
+					type: "Resource"
+					resource: {
+						name: "memory"
+						target: {
+							type:         "AverageValue"
+							averageValue: _config.hpa.memory
+						}
+					}
+				}
+			},
+		]
+	}
+}
--- a/cue/podinfo/ingress.cue
+++ b/cue/podinfo/ingress.cue
@@ -0,0 +1,47 @@
+package podinfo
+
+import (
+	netv1 "k8s.io/api/networking/v1"
+)
+
+#ingressConfig: {
+	enabled: *false | bool
+	annotations?: {[ string]: string}
+	className?: string
+	tls:        *false | bool
+	host:       string
+}
+
+#Ingress: netv1.#Ingress & {
+	_config:    #Config
+	apiVersion: "networking.k8s.io/v1"
+	kind:       "Ingress"
+	metadata:   _config.meta
+	if _config.ingress.annotations != _|_ {
+		metadata: annotations: _config.ingress.annotations
+	}
+	spec: netv1.#IngressSpec & {
+		rules: [{
+			host: _config.ingress.host
+			http: {
+				paths: [{
+					pathType: "Prefix"
+					path:     "/"
+					backend: service: {
+						name: _config.meta.name
+						port: name: "http"
+					}
+				}]
+			}
+		}]
+		if _config.ingress.tls {
+			tls: [{
+				hosts: [_config.ingress.host]
+				secretName: "\(_config.meta.name)-cert"
+			}]
+		}
+		if _config.ingress.className != _|_ {
+			ingressClassName: _config.ingress.className
+		}
+	}
+}
--- a/cue/podinfo/service.cue
+++ b/cue/podinfo/service.cue
@@ -0,0 +1,44 @@
+package podinfo
+
+import (
+	corev1 "k8s.io/api/core/v1"
+)
+
+#serviceConfig: {
+	type:         *"ClusterIP" | string
+	externalPort: *9898 | int
+	httpPort:     *9898 | int
+	metricsPort:  *9797 | int
+	grpcPort:     *9999 | int
+}
+
+#Service: corev1.#Service & {
+	_config:    #Config
+	apiVersion: "v1"
+	kind:       "Service"
+	metadata:   _config.meta
+	spec:       corev1.#ServiceSpec & {
+		type:     _config.service.type
+		selector: _config.selectorLabels
+		ports: [
+			{
+				name:       "http"
+				port:       _config.service.externalPort
+				targetPort: "\(name)"
+				protocol:   "TCP"
+			},
+			{
+				name:       "http-metrics"
+				port:       _config.service.metricsPort
+				targetPort: "\(name)"
+				protocol:   "TCP"
+			},
+			{
+				name:       "grpc"
+				port:       _config.service.grpcPort
+				targetPort: "\(name)"
+				protocol:   "TCP"
+			},
+		]
+	}
+}
--- a/cue/podinfo/serviceaccount.cue
+++ b/cue/podinfo/serviceaccount.cue
@@ -0,0 +1,12 @@
+package podinfo
+
+import (
+	corev1 "k8s.io/api/core/v1"
+)
+
+#ServiceAccount: corev1.#ServiceAccount & {
+	_config:    #Config
+	apiVersion: "v1"
+	kind:       "ServiceAccount"
+	metadata:   _config.meta
+}
--- a/cue/podinfo/servicemonitor.cue
+++ b/cue/podinfo/servicemonitor.cue
@@ -0,0 +1,22 @@
+package podinfo
+
+#serviceMonConfig: {
+	enabled:  *false | bool
+	interval: *"15s" | string
+}
+
+#ServiceMonitor: {
+	_config:    #Config
+	apiVersion: "monitoring.coreos.com/v1"
+	kind:       "ServiceMonitor"
+	metadata:   _config.meta
+	spec: {
+		endpoints: [{
+			path:     "/metrics"
+			port:     "http-metrics"
+			interval: _config.serviceMonitor.interval
+		}]
+		namespaceSelector: matchNames: _config.meta.namespace
+		selector: matchLabels:         _config.meta.labels
+	}
+}
--- a/deploy/README.md
+++ b/deploy/README.md
@@ -0,0 +1,45 @@
+# Deploy demo webapp
+
+Demo webapp manifests:
+
+- [common](webapp/common)
+- [frontend](webapp/frontend)
+- [backend](webapp/backend)
+
+Deploy the demo in `webapp` namespace:
+
+```bash
+kubectl apply -f ./webapp/common
+kubectl apply -f ./webapp/backend
+kubectl apply -f ./webapp/frontend
+```
+
+Deploy the demo in the `dev` namespace:
+
+```bash
+kustomize build ./overlays/dev | kubectl apply -f-
+```
+
+Deploy the demo in the `staging` namespace:
+
+```bash
+kustomize build ./overlays/staging | kubectl apply -f-
+```
+
+Deploy the demo in the `production` namespace:
+
+```bash
+kustomize build ./overlays/production | kubectl apply -f-
+```
+
+## Testing Locally Using Kind
+
+> NOTE: You can install [kind from here](https://kind.sigs.k8s.io/docs/user/quick-start/#installation)
+
+The following will create a new cluster called "podinfo" and configure host ports on 80 and 443. You can access the
+endpoints on localhost. The example also deploys cert-manager within the cluster along with a self-signed cluster issuer
+used to generate the certificate to validate the secure port.
+
+```sh
+./kind.sh
+```
--- a/deploy/bases/backend/deployment.yaml
+++ b/deploy/bases/backend/deployment.yaml
@@ -0,0 +1,73 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: backend
+spec:
+  minReadySeconds: 3
+  revisionHistoryLimit: 5
+  progressDeadlineSeconds: 60
+  strategy:
+    rollingUpdate:
+      maxUnavailable: 0
+    type: RollingUpdate
+  selector:
+    matchLabels:
+      app: backend
+  template:
+    metadata:
+      annotations:
+        prometheus.io/scrape: "true"
+        prometheus.io/port: "9797"
+      labels:
+        app: backend
+    spec:
+      containers:
+      - name: backend
+        image: ghcr.io/stefanprodan/podinfo:6.1.4
+        imagePullPolicy: IfNotPresent
+        ports:
+        - name: http
+          containerPort: 9898
+          protocol: TCP
+        - name: http-metrics
+          containerPort: 9797
+          protocol: TCP
+        - name: grpc
+          containerPort: 9999
+          protocol: TCP
+        command:
+        - ./podinfo
+        - --port=9898
+        - --port-metrics=9797
+        - --grpc-port=9999
+        - --grpc-service-name=backend
+        - --level=info
+        - --cache-server=cache:6379
+        env:
+        - name: PODINFO_UI_COLOR
+          value: "#34577c"
+        livenessProbe:
+          exec:
+            command:
+            - podcli
+            - check
+            - http
+            - localhost:9898/healthz
+          initialDelaySeconds: 5
+          timeoutSeconds: 5
+        readinessProbe:
+          exec:
+            command:
+            - podcli
+            - check
+            - http
+            - localhost:9898/readyz
+          initialDelaySeconds: 5
+          timeoutSeconds: 5
+        resources:
+          limits:
+            cpu: 2000m
+            memory: 512Mi
+          requests:
+            cpu: 100m
+            memory: 32Mi
--- a/deploy/bases/backend/hpa.yaml
+++ b/deploy/bases/backend/hpa.yaml
@@ -0,0 +1,18 @@
+apiVersion: autoscaling/v2beta2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: backend
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: backend
+  minReplicas: 1
+  maxReplicas: 2
+  metrics:
+  - type: Resource
+    resource:
+      name: cpu
+      target:
+        type: Utilization
+        averageUtilization: 99
--- a/deploy/bases/backend/kustomization.yaml
+++ b/deploy/bases/backend/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - service.yaml
+  - deployment.yaml
+  - hpa.yaml
+
--- a/deploy/bases/backend/service.yaml
+++ b/deploy/bases/backend/service.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: backend
+spec:
+  type: ClusterIP
+  selector:
+    app: backend
+  ports:
+    - name: http
+      port: 9898
+      protocol: TCP
+      targetPort: http
+    - port: 9999
+      targetPort: grpc
+      protocol: TCP
+      name: grpc
--- a/deploy/bases/cache/deployment.yaml
+++ b/deploy/bases/cache/deployment.yaml
@@ -0,0 +1,57 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: cache
+spec:
+  selector:
+    matchLabels:
+      app: cache
+  template:
+    metadata:
+      labels:
+        app: cache
+    spec:
+      containers:
+        - name: redis
+          image: redis:6.0.1
+          imagePullPolicy: IfNotPresent
+          command:
+            - redis-server
+            - "/redis-master/redis.conf"
+          ports:
+            - name: redis
+              containerPort: 6379
+              protocol: TCP
+          livenessProbe:
+            tcpSocket:
+              port: redis
+            initialDelaySeconds: 5
+            timeoutSeconds: 5
+          readinessProbe:
+            exec:
+              command:
+                - redis-cli
+                - ping
+            initialDelaySeconds: 5
+            timeoutSeconds: 5
+          resources:
+            limits:
+              cpu: 1000m
+              memory: 128Mi
+            requests:
+              cpu: 100m
+              memory: 32Mi
+          volumeMounts:
+            - mountPath: /var/lib/redis
+              name: data
+            - mountPath: /redis-master
+              name: config
+      volumes:
+        - name: data
+          emptyDir: {}
+        - name: config
+          configMap:
+            name: redis-config
+            items:
+              - key: redis.conf
+                path: redis.conf
--- a/deploy/bases/cache/kustomization.yaml
+++ b/deploy/bases/cache/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - service.yaml
+  - deployment.yaml
+configMapGenerator:
+  - name: redis-config
+    files:
+      - redis.conf
--- a/deploy/bases/cache/redis.conf
+++ b/deploy/bases/cache/redis.conf
@@ -0,0 +1,4 @@
+maxmemory 64mb
+maxmemory-policy allkeys-lru
+save ""
+appendonly no
--- a/deploy/bases/cache/service.yaml
+++ b/deploy/bases/cache/service.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: cache
+spec:
+  type: ClusterIP
+  selector:
+    app: cache
+  ports:
+    - name: redis
+      port: 6379
+      protocol: TCP
+      targetPort: redis
--- a/deploy/bases/frontend/deployment.yaml
+++ b/deploy/bases/frontend/deployment.yaml
@@ -0,0 +1,72 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: frontend
+spec:
+  minReadySeconds: 3
+  revisionHistoryLimit: 5
+  progressDeadlineSeconds: 60
+  strategy:
+    rollingUpdate:
+      maxUnavailable: 0
+    type: RollingUpdate
+  selector:
+    matchLabels:
+      app: frontend
+  template:
+    metadata:
+      annotations:
+        prometheus.io/scrape: "true"
+        prometheus.io/port: "9797"
+      labels:
+        app: frontend
+    spec:
+      containers:
+      - name: frontend
+        image: ghcr.io/stefanprodan/podinfo:6.1.4
+        imagePullPolicy: IfNotPresent
+        ports:
+        - name: http
+          containerPort: 9898
+          protocol: TCP
+        - name: http-metrics
+          containerPort: 9797
+          protocol: TCP
+        - name: grpc
+          containerPort: 9999
+          protocol: TCP
+        command:
+        - ./podinfo
+        - --port=9898
+        - --port-metrics=9797
+        - --level=info
+        - --backend-url=http://backend:9898/echo
+        - --cache-server=cache:6379
+        env:
+        - name: PODINFO_UI_COLOR
+          value: "#34577c"
+        livenessProbe:
+          exec:
+            command:
+            - podcli
+            - check
+            - http
+            - localhost:9898/healthz
+          initialDelaySeconds: 5
+          timeoutSeconds: 5
+        readinessProbe:
+          exec:
+            command:
+            - podcli
+            - check
+            - http
+            - localhost:9898/readyz
+          initialDelaySeconds: 5
+          timeoutSeconds: 5
+        resources:
+          limits:
+            cpu: 1000m
+            memory: 128Mi
+          requests:
+            cpu: 100m
+            memory: 32Mi
--- a/deploy/bases/frontend/hpa.yaml
+++ b/deploy/bases/frontend/hpa.yaml
@@ -0,0 +1,18 @@
+apiVersion: autoscaling/v2beta2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: frontend
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: frontend
+  minReplicas: 1
+  maxReplicas: 4
+  metrics:
+  - type: Resource
+    resource:
+      name: cpu
+      target:
+        type: Utilization
+        averageUtilization: 99
--- a/deploy/bases/frontend/kustomization.yaml
+++ b/deploy/bases/frontend/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - service.yaml
+  - deployment.yaml
+  - hpa.yaml
+
--- a/deploy/bases/frontend/service.yaml
+++ b/deploy/bases/frontend/service.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: frontend
+spec:
+  type: ClusterIP
+  selector:
+    app: frontend
+  ports:
+    - name: http
+      port: 80
+      protocol: TCP
+      targetPort: http
--- a/deploy/kind.sh
+++ b/deploy/kind.sh
@@ -0,0 +1,48 @@
+#! /usr/bin/env sh
+
+mkdir -p bin
+cat > ./bin/kind.yaml <<EOF
+apiVersion: kind.x-k8s.io/v1alpha4
+kind: Cluster
+nodes:
+- role: control-plane
+  extraPortMappings:
+  - containerPort: 80
+    hostPort: 80
+    protocol: TCP
+  - containerPort: 443
+    hostPort: 443
+    protocol: TCP
+EOF
+
+# create the kind cluster
+kind create cluster --config=kind.yaml
+
+# add certificate manager
+kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.0.4/cert-manager.yaml
+
+# wait for cert manager
+kubectl rollout status --namespace cert-manager deployment/cert-manager --timeout=2m
+kubectl rollout status --namespace cert-manager deployment/cert-manager-webhook --timeout=2m
+kubectl rollout status --namespace cert-manager deployment/cert-manager-cainjector --timeout=2m
+
+# # apply the secure webapp
+kubectl apply -f ./secure/common
+kubectl apply -f ./secure/backend
+kubectl apply -f ./secure/frontend
+
+# # wait for the podinfo frontend to come up
+kubectl rollout status --namespace secure deployment/frontend --timeout=1m
+
+# curl the endpoints (responds with info due to header regexp on route handler)
+echo
+echo "http enpdoint:"
+echo "curl http://localhost"
+echo
+curl http://localhost
+
+echo
+echo "https (secure) enpdoint:"
+echo "curl --insecure https://localhost"
+echo
+curl --insecure https://localhost
--- a/deploy/overlays/dev/kustomization.yaml
+++ b/deploy/overlays/dev/kustomization.yaml
@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: dev
+resources:
+  - ../../bases/backend
+  - ../../bases/frontend
+  - ../../bases/cache
+  - namespace.yaml
+transformers:
+  - labels.yaml
--- a/deploy/overlays/dev/labels.yaml
+++ b/deploy/overlays/dev/labels.yaml
@@ -0,0 +1,10 @@
+apiVersion: builtin
+kind: LabelTransformer
+metadata:
+  name: labels
+labels:
+  env: dev
+  instance: webapp
+fieldSpecs:
+  - path: metadata/labels
+    create: true
--- a/deploy/overlays/dev/namespace.yaml
+++ b/deploy/overlays/dev/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: dev
--- a/deploy/overlays/production/kustomization.yaml
+++ b/deploy/overlays/production/kustomization.yaml
@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: production
+resources:
+  - ../../bases/backend
+  - ../../bases/frontend
+  - ../../bases/cache
+  - namespace.yaml
+transformers:
+  - labels.yaml
--- a/deploy/overlays/production/labels.yaml
+++ b/deploy/overlays/production/labels.yaml
@@ -0,0 +1,10 @@
+apiVersion: builtin
+kind: LabelTransformer
+metadata:
+  name: labels
+labels:
+  env: production
+  instance: webapp
+fieldSpecs:
+  - path: metadata/labels
+    create: true
--- a/deploy/overlays/production/namespace.yaml
+++ b/deploy/overlays/production/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: production
--- a/deploy/overlays/staging/kustomization.yaml
+++ b/deploy/overlays/staging/kustomization.yaml
@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: staging
+resources:
+  - ../../bases/backend
+  - ../../bases/frontend
+  - ../../bases/cache
+  - namespace.yaml
+transformers:
+  - labels.yaml
--- a/deploy/overlays/staging/labels.yaml
+++ b/deploy/overlays/staging/labels.yaml
@@ -0,0 +1,10 @@
+apiVersion: builtin
+kind: LabelTransformer
+metadata:
+  name: labels
+labels:
+  env: staging
+  instance: webapp
+fieldSpecs:
+  - path: metadata/labels
+    create: true
--- a/deploy/overlays/staging/namespace.yaml
+++ b/deploy/overlays/staging/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: staging
--- a/deploy/secure/backend/deployment.yaml
+++ b/deploy/secure/backend/deployment.yaml
@@ -0,0 +1,74 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: backend
+  namespace: secure
+spec:
+  minReadySeconds: 3
+  revisionHistoryLimit: 5
+  progressDeadlineSeconds: 60
+  strategy:
+    rollingUpdate:
+      maxUnavailable: 0
+    type: RollingUpdate
+  selector:
+    matchLabels:
+      app: backend
+  template:
+    metadata:
+      annotations:
+        prometheus.io/scrape: "true"
+        prometheus.io/port: "9797"
+      labels:
+        app: backend
+    spec:
+      serviceAccountName: secure
+      containers:
+      - name: backend
+        image: ghcr.io/stefanprodan/podinfo:5.0.3
+        imagePullPolicy: IfNotPresent
+        ports:
+        - name: http
+          containerPort: 9898
+          protocol: TCP
+        - name: http-metrics
+          containerPort: 9797
+          protocol: TCP
+        - name: grpc
+          containerPort: 9999
+          protocol: TCP
+        command:
+        - ./podinfo
+        - --port=9898
+        - --port-metrics=9797
+        - --grpc-port=9999
+        - --grpc-service-name=backend
+        - --level=info
+        env:
+        - name: PODINFO_UI_COLOR
+          value: "#34577c"
+        livenessProbe:
+          exec:
+            command:
+            - podcli
+            - check
+            - http
+            - localhost:9898/healthz
+          initialDelaySeconds: 5
+          timeoutSeconds: 5
+        readinessProbe:
+          exec:
+            command:
+            - podcli
+            - check
+            - http
+            - localhost:9898/readyz
+          initialDelaySeconds: 5
+          timeoutSeconds: 5
+        resources:
+          limits:
+            cpu: 2000m
+            memory: 512Mi
+          requests:
+            cpu: 100m
+            memory: 32Mi
--- a/deploy/secure/backend/hpa.yaml
+++ b/deploy/secure/backend/hpa.yaml
@@ -0,0 +1,19 @@
+apiVersion: autoscaling/v2beta2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: backend
+  namespace: secure
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: backend
+  minReplicas: 1
+  maxReplicas: 2
+  metrics:
+  - type: Resource
+    resource:
+      name: cpu
+      target:
+        type: Utilization
+        averageUtilization: 99
--- a/deploy/secure/backend/service.yaml
+++ b/deploy/secure/backend/service.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: backend
+  namespace: secure
+spec:
+  type: ClusterIP
+  selector:
+    app: backend
+  ports:
+    - name: http
+      port: 9898
+      protocol: TCP
+      targetPort: http
+    - port: 9999
+      targetPort: grpc
+      protocol: TCP
+      name: grpc
--- a/deploy/secure/common/cluster-issuer.yaml
+++ b/deploy/secure/common/cluster-issuer.yaml
@@ -0,0 +1,6 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: self-signed
+spec:
+  selfSigned: {}
--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				`module: "github.com/stefanprodan/podinfo/cue"`