Merge pull request #190 from stefanprodan/release-6.1.3

Release v6.1.3

.circleci/config.yml

@@ -1,113 +0,0 @@
-version: 2.1
-jobs:
-  e2e-kubernetes:
-    machine: true
-    steps:
-      - checkout
-      - run:
-          name: Build podinfo container
-          command: e2e/build.sh
-      - run:
-          name: Start Kubernetes Kind cluster
-          command: e2e/bootstrap.sh
-      - run:
-          name: Install podinfo with Helm v3
-          command: e2e/install.sh
-      - run:
-          name: Run Helm tests
-          command: e2e/test.sh
-
-  push-container:
-    docker:
-      - image: circleci/golang:1.14
-    working_directory: ~/build
-    steps:
-      - checkout
-      - setup_remote_docker:
-          docker_layer_caching: false
-      - run: make build-container
-      - run: |
-          if [ -z "$CIRCLE_TAG" ]; then
-            echo "Not a release, skipping container push";
-          else
-            echo $DOCKER_PASS | docker login -u $DOCKER_USER --password-stdin;
-            echo $QUAY_PASS | docker login -u $QUAY_USER --password-stdin quay.io;
-            make push-container;
-            make push-base;
-          fi
-
-  push-binary:
-    docker:
-      - image: circleci/golang:1.14
-    steps:
-      - checkout
-      - run: curl -sL https://git.io/goreleaser | bash
-
-  push-helm-charts:
-    docker:
-      - image: circleci/golang:1.14
-    steps:
-      - checkout
-      - run:
-          name: Install kubectl
-          command: sudo curl -L https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl -o /usr/local/bin/kubectl && sudo chmod +x /usr/local/bin/kubectl
-      - run:
-          name: Install helm
-          command: sudo curl -L https://storage.googleapis.com/kubernetes-helm/helm-v2.14.2-linux-amd64.tar.gz | tar xz && sudo mv linux-amd64/helm /bin/helm && sudo rm -rf linux-amd64
-      - run:
-          name: Initialize helm
-          command:  helm init --client-only --kubeconfig=$HOME/.kube/kubeconfig
-      - run:
-          name: Lint charts
-          command: |
-            helm lint ./charts/*
-      - run:
-          name: Package charts
-          command: |
-            mkdir $HOME/charts
-            helm package ./charts/* --destination $HOME/charts
-      - run:
-          name: Publish charts
-          command: |
-            if echo "${CIRCLE_TAG}" | grep -Eq "[0-9]+(\.[0-9]+)*(-[a-z]+)?$"; then
-              REPOSITORY="https://stefanprodan:${GITHUB_TOKEN}@github.com/stefanprodan/podinfo.git"
-              git config user.email stefanprodan@users.noreply.github.com
-              git config user.name stefanprodan
-              git remote set-url origin ${REPOSITORY}
-              git checkout gh-pages
-              mv -f $HOME/charts/*.tgz .
-              helm repo index . --url https://stefanprodan.github.io/podinfo
-              git add .
-              git commit -m "Publish Helm charts v${CIRCLE_TAG}"
-              git push origin gh-pages
-            else
-              echo "Not a release! Skip charts publish"
-            fi
-
-workflows:
-  version: 2
-  build-test:
-    jobs:
-      - e2e-kubernetes
-  release:
-    jobs:
-      - push-binary:
-          filters:
-            branches:
-              ignore: /.*/
-            tags:
-              ignore: /^chart.*/
-      - push-container:
-          filters:
-            branches:
-              ignore: /.*/
-            tags:
-              ignore: /^chart.*/
-      - push-helm-charts:
-          requires:
-            - push-container
-          filters:
-            branches:
-              ignore: /.*/
-            tags:
-              ignore: /^chart.*/

.cosign/README.md

@@ -0,0 +1,39 @@
+# Podinfo signed releases
+
+Podinfo deployment manifests are published to GitHub Container Registry as OCI artifacts
+and are signed using [cosign](https://github.com/sigstore/cosign).
+
+## Verify the artifacts with cosign
+
+Install the [cosign](https://github.com/sigstore/cosign) CLI:
+
+```sh
+brew install sigstore/tap/cosign
+```
+
+Verify a podinfo release with cosign CLI:
+
+```sh
+cosign verify -key https://raw.githubusercontent.com/stefanprodan/podinfo/master/cosign/cosign.pub \
+ghcr.io/stefanprodan/podinfo-deploy:latest
+```
+
+## Download the artifacts with crane
+
+Install the [crane](https://github.com/google/go-containerregistry/tree/main/cmd/crane) CLI:
+
+```sh
+brew install crane
+```
+
+Download the podinfo deployment manifests with crane CLI:
+
+```console
+$ crane export ghcr.io/stefanprodan/podinfo-deploy:latest -| tar -xf - 
+
+$ ls -1
+deployment.yaml
+hpa.yaml
+kustomization.yaml
+service.yaml
+```

.cosign/cosign.pub

@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEST+BqQ1XZhhVYx0YWQjdUJYIG5Lt
+iz2+UxRIqmKBqNmce2T+l45qyqOs99qfD7gLNGmkVZ4vtJ9bM7FxChFczg==
+-----END PUBLIC KEY-----

.github/actions/helm/action.yml

@@ -0,0 +1,33 @@
+name: Setup Helm CLI
+description: A GitHub Action for running Helm commands
+author: Stefan Prodan
+branding:
+  color: blue
+  icon: command
+inputs:
+  version:
+    description: "Helm version"
+    required: true
+runs:
+  using: composite
+  steps:
+    - name: "Download helm binary to tmp"
+      shell: bash
+      run: |
+        VERSION=${{ inputs.version }}
+        BIN_URL="https://get.helm.sh/helm-v${VERSION}-linux-amd64.tar.gz"
+        curl -sL ${BIN_URL} -o /tmp/helm.tar.gz
+        mkdir -p /tmp/helm
+        tar -C /tmp/helm/ -zxvf /tmp/helm.tar.gz
+    - name: "Add helm binary to /usr/local/bin"
+      shell: bash
+      run: |
+        sudo cp /tmp/helm/linux-amd64/helm /usr/local/bin
+    - name: "Cleanup tmp"
+      shell: bash
+      run: |
+        rm -rf /tmp/helm/ /tmp/helm.tar.gz
+    - name: "Verify correct installation of binary"
+      shell: bash
+      run: |
+        helm version

.github/actions/release-notes/Dockerfile

@@ -0,0 +1,6 @@
+FROM stefanprodan/alpine-base:latest
+
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+
+ENTRYPOINT ["/entrypoint.sh"]

.github/actions/release-notes/action.yml

@@ -0,0 +1,9 @@
+name: 'github-release-notes'
+description: 'A GitHub Action to run github-release-notes commands'
+author: 'Stefan Prodan'
+branding:
+  icon: 'command'
+  color: 'blue'
+runs:
+  using: 'docker'
+  image: 'Dockerfile'

.github/actions/release-notes/entrypoint.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o pipefail
+
+VERSION=0.2.0
+BIN_DIR="$GITHUB_WORKSPACE/bin"
+
+main() {
+  mkdir -p ${BIN_DIR}
+  tmpDir=$(mktemp -d)
+
+  pushd $tmpDir >& /dev/null
+
+  curl -sSL https://github.com/buchanae/github-release-notes/releases/download/${VERSION}/github-release-notes-linux-amd64-${VERSION}.tar.gz | tar xz
+  cp github-release-notes ${BIN_DIR}/github-release-notes
+
+  popd >& /dev/null
+  rm -rf $tmpDir
+}
+
+main
+
+echo "$BIN_DIR" >> $GITHUB_PATH
+echo "$RUNNER_WORKSPACE/$(basename $GITHUB_REPOSITORY)/bin" >> $GITHUB_PATH

.github/workflows/cve-scan.yml

@@ -0,0 +1,28 @@
+name: cve-scan
+
+on:
+  push:
+    branches:
+      - 'master'
+
+jobs:
+  trivy:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Build image
+        id: build
+        run: |
+          IMAGE=test/podinfo:${GITHUB_SHA}
+          docker build -t ${IMAGE} .
+          echo "::set-output name=image::$IMAGE"
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ steps.build.outputs.image }}
+          format: table
+          exit-code: "1"
+          ignore-unfixed: true
+          vuln-type: os,library
+          severity: CRITICAL,HIGH

.github/workflows/e2e.yml

@@ -0,0 +1,38 @@
+name: e2e
+
+on:
+  pull_request:
+  push:
+    branches:
+      - 'master'
+
+jobs:
+  kind-helm:
+    strategy:
+      matrix:
+        helm-version:
+          - 3.8.1
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Setup Kubernetes
+        uses: engineerd/setup-kind@v0.5.0
+        with:
+          version: v0.11.1
+      - name: Build container image
+        run: |
+          ./test/build.sh
+          kind load docker-image test/podinfo:latest
+      - name: Setup Helm
+        uses: ./.github/actions/helm
+        with:
+          version: ${{ matrix.helm-version }}
+      - name: Deploy
+        run: ./test/deploy.sh
+      - name: Run integration tests
+        run: ./test/test.sh
+      - name: Debug failure
+        if: failure()
+        run: |
+          kubectl logs -l app=podinfo || true

.github/workflows/release.yml

@@ -0,0 +1,123 @@
+name: release
+
+on:
+  push:
+    tags:
+      - '*'
+
+permissions:
+  contents: write # needed to write releases
+  id-token: write # needed for keyless signing
+  packages: write # needed for ghcr access
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: imjasonh/setup-crane@v0.1
+      - uses: sigstore/cosign-installer@main
+      - name: Setup Helm
+        uses: ./.github/actions/helm
+        with:
+          version: 3.8.1
+      - name: Setup QEMU
+        uses: docker/setup-qemu-action@v1
+        with:
+          platforms: all
+      - name: Setup Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v1
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.GHCR_TOKEN }}
+      - name: Login to Docker Hub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+      - name: Prepare
+        id: prep
+        run: |
+          VERSION=sha-${GITHUB_SHA::8}
+          if [[ $GITHUB_REF == refs/tags/* ]]; then
+            VERSION=${GITHUB_REF/refs\/tags\//}
+          fi
+          echo ::set-output name=BUILD_DATE::$(date -u +'%Y-%m-%dT%H:%M:%SZ')
+          echo ::set-output name=VERSION::${VERSION}
+      - name: Publish multi-arch image
+        uses: docker/build-push-action@v2
+        with:
+          push: true
+          builder: ${{ steps.buildx.outputs.name }}
+          context: .
+          file: ./Dockerfile.xx
+          platforms: linux/amd64,linux/arm/v7,linux/arm64
+          tags: |
+            docker.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }}
+            docker.io/stefanprodan/podinfo:latest
+            ghcr.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }}
+          labels: |
+            org.opencontainers.image.title=${{ github.event.repository.name }}
+            org.opencontainers.image.description=${{ github.event.repository.description }}
+            org.opencontainers.image.source=${{ github.event.repository.html_url }}
+            org.opencontainers.image.url=${{ github.event.repository.html_url }}
+            org.opencontainers.image.revision=${{ github.sha }}
+            org.opencontainers.image.version=${{ steps.prep.outputs.VERSION }}
+            org.opencontainers.image.created=${{ steps.prep.outputs.BUILD_DATE }}
+      - name: Publish Helm chart to GHCR
+        run: |
+          helm package charts/podinfo
+          helm push podinfo-${{ steps.prep.outputs.VERSION }}.tgz oci://ghcr.io/stefanprodan/charts
+          rm podinfo-${{ steps.prep.outputs.VERSION }}.tgz
+      - name: Sign images
+        env:
+          COSIGN_EXPERIMENTAL: 1
+        run: |
+          cosign sign docker.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }}
+          cosign sign docker.io/stefanprodan/podinfo:latest
+          cosign sign ghcr.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }}
+          cosign sign ghcr.io/stefanprodan/charts/podinfo:${{ steps.prep.outputs.VERSION }}
+      - name: Publish base image
+        uses: docker/build-push-action@v2
+        with:
+          push: true
+          builder: ${{ steps.buildx.outputs.name }}
+          context: .
+          platforms: linux/amd64
+          file: ./Dockerfile.base
+          tags: docker.io/stefanprodan/podinfo-base:latest
+      - name: Publish helm chart
+        uses: stefanprodan/helm-gh-pages@master
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Publish config artifact
+        run: |
+          cd kustomize
+          tar -cf config.tar * --numeric-owner --owner=0 --group=0
+          crane append -f config.tar -t ghcr.io/stefanprodan/podinfo-deploy:${{ steps.prep.outputs.VERSION }}
+          crane tag ghcr.io/stefanprodan/podinfo-deploy:${{ steps.prep.outputs.VERSION }} latest
+          rm config.tar
+      - name: Sign config artifact
+        run: |
+          echo "$COSIGN_KEY" > /tmp/cosign.key
+          cosign sign -key /tmp/cosign.key ghcr.io/stefanprodan/podinfo-deploy:${{ steps.prep.outputs.VERSION }}
+          cosign sign -key /tmp/cosign.key ghcr.io/stefanprodan/podinfo-deploy:latest
+        env:
+          COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
+          COSIGN_KEY: ${{secrets.COSIGN_KEY}}
+      - uses: ./.github/actions/release-notes
+      - name: Generate release notes
+        run: |
+          echo 'CHANGELOG' > /tmp/release.txt
+          github-release-notes -org stefanprodan -repo podinfo -since-latest-release >> /tmp/release.txt
+      - name: Publish release
+        uses: goreleaser/goreleaser-action@v1
+        with:
+          version: latest
+          args: release --release-notes=/tmp/release.txt --skip-validate
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/test.yml

@@ -1,17 +1,63 @@
-on: [push, pull_request]
 name: test
+
+on:
+  pull_request:
+  push:
+    branches:
+      - 'master'
+
 jobs:
-  validate:
+  test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v1
-      - name: kubeval
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Restore Go cache
+        uses: actions/cache@v1
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: ${{ runner.os }}-go-
+      - name: Setup Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.17.x
+      - name: Run unit tests
+        run: make test
+      - name: Setup CUE
+        uses: cue-lang/setup-cue@main
+      - name: Verify CUE formatting
+        working-directory: ./cue
+        run: |
+          cue fmt .
+          status=$(git status . --porcelain)
+          [[ -z "$status" ]] || {
+            echo "CUE files are not correctly formatted"
+            echo "$status"
+            git diff
+            exit 1
+          }
+      - name: Validate CUE
+        working-directory: ./cue
+        run: cue vet --all-errors --concrete .
+      - name: Check if working tree is dirty
+        run: |
+          if [[ $(git diff --stat) != '' ]]; then
+            echo 'run make test and commit changes'
+            exit 1
+          fi
+      - name: Validate Helm chart
         uses: stefanprodan/kube-tools@v1
         with:
+          kubectl: 1.19.11
+          helm: 2.17.0
+          helmv3: 3.6.0
           command: |
-            kustomize build ./kustomize | kubeval --strict
-      - name: conftest
+            helmv3 template ./charts/podinfo | kubeval --strict --kubernetes-version 1.19.11 --schema-location https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master
+      - name: Validate kustomization
         uses: stefanprodan/kube-tools@v1
         with:
+          kubectl: 1.19.11
           command: |
+            kustomize build ./kustomize | kubeval --strict --kubernetes-version 1.19.11 --schema-location https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master
             kustomize build ./kustomize | conftest test -p .github/policy -

Dockerfile

@@ -1,4 +1,6 @@
-FROM golang:1.14 as builder
+FROM golang:1.17-alpine as builder
+
+ARG REVISION
 
 RUN mkdir -p /podinfo/
 
@@ -8,24 +10,26 @@ COPY . .
 
 RUN go mod download
 
-RUN go test -v -race ./...
-
-RUN GIT_COMMIT=$(git rev-list -1 HEAD) && \
-    CGO_ENABLED=0 GOOS=linux go build -ldflags "-s -w \
-    -X github.com/stefanprodan/podinfo/pkg/version.REVISION=${GIT_COMMIT}" \
+RUN CGO_ENABLED=0 go build -ldflags "-s -w \
+    -X github.com/stefanprodan/podinfo/pkg/version.REVISION=${REVISION}" \
     -a -o bin/podinfo cmd/podinfo/*
 
-RUN GIT_COMMIT=$(git rev-list -1 HEAD) && \
-    CGO_ENABLED=0 GOOS=linux go build -ldflags "-s -w \
-    -X github.com/stefanprodan/podinfo/pkg/version.REVISION=${GIT_COMMIT}" \
+RUN CGO_ENABLED=0 go build -ldflags "-s -w \
+    -X github.com/stefanprodan/podinfo/pkg/version.REVISION=${REVISION}" \
     -a -o bin/podcli cmd/podcli/*
 
-FROM alpine:3.11
+FROM alpine:3.15
+
+ARG BUILD_DATE
+ARG VERSION
+ARG REVISION
+
+LABEL maintainer="stefanprodan"
 
 RUN addgroup -S app \
-    && adduser -S -g app app \
+    && adduser -S -G app app \
     && apk --no-cache add \
-    curl openssl netcat-openbsd
+    ca-certificates curl netcat-openbsd
 
 WORKDIR /home/app
 

Dockerfile.base

@@ -1,4 +1,4 @@
-FROM golang:1.14
+FROM golang:1.17
 
 WORKDIR /workspace
 

Dockerfile.xx

@@ -0,0 +1,53 @@
+ARG GO_VERSION=1.17
+ARG XX_VERSION=1.1.0
+
+FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
+
+FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine as builder
+
+# Copy the build utilities.
+COPY --from=xx / /
+
+ARG TARGETPLATFORM
+ARG REVISION
+
+RUN mkdir -p /podinfo/
+
+WORKDIR /podinfo
+
+COPY . .
+
+RUN go mod download
+
+ENV CGO_ENABLED=0
+RUN xx-go build -ldflags "-s -w \
+    -X github.com/stefanprodan/podinfo/pkg/version.REVISION=${REVISION}" \
+    -a -o bin/podinfo cmd/podinfo/*
+
+RUN xx-go build -ldflags "-s -w \
+    -X github.com/stefanprodan/podinfo/pkg/version.REVISION=${REVISION}" \
+    -a -o bin/podcli cmd/podcli/*
+
+FROM alpine:3.15
+
+ARG BUILD_DATE
+ARG VERSION
+ARG REVISION
+
+LABEL maintainer="stefanprodan"
+
+RUN addgroup -S app \
+    && adduser -S -G app app \
+    && apk --no-cache add \
+    ca-certificates curl netcat-openbsd
+
+WORKDIR /home/app
+
+COPY --from=builder /podinfo/bin/podinfo .
+COPY --from=builder /podinfo/bin/podcli /usr/local/bin/podcli
+COPY ./ui ./ui
+RUN chown -R app:app ./
+
+USER app
+
+CMD ["./podinfo"]

LICENSE

@@ -1,21 +1,201 @@
-MIT License
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
 
-Copyright (c) 2018 Stefan Prodan
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
 
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
+   1. Definitions.
 
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
 
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright 2018 Stefan Prodan. All rights reserved.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

Makefile

@@ -15,13 +15,17 @@ run:
 	--level=debug --grpc-port=9999 --backend-url=https://httpbin.org/status/401 --backend-url=https://httpbin.org/status/500 \
 	--ui-logo=https://raw.githubusercontent.com/stefanprodan/podinfo/gh-pages/cuddle_clap.gif $(EXTRA_RUN_ARGS)
 
+.PHONY: test
 test:
-	go test -v -race ./...
+	go test ./... -coverprofile cover.out
 
 build:
 	GIT_COMMIT=$$(git rev-list -1 HEAD) && CGO_ENABLED=0 go build  -ldflags "-s -w -X github.com/stefanprodan/podinfo/pkg/version.REVISION=$(GIT_COMMIT)" -a -o ./bin/podinfo ./cmd/podinfo/*
 	GIT_COMMIT=$$(git rev-list -1 HEAD) && CGO_ENABLED=0 go build  -ldflags "-s -w -X github.com/stefanprodan/podinfo/pkg/version.REVISION=$(GIT_COMMIT)" -a -o ./bin/podcli ./cmd/podcli/*
 
+tidy:
+	rm -f go.sum; go mod tidy -compat=1.17
+
 fmt:
 	gofmt -l -s -w ./
 	goimports -l -w ./
@@ -33,6 +37,13 @@ build-charts:
 build-container:
 	docker build -t $(DOCKER_IMAGE_NAME):$(VERSION) .
 
+build-xx:
+	docker buildx build \
+	--platform=linux/amd64 \
+	-t $(DOCKER_IMAGE_NAME):$(VERSION) \
+	--load \
+	-f Dockerfile.xx .
+
 build-base:
 	docker build -f Dockerfile.base -t $(DOCKER_REPOSITORY)/podinfo-base:latest .
 
@@ -58,15 +69,17 @@ push-container:
 version-set:
 	@next="$(TAG)" && \
 	current="$(VERSION)" && \
-	sed -i '' "s/$$current/$$next/g" pkg/version/version.go && \
-	sed -i '' "s/tag: $$current/tag: $$next/g" charts/podinfo/values.yaml && \
-	sed -i '' "s/appVersion: $$current/appVersion: $$next/g" charts/podinfo/Chart.yaml && \
-	sed -i '' "s/version: $$current/version: $$next/g" charts/podinfo/Chart.yaml && \
-	sed -i '' "s/podinfo:$$current/podinfo:$$next/g" kustomize/deployment.yaml && \
-	sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/webapp/frontend/deployment.yaml && \
-	sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/webapp/backend/deployment.yaml && \
-	sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/bases/frontend/deployment.yaml && \
-	sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/bases/backend/deployment.yaml && \
+	/usr/bin/sed -i '' "s/$$current/$$next/g" pkg/version/version.go && \
+	/usr/bin/sed -i '' "s/tag: $$current/tag: $$next/g" charts/podinfo/values.yaml && \
+	/usr/bin/sed -i '' "s/tag: $$current/tag: $$next/g" charts/podinfo/values-prod.yaml && \
+	/usr/bin/sed -i '' "s/appVersion: $$current/appVersion: $$next/g" charts/podinfo/Chart.yaml && \
+	/usr/bin/sed -i '' "s/version: $$current/version: $$next/g" charts/podinfo/Chart.yaml && \
+	/usr/bin/sed -i '' "s/podinfo:$$current/podinfo:$$next/g" kustomize/deployment.yaml && \
+	/usr/bin/sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/webapp/frontend/deployment.yaml && \
+	/usr/bin/sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/webapp/backend/deployment.yaml && \
+	/usr/bin/sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/bases/frontend/deployment.yaml && \
+	/usr/bin/sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/bases/backend/deployment.yaml && \
+	/usr/bin/sed -i '' "s/$$current/$$next/g" cue/main.cue && \
 	echo "Version $$next set in code, deployment, chart and kustomize"
 
 release:
@@ -75,4 +88,9 @@ release:
 
 swagger:
 	go get github.com/swaggo/swag/cmd/swag
-	cd pkg/api && $$(go env GOPATH)/bin/swag init -g server.go
+	cd pkg/api && $$(go env GOPATH)/bin/swag init -g server.go
+
+.PHONY: cue
+cue:
+	@cd cue && cue fmt ./... && cue vet --all-errors --concrete ./...
+	@cd cue && cue gen

README.md

@@ -1,20 +1,21 @@
 # podinfo
 
-[![CircleCI](https://circleci.com/gh/stefanprodan/podinfo.svg?style=svg)](https://circleci.com/gh/stefanprodan/podinfo)
-[![conftest](https://github.com/stefanprodan/podinfo/workflows/test/badge.svg)](https://github.com/stefanprodan/podinfo/blob/master/.github/workflows/test.yml)
+[![e2e](https://github.com/stefanprodan/podinfo/workflows/e2e/badge.svg)](https://github.com/stefanprodan/podinfo/blob/master/.github/workflows/e2e.yml)
+[![test](https://github.com/stefanprodan/podinfo/workflows/test/badge.svg)](https://github.com/stefanprodan/podinfo/blob/master/.github/workflows/test.yml)
+[![cve-scan](https://github.com/stefanprodan/podinfo/workflows/cve-scan/badge.svg)](https://github.com/stefanprodan/podinfo/blob/master/.github/workflows/cve-scan.yml)
 [![Go Report Card](https://goreportcard.com/badge/github.com/stefanprodan/podinfo)](https://goreportcard.com/report/github.com/stefanprodan/podinfo)
 [![Docker Pulls](https://img.shields.io/docker/pulls/stefanprodan/podinfo)](https://hub.docker.com/r/stefanprodan/podinfo)
 
 Podinfo is a tiny web application made with Go that showcases best practices of running microservices in Kubernetes.
+Podinfo is used by CNCF projects like [Flux](https://github.com/fluxcd/flux2) and [Flagger](https://github.com/fluxcd/flagger)
+for end-to-end testing and workshops.
 
 Specifications:
 
 * Health checks (readiness and liveness)
 * Graceful shutdown on interrupt signals
 * File watcher for secrets and configmaps
-* Instrumented with Prometheus
-* Tracing with Istio and Jaeger
-* Linkerd service profile
+* Instrumented with Prometheus and Open Telemetry
 * Structured logging with zap 
 * 12-factor app with viper
 * Fault injection (random errors and latency)
@@ -22,6 +23,9 @@ Specifications:
 * Helm and Kustomize installers
 * End-to-End testing with Kubernetes Kind and Helm
 * Kustomize testing with GitHub Actions and Open Policy Agent
+* Multi-arch container image with Docker buildx and Github Actions
+* Container image signing with Sigstore cosign
+* CVE scanning with Trivy
 
 Web API:
 
@@ -41,8 +45,9 @@ Web API:
 * `POST /token` issues a JWT token valid for one minute `JWT=$(curl -sd 'anon' podinfo:9898/token | jq -r .token)`
 * `GET /token/validate` validates the JWT token `curl -H "Authorization: Bearer $JWT" podinfo:9898/token/validate`
 * `GET /configs` returns a JSON with configmaps and/or secrets mounted in the `config` volume
-* `POST /cache` saves the posted content to Redis and returns the SHA1 hash of the content
-* `GET /store/{hash}` returns the content from Redis if the key exists
+* `POST/PUT /cache/{key}` saves the posted content to Redis
+* `GET /cache/{key}` returns the content from Redis if the key exists
+* `DELETE /cache/{key}` deletes the key from Redis if exists
 * `POST /store` writes the posted content to disk at /data/hash and returns the SHA1 hash of the content
 * `GET /store/{hash}` returns the content of the file /data/hash if exists
 * `GET /ws/echo` echos content via websockets `podcli ws ws://localhost:9898/ws/echo`
@@ -71,7 +76,9 @@ To access the Swagger UI open `<podinfo-host>/swagger/index.html` in a browser.
 
 ### Install
 
-Helm:
+#### Helm
+
+Install from github.io:
 
 ```bash
 helm repo add podinfo https://stefanprodan.github.io/podinfo
@@ -82,23 +89,107 @@ helm upgrade --install --wait frontend \
 --set backend=http://backend-podinfo:9898/echo \
 podinfo/podinfo
 
-# Test pods have hook-delete-policy: hook-succeeded
 helm test frontend
 
 helm upgrade --install --wait backend \
 --namespace test \
---set hpa.enabled=true \
+--set redis.enabled=true \
 podinfo/podinfo
 ```
 
-Kustomize:
+Install from ghcr.io:
+
+```bash
+helm upgrade --install --wait podinfo --namespace default \
+oci://ghcr.io/stefanprodan/charts/podinfo
+```
+
+#### Kustomize
 
 ```bash
 kubectl apply -k github.com/stefanprodan/podinfo//kustomize
 ```
 
-Docker:
+#### Docker
 
 ```bash
 docker run -dp 9898:9898 stefanprodan/podinfo
-```
+```
+
+### Continuous Delivery
+
+In order to install podinfo on a Kubernetes cluster and keep it up to date with the latest
+release in an automated manner, you can use [Flux](https://fluxcd.io).
+
+Install the Flux CLI on MacOS and Linux using Homebrew:
+
+```sh
+brew install fluxcd/tap/flux
+```
+
+Install the Flux controllers needed for Helm operations:
+
+```sh
+flux install \
+--namespace=flux-system \
+--network-policy=false \
+--components=source-controller,helm-controller
+```
+
+Add podinfo's Helm repository to your cluster and
+configure Flux to check for new chart releases every ten minutes:
+
+```sh
+flux create source helm podinfo \
+--namespace=default \
+--url=https://stefanprodan.github.io/podinfo \
+--interval=10m
+```
+
+Create a `podinfo-values.yaml` file locally:
+
+```sh
+cat > podinfo-values.yaml <<EOL
+replicaCount: 2
+resources:
+  limits:
+    memory: 256Mi
+  requests:
+    cpu: 100m
+    memory: 64Mi
+EOL
+```
+
+Create a Helm release for deploying podinfo in the default namespace:
+
+```sh
+flux create helmrelease podinfo \
+--namespace=default \
+--source=HelmRepository/podinfo \
+--release-name=podinfo \
+--chart=podinfo \
+--chart-version=">5.0.0" \
+--values=podinfo-values.yaml
+```
+
+Based on the above definition, Flux will upgrade the release automatically
+when a new version of podinfo is released. If the upgrade fails, Flux
+can [rollback](https://toolkit.fluxcd.io/components/helm/helmreleases/#configuring-failure-remediation)
+to the previous working version.
+
+You can check what version is currently deployed with:
+
+```sh
+flux get helmreleases -n default
+```
+
+To delete podinfo's Helm repository and release from your cluster run:
+
+```sh
+flux -n default delete source helm podinfo
+flux -n default delete helmrelease podinfo
+```
+
+If you wish to manage the lifecycle of your applications in a **GitOps** manner, check out
+this [workflow example](https://github.com/fluxcd/flux2-kustomize-helm-example)
+for multi-env deployments with Flux, Kustomize and Helm.

charts/ngrok/.helmignore

@@ -1,21 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj

charts/ngrok/Chart.yaml

@@ -1,5 +0,0 @@
-apiVersion: v1
-appVersion: "1.0"
-description: A Ngrok Helm chart for Kubernetes
-name: ngrok
-version: 0.2.0

charts/ngrok/README.md

@@ -1,64 +0,0 @@
-# Ngrok
-
-Expose Kubernetes service with [Ngrok](https://ngrok.com).
-
-## Installing the Chart
-
-To install the chart with the release name `my-release`:
-
-```console
-$ helm install sp/ngrok --name my-release \
-  --set token=NGROK-TOKEN \
-  --set expose.service=podinfo:9898
-```
-
-The command deploys Ngrok on the Kubernetes cluster in the default namespace.
-The [configuration](#configuration) section lists the parameters that can be configured during installation.
-
-## Uninstalling the Chart
-
-To uninstall/delete the `my-release` deployment:
-
-```console
-$ helm delete --purge my-release
-```
-
-The command removes all the Kubernetes components associated with the chart and deletes the release.
-
-## Configuration
-
-The following tables lists the configurable parameters of the Grafana chart and their default values.
-
-Parameter | Description | Default
---- | --- | ---
-`image.repository` | Image repository | `stefanprodan/ngrok`
-`image.pullPolicy` | Image pull policy | `IfNotPresent`
-`image.tag` | Image tag | `latest`
-`replicaCount` | desired number of pods | `1`
-`tolerations` | List of node taints to tolerate | `[]`
-`affinity` | node/pod affinities | `node`
-`nodeSelector` | node labels for pod assignment | `{}`
-`service.type` | type of service | `ClusterIP`
-`token` | Ngrok auth token | `none`
-`expose.service` | Service address to be exposed as in `service-name:port` | `none`
-`subdomain` | Ngrok subdomain | `none`
-
-Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
-
-```console
-$ helm upgrade --install --wait tunel \
-  --set token=NGROK-TOKEN \
-  --set service.type=NodePort \
-  --set expose.service=podinfo:9898 \
-  sp/ngrok
-```
-
-Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example,
-
-```console
-$ helm install sp/grafana --name my-release -f values.yaml
-```
-
-> **Tip**: You can use the default [values.yaml](values.yaml)
-```
-

charts/ngrok/templates/NOTES.txt

@@ -1,15 +0,0 @@
-1. Get the application URL by running these commands:
-{{- if contains "NodePort" .Values.service.type }}
-  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "ngrok.fullname" . }})
-  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
-  echo http://$NODE_IP:$NODE_PORT
-{{- else if contains "LoadBalancer" .Values.service.type }}
-     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
-           You can watch the status of by running 'kubectl get svc -w {{ template "ngrok.fullname" . }}'
-  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "ngrok.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
-  echo http://$SERVICE_IP:{{ .Values.service.port }}
-{{- else if contains "ClusterIP" .Values.service.type }}
-  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "ngrok.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
-  echo "Visit http://127.0.0.1:8080 to use your application"
-  kubectl port-forward $POD_NAME 8080:80
-{{- end }}

charts/ngrok/templates/_helpers.tpl

@@ -1,32 +0,0 @@
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "ngrok.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "ngrok.fullname" -}}
-{{- if .Values.fullnameOverride -}}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "ngrok.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
-{{- end -}}

charts/ngrok/templates/config.yaml

@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: {{ template "ngrok.fullname" . }}
-data:
-  ngrok.yml: |-
-    web_addr: 0.0.0.0:4040
-    update: false
-    log: stdout
-{{- if .Values.token }}
-    authtoken: {{ .Values.token }}
-{{- end }}

charts/ngrok/templates/deployment.yaml

@@ -1,65 +0,0 @@
-apiVersion: apps/v1beta2
-kind: Deployment
-metadata:
-  name: {{ template "ngrok.fullname" . }}
-  labels:
-    app: {{ template "ngrok.name" . }}
-    chart: {{ template "ngrok.chart" . }}
-    release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
-spec:
-  replicas: {{ .Values.replicaCount }}
-  selector:
-    matchLabels:
-      app: {{ template "ngrok.name" . }}
-      release: {{ .Release.Name }}
-  template:
-    metadata:
-      labels:
-        app: {{ template "ngrok.name" . }}
-        release: {{ .Release.Name }}
-      annotations:
-        prometheus.io/scrape: 'false'
-    spec:
-      containers:
-        - name: {{ .Chart.Name }}
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
-          command:
-            - ./ngrok
-            - http
-            {{- if .Values.subdomain }}
-            - --subdomain={{ .Values.subdomain }}
-            {{- end }}
-            - {{ .Values.expose.service }}
-          volumeMounts:
-          - name: config
-            mountPath: /home/ngrok/.ngrok2
-          ports:
-            - name: http
-              containerPort: 4040
-              protocol: TCP
-          livenessProbe:
-            httpGet:
-              path: /api/tunnels
-              port: http
-            initialDelaySeconds: 10
-            periodSeconds: 30
-          resources:
-{{ toYaml .Values.resources | indent 12 }}
-    {{- with .Values.nodeSelector }}
-      nodeSelector:
-{{ toYaml . | indent 8 }}
-    {{- end }}
-    {{- with .Values.affinity }}
-      affinity:
-{{ toYaml . | indent 8 }}
-    {{- end }}
-    {{- with .Values.tolerations }}
-      tolerations:
-{{ toYaml . | indent 8 }}
-    {{- end }}
-      volumes:
-      - name: config
-        configMap:
-          name: {{ template "ngrok.fullname" . }}

charts/ngrok/templates/service.yaml

@@ -1,19 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ template "ngrok.fullname" . }}
-  labels:
-    app: {{ template "ngrok.name" . }}
-    chart: {{ template "ngrok.chart" . }}
-    release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
-spec:
-  type: {{ .Values.service.type }}
-  ports:
-    - port: {{ .Values.service.port }}
-      targetPort: http
-      protocol: TCP
-      name: http
-  selector:
-    app: {{ template "ngrok.name" . }}
-    release: {{ .Release.Name }}

charts/ngrok/values.yaml

@@ -1,27 +0,0 @@
-# Default values for ngrok.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-
-replicaCount: 1
-
-image:
-  repository: stefanprodan/ngrok
-  tag: latest
-  pullPolicy: IfNotPresent
-
-service:
-  type: ClusterIP
-  port: 4040
-
-expose:
-  service: ga-podinfo:9898
-
-token: 4i3rDinhLqMHtvez71N9S_38rkS7onwv77VFNZTaUR6
-
-nodeSelector: {}
-
-tolerations: []
-
-affinity: {}
-
-subdomain:

charts/podinfo/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
-version: 3.3.0
-appVersion: 3.3.0
+version: 6.1.3
+appVersion: 6.1.3
 name: podinfo
 engine: gotpl
 description: Podinfo Helm chart for Kubernetes
@@ -10,3 +10,4 @@ maintainers:
   name: stefanprodan
 sources:
 - https://github.com/stefanprodan/podinfo
+kubeVersion: ">=1.19.0-0"

charts/podinfo/LICENSE

@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright 2018 Stefan Prodan. All rights reserved.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

charts/podinfo/README.md

@@ -1,15 +1,20 @@
 # Podinfo
 
-Podinfo is a tiny web application made with Go 
+Podinfo is a tiny web application made with Go
 that showcases best practices of running microservices in Kubernetes.
 
+Podinfo is used by CNCF projects like [Flux](https://github.com/fluxcd/flux2)
+and [Flagger](https://github.com/fluxcd/flagger)
+for end-to-end testing and workshops.
+
 ## Installing the Chart
 
 To install the chart with the release name `my-release`:
 
 ```console
-$ helm repo add sp https://stefanprodan.github.io/podinfo
-$ helm upgrade my-release --install sp/podinfo 
+$ helm repo add podinfo https://stefanprodan.github.io/podinfo
+
+$ helm upgrade -i my-release podinfo/podinfo
 ```
 
 The command deploys podinfo on the Kubernetes cluster in the default namespace.
@@ -20,7 +25,7 @@ The [configuration](#configuration) section lists the parameters that can be con
 To uninstall/delete the `my-release` deployment:
 
 ```console
-$ helm delete --purge my-release
+$ helm delete my-release
 ```
 
 The command removes all the Kubernetes components associated with the chart and deletes the release.
@@ -32,10 +37,11 @@ The following tables lists the configurable parameters of the podinfo chart and
 Parameter | Default | Description
 --- | --- | ---
 `replicaCount` | `1` | Desired number of pods
-`logLevel` | `info` | Log level: `debug`, `info`, `warn`, `error`, `flat` or `panic`
+`logLevel` | `info` | Log level: `debug`, `info`, `warn`, `error`
 `backend` | `None` | Echo backend URL
 `backends` | `[]` | Array of echo backend URLs
-`cache` | `None` | Redis address in the format `<host>:<port>`
+`cache` | `None` | Redis address in the format `tcp://<host>:<port>`
+`redis.enabled` | `false` | Create Redis deployment for caching purposes
 `ui.color` | `#34577c` |  UI color
 `ui.message` | `None` |  UI greetings message
 `ui.logo` | `None` |  UI logo
@@ -45,7 +51,6 @@ Parameter | Default | Description
 `faults.unready` | `false` | When set, the ready state is never reached
 `faults.testFail` | `false` | When set, a helm test is included which always fails
 `faults.testTimeout` | `false` | When set, a helm test is included which always times out
-`h2c.enabled` | `false` | Allow upgrading to h2c
 `image.repository` | `stefanprodan/podinfo` | Image repository
 `image.tag` | `<VERSION>` | Image tag
 `image.pullPolicy` | `IfNotPresent` | Image pull policy
@@ -57,6 +62,7 @@ Parameter | Default | Description
 `service.grpcPort` | `9999` | ClusterIP gPRC port
 `service.grpcService` | `podinfo` | gPRC service name
 `service.nodePort` | `31198` | NodePort for the HTTP endpoint
+`h2c.enabled` | `false` | Allow upgrading to h2c (non-TLS version of HTTP/2)
 `hpa.enabled` | `false` | Enables the Kubernetes HPA
 `hpa.maxReplicas` | `10` | Maximum amount of pods
 `hpa.cpu` | `None` | Target CPU usage per pod
@@ -64,12 +70,14 @@ Parameter | Default | Description
 `hpa.requests` | `None` | Target HTTP requests per second per pod
 `serviceAccount.enabled` | `false` | Whether a service account should be created
 `serviceAccount.name` | `None` | The name of the service account to use, if not set and create is true, a name is generated using the fullname template
+`securityContext` | `{}` | The security context to be set on the podinfo container
 `linkerd.profile.enabled` | `false` | Create Linkerd service profile
 `serviceMonitor.enabled` | `false` | Whether a Prometheus Operator service monitor should be created
 `serviceMonitor.interval` | `15s` | Prometheus scraping interval
+`serviceMonitor.additionalLabels` | `{}` | Add additional labels to the service monitor |
 `ingress.enabled` | `false` | Enables Ingress
+`ingress.className ` | `""` | Use ingressClassName
 `ingress.annotations` | `{}` | Ingress annotations
-`ingress.path` | `/*` | Ingress path
 `ingress.hosts` | `[]` | Ingress accepted hosts
 `ingress.tls` | `[]` | Ingress TLS configuration
 `resources.requests.cpu` | `1m` | Pod CPU request
@@ -79,18 +87,37 @@ Parameter | Default | Description
 `nodeSelector` | `{}` | Node labels for pod assignment
 `tolerations` | `[]` | List of node taints to tolerate
 `affinity` | `None` | Node/pod affinities
+`podAnnotations` | `{}` | Pod annotations
 
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
 
 ```console
-$ helm install stable/podinfo --name my-release \
+$ helm install my-release podinfo/podinfo \
   --set=serviceMonitor.enabled=true,serviceMonitor.interval=5s
 ```
 
+To add custom annotations you need to escape the annotation key string:
+
+```console
+$ helm upgrade -i my-release podinfo/podinfo \
+--set podAnnotations."appmesh\.k8s\.aws\/preview"=enabled
+```
+
 Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example,
 
 ```console
-$ helm install stable/podinfo --name my-release -f values.yaml
+$ helm install my-release podinfo/podinfo -f values.yaml
 ```
 
 > **Tip**: You can use the default [values.yaml](values.yaml)
+
+## Upgrading the chart
+
+### To =< 5.0.0
+
+Version 5.0.0 is a major update.
+
+* The chart now follows the new Kubernetes label recommendations:
+<https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/>
+
+The simplest way to update is to do a force upgrade, which recreates the resources by doing a delete and an install.

charts/podinfo/templates/NOTES.txt

@@ -1,7 +1,9 @@
 1. Get the application URL by running these commands:
 {{- if .Values.ingress.enabled }}
-{{- range .Values.ingress.hosts }}
-  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ . }}{{ $.Values.ingress.path }}
+{{- range $host := .Values.ingress.hosts }}
+  {{- range .paths }}
+  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
+  {{- end }}
 {{- end }}
 {{- else if contains "NodePort" .Values.service.type }}
   export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "podinfo.fullname" . }})

charts/podinfo/templates/_helpers.tpl

@@ -1,10 +1,9 @@
-{{/* vim: set filetype=mustache: */}}
 {{/*
 Expand the name of the chart.
 */}}
 {{- define "podinfo.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
 
 {{/*
 Create a default fully qualified app name.
@@ -12,32 +11,59 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 If release name contains chart name it will be used as a full name.
 */}}
 {{- define "podinfo.fullname" -}}
-{{- if .Values.fullnameOverride -}}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
 
 {{/*
 Create chart name and version as used by the chart label.
 */}}
 {{- define "podinfo.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "podinfo.labels" -}}
+helm.sh/chart: {{ include "podinfo.chart" . }}
+{{ include "podinfo.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "podinfo.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "podinfo.fullname" . }}
+{{- end }}
 
 {{/*
 Create the name of the service account to use
 */}}
 {{- define "podinfo.serviceAccountName" -}}
-{{- if .Values.serviceAccount.enabled -}}
-    {{ default (include "podinfo.fullname" .) .Values.serviceAccount.name }}
-{{- else -}}
-    {{ default "default" .Values.serviceAccount.name }}
-{{- end -}}
-{{- end -}}
+{{- if .Values.serviceAccount.enabled }}
+{{- default (include "podinfo.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create the name of the tls secret for secure port
+*/}}
+{{- define "podinfo.tlsSecretName" -}}
+{{- $fullname := include "podinfo.fullname" . -}}
+{{- default (printf "%s-tls" $fullname) .Values.tls.secretName }}
+{{- end }}

charts/podinfo/templates/certificate.yaml

@@ -0,0 +1,16 @@
+{{- if .Values.certificate.create -}}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ template "podinfo.fullname" . }}
+  labels:
+    {{- include "podinfo.labels" . | nindent 4 }}
+spec:
+  dnsNames:
+  {{- range .Values.certificate.dnsNames }}
+    - {{ . | quote }}
+  {{- end }}
+  secretName: {{ template "podinfo.tlsSecretName" . }}
+  issuerRef:
+  {{- .Values.certificate.issuerRef | toYaml | trimSuffix "\n" | nindent 4 }}
+{{- end }}

charts/podinfo/templates/deployment.yaml

@@ -3,10 +3,7 @@ kind: Deployment
 metadata:
   name: {{ template "podinfo.fullname" . }}
   labels:
-    app: {{ template "podinfo.fullname" . }}
-    chart: {{ template "podinfo.chart" . }}
-    release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
+    {{- include "podinfo.labels" . | nindent 4 }}
 spec:
   {{- if not .Values.hpa.enabled }}
   replicas: {{ .Values.replicaCount }}
@@ -17,14 +14,17 @@ spec:
       maxUnavailable: 1
   selector:
     matchLabels:
-      app: {{ template "podinfo.fullname" . }}
+      {{- include "podinfo.selectorLabels" . | nindent 6 }}
   template:
     metadata:
       labels:
-        app: {{ template "podinfo.fullname" . }}
+        {{- include "podinfo.selectorLabels" . | nindent 8 }}
       annotations:
         prometheus.io/scrape: "true"
         prometheus.io/port: "{{ .Values.service.httpPort }}"
+        {{- range $key, $value := .Values.podAnnotations }}
+        {{ $key }}: {{ $value | quote }}
+        {{- end }}
     spec:
       terminationGracePeriodSeconds: 30
       {{- if .Values.serviceAccount.enabled }}
@@ -34,9 +34,30 @@ spec:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- if .Values.securityContext }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          {{- else if (or .Values.service.hostPort .Values.tls.hostPort) }}
+          securityContext:
+            allowPrivilegeEscalation: true
+            capabilities:
+              drop:
+                - ALL
+              add:
+                - NET_BIND_SERVICE
+          {{- end }}
           command:
             - ./podinfo
             - --port={{ .Values.service.httpPort | default 9898 }}
+            {{- if .Values.host }}
+            - --host={{ .Values.host }}
+            {{- end }}
+            {{- if .Values.tls.enabled }}
+            - --secure-port={{ .Values.tls.port }}
+            {{- end }}
+            {{- if .Values.tls.certPath }}
+            - --cert-path={{ .Values.tls.certPath }}
+            {{- end }}
             {{- if .Values.service.metricsPort }}
             - --port-metrics={{ .Values.service.metricsPort }}
             {{- end }}
@@ -51,6 +72,8 @@ spec:
             {{- end }}
             {{- if .Values.cache }}
             - --cache-server={{ .Values.cache }}
+            {{- else if .Values.redis.enabled }}
+            - --cache-server=tcp://{{ template "podinfo.fullname" . }}-redis:6379
             {{- end }}
             - --level={{ .Values.logLevel }}
             - --random-delay={{ .Values.faults.delay }}
@@ -75,7 +98,7 @@ spec:
           {{- end }}
           {{- if .Values.ui.color }}
           - name: PODINFO_UI_COLOR
-            value: {{ .Values.ui.color }}
+            value: {{ quote .Values.ui.color }}
           {{- end }}
           {{- if .Values.backend }}
           - name: PODINFO_BACKEND_URL
@@ -85,6 +108,17 @@ spec:
             - name: http
               containerPort: {{ .Values.service.httpPort | default 9898 }}
               protocol: TCP
+              {{- if .Values.service.hostPort }}
+              hostPort: {{ .Values.service.hostPort }}
+              {{- end }}
+            {{- if .Values.tls.enabled }}
+            - name: https
+              containerPort: {{ .Values.tls.port | default 9899 }}
+              protocol: TCP
+              {{- if .Values.tls.hostPort }}
+              hostPort: {{ .Values.tls.hostPort }}
+              {{- end }}
+            {{- end }}
             {{- if .Values.service.metricsPort }}
             - name: http-metrics
               containerPort: {{ .Values.service.metricsPort }}
@@ -116,6 +150,11 @@ spec:
           volumeMounts:
           - name: data
             mountPath: /data
+          {{- if .Values.tls.enabled }}
+          - name: tls
+            mountPath: {{ .Values.tls.certPath | default "/data/cert" }}
+            readOnly: true
+          {{- end }}
           resources:
 {{ toYaml .Values.resources | indent 12 }}
     {{- with .Values.nodeSelector }}
@@ -133,3 +172,8 @@ spec:
       volumes:
       - name: data
         emptyDir: {}
+      {{- if .Values.tls.enabled }}
+      - name: tls
+        secret:
+          secretName: {{ template "podinfo.tlsSecretName" . }}
+      {{- end }}

charts/podinfo/templates/hpa.yaml

@@ -1,8 +1,10 @@
 {{- if .Values.hpa.enabled -}}
-apiVersion: autoscaling/v2beta1
+apiVersion: autoscaling/v2beta2
 kind: HorizontalPodAutoscaler
 metadata:
   name: {{ template "podinfo.fullname" . }}
+  labels:
+    {{- include "podinfo.labels" . | nindent 4 }}  
 spec:
   scaleTargetRef:
     apiVersion: apps/v1
@@ -15,18 +17,25 @@ spec:
   - type: Resource
     resource:
       name: cpu
-      targetAverageUtilization: {{ .Values.hpa.cpu }}
+      target:
+        type: Utilization
+        averageUtilization: {{ .Values.hpa.cpu }}
   {{- end }}
   {{- if .Values.hpa.memory }}
   - type: Resource
     resource:
       name: memory
-      targetAverageValue: {{ .Values.hpa.memory }}
+      target:
+        type: AverageValue
+        averageValue: {{ .Values.hpa.memory }}
   {{- end }}
   {{- if .Values.hpa.requests }}
-  - type: Pod
-      pods:
-        metricName: http_requests
-        targetAverageValue: {{ .Values.hpa.requests }}
+  - type: Pods
+    pods:
+      metric:
+        name: http_requests
+      target:
+        type: AverageValue
+        averageValue: {{ .Values.hpa.requests }}
   {{- end }}
 {{- end }}

charts/podinfo/templates/ingress.yaml

@@ -1,46 +1,41 @@
 {{- if .Values.ingress.enabled -}}
 {{- $fullName := include "podinfo.fullname" . -}}
-{{- $ingressPath := .Values.ingress.path -}}
-apiVersion: extensions/v1beta1
+{{- $svcPort := .Values.service.externalPort -}}
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: {{ $fullName }}
   labels:
-    app: {{ template "podinfo.name" . }}
-    chart: {{ template "podinfo.chart" . }}
-    release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
-{{- with .Values.ingress.annotations }}
+    {{- include "podinfo.labels" . | nindent 4 }}
+  {{- with .Values.ingress.annotations }}
   annotations:
-{{ toYaml . | indent 4 }}
-{{- end }}
-spec:
-{{- if .Values.ingress.tls }}
-  tls:
-  {{- range .Values.ingress.tls }}
-    - hosts:
-      {{- range .hosts }}
-        - {{ . }}
-      {{- end }}
-      secretName: {{ .secretName }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  ingressClassName: {{ .Values.ingress.className }}
+  {{- if .Values.ingress.tls }}
+  tls:
+    {{- range .Values.ingress.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
   {{- end }}
-{{- end }}
   rules:
-  {{- range .Values.ingress.hosts }}
-    - host: {{ . }}
+    {{- range .Values.ingress.hosts }}
+    - host: {{ .host | quote }}
       http:
         paths:
-          - path: {{ $ingressPath }}
+          {{- range .paths }}
+          - path: {{ .path }}
+            pathType: {{ .pathType }}
             backend:
-              serviceName: {{ $fullName }}
-              servicePort: http
-  {{- end }}
-  {{- if not .Values.ingress.hosts }}
-    - http:
-        paths:
-          - path: {{ $ingressPath }}
-            backend:
-              serviceName: {{ $fullName }}
-              servicePort: http
-  {{- end }}
+              service:
+                name: {{ $fullName }}
+                port:
+                  number: {{ $svcPort }}
+          {{- end }}
+    {{- end }}
 {{- end }}

charts/podinfo/templates/linkerd.yaml

@@ -3,6 +3,8 @@ apiVersion: linkerd.io/v1alpha2
 kind: ServiceProfile
 metadata:
   name: {{ template "podinfo.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local
+  labels:
+    {{- include "podinfo.labels" . | nindent 4 }}  
 spec:
   routes:
     - condition:
@@ -61,6 +63,14 @@ spec:
         method: GET
         pathRegex: /status/[^/]*
       name: GET /status/{code}
+    - condition:
+        method: POST
+        pathRegex: /cache
+      name: POST /cache
+    - condition:
+        method: GET
+        pathRegex: /cache/[^/]*
+      name: GET /cache/{hash}
     - condition:
         method: POST
         pathRegex: /store

charts/podinfo/templates/redis/config.yaml

@@ -0,0 +1,12 @@
+{{- if .Values.redis.enabled -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "podinfo.fullname" . }}-redis
+data:
+  redis.conf: |
+    maxmemory 64mb
+    maxmemory-policy allkeys-lru
+    save ""
+    appendonly no
+{{- end }}

charts/podinfo/templates/redis/deployment.yaml

@@ -0,0 +1,68 @@
+{{- if .Values.redis.enabled -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "podinfo.fullname" . }}-redis
+  labels:
+    app: {{ template "podinfo.fullname" . }}-redis
+spec:
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: {{ template "podinfo.fullname" . }}-redis
+  template:
+    metadata:
+      labels:
+        app: {{ template "podinfo.fullname" . }}-redis
+      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/redis/config.yaml") . | sha256sum | quote }}
+    spec:
+      {{- if .Values.serviceAccount.enabled }}
+      serviceAccountName: {{ template "podinfo.serviceAccountName" . }}
+      {{- end }}
+      containers:
+        - name: redis
+          image: "{{ .Values.redis.repository }}:{{ .Values.redis.tag }}"
+          imagePullPolicy: IfNotPresent
+          command:
+            - redis-server
+            - "/redis-master/redis.conf"
+          ports:
+            - name: redis
+              containerPort: 6379
+              protocol: TCP
+          livenessProbe:
+            tcpSocket:
+              port: redis
+            initialDelaySeconds: 5
+            timeoutSeconds: 5
+          readinessProbe:
+            exec:
+              command:
+                - redis-cli
+                - ping
+            initialDelaySeconds: 5
+            timeoutSeconds: 5
+          resources:
+            limits:
+              cpu: 1000m
+              memory: 128Mi
+            requests:
+              cpu: 100m
+              memory: 32Mi
+          volumeMounts:
+            - mountPath: /var/lib/redis
+              name: data
+            - mountPath: /redis-master
+              name: config
+      volumes:
+        - name: data
+          emptyDir: {}
+        - name: config
+          configMap:
+            name: {{ template "podinfo.fullname" . }}-redis
+            items:
+              - key: redis.conf
+                path: redis.conf
+{{- end }}

charts/podinfo/templates/redis/service.yaml

@@ -0,0 +1,17 @@
+{{- if .Values.redis.enabled -}}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "podinfo.fullname" . }}-redis
+  labels:
+    app: {{ template "podinfo.fullname" . }}-redis
+spec:
+  type: ClusterIP
+  selector:
+    app: {{ template "podinfo.fullname" . }}-redis
+  ports:
+    - name: redis
+      port: 6379
+      protocol: TCP
+      targetPort: redis
+{{- end }}

charts/podinfo/templates/service.yaml

@@ -4,10 +4,11 @@ kind: Service
 metadata:
   name: {{ template "podinfo.fullname" . }}
   labels:
-    app: {{ template "podinfo.name" . }}
-    chart: {{ template "podinfo.chart" . }}
-    release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
+    {{- include "podinfo.labels" . | nindent 4 }}
+{{- with .Values.service.annotations }}
+  annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
 spec:
   type: {{ .Values.service.type }}
   ports:
@@ -18,6 +19,12 @@ spec:
       {{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePort))) }}
       nodePort: {{ .Values.service.nodePort }}
       {{- end }}
+    {{- if .Values.tls.enabled }}
+    - port: {{ .Values.tls.port | default 9899 }}
+      targetPort: https
+      protocol: TCP
+      name: https
+    {{- end }}
     {{- if .Values.service.grpcPort }}
     - port: {{ .Values.service.grpcPort }}
       targetPort: grpc
@@ -25,5 +32,5 @@ spec:
       name: grpc
     {{- end }}
   selector:
-    app: {{ template "podinfo.fullname" . }}
-{{- end }}
+    {{- include "podinfo.selectorLabels" . | nindent 4 }}
+{{- end }}

charts/podinfo/templates/serviceaccount.yaml

@@ -4,8 +4,5 @@ kind: ServiceAccount
 metadata:
   name: {{ template "podinfo.serviceAccountName" . }}
   labels:
-    app: {{ template "podinfo.name" . }}
-    chart: {{ template "podinfo.chart" . }}
-    release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
+    {{- include "podinfo.labels" . | nindent 4 }}
 {{- end -}}

charts/podinfo/templates/servicemonitor.yaml

@@ -4,16 +4,19 @@ kind: ServiceMonitor
 metadata:
   name: {{ template "podinfo.fullname" . }}
   labels:
-    app: {{ template "podinfo.name" . }}
-    chart: {{ template "podinfo.chart" . }}
-    release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
+    {{- include "podinfo.labels" . | nindent 4 }}
+    {{- with .Values.serviceMonitor.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
 spec:
   endpoints:
     - path: /metrics
       port: http
       interval: {{ .Values.serviceMonitor.interval }}
+  namespaceSelector:
+    matchNames:
+      - {{ .Release.Namespace }}
   selector:
     matchLabels:
-      app: {{ template "podinfo.fullname" . }}
+      {{- include "podinfo.selectorLabels" . | nindent 6 }}
 {{- end }}

charts/podinfo/templates/tests/cache.yaml

@@ -0,0 +1,29 @@
+{{- if .Values.cache }}
+apiVersion: v1
+kind: Pod
+metadata:
+  name: {{ template "podinfo.fullname" . }}-cache-test-{{ randAlphaNum 5 | lower }}
+  labels:
+    {{- include "podinfo.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": test
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+    sidecar.istio.io/inject: "false"
+    linkerd.io/inject: disabled
+    appmesh.k8s.aws/sidecarInjectorWebhook: disabled
+spec:
+  containers:
+    - name: curl
+      image: curlimages/curl:7.69.0
+      command:
+        - sh
+        - -c
+        - |
+          curl -sd 'data' ${PODINFO_SVC}/cache/test &&
+          curl -s ${PODINFO_SVC}/cache/test | grep data &&
+          curl -s -XDELETE ${PODINFO_SVC}/cache/test
+      env:
+      - name: PODINFO_SVC
+        value: "{{ template "podinfo.fullname" . }}.{{ .Release.Namespace }}:{{ .Values.service.externalPort }}"
+  restartPolicy: Never
+{{- end }}

charts/podinfo/templates/tests/fail.yaml

@@ -1,26 +1,21 @@
-{{- if .Values.faults.test }}
-apiVersion: batch/v1
-kind: Job
+{{- if .Values.faults.testFail }}
+apiVersion: v1
+kind: Pod
 metadata:
   name: {{ template "podinfo.fullname" . }}-fault-test-{{ randAlphaNum 5 | lower }}
   labels:
-    heritage: {{ .Release.Service }}
-    release: {{ .Release.Name }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
-    app: {{ template "podinfo.name" . }}
+    {{- include "podinfo.labels" . | nindent 4 }}
   annotations:
-    "helm.sh/hook": test
+    "helm.sh/hook": test-success
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
     sidecar.istio.io/inject: "false"
     linkerd.io/inject: disabled
     appmesh.k8s.aws/sidecarInjectorWebhook: disabled
 spec:
-  template:
-    spec:
-      containers:
-        - name: fault
-          image: alpine:3.11
-          command: ['/bin/sh']
-          args:  ['-c', 'exit 1']
-      restartPolicy: Never
+  containers:
+    - name: fault
+      image: alpine:3.11
+      command: ['/bin/sh']
+      args:  ['-c', 'exit 1']
+  restartPolicy: Never
 {{- end }}

charts/podinfo/templates/tests/grpc.yaml

@@ -1,24 +1,19 @@
-apiVersion: batch/v1
-kind: Job
+apiVersion: v1
+kind: Pod
 metadata:
   name: {{ template "podinfo.fullname" . }}-grpc-test-{{ randAlphaNum 5 | lower }}
   labels:
-    heritage: {{ .Release.Service }}
-    release: {{ .Release.Name }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
-    app: {{ template "podinfo.name" . }}
+    {{- include "podinfo.labels" . | nindent 4 }}
   annotations:
-    "helm.sh/hook": test
+    "helm.sh/hook": test-success
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
     sidecar.istio.io/inject: "false"
     linkerd.io/inject: disabled
     appmesh.k8s.aws/sidecarInjectorWebhook: disabled
 spec:
-  template:
-    spec:
-      containers:
-        - name: grpc-health-probe
-          image: stefanprodan/grpc_health_probe:v0.3.0
-          command: ['grpc_health_probe']
-          args:  ['-addr={{ template "podinfo.fullname" . }}.{{ .Release.Namespace }}:{{ .Values.service.grpcPort }}']
-      restartPolicy: Never
+  containers:
+    - name: grpc-health-probe
+      image: stefanprodan/grpc_health_probe:v0.3.0
+      command: ['grpc_health_probe']
+      args:  ['-addr={{ template "podinfo.fullname" . }}.{{ .Release.Namespace }}:{{ .Values.service.grpcPort }}']
+  restartPolicy: Never

charts/podinfo/templates/tests/jwt.yaml

@@ -1,31 +1,26 @@
-apiVersion: batch/v1
-kind: Job
+apiVersion: v1
+kind: Pod
 metadata:
   name: {{ template "podinfo.fullname" . }}-jwt-test-{{ randAlphaNum 5 | lower }}
   labels:
-    heritage: {{ .Release.Service }}
-    release: {{ .Release.Name }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
-    app: {{ template "podinfo.name" . }}
+    {{- include "podinfo.labels" . | nindent 4 }}
   annotations:
-    "helm.sh/hook": test
+    "helm.sh/hook": test-success
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
     sidecar.istio.io/inject: "false"
     linkerd.io/inject: disabled
     appmesh.k8s.aws/sidecarInjectorWebhook: disabled
 spec:
-  template:
-    spec:
-      containers:
-        - name: tools
-          image: giantswarm/tiny-tools
-          command:
-            - sh
-            - -c
-            - |
-              TOKEN=$(curl -sd 'test' ${PODINFO_SVC}/token | jq -r .token) &&
-              curl -sH "Authorization: Bearer ${TOKEN}" ${PODINFO_SVC}/token/validate | grep test
-          env:
-          - name: PODINFO_SVC
-            value: "{{ template "podinfo.fullname" . }}.{{ .Release.Namespace }}:{{ .Values.service.externalPort }}"
-      restartPolicy: Never
+  containers:
+    - name: tools
+      image: giantswarm/tiny-tools
+      command:
+        - sh
+        - -c
+        - |
+          TOKEN=$(curl -sd 'test' ${PODINFO_SVC}/token | jq -r .token) &&
+          curl -sH "Authorization: Bearer ${TOKEN}" ${PODINFO_SVC}/token/validate | grep test
+      env:
+      - name: PODINFO_SVC
+        value: "{{ template "podinfo.fullname" . }}.{{ .Release.Namespace }}:{{ .Values.service.externalPort }}"
+  restartPolicy: Never

charts/podinfo/templates/tests/service.yaml

@@ -1,30 +1,25 @@
-apiVersion: batch/v1
-kind: Job
+apiVersion: v1
+kind: Pod
 metadata:
   name: {{ template "podinfo.fullname" . }}-service-test-{{ randAlphaNum 5 | lower }}
   labels:
-    heritage: {{ .Release.Service }}
-    release: {{ .Release.Name }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
-    app: {{ template "podinfo.name" . }}
+    {{- include "podinfo.labels" . | nindent 4 }}
   annotations:
-    "helm.sh/hook": test
+    "helm.sh/hook": test-success
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
     sidecar.istio.io/inject: "false"
     linkerd.io/inject: disabled
     appmesh.k8s.aws/sidecarInjectorWebhook: disabled
 spec:
-  template:
-    spec:
-      containers:
-        - name: curl
-          image: curlimages/curl:7.69.0
-          command:
-            - sh
-            - -c
-            - |
-              curl -s ${PODINFO_SVC}/api/info | grep version
-          env:
-            - name: PODINFO_SVC
-              value: "{{ template "podinfo.fullname" . }}.{{ .Release.Namespace }}:{{ .Values.service.externalPort }}"
-      restartPolicy: Never
+  containers:
+    - name: curl
+      image: curlimages/curl:7.69.0
+      command:
+        - sh
+        - -c
+        - |
+          curl -s ${PODINFO_SVC}/api/info | grep version
+      env:
+        - name: PODINFO_SVC
+          value: "{{ template "podinfo.fullname" . }}.{{ .Release.Namespace }}:{{ .Values.service.externalPort }}"
+  restartPolicy: Never

charts/podinfo/templates/tests/timeout.yaml

@@ -1,26 +1,21 @@
-{{- if .Values.faults.test }}
-apiVersion: batch/v1
-kind: Job
+{{- if .Values.faults.testTimeout }}
+apiVersion: v1
+kind: Pod
 metadata:
   name: {{ template "podinfo.fullname" . }}-fault-test-{{ randAlphaNum 5 | lower }}
   labels:
-    heritage: {{ .Release.Service }}
-    release: {{ .Release.Name }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
-    app: {{ template "podinfo.name" . }}
+    {{- include "podinfo.labels" . | nindent 4 }}
   annotations:
-    "helm.sh/hook": test
+    "helm.sh/hook": test-success
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
     sidecar.istio.io/inject: "false"
     linkerd.io/inject: disabled
     appmesh.k8s.aws/sidecarInjectorWebhook: disabled
 spec:
-  template:
-    spec:
-      containers:
-        - name: fault
-          image: alpine:3.11
-          command: ['/bin/sh']
-          args:  ['-c', 'while sleep 3600; do :; done']
-      restartPolicy: Never
+  containers:
+    - name: fault
+      image: alpine:3.11
+      command: ['/bin/sh']
+      args:  ['-c', 'while sleep 3600; do :; done']
+  restartPolicy: Never
 {{- end }}

charts/podinfo/templates/tests/tls.yaml

@@ -0,0 +1,27 @@
+{{- if .Values.tls.enabled -}}
+apiVersion: v1
+kind: Pod
+metadata:
+  name: {{ template "podinfo.fullname" . }}-tls-test-{{ randAlphaNum 5 | lower }}
+  labels:
+    {{- include "podinfo.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": test-success
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+    sidecar.istio.io/inject: "false"
+    linkerd.io/inject: disabled
+    appmesh.k8s.aws/sidecarInjectorWebhook: disabled
+spec:
+  containers:
+    - name: curl
+      image: curlimages/curl:7.69.0
+      command:
+        - sh
+        - -c
+        - |
+          curl -sk ${PODINFO_SVC}/api/info | grep version
+      env:
+        - name: PODINFO_SVC
+          value: "https://{{ template "podinfo.fullname" . }}.{{ .Release.Namespace }}:{{ .Values.tls.port }}"
+  restartPolicy: Never
+{{- end }}

charts/podinfo/values-prod.yaml

@@ -0,0 +1,137 @@
+# Production values for podinfo.
+# Includes Redis deployment and memory limits.
+
+replicaCount: 1
+logLevel: info
+backend: #http://backend-podinfo:9898/echo
+backends: []
+
+image:
+  repository: ghcr.io/stefanprodan/podinfo
+  tag: 6.1.3
+  pullPolicy: IfNotPresent
+
+ui:
+  color: "#34577c"
+  message: ""
+  logo: ""
+
+# failure conditions
+faults:
+  delay: false
+  error: false
+  unhealthy: false
+  unready: false
+  testFail: false
+  testTimeout: false
+
+# Kubernetes Service settings
+service:
+  enabled: true
+  annotations: {}
+  type: ClusterIP
+  metricsPort: 9797
+  httpPort: 9898
+  externalPort: 9898
+  grpcPort: 9999
+  grpcService: podinfo
+  nodePort: 31198
+
+# enable h2c protocol (non-TLS version of HTTP/2)
+h2c:
+  enabled: false
+
+# enable tls on the podinfo service
+tls:
+  enabled: false
+  # the name of the secret used to mount the certificate key pair
+  secretName:
+  # the path where the certificate key pair will be mounted
+  certPath: /data/cert
+  # the port used to host the tls endpoint on the service
+  port: 9899
+  # the port used to bind the tls port to the host
+  # NOTE: requires privileged container with NET_BIND_SERVICE capability -- this is useful for testing
+  # in local clusters such as kind without port forwarding
+  hostPort:
+
+# create a certificate manager certificate (cert-manager required)
+certificate:
+  create: false
+  # the issuer used to issue the certificate
+  issuerRef:
+    kind: ClusterIssuer
+    name: self-signed
+  # the hostname / subject alternative names for the certificate
+  dnsNames:
+    - podinfo
+
+# metrics-server add-on required
+hpa:
+  enabled: true
+  maxReplicas: 5
+  # average total CPU usage per pod (1-100)
+  cpu: 99
+  # average memory usage per pod (100Mi-1Gi)
+  memory:
+  # average http requests per second per pod (k8s-prometheus-adapter)
+  requests:
+
+# Redis address in the format tcp://<host>:<port>
+cache: ""
+# Redis deployment
+redis:
+  enabled: true
+  repository: redis
+  tag: 6.0.8
+
+serviceAccount:
+  # Specifies whether a service account should be created
+  enabled: false
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name:
+
+# set container security context
+securityContext: {}
+
+ingress:
+  enabled: false
+  className: ""
+  annotations: {}
+    # kubernetes.io/ingress.class: nginx
+    # kubernetes.io/tls-acme: "true"
+  hosts:
+    - host: podinfo.local
+      paths:
+        - path: /
+          pathType: ImplementationSpecific
+  tls: []
+  #  - secretName: chart-example-tls
+  #    hosts:
+  #      - chart-example.local
+
+linkerd:
+  profile:
+    enabled: false
+
+# create Prometheus Operator monitor
+serviceMonitor:
+  enabled: false
+  interval: 15s
+  additionalLabels: {}
+
+resources:
+  limits:
+    memory: 256Mi
+  requests:
+    cpu: 100m
+    memory: 64Mi
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+podAnnotations: {}

charts/podinfo/values.yaml

@@ -2,15 +2,21 @@
 
 replicaCount: 1
 logLevel: info
+host: #0.0.0.0
 backend: #http://backend-podinfo:9898/echo
 backends: []
-cache: ""
+
+image:
+  repository: ghcr.io/stefanprodan/podinfo
+  tag: 6.1.3
+  pullPolicy: IfNotPresent
 
 ui:
   color: "#34577c"
   message: ""
   logo: ""
 
+# failure conditions
 faults:
   delay: false
   error: false
@@ -19,16 +25,10 @@ faults:
   testFail: false
   testTimeout: false
 
-h2c:
-  enabled: false
-
-image:
-  repository: stefanprodan/podinfo
-  tag: 3.3.0
-  pullPolicy: IfNotPresent
-
+# Kubernetes Service settings
 service:
   enabled: true
+  annotations: {}
   type: ClusterIP
   metricsPort: 9797
   httpPort: 9898
@@ -36,6 +36,39 @@ service:
   grpcPort: 9999
   grpcService: podinfo
   nodePort: 31198
+  # the port used to bind the http port to the host
+  # NOTE: requires privileged container with NET_BIND_SERVICE capability -- this is useful for testing
+  # in local clusters such as kind without port forwarding
+  hostPort:
+
+# enable h2c protocol (non-TLS version of HTTP/2)
+h2c:
+  enabled: false
+
+# enable tls on the podinfo service
+tls:
+  enabled: false
+  # the name of the secret used to mount the certificate key pair
+  secretName:
+  # the path where the certificate key pair will be mounted
+  certPath: /data/cert
+  # the port used to host the tls endpoint on the service
+  port: 9899
+  # the port used to bind the tls port to the host
+  # NOTE: requires privileged container with NET_BIND_SERVICE capability -- this is useful for testing
+  # in local clusters such as kind without port forwarding
+  hostPort:
+
+# create a certificate manager certificate (cert-manager required)
+certificate:
+  create: false
+  # the issuer used to issue the certificate
+  issuerRef:
+    kind: ClusterIssuer
+    name: self-signed
+  # the hostname / subject alternative names for the certificate
+  dnsNames:
+    - podinfo
 
 # metrics-server add-on required
 hpa:
@@ -48,6 +81,14 @@ hpa:
   # average http requests per second per pod (k8s-prometheus-adapter)
   requests:
 
+# Redis address in the format tcp://<host>:<port>
+cache: ""
+# Redis deployment
+redis:
+  enabled: false
+  repository: redis
+  tag: 6.0.8
+
 serviceAccount:
   # Specifies whether a service account should be created
   enabled: false
@@ -55,27 +96,35 @@ serviceAccount:
   # If not set and create is true, a name is generated using the fullname template
   name:
 
-linkerd:
-  profile:
-    enabled: false
-
-serviceMonitor:
-  enabled: false
-  interval: 15s
+# set container security context
+securityContext: {}
 
 ingress:
   enabled: false
+  className: ""
   annotations: {}
     # kubernetes.io/ingress.class: nginx
     # kubernetes.io/tls-acme: "true"
-  path: /*
-  hosts: []
-#    - podinfo.local
+  hosts:
+    - host: podinfo.local
+      paths:
+        - path: /
+          pathType: ImplementationSpecific
   tls: []
   #  - secretName: chart-example-tls
   #    hosts:
   #      - chart-example.local
 
+linkerd:
+  profile:
+    enabled: false
+
+# create Prometheus Operator monitor
+serviceMonitor:
+  enabled: false
+  interval: 15s
+  additionalLabels: {}
+
 resources:
   limits:
   requests:
@@ -88,3 +137,4 @@ tolerations: []
 
 affinity: {}
 
+podAnnotations: {}

cmd/podcli/code.go

@@ -1,365 +0,0 @@
-package main
-
-import (
-	"fmt"
-	"io"
-	"io/ioutil"
-	"log"
-	"os"
-	"os/exec"
-	"path"
-	"path/filepath"
-	"regexp"
-	"strings"
-
-	"github.com/hashicorp/go-getter"
-	"github.com/spf13/cobra"
-)
-
-var (
-	codeProjectName string
-	codeGitUser     string
-	codeVersion     string
-	codeProjectPath string
-)
-
-var codeCmd = &cobra.Command{
-	Use:   `code`,
-	Short: "Code commands",
-}
-
-var codeInitCmd = &cobra.Command{
-	Use:     `init [name]`,
-	Short:   "initialize podinfo code repo",
-	Example: `  code init demo-app --version=v1.2.0 --git-user=stefanprodan`,
-	RunE:    runCodeInit,
-}
-
-func init() {
-	codeInitCmd.Flags().StringVar(&codeGitUser, "git-user", "", "GitHub user or org")
-	codeInitCmd.Flags().StringVar(&codeVersion, "version", "master", "podinfo repo tag or branch name")
-	codeInitCmd.Flags().StringVar(&codeProjectPath, "path", ".", "destination repo")
-
-	codeCmd.AddCommand(codeInitCmd)
-
-	rootCmd.AddCommand(codeCmd)
-}
-
-func runCodeInit(cmd *cobra.Command, args []string) error {
-
-	if len(codeGitUser) < 0 {
-		return fmt.Errorf("--git-user is required")
-	}
-	if len(args) < 1 {
-		return fmt.Errorf("project name is required")
-	}
-
-	codeProjectName = args[0]
-
-	pwd, err := os.Getwd()
-	if err != nil {
-		log.Fatalf("Error getting pwd: %s", err)
-		os.Exit(1)
-	}
-
-	tmpPath := "/tmp/k8s-podinfo"
-	versionName := fmt.Sprintf("k8s-podinfo-%s", codeVersion)
-
-	downloadURL := fmt.Sprintf("https://github.com/stefanprodan/podinfo/archive/%s.zip", codeVersion)
-	client := &getter.Client{
-		Src:  downloadURL,
-		Dst:  tmpPath,
-		Pwd:  pwd,
-		Mode: getter.ClientModeAny,
-	}
-
-	fmt.Printf("Downloading %s\n", downloadURL)
-
-	if err := client.Get(); err != nil {
-		log.Fatalf("Error downloading: %s", err)
-		os.Exit(1)
-	}
-
-	pkgFrom := "github.com/stefanprodan/podinfo"
-	pkgTo := fmt.Sprintf("github.com/%s/%s", codeGitUser, codeProjectName)
-
-	if err := replaceImports(tmpPath, pkgFrom, pkgTo); err != nil {
-		log.Fatalf("Error parsing imports: %s", err)
-		os.Exit(1)
-	}
-
-	dirs := []string{"pkg", "cmd", "ui", "vendor", ".github"}
-	for _, dir := range dirs {
-
-		err = os.MkdirAll(path.Join(codeProjectPath, dir), os.ModePerm)
-		if err != nil {
-			log.Fatalf("Error: %s", err)
-			os.Exit(1)
-		}
-		if err := copyDir(path.Join(tmpPath, versionName, dir), path.Join(codeProjectPath, dir)); err != nil {
-			log.Fatalf("Error: %s", err)
-			os.Exit(1)
-		}
-	}
-
-	files := []string{"Gopkg.toml", "Gopkg.lock"}
-	for _, file := range files {
-		if err := copyFile(path.Join(tmpPath, versionName, file), path.Join(codeProjectPath, file)); err != nil {
-			log.Fatalf("Error: %s", err)
-			os.Exit(1)
-		}
-
-		fileContent, err := ioutil.ReadFile(path.Join(codeProjectPath, file))
-		if err != nil {
-			log.Fatalf("Error: %s", err)
-			os.Exit(1)
-		}
-
-		newContent := strings.Replace(string(fileContent), pkgFrom, pkgTo, -1)
-		err = ioutil.WriteFile(path.Join(codeProjectPath, file), []byte(newContent), os.ModePerm)
-		if err != nil {
-			log.Fatalf("Error: %s", err)
-			os.Exit(1)
-		}
-	}
-
-	projFrom := "stefanprodan/podinfo"
-	projTo := fmt.Sprintf("%s/%s", codeGitUser, codeProjectName)
-
-	makeFiles := []string{"Makefile.gh", "Dockerfile.gh"}
-	for _, file := range makeFiles {
-		fileContent, err := ioutil.ReadFile(path.Join(tmpPath, versionName, file))
-		if err != nil {
-			log.Fatalf("Error: %s", err)
-			os.Exit(1)
-		}
-
-		destFile := strings.Replace(file, ".gh", "", -1)
-		newContent := strings.Replace(string(fileContent), projFrom, projTo, -1)
-		err = ioutil.WriteFile(path.Join(codeProjectPath, destFile), []byte(newContent), os.ModePerm)
-		if err != nil {
-			log.Fatalf("Error: %s", err)
-			os.Exit(1)
-		}
-	}
-
-	workflows := []string{".github/main.workflow"}
-	for _, file := range workflows {
-		fileContent, err := ioutil.ReadFile(path.Join(codeProjectPath, file))
-		if err != nil {
-			log.Fatalf("Error: %s", err)
-			os.Exit(1)
-		}
-
-		newContent := strings.Replace(string(fileContent), "Dockerfile.gh", "Dockerfile", -1)
-		err = ioutil.WriteFile(path.Join(codeProjectPath, file), []byte(newContent), os.ModePerm)
-		if err != nil {
-			log.Fatalf("Error: %s", err)
-			os.Exit(1)
-		}
-	}
-
-	dockerFiles := []string{"Dockerfile.ci"}
-	for _, file := range dockerFiles {
-		fileContent, err := ioutil.ReadFile(path.Join(tmpPath, versionName, file))
-		if err != nil {
-			log.Fatalf("Error: %s", err)
-			os.Exit(1)
-		}
-
-		newContent := strings.Replace(string(fileContent), projFrom, projTo, -1)
-		err = ioutil.WriteFile(path.Join(codeProjectPath, file), []byte(newContent), os.ModePerm)
-		if err != nil {
-			log.Fatalf("Error: %s", err)
-			os.Exit(1)
-		}
-	}
-
-	travisFiles := []string{"travis.lite.yml"}
-	for _, file := range travisFiles {
-		fileContent, err := ioutil.ReadFile(path.Join(tmpPath, versionName, file))
-		if err != nil {
-			log.Fatalf("Error: %s", err)
-			os.Exit(1)
-		}
-
-		destFile := strings.Replace(file, "travis.lite.yml", ".travis.yml", -1)
-		newContent := strings.Replace(string(fileContent), projFrom, projTo, -1)
-		err = ioutil.WriteFile(path.Join(codeProjectPath, destFile), []byte(newContent), os.ModePerm)
-		if err != nil {
-			log.Fatalf("Error: %s", err)
-			os.Exit(1)
-		}
-	}
-
-	err = gitPush()
-	if err != nil {
-		log.Fatalf("git push error: %s", err)
-		os.Exit(1)
-	}
-
-	fmt.Println("Initialization finished")
-	return nil
-}
-
-func gitPush() error {
-	cmdPush := fmt.Sprintf("git add . && git commit -m \"sync %s\" && git push", codeVersion)
-	cmd := exec.Command("sh", "-c", cmdPush)
-	output, err := cmd.Output()
-	if err != nil {
-		return err
-	}
-	fmt.Println(string(output))
-	return nil
-}
-
-func replaceImports(projectPath string, pkgFrom string, pkgTo string) error {
-	regexImport, err := regexp.Compile(`(?s)(import(.*?)\)|import.*$)`)
-	if err != nil {
-		return err
-	}
-
-	regexImportedPackage, err := regexp.Compile(`"(.*?)"`)
-	if err != nil {
-		return err
-	}
-
-	found := []string{}
-
-	err = filepath.Walk(projectPath, func(path string, info os.FileInfo, err error) error {
-		if filepath.Ext(path) == ".go" {
-			bts, err := ioutil.ReadFile(path)
-			if err != nil {
-				return err
-			}
-
-			content := string(bts)
-			matches := regexImport.FindAllString(content, -1)
-			isExists := false
-
-		isReplaceable:
-			for _, each := range matches {
-				for _, eachLine := range strings.Split(each, "\n") {
-					matchesInline := regexImportedPackage.FindAllString(eachLine, -1)
-					if err != nil {
-						return err
-					}
-
-					for _, eachSubline := range matchesInline {
-						if strings.Contains(eachSubline, pkgFrom) {
-							isExists = true
-							break isReplaceable
-						}
-					}
-				}
-			}
-
-			if isExists {
-				content = strings.Replace(content, `"`+pkgFrom+`"`, `"`+pkgTo+`"`, -1)
-				content = strings.Replace(content, `"`+pkgFrom+`/`, `"`+pkgTo+`/`, -1)
-				found = append(found, path)
-			}
-
-			err = ioutil.WriteFile(path, []byte(content), info.Mode())
-			if err != nil {
-				return err
-			}
-		}
-
-		return nil
-	})
-
-	if err != nil {
-		fmt.Println("ERROR", err.Error())
-	}
-
-	if len(found) == 0 {
-		fmt.Println("Nothing replaced")
-	} else {
-		fmt.Printf("Go imports total %d file replaced\n", len(found))
-	}
-
-	return nil
-}
-
-func copyDir(src string, dst string) error {
-	si, err := os.Stat(src)
-	if err != nil {
-		return err
-	}
-	if !si.IsDir() {
-		return fmt.Errorf("source is not a directory")
-	}
-
-	err = os.MkdirAll(dst, si.Mode())
-	if err != nil {
-		return err
-	}
-
-	entries, err := ioutil.ReadDir(src)
-	if err != nil {
-		return err
-	}
-
-	for _, entry := range entries {
-		srcPath := filepath.Join(src, entry.Name())
-		dstPath := filepath.Join(dst, entry.Name())
-
-		if entry.IsDir() {
-			err = copyDir(srcPath, dstPath)
-			if err != nil {
-				return err
-			}
-		} else {
-			// Skip symlinks.
-			if entry.Mode()&os.ModeSymlink != 0 {
-				continue
-			}
-
-			err = copyFile(srcPath, dstPath)
-			if err != nil {
-				return err
-			}
-		}
-	}
-	return nil
-}
-
-func copyFile(src, dst string) (err error) {
-	in, err := os.Open(src)
-	if err != nil {
-		return
-	}
-	defer in.Close()
-
-	out, err := os.Create(dst)
-	if err != nil {
-		return
-	}
-	defer func() {
-		if e := out.Close(); e != nil {
-			err = e
-		}
-	}()
-
-	_, err = io.Copy(out, in)
-	if err != nil {
-		return
-	}
-
-	err = out.Sync()
-	if err != nil {
-		return
-	}
-
-	si, err := os.Stat(src)
-	if err != nil {
-		return
-	}
-	err = os.Chmod(dst, si.Mode())
-	if err != nil {
-		return
-	}
-
-	return
-}

cmd/podinfo/main.go

@@ -23,30 +23,37 @@ import (
 func main() {
 	// flags definition
 	fs := pflag.NewFlagSet("default", pflag.ContinueOnError)
-	fs.Int("port", 9898, "HTTP port")
+	fs.String("host", "", "Host to bind service to")
+	fs.Int("port", 9898, "HTTP port to bind service to")
+	fs.Int("secure-port", 0, "HTTPS port")
 	fs.Int("port-metrics", 0, "metrics port")
 	fs.Int("grpc-port", 0, "gRPC port")
 	fs.String("grpc-service-name", "podinfo", "gPRC service name")
-	fs.String("level", "info", "log level debug, info, warn, error, flat or panic")
+	fs.String("level", "info", "log level debug, info, warn, error, fatal or panic")
 	fs.StringSlice("backend-url", []string{}, "backend service URL")
 	fs.Duration("http-client-timeout", 2*time.Minute, "client timeout duration")
 	fs.Duration("http-server-timeout", 30*time.Second, "server read and write timeout duration")
 	fs.Duration("http-server-shutdown-timeout", 5*time.Second, "server graceful shutdown timeout duration")
 	fs.String("data-path", "/data", "data local path")
 	fs.String("config-path", "", "config dir path")
+	fs.String("cert-path", "/data/cert", "certificate path for HTTPS port")
 	fs.String("config", "config.yaml", "config file name")
 	fs.String("ui-path", "./ui", "UI local path")
 	fs.String("ui-logo", "", "UI logo")
 	fs.String("ui-color", "#34577c", "UI color")
 	fs.String("ui-message", fmt.Sprintf("greetings from podinfo v%v", version.VERSION), "UI message")
 	fs.Bool("h2c", false, "allow upgrading to H2C")
-	fs.Bool("random-delay", false, "between 0 and 5 seconds random delay")
+	fs.Bool("random-delay", false, "between 0 and 5 seconds random delay by default")
+	fs.String("random-delay-unit", "s", "either s(seconds) or ms(milliseconds")
+	fs.Int("random-delay-min", 0, "min for random delay: 0 by default")
+	fs.Int("random-delay-max", 5, "max for random delay: 5 by default")
 	fs.Bool("random-error", false, "1/3 chances of a random response error")
 	fs.Bool("unhealthy", false, "when set, healthy state is never reached")
 	fs.Bool("unready", false, "when set, ready state is never reached")
 	fs.Int("stress-cpu", 0, "number of CPU cores with 100 load")
 	fs.Int("stress-memory", 0, "MB of data to load into memory")
-	fs.String("cache-server", "", "Redis address in the format <host>:<port>")
+	fs.String("cache-server", "", "Redis address in the format 'tcp://<host>:<port>'")
+	fs.String("otel-service-name", "", "service name for reporting to open telemetry address, when not set tracing is disabled")
 
 	versionFlag := fs.BoolP("version", "v", false, "get version number")
 
@@ -78,11 +85,11 @@ func main() {
 	viper.AutomaticEnv()
 
 	// load config from file
-	if _, err := os.Stat(filepath.Join(viper.GetString("config-path"), viper.GetString("config"))); err == nil {
+	if _, fileErr := os.Stat(filepath.Join(viper.GetString("config-path"), viper.GetString("config"))); fileErr == nil {
 		viper.SetConfigName(strings.Split(viper.GetString("config"), ".")[0])
 		viper.AddConfigPath(viper.GetString("config-path"))
-		if err := viper.ReadInConfig(); err != nil {
-			fmt.Printf("Error reading config file, %v\n", err)
+		if readErr := viper.ReadInConfig(); readErr != nil {
+			fmt.Printf("Error reading config file, %v\n", readErr)
 		}
 	}
 
@@ -101,6 +108,26 @@ func main() {
 		viper.Set("port", strconv.Itoa(port))
 	}
 
+	// validate secure port
+	if _, err := strconv.Atoi(viper.GetString("secure-port")); err != nil {
+		securePort, _ := fs.GetInt("secure-port")
+		viper.Set("secure-port", strconv.Itoa(securePort))
+	}
+
+	// validate random delay options
+	if viper.GetInt("random-delay-max") < viper.GetInt("random-delay-min") {
+		logger.Panic("`--random-delay-max` should be greater than `--random-delay-min`")
+	}
+
+	switch delayUnit := viper.GetString("random-delay-unit"); delayUnit {
+	case
+		"s",
+		"ms":
+		break
+	default:
+		logger.Panic("`random-delay-unit` accepted values are: s|ms")
+	}
+
 	// load gRPC server config
 	var grpcCfg grpc.Config
 	if err := viper.Unmarshal(&grpcCfg); err != nil {

cue/README.md

@@ -0,0 +1,15 @@
+# CUE Demo
+
+This directory contains a [cuelang module](https://cuelang.org/docs/) and tooling to generate podinfo resources.
+
+It defines a `podinfo.#Application` definition which takes a `podinfo.#Config` as input. The `podinfo.#Config` definition is modelled on the `podinfo` Helm chart `values.yaml` file.
+
+## Configuration
+
+Configure the application in `main.cue`.
+
+## Generate the manifests
+
+```shell
+cue gen
+```

cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/acme/v1/const_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/acme/v1
+
+package v1
+
+#ACMEFinalizer: "finalizer.acme.cert-manager.io"

cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/acme/v1/doc_go_gen.cue

@@ -0,0 +1,8 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/acme/v1
+
+// Package v1 is the v1 version of the API.
+// +k8s:deepcopy-gen=package,register
+// +groupName=acme.cert-manager.io
+package v1

cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/acme/v1/types_challenge_go_gen.cue

@@ -0,0 +1,128 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/acme/v1
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
+)
+
+// Challenge is a type to represent a Challenge request with an ACME server
+// +k8s:openapi-gen=true
+// +kubebuilder:printcolumn:name="State",type="string",JSONPath=".status.state"
+// +kubebuilder:printcolumn:name="Domain",type="string",JSONPath=".spec.dnsName"
+// +kubebuilder:printcolumn:name="Reason",type="string",JSONPath=".status.reason",description="",priority=1
+// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description="CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC."
+// +kubebuilder:subresource:status
+// +kubebuilder:resource:path=challenges
+#Challenge: {
+	metav1.#TypeMeta
+	metadata: metav1.#ObjectMeta @go(ObjectMeta)
+	spec:     #ChallengeSpec     @go(Spec)
+
+	// +optional
+	status: #ChallengeStatus @go(Status)
+}
+
+// ChallengeList is a list of Challenges
+#ChallengeList: {
+	metav1.#TypeMeta
+	metadata: metav1.#ListMeta @go(ListMeta)
+	items: [...#Challenge] @go(Items,[]Challenge)
+}
+
+#ChallengeSpec: {
+	// The URL of the ACME Challenge resource for this challenge.
+	// This can be used to lookup details about the status of this challenge.
+	url: string @go(URL)
+
+	// The URL to the ACME Authorization resource that this
+	// challenge is a part of.
+	authorizationURL: string @go(AuthorizationURL)
+
+	// dnsName is the identifier that this challenge is for, e.g. example.com.
+	// If the requested DNSName is a 'wildcard', this field MUST be set to the
+	// non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`.
+	dnsName: string @go(DNSName)
+
+	// wildcard will be true if this challenge is for a wildcard identifier,
+	// for example '*.example.com'.
+	// +optional
+	wildcard: bool @go(Wildcard)
+
+	// The type of ACME challenge this resource represents.
+	// One of "HTTP-01" or "DNS-01".
+	type: #ACMEChallengeType @go(Type)
+
+	// The ACME challenge token for this challenge.
+	// This is the raw value returned from the ACME server.
+	token: string @go(Token)
+
+	// The ACME challenge key for this challenge
+	// For HTTP01 challenges, this is the value that must be responded with to
+	// complete the HTTP01 challenge in the format:
+	// `<private key JWK thumbprint>.<key from acme server for challenge>`.
+	// For DNS01 challenges, this is the base64 encoded SHA256 sum of the
+	// `<private key JWK thumbprint>.<key from acme server for challenge>`
+	// text that must be set as the TXT record content.
+	key: string @go(Key)
+
+	// Contains the domain solving configuration that should be used to
+	// solve this challenge resource.
+	solver: #ACMEChallengeSolver @go(Solver)
+
+	// References a properly configured ACME-type Issuer which should
+	// be used to create this Challenge.
+	// If the Issuer does not exist, processing will be retried.
+	// If the Issuer is not an 'ACME' Issuer, an error will be returned and the
+	// Challenge will be marked as failed.
+	issuerRef: cmmeta.#ObjectReference @go(IssuerRef)
+}
+
+// The type of ACME challenge. Only HTTP-01 and DNS-01 are supported.
+// +kubebuilder:validation:Enum=HTTP-01;DNS-01
+#ACMEChallengeType: string // #enumACMEChallengeType
+
+#enumACMEChallengeType:
+	#ACMEChallengeTypeHTTP01 |
+	#ACMEChallengeTypeDNS01
+
+// ACMEChallengeTypeHTTP01 denotes a Challenge is of type http-01
+// More info: https://letsencrypt.org/docs/challenge-types/#http-01-challenge
+#ACMEChallengeTypeHTTP01: #ACMEChallengeType & "HTTP-01"
+
+// ACMEChallengeTypeDNS01 denotes a Challenge is of type dns-01
+// More info: https://letsencrypt.org/docs/challenge-types/#dns-01-challenge
+#ACMEChallengeTypeDNS01: #ACMEChallengeType & "DNS-01"
+
+#ChallengeStatus: {
+	// Used to denote whether this challenge should be processed or not.
+	// This field will only be set to true by the 'scheduling' component.
+	// It will only be set to false by the 'challenges' controller, after the
+	// challenge has reached a final state or timed out.
+	// If this field is set to false, the challenge controller will not take
+	// any more action.
+	// +optional
+	processing: bool @go(Processing)
+
+	// presented will be set to true if the challenge values for this challenge
+	// are currently 'presented'.
+	// This *does not* imply the self check is passing. Only that the values
+	// have been 'submitted' for the appropriate challenge mechanism (i.e. the
+	// DNS01 TXT record has been presented, or the HTTP01 configuration has been
+	// configured).
+	// +optional
+	presented: bool @go(Presented)
+
+	// Contains human readable information on why the Challenge is in the
+	// current state.
+	// +optional
+	reason?: string @go(Reason)
+
+	// Contains the current 'state' of the challenge.
+	// If not set, the state of the challenge is unknown.
+	// +optional
+	state?: #State @go(State)
+}

cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/acme/v1/types_go_gen.cue

@@ -0,0 +1,41 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/acme/v1
+
+package v1
+
+// ACMECertificateHTTP01IngressNameOverride is annotation to override ingress name.
+// If this annotation is specified on a Certificate or Order resource when
+// using the HTTP01 solver type, the ingress.name field of the HTTP01
+// solver's configuration will be set to the value given here.
+// This is especially useful for users of Ingress controllers that maintain
+// a 1:1 mapping between endpoint IP and Ingress resource.
+#ACMECertificateHTTP01IngressNameOverride: "acme.cert-manager.io/http01-override-ingress-name"
+
+// ACMECertificateHTTP01IngressClassOverride is annotation to override ingress class.
+// If this annotation is specified on a Certificate or Order resource when
+// using the HTTP01 solver type, the ingress.class field of the HTTP01
+// solver's configuration will be set to the value given here.
+// This is especially useful for users deploying many different ingress
+// classes into a single cluster that want to be able to re-use a single
+// solver for each ingress class.
+#ACMECertificateHTTP01IngressClassOverride: "acme.cert-manager.io/http01-override-ingress-class"
+
+// IngressEditInPlaceAnnotationKey is used to toggle the use of ingressClass instead
+// of ingress on the created Certificate resource
+#IngressEditInPlaceAnnotationKey: "acme.cert-manager.io/http01-edit-in-place"
+
+// DomainLabelKey is added to the labels of a Pod serving an ACME challenge.
+// Its value will be the hash of the domain name that is being verified.
+#DomainLabelKey: "acme.cert-manager.io/http-domain"
+
+// TokenLabelKey is added to the labels of a Pod serving an ACME challenge.
+// Its value will be the hash of the challenge token that is being served by the pod.
+#TokenLabelKey: "acme.cert-manager.io/http-token"
+
+// SolverIdentificationLabelKey is added to the labels of a Pod serving an ACME challenge.
+// Its value will be the "true" if the Pod is an HTTP-01 solver.
+#SolverIdentificationLabelKey: "acme.cert-manager.io/http01-solver"
+
+#OrderKind:     "Order"
+#ChallengeKind: "Challenge"

cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/acme/v1/types_issuer_go_gen.cue

@@ -0,0 +1,591 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/acme/v1
+
+package v1
+
+import (
+	cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
+	corev1 "k8s.io/api/core/v1"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+)
+
+// ACMEIssuer contains the specification for an ACME issuer.
+// This uses the RFC8555 specification to obtain certificates by completing
+// 'challenges' to prove ownership of domain identifiers.
+// Earlier draft versions of the ACME specification are not supported.
+#ACMEIssuer: {
+	// Email is the email address to be associated with the ACME account.
+	// This field is optional, but it is strongly recommended to be set.
+	// It will be used to contact you in case of issues with your account or
+	// certificates, including expiry notification emails.
+	// This field may be updated after the account is initially registered.
+	// +optional
+	email?: string @go(Email)
+
+	// Server is the URL used to access the ACME server's 'directory' endpoint.
+	// For example, for Let's Encrypt's staging endpoint, you would use:
+	// "https://acme-staging-v02.api.letsencrypt.org/directory".
+	// Only ACME v2 endpoints (i.e. RFC 8555) are supported.
+	server: string @go(Server)
+
+	// PreferredChain is the chain to use if the ACME server outputs multiple.
+	// PreferredChain is no guarantee that this one gets delivered by the ACME
+	// endpoint.
+	// For example, for Let's Encrypt's DST crosssign you would use:
+	// "DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA.
+	// This value picks the first certificate bundle in the ACME alternative
+	// chains that has a certificate with this value as its issuer's CN
+	// +optional
+	// +kubebuilder:validation:MaxLength=64
+	preferredChain: string @go(PreferredChain)
+
+	// Enables or disables validation of the ACME server TLS certificate.
+	// If true, requests to the ACME server will not have their TLS certificate
+	// validated (i.e. insecure connections will be allowed).
+	// Only enable this option in development environments.
+	// The cert-manager system installed roots will be used to verify connections
+	// to the ACME server if this is false.
+	// Defaults to false.
+	// +optional
+	skipTLSVerify?: bool @go(SkipTLSVerify)
+
+	// ExternalAccountBinding is a reference to a CA external account of the ACME
+	// server.
+	// If set, upon registration cert-manager will attempt to associate the given
+	// external account credentials with the registered ACME account.
+	// +optional
+	externalAccountBinding?: null | #ACMEExternalAccountBinding @go(ExternalAccountBinding,*ACMEExternalAccountBinding)
+
+	// PrivateKey is the name of a Kubernetes Secret resource that will be used to
+	// store the automatically generated ACME account private key.
+	// Optionally, a `key` may be specified to select a specific entry within
+	// the named Secret resource.
+	// If `key` is not specified, a default of `tls.key` will be used.
+	privateKeySecretRef: cmmeta.#SecretKeySelector @go(PrivateKey)
+
+	// Solvers is a list of challenge solvers that will be used to solve
+	// ACME challenges for the matching domains.
+	// Solver configurations must be provided in order to obtain certificates
+	// from an ACME server.
+	// For more information, see: https://cert-manager.io/docs/configuration/acme/
+	// +optional
+	solvers?: [...#ACMEChallengeSolver] @go(Solvers,[]ACMEChallengeSolver)
+
+	// Enables or disables generating a new ACME account key.
+	// If true, the Issuer resource will *not* request a new account but will expect
+	// the account key to be supplied via an existing secret.
+	// If false, the cert-manager system will generate a new ACME account key
+	// for the Issuer.
+	// Defaults to false.
+	// +optional
+	disableAccountKeyGeneration?: bool @go(DisableAccountKeyGeneration)
+
+	// Enables requesting a Not After date on certificates that matches the
+	// duration of the certificate. This is not supported by all ACME servers
+	// like Let's Encrypt. If set to true when the ACME server does not support
+	// it it will create an error on the Order.
+	// Defaults to false.
+	// +optional
+	enableDurationFeature?: bool @go(EnableDurationFeature)
+}
+
+// ACMEExternalAccountBinding is a reference to a CA external account of the ACME
+// server.
+#ACMEExternalAccountBinding: {
+	// keyID is the ID of the CA key that the External Account is bound to.
+	keyID: string @go(KeyID)
+
+	// keySecretRef is a Secret Key Selector referencing a data item in a Kubernetes
+	// Secret which holds the symmetric MAC key of the External Account Binding.
+	// The `key` is the index string that is paired with the key data in the
+	// Secret and should not be confused with the key data itself, or indeed with
+	// the External Account Binding keyID above.
+	// The secret key stored in the Secret **must** be un-padded, base64 URL
+	// encoded data.
+	keySecretRef: cmmeta.#SecretKeySelector @go(Key)
+
+	// Deprecated: keyAlgorithm field exists for historical compatibility
+	// reasons and should not be used. The algorithm is now hardcoded to HS256
+	// in golang/x/crypto/acme.
+	// +optional
+	keyAlgorithm?: #HMACKeyAlgorithm @go(KeyAlgorithm)
+}
+
+// HMACKeyAlgorithm is the name of a key algorithm used for HMAC encryption
+// +kubebuilder:validation:Enum=HS256;HS384;HS512
+#HMACKeyAlgorithm: string // #enumHMACKeyAlgorithm
+
+#enumHMACKeyAlgorithm:
+	#HS256 |
+	#HS384 |
+	#HS512
+
+#HS256: #HMACKeyAlgorithm & "HS256"
+#HS384: #HMACKeyAlgorithm & "HS384"
+#HS512: #HMACKeyAlgorithm & "HS512"
+
+// An ACMEChallengeSolver describes how to solve ACME challenges for the issuer it is part of.
+// A selector may be provided to use different solving strategies for different DNS names.
+// Only one of HTTP01 or DNS01 must be provided.
+#ACMEChallengeSolver: {
+	// Selector selects a set of DNSNames on the Certificate resource that
+	// should be solved using this challenge solver.
+	// If not specified, the solver will be treated as the 'default' solver
+	// with the lowest priority, i.e. if any other solver has a more specific
+	// match, it will be used instead.
+	// +optional
+	selector?: null | #CertificateDNSNameSelector @go(Selector,*CertificateDNSNameSelector)
+
+	// Configures cert-manager to attempt to complete authorizations by
+	// performing the HTTP01 challenge flow.
+	// It is not possible to obtain certificates for wildcard domain names
+	// (e.g. `*.example.com`) using the HTTP01 challenge mechanism.
+	// +optional
+	http01?: null | #ACMEChallengeSolverHTTP01 @go(HTTP01,*ACMEChallengeSolverHTTP01)
+
+	// Configures cert-manager to attempt to complete authorizations by
+	// performing the DNS01 challenge flow.
+	// +optional
+	dns01?: null | #ACMEChallengeSolverDNS01 @go(DNS01,*ACMEChallengeSolverDNS01)
+}
+
+// CertificateDNSNameSelector selects certificates using a label selector, and
+// can optionally select individual DNS names within those certificates.
+// If both MatchLabels and DNSNames are empty, this selector will match all
+// certificates and DNS names within them.
+#CertificateDNSNameSelector: {
+	// A label selector that is used to refine the set of certificate's that
+	// this challenge solver will apply to.
+	// +optional
+	matchLabels?: {[string]: string} @go(MatchLabels,map[string]string)
+
+	// List of DNSNames that this solver will be used to solve.
+	// If specified and a match is found, a dnsNames selector will take
+	// precedence over a dnsZones selector.
+	// If multiple solvers match with the same dnsNames value, the solver
+	// with the most matching labels in matchLabels will be selected.
+	// If neither has more matches, the solver defined earlier in the list
+	// will be selected.
+	// +optional
+	dnsNames?: [...string] @go(DNSNames,[]string)
+
+	// List of DNSZones that this solver will be used to solve.
+	// The most specific DNS zone match specified here will take precedence
+	// over other DNS zone matches, so a solver specifying sys.example.com
+	// will be selected over one specifying example.com for the domain
+	// www.sys.example.com.
+	// If multiple solvers match with the same dnsZones value, the solver
+	// with the most matching labels in matchLabels will be selected.
+	// If neither has more matches, the solver defined earlier in the list
+	// will be selected.
+	// +optional
+	dnsZones?: [...string] @go(DNSZones,[]string)
+}
+
+// ACMEChallengeSolverHTTP01 contains configuration detailing how to solve
+// HTTP01 challenges within a Kubernetes cluster.
+// Typically this is accomplished through creating 'routes' of some description
+// that configure ingress controllers to direct traffic to 'solver pods', which
+// are responsible for responding to the ACME server's HTTP requests.
+// Only one of Ingress / Gateway can be specified.
+#ACMEChallengeSolverHTTP01: {
+	// The ingress based HTTP01 challenge solver will solve challenges by
+	// creating or modifying Ingress resources in order to route requests for
+	// '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are
+	// provisioned by cert-manager for each Challenge to be completed.
+	// +optional
+	ingress?: null | #ACMEChallengeSolverHTTP01Ingress @go(Ingress,*ACMEChallengeSolverHTTP01Ingress)
+
+	// The Gateway API is a sig-network community API that models service networking
+	// in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will
+	// create HTTPRoutes with the specified labels in the same namespace as the challenge.
+	// This solver is experimental, and fields / behaviour may change in the future.
+	// +optional
+	gatewayHTTPRoute?: null | #ACMEChallengeSolverHTTP01GatewayHTTPRoute @go(GatewayHTTPRoute,*ACMEChallengeSolverHTTP01GatewayHTTPRoute)
+}
+
+#ACMEChallengeSolverHTTP01Ingress: {
+	// Optional service type for Kubernetes solver service. Supported values
+	// are NodePort or ClusterIP. If unset, defaults to NodePort.
+	// +optional
+	serviceType?: corev1.#ServiceType @go(ServiceType)
+
+	// The ingress class to use when creating Ingress resources to solve ACME
+	// challenges that use this challenge solver.
+	// Only one of 'class' or 'name' may be specified.
+	// +optional
+	class?: null | string @go(Class,*string)
+
+	// The name of the ingress resource that should have ACME challenge solving
+	// routes inserted into it in order to solve HTTP01 challenges.
+	// This is typically used in conjunction with ingress controllers like
+	// ingress-gce, which maintains a 1:1 mapping between external IPs and
+	// ingress resources.
+	// +optional
+	name?: string @go(Name)
+
+	// Optional pod template used to configure the ACME challenge solver pods
+	// used for HTTP01 challenges.
+	// +optional
+	podTemplate?: null | #ACMEChallengeSolverHTTP01IngressPodTemplate @go(PodTemplate,*ACMEChallengeSolverHTTP01IngressPodTemplate)
+
+	// Optional ingress template used to configure the ACME challenge solver
+	// ingress used for HTTP01 challenges.
+	// +optional
+	ingressTemplate?: null | #ACMEChallengeSolverHTTP01IngressTemplate @go(IngressTemplate,*ACMEChallengeSolverHTTP01IngressTemplate)
+}
+
+// The ACMEChallengeSolverHTTP01GatewayHTTPRoute solver will create HTTPRoute objects for a Gateway class
+// routing to an ACME challenge solver pod.
+#ACMEChallengeSolverHTTP01GatewayHTTPRoute: {
+	// Optional service type for Kubernetes solver service. Supported values
+	// are NodePort or ClusterIP. If unset, defaults to NodePort.
+	// +optional
+	serviceType?: corev1.#ServiceType @go(ServiceType)
+
+	// The labels that cert-manager will use when creating the temporary
+	// HTTPRoute needed for solving the HTTP-01 challenge. These labels
+	// must match the label selector of at least one Gateway.
+	labels?: {[string]: string} @go(Labels,map[string]string)
+}
+
+#ACMEChallengeSolverHTTP01IngressPodTemplate: {
+	// ObjectMeta overrides for the pod used to solve HTTP01 challenges.
+	// Only the 'labels' and 'annotations' fields may be set.
+	// If labels or annotations overlap with in-built values, the values here
+	// will override the in-built values.
+	// +optional
+	metadata: #ACMEChallengeSolverHTTP01IngressPodObjectMeta @go(ACMEChallengeSolverHTTP01IngressPodObjectMeta)
+
+	// PodSpec defines overrides for the HTTP01 challenge solver pod.
+	// Only the 'priorityClassName', 'nodeSelector', 'affinity',
+	// 'serviceAccountName' and 'tolerations' fields are supported currently.
+	// All other fields will be ignored.
+	// +optional
+	spec: #ACMEChallengeSolverHTTP01IngressPodSpec @go(Spec)
+}
+
+#ACMEChallengeSolverHTTP01IngressPodObjectMeta: {
+	// Annotations that should be added to the create ACME HTTP01 solver pods.
+	// +optional
+	annotations?: {[string]: string} @go(Annotations,map[string]string)
+
+	// Labels that should be added to the created ACME HTTP01 solver pods.
+	// +optional
+	labels?: {[string]: string} @go(Labels,map[string]string)
+}
+
+#ACMEChallengeSolverHTTP01IngressPodSpec: {
+	// NodeSelector is a selector which must be true for the pod to fit on a node.
+	// Selector which must match a node's labels for the pod to be scheduled on that node.
+	// More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+	// +optional
+	nodeSelector?: {[string]: string} @go(NodeSelector,map[string]string)
+
+	// If specified, the pod's scheduling constraints
+	// +optional
+	affinity?: null | corev1.#Affinity @go(Affinity,*corev1.Affinity)
+
+	// If specified, the pod's tolerations.
+	// +optional
+	tolerations?: [...corev1.#Toleration] @go(Tolerations,[]corev1.Toleration)
+
+	// If specified, the pod's priorityClassName.
+	// +optional
+	priorityClassName?: string @go(PriorityClassName)
+
+	// If specified, the pod's service account
+	// +optional
+	serviceAccountName?: string @go(ServiceAccountName)
+}
+
+#ACMEChallengeSolverHTTP01IngressTemplate: {
+	// ObjectMeta overrides for the ingress used to solve HTTP01 challenges.
+	// Only the 'labels' and 'annotations' fields may be set.
+	// If labels or annotations overlap with in-built values, the values here
+	// will override the in-built values.
+	// +optional
+	metadata: #ACMEChallengeSolverHTTP01IngressObjectMeta @go(ACMEChallengeSolverHTTP01IngressObjectMeta)
+}
+
+#ACMEChallengeSolverHTTP01IngressObjectMeta: {
+	// Annotations that should be added to the created ACME HTTP01 solver ingress.
+	// +optional
+	annotations?: {[string]: string} @go(Annotations,map[string]string)
+
+	// Labels that should be added to the created ACME HTTP01 solver ingress.
+	// +optional
+	labels?: {[string]: string} @go(Labels,map[string]string)
+}
+
+// Used to configure a DNS01 challenge provider to be used when solving DNS01
+// challenges.
+// Only one DNS provider may be configured per solver.
+#ACMEChallengeSolverDNS01: {
+	// CNAMEStrategy configures how the DNS01 provider should handle CNAME
+	// records when found in DNS zones.
+	// +optional
+	cnameStrategy?: #CNAMEStrategy @go(CNAMEStrategy)
+
+	// Use the Akamai DNS zone management API to manage DNS01 challenge records.
+	// +optional
+	akamai?: null | #ACMEIssuerDNS01ProviderAkamai @go(Akamai,*ACMEIssuerDNS01ProviderAkamai)
+
+	// Use the Google Cloud DNS API to manage DNS01 challenge records.
+	// +optional
+	cloudDNS?: null | #ACMEIssuerDNS01ProviderCloudDNS @go(CloudDNS,*ACMEIssuerDNS01ProviderCloudDNS)
+
+	// Use the Cloudflare API to manage DNS01 challenge records.
+	// +optional
+	cloudflare?: null | #ACMEIssuerDNS01ProviderCloudflare @go(Cloudflare,*ACMEIssuerDNS01ProviderCloudflare)
+
+	// Use the AWS Route53 API to manage DNS01 challenge records.
+	// +optional
+	route53?: null | #ACMEIssuerDNS01ProviderRoute53 @go(Route53,*ACMEIssuerDNS01ProviderRoute53)
+
+	// Use the Microsoft Azure DNS API to manage DNS01 challenge records.
+	// +optional
+	azureDNS?: null | #ACMEIssuerDNS01ProviderAzureDNS @go(AzureDNS,*ACMEIssuerDNS01ProviderAzureDNS)
+
+	// Use the DigitalOcean DNS API to manage DNS01 challenge records.
+	// +optional
+	digitalocean?: null | #ACMEIssuerDNS01ProviderDigitalOcean @go(DigitalOcean,*ACMEIssuerDNS01ProviderDigitalOcean)
+
+	// Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage
+	// DNS01 challenge records.
+	// +optional
+	acmeDNS?: null | #ACMEIssuerDNS01ProviderAcmeDNS @go(AcmeDNS,*ACMEIssuerDNS01ProviderAcmeDNS)
+
+	// Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/)
+	// to manage DNS01 challenge records.
+	// +optional
+	rfc2136?: null | #ACMEIssuerDNS01ProviderRFC2136 @go(RFC2136,*ACMEIssuerDNS01ProviderRFC2136)
+
+	// Configure an external webhook based DNS01 challenge solver to manage
+	// DNS01 challenge records.
+	// +optional
+	webhook?: null | #ACMEIssuerDNS01ProviderWebhook @go(Webhook,*ACMEIssuerDNS01ProviderWebhook)
+}
+
+// CNAMEStrategy configures how the DNS01 provider should handle CNAME records
+// when found in DNS zones.
+// By default, the None strategy will be applied (i.e. do not follow CNAMEs).
+// +kubebuilder:validation:Enum=None;Follow
+#CNAMEStrategy: string
+
+// NoneStrategy indicates that no CNAME resolution strategy should be used
+// when determining which DNS zone to update during DNS01 challenges.
+#NoneStrategy: "None"
+
+// FollowStrategy will cause cert-manager to recurse through CNAMEs in
+// order to determine which DNS zone to update during DNS01 challenges.
+// This is useful if you do not want to grant cert-manager access to your
+// root DNS zone, and instead delegate the _acme-challenge.example.com
+// subdomain to some other, less privileged domain.
+#FollowStrategy: "Follow"
+
+// ACMEIssuerDNS01ProviderAkamai is a structure containing the DNS
+// configuration for Akamai DNS—Zone Record Management API
+#ACMEIssuerDNS01ProviderAkamai: {
+	serviceConsumerDomain: string                    @go(ServiceConsumerDomain)
+	clientTokenSecretRef:  cmmeta.#SecretKeySelector @go(ClientToken)
+	clientSecretSecretRef: cmmeta.#SecretKeySelector @go(ClientSecret)
+	accessTokenSecretRef:  cmmeta.#SecretKeySelector @go(AccessToken)
+}
+
+// ACMEIssuerDNS01ProviderCloudDNS is a structure containing the DNS
+// configuration for Google Cloud DNS
+#ACMEIssuerDNS01ProviderCloudDNS: {
+	// +optional
+	serviceAccountSecretRef?: null | cmmeta.#SecretKeySelector @go(ServiceAccount,*cmmeta.SecretKeySelector)
+	project:                  string                           @go(Project)
+
+	// HostedZoneName is an optional field that tells cert-manager in which
+	// Cloud DNS zone the challenge record has to be created.
+	// If left empty cert-manager will automatically choose a zone.
+	// +optional
+	hostedZoneName?: string @go(HostedZoneName)
+}
+
+// ACMEIssuerDNS01ProviderCloudflare is a structure containing the DNS
+// configuration for Cloudflare.
+// One of `apiKeySecretRef` or `apiTokenSecretRef` must be provided.
+#ACMEIssuerDNS01ProviderCloudflare: {
+	// Email of the account, only required when using API key based authentication.
+	// +optional
+	email?: string @go(Email)
+
+	// API key to use to authenticate with Cloudflare.
+	// Note: using an API token to authenticate is now the recommended method
+	// as it allows greater control of permissions.
+	// +optional
+	apiKeySecretRef?: null | cmmeta.#SecretKeySelector @go(APIKey,*cmmeta.SecretKeySelector)
+
+	// API token used to authenticate with Cloudflare.
+	// +optional
+	apiTokenSecretRef?: null | cmmeta.#SecretKeySelector @go(APIToken,*cmmeta.SecretKeySelector)
+}
+
+// ACMEIssuerDNS01ProviderDigitalOcean is a structure containing the DNS
+// configuration for DigitalOcean Domains
+#ACMEIssuerDNS01ProviderDigitalOcean: {
+	tokenSecretRef: cmmeta.#SecretKeySelector @go(Token)
+}
+
+// ACMEIssuerDNS01ProviderRoute53 is a structure containing the Route 53
+// configuration for AWS
+#ACMEIssuerDNS01ProviderRoute53: {
+	// The AccessKeyID is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata
+	// see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+	// +optional
+	accessKeyID?: string @go(AccessKeyID)
+
+	// The SecretAccessKey is used for authentication. If not set we fall-back to using env vars, shared credentials file or AWS Instance metadata
+	// https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+	// +optional
+	secretAccessKeySecretRef: cmmeta.#SecretKeySelector @go(SecretAccessKey)
+
+	// Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey
+	// or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata
+	// +optional
+	role?: string @go(Role)
+
+	// If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.
+	// +optional
+	hostedZoneID?: string @go(HostedZoneID)
+
+	// Always set the region when using AccessKeyID and SecretAccessKey
+	region: string @go(Region)
+}
+
+// ACMEIssuerDNS01ProviderAzureDNS is a structure containing the
+// configuration for Azure DNS
+#ACMEIssuerDNS01ProviderAzureDNS: {
+	// if both this and ClientSecret are left unset MSI will be used
+	// +optional
+	clientID?: string @go(ClientID)
+
+	// if both this and ClientID are left unset MSI will be used
+	// +optional
+	clientSecretSecretRef?: null | cmmeta.#SecretKeySelector @go(ClientSecret,*cmmeta.SecretKeySelector)
+
+	// ID of the Azure subscription
+	subscriptionID: string @go(SubscriptionID)
+
+	// when specifying ClientID and ClientSecret then this field is also needed
+	// +optional
+	tenantID?: string @go(TenantID)
+
+	// resource group the DNS zone is located in
+	resourceGroupName: string @go(ResourceGroupName)
+
+	// name of the DNS zone that should be used
+	// +optional
+	hostedZoneName?: string @go(HostedZoneName)
+
+	// name of the Azure environment (default AzurePublicCloud)
+	// +optional
+	environment?: #AzureDNSEnvironment @go(Environment)
+
+	// managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID
+	// +optional
+	managedIdentity?: null | #AzureManagedIdentity @go(ManagedIdentity,*AzureManagedIdentity)
+}
+
+#AzureManagedIdentity: {
+	// client ID of the managed identity, can not be used at the same time as resourceID
+	// +optional
+	clientID?: string @go(ClientID)
+
+	// resource ID of the managed identity, can not be used at the same time as clientID
+	// +optional
+	resourceID?: string @go(ResourceID)
+}
+
+// +kubebuilder:validation:Enum=AzurePublicCloud;AzureChinaCloud;AzureGermanCloud;AzureUSGovernmentCloud
+#AzureDNSEnvironment: string // #enumAzureDNSEnvironment
+
+#enumAzureDNSEnvironment:
+	#AzurePublicCloud |
+	#AzureChinaCloud |
+	#AzureGermanCloud |
+	#AzureUSGovernmentCloud
+
+#AzurePublicCloud:       #AzureDNSEnvironment & "AzurePublicCloud"
+#AzureChinaCloud:        #AzureDNSEnvironment & "AzureChinaCloud"
+#AzureGermanCloud:       #AzureDNSEnvironment & "AzureGermanCloud"
+#AzureUSGovernmentCloud: #AzureDNSEnvironment & "AzureUSGovernmentCloud"
+
+// ACMEIssuerDNS01ProviderAcmeDNS is a structure containing the
+// configuration for ACME-DNS servers
+#ACMEIssuerDNS01ProviderAcmeDNS: {
+	host:             string                    @go(Host)
+	accountSecretRef: cmmeta.#SecretKeySelector @go(AccountSecret)
+}
+
+// ACMEIssuerDNS01ProviderRFC2136 is a structure containing the
+// configuration for RFC2136 DNS
+#ACMEIssuerDNS01ProviderRFC2136: {
+	// The IP address or hostname of an authoritative DNS server supporting
+	// RFC2136 in the form host:port. If the host is an IPv6 address it must be
+	// enclosed in square brackets (e.g [2001:db8::1]) ; port is optional.
+	// This field is required.
+	nameserver: string @go(Nameserver)
+
+	// The name of the secret containing the TSIG value.
+	// If ``tsigKeyName`` is defined, this field is required.
+	// +optional
+	tsigSecretSecretRef?: cmmeta.#SecretKeySelector @go(TSIGSecret)
+
+	// The TSIG Key name configured in the DNS.
+	// If ``tsigSecretSecretRef`` is defined, this field is required.
+	// +optional
+	tsigKeyName?: string @go(TSIGKeyName)
+
+	// The TSIG Algorithm configured in the DNS supporting RFC2136. Used only
+	// when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined.
+	// Supported values are (case-insensitive): ``HMACMD5`` (default),
+	// ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.
+	// +optional
+	tsigAlgorithm?: string @go(TSIGAlgorithm)
+}
+
+// ACMEIssuerDNS01ProviderWebhook specifies configuration for a webhook DNS01
+// provider, including where to POST ChallengePayload resources.
+#ACMEIssuerDNS01ProviderWebhook: {
+	// The API group name that should be used when POSTing ChallengePayload
+	// resources to the webhook apiserver.
+	// This should be the same as the GroupName specified in the webhook
+	// provider implementation.
+	groupName: string @go(GroupName)
+
+	// The name of the solver to use, as defined in the webhook provider
+	// implementation.
+	// This will typically be the name of the provider, e.g. 'cloudflare'.
+	solverName: string @go(SolverName)
+
+	// Additional configuration that should be passed to the webhook apiserver
+	// when challenges are processed.
+	// This can contain arbitrary JSON data.
+	// Secret values should not be specified in this stanza.
+	// If secret values are needed (e.g. credentials for a DNS service), you
+	// should use a SecretKeySelector to reference a Secret resource.
+	// For details on the schema of this field, consult the webhook provider
+	// implementation's documentation.
+	// +optional
+	config?: null | apiextensionsv1.#JSON @go(Config,*apiextensionsv1.JSON)
+}
+
+#ACMEIssuerStatus: {
+	// URI is the unique account identifier, which can also be used to retrieve
+	// account details from the CA
+	// +optional
+	uri?: string @go(URI)
+
+	// LastRegisteredEmail is the email associated with the latest registered
+	// ACME account, in order to track changes made to registered account
+	// associated with the  Issuer
+	// +optional
+	lastRegisteredEmail?: string @go(LastRegisteredEmail)
+}

cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/acme/v1/types_order_go_gen.cue

@@ -0,0 +1,228 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/acme/v1
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
+)
+
+// Order is a type to represent an Order with an ACME server
+// +k8s:openapi-gen=true
+#Order: {
+	metav1.#TypeMeta
+	metadata: metav1.#ObjectMeta @go(ObjectMeta)
+	spec:     #OrderSpec         @go(Spec)
+
+	// +optional
+	status: #OrderStatus @go(Status)
+}
+
+// OrderList is a list of Orders
+#OrderList: {
+	metav1.#TypeMeta
+	metadata: metav1.#ListMeta @go(ListMeta)
+	items: [...#Order] @go(Items,[]Order)
+}
+
+#OrderSpec: {
+	// Certificate signing request bytes in DER encoding.
+	// This will be used when finalizing the order.
+	// This field must be set on the order.
+	request: bytes @go(Request,[]byte)
+
+	// IssuerRef references a properly configured ACME-type Issuer which should
+	// be used to create this Order.
+	// If the Issuer does not exist, processing will be retried.
+	// If the Issuer is not an 'ACME' Issuer, an error will be returned and the
+	// Order will be marked as failed.
+	issuerRef: cmmeta.#ObjectReference @go(IssuerRef)
+
+	// CommonName is the common name as specified on the DER encoded CSR.
+	// If specified, this value must also be present in `dnsNames` or `ipAddresses`.
+	// This field must match the corresponding field on the DER encoded CSR.
+	// +optional
+	commonName?: string @go(CommonName)
+
+	// DNSNames is a list of DNS names that should be included as part of the Order
+	// validation process.
+	// This field must match the corresponding field on the DER encoded CSR.
+	//+optional
+	dnsNames?: [...string] @go(DNSNames,[]string)
+
+	// IPAddresses is a list of IP addresses that should be included as part of the Order
+	// validation process.
+	// This field must match the corresponding field on the DER encoded CSR.
+	// +optional
+	ipAddresses?: [...string] @go(IPAddresses,[]string)
+
+	// Duration is the duration for the not after date for the requested certificate.
+	// this is set on order creation as pe the ACME spec.
+	// +optional
+	duration?: null | metav1.#Duration @go(Duration,*metav1.Duration)
+}
+
+#OrderStatus: {
+	// URL of the Order.
+	// This will initially be empty when the resource is first created.
+	// The Order controller will populate this field when the Order is first processed.
+	// This field will be immutable after it is initially set.
+	// +optional
+	url?: string @go(URL)
+
+	// FinalizeURL of the Order.
+	// This is used to obtain certificates for this order once it has been completed.
+	// +optional
+	finalizeURL?: string @go(FinalizeURL)
+
+	// Authorizations contains data returned from the ACME server on what
+	// authorizations must be completed in order to validate the DNS names
+	// specified on the Order.
+	// +optional
+	authorizations?: [...#ACMEAuthorization] @go(Authorizations,[]ACMEAuthorization)
+
+	// Certificate is a copy of the PEM encoded certificate for this Order.
+	// This field will be populated after the order has been successfully
+	// finalized with the ACME server, and the order has transitioned to the
+	// 'valid' state.
+	// +optional
+	certificate?: bytes @go(Certificate,[]byte)
+
+	// State contains the current state of this Order resource.
+	// States 'success' and 'expired' are 'final'
+	// +optional
+	state?: #State @go(State)
+
+	// Reason optionally provides more information about a why the order is in
+	// the current state.
+	// +optional
+	reason?: string @go(Reason)
+
+	// FailureTime stores the time that this order failed.
+	// This is used to influence garbage collection and back-off.
+	// +optional
+	failureTime?: null | metav1.#Time @go(FailureTime,*metav1.Time)
+}
+
+// ACMEAuthorization contains data returned from the ACME server on an
+// authorization that must be completed in order validate a DNS name on an ACME
+// Order resource.
+#ACMEAuthorization: {
+	// URL is the URL of the Authorization that must be completed
+	url: string @go(URL)
+
+	// Identifier is the DNS name to be validated as part of this authorization
+	// +optional
+	identifier?: string @go(Identifier)
+
+	// Wildcard will be true if this authorization is for a wildcard DNS name.
+	// If this is true, the identifier will be the *non-wildcard* version of
+	// the DNS name.
+	// For example, if '*.example.com' is the DNS name being validated, this
+	// field will be 'true' and the 'identifier' field will be 'example.com'.
+	// +optional
+	wildcard?: null | bool @go(Wildcard,*bool)
+
+	// InitialState is the initial state of the ACME authorization when first
+	// fetched from the ACME server.
+	// If an Authorization is already 'valid', the Order controller will not
+	// create a Challenge resource for the authorization. This will occur when
+	// working with an ACME server that enables 'authz reuse' (such as Let's
+	// Encrypt's production endpoint).
+	// If not set and 'identifier' is set, the state is assumed to be pending
+	// and a Challenge will be created.
+	// +optional
+	initialState?: #State @go(InitialState)
+
+	// Challenges specifies the challenge types offered by the ACME server.
+	// One of these challenge types will be selected when validating the DNS
+	// name and an appropriate Challenge resource will be created to perform
+	// the ACME challenge process.
+	// +optional
+	challenges?: [...#ACMEChallenge] @go(Challenges,[]ACMEChallenge)
+}
+
+// Challenge specifies a challenge offered by the ACME server for an Order.
+// An appropriate Challenge resource can be created to perform the ACME
+// challenge process.
+#ACMEChallenge: {
+	// URL is the URL of this challenge. It can be used to retrieve additional
+	// metadata about the Challenge from the ACME server.
+	url: string @go(URL)
+
+	// Token is the token that must be presented for this challenge.
+	// This is used to compute the 'key' that must also be presented.
+	token: string @go(Token)
+
+	// Type is the type of challenge being offered, e.g. 'http-01', 'dns-01',
+	// 'tls-sni-01', etc.
+	// This is the raw value retrieved from the ACME server.
+	// Only 'http-01' and 'dns-01' are supported by cert-manager, other values
+	// will be ignored.
+	type: string @go(Type)
+}
+
+// State represents the state of an ACME resource, such as an Order.
+// The possible options here map to the corresponding values in the
+// ACME specification.
+// Full details of these values can be found here: https://tools.ietf.org/html/draft-ietf-acme-acme-15#section-7.1.6
+// Clients utilising this type must also gracefully handle unknown
+// values, as the contents of this enumeration may be added to over time.
+// +kubebuilder:validation:Enum=valid;ready;pending;processing;invalid;expired;errored
+#State: string // #enumState
+
+#enumState:
+	#Unknown |
+	#Valid |
+	#Ready |
+	#Pending |
+	#Processing |
+	#Invalid |
+	#Expired |
+	#Errored
+
+// Unknown is not a real state as part of the ACME spec.
+// It is used to represent an unrecognised value.
+#Unknown: #State & ""
+
+// Valid signifies that an ACME resource is in a valid state.
+// If an order is 'valid', it has been finalized with the ACME server and
+// the certificate can be retrieved from the ACME server using the
+// certificate URL stored in the Order's status subresource.
+// This is a final state.
+#Valid: #State & "valid"
+
+// Ready signifies that an ACME resource is in a ready state.
+// If an order is 'ready', all of its challenges have been completed
+// successfully and the order is ready to be finalized.
+// Once finalized, it will transition to the Valid state.
+// This is a transient state.
+#Ready: #State & "ready"
+
+// Pending signifies that an ACME resource is still pending and is not yet ready.
+// If an Order is marked 'Pending', the validations for that Order are still in progress.
+// This is a transient state.
+#Pending: #State & "pending"
+
+// Processing signifies that an ACME resource is being processed by the server.
+// If an Order is marked 'Processing', the validations for that Order are currently being processed.
+// This is a transient state.
+#Processing: #State & "processing"
+
+// Invalid signifies that an ACME resource is invalid for some reason.
+// If an Order is marked 'invalid', one of its validations be have invalid for some reason.
+// This is a final state.
+#Invalid: #State & "invalid"
+
+// Expired signifies that an ACME resource has expired.
+// If an Order is marked 'Expired', one of its validations may have expired or the Order itself.
+// This is a final state.
+#Expired: #State & "expired"
+
+// Errored signifies that the ACME resource has errored for some reason.
+// This is a catch-all state, and is used for marking internal cert-manager
+// errors such as validation failures.
+// This is a final state.
+#Errored: #State & "errored"

cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/certmanager/v1/const_go_gen.cue

@@ -0,0 +1,27 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/certmanager/v1
+
+package v1
+
+import "time"
+
+// minimum permitted certificate duration by cert-manager
+#MinimumCertificateDuration: time.#Duration & 3600000000000
+
+// default certificate duration if Issuer.spec.duration is not set
+#DefaultCertificateDuration: time.#Duration & 7776000000000000
+
+// minimum certificate duration before certificate expiration
+#MinimumRenewBefore: time.#Duration & 300000000000
+
+// Deprecated: the default is now 2/3 of Certificate's duration
+#DefaultRenewBefore: time.#Duration & 2592000000000000
+
+// Default index key for the Secret reference for Token authentication
+#DefaultVaultTokenAuthSecretKey: "token"
+
+// Default mount path location for Kubernetes ServiceAccount authentication
+// (/v1/auth/kubernetes). The endpoint will then be called at `/login`, so
+// left as the default, `/v1/auth/kubernetes/login` will be called.
+#DefaultVaultKubernetesAuthMountPath: "/v1/auth/kubernetes"

cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/certmanager/v1/doc_go_gen.cue

@@ -0,0 +1,9 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/certmanager/v1
+
+// Package v1 is the v1 version of the API.
+// +k8s:deepcopy-gen=package,register
+// +groupName=cert-manager.io
+// +groupGoName=Certmanager
+package v1

cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/certmanager/v1/generic_issuer_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/certmanager/v1
+
+package v1
+
+#GenericIssuer: _

cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/certmanager/v1/types_certificate_go_gen.cue

@@ -0,0 +1,496 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/certmanager/v1
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
+)
+
+// A Certificate resource should be created to ensure an up to date and signed
+// x509 certificate is stored in the Kubernetes Secret resource named in `spec.secretName`.
+//
+// The stored certificate will be renewed before it expires (as configured by `spec.renewBefore`).
+// +k8s:openapi-gen=true
+#Certificate: {
+	metav1.#TypeMeta
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta)
+
+	// Desired state of the Certificate resource.
+	spec: #CertificateSpec @go(Spec)
+
+	// Status of the Certificate. This is set and managed automatically.
+	// +optional
+	status: #CertificateStatus @go(Status)
+}
+
+// CertificateList is a list of Certificates
+#CertificateList: {
+	metav1.#TypeMeta
+	metadata: metav1.#ListMeta @go(ListMeta)
+	items: [...#Certificate] @go(Items,[]Certificate)
+}
+
+// +kubebuilder:validation:Enum=RSA;ECDSA;Ed25519
+#PrivateKeyAlgorithm: string // #enumPrivateKeyAlgorithm
+
+#enumPrivateKeyAlgorithm:
+	#RSAKeyAlgorithm |
+	#ECDSAKeyAlgorithm |
+	#Ed25519KeyAlgorithm
+
+// Denotes the RSA private key type.
+#RSAKeyAlgorithm: #PrivateKeyAlgorithm & "RSA"
+
+// Denotes the ECDSA private key type.
+#ECDSAKeyAlgorithm: #PrivateKeyAlgorithm & "ECDSA"
+
+// Denotes the Ed25519 private key type.
+#Ed25519KeyAlgorithm: #PrivateKeyAlgorithm & "Ed25519"
+
+// +kubebuilder:validation:Enum=PKCS1;PKCS8
+#PrivateKeyEncoding: string // #enumPrivateKeyEncoding
+
+#enumPrivateKeyEncoding:
+	#PKCS1 |
+	#PKCS8
+
+// PKCS1 key encoding will produce PEM files that include the type of
+// private key as part of the PEM header, e.g. `BEGIN RSA PRIVATE KEY`.
+// If the keyAlgorithm is set to 'ECDSA', this will produce private keys
+// that use the `BEGIN EC PRIVATE KEY` header.
+#PKCS1: #PrivateKeyEncoding & "PKCS1"
+
+// PKCS8 key encoding will produce PEM files with the `BEGIN PRIVATE KEY`
+// header. It encodes the keyAlgorithm of the private key as part of the
+// DER encoded PEM block.
+#PKCS8: #PrivateKeyEncoding & "PKCS8"
+
+// CertificateSpec defines the desired state of Certificate.
+// A valid Certificate requires at least one of a CommonName, DNSName, or
+// URISAN to be valid.
+#CertificateSpec: {
+	// Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
+	// +optional
+	subject?: null | #X509Subject @go(Subject,*X509Subject)
+
+	// CommonName is a common name to be used on the Certificate.
+	// The CommonName should have a length of 64 characters or fewer to avoid
+	// generating invalid CSRs.
+	// This value is ignored by TLS clients when any subject alt name is set.
+	// This is x509 behaviour: https://tools.ietf.org/html/rfc6125#section-6.4.4
+	// +optional
+	commonName?: string @go(CommonName)
+
+	// The requested 'duration' (i.e. lifetime) of the Certificate. This option
+	// may be ignored/overridden by some issuer types. If unset this defaults to
+	// 90 days. Certificate will be renewed either 2/3 through its duration or
+	// `renewBefore` period before its expiry, whichever is later. Minimum
+	// accepted duration is 1 hour. Value must be in units accepted by Go
+	// time.ParseDuration https://golang.org/pkg/time/#ParseDuration
+	// +optional
+	duration?: null | metav1.#Duration @go(Duration,*metav1.Duration)
+
+	// How long before the currently issued certificate's expiry
+	// cert-manager should renew the certificate. The default is 2/3 of the
+	// issued certificate's duration. Minimum accepted value is 5 minutes.
+	// Value must be in units accepted by Go time.ParseDuration
+	// https://golang.org/pkg/time/#ParseDuration
+	// +optional
+	renewBefore?: null | metav1.#Duration @go(RenewBefore,*metav1.Duration)
+
+	// DNSNames is a list of DNS subjectAltNames to be set on the Certificate.
+	// +optional
+	dnsNames?: [...string] @go(DNSNames,[]string)
+
+	// IPAddresses is a list of IP address subjectAltNames to be set on the Certificate.
+	// +optional
+	ipAddresses?: [...string] @go(IPAddresses,[]string)
+
+	// URIs is a list of URI subjectAltNames to be set on the Certificate.
+	// +optional
+	uris?: [...string] @go(URIs,[]string)
+
+	// EmailAddresses is a list of email subjectAltNames to be set on the Certificate.
+	// +optional
+	emailAddresses?: [...string] @go(EmailAddresses,[]string)
+
+	// SecretName is the name of the secret resource that will be automatically
+	// created and managed by this Certificate resource.
+	// It will be populated with a private key and certificate, signed by the
+	// denoted issuer.
+	secretName: string @go(SecretName)
+
+	// SecretTemplate defines annotations and labels to be copied to the
+	// Certificate's Secret. Labels and annotations on the Secret will be changed
+	// as they appear on the SecretTemplate when added or removed. SecretTemplate
+	// annotations are added in conjunction with, and cannot overwrite, the base
+	// set of annotations cert-manager sets on the Certificate's Secret.
+	// +optional
+	secretTemplate?: null | #CertificateSecretTemplate @go(SecretTemplate,*CertificateSecretTemplate)
+
+	// Keystores configures additional keystore output formats stored in the
+	// `secretName` Secret resource.
+	// +optional
+	keystores?: null | #CertificateKeystores @go(Keystores,*CertificateKeystores)
+
+	// IssuerRef is a reference to the issuer for this certificate.
+	// If the `kind` field is not set, or set to `Issuer`, an Issuer resource
+	// with the given name in the same namespace as the Certificate will be used.
+	// If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with the
+	// provided name will be used.
+	// The `name` field in this stanza is required at all times.
+	issuerRef: cmmeta.#ObjectReference @go(IssuerRef)
+
+	// IsCA will mark this Certificate as valid for certificate signing.
+	// This will automatically add the `cert sign` usage to the list of `usages`.
+	// +optional
+	isCA?: bool @go(IsCA)
+
+	// Usages is the set of x509 usages that are requested for the certificate.
+	// Defaults to `digital signature` and `key encipherment` if not specified.
+	// +optional
+	usages?: [...#KeyUsage] @go(Usages,[]KeyUsage)
+
+	// Options to control private keys used for the Certificate.
+	// +optional
+	privateKey?: null | #CertificatePrivateKey @go(PrivateKey,*CertificatePrivateKey)
+
+	// EncodeUsagesInRequest controls whether key usages should be present
+	// in the CertificateRequest
+	// +optional
+	encodeUsagesInRequest?: null | bool @go(EncodeUsagesInRequest,*bool)
+
+	// revisionHistoryLimit is the maximum number of CertificateRequest revisions
+	// that are maintained in the Certificate's history. Each revision represents
+	// a single `CertificateRequest` created by this Certificate, either when it
+	// was created, renewed, or Spec was changed. Revisions will be removed by
+	// oldest first if the number of revisions exceeds this number. If set,
+	// revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`),
+	// revisions will not be garbage collected. Default value is `nil`.
+	// +kubebuilder:validation:ExclusiveMaximum=false
+	// +optional
+	revisionHistoryLimit?: null | int32 @go(RevisionHistoryLimit,*int32)
+
+	// AdditionalOutputFormats defines extra output formats of the private key
+	// and signed certificate chain to be written to this Certificate's target
+	// Secret. This is an Alpha Feature and is only enabled with the
+	// `--feature-gates=AdditionalCertificateOutputFormats=true` option on both
+	// the controller and webhook components.
+	// +optional
+	additionalOutputFormats?: [...#CertificateAdditionalOutputFormat] @go(AdditionalOutputFormats,[]CertificateAdditionalOutputFormat)
+}
+
+// CertificatePrivateKey contains configuration options for private keys
+// used by the Certificate controller.
+// This allows control of how private keys are rotated.
+#CertificatePrivateKey: {
+	// RotationPolicy controls how private keys should be regenerated when a
+	// re-issuance is being processed.
+	// If set to Never, a private key will only be generated if one does not
+	// already exist in the target `spec.secretName`. If one does exists but it
+	// does not have the correct algorithm or size, a warning will be raised
+	// to await user intervention.
+	// If set to Always, a private key matching the specified requirements
+	// will be generated whenever a re-issuance occurs.
+	// Default is 'Never' for backward compatibility.
+	// +optional
+	rotationPolicy?: #PrivateKeyRotationPolicy @go(RotationPolicy)
+
+	// The private key cryptography standards (PKCS) encoding for this
+	// certificate's private key to be encoded in.
+	// If provided, allowed values are `PKCS1` and `PKCS8` standing for PKCS#1
+	// and PKCS#8, respectively.
+	// Defaults to `PKCS1` if not specified.
+	// +optional
+	encoding?: #PrivateKeyEncoding @go(Encoding)
+
+	// Algorithm is the private key algorithm of the corresponding private key
+	// for this certificate. If provided, allowed values are either `RSA`,`Ed25519` or `ECDSA`
+	// If `algorithm` is specified and `size` is not provided,
+	// key size of 256 will be used for `ECDSA` key algorithm and
+	// key size of 2048 will be used for `RSA` key algorithm.
+	// key size is ignored when using the `Ed25519` key algorithm.
+	// +optional
+	algorithm?: #PrivateKeyAlgorithm @go(Algorithm)
+
+	// Size is the key bit size of the corresponding private key for this certificate.
+	// If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`,
+	// and will default to `2048` if not specified.
+	// If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`,
+	// and will default to `256` if not specified.
+	// If `algorithm` is set to `Ed25519`, Size is ignored.
+	// No other values are allowed.
+	// +optional
+	size?: int @go(Size)
+}
+
+// Denotes how private keys should be generated or sourced when a Certificate
+// is being issued.
+#PrivateKeyRotationPolicy: string
+
+// CertificateOutputFormatType specifies which additional output formats should
+// be written to the Certificate's target Secret.
+// Allowed values are `DER` or `CombinedPEM`.
+// When Type is set to `DER` an additional entry `key.der` will be written to
+// the Secret, containing the binary format of the private key.
+// When Type is set to `CombinedPEM` an additional entry `tls-combined.pem`
+// will be written to the Secret, containing the PEM formatted private key and
+// signed certificate chain (tls.key + tls.crt concatenated).
+// +kubebuilder:validation:Enum=DER;CombinedPEM
+#CertificateOutputFormatType: string // #enumCertificateOutputFormatType
+
+#enumCertificateOutputFormatType:
+	#CertificateOutputFormatDER |
+	#CertificateOutputFormatCombinedPEM
+
+// CertificateOutputFormatDERKey is the name of the data entry in the Secret
+// resource used to store the DER formatted private key.
+#CertificateOutputFormatDERKey: "key.der"
+
+// CertificateOutputFormatDER  writes the Certificate's private key in DER
+// binary format to the `key.der` target Secret Data key.
+#CertificateOutputFormatDER: #CertificateOutputFormatType & "DER"
+
+// CertificateOutputFormatCombinedPEMKey is the name of the data entry in the Secret
+// resource used to store the combined PEM (key + signed certificate).
+#CertificateOutputFormatCombinedPEMKey: "tls-combined.pem"
+
+// CertificateOutputFormatCombinedPEM  writes the Certificate's signed
+// certificate chain and private key, in PEM format, to the
+// `tls-combined.pem` target Secret Data key. The value at this key will
+// include the private key PEM document, followed by at least one new line
+// character, followed by the chain of signed certificate PEM documents
+// (`<private key> + \n + <signed certificate chain>`).
+#CertificateOutputFormatCombinedPEM: #CertificateOutputFormatType & "CombinedPEM"
+
+// CertificateAdditionalOutputFormat defines an additional output format of a
+// Certificate resource. These contain supplementary data formats of the signed
+// certificate chain and paired private key.
+#CertificateAdditionalOutputFormat: {
+	// Type is the name of the format type that should be written to the
+	// Certificate's target Secret.
+	type: #CertificateOutputFormatType @go(Type)
+}
+
+// X509Subject Full X509 name specification
+#X509Subject: {
+	// Organizations to be used on the Certificate.
+	// +optional
+	organizations?: [...string] @go(Organizations,[]string)
+
+	// Countries to be used on the Certificate.
+	// +optional
+	countries?: [...string] @go(Countries,[]string)
+
+	// Organizational Units to be used on the Certificate.
+	// +optional
+	organizationalUnits?: [...string] @go(OrganizationalUnits,[]string)
+
+	// Cities to be used on the Certificate.
+	// +optional
+	localities?: [...string] @go(Localities,[]string)
+
+	// State/Provinces to be used on the Certificate.
+	// +optional
+	provinces?: [...string] @go(Provinces,[]string)
+
+	// Street addresses to be used on the Certificate.
+	// +optional
+	streetAddresses?: [...string] @go(StreetAddresses,[]string)
+
+	// Postal codes to be used on the Certificate.
+	// +optional
+	postalCodes?: [...string] @go(PostalCodes,[]string)
+
+	// Serial number to be used on the Certificate.
+	// +optional
+	serialNumber?: string @go(SerialNumber)
+}
+
+// CertificateKeystores configures additional keystore output formats to be
+// created in the Certificate's output Secret.
+#CertificateKeystores: {
+	// JKS configures options for storing a JKS keystore in the
+	// `spec.secretName` Secret resource.
+	// +optional
+	jks?: null | #JKSKeystore @go(JKS,*JKSKeystore)
+
+	// PKCS12 configures options for storing a PKCS12 keystore in the
+	// `spec.secretName` Secret resource.
+	// +optional
+	pkcs12?: null | #PKCS12Keystore @go(PKCS12,*PKCS12Keystore)
+}
+
+// JKS configures options for storing a JKS keystore in the `spec.secretName`
+// Secret resource.
+#JKSKeystore: {
+	// Create enables JKS keystore creation for the Certificate.
+	// If true, a file named `keystore.jks` will be created in the target
+	// Secret resource, encrypted using the password stored in
+	// `passwordSecretRef`.
+	// The keystore file will only be updated upon re-issuance.
+	// A file named `truststore.jks` will also be created in the target
+	// Secret resource, encrypted using the password stored in
+	// `passwordSecretRef` containing the issuing Certificate Authority
+	create: bool @go(Create)
+
+	// PasswordSecretRef is a reference to a key in a Secret resource
+	// containing the password used to encrypt the JKS keystore.
+	passwordSecretRef: cmmeta.#SecretKeySelector @go(PasswordSecretRef)
+}
+
+// PKCS12 configures options for storing a PKCS12 keystore in the
+// `spec.secretName` Secret resource.
+#PKCS12Keystore: {
+	// Create enables PKCS12 keystore creation for the Certificate.
+	// If true, a file named `keystore.p12` will be created in the target
+	// Secret resource, encrypted using the password stored in
+	// `passwordSecretRef`.
+	// The keystore file will only be updated upon re-issuance.
+	// A file named `truststore.p12` will also be created in the target
+	// Secret resource, encrypted using the password stored in
+	// `passwordSecretRef` containing the issuing Certificate Authority
+	create: bool @go(Create)
+
+	// PasswordSecretRef is a reference to a key in a Secret resource
+	// containing the password used to encrypt the PKCS12 keystore.
+	passwordSecretRef: cmmeta.#SecretKeySelector @go(PasswordSecretRef)
+}
+
+// CertificateStatus defines the observed state of Certificate
+#CertificateStatus: {
+	// List of status conditions to indicate the status of certificates.
+	// Known condition types are `Ready` and `Issuing`.
+	// +optional
+	conditions?: [...#CertificateCondition] @go(Conditions,[]CertificateCondition)
+
+	// LastFailureTime is the time as recorded by the Certificate controller
+	// of the most recent failure to complete a CertificateRequest for this
+	// Certificate resource.
+	// If set, cert-manager will not re-request another Certificate until
+	// 1 hour has elapsed from this time.
+	// +optional
+	lastFailureTime?: null | metav1.#Time @go(LastFailureTime,*metav1.Time)
+
+	// The time after which the certificate stored in the secret named
+	// by this resource in spec.secretName is valid.
+	// +optional
+	notBefore?: null | metav1.#Time @go(NotBefore,*metav1.Time)
+
+	// The expiration time of the certificate stored in the secret named
+	// by this resource in `spec.secretName`.
+	// +optional
+	notAfter?: null | metav1.#Time @go(NotAfter,*metav1.Time)
+
+	// RenewalTime is the time at which the certificate will be next
+	// renewed.
+	// If not set, no upcoming renewal is scheduled.
+	// +optional
+	renewalTime?: null | metav1.#Time @go(RenewalTime,*metav1.Time)
+
+	// The current 'revision' of the certificate as issued.
+	//
+	// When a CertificateRequest resource is created, it will have the
+	// `cert-manager.io/certificate-revision` set to one greater than the
+	// current value of this field.
+	//
+	// Upon issuance, this field will be set to the value of the annotation
+	// on the CertificateRequest resource used to issue the certificate.
+	//
+	// Persisting the value on the CertificateRequest resource allows the
+	// certificates controller to know whether a request is part of an old
+	// issuance or if it is part of the ongoing revision's issuance by
+	// checking if the revision value in the annotation is greater than this
+	// field.
+	// +optional
+	revision?: null | int @go(Revision,*int)
+
+	// The name of the Secret resource containing the private key to be used
+	// for the next certificate iteration.
+	// The keymanager controller will automatically set this field if the
+	// `Issuing` condition is set to `True`.
+	// It will automatically unset this field when the Issuing condition is
+	// not set or False.
+	// +optional
+	nextPrivateKeySecretName?: null | string @go(NextPrivateKeySecretName,*string)
+}
+
+// CertificateCondition contains condition information for an Certificate.
+#CertificateCondition: {
+	// Type of the condition, known values are (`Ready`, `Issuing`).
+	type: #CertificateConditionType @go(Type)
+
+	// Status of the condition, one of (`True`, `False`, `Unknown`).
+	status: cmmeta.#ConditionStatus @go(Status)
+
+	// LastTransitionTime is the timestamp corresponding to the last status
+	// change of this condition.
+	// +optional
+	lastTransitionTime?: null | metav1.#Time @go(LastTransitionTime,*metav1.Time)
+
+	// Reason is a brief machine readable explanation for the condition's last
+	// transition.
+	// +optional
+	reason?: string @go(Reason)
+
+	// Message is a human readable description of the details of the last
+	// transition, complementing reason.
+	// +optional
+	message?: string @go(Message)
+
+	// If set, this represents the .metadata.generation that the condition was
+	// set based upon.
+	// For instance, if .metadata.generation is currently 12, but the
+	// .status.condition[x].observedGeneration is 9, the condition is out of date
+	// with respect to the current state of the Certificate.
+	// +optional
+	observedGeneration?: int64 @go(ObservedGeneration)
+}
+
+// CertificateConditionType represents an Certificate condition value.
+#CertificateConditionType: string // #enumCertificateConditionType
+
+#enumCertificateConditionType:
+	#CertificateConditionReady |
+	#CertificateConditionIssuing
+
+// CertificateConditionReady indicates that a certificate is ready for use.
+// This is defined as:
+// - The target secret exists
+// - The target secret contains a certificate that has not expired
+// - The target secret contains a private key valid for the certificate
+// - The commonName and dnsNames attributes match those specified on the Certificate
+#CertificateConditionReady: #CertificateConditionType & "Ready"
+
+// A condition added to Certificate resources when an issuance is required.
+// This condition will be automatically added and set to true if:
+//   * No keypair data exists in the target Secret
+//   * The data stored in the Secret cannot be decoded
+//   * The private key and certificate do not have matching public keys
+//   * If a CertificateRequest for the current revision exists and the
+//     certificate data stored in the Secret does not match the
+//    `status.certificate` on the CertificateRequest.
+//   * If no CertificateRequest resource exists for the current revision,
+//     the options on the Certificate resource are compared against the
+//     x509 data in the Secret, similar to what's done in earlier versions.
+//     If there is a mismatch, an issuance is triggered.
+// This condition may also be added by external API consumers to trigger
+// a re-issuance manually for any other reason.
+//
+// It will be removed by the 'issuing' controller upon completing issuance.
+#CertificateConditionIssuing: #CertificateConditionType & "Issuing"
+
+// CertificateSecretTemplate defines the default labels and annotations
+// to be copied to the Kubernetes Secret resource named in `CertificateSpec.secretName`.
+#CertificateSecretTemplate: {
+	// Annotations is a key value map to be copied to the target Kubernetes Secret.
+	// +optional
+	annotations?: {[string]: string} @go(Annotations,map[string]string)
+
+	// Labels is a key value map to be copied to the target Kubernetes Secret.
+	// +optional
+	labels?: {[string]: string} @go(Labels,map[string]string)
+}

cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/certmanager/v1/types_certificaterequest_go_gen.cue

@@ -0,0 +1,195 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/certmanager/v1
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
+)
+
+// Pending indicates that a CertificateRequest is still in progress.
+#CertificateRequestReasonPending: "Pending"
+
+// Failed indicates that a CertificateRequest has failed, either due to
+// timing out or some other critical failure.
+#CertificateRequestReasonFailed: "Failed"
+
+// Issued indicates that a CertificateRequest has been completed, and that
+// the `status.certificate` field is set.
+#CertificateRequestReasonIssued: "Issued"
+
+// Denied is a Ready condition reason that indicates that a
+// CertificateRequest has been denied, and the CertificateRequest will never
+// be issued.
+#CertificateRequestReasonDenied: "Denied"
+
+// A CertificateRequest is used to request a signed certificate from one of the
+// configured issuers.
+//
+// All fields within the CertificateRequest's `spec` are immutable after creation.
+// A CertificateRequest will either succeed or fail, as denoted by its `status.state`
+// field.
+//
+// A CertificateRequest is a one-shot resource, meaning it represents a single
+// point in time request for a certificate and cannot be re-used.
+// +k8s:openapi-gen=true
+#CertificateRequest: {
+	metav1.#TypeMeta
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta)
+
+	// Desired state of the CertificateRequest resource.
+	spec: #CertificateRequestSpec @go(Spec)
+
+	// Status of the CertificateRequest. This is set and managed automatically.
+	// +optional
+	status: #CertificateRequestStatus @go(Status)
+}
+
+// CertificateRequestList is a list of Certificates
+#CertificateRequestList: {
+	metav1.#TypeMeta
+	metadata: metav1.#ListMeta @go(ListMeta)
+	items: [...#CertificateRequest] @go(Items,[]CertificateRequest)
+}
+
+// CertificateRequestSpec defines the desired state of CertificateRequest
+#CertificateRequestSpec: {
+	// The requested 'duration' (i.e. lifetime) of the Certificate.
+	// This option may be ignored/overridden by some issuer types.
+	// +optional
+	duration?: null | metav1.#Duration @go(Duration,*metav1.Duration)
+
+	// IssuerRef is a reference to the issuer for this CertificateRequest.  If
+	// the `kind` field is not set, or set to `Issuer`, an Issuer resource with
+	// the given name in the same namespace as the CertificateRequest will be
+	// used.  If the `kind` field is set to `ClusterIssuer`, a ClusterIssuer with
+	// the provided name will be used. The `name` field in this stanza is
+	// required at all times. The group field refers to the API group of the
+	// issuer which defaults to `cert-manager.io` if empty.
+	issuerRef: cmmeta.#ObjectReference @go(IssuerRef)
+
+	// The PEM-encoded x509 certificate signing request to be submitted to the
+	// CA for signing.
+	request: bytes @go(Request,[]byte)
+
+	// IsCA will request to mark the certificate as valid for certificate signing
+	// when submitting to the issuer.
+	// This will automatically add the `cert sign` usage to the list of `usages`.
+	// +optional
+	isCA?: bool @go(IsCA)
+
+	// Usages is the set of x509 usages that are requested for the certificate.
+	// If usages are set they SHOULD be encoded inside the CSR spec
+	// Defaults to `digital signature` and `key encipherment` if not specified.
+	// +optional
+	usages?: [...#KeyUsage] @go(Usages,[]KeyUsage)
+
+	// Username contains the name of the user that created the CertificateRequest.
+	// Populated by the cert-manager webhook on creation and immutable.
+	// +optional
+	username?: string @go(Username)
+
+	// UID contains the uid of the user that created the CertificateRequest.
+	// Populated by the cert-manager webhook on creation and immutable.
+	// +optional
+	uid?: string @go(UID)
+
+	// Groups contains group membership of the user that created the CertificateRequest.
+	// Populated by the cert-manager webhook on creation and immutable.
+	// +listType=atomic
+	// +optional
+	groups?: [...string] @go(Groups,[]string)
+
+	// Extra contains extra attributes of the user that created the CertificateRequest.
+	// Populated by the cert-manager webhook on creation and immutable.
+	// +optional
+	extra?: {[string]: [...string]} @go(Extra,map[string][]string)
+}
+
+// CertificateRequestStatus defines the observed state of CertificateRequest and
+// resulting signed certificate.
+#CertificateRequestStatus: {
+	// List of status conditions to indicate the status of a CertificateRequest.
+	// Known condition types are `Ready` and `InvalidRequest`.
+	// +optional
+	conditions?: [...#CertificateRequestCondition] @go(Conditions,[]CertificateRequestCondition)
+
+	// The PEM encoded x509 certificate resulting from the certificate
+	// signing request.
+	// If not set, the CertificateRequest has either not been completed or has
+	// failed. More information on failure can be found by checking the
+	// `conditions` field.
+	// +optional
+	certificate?: bytes @go(Certificate,[]byte)
+
+	// The PEM encoded x509 certificate of the signer, also known as the CA
+	// (Certificate Authority).
+	// This is set on a best-effort basis by different issuers.
+	// If not set, the CA is assumed to be unknown/not available.
+	// +optional
+	ca?: bytes @go(CA,[]byte)
+
+	// FailureTime stores the time that this CertificateRequest failed. This is
+	// used to influence garbage collection and back-off.
+	// +optional
+	failureTime?: null | metav1.#Time @go(FailureTime,*metav1.Time)
+}
+
+// CertificateRequestCondition contains condition information for a CertificateRequest.
+#CertificateRequestCondition: {
+	// Type of the condition, known values are (`Ready`, `InvalidRequest`,
+	// `Approved`, `Denied`).
+	type: #CertificateRequestConditionType @go(Type)
+
+	// Status of the condition, one of (`True`, `False`, `Unknown`).
+	status: cmmeta.#ConditionStatus @go(Status)
+
+	// LastTransitionTime is the timestamp corresponding to the last status
+	// change of this condition.
+	// +optional
+	lastTransitionTime?: null | metav1.#Time @go(LastTransitionTime,*metav1.Time)
+
+	// Reason is a brief machine readable explanation for the condition's last
+	// transition.
+	// +optional
+	reason?: string @go(Reason)
+
+	// Message is a human readable description of the details of the last
+	// transition, complementing reason.
+	// +optional
+	message?: string @go(Message)
+}
+
+// CertificateRequestConditionType represents an Certificate condition value.
+#CertificateRequestConditionType: string // #enumCertificateRequestConditionType
+
+#enumCertificateRequestConditionType:
+	#CertificateRequestConditionReady |
+	#CertificateRequestConditionInvalidRequest |
+	#CertificateRequestConditionApproved |
+	#CertificateRequestConditionDenied
+
+// CertificateRequestConditionReady indicates that a certificate is ready for use.
+// This is defined as:
+// - The target certificate exists in CertificateRequest.Status
+#CertificateRequestConditionReady: #CertificateRequestConditionType & "Ready"
+
+// CertificateRequestConditionInvalidRequest indicates that a certificate
+// signer has refused to sign the request due to at least one of the input
+// parameters being invalid. Additional information about why the request
+// was rejected can be found in the `reason` and `message` fields.
+#CertificateRequestConditionInvalidRequest: #CertificateRequestConditionType & "InvalidRequest"
+
+// CertificateRequestConditionApproved indicates that a certificate request
+// is approved and ready for signing. Condition must never have a status of
+// `False`, and cannot be modified once set. Cannot be set alongside
+// `Denied`.
+#CertificateRequestConditionApproved: #CertificateRequestConditionType & "Approved"
+
+// CertificateRequestConditionDenied indicates that a certificate request is
+// denied, and must never be signed. Condition must never have a status of
+// `False`, and cannot be modified once set. Cannot be set alongside
+// `Approved`.
+#CertificateRequestConditionDenied: #CertificateRequestConditionType & "Denied"

cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/certmanager/v1/types_go_gen.cue

@@ -0,0 +1,195 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/certmanager/v1
+
+package v1
+
+// Annotation key for DNS subjectAltNames.
+#AltNamesAnnotationKey: "cert-manager.io/alt-names"
+
+// Annotation key for IP subjectAltNames.
+#IPSANAnnotationKey: "cert-manager.io/ip-sans"
+
+// Annotation key for URI subjectAltNames.
+#URISANAnnotationKey: "cert-manager.io/uri-sans"
+
+// Annotation key for certificate common name.
+#CommonNameAnnotationKey: "cert-manager.io/common-name"
+
+// Duration key for certificate duration.
+#DurationAnnotationKey: "cert-manager.io/duration"
+
+// Annotation key for certificate renewBefore.
+#RenewBeforeAnnotationKey: "cert-manager.io/renew-before"
+
+// Annotation key for certificate key usages.
+#UsagesAnnotationKey: "cert-manager.io/usages"
+
+// Annotation key the 'name' of the Issuer resource.
+#IssuerNameAnnotationKey: "cert-manager.io/issuer-name"
+
+// Annotation key for the 'kind' of the Issuer resource.
+#IssuerKindAnnotationKey: "cert-manager.io/issuer-kind"
+
+// Annotation key for the 'group' of the Issuer resource.
+#IssuerGroupAnnotationKey: "cert-manager.io/issuer-group"
+
+// Annotation key for the name of the certificate that a resource is related to.
+#CertificateNameKey: "cert-manager.io/certificate-name"
+
+// Annotation key used to denote whether a Secret is named on a Certificate
+// as a 'next private key' Secret resource.
+#IsNextPrivateKeySecretLabelKey: "cert-manager.io/next-private-key"
+
+// IngressIssuerNameAnnotationKey holds the issuerNameAnnotation value which can be
+// used to override the issuer specified on the created Certificate resource.
+#IngressIssuerNameAnnotationKey: "cert-manager.io/issuer"
+
+// IngressClusterIssuerNameAnnotationKey holds the clusterIssuerNameAnnotation value which
+// can be used to override the issuer specified on the created Certificate resource. The Certificate
+// will reference the specified *ClusterIssuer* instead of normal issuer.
+#IngressClusterIssuerNameAnnotationKey: "cert-manager.io/cluster-issuer"
+
+// IngressACMEIssuerHTTP01IngressClassAnnotationKey holds the acmeIssuerHTTP01IngressClassAnnotation value
+// which can be used to override the http01 ingressClass if the challenge type is set to http01
+#IngressACMEIssuerHTTP01IngressClassAnnotationKey: "acme.cert-manager.io/http01-ingress-class"
+
+// IngressClassAnnotationKey picks a specific "class" for the Ingress. The
+// controller only processes Ingresses with this annotation either unset, or
+// set to either the configured value or the empty string.
+#IngressClassAnnotationKey: "kubernetes.io/ingress.class"
+
+// Annotation added to CertificateRequest resources to denote the name of
+// a Secret resource containing the private key used to sign the CSR stored
+// on the resource.
+// This annotation *may* not be present, and is used by the 'self signing'
+// issuer type to self-sign certificates.
+#CertificateRequestPrivateKeyAnnotationKey: "cert-manager.io/private-key-secret-name"
+
+// Annotation to declare the CertificateRequest "revision", belonging to a Certificate Resource
+#CertificateRequestRevisionAnnotationKey: "cert-manager.io/certificate-revision"
+
+// IssueTemporaryCertificateAnnotation is an annotation that can be added to
+// Certificate resources.
+// If it is present, a temporary internally signed certificate will be
+// stored in the target Secret resource whilst the real Issuer is processing
+// the certificate request.
+#IssueTemporaryCertificateAnnotation: "cert-manager.io/issue-temporary-certificate"
+
+#ClusterIssuerKind:      "ClusterIssuer"
+#IssuerKind:             "Issuer"
+#CertificateKind:        "Certificate"
+#CertificateRequestKind: "CertificateRequest"
+
+// WantInjectAnnotation is the annotation that specifies that a particular
+// object wants injection of CAs.  It takes the form of a reference to a certificate
+// as namespace/name.  The certificate is expected to have the is-serving-for annotations.
+#WantInjectAnnotation: "cert-manager.io/inject-ca-from"
+
+// WantInjectAPIServerCAAnnotation will - if set to "true" - make the cainjector
+// inject the CA certificate for the Kubernetes apiserver into the resource.
+// It discovers the apiserver's CA by inspecting the service account credentials
+// mounted into the cainjector pod.
+#WantInjectAPIServerCAAnnotation: "cert-manager.io/inject-apiserver-ca"
+
+// WantInjectFromSecretAnnotation is the annotation that specifies that a particular
+// object wants injection of CAs.  It takes the form of a reference to a Secret
+// as namespace/name.
+#WantInjectFromSecretAnnotation: "cert-manager.io/inject-ca-from-secret"
+
+// AllowsInjectionFromSecretAnnotation is an annotation that must be added
+// to Secret resource that want to denote that they can be directly
+// injected into injectables that have a `inject-ca-from-secret` annotation.
+// If an injectable references a Secret that does NOT have this annotation,
+// the cainjector will refuse to inject the secret.
+#AllowsInjectionFromSecretAnnotation: "cert-manager.io/allow-direct-injection"
+
+// VenafiCustomFieldsAnnotationKey is the annotation that passes on JSON encoded custom fields to the Venafi issuer
+// This will only work with Venafi TPP v19.3 and higher
+// The value is an array with objects containing the name and value keys
+// for example: `[{"name": "custom-field", "value": "custom-value"}]`
+#VenafiCustomFieldsAnnotationKey: "venafi.cert-manager.io/custom-fields"
+
+// VenafiPickupIDAnnotationKey is the annotation key used to record the
+// Venafi Pickup ID of a certificate signing request that has been submitted
+// to the Venafi API for collection later.
+#VenafiPickupIDAnnotationKey: "venafi.cert-manager.io/pickup-id"
+
+// KeyUsage specifies valid usage contexts for keys.
+// See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3
+//      https://tools.ietf.org/html/rfc5280#section-4.2.1.12
+// Valid KeyUsage values are as follows:
+// "signing",
+// "digital signature",
+// "content commitment",
+// "key encipherment",
+// "key agreement",
+// "data encipherment",
+// "cert sign",
+// "crl sign",
+// "encipher only",
+// "decipher only",
+// "any",
+// "server auth",
+// "client auth",
+// "code signing",
+// "email protection",
+// "s/mime",
+// "ipsec end system",
+// "ipsec tunnel",
+// "ipsec user",
+// "timestamping",
+// "ocsp signing",
+// "microsoft sgc",
+// "netscape sgc"
+// +kubebuilder:validation:Enum="signing";"digital signature";"content commitment";"key encipherment";"key agreement";"data encipherment";"cert sign";"crl sign";"encipher only";"decipher only";"any";"server auth";"client auth";"code signing";"email protection";"s/mime";"ipsec end system";"ipsec tunnel";"ipsec user";"timestamping";"ocsp signing";"microsoft sgc";"netscape sgc"
+#KeyUsage: string // #enumKeyUsage
+
+#enumKeyUsage:
+	#UsageSigning |
+	#UsageDigitalSignature |
+	#UsageContentCommitment |
+	#UsageKeyEncipherment |
+	#UsageKeyAgreement |
+	#UsageDataEncipherment |
+	#UsageCertSign |
+	#UsageCRLSign |
+	#UsageEncipherOnly |
+	#UsageDecipherOnly |
+	#UsageAny |
+	#UsageServerAuth |
+	#UsageClientAuth |
+	#UsageCodeSigning |
+	#UsageEmailProtection |
+	#UsageSMIME |
+	#UsageIPsecEndSystem |
+	#UsageIPsecTunnel |
+	#UsageIPsecUser |
+	#UsageTimestamping |
+	#UsageOCSPSigning |
+	#UsageMicrosoftSGC |
+	#UsageNetscapeSGC
+
+#UsageSigning:           #KeyUsage & "signing"
+#UsageDigitalSignature:  #KeyUsage & "digital signature"
+#UsageContentCommitment: #KeyUsage & "content commitment"
+#UsageKeyEncipherment:   #KeyUsage & "key encipherment"
+#UsageKeyAgreement:      #KeyUsage & "key agreement"
+#UsageDataEncipherment:  #KeyUsage & "data encipherment"
+#UsageCertSign:          #KeyUsage & "cert sign"
+#UsageCRLSign:           #KeyUsage & "crl sign"
+#UsageEncipherOnly:      #KeyUsage & "encipher only"
+#UsageDecipherOnly:      #KeyUsage & "decipher only"
+#UsageAny:               #KeyUsage & "any"
+#UsageServerAuth:        #KeyUsage & "server auth"
+#UsageClientAuth:        #KeyUsage & "client auth"
+#UsageCodeSigning:       #KeyUsage & "code signing"
+#UsageEmailProtection:   #KeyUsage & "email protection"
+#UsageSMIME:             #KeyUsage & "s/mime"
+#UsageIPsecEndSystem:    #KeyUsage & "ipsec end system"
+#UsageIPsecTunnel:       #KeyUsage & "ipsec tunnel"
+#UsageIPsecUser:         #KeyUsage & "ipsec user"
+#UsageTimestamping:      #KeyUsage & "timestamping"
+#UsageOCSPSigning:       #KeyUsage & "ocsp signing"
+#UsageMicrosoftSGC:      #KeyUsage & "microsoft sgc"
+#UsageNetscapeSGC:       #KeyUsage & "netscape sgc"

cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/certmanager/v1/types_issuer_go_gen.cue

@@ -0,0 +1,316 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/certmanager/v1
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	cmacme "github.com/jetstack/cert-manager/pkg/apis/acme/v1"
+	cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
+)
+
+// A ClusterIssuer represents a certificate issuing authority which can be
+// referenced as part of `issuerRef` fields.
+// It is similar to an Issuer, however it is cluster-scoped and therefore can
+// be referenced by resources that exist in *any* namespace, not just the same
+// namespace as the referent.
+#ClusterIssuer: {
+	metav1.#TypeMeta
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta)
+
+	// Desired state of the ClusterIssuer resource.
+	spec: #IssuerSpec @go(Spec)
+
+	// Status of the ClusterIssuer. This is set and managed automatically.
+	// +optional
+	status: #IssuerStatus @go(Status)
+}
+
+// ClusterIssuerList is a list of Issuers
+#ClusterIssuerList: {
+	metav1.#TypeMeta
+	metadata: metav1.#ListMeta @go(ListMeta)
+	items: [...#ClusterIssuer] @go(Items,[]ClusterIssuer)
+}
+
+// An Issuer represents a certificate issuing authority which can be
+// referenced as part of `issuerRef` fields.
+// It is scoped to a single namespace and can therefore only be referenced by
+// resources within the same namespace.
+#Issuer: {
+	metav1.#TypeMeta
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta)
+
+	// Desired state of the Issuer resource.
+	spec: #IssuerSpec @go(Spec)
+
+	// Status of the Issuer. This is set and managed automatically.
+	// +optional
+	status: #IssuerStatus @go(Status)
+}
+
+// IssuerList is a list of Issuers
+#IssuerList: {
+	metav1.#TypeMeta
+	metadata: metav1.#ListMeta @go(ListMeta)
+	items: [...#Issuer] @go(Items,[]Issuer)
+}
+
+// IssuerSpec is the specification of an Issuer. This includes any
+// configuration required for the issuer.
+#IssuerSpec: {
+	#IssuerConfig
+}
+
+// The configuration for the issuer.
+// Only one of these can be set.
+#IssuerConfig: {
+	// ACME configures this issuer to communicate with a RFC8555 (ACME) server
+	// to obtain signed x509 certificates.
+	// +optional
+	acme?: null | cmacme.#ACMEIssuer @go(ACME,*cmacme.ACMEIssuer)
+
+	// CA configures this issuer to sign certificates using a signing CA keypair
+	// stored in a Secret resource.
+	// This is used to build internal PKIs that are managed by cert-manager.
+	// +optional
+	ca?: null | #CAIssuer @go(CA,*CAIssuer)
+
+	// Vault configures this issuer to sign certificates using a HashiCorp Vault
+	// PKI backend.
+	// +optional
+	vault?: null | #VaultIssuer @go(Vault,*VaultIssuer)
+
+	// SelfSigned configures this issuer to 'self sign' certificates using the
+	// private key used to create the CertificateRequest object.
+	// +optional
+	selfSigned?: null | #SelfSignedIssuer @go(SelfSigned,*SelfSignedIssuer)
+
+	// Venafi configures this issuer to sign certificates using a Venafi TPP
+	// or Venafi Cloud policy zone.
+	// +optional
+	venafi?: null | #VenafiIssuer @go(Venafi,*VenafiIssuer)
+}
+
+// Configures an issuer to sign certificates using a Venafi TPP
+// or Cloud policy zone.
+#VenafiIssuer: {
+	// Zone is the Venafi Policy Zone to use for this issuer.
+	// All requests made to the Venafi platform will be restricted by the named
+	// zone policy.
+	// This field is required.
+	zone: string @go(Zone)
+
+	// TPP specifies Trust Protection Platform configuration settings.
+	// Only one of TPP or Cloud may be specified.
+	// +optional
+	tpp?: null | #VenafiTPP @go(TPP,*VenafiTPP)
+
+	// Cloud specifies the Venafi cloud configuration settings.
+	// Only one of TPP or Cloud may be specified.
+	// +optional
+	cloud?: null | #VenafiCloud @go(Cloud,*VenafiCloud)
+}
+
+// VenafiTPP defines connection configuration details for a Venafi TPP instance
+#VenafiTPP: {
+	// URL is the base URL for the vedsdk endpoint of the Venafi TPP instance,
+	// for example: "https://tpp.example.com/vedsdk".
+	url: string @go(URL)
+
+	// CredentialsRef is a reference to a Secret containing the username and
+	// password for the TPP server.
+	// The secret must contain two keys, 'username' and 'password'.
+	credentialsRef: cmmeta.#LocalObjectReference @go(CredentialsRef)
+
+	// CABundle is a PEM encoded TLS certificate to use to verify connections to
+	// the TPP instance.
+	// If specified, system roots will not be used and the issuing CA for the
+	// TPP instance must be verifiable using the provided root.
+	// If not specified, the connection will be verified using the cert-manager
+	// system root certificates.
+	// +optional
+	caBundle?: bytes @go(CABundle,[]byte)
+}
+
+// VenafiCloud defines connection configuration details for Venafi Cloud
+#VenafiCloud: {
+	// URL is the base URL for Venafi Cloud.
+	// Defaults to "https://api.venafi.cloud/v1".
+	// +optional
+	url?: string @go(URL)
+
+	// APITokenSecretRef is a secret key selector for the Venafi Cloud API token.
+	apiTokenSecretRef: cmmeta.#SecretKeySelector @go(APITokenSecretRef)
+}
+
+// Configures an issuer to 'self sign' certificates using the
+// private key used to create the CertificateRequest object.
+#SelfSignedIssuer: {
+	// The CRL distribution points is an X.509 v3 certificate extension which identifies
+	// the location of the CRL from which the revocation of this certificate can be checked.
+	// If not set certificate will be issued without CDP. Values are strings.
+	// +optional
+	crlDistributionPoints?: [...string] @go(CRLDistributionPoints,[]string)
+}
+
+// Configures an issuer to sign certificates using a HashiCorp Vault
+// PKI backend.
+#VaultIssuer: {
+	// Auth configures how cert-manager authenticates with the Vault server.
+	auth: #VaultAuth @go(Auth)
+
+	// Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".
+	server: string @go(Server)
+
+	// Path is the mount path of the Vault PKI backend's `sign` endpoint, e.g:
+	// "my_pki_mount/sign/my-role-name".
+	path: string @go(Path)
+
+	// Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1"
+	// More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
+	// +optional
+	namespace?: string @go(Namespace)
+
+	// PEM-encoded CA bundle (base64-encoded) used to validate Vault server
+	// certificate. Only used if the Server URL is using HTTPS protocol. This
+	// parameter is ignored for plain HTTP protocol connection. If not set the
+	// system root certificates are used to validate the TLS connection.
+	// +optional
+	caBundle?: bytes @go(CABundle,[]byte)
+}
+
+// Configuration used to authenticate with a Vault server.
+// Only one of `tokenSecretRef`, `appRole` or `kubernetes` may be specified.
+#VaultAuth: {
+	// TokenSecretRef authenticates with Vault by presenting a token.
+	// +optional
+	tokenSecretRef?: null | cmmeta.#SecretKeySelector @go(TokenSecretRef,*cmmeta.SecretKeySelector)
+
+	// AppRole authenticates with Vault using the App Role auth mechanism,
+	// with the role and secret stored in a Kubernetes Secret resource.
+	// +optional
+	appRole?: null | #VaultAppRole @go(AppRole,*VaultAppRole)
+
+	// Kubernetes authenticates with Vault by passing the ServiceAccount
+	// token stored in the named Secret resource to the Vault server.
+	// +optional
+	kubernetes?: null | #VaultKubernetesAuth @go(Kubernetes,*VaultKubernetesAuth)
+}
+
+// VaultAppRole authenticates with Vault using the App Role auth mechanism,
+// with the role and secret stored in a Kubernetes Secret resource.
+#VaultAppRole: {
+	// Path where the App Role authentication backend is mounted in Vault, e.g:
+	// "approle"
+	path: string @go(Path)
+
+	// RoleID configured in the App Role authentication backend when setting
+	// up the authentication backend in Vault.
+	roleId: string @go(RoleId)
+
+	// Reference to a key in a Secret that contains the App Role secret used
+	// to authenticate with Vault.
+	// The `key` field must be specified and denotes which entry within the Secret
+	// resource is used as the app role secret.
+	secretRef: cmmeta.#SecretKeySelector @go(SecretRef)
+}
+
+// Authenticate against Vault using a Kubernetes ServiceAccount token stored in
+// a Secret.
+#VaultKubernetesAuth: {
+	// The Vault mountPath here is the mount path to use when authenticating with
+	// Vault. For example, setting a value to `/v1/auth/foo`, will use the path
+	// `/v1/auth/foo/login` to authenticate with Vault. If unspecified, the
+	// default value "/v1/auth/kubernetes" will be used.
+	// +optional
+	mountPath?: string @go(Path)
+
+	// The required Secret field containing a Kubernetes ServiceAccount JWT used
+	// for authenticating with Vault. Use of 'ambient credentials' is not
+	// supported.
+	secretRef: cmmeta.#SecretKeySelector @go(SecretRef)
+
+	// A required field containing the Vault Role to assume. A Role binds a
+	// Kubernetes ServiceAccount with a set of Vault policies.
+	role: string @go(Role)
+}
+
+#CAIssuer: {
+	// SecretName is the name of the secret used to sign Certificates issued
+	// by this Issuer.
+	secretName: string @go(SecretName)
+
+	// The CRL distribution points is an X.509 v3 certificate extension which identifies
+	// the location of the CRL from which the revocation of this certificate can be checked.
+	// If not set, certificates will be issued without distribution points set.
+	// +optional
+	crlDistributionPoints?: [...string] @go(CRLDistributionPoints,[]string)
+
+	// The OCSP server list is an X.509 v3 extension that defines a list of
+	// URLs of OCSP responders. The OCSP responders can be queried for the
+	// revocation status of an issued certificate. If not set, the
+	// certificate will be issued with no OCSP servers set. For example, an
+	// OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org".
+	// +optional
+	ocspServers?: [...string] @go(OCSPServers,[]string)
+}
+
+// IssuerStatus contains status information about an Issuer
+#IssuerStatus: {
+	// List of status conditions to indicate the status of a CertificateRequest.
+	// Known condition types are `Ready`.
+	// +optional
+	conditions?: [...#IssuerCondition] @go(Conditions,[]IssuerCondition)
+
+	// ACME specific status options.
+	// This field should only be set if the Issuer is configured to use an ACME
+	// server to issue certificates.
+	// +optional
+	acme?: null | cmacme.#ACMEIssuerStatus @go(ACME,*cmacme.ACMEIssuerStatus)
+}
+
+// IssuerCondition contains condition information for an Issuer.
+#IssuerCondition: {
+	// Type of the condition, known values are (`Ready`).
+	type: #IssuerConditionType @go(Type)
+
+	// Status of the condition, one of (`True`, `False`, `Unknown`).
+	status: cmmeta.#ConditionStatus @go(Status)
+
+	// LastTransitionTime is the timestamp corresponding to the last status
+	// change of this condition.
+	// +optional
+	lastTransitionTime?: null | metav1.#Time @go(LastTransitionTime,*metav1.Time)
+
+	// Reason is a brief machine readable explanation for the condition's last
+	// transition.
+	// +optional
+	reason?: string @go(Reason)
+
+	// Message is a human readable description of the details of the last
+	// transition, complementing reason.
+	// +optional
+	message?: string @go(Message)
+
+	// If set, this represents the .metadata.generation that the condition was
+	// set based upon.
+	// For instance, if .metadata.generation is currently 12, but the
+	// .status.condition[x].observedGeneration is 9, the condition is out of date
+	// with respect to the current state of the Issuer.
+	// +optional
+	observedGeneration?: int64 @go(ObservedGeneration)
+}
+
+// IssuerConditionType represents an Issuer condition value.
+#IssuerConditionType: string // #enumIssuerConditionType
+
+#enumIssuerConditionType:
+	#IssuerConditionReady
+
+// IssuerConditionReady represents the fact that a given Issuer condition
+// is in ready state and able to issue certificates.
+// If the `status` of this condition is `False`, CertificateRequest controllers
+// should prevent attempts to sign certificates.
+#IssuerConditionReady: #IssuerConditionType & "Ready"

cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/meta/v1/doc_go_gen.cue

@@ -0,0 +1,9 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/meta/v1
+
+// Package v1 contains meta types for cert-manager APIs
+// +k8s:deepcopy-gen=package
+// +gencrdrefdocs:force
+// +groupName=meta.cert-manager.io
+package v1

cue/cue.mod/gen/github.com/jetstack/cert-manager/pkg/apis/meta/v1/types_go_gen.cue

@@ -0,0 +1,64 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go github.com/jetstack/cert-manager/pkg/apis/meta/v1
+
+package v1
+
+// ConditionStatus represents a condition's status.
+// +kubebuilder:validation:Enum=True;False;Unknown
+#ConditionStatus: string // #enumConditionStatus
+
+#enumConditionStatus:
+	#ConditionTrue |
+	#ConditionFalse |
+	#ConditionUnknown
+
+// ConditionTrue represents the fact that a given condition is true
+#ConditionTrue: #ConditionStatus & "True"
+
+// ConditionFalse represents the fact that a given condition is false
+#ConditionFalse: #ConditionStatus & "False"
+
+// ConditionUnknown represents the fact that a given condition is unknown
+#ConditionUnknown: #ConditionStatus & "Unknown"
+
+// A reference to an object in the same namespace as the referent.
+// If the referent is a cluster-scoped resource (e.g. a ClusterIssuer),
+// the reference instead refers to the resource with the given name in the
+// configured 'cluster resource namespace', which is set as a flag on the
+// controller component (and defaults to the namespace that cert-manager
+// runs in).
+#LocalObjectReference: {
+	// Name of the resource being referred to.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+	name: string @go(Name)
+}
+
+// ObjectReference is a reference to an object with a given name, kind and group.
+#ObjectReference: {
+	// Name of the resource being referred to.
+	name: string @go(Name)
+
+	// Kind of the resource being referred to.
+	// +optional
+	kind?: string @go(Kind)
+
+	// Group of the resource being referred to.
+	// +optional
+	group?: string @go(Group)
+}
+
+// A reference to a specific 'key' within a Secret resource.
+// In some instances, `key` is a required field.
+#SecretKeySelector: {
+	#LocalObjectReference
+
+	// The key of the entry in the Secret resource's `data` field to be used.
+	// Some instances of this field may be defaulted, in others it may be
+	// required.
+	// +optional
+	key?: string @go(Key)
+}
+
+// Used as a data key in Secret resources to store a CA certificate.
+#TLSCAKey: "ca.crt"

cue/cue.mod/gen/k8s.io/api/apps/v1/register_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/apps/v1
+
+package v1
+
+#GroupName: "apps"

cue/cue.mod/gen/k8s.io/api/apps/v1/types_go_gen.cue

@@ -0,0 +1,907 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/apps/v1
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+#ControllerRevisionHashLabelKey: "controller-revision-hash"
+#StatefulSetRevisionLabel:       "controller-revision-hash"
+#DeprecatedRollbackTo:           "deprecated.deployment.rollback.to"
+#DeprecatedTemplateGeneration:   "deprecated.daemonset.template.generation"
+#StatefulSetPodNameLabel:        "statefulset.kubernetes.io/pod-name"
+
+// StatefulSet represents a set of pods with consistent identities.
+// Identities are defined as:
+//  - Network: A single stable DNS and hostname.
+//  - Storage: As many VolumeClaims as requested.
+// The StatefulSet guarantees that a given network identity will always
+// map to the same storage identity.
+#StatefulSet: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Spec defines the desired identities of pods in this set.
+	// +optional
+	spec?: #StatefulSetSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// Status is the current status of Pods in this StatefulSet. This data
+	// may be out of date by some window of time.
+	// +optional
+	status?: #StatefulSetStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// PodManagementPolicyType defines the policy for creating pods under a stateful set.
+// +enum
+#PodManagementPolicyType: string // #enumPodManagementPolicyType
+
+#enumPodManagementPolicyType:
+	#OrderedReadyPodManagement |
+	#ParallelPodManagement
+
+// OrderedReadyPodManagement will create pods in strictly increasing order on
+// scale up and strictly decreasing order on scale down, progressing only when
+// the previous pod is ready or terminated. At most one pod will be changed
+// at any time.
+#OrderedReadyPodManagement: #PodManagementPolicyType & "OrderedReady"
+
+// ParallelPodManagement will create and delete pods as soon as the stateful set
+// replica count is changed, and will not wait for pods to be ready or complete
+// termination.
+#ParallelPodManagement: #PodManagementPolicyType & "Parallel"
+
+// StatefulSetUpdateStrategy indicates the strategy that the StatefulSet
+// controller will use to perform updates. It includes any additional parameters
+// necessary to perform the update for the indicated strategy.
+#StatefulSetUpdateStrategy: {
+	// Type indicates the type of the StatefulSetUpdateStrategy.
+	// Default is RollingUpdate.
+	// +optional
+	type?: #StatefulSetUpdateStrategyType @go(Type) @protobuf(1,bytes,opt,casttype=StatefulSetStrategyType)
+
+	// RollingUpdate is used to communicate parameters when Type is RollingUpdateStatefulSetStrategyType.
+	// +optional
+	rollingUpdate?: null | #RollingUpdateStatefulSetStrategy @go(RollingUpdate,*RollingUpdateStatefulSetStrategy) @protobuf(2,bytes,opt)
+}
+
+// StatefulSetUpdateStrategyType is a string enumeration type that enumerates
+// all possible update strategies for the StatefulSet controller.
+// +enum
+#StatefulSetUpdateStrategyType: string // #enumStatefulSetUpdateStrategyType
+
+#enumStatefulSetUpdateStrategyType:
+	#RollingUpdateStatefulSetStrategyType |
+	#OnDeleteStatefulSetStrategyType
+
+// RollingUpdateStatefulSetStrategyType indicates that update will be
+// applied to all Pods in the StatefulSet with respect to the StatefulSet
+// ordering constraints. When a scale operation is performed with this
+// strategy, new Pods will be created from the specification version indicated
+// by the StatefulSet's updateRevision.
+#RollingUpdateStatefulSetStrategyType: #StatefulSetUpdateStrategyType & "RollingUpdate"
+
+// OnDeleteStatefulSetStrategyType triggers the legacy behavior. Version
+// tracking and ordered rolling restarts are disabled. Pods are recreated
+// from the StatefulSetSpec when they are manually deleted. When a scale
+// operation is performed with this strategy,specification version indicated
+// by the StatefulSet's currentRevision.
+#OnDeleteStatefulSetStrategyType: #StatefulSetUpdateStrategyType & "OnDelete"
+
+// RollingUpdateStatefulSetStrategy is used to communicate parameter for RollingUpdateStatefulSetStrategyType.
+#RollingUpdateStatefulSetStrategy: {
+	// Partition indicates the ordinal at which the StatefulSet should be
+	// partitioned.
+	// Default value is 0.
+	// +optional
+	partition?: null | int32 @go(Partition,*int32) @protobuf(1,varint,opt)
+}
+
+// PersistentVolumeClaimRetentionPolicyType is a string enumeration of the policies that will determine
+// when volumes from the VolumeClaimTemplates will be deleted when the controlling StatefulSet is
+// deleted or scaled down.
+#PersistentVolumeClaimRetentionPolicyType: string // #enumPersistentVolumeClaimRetentionPolicyType
+
+#enumPersistentVolumeClaimRetentionPolicyType:
+	#RetainPersistentVolumeClaimRetentionPolicyType |
+	#DeletePersistentVolumeClaimRetentionPolicyType
+
+// RetainPersistentVolumeClaimRetentionPolicyType is the default
+// PersistentVolumeClaimRetentionPolicy and specifies that
+// PersistentVolumeClaims associated with StatefulSet VolumeClaimTemplates
+// will not be deleted.
+#RetainPersistentVolumeClaimRetentionPolicyType: #PersistentVolumeClaimRetentionPolicyType & "Retain"
+
+// RetentionPersistentVolumeClaimRetentionPolicyType specifies that
+// PersistentVolumeClaims associated with StatefulSet VolumeClaimTemplates
+// will be deleted in the scenario specified in
+// StatefulSetPersistentVolumeClaimRetentionPolicy.
+#DeletePersistentVolumeClaimRetentionPolicyType: #PersistentVolumeClaimRetentionPolicyType & "Delete"
+
+// StatefulSetPersistentVolumeClaimRetentionPolicy describes the policy used for PVCs
+// created from the StatefulSet VolumeClaimTemplates.
+#StatefulSetPersistentVolumeClaimRetentionPolicy: {
+	// WhenDeleted specifies what happens to PVCs created from StatefulSet
+	// VolumeClaimTemplates when the StatefulSet is deleted. The default policy
+	// of `Retain` causes PVCs to not be affected by StatefulSet deletion. The
+	// `Delete` policy causes those PVCs to be deleted.
+	whenDeleted?: #PersistentVolumeClaimRetentionPolicyType @go(WhenDeleted) @protobuf(1,bytes,opt,casttype=PersistentVolumeClaimRetentionPolicyType)
+
+	// WhenScaled specifies what happens to PVCs created from StatefulSet
+	// VolumeClaimTemplates when the StatefulSet is scaled down. The default
+	// policy of `Retain` causes PVCs to not be affected by a scaledown. The
+	// `Delete` policy causes the associated PVCs for any excess pods above
+	// the replica count to be deleted.
+	whenScaled?: #PersistentVolumeClaimRetentionPolicyType @go(WhenScaled) @protobuf(2,bytes,opt,casttype=PersistentVolumeClaimRetentionPolicyType)
+}
+
+// A StatefulSetSpec is the specification of a StatefulSet.
+#StatefulSetSpec: {
+	// replicas is the desired number of replicas of the given Template.
+	// These are replicas in the sense that they are instantiations of the
+	// same Template, but individual replicas also have a consistent identity.
+	// If unspecified, defaults to 1.
+	// TODO: Consider a rename of this field.
+	// +optional
+	replicas?: null | int32 @go(Replicas,*int32) @protobuf(1,varint,opt)
+
+	// selector is a label query over pods that should match the replica count.
+	// It must match the pod template's labels.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+	selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(2,bytes,opt)
+
+	// template is the object that describes the pod that will be created if
+	// insufficient replicas are detected. Each pod stamped out by the StatefulSet
+	// will fulfill this Template, but have a unique identity from the rest
+	// of the StatefulSet.
+	template: v1.#PodTemplateSpec @go(Template) @protobuf(3,bytes,opt)
+
+	// volumeClaimTemplates is a list of claims that pods are allowed to reference.
+	// The StatefulSet controller is responsible for mapping network identities to
+	// claims in a way that maintains the identity of a pod. Every claim in
+	// this list must have at least one matching (by name) volumeMount in one
+	// container in the template. A claim in this list takes precedence over
+	// any volumes in the template, with the same name.
+	// TODO: Define the behavior if a claim already exists with the same name.
+	// +optional
+	volumeClaimTemplates?: [...v1.#PersistentVolumeClaim] @go(VolumeClaimTemplates,[]v1.PersistentVolumeClaim) @protobuf(4,bytes,rep)
+
+	// serviceName is the name of the service that governs this StatefulSet.
+	// This service must exist before the StatefulSet, and is responsible for
+	// the network identity of the set. Pods get DNS/hostnames that follow the
+	// pattern: pod-specific-string.serviceName.default.svc.cluster.local
+	// where "pod-specific-string" is managed by the StatefulSet controller.
+	serviceName: string @go(ServiceName) @protobuf(5,bytes,opt)
+
+	// podManagementPolicy controls how pods are created during initial scale up,
+	// when replacing pods on nodes, or when scaling down. The default policy is
+	// `OrderedReady`, where pods are created in increasing order (pod-0, then
+	// pod-1, etc) and the controller will wait until each pod is ready before
+	// continuing. When scaling down, the pods are removed in the opposite order.
+	// The alternative policy is `Parallel` which will create pods in parallel
+	// to match the desired scale without waiting, and on scale down will delete
+	// all pods at once.
+	// +optional
+	podManagementPolicy?: #PodManagementPolicyType @go(PodManagementPolicy) @protobuf(6,bytes,opt,casttype=PodManagementPolicyType)
+
+	// updateStrategy indicates the StatefulSetUpdateStrategy that will be
+	// employed to update Pods in the StatefulSet when a revision is made to
+	// Template.
+	updateStrategy?: #StatefulSetUpdateStrategy @go(UpdateStrategy) @protobuf(7,bytes,opt)
+
+	// revisionHistoryLimit is the maximum number of revisions that will
+	// be maintained in the StatefulSet's revision history. The revision history
+	// consists of all revisions not represented by a currently applied
+	// StatefulSetSpec version. The default value is 10.
+	revisionHistoryLimit?: null | int32 @go(RevisionHistoryLimit,*int32) @protobuf(8,varint,opt)
+
+	// Minimum number of seconds for which a newly created pod should be ready
+	// without any of its container crashing for it to be considered available.
+	// Defaults to 0 (pod will be considered available as soon as it is ready)
+	// This is an alpha field and requires enabling StatefulSetMinReadySeconds feature gate.
+	// +optional
+	minReadySeconds?: int32 @go(MinReadySeconds) @protobuf(9,varint,opt)
+
+	// persistentVolumeClaimRetentionPolicy describes the lifecycle of persistent
+	// volume claims created from volumeClaimTemplates. By default, all persistent
+	// volume claims are created as needed and retained until manually deleted. This
+	// policy allows the lifecycle to be altered, for example by deleting persistent
+	// volume claims when their stateful set is deleted, or when their pod is scaled
+	// down. This requires the StatefulSetAutoDeletePVC feature gate to be enabled,
+	// which is alpha.  +optional
+	persistentVolumeClaimRetentionPolicy?: null | #StatefulSetPersistentVolumeClaimRetentionPolicy @go(PersistentVolumeClaimRetentionPolicy,*StatefulSetPersistentVolumeClaimRetentionPolicy) @protobuf(10,bytes,opt)
+}
+
+// StatefulSetStatus represents the current state of a StatefulSet.
+#StatefulSetStatus: {
+	// observedGeneration is the most recent generation observed for this StatefulSet. It corresponds to the
+	// StatefulSet's generation, which is updated on mutation by the API Server.
+	// +optional
+	observedGeneration?: int64 @go(ObservedGeneration) @protobuf(1,varint,opt)
+
+	// replicas is the number of Pods created by the StatefulSet controller.
+	replicas: int32 @go(Replicas) @protobuf(2,varint,opt)
+
+	// readyReplicas is the number of pods created for this StatefulSet with a Ready Condition.
+	readyReplicas?: int32 @go(ReadyReplicas) @protobuf(3,varint,opt)
+
+	// currentReplicas is the number of Pods created by the StatefulSet controller from the StatefulSet version
+	// indicated by currentRevision.
+	currentReplicas?: int32 @go(CurrentReplicas) @protobuf(4,varint,opt)
+
+	// updatedReplicas is the number of Pods created by the StatefulSet controller from the StatefulSet version
+	// indicated by updateRevision.
+	updatedReplicas?: int32 @go(UpdatedReplicas) @protobuf(5,varint,opt)
+
+	// currentRevision, if not empty, indicates the version of the StatefulSet used to generate Pods in the
+	// sequence [0,currentReplicas).
+	currentRevision?: string @go(CurrentRevision) @protobuf(6,bytes,opt)
+
+	// updateRevision, if not empty, indicates the version of the StatefulSet used to generate Pods in the sequence
+	// [replicas-updatedReplicas,replicas)
+	updateRevision?: string @go(UpdateRevision) @protobuf(7,bytes,opt)
+
+	// collisionCount is the count of hash collisions for the StatefulSet. The StatefulSet controller
+	// uses this field as a collision avoidance mechanism when it needs to create the name for the
+	// newest ControllerRevision.
+	// +optional
+	collisionCount?: null | int32 @go(CollisionCount,*int32) @protobuf(9,varint,opt)
+
+	// Represents the latest available observations of a statefulset's current state.
+	// +optional
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	conditions?: [...#StatefulSetCondition] @go(Conditions,[]StatefulSetCondition) @protobuf(10,bytes,rep)
+
+	// Total number of available pods (ready for at least minReadySeconds) targeted by this statefulset.
+	// This is a beta field and enabled/disabled by StatefulSetMinReadySeconds feature gate.
+	availableReplicas: int32 @go(AvailableReplicas) @protobuf(11,varint,opt)
+}
+
+#StatefulSetConditionType: string
+
+// StatefulSetCondition describes the state of a statefulset at a certain point.
+#StatefulSetCondition: {
+	// Type of statefulset condition.
+	type: #StatefulSetConditionType @go(Type) @protobuf(1,bytes,opt,casttype=StatefulSetConditionType)
+
+	// Status of the condition, one of True, False, Unknown.
+	status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus)
+
+	// Last time the condition transitioned from one status to another.
+	// +optional
+	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt)
+
+	// The reason for the condition's last transition.
+	// +optional
+	reason?: string @go(Reason) @protobuf(4,bytes,opt)
+
+	// A human readable message indicating details about the transition.
+	// +optional
+	message?: string @go(Message) @protobuf(5,bytes,opt)
+}
+
+// StatefulSetList is a collection of StatefulSets.
+#StatefulSetList: {
+	metav1.#TypeMeta
+
+	// Standard list's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// Items is the list of stateful sets.
+	items: [...#StatefulSet] @go(Items,[]StatefulSet) @protobuf(2,bytes,rep)
+}
+
+// Deployment enables declarative updates for Pods and ReplicaSets.
+#Deployment: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Specification of the desired behavior of the Deployment.
+	// +optional
+	spec?: #DeploymentSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// Most recently observed status of the Deployment.
+	// +optional
+	status?: #DeploymentStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// DeploymentSpec is the specification of the desired behavior of the Deployment.
+#DeploymentSpec: {
+	// Number of desired pods. This is a pointer to distinguish between explicit
+	// zero and not specified. Defaults to 1.
+	// +optional
+	replicas?: null | int32 @go(Replicas,*int32) @protobuf(1,varint,opt)
+
+	// Label selector for pods. Existing ReplicaSets whose pods are
+	// selected by this will be the ones affected by this deployment.
+	// It must match the pod template's labels.
+	selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(2,bytes,opt)
+
+	// Template describes the pods that will be created.
+	template: v1.#PodTemplateSpec @go(Template) @protobuf(3,bytes,opt)
+
+	// The deployment strategy to use to replace existing pods with new ones.
+	// +optional
+	// +patchStrategy=retainKeys
+	strategy?: #DeploymentStrategy @go(Strategy) @protobuf(4,bytes,opt)
+
+	// Minimum number of seconds for which a newly created pod should be ready
+	// without any of its container crashing, for it to be considered available.
+	// Defaults to 0 (pod will be considered available as soon as it is ready)
+	// +optional
+	minReadySeconds?: int32 @go(MinReadySeconds) @protobuf(5,varint,opt)
+
+	// The number of old ReplicaSets to retain to allow rollback.
+	// This is a pointer to distinguish between explicit zero and not specified.
+	// Defaults to 10.
+	// +optional
+	revisionHistoryLimit?: null | int32 @go(RevisionHistoryLimit,*int32) @protobuf(6,varint,opt)
+
+	// Indicates that the deployment is paused.
+	// +optional
+	paused?: bool @go(Paused) @protobuf(7,varint,opt)
+
+	// The maximum time in seconds for a deployment to make progress before it
+	// is considered to be failed. The deployment controller will continue to
+	// process failed deployments and a condition with a ProgressDeadlineExceeded
+	// reason will be surfaced in the deployment status. Note that progress will
+	// not be estimated during the time a deployment is paused. Defaults to 600s.
+	progressDeadlineSeconds?: null | int32 @go(ProgressDeadlineSeconds,*int32) @protobuf(9,varint,opt)
+}
+
+// DefaultDeploymentUniqueLabelKey is the default key of the selector that is added
+// to existing ReplicaSets (and label key that is added to its pods) to prevent the existing ReplicaSets
+// to select new pods (and old pods being select by new ReplicaSet).
+#DefaultDeploymentUniqueLabelKey: "pod-template-hash"
+
+// DeploymentStrategy describes how to replace existing pods with new ones.
+#DeploymentStrategy: {
+	// Type of deployment. Can be "Recreate" or "RollingUpdate". Default is RollingUpdate.
+	// +optional
+	type?: #DeploymentStrategyType @go(Type) @protobuf(1,bytes,opt,casttype=DeploymentStrategyType)
+
+	// Rolling update config params. Present only if DeploymentStrategyType =
+	// RollingUpdate.
+	//---
+	// TODO: Update this to follow our convention for oneOf, whatever we decide it
+	// to be.
+	// +optional
+	rollingUpdate?: null | #RollingUpdateDeployment @go(RollingUpdate,*RollingUpdateDeployment) @protobuf(2,bytes,opt)
+}
+
+// +enum
+#DeploymentStrategyType: string // #enumDeploymentStrategyType
+
+#enumDeploymentStrategyType:
+	#RecreateDeploymentStrategyType |
+	#RollingUpdateDeploymentStrategyType
+
+// Kill all existing pods before creating new ones.
+#RecreateDeploymentStrategyType: #DeploymentStrategyType & "Recreate"
+
+// Replace the old ReplicaSets by new one using rolling update i.e gradually scale down the old ReplicaSets and scale up the new one.
+#RollingUpdateDeploymentStrategyType: #DeploymentStrategyType & "RollingUpdate"
+
+// Spec to control the desired behavior of rolling update.
+#RollingUpdateDeployment: {
+	// The maximum number of pods that can be unavailable during the update.
+	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+	// Absolute number is calculated from percentage by rounding down.
+	// This can not be 0 if MaxSurge is 0.
+	// Defaults to 25%.
+	// Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods
+	// immediately when the rolling update starts. Once new pods are ready, old ReplicaSet
+	// can be scaled down further, followed by scaling up the new ReplicaSet, ensuring
+	// that the total number of pods available at all times during the update is at
+	// least 70% of desired pods.
+	// +optional
+	maxUnavailable?: null | intstr.#IntOrString @go(MaxUnavailable,*intstr.IntOrString) @protobuf(1,bytes,opt)
+
+	// The maximum number of pods that can be scheduled above the desired number of
+	// pods.
+	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+	// This can not be 0 if MaxUnavailable is 0.
+	// Absolute number is calculated from percentage by rounding up.
+	// Defaults to 25%.
+	// Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when
+	// the rolling update starts, such that the total number of old and new pods do not exceed
+	// 130% of desired pods. Once old pods have been killed,
+	// new ReplicaSet can be scaled up further, ensuring that total number of pods running
+	// at any time during the update is at most 130% of desired pods.
+	// +optional
+	maxSurge?: null | intstr.#IntOrString @go(MaxSurge,*intstr.IntOrString) @protobuf(2,bytes,opt)
+}
+
+// DeploymentStatus is the most recently observed status of the Deployment.
+#DeploymentStatus: {
+	// The generation observed by the deployment controller.
+	// +optional
+	observedGeneration?: int64 @go(ObservedGeneration) @protobuf(1,varint,opt)
+
+	// Total number of non-terminated pods targeted by this deployment (their labels match the selector).
+	// +optional
+	replicas?: int32 @go(Replicas) @protobuf(2,varint,opt)
+
+	// Total number of non-terminated pods targeted by this deployment that have the desired template spec.
+	// +optional
+	updatedReplicas?: int32 @go(UpdatedReplicas) @protobuf(3,varint,opt)
+
+	// readyReplicas is the number of pods targeted by this Deployment with a Ready Condition.
+	// +optional
+	readyReplicas?: int32 @go(ReadyReplicas) @protobuf(7,varint,opt)
+
+	// Total number of available pods (ready for at least minReadySeconds) targeted by this deployment.
+	// +optional
+	availableReplicas?: int32 @go(AvailableReplicas) @protobuf(4,varint,opt)
+
+	// Total number of unavailable pods targeted by this deployment. This is the total number of
+	// pods that are still required for the deployment to have 100% available capacity. They may
+	// either be pods that are running but not yet available or pods that still have not been created.
+	// +optional
+	unavailableReplicas?: int32 @go(UnavailableReplicas) @protobuf(5,varint,opt)
+
+	// Represents the latest available observations of a deployment's current state.
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	conditions?: [...#DeploymentCondition] @go(Conditions,[]DeploymentCondition) @protobuf(6,bytes,rep)
+
+	// Count of hash collisions for the Deployment. The Deployment controller uses this
+	// field as a collision avoidance mechanism when it needs to create the name for the
+	// newest ReplicaSet.
+	// +optional
+	collisionCount?: null | int32 @go(CollisionCount,*int32) @protobuf(8,varint,opt)
+}
+
+#DeploymentConditionType: string // #enumDeploymentConditionType
+
+#enumDeploymentConditionType:
+	#DeploymentAvailable |
+	#DeploymentProgressing |
+	#DeploymentReplicaFailure
+
+// Available means the deployment is available, ie. at least the minimum available
+// replicas required are up and running for at least minReadySeconds.
+#DeploymentAvailable: #DeploymentConditionType & "Available"
+
+// Progressing means the deployment is progressing. Progress for a deployment is
+// considered when a new replica set is created or adopted, and when new pods scale
+// up or old pods scale down. Progress is not estimated for paused deployments or
+// when progressDeadlineSeconds is not specified.
+#DeploymentProgressing: #DeploymentConditionType & "Progressing"
+
+// ReplicaFailure is added in a deployment when one of its pods fails to be created
+// or deleted.
+#DeploymentReplicaFailure: #DeploymentConditionType & "ReplicaFailure"
+
+// DeploymentCondition describes the state of a deployment at a certain point.
+#DeploymentCondition: {
+	// Type of deployment condition.
+	type: #DeploymentConditionType @go(Type) @protobuf(1,bytes,opt,casttype=DeploymentConditionType)
+
+	// Status of the condition, one of True, False, Unknown.
+	status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus)
+
+	// The last time this condition was updated.
+	lastUpdateTime?: metav1.#Time @go(LastUpdateTime) @protobuf(6,bytes,opt)
+
+	// Last time the condition transitioned from one status to another.
+	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(7,bytes,opt)
+
+	// The reason for the condition's last transition.
+	reason?: string @go(Reason) @protobuf(4,bytes,opt)
+
+	// A human readable message indicating details about the transition.
+	message?: string @go(Message) @protobuf(5,bytes,opt)
+}
+
+// DeploymentList is a list of Deployments.
+#DeploymentList: {
+	metav1.#TypeMeta
+
+	// Standard list metadata.
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// Items is the list of Deployments.
+	items: [...#Deployment] @go(Items,[]Deployment) @protobuf(2,bytes,rep)
+}
+
+// DaemonSetUpdateStrategy is a struct used to control the update strategy for a DaemonSet.
+#DaemonSetUpdateStrategy: {
+	// Type of daemon set update. Can be "RollingUpdate" or "OnDelete". Default is RollingUpdate.
+	// +optional
+	type?: #DaemonSetUpdateStrategyType @go(Type) @protobuf(1,bytes,opt)
+
+	// Rolling update config params. Present only if type = "RollingUpdate".
+	//---
+	// TODO: Update this to follow our convention for oneOf, whatever we decide it
+	// to be. Same as Deployment `strategy.rollingUpdate`.
+	// See https://github.com/kubernetes/kubernetes/issues/35345
+	// +optional
+	rollingUpdate?: null | #RollingUpdateDaemonSet @go(RollingUpdate,*RollingUpdateDaemonSet) @protobuf(2,bytes,opt)
+}
+
+// +enum
+#DaemonSetUpdateStrategyType: string // #enumDaemonSetUpdateStrategyType
+
+#enumDaemonSetUpdateStrategyType:
+	#RollingUpdateDaemonSetStrategyType |
+	#OnDeleteDaemonSetStrategyType
+
+// Replace the old daemons by new ones using rolling update i.e replace them on each node one after the other.
+#RollingUpdateDaemonSetStrategyType: #DaemonSetUpdateStrategyType & "RollingUpdate"
+
+// Replace the old daemons only when it's killed
+#OnDeleteDaemonSetStrategyType: #DaemonSetUpdateStrategyType & "OnDelete"
+
+// Spec to control the desired behavior of daemon set rolling update.
+#RollingUpdateDaemonSet: {
+	// The maximum number of DaemonSet pods that can be unavailable during the
+	// update. Value can be an absolute number (ex: 5) or a percentage of total
+	// number of DaemonSet pods at the start of the update (ex: 10%). Absolute
+	// number is calculated from percentage by rounding up.
+	// This cannot be 0 if MaxSurge is 0
+	// Default value is 1.
+	// Example: when this is set to 30%, at most 30% of the total number of nodes
+	// that should be running the daemon pod (i.e. status.desiredNumberScheduled)
+	// can have their pods stopped for an update at any given time. The update
+	// starts by stopping at most 30% of those DaemonSet pods and then brings
+	// up new DaemonSet pods in their place. Once the new pods are available,
+	// it then proceeds onto other DaemonSet pods, thus ensuring that at least
+	// 70% of original number of DaemonSet pods are available at all times during
+	// the update.
+	// +optional
+	maxUnavailable?: null | intstr.#IntOrString @go(MaxUnavailable,*intstr.IntOrString) @protobuf(1,bytes,opt)
+
+	// The maximum number of nodes with an existing available DaemonSet pod that
+	// can have an updated DaemonSet pod during during an update.
+	// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+	// This can not be 0 if MaxUnavailable is 0.
+	// Absolute number is calculated from percentage by rounding up to a minimum of 1.
+	// Default value is 0.
+	// Example: when this is set to 30%, at most 30% of the total number of nodes
+	// that should be running the daemon pod (i.e. status.desiredNumberScheduled)
+	// can have their a new pod created before the old pod is marked as deleted.
+	// The update starts by launching new pods on 30% of nodes. Once an updated
+	// pod is available (Ready for at least minReadySeconds) the old DaemonSet pod
+	// on that node is marked deleted. If the old pod becomes unavailable for any
+	// reason (Ready transitions to false, is evicted, or is drained) an updated
+	// pod is immediatedly created on that node without considering surge limits.
+	// Allowing surge implies the possibility that the resources consumed by the
+	// daemonset on any given node can double if the readiness check fails, and
+	// so resource intensive daemonsets should take into account that they may
+	// cause evictions during disruption.
+	// This is beta field and enabled/disabled by DaemonSetUpdateSurge feature gate.
+	// +optional
+	maxSurge?: null | intstr.#IntOrString @go(MaxSurge,*intstr.IntOrString) @protobuf(2,bytes,opt)
+}
+
+// DaemonSetSpec is the specification of a daemon set.
+#DaemonSetSpec: {
+	// A label query over pods that are managed by the daemon set.
+	// Must match in order to be controlled.
+	// It must match the pod template's labels.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+	selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(1,bytes,opt)
+
+	// An object that describes the pod that will be created.
+	// The DaemonSet will create exactly one copy of this pod on every node
+	// that matches the template's node selector (or on every node if no node
+	// selector is specified).
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template
+	template: v1.#PodTemplateSpec @go(Template) @protobuf(2,bytes,opt)
+
+	// An update strategy to replace existing DaemonSet pods with new pods.
+	// +optional
+	updateStrategy?: #DaemonSetUpdateStrategy @go(UpdateStrategy) @protobuf(3,bytes,opt)
+
+	// The minimum number of seconds for which a newly created DaemonSet pod should
+	// be ready without any of its container crashing, for it to be considered
+	// available. Defaults to 0 (pod will be considered available as soon as it
+	// is ready).
+	// +optional
+	minReadySeconds?: int32 @go(MinReadySeconds) @protobuf(4,varint,opt)
+
+	// The number of old history to retain to allow rollback.
+	// This is a pointer to distinguish between explicit zero and not specified.
+	// Defaults to 10.
+	// +optional
+	revisionHistoryLimit?: null | int32 @go(RevisionHistoryLimit,*int32) @protobuf(6,varint,opt)
+}
+
+// DaemonSetStatus represents the current status of a daemon set.
+#DaemonSetStatus: {
+	// The number of nodes that are running at least 1
+	// daemon pod and are supposed to run the daemon pod.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
+	currentNumberScheduled: int32 @go(CurrentNumberScheduled) @protobuf(1,varint,opt)
+
+	// The number of nodes that are running the daemon pod, but are
+	// not supposed to run the daemon pod.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
+	numberMisscheduled: int32 @go(NumberMisscheduled) @protobuf(2,varint,opt)
+
+	// The total number of nodes that should be running the daemon
+	// pod (including nodes correctly running the daemon pod).
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
+	desiredNumberScheduled: int32 @go(DesiredNumberScheduled) @protobuf(3,varint,opt)
+
+	// numberReady is the number of nodes that should be running the daemon pod and have one
+	// or more of the daemon pod running with a Ready Condition.
+	numberReady: int32 @go(NumberReady) @protobuf(4,varint,opt)
+
+	// The most recent generation observed by the daemon set controller.
+	// +optional
+	observedGeneration?: int64 @go(ObservedGeneration) @protobuf(5,varint,opt)
+
+	// The total number of nodes that are running updated daemon pod
+	// +optional
+	updatedNumberScheduled?: int32 @go(UpdatedNumberScheduled) @protobuf(6,varint,opt)
+
+	// The number of nodes that should be running the
+	// daemon pod and have one or more of the daemon pod running and
+	// available (ready for at least spec.minReadySeconds)
+	// +optional
+	numberAvailable?: int32 @go(NumberAvailable) @protobuf(7,varint,opt)
+
+	// The number of nodes that should be running the
+	// daemon pod and have none of the daemon pod running and available
+	// (ready for at least spec.minReadySeconds)
+	// +optional
+	numberUnavailable?: int32 @go(NumberUnavailable) @protobuf(8,varint,opt)
+
+	// Count of hash collisions for the DaemonSet. The DaemonSet controller
+	// uses this field as a collision avoidance mechanism when it needs to
+	// create the name for the newest ControllerRevision.
+	// +optional
+	collisionCount?: null | int32 @go(CollisionCount,*int32) @protobuf(9,varint,opt)
+
+	// Represents the latest available observations of a DaemonSet's current state.
+	// +optional
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	conditions?: [...#DaemonSetCondition] @go(Conditions,[]DaemonSetCondition) @protobuf(10,bytes,rep)
+}
+
+#DaemonSetConditionType: string
+
+// DaemonSetCondition describes the state of a DaemonSet at a certain point.
+#DaemonSetCondition: {
+	// Type of DaemonSet condition.
+	type: #DaemonSetConditionType @go(Type) @protobuf(1,bytes,opt,casttype=DaemonSetConditionType)
+
+	// Status of the condition, one of True, False, Unknown.
+	status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus)
+
+	// Last time the condition transitioned from one status to another.
+	// +optional
+	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt)
+
+	// The reason for the condition's last transition.
+	// +optional
+	reason?: string @go(Reason) @protobuf(4,bytes,opt)
+
+	// A human readable message indicating details about the transition.
+	// +optional
+	message?: string @go(Message) @protobuf(5,bytes,opt)
+}
+
+// DaemonSet represents the configuration of a daemon set.
+#DaemonSet: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// The desired behavior of this daemon set.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	// +optional
+	spec?: #DaemonSetSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// The current status of this daemon set. This data may be
+	// out of date by some window of time.
+	// Populated by the system.
+	// Read-only.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	// +optional
+	status?: #DaemonSetStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// DefaultDaemonSetUniqueLabelKey is the default label key that is added
+// to existing DaemonSet pods to distinguish between old and new
+// DaemonSet pods during DaemonSet template updates.
+#DefaultDaemonSetUniqueLabelKey: "controller-revision-hash"
+
+// DaemonSetList is a collection of daemon sets.
+#DaemonSetList: {
+	metav1.#TypeMeta
+
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// A list of daemon sets.
+	items: [...#DaemonSet] @go(Items,[]DaemonSet) @protobuf(2,bytes,rep)
+}
+
+// ReplicaSet ensures that a specified number of pod replicas are running at any given time.
+#ReplicaSet: {
+	metav1.#TypeMeta
+
+	// If the Labels of a ReplicaSet are empty, they are defaulted to
+	// be the same as the Pod(s) that the ReplicaSet manages.
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Spec defines the specification of the desired behavior of the ReplicaSet.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	// +optional
+	spec?: #ReplicaSetSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// Status is the most recently observed status of the ReplicaSet.
+	// This data may be out of date by some window of time.
+	// Populated by the system.
+	// Read-only.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	// +optional
+	status?: #ReplicaSetStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// ReplicaSetList is a collection of ReplicaSets.
+#ReplicaSetList: {
+	metav1.#TypeMeta
+
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// List of ReplicaSets.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller
+	items: [...#ReplicaSet] @go(Items,[]ReplicaSet) @protobuf(2,bytes,rep)
+}
+
+// ReplicaSetSpec is the specification of a ReplicaSet.
+#ReplicaSetSpec: {
+	// Replicas is the number of desired replicas.
+	// This is a pointer to distinguish between explicit zero and unspecified.
+	// Defaults to 1.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/#what-is-a-replicationcontroller
+	// +optional
+	replicas?: null | int32 @go(Replicas,*int32) @protobuf(1,varint,opt)
+
+	// Minimum number of seconds for which a newly created pod should be ready
+	// without any of its container crashing, for it to be considered available.
+	// Defaults to 0 (pod will be considered available as soon as it is ready)
+	// +optional
+	minReadySeconds?: int32 @go(MinReadySeconds) @protobuf(4,varint,opt)
+
+	// Selector is a label query over pods that should match the replica count.
+	// Label keys and values that must match in order to be controlled by this replica set.
+	// It must match the pod template's labels.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
+	selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(2,bytes,opt)
+
+	// Template is the object that describes the pod that will be created if
+	// insufficient replicas are detected.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template
+	// +optional
+	template?: v1.#PodTemplateSpec @go(Template) @protobuf(3,bytes,opt)
+}
+
+// ReplicaSetStatus represents the current status of a ReplicaSet.
+#ReplicaSetStatus: {
+	// Replicas is the most recently oberved number of replicas.
+	// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/#what-is-a-replicationcontroller
+	replicas: int32 @go(Replicas) @protobuf(1,varint,opt)
+
+	// The number of pods that have labels matching the labels of the pod template of the replicaset.
+	// +optional
+	fullyLabeledReplicas?: int32 @go(FullyLabeledReplicas) @protobuf(2,varint,opt)
+
+	// readyReplicas is the number of pods targeted by this ReplicaSet with a Ready Condition.
+	// +optional
+	readyReplicas?: int32 @go(ReadyReplicas) @protobuf(4,varint,opt)
+
+	// The number of available replicas (ready for at least minReadySeconds) for this replica set.
+	// +optional
+	availableReplicas?: int32 @go(AvailableReplicas) @protobuf(5,varint,opt)
+
+	// ObservedGeneration reflects the generation of the most recently observed ReplicaSet.
+	// +optional
+	observedGeneration?: int64 @go(ObservedGeneration) @protobuf(3,varint,opt)
+
+	// Represents the latest available observations of a replica set's current state.
+	// +optional
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	conditions?: [...#ReplicaSetCondition] @go(Conditions,[]ReplicaSetCondition) @protobuf(6,bytes,rep)
+}
+
+#ReplicaSetConditionType: string // #enumReplicaSetConditionType
+
+#enumReplicaSetConditionType:
+	#ReplicaSetReplicaFailure
+
+// ReplicaSetReplicaFailure is added in a replica set when one of its pods fails to be created
+// due to insufficient quota, limit ranges, pod security policy, node selectors, etc. or deleted
+// due to kubelet being down or finalizers are failing.
+#ReplicaSetReplicaFailure: #ReplicaSetConditionType & "ReplicaFailure"
+
+// ReplicaSetCondition describes the state of a replica set at a certain point.
+#ReplicaSetCondition: {
+	// Type of replica set condition.
+	type: #ReplicaSetConditionType @go(Type) @protobuf(1,bytes,opt,casttype=ReplicaSetConditionType)
+
+	// Status of the condition, one of True, False, Unknown.
+	status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus)
+
+	// The last time the condition transitioned from one status to another.
+	// +optional
+	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt)
+
+	// The reason for the condition's last transition.
+	// +optional
+	reason?: string @go(Reason) @protobuf(4,bytes,opt)
+
+	// A human readable message indicating details about the transition.
+	// +optional
+	message?: string @go(Message) @protobuf(5,bytes,opt)
+}
+
+// ControllerRevision implements an immutable snapshot of state data. Clients
+// are responsible for serializing and deserializing the objects that contain
+// their internal state.
+// Once a ControllerRevision has been successfully created, it can not be updated.
+// The API Server will fail validation of all requests that attempt to mutate
+// the Data field. ControllerRevisions may, however, be deleted. Note that, due to its use by both
+// the DaemonSet and StatefulSet controllers for update and rollback, this object is beta. However,
+// it may be subject to name and representation changes in future releases, and clients should not
+// depend on its stability. It is primarily for internal use by controllers.
+#ControllerRevision: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Data is the serialized representation of the state.
+	data?: runtime.#RawExtension @go(Data) @protobuf(2,bytes,opt)
+
+	// Revision indicates the revision of the state represented by Data.
+	revision: int64 @go(Revision) @protobuf(3,varint,opt)
+}
+
+// ControllerRevisionList is a resource containing a list of ControllerRevision objects.
+#ControllerRevisionList: {
+	metav1.#TypeMeta
+
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// Items is the list of ControllerRevisions
+	items: [...#ControllerRevision] @go(Items,[]ControllerRevision) @protobuf(2,bytes,rep)
+}

cue/cue.mod/gen/k8s.io/api/autoscaling/v2beta2/register_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/autoscaling/v2beta2
+
+package v2beta2
+
+#GroupName: "autoscaling"

cue/cue.mod/gen/k8s.io/api/autoscaling/v2beta2/types_go_gen.cue

@@ -0,0 +1,586 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/autoscaling/v2beta2
+
+package v2beta2
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/resource"
+)
+
+// HorizontalPodAutoscaler is the configuration for a horizontal pod
+// autoscaler, which automatically manages the replica count of any resource
+// implementing the scale subresource based on the metrics specified.
+#HorizontalPodAutoscaler: {
+	metav1.#TypeMeta
+
+	// metadata is the standard object metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// spec is the specification for the behaviour of the autoscaler.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.
+	// +optional
+	spec?: #HorizontalPodAutoscalerSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// status is the current information about the autoscaler.
+	// +optional
+	status?: #HorizontalPodAutoscalerStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// HorizontalPodAutoscalerSpec describes the desired functionality of the HorizontalPodAutoscaler.
+#HorizontalPodAutoscalerSpec: {
+	// scaleTargetRef points to the target resource to scale, and is used to the pods for which metrics
+	// should be collected, as well as to actually change the replica count.
+	scaleTargetRef: #CrossVersionObjectReference @go(ScaleTargetRef) @protobuf(1,bytes,opt)
+
+	// minReplicas is the lower limit for the number of replicas to which the autoscaler
+	// can scale down.  It defaults to 1 pod.  minReplicas is allowed to be 0 if the
+	// alpha feature gate HPAScaleToZero is enabled and at least one Object or External
+	// metric is configured.  Scaling is active as long as at least one metric value is
+	// available.
+	// +optional
+	minReplicas?: null | int32 @go(MinReplicas,*int32) @protobuf(2,varint,opt)
+
+	// maxReplicas is the upper limit for the number of replicas to which the autoscaler can scale up.
+	// It cannot be less that minReplicas.
+	maxReplicas: int32 @go(MaxReplicas) @protobuf(3,varint,opt)
+
+	// metrics contains the specifications for which to use to calculate the
+	// desired replica count (the maximum replica count across all metrics will
+	// be used).  The desired replica count is calculated multiplying the
+	// ratio between the target value and the current value by the current
+	// number of pods.  Ergo, metrics used must decrease as the pod count is
+	// increased, and vice-versa.  See the individual metric source types for
+	// more information about how each type of metric must respond.
+	// If not set, the default metric will be set to 80% average CPU utilization.
+	// +optional
+	metrics?: [...#MetricSpec] @go(Metrics,[]MetricSpec) @protobuf(4,bytes,rep)
+
+	// behavior configures the scaling behavior of the target
+	// in both Up and Down directions (scaleUp and scaleDown fields respectively).
+	// If not set, the default HPAScalingRules for scale up and scale down are used.
+	// +optional
+	behavior?: null | #HorizontalPodAutoscalerBehavior @go(Behavior,*HorizontalPodAutoscalerBehavior) @protobuf(5,bytes,opt)
+}
+
+// CrossVersionObjectReference contains enough information to let you identify the referred resource.
+#CrossVersionObjectReference: {
+	// Kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"
+	kind: string @go(Kind) @protobuf(1,bytes,opt)
+
+	// Name of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names
+	name: string @go(Name) @protobuf(2,bytes,opt)
+
+	// API version of the referent
+	// +optional
+	apiVersion?: string @go(APIVersion) @protobuf(3,bytes,opt)
+}
+
+// MetricSpec specifies how to scale based on a single metric
+// (only `type` and one other matching field should be set at once).
+#MetricSpec: {
+	// type is the type of metric source.  It should be one of "ContainerResource", "External",
+	// "Object", "Pods" or "Resource", each mapping to a matching field in the object.
+	// Note: "ContainerResource" type is available on when the feature-gate
+	// HPAContainerMetrics is enabled
+	type: #MetricSourceType @go(Type) @protobuf(1,bytes)
+
+	// object refers to a metric describing a single kubernetes object
+	// (for example, hits-per-second on an Ingress object).
+	// +optional
+	object?: null | #ObjectMetricSource @go(Object,*ObjectMetricSource) @protobuf(2,bytes,opt)
+
+	// pods refers to a metric describing each pod in the current scale target
+	// (for example, transactions-processed-per-second).  The values will be
+	// averaged together before being compared to the target value.
+	// +optional
+	pods?: null | #PodsMetricSource @go(Pods,*PodsMetricSource) @protobuf(3,bytes,opt)
+
+	// resource refers to a resource metric (such as those specified in
+	// requests and limits) known to Kubernetes describing each pod in the
+	// current scale target (e.g. CPU or memory). Such metrics are built in to
+	// Kubernetes, and have special scaling options on top of those available
+	// to normal per-pod metrics using the "pods" source.
+	// +optional
+	resource?: null | #ResourceMetricSource @go(Resource,*ResourceMetricSource) @protobuf(4,bytes,opt)
+
+	// container resource refers to a resource metric (such as those specified in
+	// requests and limits) known to Kubernetes describing a single container in
+	// each pod of the current scale target (e.g. CPU or memory). Such metrics are
+	// built in to Kubernetes, and have special scaling options on top of those
+	// available to normal per-pod metrics using the "pods" source.
+	// This is an alpha feature and can be enabled by the HPAContainerMetrics feature flag.
+	// +optional
+	containerResource?: null | #ContainerResourceMetricSource @go(ContainerResource,*ContainerResourceMetricSource) @protobuf(7,bytes,opt)
+
+	// external refers to a global metric that is not associated
+	// with any Kubernetes object. It allows autoscaling based on information
+	// coming from components running outside of cluster
+	// (for example length of queue in cloud messaging service, or
+	// QPS from loadbalancer running outside of cluster).
+	// +optional
+	external?: null | #ExternalMetricSource @go(External,*ExternalMetricSource) @protobuf(5,bytes,opt)
+}
+
+// HorizontalPodAutoscalerBehavior configures the scaling behavior of the target
+// in both Up and Down directions (scaleUp and scaleDown fields respectively).
+#HorizontalPodAutoscalerBehavior: {
+	// scaleUp is scaling policy for scaling Up.
+	// If not set, the default value is the higher of:
+	//   * increase no more than 4 pods per 60 seconds
+	//   * double the number of pods per 60 seconds
+	// No stabilization is used.
+	// +optional
+	scaleUp?: null | #HPAScalingRules @go(ScaleUp,*HPAScalingRules) @protobuf(1,bytes,opt)
+
+	// scaleDown is scaling policy for scaling Down.
+	// If not set, the default value is to allow to scale down to minReplicas pods, with a
+	// 300 second stabilization window (i.e., the highest recommendation for
+	// the last 300sec is used).
+	// +optional
+	scaleDown?: null | #HPAScalingRules @go(ScaleDown,*HPAScalingRules) @protobuf(2,bytes,opt)
+}
+
+// ScalingPolicySelect is used to specify which policy should be used while scaling in a certain direction
+#ScalingPolicySelect: string // #enumScalingPolicySelect
+
+#enumScalingPolicySelect:
+	#MaxPolicySelect |
+	#MinPolicySelect |
+	#DisabledPolicySelect
+
+// MaxPolicySelect selects the policy with the highest possible change.
+#MaxPolicySelect: #ScalingPolicySelect & "Max"
+
+// MinPolicySelect selects the policy with the lowest possible change.
+#MinPolicySelect: #ScalingPolicySelect & "Min"
+
+// DisabledPolicySelect disables the scaling in this direction.
+#DisabledPolicySelect: #ScalingPolicySelect & "Disabled"
+
+// HPAScalingRules configures the scaling behavior for one direction.
+// These Rules are applied after calculating DesiredReplicas from metrics for the HPA.
+// They can limit the scaling velocity by specifying scaling policies.
+// They can prevent flapping by specifying the stabilization window, so that the
+// number of replicas is not set instantly, instead, the safest value from the stabilization
+// window is chosen.
+#HPAScalingRules: {
+	// StabilizationWindowSeconds is the number of seconds for which past recommendations should be
+	// considered while scaling up or scaling down.
+	// StabilizationWindowSeconds must be greater than or equal to zero and less than or equal to 3600 (one hour).
+	// If not set, use the default values:
+	// - For scale up: 0 (i.e. no stabilization is done).
+	// - For scale down: 300 (i.e. the stabilization window is 300 seconds long).
+	// +optional
+	stabilizationWindowSeconds?: null | int32 @go(StabilizationWindowSeconds,*int32) @protobuf(3,varint,opt)
+
+	// selectPolicy is used to specify which policy should be used.
+	// If not set, the default value MaxPolicySelect is used.
+	// +optional
+	selectPolicy?: null | #ScalingPolicySelect @go(SelectPolicy,*ScalingPolicySelect) @protobuf(1,bytes,opt)
+
+	// policies is a list of potential scaling polices which can be used during scaling.
+	// At least one policy must be specified, otherwise the HPAScalingRules will be discarded as invalid
+	// +optional
+	policies?: [...#HPAScalingPolicy] @go(Policies,[]HPAScalingPolicy) @protobuf(2,bytes,rep)
+}
+
+// HPAScalingPolicyType is the type of the policy which could be used while making scaling decisions.
+#HPAScalingPolicyType: string // #enumHPAScalingPolicyType
+
+#enumHPAScalingPolicyType:
+	#PodsScalingPolicy |
+	#PercentScalingPolicy
+
+// PodsScalingPolicy is a policy used to specify a change in absolute number of pods.
+#PodsScalingPolicy: #HPAScalingPolicyType & "Pods"
+
+// PercentScalingPolicy is a policy used to specify a relative amount of change with respect to
+// the current number of pods.
+#PercentScalingPolicy: #HPAScalingPolicyType & "Percent"
+
+// HPAScalingPolicy is a single policy which must hold true for a specified past interval.
+#HPAScalingPolicy: {
+	// Type is used to specify the scaling policy.
+	type: #HPAScalingPolicyType @go(Type) @protobuf(1,bytes,opt,casttype=HPAScalingPolicyType)
+
+	// Value contains the amount of change which is permitted by the policy.
+	// It must be greater than zero
+	value: int32 @go(Value) @protobuf(2,varint,opt)
+
+	// PeriodSeconds specifies the window of time for which the policy should hold true.
+	// PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min).
+	periodSeconds: int32 @go(PeriodSeconds) @protobuf(3,varint,opt)
+}
+
+// MetricSourceType indicates the type of metric.
+#MetricSourceType: string // #enumMetricSourceType
+
+#enumMetricSourceType:
+	#ObjectMetricSourceType |
+	#PodsMetricSourceType |
+	#ResourceMetricSourceType |
+	#ContainerResourceMetricSourceType |
+	#ExternalMetricSourceType
+
+// ObjectMetricSourceType is a metric describing a kubernetes object
+// (for example, hits-per-second on an Ingress object).
+#ObjectMetricSourceType: #MetricSourceType & "Object"
+
+// PodsMetricSourceType is a metric describing each pod in the current scale
+// target (for example, transactions-processed-per-second).  The values
+// will be averaged together before being compared to the target value.
+#PodsMetricSourceType: #MetricSourceType & "Pods"
+
+// ResourceMetricSourceType is a resource metric known to Kubernetes, as
+// specified in requests and limits, describing each pod in the current
+// scale target (e.g. CPU or memory).  Such metrics are built in to
+// Kubernetes, and have special scaling options on top of those available
+// to normal per-pod metrics (the "pods" source).
+#ResourceMetricSourceType: #MetricSourceType & "Resource"
+
+// ContainerResourceMetricSourceType is a resource metric known to Kubernetes, as
+// specified in requests and limits, describing a single container in each pod in the current
+// scale target (e.g. CPU or memory).  Such metrics are built in to
+// Kubernetes, and have special scaling options on top of those available
+// to normal per-pod metrics (the "pods" source).
+#ContainerResourceMetricSourceType: #MetricSourceType & "ContainerResource"
+
+// ExternalMetricSourceType is a global metric that is not associated
+// with any Kubernetes object. It allows autoscaling based on information
+// coming from components running outside of cluster
+// (for example length of queue in cloud messaging service, or
+// QPS from loadbalancer running outside of cluster).
+#ExternalMetricSourceType: #MetricSourceType & "External"
+
+// ObjectMetricSource indicates how to scale on a metric describing a
+// kubernetes object (for example, hits-per-second on an Ingress object).
+#ObjectMetricSource: {
+	describedObject: #CrossVersionObjectReference @go(DescribedObject) @protobuf(1,bytes)
+
+	// target specifies the target value for the given metric
+	target: #MetricTarget @go(Target) @protobuf(2,bytes)
+
+	// metric identifies the target metric by name and selector
+	metric: #MetricIdentifier @go(Metric) @protobuf(3,bytes)
+}
+
+// PodsMetricSource indicates how to scale on a metric describing each pod in
+// the current scale target (for example, transactions-processed-per-second).
+// The values will be averaged together before being compared to the target
+// value.
+#PodsMetricSource: {
+	// metric identifies the target metric by name and selector
+	metric: #MetricIdentifier @go(Metric) @protobuf(1,bytes)
+
+	// target specifies the target value for the given metric
+	target: #MetricTarget @go(Target) @protobuf(2,bytes)
+}
+
+// ResourceMetricSource indicates how to scale on a resource metric known to
+// Kubernetes, as specified in requests and limits, describing each pod in the
+// current scale target (e.g. CPU or memory).  The values will be averaged
+// together before being compared to the target.  Such metrics are built in to
+// Kubernetes, and have special scaling options on top of those available to
+// normal per-pod metrics using the "pods" source.  Only one "target" type
+// should be set.
+#ResourceMetricSource: {
+	// name is the name of the resource in question.
+	name: v1.#ResourceName @go(Name) @protobuf(1,bytes)
+
+	// target specifies the target value for the given metric
+	target: #MetricTarget @go(Target) @protobuf(2,bytes)
+}
+
+// ContainerResourceMetricSource indicates how to scale on a resource metric known to
+// Kubernetes, as specified in requests and limits, describing each pod in the
+// current scale target (e.g. CPU or memory).  The values will be averaged
+// together before being compared to the target.  Such metrics are built in to
+// Kubernetes, and have special scaling options on top of those available to
+// normal per-pod metrics using the "pods" source.  Only one "target" type
+// should be set.
+#ContainerResourceMetricSource: {
+	// name is the name of the resource in question.
+	name: v1.#ResourceName @go(Name) @protobuf(1,bytes)
+
+	// target specifies the target value for the given metric
+	target: #MetricTarget @go(Target) @protobuf(2,bytes)
+
+	// container is the name of the container in the pods of the scaling target
+	container: string @go(Container) @protobuf(3,bytes,opt)
+}
+
+// ExternalMetricSource indicates how to scale on a metric not associated with
+// any Kubernetes object (for example length of queue in cloud
+// messaging service, or QPS from loadbalancer running outside of cluster).
+#ExternalMetricSource: {
+	// metric identifies the target metric by name and selector
+	metric: #MetricIdentifier @go(Metric) @protobuf(1,bytes)
+
+	// target specifies the target value for the given metric
+	target: #MetricTarget @go(Target) @protobuf(2,bytes)
+}
+
+// MetricIdentifier defines the name and optionally selector for a metric
+#MetricIdentifier: {
+	// name is the name of the given metric
+	name: string @go(Name) @protobuf(1,bytes)
+
+	// selector is the string-encoded form of a standard kubernetes label selector for the given metric
+	// When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping.
+	// When unset, just the metricName will be used to gather metrics.
+	// +optional
+	selector?: null | metav1.#LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(2,bytes)
+}
+
+// MetricTarget defines the target value, average value, or average utilization of a specific metric
+#MetricTarget: {
+	// type represents whether the metric type is Utilization, Value, or AverageValue
+	type: #MetricTargetType @go(Type) @protobuf(1,bytes)
+
+	// value is the target value of the metric (as a quantity).
+	// +optional
+	value?: null | resource.#Quantity @go(Value,*resource.Quantity) @protobuf(2,bytes,opt)
+
+	// averageValue is the target value of the average of the
+	// metric across all relevant pods (as a quantity)
+	// +optional
+	averageValue?: null | resource.#Quantity @go(AverageValue,*resource.Quantity) @protobuf(3,bytes,opt)
+
+	// averageUtilization is the target value of the average of the
+	// resource metric across all relevant pods, represented as a percentage of
+	// the requested value of the resource for the pods.
+	// Currently only valid for Resource metric source type
+	// +optional
+	averageUtilization?: null | int32 @go(AverageUtilization,*int32) @protobuf(4,bytes,opt)
+}
+
+// MetricTargetType specifies the type of metric being targeted, and should be either
+// "Value", "AverageValue", or "Utilization"
+#MetricTargetType: string // #enumMetricTargetType
+
+#enumMetricTargetType:
+	#UtilizationMetricType |
+	#ValueMetricType |
+	#AverageValueMetricType
+
+// UtilizationMetricType declares a MetricTarget is an AverageUtilization value
+#UtilizationMetricType: #MetricTargetType & "Utilization"
+
+// ValueMetricType declares a MetricTarget is a raw value
+#ValueMetricType: #MetricTargetType & "Value"
+
+// AverageValueMetricType declares a MetricTarget is an
+#AverageValueMetricType: #MetricTargetType & "AverageValue"
+
+// HorizontalPodAutoscalerStatus describes the current status of a horizontal pod autoscaler.
+#HorizontalPodAutoscalerStatus: {
+	// observedGeneration is the most recent generation observed by this autoscaler.
+	// +optional
+	observedGeneration?: null | int64 @go(ObservedGeneration,*int64) @protobuf(1,varint,opt)
+
+	// lastScaleTime is the last time the HorizontalPodAutoscaler scaled the number of pods,
+	// used by the autoscaler to control how often the number of pods is changed.
+	// +optional
+	lastScaleTime?: null | metav1.#Time @go(LastScaleTime,*metav1.Time) @protobuf(2,bytes,opt)
+
+	// currentReplicas is current number of replicas of pods managed by this autoscaler,
+	// as last seen by the autoscaler.
+	currentReplicas: int32 @go(CurrentReplicas) @protobuf(3,varint,opt)
+
+	// desiredReplicas is the desired number of replicas of pods managed by this autoscaler,
+	// as last calculated by the autoscaler.
+	desiredReplicas: int32 @go(DesiredReplicas) @protobuf(4,varint,opt)
+
+	// currentMetrics is the last read state of the metrics used by this autoscaler.
+	// +optional
+	currentMetrics: [...#MetricStatus] @go(CurrentMetrics,[]MetricStatus) @protobuf(5,bytes,rep)
+
+	// conditions is the set of conditions required for this autoscaler to scale its target,
+	// and indicates whether or not those conditions are met.
+	// +optional
+	conditions: [...#HorizontalPodAutoscalerCondition] @go(Conditions,[]HorizontalPodAutoscalerCondition) @protobuf(6,bytes,rep)
+}
+
+// HorizontalPodAutoscalerConditionType are the valid conditions of
+// a HorizontalPodAutoscaler.
+#HorizontalPodAutoscalerConditionType: string // #enumHorizontalPodAutoscalerConditionType
+
+#enumHorizontalPodAutoscalerConditionType:
+	#ScalingActive |
+	#AbleToScale |
+	#ScalingLimited
+
+// ScalingActive indicates that the HPA controller is able to scale if necessary:
+// it's correctly configured, can fetch the desired metrics, and isn't disabled.
+#ScalingActive: #HorizontalPodAutoscalerConditionType & "ScalingActive"
+
+// AbleToScale indicates a lack of transient issues which prevent scaling from occurring,
+// such as being in a backoff window, or being unable to access/update the target scale.
+#AbleToScale: #HorizontalPodAutoscalerConditionType & "AbleToScale"
+
+// ScalingLimited indicates that the calculated scale based on metrics would be above or
+// below the range for the HPA, and has thus been capped.
+#ScalingLimited: #HorizontalPodAutoscalerConditionType & "ScalingLimited"
+
+// HorizontalPodAutoscalerCondition describes the state of
+// a HorizontalPodAutoscaler at a certain point.
+#HorizontalPodAutoscalerCondition: {
+	// type describes the current condition
+	type: #HorizontalPodAutoscalerConditionType @go(Type) @protobuf(1,bytes)
+
+	// status is the status of the condition (True, False, Unknown)
+	status: v1.#ConditionStatus @go(Status) @protobuf(2,bytes)
+
+	// lastTransitionTime is the last time the condition transitioned from
+	// one status to another
+	// +optional
+	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt)
+
+	// reason is the reason for the condition's last transition.
+	// +optional
+	reason?: string @go(Reason) @protobuf(4,bytes,opt)
+
+	// message is a human-readable explanation containing details about
+	// the transition
+	// +optional
+	message?: string @go(Message) @protobuf(5,bytes,opt)
+}
+
+// MetricStatus describes the last-read state of a single metric.
+#MetricStatus: {
+	// type is the type of metric source.  It will be one of "ContainerResource", "External",
+	// "Object", "Pods" or "Resource", each corresponds to a matching field in the object.
+	// Note: "ContainerResource" type is available on when the feature-gate
+	// HPAContainerMetrics is enabled
+	type: #MetricSourceType @go(Type) @protobuf(1,bytes)
+
+	// object refers to a metric describing a single kubernetes object
+	// (for example, hits-per-second on an Ingress object).
+	// +optional
+	object?: null | #ObjectMetricStatus @go(Object,*ObjectMetricStatus) @protobuf(2,bytes,opt)
+
+	// pods refers to a metric describing each pod in the current scale target
+	// (for example, transactions-processed-per-second).  The values will be
+	// averaged together before being compared to the target value.
+	// +optional
+	pods?: null | #PodsMetricStatus @go(Pods,*PodsMetricStatus) @protobuf(3,bytes,opt)
+
+	// resource refers to a resource metric (such as those specified in
+	// requests and limits) known to Kubernetes describing each pod in the
+	// current scale target (e.g. CPU or memory). Such metrics are built in to
+	// Kubernetes, and have special scaling options on top of those available
+	// to normal per-pod metrics using the "pods" source.
+	// +optional
+	resource?: null | #ResourceMetricStatus @go(Resource,*ResourceMetricStatus) @protobuf(4,bytes,opt)
+
+	// container resource refers to a resource metric (such as those specified in
+	// requests and limits) known to Kubernetes describing a single container in each pod in the
+	// current scale target (e.g. CPU or memory). Such metrics are built in to
+	// Kubernetes, and have special scaling options on top of those available
+	// to normal per-pod metrics using the "pods" source.
+	// +optional
+	containerResource?: null | #ContainerResourceMetricStatus @go(ContainerResource,*ContainerResourceMetricStatus) @protobuf(7,bytes,opt)
+
+	// external refers to a global metric that is not associated
+	// with any Kubernetes object. It allows autoscaling based on information
+	// coming from components running outside of cluster
+	// (for example length of queue in cloud messaging service, or
+	// QPS from loadbalancer running outside of cluster).
+	// +optional
+	external?: null | #ExternalMetricStatus @go(External,*ExternalMetricStatus) @protobuf(5,bytes,opt)
+}
+
+// ObjectMetricStatus indicates the current value of a metric describing a
+// kubernetes object (for example, hits-per-second on an Ingress object).
+#ObjectMetricStatus: {
+	// metric identifies the target metric by name and selector
+	metric: #MetricIdentifier @go(Metric) @protobuf(1,bytes)
+
+	// current contains the current value for the given metric
+	current:         #MetricValueStatus           @go(Current) @protobuf(2,bytes)
+	describedObject: #CrossVersionObjectReference @go(DescribedObject) @protobuf(3,bytes)
+}
+
+// PodsMetricStatus indicates the current value of a metric describing each pod in
+// the current scale target (for example, transactions-processed-per-second).
+#PodsMetricStatus: {
+	// metric identifies the target metric by name and selector
+	metric: #MetricIdentifier @go(Metric) @protobuf(1,bytes)
+
+	// current contains the current value for the given metric
+	current: #MetricValueStatus @go(Current) @protobuf(2,bytes)
+}
+
+// ResourceMetricStatus indicates the current value of a resource metric known to
+// Kubernetes, as specified in requests and limits, describing each pod in the
+// current scale target (e.g. CPU or memory).  Such metrics are built in to
+// Kubernetes, and have special scaling options on top of those available to
+// normal per-pod metrics using the "pods" source.
+#ResourceMetricStatus: {
+	// Name is the name of the resource in question.
+	name: v1.#ResourceName @go(Name) @protobuf(1,bytes)
+
+	// current contains the current value for the given metric
+	current: #MetricValueStatus @go(Current) @protobuf(2,bytes)
+}
+
+// ContainerResourceMetricStatus indicates the current value of a resource metric known to
+// Kubernetes, as specified in requests and limits, describing a single container in each pod in the
+// current scale target (e.g. CPU or memory).  Such metrics are built in to
+// Kubernetes, and have special scaling options on top of those available to
+// normal per-pod metrics using the "pods" source.
+#ContainerResourceMetricStatus: {
+	// Name is the name of the resource in question.
+	name: v1.#ResourceName @go(Name) @protobuf(1,bytes)
+
+	// current contains the current value for the given metric
+	current: #MetricValueStatus @go(Current) @protobuf(2,bytes)
+
+	// Container is the name of the container in the pods of the scaling target
+	container: string @go(Container) @protobuf(3,bytes,opt)
+}
+
+// ExternalMetricStatus indicates the current value of a global metric
+// not associated with any Kubernetes object.
+#ExternalMetricStatus: {
+	// metric identifies the target metric by name and selector
+	metric: #MetricIdentifier @go(Metric) @protobuf(1,bytes)
+
+	// current contains the current value for the given metric
+	current: #MetricValueStatus @go(Current) @protobuf(2,bytes)
+}
+
+// MetricValueStatus holds the current value for a metric
+#MetricValueStatus: {
+	// value is the current value of the metric (as a quantity).
+	// +optional
+	value?: null | resource.#Quantity @go(Value,*resource.Quantity) @protobuf(1,bytes,opt)
+
+	// averageValue is the current value of the average of the
+	// metric across all relevant pods (as a quantity)
+	// +optional
+	averageValue?: null | resource.#Quantity @go(AverageValue,*resource.Quantity) @protobuf(2,bytes,opt)
+
+	// currentAverageUtilization is the current value of the average of the
+	// resource metric across all relevant pods, represented as a percentage of
+	// the requested value of the resource for the pods.
+	// +optional
+	averageUtilization?: null | int32 @go(AverageUtilization,*int32) @protobuf(3,bytes,opt)
+}
+
+// HorizontalPodAutoscalerList is a list of horizontal pod autoscaler objects.
+#HorizontalPodAutoscalerList: {
+	metav1.#TypeMeta
+
+	// metadata is the standard list metadata.
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// items is the list of horizontal pod autoscaler objects.
+	items: [...#HorizontalPodAutoscaler] @go(Items,[]HorizontalPodAutoscaler) @protobuf(2,bytes,rep)
+}

cue/cue.mod/gen/k8s.io/api/core/v1/annotation_key_constants_go_gen.cue

@@ -0,0 +1,136 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/core/v1
+
+package v1
+
+// ImagePolicyFailedOpenKey is added to pods created by failing open when the image policy
+// webhook backend fails.
+#ImagePolicyFailedOpenKey: "alpha.image-policy.k8s.io/failed-open"
+
+// MirrorAnnotationKey represents the annotation key set by kubelets when creating mirror pods
+#MirrorPodAnnotationKey: "kubernetes.io/config.mirror"
+
+// TolerationsAnnotationKey represents the key of tolerations data (json serialized)
+// in the Annotations of a Pod.
+#TolerationsAnnotationKey: "scheduler.alpha.kubernetes.io/tolerations"
+
+// TaintsAnnotationKey represents the key of taints data (json serialized)
+// in the Annotations of a Node.
+#TaintsAnnotationKey: "scheduler.alpha.kubernetes.io/taints"
+
+// SeccompPodAnnotationKey represents the key of a seccomp profile applied
+// to all containers of a pod.
+// Deprecated: set a pod security context `seccompProfile` field.
+#SeccompPodAnnotationKey: "seccomp.security.alpha.kubernetes.io/pod"
+
+// SeccompContainerAnnotationKeyPrefix represents the key of a seccomp profile applied
+// to one container of a pod.
+// Deprecated: set a container security context `seccompProfile` field.
+#SeccompContainerAnnotationKeyPrefix: "container.seccomp.security.alpha.kubernetes.io/"
+
+// SeccompProfileRuntimeDefault represents the default seccomp profile used by container runtime.
+// Deprecated: set a pod or container security context `seccompProfile` of type "RuntimeDefault" instead.
+#SeccompProfileRuntimeDefault: "runtime/default"
+
+// SeccompProfileNameUnconfined is the unconfined seccomp profile.
+#SeccompProfileNameUnconfined: "unconfined"
+
+// SeccompLocalhostProfileNamePrefix is the prefix for specifying profiles loaded from the node's disk.
+#SeccompLocalhostProfileNamePrefix: "localhost/"
+
+// AppArmorBetaContainerAnnotationKeyPrefix is the prefix to an annotation key specifying a container's apparmor profile.
+#AppArmorBetaContainerAnnotationKeyPrefix: "container.apparmor.security.beta.kubernetes.io/"
+
+// AppArmorBetaDefaultProfileAnnotatoinKey is the annotation key specifying the default AppArmor profile.
+#AppArmorBetaDefaultProfileAnnotationKey: "apparmor.security.beta.kubernetes.io/defaultProfileName"
+
+// AppArmorBetaAllowedProfileAnnotationKey is the annotation key specifying the allowed AppArmor profiles.
+#AppArmorBetaAllowedProfilesAnnotationKey: "apparmor.security.beta.kubernetes.io/allowedProfileNames"
+
+// AppArmorBetaProfileRuntimeDefault is the profile specifying the runtime default.
+#AppArmorBetaProfileRuntimeDefault: "runtime/default"
+
+// AppArmorBetaProfileNamePrefix is the prefix for specifying profiles loaded on the node.
+#AppArmorBetaProfileNamePrefix: "localhost/"
+
+// AppArmorBetaProfileNameUnconfined is the Unconfined AppArmor profile
+#AppArmorBetaProfileNameUnconfined: "unconfined"
+
+// DeprecatedSeccompProfileDockerDefault represents the default seccomp profile used by docker.
+// Deprecated: set a pod or container security context `seccompProfile` of type "RuntimeDefault" instead.
+#DeprecatedSeccompProfileDockerDefault: "docker/default"
+
+// PreferAvoidPodsAnnotationKey represents the key of preferAvoidPods data (json serialized)
+// in the Annotations of a Node.
+#PreferAvoidPodsAnnotationKey: "scheduler.alpha.kubernetes.io/preferAvoidPods"
+
+// ObjectTTLAnnotations represents a suggestion for kubelet for how long it can cache
+// an object (e.g. secret, config map) before fetching it again from apiserver.
+// This annotation can be attached to node.
+#ObjectTTLAnnotationKey: "node.alpha.kubernetes.io/ttl"
+
+// annotation key prefix used to identify non-convertible json paths.
+#NonConvertibleAnnotationPrefix: "non-convertible.kubernetes.io"
+_#kubectlPrefix:                 "kubectl.kubernetes.io/"
+
+// LastAppliedConfigAnnotation is the annotation used to store the previous
+// configuration of a resource for use in a three way diff by UpdateApplyAnnotation.
+#LastAppliedConfigAnnotation: "kubectl.kubernetes.io/last-applied-configuration"
+
+// AnnotationLoadBalancerSourceRangesKey is the key of the annotation on a service to set allowed ingress ranges on their LoadBalancers
+//
+// It should be a comma-separated list of CIDRs, e.g. `0.0.0.0/0` to
+// allow full access (the default) or `18.0.0.0/8,56.0.0.0/8` to allow
+// access only from the CIDRs currently allocated to MIT & the USPS.
+//
+// Not all cloud providers support this annotation, though AWS & GCE do.
+#AnnotationLoadBalancerSourceRangesKey: "service.beta.kubernetes.io/load-balancer-source-ranges"
+
+// EndpointsLastChangeTriggerTime is the annotation key, set for endpoints objects, that
+// represents the timestamp (stored as RFC 3339 date-time string, e.g. '2018-10-22T19:32:52.1Z')
+// of the last change, of some Pod or Service object, that triggered the endpoints object change.
+// In other words, if a Pod / Service changed at time T0, that change was observed by endpoints
+// controller at T1, and the Endpoints object was changed at T2, the
+// EndpointsLastChangeTriggerTime would be set to T0.
+//
+// The "endpoints change trigger" here means any Pod or Service change that resulted in the
+// Endpoints object change.
+//
+// Given the definition of the "endpoints change trigger", please note that this annotation will
+// be set ONLY for endpoints object changes triggered by either Pod or Service change. If the
+// Endpoints object changes due to other reasons, this annotation won't be set (or updated if it's
+// already set).
+//
+// This annotation will be used to compute the in-cluster network programming latency SLI, see
+// https://github.com/kubernetes/community/blob/master/sig-scalability/slos/network_programming_latency.md
+#EndpointsLastChangeTriggerTime: "endpoints.kubernetes.io/last-change-trigger-time"
+
+// EndpointsOverCapacity will be set on an Endpoints resource when it
+// exceeds the maximum capacity of 1000 addresses. Initially the Endpoints
+// controller will set this annotation with a value of "warning". In a
+// future release, the controller may set this annotation with a value of
+// "truncated" to indicate that any addresses exceeding the limit of 1000
+// have been truncated from the Endpoints resource.
+#EndpointsOverCapacity: "endpoints.kubernetes.io/over-capacity"
+
+// MigratedPluginsAnnotationKey is the annotation key, set for CSINode objects, that is a comma-separated
+// list of in-tree plugins that will be serviced by the CSI backend on the Node represented by CSINode.
+// This annotation is used by the Attach Detach Controller to determine whether to use the in-tree or
+// CSI Backend for a volume plugin on a specific node.
+#MigratedPluginsAnnotationKey: "storage.alpha.kubernetes.io/migrated-plugins"
+
+// PodDeletionCost can be used to set to an int32 that represent the cost of deleting
+// a pod compared to other pods belonging to the same ReplicaSet. Pods with lower
+// deletion cost are preferred to be deleted before pods with higher deletion cost.
+// Note that this is honored on a best-effort basis, and so it does not offer guarantees on
+// pod deletion order.
+// The implicit deletion cost for pods that don't set the annotation is 0, negative values are permitted.
+//
+// This annotation is beta-level and is only honored when PodDeletionCost feature is enabled.
+#PodDeletionCost: "controller.kubernetes.io/pod-deletion-cost"
+
+// AnnotationTopologyAwareHints can be used to enable or disable Topology
+// Aware Hints for a Service. This may be set to "Auto" or "Disabled". Any
+// other value is treated as "Disabled".
+#AnnotationTopologyAwareHints: "service.kubernetes.io/topology-aware-hints"

cue/cue.mod/gen/k8s.io/api/core/v1/doc_go_gen.cue

@@ -0,0 +1,6 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/core/v1
+
+// Package v1 is the v1 version of the core API.
+package v1

cue/cue.mod/gen/k8s.io/api/core/v1/register_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/core/v1
+
+package v1
+
+#GroupName: ""

cue/cue.mod/gen/k8s.io/api/core/v1/well_known_labels_go_gen.cue

@@ -0,0 +1,55 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/core/v1
+
+package v1
+
+#LabelHostname:       "kubernetes.io/hostname"
+#LabelTopologyZone:   "topology.kubernetes.io/zone"
+#LabelTopologyRegion: "topology.kubernetes.io/region"
+
+// These label have been deprecated since 1.17, but will be supported for
+// the foreseeable future, to accommodate things like long-lived PVs that
+// use them.  New users should prefer the "topology.kubernetes.io/*"
+// equivalents.
+#LabelFailureDomainBetaZone:   "failure-domain.beta.kubernetes.io/zone"
+#LabelFailureDomainBetaRegion: "failure-domain.beta.kubernetes.io/region"
+
+// Retained for compat when vendored.  Do not use these consts in new code.
+#LabelZoneFailureDomain:       "failure-domain.beta.kubernetes.io/zone"
+#LabelZoneRegion:              "failure-domain.beta.kubernetes.io/region"
+#LabelZoneFailureDomainStable: "topology.kubernetes.io/zone"
+#LabelZoneRegionStable:        "topology.kubernetes.io/region"
+#LabelInstanceType:            "beta.kubernetes.io/instance-type"
+#LabelInstanceTypeStable:      "node.kubernetes.io/instance-type"
+#LabelOSStable:                "kubernetes.io/os"
+#LabelArchStable:              "kubernetes.io/arch"
+
+// LabelWindowsBuild is used on Windows nodes to specify the Windows build number starting with v1.17.0.
+// It's in the format MajorVersion.MinorVersion.BuildNumber (for ex: 10.0.17763)
+#LabelWindowsBuild: "node.kubernetes.io/windows-build"
+
+// LabelNamespaceSuffixKubelet is an allowed label namespace suffix kubelets can self-set ([*.]kubelet.kubernetes.io/*)
+#LabelNamespaceSuffixKubelet: "kubelet.kubernetes.io"
+
+// LabelNamespaceSuffixNode is an allowed label namespace suffix kubelets can self-set ([*.]node.kubernetes.io/*)
+#LabelNamespaceSuffixNode: "node.kubernetes.io"
+
+// LabelNamespaceNodeRestriction is a forbidden label namespace that kubelets may not self-set when the NodeRestriction admission plugin is enabled
+#LabelNamespaceNodeRestriction: "node-restriction.kubernetes.io"
+
+// IsHeadlessService is added by Controller to an Endpoint denoting if its parent
+// Service is Headless. The existence of this label can be used further by other
+// controllers and kube-proxy to check if the Endpoint objects should be replicated when
+// using Headless Services
+#IsHeadlessService: "service.kubernetes.io/headless"
+
+// LabelNodeExcludeBalancers specifies that the node should not be considered as a target
+// for external load-balancers which use nodes as a second hop (e.g. many cloud LBs which only
+// understand nodes). For services that use externalTrafficPolicy=Local, this may mean that
+// any backends on excluded nodes are not reachable by those external load-balancers.
+// Implementations of this exclusion may vary based on provider.
+#LabelNodeExcludeBalancers: "node.kubernetes.io/exclude-from-external-load-balancers"
+
+// LabelMetadataName is the label name which, in-tree, is used to automatically label namespaces, so they can be selected easily by tools which require definitive labels
+#LabelMetadataName: "kubernetes.io/metadata.name"

cue/cue.mod/gen/k8s.io/api/core/v1/well_known_taints_go_gen.cue

@@ -0,0 +1,34 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/core/v1
+
+package v1
+
+// TaintNodeNotReady will be added when node is not ready
+// and removed when node becomes ready.
+#TaintNodeNotReady: "node.kubernetes.io/not-ready"
+
+// TaintNodeUnreachable will be added when node becomes unreachable
+// (corresponding to NodeReady status ConditionUnknown)
+// and removed when node becomes reachable (NodeReady status ConditionTrue).
+#TaintNodeUnreachable: "node.kubernetes.io/unreachable"
+
+// TaintNodeUnschedulable will be added when node becomes unschedulable
+// and removed when node becomes schedulable.
+#TaintNodeUnschedulable: "node.kubernetes.io/unschedulable"
+
+// TaintNodeMemoryPressure will be added when node has memory pressure
+// and removed when node has enough memory.
+#TaintNodeMemoryPressure: "node.kubernetes.io/memory-pressure"
+
+// TaintNodeDiskPressure will be added when node has disk pressure
+// and removed when node has enough disk.
+#TaintNodeDiskPressure: "node.kubernetes.io/disk-pressure"
+
+// TaintNodeNetworkUnavailable will be added when node's network is unavailable
+// and removed when network becomes ready.
+#TaintNodeNetworkUnavailable: "node.kubernetes.io/network-unavailable"
+
+// TaintNodePIDPressure will be added when node has pid pressure
+// and removed when node has enough pid.
+#TaintNodePIDPressure: "node.kubernetes.io/pid-pressure"

cue/cue.mod/gen/k8s.io/api/networking/v1/register_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/networking/v1
+
+package v1
+
+#GroupName: "networking.k8s.io"

cue/cue.mod/gen/k8s.io/api/networking/v1/types_go_gen.cue

@@ -0,0 +1,543 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/networking/v1
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
+)
+
+// NetworkPolicy describes what network traffic is allowed for a set of Pods
+#NetworkPolicy: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Specification of the desired behavior for this NetworkPolicy.
+	// +optional
+	spec?: #NetworkPolicySpec @go(Spec) @protobuf(2,bytes,opt)
+}
+
+// PolicyType string describes the NetworkPolicy type
+// This type is beta-level in 1.8
+// +enum
+#PolicyType: string // #enumPolicyType
+
+#enumPolicyType:
+	#PolicyTypeIngress |
+	#PolicyTypeEgress
+
+// PolicyTypeIngress is a NetworkPolicy that affects ingress traffic on selected pods
+#PolicyTypeIngress: #PolicyType & "Ingress"
+
+// PolicyTypeEgress is a NetworkPolicy that affects egress traffic on selected pods
+#PolicyTypeEgress: #PolicyType & "Egress"
+
+// NetworkPolicySpec provides the specification of a NetworkPolicy
+#NetworkPolicySpec: {
+	// Selects the pods to which this NetworkPolicy object applies. The array of
+	// ingress rules is applied to any pods selected by this field. Multiple network
+	// policies can select the same set of pods. In this case, the ingress rules for
+	// each are combined additively. This field is NOT optional and follows standard
+	// label selector semantics. An empty podSelector matches all pods in this
+	// namespace.
+	podSelector: metav1.#LabelSelector @go(PodSelector) @protobuf(1,bytes,opt)
+
+	// List of ingress rules to be applied to the selected pods. Traffic is allowed to
+	// a pod if there are no NetworkPolicies selecting the pod
+	// (and cluster policy otherwise allows the traffic), OR if the traffic source is
+	// the pod's local node, OR if the traffic matches at least one ingress rule
+	// across all of the NetworkPolicy objects whose podSelector matches the pod. If
+	// this field is empty then this NetworkPolicy does not allow any traffic (and serves
+	// solely to ensure that the pods it selects are isolated by default)
+	// +optional
+	ingress?: [...#NetworkPolicyIngressRule] @go(Ingress,[]NetworkPolicyIngressRule) @protobuf(2,bytes,rep)
+
+	// List of egress rules to be applied to the selected pods. Outgoing traffic is
+	// allowed if there are no NetworkPolicies selecting the pod (and cluster policy
+	// otherwise allows the traffic), OR if the traffic matches at least one egress rule
+	// across all of the NetworkPolicy objects whose podSelector matches the pod. If
+	// this field is empty then this NetworkPolicy limits all outgoing traffic (and serves
+	// solely to ensure that the pods it selects are isolated by default).
+	// This field is beta-level in 1.8
+	// +optional
+	egress?: [...#NetworkPolicyEgressRule] @go(Egress,[]NetworkPolicyEgressRule) @protobuf(3,bytes,rep)
+
+	// List of rule types that the NetworkPolicy relates to.
+	// Valid options are ["Ingress"], ["Egress"], or ["Ingress", "Egress"].
+	// If this field is not specified, it will default based on the existence of Ingress or Egress rules;
+	// policies that contain an Egress section are assumed to affect Egress, and all policies
+	// (whether or not they contain an Ingress section) are assumed to affect Ingress.
+	// If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ].
+	// Likewise, if you want to write a policy that specifies that no egress is allowed,
+	// you must specify a policyTypes value that include "Egress" (since such a policy would not include
+	// an Egress section and would otherwise default to just [ "Ingress" ]).
+	// This field is beta-level in 1.8
+	// +optional
+	policyTypes?: [...#PolicyType] @go(PolicyTypes,[]PolicyType) @protobuf(4,bytes,rep,casttype=PolicyType)
+}
+
+// NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods
+// matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.
+#NetworkPolicyIngressRule: {
+	// List of ports which should be made accessible on the pods selected for this
+	// rule. Each item in this list is combined using a logical OR. If this field is
+	// empty or missing, this rule matches all ports (traffic not restricted by port).
+	// If this field is present and contains at least one item, then this rule allows
+	// traffic only if the traffic matches at least one port in the list.
+	// +optional
+	ports?: [...#NetworkPolicyPort] @go(Ports,[]NetworkPolicyPort) @protobuf(1,bytes,rep)
+
+	// List of sources which should be able to access the pods selected for this rule.
+	// Items in this list are combined using a logical OR operation. If this field is
+	// empty or missing, this rule matches all sources (traffic not restricted by
+	// source). If this field is present and contains at least one item, this rule
+	// allows traffic only if the traffic matches at least one item in the from list.
+	// +optional
+	from?: [...#NetworkPolicyPeer] @go(From,[]NetworkPolicyPeer) @protobuf(2,bytes,rep)
+}
+
+// NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods
+// matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to.
+// This type is beta-level in 1.8
+#NetworkPolicyEgressRule: {
+	// List of destination ports for outgoing traffic.
+	// Each item in this list is combined using a logical OR. If this field is
+	// empty or missing, this rule matches all ports (traffic not restricted by port).
+	// If this field is present and contains at least one item, then this rule allows
+	// traffic only if the traffic matches at least one port in the list.
+	// +optional
+	ports?: [...#NetworkPolicyPort] @go(Ports,[]NetworkPolicyPort) @protobuf(1,bytes,rep)
+
+	// List of destinations for outgoing traffic of pods selected for this rule.
+	// Items in this list are combined using a logical OR operation. If this field is
+	// empty or missing, this rule matches all destinations (traffic not restricted by
+	// destination). If this field is present and contains at least one item, this rule
+	// allows traffic only if the traffic matches at least one item in the to list.
+	// +optional
+	to?: [...#NetworkPolicyPeer] @go(To,[]NetworkPolicyPeer) @protobuf(2,bytes,rep)
+}
+
+// NetworkPolicyPort describes a port to allow traffic on
+#NetworkPolicyPort: {
+	// The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this
+	// field defaults to TCP.
+	// +optional
+	protocol?: null | v1.#Protocol @go(Protocol,*v1.Protocol) @protobuf(1,bytes,opt,casttype=k8s.io/api/core/v1.Protocol)
+
+	// The port on the given protocol. This can either be a numerical or named
+	// port on a pod. If this field is not provided, this matches all port names and
+	// numbers.
+	// If present, only traffic on the specified protocol AND port will be matched.
+	// +optional
+	port?: null | intstr.#IntOrString @go(Port,*intstr.IntOrString) @protobuf(2,bytes,opt)
+
+	// If set, indicates that the range of ports from port to endPort, inclusive,
+	// should be allowed by the policy. This field cannot be defined if the port field
+	// is not defined or if the port field is defined as a named (string) port.
+	// The endPort must be equal or greater than port.
+	// This feature is in Beta state and is enabled by default.
+	// It can be disabled using the Feature Gate "NetworkPolicyEndPort".
+	// +optional
+	endPort?: null | int32 @go(EndPort,*int32) @protobuf(3,bytes,opt)
+}
+
+// IPBlock describes a particular CIDR (Ex. "192.168.1.1/24","2001:db9::/64") that is allowed
+// to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs
+// that should not be included within this rule.
+#IPBlock: {
+	// CIDR is a string representing the IP Block
+	// Valid examples are "192.168.1.1/24" or "2001:db9::/64"
+	cidr: string @go(CIDR) @protobuf(1,bytes)
+
+	// Except is a slice of CIDRs that should not be included within an IP Block
+	// Valid examples are "192.168.1.1/24" or "2001:db9::/64"
+	// Except values will be rejected if they are outside the CIDR range
+	// +optional
+	except?: [...string] @go(Except,[]string) @protobuf(2,bytes,rep)
+}
+
+// NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of
+// fields are allowed
+#NetworkPolicyPeer: {
+	// This is a label selector which selects Pods. This field follows standard label
+	// selector semantics; if present but empty, it selects all pods.
+	//
+	// If NamespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
+	// the Pods matching PodSelector in the Namespaces selected by NamespaceSelector.
+	// Otherwise it selects the Pods matching PodSelector in the policy's own Namespace.
+	// +optional
+	podSelector?: null | metav1.#LabelSelector @go(PodSelector,*metav1.LabelSelector) @protobuf(1,bytes,opt)
+
+	// Selects Namespaces using cluster-scoped labels. This field follows standard label
+	// selector semantics; if present but empty, it selects all namespaces.
+	//
+	// If PodSelector is also set, then the NetworkPolicyPeer as a whole selects
+	// the Pods matching PodSelector in the Namespaces selected by NamespaceSelector.
+	// Otherwise it selects all Pods in the Namespaces selected by NamespaceSelector.
+	// +optional
+	namespaceSelector?: null | metav1.#LabelSelector @go(NamespaceSelector,*metav1.LabelSelector) @protobuf(2,bytes,opt)
+
+	// IPBlock defines policy on a particular IPBlock. If this field is set then
+	// neither of the other fields can be.
+	// +optional
+	ipBlock?: null | #IPBlock @go(IPBlock,*IPBlock) @protobuf(3,bytes,rep)
+}
+
+// NetworkPolicyList is a list of NetworkPolicy objects.
+#NetworkPolicyList: {
+	metav1.#TypeMeta
+
+	// Standard list metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// Items is a list of schema objects.
+	items: [...#NetworkPolicy] @go(Items,[]NetworkPolicy) @protobuf(2,bytes,rep)
+}
+
+// Ingress is a collection of rules that allow inbound connections to reach the
+// endpoints defined by a backend. An Ingress can be configured to give services
+// externally-reachable urls, load balance traffic, terminate SSL, offer name
+// based virtual hosting etc.
+#Ingress: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Spec is the desired state of the Ingress.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	// +optional
+	spec?: #IngressSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// Status is the current state of the Ingress.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	// +optional
+	status?: #IngressStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// IngressList is a collection of Ingress.
+#IngressList: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// Items is the list of Ingress.
+	items: [...#Ingress] @go(Items,[]Ingress) @protobuf(2,bytes,rep)
+}
+
+// IngressSpec describes the Ingress the user wishes to exist.
+#IngressSpec: {
+	// IngressClassName is the name of the IngressClass cluster resource. The
+	// associated IngressClass defines which controller will implement the
+	// resource. This replaces the deprecated `kubernetes.io/ingress.class`
+	// annotation. For backwards compatibility, when that annotation is set, it
+	// must be given precedence over this field. The controller may emit a
+	// warning if the field and annotation have different values.
+	// Implementations of this API should ignore Ingresses without a class
+	// specified. An IngressClass resource may be marked as default, which can
+	// be used to set a default value for this field. For more information,
+	// refer to the IngressClass documentation.
+	// +optional
+	ingressClassName?: null | string @go(IngressClassName,*string) @protobuf(4,bytes,opt)
+
+	// DefaultBackend is the backend that should handle requests that don't
+	// match any rule. If Rules are not specified, DefaultBackend must be specified.
+	// If DefaultBackend is not set, the handling of requests that do not match any
+	// of the rules will be up to the Ingress controller.
+	// +optional
+	defaultBackend?: null | #IngressBackend @go(DefaultBackend,*IngressBackend) @protobuf(1,bytes,opt)
+
+	// TLS configuration. Currently the Ingress only supports a single TLS
+	// port, 443. If multiple members of this list specify different hosts, they
+	// will be multiplexed on the same port according to the hostname specified
+	// through the SNI TLS extension, if the ingress controller fulfilling the
+	// ingress supports SNI.
+	// +listType=atomic
+	// +optional
+	tls?: [...#IngressTLS] @go(TLS,[]IngressTLS) @protobuf(2,bytes,rep)
+
+	// A list of host rules used to configure the Ingress. If unspecified, or
+	// no rule matches, all traffic is sent to the default backend.
+	// +listType=atomic
+	// +optional
+	rules?: [...#IngressRule] @go(Rules,[]IngressRule) @protobuf(3,bytes,rep)
+}
+
+// IngressTLS describes the transport layer security associated with an Ingress.
+#IngressTLS: {
+	// Hosts are a list of hosts included in the TLS certificate. The values in
+	// this list must match the name/s used in the tlsSecret. Defaults to the
+	// wildcard host setting for the loadbalancer controller fulfilling this
+	// Ingress, if left unspecified.
+	// +listType=atomic
+	// +optional
+	hosts?: [...string] @go(Hosts,[]string) @protobuf(1,bytes,rep)
+
+	// SecretName is the name of the secret used to terminate TLS traffic on
+	// port 443. Field is left optional to allow TLS routing based on SNI
+	// hostname alone. If the SNI host in a listener conflicts with the "Host"
+	// header field used by an IngressRule, the SNI host is used for termination
+	// and value of the Host header is used for routing.
+	// +optional
+	secretName?: string @go(SecretName) @protobuf(2,bytes,opt)
+}
+
+// IngressStatus describe the current state of the Ingress.
+#IngressStatus: {
+	// LoadBalancer contains the current status of the load-balancer.
+	// +optional
+	loadBalancer?: v1.#LoadBalancerStatus @go(LoadBalancer) @protobuf(1,bytes,opt)
+}
+
+// IngressRule represents the rules mapping the paths under a specified host to
+// the related backend services. Incoming requests are first evaluated for a host
+// match, then routed to the backend associated with the matching IngressRuleValue.
+#IngressRule: {
+	// Host is the fully qualified domain name of a network host, as defined by RFC 3986.
+	// Note the following deviations from the "host" part of the
+	// URI as defined in RFC 3986:
+	// 1. IPs are not allowed. Currently an IngressRuleValue can only apply to
+	//    the IP in the Spec of the parent Ingress.
+	// 2. The `:` delimiter is not respected because ports are not allowed.
+	//   Currently the port of an Ingress is implicitly :80 for http and
+	//   :443 for https.
+	// Both these may change in the future.
+	// Incoming requests are matched against the host before the
+	// IngressRuleValue. If the host is unspecified, the Ingress routes all
+	// traffic based on the specified IngressRuleValue.
+	//
+	// Host can be "precise" which is a domain name without the terminating dot of
+	// a network host (e.g. "foo.bar.com") or "wildcard", which is a domain name
+	// prefixed with a single wildcard label (e.g. "*.foo.com").
+	// The wildcard character '*' must appear by itself as the first DNS label and
+	// matches only a single label. You cannot have a wildcard label by itself (e.g. Host == "*").
+	// Requests will be matched against the Host field in the following way:
+	// 1. If Host is precise, the request matches this rule if the http host header is equal to Host.
+	// 2. If Host is a wildcard, then the request matches this rule if the http host header
+	// is to equal to the suffix (removing the first label) of the wildcard rule.
+	// +optional
+	host?: string @go(Host) @protobuf(1,bytes,opt)
+
+	#IngressRuleValue
+}
+
+// IngressRuleValue represents a rule to apply against incoming requests. If the
+// rule is satisfied, the request is routed to the specified backend. Currently
+// mixing different types of rules in a single Ingress is disallowed, so exactly
+// one of the following must be set.
+#IngressRuleValue: {
+	// +optional
+	http?: null | #HTTPIngressRuleValue @go(HTTP,*HTTPIngressRuleValue) @protobuf(1,bytes,opt)
+}
+
+// HTTPIngressRuleValue is a list of http selectors pointing to backends.
+// In the example: http://<host>/<path>?<searchpart> -> backend where
+// where parts of the url correspond to RFC 3986, this resource will be used
+// to match against everything after the last '/' and before the first '?'
+// or '#'.
+#HTTPIngressRuleValue: {
+	// A collection of paths that map requests to backends.
+	// +listType=atomic
+	paths: [...#HTTPIngressPath] @go(Paths,[]HTTPIngressPath) @protobuf(1,bytes,rep)
+}
+
+// PathType represents the type of path referred to by a HTTPIngressPath.
+// +enum
+#PathType: string // #enumPathType
+
+#enumPathType:
+	#PathTypeExact |
+	#PathTypePrefix |
+	#PathTypeImplementationSpecific
+
+// PathTypeExact matches the URL path exactly and with case sensitivity.
+#PathTypeExact: #PathType & "Exact"
+
+// PathTypePrefix matches based on a URL path prefix split by '/'. Matching
+// is case sensitive and done on a path element by element basis. A path
+// element refers to the list of labels in the path split by the '/'
+// separator. A request is a match for path p if every p is an element-wise
+// prefix of p of the request path. Note that if the last element of the
+// path is a substring of the last element in request path, it is not a
+// match (e.g. /foo/bar matches /foo/bar/baz, but does not match
+// /foo/barbaz). If multiple matching paths exist in an Ingress spec, the
+// longest matching path is given priority.
+// Examples:
+// - /foo/bar does not match requests to /foo/barbaz
+// - /foo/bar matches request to /foo/bar and /foo/bar/baz
+// - /foo and /foo/ both match requests to /foo and /foo/. If both paths are
+//   present in an Ingress spec, the longest matching path (/foo/) is given
+//   priority.
+#PathTypePrefix: #PathType & "Prefix"
+
+// PathTypeImplementationSpecific matching is up to the IngressClass.
+// Implementations can treat this as a separate PathType or treat it
+// identically to Prefix or Exact path types.
+#PathTypeImplementationSpecific: #PathType & "ImplementationSpecific"
+
+// HTTPIngressPath associates a path with a backend. Incoming urls matching the
+// path are forwarded to the backend.
+#HTTPIngressPath: {
+	// Path is matched against the path of an incoming request. Currently it can
+	// contain characters disallowed from the conventional "path" part of a URL
+	// as defined by RFC 3986. Paths must begin with a '/' and must be present
+	// when using PathType with value "Exact" or "Prefix".
+	// +optional
+	path?: string @go(Path) @protobuf(1,bytes,opt)
+
+	// PathType determines the interpretation of the Path matching. PathType can
+	// be one of the following values:
+	// * Exact: Matches the URL path exactly.
+	// * Prefix: Matches based on a URL path prefix split by '/'. Matching is
+	//   done on a path element by element basis. A path element refers is the
+	//   list of labels in the path split by the '/' separator. A request is a
+	//   match for path p if every p is an element-wise prefix of p of the
+	//   request path. Note that if the last element of the path is a substring
+	//   of the last element in request path, it is not a match (e.g. /foo/bar
+	//   matches /foo/bar/baz, but does not match /foo/barbaz).
+	// * ImplementationSpecific: Interpretation of the Path matching is up to
+	//   the IngressClass. Implementations can treat this as a separate PathType
+	//   or treat it identically to Prefix or Exact path types.
+	// Implementations are required to support all path types.
+	pathType?: null | #PathType @go(PathType,*PathType) @protobuf(3,bytes,opt)
+
+	// Backend defines the referenced service endpoint to which the traffic
+	// will be forwarded to.
+	backend: #IngressBackend @go(Backend) @protobuf(2,bytes,opt)
+}
+
+// IngressBackend describes all endpoints for a given service and port.
+#IngressBackend: {
+	// Service references a Service as a Backend.
+	// This is a mutually exclusive setting with "Resource".
+	// +optional
+	service?: null | #IngressServiceBackend @go(Service,*IngressServiceBackend) @protobuf(4,bytes,opt)
+
+	// Resource is an ObjectRef to another Kubernetes resource in the namespace
+	// of the Ingress object. If resource is specified, a service.Name and
+	// service.Port must not be specified.
+	// This is a mutually exclusive setting with "Service".
+	// +optional
+	resource?: null | v1.#TypedLocalObjectReference @go(Resource,*v1.TypedLocalObjectReference) @protobuf(3,bytes,opt)
+}
+
+// IngressServiceBackend references a Kubernetes Service as a Backend.
+#IngressServiceBackend: {
+	// Name is the referenced service. The service must exist in
+	// the same namespace as the Ingress object.
+	name: string @go(Name) @protobuf(1,bytes,opt)
+
+	// Port of the referenced service. A port name or port number
+	// is required for a IngressServiceBackend.
+	port?: #ServiceBackendPort @go(Port) @protobuf(2,bytes,opt)
+}
+
+// ServiceBackendPort is the service port being referenced.
+#ServiceBackendPort: {
+	// Name is the name of the port on the Service.
+	// This is a mutually exclusive setting with "Number".
+	// +optional
+	name?: string @go(Name) @protobuf(1,bytes,opt)
+
+	// Number is the numerical port number (e.g. 80) on the Service.
+	// This is a mutually exclusive setting with "Name".
+	// +optional
+	number?: int32 @go(Number) @protobuf(2,bytes,opt)
+}
+
+// IngressClass represents the class of the Ingress, referenced by the Ingress
+// Spec. The `ingressclass.kubernetes.io/is-default-class` annotation can be
+// used to indicate that an IngressClass should be considered default. When a
+// single IngressClass resource has this annotation set to true, new Ingress
+// resources without a class specified will be assigned this default class.
+#IngressClass: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// Spec is the desired state of the IngressClass.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
+	// +optional
+	spec?: #IngressClassSpec @go(Spec) @protobuf(2,bytes,opt)
+}
+
+// IngressClassSpec provides information about the class of an Ingress.
+#IngressClassSpec: {
+	// Controller refers to the name of the controller that should handle this
+	// class. This allows for different "flavors" that are controlled by the
+	// same controller. For example, you may have different Parameters for the
+	// same implementing controller. This should be specified as a
+	// domain-prefixed path no more than 250 characters in length, e.g.
+	// "acme.io/ingress-controller". This field is immutable.
+	controller?: string @go(Controller) @protobuf(1,bytes,opt)
+
+	// Parameters is a link to a custom resource containing additional
+	// configuration for the controller. This is optional if the controller does
+	// not require extra parameters.
+	// +optional
+	parameters?: null | #IngressClassParametersReference @go(Parameters,*IngressClassParametersReference) @protobuf(2,bytes,opt)
+}
+
+// IngressClassParametersReferenceScopeNamespace indicates that the
+// referenced Parameters resource is namespace-scoped.
+#IngressClassParametersReferenceScopeNamespace: "Namespace"
+
+// IngressClassParametersReferenceScopeNamespace indicates that the
+// referenced Parameters resource is cluster-scoped.
+#IngressClassParametersReferenceScopeCluster: "Cluster"
+
+// IngressClassParametersReference identifies an API object. This can be used
+// to specify a cluster or namespace-scoped resource.
+#IngressClassParametersReference: {
+	// APIGroup is the group for the resource being referenced. If APIGroup is
+	// not specified, the specified Kind must be in the core API group. For any
+	// other third-party types, APIGroup is required.
+	// +optional
+	apiGroup?: null | string @go(APIGroup,*string) @protobuf(1,bytes,opt,name=aPIGroup)
+
+	// Kind is the type of resource being referenced.
+	kind: string @go(Kind) @protobuf(2,bytes,opt)
+
+	// Name is the name of resource being referenced.
+	name: string @go(Name) @protobuf(3,bytes,opt)
+
+	// Scope represents if this refers to a cluster or namespace scoped resource.
+	// This may be set to "Cluster" (default) or "Namespace".
+	// +optional
+	scope?: null | string @go(Scope,*string) @protobuf(4,bytes,opt)
+
+	// Namespace is the namespace of the resource being referenced. This field is
+	// required when scope is set to "Namespace" and must be unset when scope is set to
+	// "Cluster".
+	// +optional
+	namespace?: null | string @go(Namespace,*string) @protobuf(5,bytes,opt)
+}
+
+// IngressClassList is a collection of IngressClasses.
+#IngressClassList: {
+	metav1.#TypeMeta
+
+	// Standard list metadata.
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// Items is the list of IngressClasses.
+	items: [...#IngressClass] @go(Items,[]IngressClass) @protobuf(2,bytes,rep)
+}

cue/cue.mod/gen/k8s.io/api/networking/v1/well_known_annotations_go_gen.cue

@@ -0,0 +1,11 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/api/networking/v1
+
+package v1
+
+// AnnotationIsDefaultIngressClass can be used to indicate that an
+// IngressClass should be considered default. When a single IngressClass
+// resource has this annotation set to true, new Ingress resources without a
+// class specified will be assigned this default class.
+#AnnotationIsDefaultIngressClass: "ingressclass.kubernetes.io/is-default-class"

cue/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/doc_go_gen.cue

@@ -0,0 +1,6 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1
+
+// Package v1 is the v1 version of the API.
+package v1

cue/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/register_go_gen.cue

@@ -0,0 +1,7 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1
+
+package v1
+
+#GroupName: "apiextensions.k8s.io"

cue/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/types_go_gen.cue

@@ -0,0 +1,513 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1
+
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// ConversionStrategyType describes different conversion types.
+#ConversionStrategyType: string // #enumConversionStrategyType
+
+#enumConversionStrategyType:
+	#NoneConverter |
+	#WebhookConverter
+
+// KubeAPIApprovedAnnotation is an annotation that must be set to create a CRD for the k8s.io, *.k8s.io, kubernetes.io, or *.kubernetes.io namespaces.
+// The value should be a link to a URL where the current spec was approved, so updates to the spec should also update the URL.
+// If the API is unapproved, you may set the annotation to a string starting with `"unapproved"`.  For instance, `"unapproved, temporarily squatting"` or `"unapproved, experimental-only"`.  This is discouraged.
+#KubeAPIApprovedAnnotation: "api-approved.kubernetes.io"
+
+// NoneConverter is a converter that only sets apiversion of the CR and leave everything else unchanged.
+#NoneConverter: #ConversionStrategyType & "None"
+
+// WebhookConverter is a converter that calls to an external webhook to convert the CR.
+#WebhookConverter: #ConversionStrategyType & "Webhook"
+
+// CustomResourceDefinitionSpec describes how a user wants their resource to appear
+#CustomResourceDefinitionSpec: {
+	// group is the API group of the defined custom resource.
+	// The custom resources are served under `/apis/<group>/...`.
+	// Must match the name of the CustomResourceDefinition (in the form `<names.plural>.<group>`).
+	group: string @go(Group) @protobuf(1,bytes,opt)
+
+	// names specify the resource and kind names for the custom resource.
+	names: #CustomResourceDefinitionNames @go(Names) @protobuf(3,bytes,opt)
+
+	// scope indicates whether the defined custom resource is cluster- or namespace-scoped.
+	// Allowed values are `Cluster` and `Namespaced`.
+	scope: #ResourceScope @go(Scope) @protobuf(4,bytes,opt,casttype=ResourceScope)
+
+	// versions is the list of all API versions of the defined custom resource.
+	// Version names are used to compute the order in which served versions are listed in API discovery.
+	// If the version string is "kube-like", it will sort above non "kube-like" version strings, which are ordered
+	// lexicographically. "Kube-like" versions start with a "v", then are followed by a number (the major version),
+	// then optionally the string "alpha" or "beta" and another number (the minor version). These are sorted first
+	// by GA > beta > alpha (where GA is a version with no suffix such as beta or alpha), and then by comparing
+	// major version, then minor version. An example sorted list of versions:
+	// v10, v2, v1, v11beta2, v10beta3, v3beta1, v12alpha1, v11alpha2, foo1, foo10.
+	versions: [...#CustomResourceDefinitionVersion] @go(Versions,[]CustomResourceDefinitionVersion) @protobuf(7,bytes,rep)
+
+	// conversion defines conversion settings for the CRD.
+	// +optional
+	conversion?: null | #CustomResourceConversion @go(Conversion,*CustomResourceConversion) @protobuf(9,bytes,opt)
+
+	// preserveUnknownFields indicates that object fields which are not specified
+	// in the OpenAPI schema should be preserved when persisting to storage.
+	// apiVersion, kind, metadata and known fields inside metadata are always preserved.
+	// This field is deprecated in favor of setting `x-preserve-unknown-fields` to true in `spec.versions[*].schema.openAPIV3Schema`.
+	// See https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions/#pruning-versus-preserving-unknown-fields for details.
+	// +optional
+	preserveUnknownFields?: bool @go(PreserveUnknownFields) @protobuf(10,varint,opt)
+}
+
+// CustomResourceConversion describes how to convert different versions of a CR.
+#CustomResourceConversion: {
+	// strategy specifies how custom resources are converted between versions. Allowed values are:
+	// - `None`: The converter only change the apiVersion and would not touch any other field in the custom resource.
+	// - `Webhook`: API Server will call to an external webhook to do the conversion. Additional information
+	//   is needed for this option. This requires spec.preserveUnknownFields to be false, and spec.conversion.webhook to be set.
+	strategy: #ConversionStrategyType @go(Strategy) @protobuf(1,bytes)
+
+	// webhook describes how to call the conversion webhook. Required when `strategy` is set to `Webhook`.
+	// +optional
+	webhook?: null | #WebhookConversion @go(Webhook,*WebhookConversion) @protobuf(2,bytes,opt)
+}
+
+// WebhookConversion describes how to call a conversion webhook
+#WebhookConversion: {
+	// clientConfig is the instructions for how to call the webhook if strategy is `Webhook`.
+	// +optional
+	clientConfig?: null | #WebhookClientConfig @go(ClientConfig,*WebhookClientConfig) @protobuf(2,bytes)
+
+	// conversionReviewVersions is an ordered list of preferred `ConversionReview`
+	// versions the Webhook expects. The API server will use the first version in
+	// the list which it supports. If none of the versions specified in this list
+	// are supported by API server, conversion will fail for the custom resource.
+	// If a persisted Webhook configuration specifies allowed versions and does not
+	// include any versions known to the API Server, calls to the webhook will fail.
+	conversionReviewVersions: [...string] @go(ConversionReviewVersions,[]string) @protobuf(3,bytes,rep)
+}
+
+// WebhookClientConfig contains the information to make a TLS connection with the webhook.
+#WebhookClientConfig: {
+	// url gives the location of the webhook, in standard URL form
+	// (`scheme://host:port/path`). Exactly one of `url` or `service`
+	// must be specified.
+	//
+	// The `host` should not refer to a service running in the cluster; use
+	// the `service` field instead. The host might be resolved via external
+	// DNS in some apiservers (e.g., `kube-apiserver` cannot resolve
+	// in-cluster DNS as that would be a layering violation). `host` may
+	// also be an IP address.
+	//
+	// Please note that using `localhost` or `127.0.0.1` as a `host` is
+	// risky unless you take great care to run this webhook on all hosts
+	// which run an apiserver which might need to make calls to this
+	// webhook. Such installs are likely to be non-portable, i.e., not easy
+	// to turn up in a new cluster.
+	//
+	// The scheme must be "https"; the URL must begin with "https://".
+	//
+	// A path is optional, and if present may be any string permissible in
+	// a URL. You may use the path to pass an arbitrary string to the
+	// webhook, for example, a cluster identifier.
+	//
+	// Attempting to use a user or basic auth e.g. "user:password@" is not
+	// allowed. Fragments ("#...") and query parameters ("?...") are not
+	// allowed, either.
+	//
+	// +optional
+	url?: null | string @go(URL,*string) @protobuf(3,bytes,opt)
+
+	// service is a reference to the service for this webhook. Either
+	// service or url must be specified.
+	//
+	// If the webhook is running within the cluster, then you should use `service`.
+	//
+	// +optional
+	service?: null | #ServiceReference @go(Service,*ServiceReference) @protobuf(1,bytes,opt)
+
+	// caBundle is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
+	// If unspecified, system trust roots on the apiserver are used.
+	// +optional
+	caBundle?: bytes @go(CABundle,[]byte) @protobuf(2,bytes,opt)
+}
+
+// ServiceReference holds a reference to Service.legacy.k8s.io
+#ServiceReference: {
+	// namespace is the namespace of the service.
+	// Required
+	namespace: string @go(Namespace) @protobuf(1,bytes,opt)
+
+	// name is the name of the service.
+	// Required
+	name: string @go(Name) @protobuf(2,bytes,opt)
+
+	// path is an optional URL path at which the webhook will be contacted.
+	// +optional
+	path?: null | string @go(Path,*string) @protobuf(3,bytes,opt)
+
+	// port is an optional service port at which the webhook will be contacted.
+	// `port` should be a valid port number (1-65535, inclusive).
+	// Defaults to 443 for backward compatibility.
+	// +optional
+	port?: null | int32 @go(Port,*int32) @protobuf(4,varint,opt)
+}
+
+// CustomResourceDefinitionVersion describes a version for CRD.
+#CustomResourceDefinitionVersion: {
+	// name is the version name, e.g. “v1”, “v2beta1”, etc.
+	// The custom resources are served under this version at `/apis/<group>/<version>/...` if `served` is true.
+	name: string @go(Name) @protobuf(1,bytes,opt)
+
+	// served is a flag enabling/disabling this version from being served via REST APIs
+	served: bool @go(Served) @protobuf(2,varint,opt)
+
+	// storage indicates this version should be used when persisting custom resources to storage.
+	// There must be exactly one version with storage=true.
+	storage: bool @go(Storage) @protobuf(3,varint,opt)
+
+	// deprecated indicates this version of the custom resource API is deprecated.
+	// When set to true, API requests to this version receive a warning header in the server response.
+	// Defaults to false.
+	// +optional
+	deprecated?: bool @go(Deprecated) @protobuf(7,varint,opt)
+
+	// deprecationWarning overrides the default warning returned to API clients.
+	// May only be set when `deprecated` is true.
+	// The default warning indicates this version is deprecated and recommends use
+	// of the newest served version of equal or greater stability, if one exists.
+	// +optional
+	deprecationWarning?: null | string @go(DeprecationWarning,*string) @protobuf(8,bytes,opt)
+
+	// schema describes the schema used for validation, pruning, and defaulting of this version of the custom resource.
+	// +optional
+	schema?: null | #CustomResourceValidation @go(Schema,*CustomResourceValidation) @protobuf(4,bytes,opt)
+
+	// subresources specify what subresources this version of the defined custom resource have.
+	// +optional
+	subresources?: null | #CustomResourceSubresources @go(Subresources,*CustomResourceSubresources) @protobuf(5,bytes,opt)
+
+	// additionalPrinterColumns specifies additional columns returned in Table output.
+	// See https://kubernetes.io/docs/reference/using-api/api-concepts/#receiving-resources-as-tables for details.
+	// If no columns are specified, a single column displaying the age of the custom resource is used.
+	// +optional
+	additionalPrinterColumns?: [...#CustomResourceColumnDefinition] @go(AdditionalPrinterColumns,[]CustomResourceColumnDefinition) @protobuf(6,bytes,rep)
+}
+
+// CustomResourceColumnDefinition specifies a column for server side printing.
+#CustomResourceColumnDefinition: {
+	// name is a human readable name for the column.
+	name: string @go(Name) @protobuf(1,bytes,opt)
+
+	// type is an OpenAPI type definition for this column.
+	// See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for details.
+	type: string @go(Type) @protobuf(2,bytes,opt)
+
+	// format is an optional OpenAPI type definition for this column. The 'name' format is applied
+	// to the primary identifier column to assist in clients identifying column is the resource name.
+	// See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for details.
+	// +optional
+	format?: string @go(Format) @protobuf(3,bytes,opt)
+
+	// description is a human readable description of this column.
+	// +optional
+	description?: string @go(Description) @protobuf(4,bytes,opt)
+
+	// priority is an integer defining the relative importance of this column compared to others. Lower
+	// numbers are considered higher priority. Columns that may be omitted in limited space scenarios
+	// should be given a priority greater than 0.
+	// +optional
+	priority?: int32 @go(Priority) @protobuf(5,bytes,opt)
+
+	// jsonPath is a simple JSON path (i.e. with array notation) which is evaluated against
+	// each custom resource to produce the value for this column.
+	jsonPath: string @go(JSONPath) @protobuf(6,bytes,opt)
+}
+
+// CustomResourceDefinitionNames indicates the names to serve this CustomResourceDefinition
+#CustomResourceDefinitionNames: {
+	// plural is the plural name of the resource to serve.
+	// The custom resources are served under `/apis/<group>/<version>/.../<plural>`.
+	// Must match the name of the CustomResourceDefinition (in the form `<names.plural>.<group>`).
+	// Must be all lowercase.
+	plural: string @go(Plural) @protobuf(1,bytes,opt)
+
+	// singular is the singular name of the resource. It must be all lowercase. Defaults to lowercased `kind`.
+	// +optional
+	singular?: string @go(Singular) @protobuf(2,bytes,opt)
+
+	// shortNames are short names for the resource, exposed in API discovery documents,
+	// and used by clients to support invocations like `kubectl get <shortname>`.
+	// It must be all lowercase.
+	// +optional
+	shortNames?: [...string] @go(ShortNames,[]string) @protobuf(3,bytes,opt)
+
+	// kind is the serialized kind of the resource. It is normally CamelCase and singular.
+	// Custom resource instances will use this value as the `kind` attribute in API calls.
+	kind: string @go(Kind) @protobuf(4,bytes,opt)
+
+	// listKind is the serialized kind of the list for this resource. Defaults to "`kind`List".
+	// +optional
+	listKind?: string @go(ListKind) @protobuf(5,bytes,opt)
+
+	// categories is a list of grouped resources this custom resource belongs to (e.g. 'all').
+	// This is published in API discovery documents, and used by clients to support invocations like
+	// `kubectl get all`.
+	// +optional
+	categories?: [...string] @go(Categories,[]string) @protobuf(6,bytes,rep)
+}
+
+// ResourceScope is an enum defining the different scopes available to a custom resource
+#ResourceScope: string // #enumResourceScope
+
+#enumResourceScope:
+	#ClusterScoped |
+	#NamespaceScoped
+
+#ClusterScoped:   #ResourceScope & "Cluster"
+#NamespaceScoped: #ResourceScope & "Namespaced"
+
+#ConditionStatus: string // #enumConditionStatus
+
+#enumConditionStatus:
+	#ConditionTrue |
+	#ConditionFalse |
+	#ConditionUnknown
+
+#ConditionTrue:    #ConditionStatus & "True"
+#ConditionFalse:   #ConditionStatus & "False"
+#ConditionUnknown: #ConditionStatus & "Unknown"
+
+// CustomResourceDefinitionConditionType is a valid value for CustomResourceDefinitionCondition.Type
+#CustomResourceDefinitionConditionType: string // #enumCustomResourceDefinitionConditionType
+
+#enumCustomResourceDefinitionConditionType:
+	#Established |
+	#NamesAccepted |
+	#NonStructuralSchema |
+	#Terminating |
+	#KubernetesAPIApprovalPolicyConformant
+
+// Established means that the resource has become active. A resource is established when all names are
+// accepted without a conflict for the first time. A resource stays established until deleted, even during
+// a later NamesAccepted due to changed names. Note that not all names can be changed.
+#Established: #CustomResourceDefinitionConditionType & "Established"
+
+// NamesAccepted means the names chosen for this CustomResourceDefinition do not conflict with others in
+// the group and are therefore accepted.
+#NamesAccepted: #CustomResourceDefinitionConditionType & "NamesAccepted"
+
+// NonStructuralSchema means that one or more OpenAPI schema is not structural.
+//
+// A schema is structural if it specifies types for all values, with the only exceptions of those with
+// - x-kubernetes-int-or-string: true — for fields which can be integer or string
+// - x-kubernetes-preserve-unknown-fields: true — for raw, unspecified JSON values
+// and there is no type, additionalProperties, default, nullable or x-kubernetes-* vendor extenions
+// specified under allOf, anyOf, oneOf or not.
+//
+// Non-structural schemas will not be allowed anymore in v1 API groups. Moreover, new features will not be
+// available for non-structural CRDs:
+// - pruning
+// - defaulting
+// - read-only
+// - OpenAPI publishing
+// - webhook conversion
+#NonStructuralSchema: #CustomResourceDefinitionConditionType & "NonStructuralSchema"
+
+// Terminating means that the CustomResourceDefinition has been deleted and is cleaning up.
+#Terminating: #CustomResourceDefinitionConditionType & "Terminating"
+
+// KubernetesAPIApprovalPolicyConformant indicates that an API in *.k8s.io or *.kubernetes.io is or is not approved.  For CRDs
+// outside those groups, this condition will not be set.  For CRDs inside those groups, the condition will
+// be true if .metadata.annotations["api-approved.kubernetes.io"] is set to a URL, otherwise it will be false.
+// See https://github.com/kubernetes/enhancements/pull/1111 for more details.
+#KubernetesAPIApprovalPolicyConformant: #CustomResourceDefinitionConditionType & "KubernetesAPIApprovalPolicyConformant"
+
+// CustomResourceDefinitionCondition contains details for the current condition of this pod.
+#CustomResourceDefinitionCondition: {
+	// type is the type of the condition. Types include Established, NamesAccepted and Terminating.
+	type: #CustomResourceDefinitionConditionType @go(Type) @protobuf(1,bytes,opt,casttype=CustomResourceDefinitionConditionType)
+
+	// status is the status of the condition.
+	// Can be True, False, Unknown.
+	status: #ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=ConditionStatus)
+
+	// lastTransitionTime last time the condition transitioned from one status to another.
+	// +optional
+	lastTransitionTime?: metav1.#Time @go(LastTransitionTime) @protobuf(3,bytes,opt)
+
+	// reason is a unique, one-word, CamelCase reason for the condition's last transition.
+	// +optional
+	reason?: string @go(Reason) @protobuf(4,bytes,opt)
+
+	// message is a human-readable message indicating details about last transition.
+	// +optional
+	message?: string @go(Message) @protobuf(5,bytes,opt)
+}
+
+// CustomResourceDefinitionStatus indicates the state of the CustomResourceDefinition
+#CustomResourceDefinitionStatus: {
+	// conditions indicate state for particular aspects of a CustomResourceDefinition
+	// +optional
+	// +listType=map
+	// +listMapKey=type
+	conditions: [...#CustomResourceDefinitionCondition] @go(Conditions,[]CustomResourceDefinitionCondition) @protobuf(1,bytes,opt)
+
+	// acceptedNames are the names that are actually being used to serve discovery.
+	// They may be different than the names in spec.
+	// +optional
+	acceptedNames: #CustomResourceDefinitionNames @go(AcceptedNames) @protobuf(2,bytes,opt)
+
+	// storedVersions lists all versions of CustomResources that were ever persisted. Tracking these
+	// versions allows a migration path for stored versions in etcd. The field is mutable
+	// so a migration controller can finish a migration to another version (ensuring
+	// no old objects are left in storage), and then remove the rest of the
+	// versions from this list.
+	// Versions may not be removed from `spec.versions` while they exist in this list.
+	// +optional
+	storedVersions: [...string] @go(StoredVersions,[]string) @protobuf(3,bytes,rep)
+}
+
+#CustomResourceCleanupFinalizer: "customresourcecleanup.apiextensions.k8s.io"
+
+// CustomResourceDefinition represents a resource that should be exposed on the API server.  Its name MUST be in the format
+// <.spec.name>.<.spec.group>.
+#CustomResourceDefinition: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
+
+	// spec describes how the user wants the resources to appear
+	spec: #CustomResourceDefinitionSpec @go(Spec) @protobuf(2,bytes,opt)
+
+	// status indicates the actual state of the CustomResourceDefinition
+	// +optional
+	status?: #CustomResourceDefinitionStatus @go(Status) @protobuf(3,bytes,opt)
+}
+
+// CustomResourceDefinitionList is a list of CustomResourceDefinition objects.
+#CustomResourceDefinitionList: {
+	metav1.#TypeMeta
+
+	// Standard object's metadata
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// +optional
+	metadata?: metav1.#ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
+
+	// items list individual CustomResourceDefinition objects
+	items: [...#CustomResourceDefinition] @go(Items,[]CustomResourceDefinition) @protobuf(2,bytes,rep)
+}
+
+// CustomResourceValidation is a list of validation methods for CustomResources.
+#CustomResourceValidation: {
+	// openAPIV3Schema is the OpenAPI v3 schema to use for validation and pruning.
+	// +optional
+	openAPIV3Schema?: null | #JSONSchemaProps @go(OpenAPIV3Schema,*JSONSchemaProps) @protobuf(1,bytes,opt)
+}
+
+// CustomResourceSubresources defines the status and scale subresources for CustomResources.
+#CustomResourceSubresources: {
+	// status indicates the custom resource should serve a `/status` subresource.
+	// When enabled:
+	// 1. requests to the custom resource primary endpoint ignore changes to the `status` stanza of the object.
+	// 2. requests to the custom resource `/status` subresource ignore changes to anything other than the `status` stanza of the object.
+	// +optional
+	status?: null | #CustomResourceSubresourceStatus @go(Status,*CustomResourceSubresourceStatus) @protobuf(1,bytes,opt)
+
+	// scale indicates the custom resource should serve a `/scale` subresource that returns an `autoscaling/v1` Scale object.
+	// +optional
+	scale?: null | #CustomResourceSubresourceScale @go(Scale,*CustomResourceSubresourceScale) @protobuf(2,bytes,opt)
+}
+
+// CustomResourceSubresourceStatus defines how to serve the status subresource for CustomResources.
+// Status is represented by the `.status` JSON path inside of a CustomResource. When set,
+// * exposes a /status subresource for the custom resource
+// * PUT requests to the /status subresource take a custom resource object, and ignore changes to anything except the status stanza
+// * PUT/POST/PATCH requests to the custom resource ignore changes to the status stanza
+#CustomResourceSubresourceStatus: {
+}
+
+// CustomResourceSubresourceScale defines how to serve the scale subresource for CustomResources.
+#CustomResourceSubresourceScale: {
+	// specReplicasPath defines the JSON path inside of a custom resource that corresponds to Scale `spec.replicas`.
+	// Only JSON paths without the array notation are allowed.
+	// Must be a JSON Path under `.spec`.
+	// If there is no value under the given path in the custom resource, the `/scale` subresource will return an error on GET.
+	specReplicasPath: string @go(SpecReplicasPath) @protobuf(1,bytes)
+
+	// statusReplicasPath defines the JSON path inside of a custom resource that corresponds to Scale `status.replicas`.
+	// Only JSON paths without the array notation are allowed.
+	// Must be a JSON Path under `.status`.
+	// If there is no value under the given path in the custom resource, the `status.replicas` value in the `/scale` subresource
+	// will default to 0.
+	statusReplicasPath: string @go(StatusReplicasPath) @protobuf(2,bytes,opt)
+
+	// labelSelectorPath defines the JSON path inside of a custom resource that corresponds to Scale `status.selector`.
+	// Only JSON paths without the array notation are allowed.
+	// Must be a JSON Path under `.status` or `.spec`.
+	// Must be set to work with HorizontalPodAutoscaler.
+	// The field pointed by this JSON path must be a string field (not a complex selector struct)
+	// which contains a serialized label selector in string form.
+	// More info: https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions#scale-subresource
+	// If there is no value under the given path in the custom resource, the `status.selector` value in the `/scale`
+	// subresource will default to the empty string.
+	// +optional
+	labelSelectorPath?: null | string @go(LabelSelectorPath,*string) @protobuf(3,bytes,opt)
+}
+
+// ConversionReview describes a conversion request/response.
+#ConversionReview: {
+	metav1.#TypeMeta
+
+	// request describes the attributes for the conversion request.
+	// +optional
+	request?: null | #ConversionRequest @go(Request,*ConversionRequest) @protobuf(1,bytes,opt)
+
+	// response describes the attributes for the conversion response.
+	// +optional
+	response?: null | #ConversionResponse @go(Response,*ConversionResponse) @protobuf(2,bytes,opt)
+}
+
+// ConversionRequest describes the conversion request parameters.
+#ConversionRequest: {
+	// uid is an identifier for the individual request/response. It allows distinguishing instances of requests which are
+	// otherwise identical (parallel requests, etc).
+	// The UID is meant to track the round trip (request/response) between the Kubernetes API server and the webhook, not the user request.
+	// It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging.
+	uid: types.#UID @go(UID) @protobuf(1,bytes)
+
+	// desiredAPIVersion is the version to convert given objects to. e.g. "myapi.example.com/v1"
+	desiredAPIVersion: string @go(DesiredAPIVersion) @protobuf(2,bytes)
+
+	// objects is the list of custom resource objects to be converted.
+	objects: [...runtime.#RawExtension] @go(Objects,[]runtime.RawExtension) @protobuf(3,bytes,rep)
+}
+
+// ConversionResponse describes a conversion response.
+#ConversionResponse: {
+	// uid is an identifier for the individual request/response.
+	// This should be copied over from the corresponding `request.uid`.
+	uid: types.#UID @go(UID) @protobuf(1,bytes)
+
+	// convertedObjects is the list of converted version of `request.objects` if the `result` is successful, otherwise empty.
+	// The webhook is expected to set `apiVersion` of these objects to the `request.desiredAPIVersion`. The list
+	// must also have the same size as the input list with the same objects in the same order (equal kind, metadata.uid, metadata.name and metadata.namespace).
+	// The webhook is allowed to mutate labels and annotations. Any other change to the metadata is silently ignored.
+	convertedObjects: [...runtime.#RawExtension] @go(ConvertedObjects,[]runtime.RawExtension) @protobuf(2,bytes,rep)
+
+	// result contains the result of conversion with extra details if the conversion failed. `result.status` determines if
+	// the conversion failed or succeeded. The `result.status` field is required and represents the success or failure of the
+	// conversion. A successful conversion must set `result.status` to `Success`. A failed conversion must set
+	// `result.status` to `Failure` and provide more details in `result.message` and return http status 200. The `result.message`
+	// will be used to construct an error message for the end user.
+	result: metav1.#Status @go(Result) @protobuf(3,bytes)
+}

cue/cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1/types_jsonschema_go_gen.cue

@@ -0,0 +1,257 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1
+
+package v1
+
+// JSONSchemaProps is a JSON-Schema following Specification Draft 4 (http://json-schema.org/).
+#JSONSchemaProps: {
+	id?:          string         @go(ID) @protobuf(1,bytes,opt)
+	$schema?:     #JSONSchemaURL @go(Schema) @protobuf(2,bytes,opt,name=schema)
+	$ref?:        null | string  @go(Ref,*string) @protobuf(3,bytes,opt,name=ref)
+	description?: string         @go(Description) @protobuf(4,bytes,opt)
+	type?:        string         @go(Type) @protobuf(5,bytes,opt)
+
+	// format is an OpenAPI v3 format string. Unknown formats are ignored. The following formats are validated:
+	//
+	// - bsonobjectid: a bson object ID, i.e. a 24 characters hex string
+	// - uri: an URI as parsed by Golang net/url.ParseRequestURI
+	// - email: an email address as parsed by Golang net/mail.ParseAddress
+	// - hostname: a valid representation for an Internet host name, as defined by RFC 1034, section 3.1 [RFC1034].
+	// - ipv4: an IPv4 IP as parsed by Golang net.ParseIP
+	// - ipv6: an IPv6 IP as parsed by Golang net.ParseIP
+	// - cidr: a CIDR as parsed by Golang net.ParseCIDR
+	// - mac: a MAC address as parsed by Golang net.ParseMAC
+	// - uuid: an UUID that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{12}$
+	// - uuid3: an UUID3 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?3[0-9a-f]{3}-?[0-9a-f]{4}-?[0-9a-f]{12}$
+	// - uuid4: an UUID4 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?4[0-9a-f]{3}-?[89ab][0-9a-f]{3}-?[0-9a-f]{12}$
+	// - uuid5: an UUID5 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?5[0-9a-f]{3}-?[89ab][0-9a-f]{3}-?[0-9a-f]{12}$
+	// - isbn: an ISBN10 or ISBN13 number string like "0321751043" or "978-0321751041"
+	// - isbn10: an ISBN10 number string like "0321751043"
+	// - isbn13: an ISBN13 number string like "978-0321751041"
+	// - creditcard: a credit card number defined by the regex ^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\\d{3})\\d{11})$ with any non digit characters mixed in
+	// - ssn: a U.S. social security number following the regex ^\\d{3}[- ]?\\d{2}[- ]?\\d{4}$
+	// - hexcolor: an hexadecimal color code like "#FFFFFF: following the regex ^#?([0-9a-fA-F]{3}|[0-9a-fA-F]{6})$
+	// - rgbcolor: an RGB color code like rgb like "rgb(255,255,2559"
+	// - byte: base64 encoded binary data
+	// - password: any kind of string
+	// - date: a date string like "2006-01-02" as defined by full-date in RFC3339
+	// - duration: a duration string like "22 ns" as parsed by Golang time.ParseDuration or compatible with Scala duration format
+	// - datetime: a date time string like "2014-12-15T19:30:20.000Z" as defined by date-time in RFC3339.
+	format?: string @go(Format) @protobuf(6,bytes,opt)
+	title?:  string @go(Title) @protobuf(7,bytes,opt)
+
+	// default is a default value for undefined object fields.
+	// Defaulting is a beta feature under the CustomResourceDefaulting feature gate.
+	// Defaulting requires spec.preserveUnknownFields to be false.
+	default?:          null | #JSON   @go(Default,*JSON) @protobuf(8,bytes,opt)
+	maximum?:          null | float64 @go(Maximum,*float64) @protobuf(9,bytes,opt)
+	exclusiveMaximum?: bool           @go(ExclusiveMaximum) @protobuf(10,bytes,opt)
+	minimum?:          null | float64 @go(Minimum,*float64) @protobuf(11,bytes,opt)
+	exclusiveMinimum?: bool           @go(ExclusiveMinimum) @protobuf(12,bytes,opt)
+	maxLength?:        null | int64   @go(MaxLength,*int64) @protobuf(13,bytes,opt)
+	minLength?:        null | int64   @go(MinLength,*int64) @protobuf(14,bytes,opt)
+	pattern?:          string         @go(Pattern) @protobuf(15,bytes,opt)
+	maxItems?:         null | int64   @go(MaxItems,*int64) @protobuf(16,bytes,opt)
+	minItems?:         null | int64   @go(MinItems,*int64) @protobuf(17,bytes,opt)
+	uniqueItems?:      bool           @go(UniqueItems) @protobuf(18,bytes,opt)
+	multipleOf?:       null | float64 @go(MultipleOf,*float64) @protobuf(19,bytes,opt)
+	enum?: [...#JSON] @go(Enum,[]JSON) @protobuf(20,bytes,rep)
+	maxProperties?: null | int64 @go(MaxProperties,*int64) @protobuf(21,bytes,opt)
+	minProperties?: null | int64 @go(MinProperties,*int64) @protobuf(22,bytes,opt)
+	required?: [...string] @go(Required,[]string) @protobuf(23,bytes,rep)
+	items?: null | #JSONSchemaPropsOrArray @go(Items,*JSONSchemaPropsOrArray) @protobuf(24,bytes,opt)
+	allOf?: [...#JSONSchemaProps] @go(AllOf,[]JSONSchemaProps) @protobuf(25,bytes,rep)
+	oneOf?: [...#JSONSchemaProps] @go(OneOf,[]JSONSchemaProps) @protobuf(26,bytes,rep)
+	anyOf?: [...#JSONSchemaProps] @go(AnyOf,[]JSONSchemaProps) @protobuf(27,bytes,rep)
+	not?: null | #JSONSchemaProps @go(Not,*JSONSchemaProps) @protobuf(28,bytes,opt)
+	properties?: {[string]: #JSONSchemaProps} @go(Properties,map[string]JSONSchemaProps) @protobuf(29,bytes,rep)
+	additionalProperties?: null | #JSONSchemaPropsOrBool @go(AdditionalProperties,*JSONSchemaPropsOrBool) @protobuf(30,bytes,opt)
+	patternProperties?: {[string]: #JSONSchemaProps} @go(PatternProperties,map[string]JSONSchemaProps) @protobuf(31,bytes,rep)
+	dependencies?:    #JSONSchemaDependencies       @go(Dependencies) @protobuf(32,bytes,opt)
+	additionalItems?: null | #JSONSchemaPropsOrBool @go(AdditionalItems,*JSONSchemaPropsOrBool) @protobuf(33,bytes,opt)
+	definitions?:     #JSONSchemaDefinitions        @go(Definitions) @protobuf(34,bytes,opt)
+	externalDocs?:    null | #ExternalDocumentation @go(ExternalDocs,*ExternalDocumentation) @protobuf(35,bytes,opt)
+	example?:         null | #JSON                  @go(Example,*JSON) @protobuf(36,bytes,opt)
+	nullable?:        bool                          @go(Nullable) @protobuf(37,bytes,opt)
+
+	// x-kubernetes-preserve-unknown-fields stops the API server
+	// decoding step from pruning fields which are not specified
+	// in the validation schema. This affects fields recursively,
+	// but switches back to normal pruning behaviour if nested
+	// properties or additionalProperties are specified in the schema.
+	// This can either be true or undefined. False is forbidden.
+	"x-kubernetes-preserve-unknown-fields"?: null | bool @go(XPreserveUnknownFields,*bool) @protobuf(38,bytes,opt,name=xKubernetesPreserveUnknownFields)
+
+	// x-kubernetes-embedded-resource defines that the value is an
+	// embedded Kubernetes runtime.Object, with TypeMeta and
+	// ObjectMeta. The type must be object. It is allowed to further
+	// restrict the embedded object. kind, apiVersion and metadata
+	// are validated automatically. x-kubernetes-preserve-unknown-fields
+	// is allowed to be true, but does not have to be if the object
+	// is fully specified (up to kind, apiVersion, metadata).
+	"x-kubernetes-embedded-resource"?: bool @go(XEmbeddedResource) @protobuf(39,bytes,opt,name=xKubernetesEmbeddedResource)
+
+	// x-kubernetes-int-or-string specifies that this value is
+	// either an integer or a string. If this is true, an empty
+	// type is allowed and type as child of anyOf is permitted
+	// if following one of the following patterns:
+	//
+	// 1) anyOf:
+	//    - type: integer
+	//    - type: string
+	// 2) allOf:
+	//    - anyOf:
+	//      - type: integer
+	//      - type: string
+	//    - ... zero or more
+	"x-kubernetes-int-or-string"?: bool @go(XIntOrString) @protobuf(40,bytes,opt,name=xKubernetesIntOrString)
+
+	// x-kubernetes-list-map-keys annotates an array with the x-kubernetes-list-type `map` by specifying the keys used
+	// as the index of the map.
+	//
+	// This tag MUST only be used on lists that have the "x-kubernetes-list-type"
+	// extension set to "map". Also, the values specified for this attribute must
+	// be a scalar typed field of the child structure (no nesting is supported).
+	//
+	// The properties specified must either be required or have a default value,
+	// to ensure those properties are present for all list items.
+	//
+	// +optional
+	"x-kubernetes-list-map-keys"?: [...string] @go(XListMapKeys,[]string) @protobuf(41,bytes,rep,name=xKubernetesListMapKeys)
+
+	// x-kubernetes-list-type annotates an array to further describe its topology.
+	// This extension must only be used on lists and may have 3 possible values:
+	//
+	// 1) `atomic`: the list is treated as a single entity, like a scalar.
+	//      Atomic lists will be entirely replaced when updated. This extension
+	//      may be used on any type of list (struct, scalar, ...).
+	// 2) `set`:
+	//      Sets are lists that must not have multiple items with the same value. Each
+	//      value must be a scalar, an object with x-kubernetes-map-type `atomic` or an
+	//      array with x-kubernetes-list-type `atomic`.
+	// 3) `map`:
+	//      These lists are like maps in that their elements have a non-index key
+	//      used to identify them. Order is preserved upon merge. The map tag
+	//      must only be used on a list with elements of type object.
+	// Defaults to atomic for arrays.
+	// +optional
+	"x-kubernetes-list-type"?: null | string @go(XListType,*string) @protobuf(42,bytes,opt,name=xKubernetesListType)
+
+	// x-kubernetes-map-type annotates an object to further describe its topology.
+	// This extension must only be used when type is object and may have 2 possible values:
+	//
+	// 1) `granular`:
+	//      These maps are actual maps (key-value pairs) and each fields are independent
+	//      from each other (they can each be manipulated by separate actors). This is
+	//      the default behaviour for all maps.
+	// 2) `atomic`: the list is treated as a single entity, like a scalar.
+	//      Atomic maps will be entirely replaced when updated.
+	// +optional
+	"x-kubernetes-map-type"?: null | string @go(XMapType,*string) @protobuf(43,bytes,opt,name=xKubernetesMapType)
+
+	// x-kubernetes-validations describes a list of validation rules written in the CEL expression language.
+	// This field is an alpha-level. Using this field requires the feature gate `CustomResourceValidationExpressions` to be enabled.
+	// +patchMergeKey=rule
+	// +patchStrategy=merge
+	// +listType=map
+	// +listMapKey=rule
+	"x-kubernetes-validations"?: #ValidationRules @go(XValidations) @protobuf(44,bytes,rep,name=xKubernetesValidations)
+}
+
+// ValidationRules describes a list of validation rules written in the CEL expression language.
+#ValidationRules: [...#ValidationRule]
+
+// ValidationRule describes a validation rule written in the CEL expression language.
+#ValidationRule: {
+	// Rule represents the expression which will be evaluated by CEL.
+	// ref: https://github.com/google/cel-spec
+	// The Rule is scoped to the location of the x-kubernetes-validations extension in the schema.
+	// The `self` variable in the CEL expression is bound to the scoped value.
+	// Example:
+	// - Rule scoped to the root of a resource with a status subresource: {"rule": "self.status.actual <= self.spec.maxDesired"}
+	//
+	// If the Rule is scoped to an object with properties, the accessible properties of the object are field selectable
+	// via `self.field` and field presence can be checked via `has(self.field)`. Null valued fields are treated as
+	// absent fields in CEL expressions.
+	// If the Rule is scoped to an object with additionalProperties (i.e. a map) the value of the map
+	// are accessible via `self[mapKey]`, map containment can be checked via `mapKey in self` and all entries of the map
+	// are accessible via CEL macros and functions such as `self.all(...)`.
+	// If the Rule is scoped to an array, the elements of the array are accessible via `self[i]` and also by macros and
+	// functions.
+	// If the Rule is scoped to a scalar, `self` is bound to the scalar value.
+	// Examples:
+	// - Rule scoped to a map of objects: {"rule": "self.components['Widget'].priority < 10"}
+	// - Rule scoped to a list of integers: {"rule": "self.values.all(value, value >= 0 && value < 100)"}
+	// - Rule scoped to a string value: {"rule": "self.startsWith('kube')"}
+	//
+	// The `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the
+	// object and from any x-kubernetes-embedded-resource annotated objects. No other metadata properties are accessible.
+	//
+	// Unknown data preserved in custom resources via x-kubernetes-preserve-unknown-fields is not accessible in CEL
+	// expressions. This includes:
+	// - Unknown field values that are preserved by object schemas with x-kubernetes-preserve-unknown-fields.
+	// - Object properties where the property schema is of an "unknown type". An "unknown type" is recursively defined as:
+	//   - A schema with no type and x-kubernetes-preserve-unknown-fields set to true
+	//   - An array where the items schema is of an "unknown type"
+	//   - An object where the additionalProperties schema is of an "unknown type"
+	//
+	// Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.
+	// Accessible property names are escaped according to the following rules when accessed in the expression:
+	// - '__' escapes to '__underscores__'
+	// - '.' escapes to '__dot__'
+	// - '-' escapes to '__dash__'
+	// - '/' escapes to '__slash__'
+	// - Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:
+	//   "true", "false", "null", "in", "as", "break", "const", "continue", "else", "for", "function", "if",
+	//   "import", "let", "loop", "package", "namespace", "return".
+	// Examples:
+	//   - Rule accessing a property named "namespace": {"rule": "self.__namespace__ > 0"}
+	//   - Rule accessing a property named "x-prop": {"rule": "self.x__dash__prop > 0"}
+	//   - Rule accessing a property named "redact__d": {"rule": "self.redact__underscores__d > 0"}
+	//
+	// Equality on arrays with x-kubernetes-list-type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].
+	// Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:
+	//   - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and
+	//     non-intersecting elements in `Y` are appended, retaining their partial order.
+	//   - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values
+	//     are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with
+	//     non-intersecting keys are appended, retaining their partial order.
+	rule: string @go(Rule) @protobuf(1,bytes,opt)
+
+	// Message represents the message displayed when validation fails. The message is required if the Rule contains
+	// line breaks. The message must not contain line breaks.
+	// If unset, the message is "failed rule: {Rule}".
+	// e.g. "must be a URL with the host matching spec.host"
+	message?: string @go(Message) @protobuf(2,bytes,opt)
+}
+
+// JSON represents any valid JSON value.
+// These types are supported: bool, int64, float64, string, []interface{}, map[string]interface{} and nil.
+#JSON: _
+
+// JSONSchemaURL represents a schema url.
+#JSONSchemaURL: string
+
+// JSONSchemaPropsOrArray represents a value that can either be a JSONSchemaProps
+// or an array of JSONSchemaProps. Mainly here for serialization purposes.
+#JSONSchemaPropsOrArray: _
+
+// JSONSchemaPropsOrBool represents JSONSchemaProps or a boolean value.
+// Defaults to true for the boolean property.
+#JSONSchemaPropsOrBool: _
+
+// JSONSchemaDependencies represent a dependencies property.
+#JSONSchemaDependencies: {[string]: #JSONSchemaPropsOrStringArray}
+
+// JSONSchemaPropsOrStringArray represents a JSONSchemaProps or a string array.
+#JSONSchemaPropsOrStringArray: _
+
+// JSONSchemaDefinitions contains the models explicitly defined in this spec.
+#JSONSchemaDefinitions: {[string]: #JSONSchemaProps}
+
+// ExternalDocumentation allows referencing an external resource for extended documentation.
+#ExternalDocumentation: {
+	description?: string @go(Description) @protobuf(1,bytes,opt)
+	url?:         string @go(URL) @protobuf(2,bytes,opt)
+}

cue/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/amount_go_gen.cue

@@ -0,0 +1,47 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/api/resource
+
+package resource
+
+// Scale is used for getting and setting the base-10 scaled value.
+// Base-2 scales are omitted for mathematical simplicity.
+// See Quantity.ScaledValue for more details.
+#Scale: int32 // #enumScale
+
+#enumScale:
+	#Nano |
+	#Micro |
+	#Milli |
+	#Kilo |
+	#Mega |
+	#Giga |
+	#Tera |
+	#Peta |
+	#Exa
+
+#values_Scale: {
+	Nano:  #Nano
+	Micro: #Micro
+	Milli: #Milli
+	Kilo:  #Kilo
+	Mega:  #Mega
+	Giga:  #Giga
+	Tera:  #Tera
+	Peta:  #Peta
+	Exa:   #Exa
+}
+
+#Nano:  #Scale & -9
+#Micro: #Scale & -6
+#Milli: #Scale & -3
+#Kilo:  #Scale & 3
+#Mega:  #Scale & 6
+#Giga:  #Scale & 9
+#Tera:  #Scale & 12
+#Peta:  #Scale & 15
+#Exa:   #Scale & 18
+
+// infDecAmount implements common operations over an inf.Dec that are specific to the quantity
+// representation.
+_#infDecAmount: string

cue/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/math_go_gen.cue

@@ -0,0 +1,13 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/api/resource
+
+package resource
+
+// maxInt64Factors is the highest value that will be checked when removing factors of 10 from an int64.
+// It is also the maximum decimal digits that can be represented with an int64.
+_#maxInt64Factors: 18
+
+_#mostNegative: -9223372036854775808
+
+_#mostPositive: 9223372036854775807

cue/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/quantity_go_gen.cue

@@ -0,0 +1,96 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/api/resource
+
+package resource
+
+// Quantity is a fixed-point representation of a number.
+// It provides convenient marshaling/unmarshaling in JSON and YAML,
+// in addition to String() and AsInt64() accessors.
+//
+// The serialization format is:
+//
+// <quantity>        ::= <signedNumber><suffix>
+//   (Note that <suffix> may be empty, from the "" case in <decimalSI>.)
+// <digit>           ::= 0 | 1 | ... | 9
+// <digits>          ::= <digit> | <digit><digits>
+// <number>          ::= <digits> | <digits>.<digits> | <digits>. | .<digits>
+// <sign>            ::= "+" | "-"
+// <signedNumber>    ::= <number> | <sign><number>
+// <suffix>          ::= <binarySI> | <decimalExponent> | <decimalSI>
+// <binarySI>        ::= Ki | Mi | Gi | Ti | Pi | Ei
+//   (International System of units; See: http://physics.nist.gov/cuu/Units/binary.html)
+// <decimalSI>       ::= m | "" | k | M | G | T | P | E
+//   (Note that 1024 = 1Ki but 1000 = 1k; I didn't choose the capitalization.)
+// <decimalExponent> ::= "e" <signedNumber> | "E" <signedNumber>
+//
+// No matter which of the three exponent forms is used, no quantity may represent
+// a number greater than 2^63-1 in magnitude, nor may it have more than 3 decimal
+// places. Numbers larger or more precise will be capped or rounded up.
+// (E.g.: 0.1m will rounded up to 1m.)
+// This may be extended in the future if we require larger or smaller quantities.
+//
+// When a Quantity is parsed from a string, it will remember the type of suffix
+// it had, and will use the same type again when it is serialized.
+//
+// Before serializing, Quantity will be put in "canonical form".
+// This means that Exponent/suffix will be adjusted up or down (with a
+// corresponding increase or decrease in Mantissa) such that:
+//   a. No precision is lost
+//   b. No fractional digits will be emitted
+//   c. The exponent (or suffix) is as large as possible.
+// The sign will be omitted unless the number is negative.
+//
+// Examples:
+//   1.5 will be serialized as "1500m"
+//   1.5Gi will be serialized as "1536Mi"
+//
+// Note that the quantity will NEVER be internally represented by a
+// floating point number. That is the whole point of this exercise.
+//
+// Non-canonical values will still parse as long as they are well formed,
+// but will be re-emitted in their canonical form. (So always use canonical
+// form, or don't diff.)
+//
+// This format is intended to make it difficult to use these numbers without
+// writing some sort of special handling code in the hopes that that will
+// cause implementors to also use a fixed point implementation.
+//
+// +protobuf=true
+// +protobuf.embed=string
+// +protobuf.options.marshal=false
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+// +k8s:deepcopy-gen=true
+// +k8s:openapi-gen=true
+#Quantity: _
+
+// CanonicalValue allows a quantity amount to be converted to a string.
+#CanonicalValue: _
+
+// Format lists the three possible formattings of a quantity.
+#Format: string // #enumFormat
+
+#enumFormat:
+	#DecimalExponent |
+	#BinarySI |
+	#DecimalSI
+
+#DecimalExponent: #Format & "DecimalExponent"
+#BinarySI:        #Format & "BinarySI"
+#DecimalSI:       #Format & "DecimalSI"
+
+// splitREString is used to separate a number from its suffix; as such,
+// this is overly permissive, but that's OK-- it will be checked later.
+_#splitREString: "^([+-]?[0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$"
+
+_#int64QuantityExpectedBytes: 18
+
+// QuantityValue makes it possible to use a Quantity as value for a command
+// line parameter.
+//
+// +protobuf=true
+// +protobuf.embed=string
+// +protobuf.options.marshal=false
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+// +k8s:deepcopy-gen=true
+#QuantityValue: _

cue/cue.mod/gen/k8s.io/apimachinery/pkg/api/resource/suffix_go_gen.cue

@@ -0,0 +1,10 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/api/resource
+
+package resource
+
+_#suffix: string
+
+// suffixer can interpret and construct suffixes.
+_#suffixer: _

cue/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/duration_go_gen.cue

@@ -0,0 +1,10 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1
+
+package v1
+
+// Duration is a wrapper around time.Duration which supports correct
+// marshaling to YAML and JSON. In particular, it marshals into strings, which
+// can be used as map keys in json.
+#Duration: _

cue/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/group_version_go_gen.cue

@@ -0,0 +1,48 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1
+
+package v1
+
+// GroupResource specifies a Group and a Resource, but does not force a version.  This is useful for identifying
+// concepts during lookup stages without having partially valid types
+//
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+#GroupResource: {
+	group:    string @go(Group) @protobuf(1,bytes,opt)
+	resource: string @go(Resource) @protobuf(2,bytes,opt)
+}
+
+// GroupVersionResource unambiguously identifies a resource.  It doesn't anonymously include GroupVersion
+// to avoid automatic coercion.  It doesn't use a GroupVersion to avoid custom marshalling
+//
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+#GroupVersionResource: {
+	group:    string @go(Group) @protobuf(1,bytes,opt)
+	version:  string @go(Version) @protobuf(2,bytes,opt)
+	resource: string @go(Resource) @protobuf(3,bytes,opt)
+}
+
+// GroupKind specifies a Group and a Kind, but does not force a version.  This is useful for identifying
+// concepts during lookup stages without having partially valid types
+//
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+#GroupKind: {
+	group: string @go(Group) @protobuf(1,bytes,opt)
+	kind:  string @go(Kind) @protobuf(2,bytes,opt)
+}
+
+// GroupVersionKind unambiguously identifies a kind.  It doesn't anonymously include GroupVersion
+// to avoid automatic coercion.  It doesn't use a GroupVersion to avoid custom marshalling
+//
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+#GroupVersionKind: {
+	group:   string @go(Group) @protobuf(1,bytes,opt)
+	version: string @go(Version) @protobuf(2,bytes,opt)
+	kind:    string @go(Kind) @protobuf(3,bytes,opt)
+}
+
+// GroupVersion contains the "group" and the "version", which uniquely identifies the API.
+//
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+#GroupVersion: _

cue/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/meta_go_gen.cue

@@ -0,0 +1,33 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1
+
+package v1
+
+// TODO: move this, Object, List, and Type to a different package
+#ObjectMetaAccessor: _
+
+// Object lets you work with object metadata from any of the versioned or
+// internal API objects. Attempting to set or retrieve a field on an object that does
+// not support that field (Name, UID, Namespace on lists) will be a no-op and return
+// a default value.
+#Object: _
+
+// ListMetaAccessor retrieves the list interface from an object
+#ListMetaAccessor: _
+
+// Common lets you work with core metadata from any of the versioned or
+// internal API objects. Attempting to set or retrieve a field on an object that does
+// not support that field will be a no-op and return a default value.
+// TODO: move this, and TypeMeta and ListMeta, to a different package
+#Common: _
+
+// ListInterface lets you work with list metadata from any of the versioned or
+// internal API objects. Attempting to set or retrieve a field on an object that does
+// not support that field will be a no-op and return a default value.
+// TODO: move this, and TypeMeta and ListMeta, to a different package
+#ListInterface: _
+
+// Type exposes the type and APIVersion of versioned or internal API objects.
+// TODO: move this, and TypeMeta and ListMeta, to a different package
+#Type: _

cue/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/micro_time_go_gen.cue

@@ -0,0 +1,14 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1
+
+package v1
+
+#RFC3339Micro: "2006-01-02T15:04:05.000000Z07:00"
+
+// MicroTime is version of Time with microsecond level precision.
+//
+// +protobuf.options.marshal=false
+// +protobuf.as=Timestamp
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+#MicroTime: _

cue/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/register_go_gen.cue

@@ -0,0 +1,9 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1
+
+package v1
+
+#GroupName: "meta.k8s.io"
+
+#WatchEventKind: "WatchEvent"

cue/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/time_go_gen.cue

@@ -0,0 +1,14 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1
+
+package v1
+
+// Time is a wrapper around time.Time which supports correct
+// marshaling to YAML and JSON.  Wrappers are provided for many
+// of the factory methods that the time package offers.
+//
+// +protobuf.options.marshal=false
+// +protobuf.as=Timestamp
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+#Time: _

cue/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/time_proto_go_gen.cue

@@ -0,0 +1,21 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1
+
+package v1
+
+// Timestamp is a struct that is equivalent to Time, but intended for
+// protobuf marshalling/unmarshalling. It is generated into a serialization
+// that matches Time. Do not use in Go structs.
+#Timestamp: {
+	// Represents seconds of UTC time since Unix epoch
+	// 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
+	// 9999-12-31T23:59:59Z inclusive.
+	seconds: int64 @go(Seconds) @protobuf(1,varint,opt)
+
+	// Non-negative fractions of a second at nanosecond resolution. Negative
+	// second values with fractions must still have non-negative nanos values
+	// that count forward in time. Must be from 0 to 999,999,999
+	// inclusive. This field may be limited in precision depending on context.
+	nanos: int32 @go(Nanos) @protobuf(2,varint,opt)
+}

cue/cue.mod/gen/k8s.io/apimachinery/pkg/apis/meta/v1/watch_go_gen.cue

@@ -0,0 +1,30 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/apis/meta/v1
+
+package v1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/watch"
+)
+
+// Event represents a single event to a watched resource.
+//
+// +protobuf=true
+// +k8s:deepcopy-gen=true
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+#WatchEvent: {
+	type: string @go(Type) @protobuf(1,bytes,opt)
+
+	// Object is:
+	//  * If Type is Added or Modified: the new state of the object.
+	//  * If Type is Deleted: the state of the object immediately before deletion.
+	//  * If Type is Error: *Status is recommended; other types may make sense
+	//    depending on context.
+	object: runtime.#RawExtension @go(Object) @protobuf(2,bytes,opt)
+}
+
+// InternalEvent makes watch.Event versioned
+// +protobuf=false
+#InternalEvent: watch.#Event

cue/cue.mod/gen/k8s.io/apimachinery/pkg/runtime/codec_go_gen.cue

@@ -0,0 +1,37 @@
+// Code generated by cue get go. DO NOT EDIT.
+
+//cue:generate cue get go k8s.io/apimachinery/pkg/runtime
+
+package runtime
+
+// codec binds an encoder and decoder.
+_#codec: {
+	Encoder: #Encoder
+	Decoder: #Decoder
+}
+
+// NoopEncoder converts an Decoder to a Serializer or Codec for code that expects them but only uses decoding.
+#NoopEncoder: {
+	Decoder: #Decoder
+}
+
+_#noopEncoderIdentifier: #Identifier & "noop"
+
+// NoopDecoder converts an Encoder to a Serializer or Codec for code that expects them but only uses encoding.
+#NoopDecoder: {
+	Encoder: #Encoder
+}
+
+_#base64Serializer: {
+	Encoder: #Encoder
+	Decoder: #Decoder
+}
+
+_#internalGroupVersionerIdentifier: "internal"
+_#disabledGroupVersionerIdentifier: "disabled"
+
+_#internalGroupVersioner: {
+}
+
+_#disabledGroupVersioner: {
+}